In this post we describe the configuration of a Kerio Control appliance for use with 3CX Phone System. This configuration is based on version 8.3.0 build 1988.
In general, Kerio Control is known to work correctly and can be used as a gateway in front of a 3CX Phone System to connect VoIP providers, direct remote extensions (STUN) and 3CX Tunnel connections. However, the firewall offers SIP and HTTP protocol inspection whose exact behaviour could not be determined. SIP inspection must be disabled (see the “Services” steps below); the HTTP proxy / content filter rules may additionally affect the 3CX Phone System’s connections for updates and for MyPhone, which are not covered in this document.
The status of this type of firewall is: Supported
NAT type: IP Restricted
Firewall configuration will never be carried out by the 3CX Staff, and must be made by the System Administrator of the company. You must understand the risk of opening ports to the World Wide Web. Read https://www.3cx.com/blog/docs/securing-hints/ for more information and agree with the terms stated. The provided guide is based on the best known effort to configure the device(s). 3CX is not liable for any misconfiguration that may be made using this guide.
Open the Kerio Control Web Admin portal and navigate to “Services”:
- Locate the “SIP” service and set its Protocol Inspection to “None”.
- Click “Add” to create a new service. The ports that need to be opened are listed at https://www.3cx.com/docs/firewall-router-configuration-voip/. Because the ports may depend on the version you are using, refer to the admin manual for the fully updated port list.
- As the SIP service exists by default, only services for Audio (1), 3CX Tunnel (2), HTTP (3) and HTTPS (4) need to be added.
- Now group all needed services into a service group, for example named “3CX Phone System”, which is the name used when creating the traffic rule below.
- Save your configuration by clicking “Apply”.
From the Kerio Control Web Admin portal, navigate to “Traffic Rules”:
- This is the default rule list. Click the “Add” button to create a new rule.
- Select the “Port mapping” option and enter the IP address (1) of the 3CX Phone System. In the “Service” entry field, click “Select” (2) and select the “3CX Phone System” Service group you have created earlier. Click “Next” to finish the setup.
- The rule is created and must be placed high enough in the rule list that no earlier rule blocks the traffic it maps.
Run the 3CX Firewall Checker to validate the setup from the 3CX Management Console “Settings” > “Firewall Checker”. All tested ports must return green / working.
If you use this firewall at a remote location in front of a STUNed IP phone, the appropriate NAT (port mapping) rule to the internal IP phone MUST be created, and “SIP” protocol inspection must be turned off. Without that rule, inbound calls may have audio while outbound calls have no audio in either direction. This is because the firewall expects the internal host to send audio/data first before it allows inbound traffic on a dynamically created NAT entry. Depending on timing, the 3CX Phone System may send audio to the remote IP phone’s IP:RTP port before the STUNed IP phone has sent any data to the 3CX Phone System. This initial inbound stream causes the firewall to block data from and to the 3CX Phone System media server (RTP IP:port) for all connections, so that not even the internal phones can send data to the 3CX Phone System. Therefore, a NAT rule must be configured for each IP phone.
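The timing race above is easier to see in a small model. The following is an added example, not code from the 3CX guide or from Kerio: it models an “IP Restricted” NAT (the NAT type listed at the top of this page) that opens dynamic pinholes only after the internal host has sent traffic, and compares it with a static port-mapping rule. All IP addresses, ports, the class and function names, and the assumption that the public port equals the internal port for dynamic pinholes are constructed for the example; the model does not reproduce Kerio’s internal handling beyond what the paragraph describes.

```python
"""Added illustration (not from the 3CX guide or Kerio Control): a tiny model of
an "IP Restricted" NAT that creates dynamic pinholes only after outbound traffic,
compared with a static port-mapping rule for the phone.  All addresses, ports and
names are constructed for the example."""

from dataclasses import dataclass, field

PBX_IP = "203.0.113.10"       # constructed: public IP of the 3CX media server
PHONE_IP = "192.168.1.50"     # constructed: IP phone behind the remote Kerio Control
PHONE_RTP_PORT = 11000        # constructed: the phone's RTP port
STRAY_IP = "198.51.100.7"     # constructed: an unrelated host probing the port


@dataclass
class IpRestrictedNat:
    """Inbound packets to a dynamic pinhole are delivered only if they come from a
    remote IP the internal host has already sent to (NAT type: IP Restricted).
    Static port-mapping rules deliver inbound packets from any source."""
    static_rules: dict = field(default_factory=dict)   # public_port -> (inner_ip, inner_port)
    pinholes: dict = field(default_factory=dict)       # (inner_ip, inner_port) -> {remote_ip}

    def outbound(self, inner_ip, inner_port, remote_ip):
        """The internal host sends a packet; the firewall records the peer."""
        self.pinholes.setdefault((inner_ip, inner_port), set()).add(remote_ip)

    def inbound(self, remote_ip, public_port):
        """Return the (inner_ip, inner_port) an inbound packet is delivered to, or
        None if the firewall drops it.  Assumption: the public port equals the
        internal port for dynamic pinholes (port preservation)."""
        if public_port in self.static_rules:
            return self.static_rules[public_port]
        for (inner_ip, inner_port), peers in self.pinholes.items():
            if inner_port == public_port and remote_ip in peers:
                return (inner_ip, inner_port)
        return None


def rtp_race(with_static_rule):
    """Replay the race described in the guide: the PBX's first RTP packet reaches
    the remote firewall before the STUNed phone has sent any RTP itself.

    Returns three booleans: [PBX packet delivered before the phone sent anything,
    PBX packet delivered after the phone sent, stray host's packet delivered]."""
    nat = IpRestrictedNat()
    if with_static_rule:
        # the NAT rule the guide says MUST exist for each remote IP phone
        nat.static_rules[PHONE_RTP_PORT] = (PHONE_IP, PHONE_RTP_PORT)
    results = []
    # 1. PBX -> phone before any outbound RTP from the phone
    results.append(nat.inbound(PBX_IP, PHONE_RTP_PORT) is not None)
    # 2. the phone finally sends RTP to the PBX, opening a dynamic pinhole
    nat.outbound(PHONE_IP, PHONE_RTP_PORT, PBX_IP)
    # 3. PBX -> phone again
    results.append(nat.inbound(PBX_IP, PHONE_RTP_PORT) is not None)
    # 4. a stray host sends to the same public port
    results.append(nat.inbound(STRAY_IP, PHONE_RTP_PORT) is not None)
    return results


if __name__ == "__main__":
    print("dynamic pinholes only:", rtp_race(with_static_rule=False))
    print("with static NAT rule: ", rtp_race(with_static_rule=True))
```

Without the static rule the first PBX packet is dropped because the phone has not yet sent anything, which is the one-way-audio symptom; with the rule it is delivered regardless of timing. The third result shows the price of the static rule: the mapped RTP port now accepts packets from any source, so the service group should contain only the ports 3CX actually needs and the Firewall Checker result should be re-verified after each change.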