Cloud 3CX isolated from public internet

RBS

I'd like to have a setup that has only 3 contact points:

3CX server for admin panel
Cloud VM (Google or AWS)
IP of the phones (place of business)

I suppose the question can be reduced to:
How to isolate the Cloud VM from public access otherwise.
As if the installation didn't exist as far as the rest of the world is concerned.

Would it be VPC? VXC? VPN?

Feel free to rephrase my question and steer it in the right direction.
 
Hi RBS,

I am going to presume from your post that all you are asking is how to make the most out of the security of 3CX Phone System in the cloud.

The main issue here I think is the fact that you have little control over the infrastructure the PBX will be running on and/or network.

What you do have available to you (at least with AWS which I use) is the use of security groups (ACL type rules) to allow access from whomever/wherever you want. Google should be no different.

What you could do is leave these set, only allow HTTPS access (management console) from trusted IP addresses (no "Any" rules) and absolutely do not use Direct STUN as the connection method for your phones.

As you have already identified VPN would be a good option and/or the 3CX SBC, which will connect your phones via it on port 5090 (3CX Tunnel) of which again you would only allow from trusted IP addresses.
 
Yealink SIP-T46S requires direct stun for provisioning. Disable it after it's done?

On Google Cloud there is no http/https access allowed to begin with. Not sure how 3CX DNS accesses the admin panel; it sets everything up on its own.

How would you find out which IP to trust for 3cx to access your FQDN?
 
It does not have to use the STUN method for connection, and if you are serious about security I would not recommend using STUN.

Use the SBC instead, you will get plug and play provisioning across it if using a Yealink (fully supported phone).

Yes you are right, these ports will not be open by default you will need to open them using rules (I am going on AWS's security groups however).

As for trusted IP addresses, what I mean is only allow access to the console via where you are located, so your Public IP you connect from.
 
As for trusted IP addresses, what I mean is only allow access to the console via where you are located, so your Public IP you connect from.

Well, not only that, but also the trunk provider (not a problem).
The biggest dilemma is where does 3CX connect from by itself (i.e. license check, or to route "MYFQDN.3cx.us"), anything that's not outgoing but must be incoming?
I'm just afraid the whole thing will go down if I only leave my IP and that of sip trunk provider open.

I can't possibly be the first one asking this. Is everyone leaving their pbx open to the world for hacks?
 
For trunking providers, for security you are best to go with an IP-authenticated SIP trunk (as you allow their public IP address through the firewall only, and they do the same with yours).

Just ensure that you have a static public IP on the PBX so that it won't change and break the connection.

As for hacking your trunk, on most reputable provider platforms you can also limit the number of calls made outside of office hours by time and cost.

Most hacks occur out of office hours and they will hijack an endpoint and use your trunks to call a high premium number and rack up a large bill.
 
OK, I've changed ingress "source filters" in Google cloud from 0.0.0.0/0 to only addresses of business IP phone locations and the SIP providers (all static).

Everything works and nothing is accessible from any different IP at all.
Let's hope it won't break something eventually.

What I'd still like to do is create a more direct route from the phone IP to 3cx installation to reduce hops (lag). A bit lost how to do that.
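The two recommendations above (allow the HTTPS console and the 5090 tunnel only from trusted addresses, never from "Any", and replace 0.0.0.0/0 ingress source filters with the business phone sites and the SIP provider) are easy to get wrong when there are several rules and several trusted networks. The following audit script is an added example and is not code from the thread or from 3CX; it checks an ingress ruleset (in the shape of an AWS security group or GCP firewall rule: protocol, port range, source CIDR) against a map of which trusted addresses play which role. The 443/5090 port roles come from the thread; 5001 as 3CX's alternative HTTPS port, 5060/5061 for SIP signalling, the 9000-10999 RTP range, and all of the addresses and rule names are assumptions, constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set

# Which role a given port must be restricted to. 443 (HTTPS console) and
# 5090 (3CX tunnel / SBC) are from the thread; 5001 (alternate HTTPS) and
# 5060/5061 (SIP signalling) are assumed standard defaults.
PORT_ROLE = {
    443: "admin", 5001: "admin",
    5090: "phones",
    5060: "trunk", 5061: "trunk",
}


@dataclass(frozen=True)
class IngressRule:
    name: str
    protocol: str     # "tcp" or "udp"
    port_from: int
    port_to: int
    source: str       # CIDR exactly as written in the cloud rule


def _roles_of(source: str, trusted: Dict[str, Set[str]]) -> Set[str]:
    """Roles whose trusted CIDRs fully contain `source` (empty set = untrusted)."""
    net = ipaddress.ip_network(source, strict=False)
    roles = set()
    for role, cidrs in trusted.items():
        for cidr in cidrs:
            allowed = ipaddress.ip_network(cidr, strict=False)
            if net.version == allowed.version and net.subnet_of(allowed):
                roles.add(role)
    return roles


def audit(rules: List[IngressRule], trusted: Dict[str, Set[str]]) -> List[str]:
    """Return one finding per rule that violates the allowlist policy."""
    findings = []
    for r in rules:
        net = ipaddress.ip_network(r.source, strict=False)
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0: the "Any" rule the thread warns about
            findings.append(f"{r.name}: open to the world ({r.source}) "
                            f"on {r.port_from}-{r.port_to}/{r.protocol}")
            continue
        roles = _roles_of(r.source, trusted)
        if not roles:
            findings.append(f"{r.name}: source {r.source} is not a trusted "
                            f"admin, phone-site or trunk address")
            continue
        # A source may be trusted for one role but still must not reach
        # another role's ports (e.g. the trunk provider reaching the console).
        for port, need in PORT_ROLE.items():
            if r.port_from <= port <= r.port_to and need not in roles:
                findings.append(f"{r.name}: port {port} ({need}) exposed to {r.source}, "
                                f"which is trusted only as {sorted(roles)}")
    return findings


# Constructed sample data (documentation-range addresses, not real sites).
TRUSTED = {
    "admin":  {"203.0.113.10/32"},                      # public IP the admin connects from
    "phones": {"203.0.113.10/32", "198.51.100.0/29"},   # business phone sites / SBCs
    "trunk":  {"192.0.2.0/24"},                         # SIP provider's signalling + media range
}

DEFAULT_RULES = [  # the "everything from anywhere" starting point
    IngressRule("https-any", "tcp", 443, 443, "0.0.0.0/0"),
    IngressRule("sip-any", "udp", 5060, 5060, "0.0.0.0/0"),
    IngressRule("tunnel-any", "tcp", 5090, 5090, "0.0.0.0/0"),
]

HARDENED_RULES = [  # console from the admin IP, tunnel from the sites, SIP/RTP from the trunk
    IngressRule("https-admin", "tcp", 443, 443, "203.0.113.10/32"),
    IngressRule("tunnel-site-a", "tcp", 5090, 5090, "203.0.113.10/32"),
    IngressRule("tunnel-site-b", "tcp", 5090, 5090, "198.51.100.0/29"),
    IngressRule("tunnel-site-b-udp", "udp", 5090, 5090, "198.51.100.0/29"),
    IngressRule("sip-trunk", "udp", 5060, 5060, "192.0.2.0/24"),
    IngressRule("rtp-trunk", "udp", 9000, 10999, "192.0.2.0/24"),
]

# A plausible slip: the trunk provider's range copied onto the console rule.
MISTAKE_RULES = HARDENED_RULES + [IngressRule("https-trunk", "tcp", 443, 443, "192.0.2.0/24")]


if __name__ == "__main__":
    for label, rules in (("default", DEFAULT_RULES), ("hardened", HARDENED_RULES),
                         ("mistake", MISTAKE_RULES)):
        print(f"== {label} ==")
        for line in audit(rules, TRUSTED) or ["no findings"]:
            print("  " + line)
```

The check is deliberately strict about sources that are trusted for one role only: the SIP provider's range being allowed on 5060 is correct, but the same range on 443 is a finding even though it is not an "Any" rule. It covers ingress only; the PBX's own outbound calls (licence check, updates) are unaffected by ingress source filters, which is why restricting them to the phone sites and the trunk provider did not break anything.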
 
What I'd still like to do is create a more direct route from the phone IP to 3cx installation to reduce hops (lag). A bit lost how to do that.

All you can do is put the FQDN, or Public IP in to the device to tell it where the server is located. Unless you control the network between the set and the server, you cannot dictate how data routes between them.
 
Please note that the PBX will need to access "downloads.3cx.com" and "activation.3cx.com" in order to be able to check the licence and get new updates.
 