3CX and Microsoft TMG Firewall

Discussion in '3CX Phone System - General' started by dvs4man, Sep 3, 2010.

Thread Status:
Not open for further replies.
  1. dvs4man
    Hello. My setup is a Windows 2008 R2 server running Microsoft TMG, recently installed.
    I have it as an edge firewall, with 2 NIC cards. One for the outside connection to the internet and the other to the inside domain/network.

    I can make outbound calls to my provider, AITech, fine. Incoming calls are blocked. I see this in the TMG logs. When I use the 'Configure VoIP' task in the TMG server, it creates 3 firewall rules: 2 RTP rules (all connections) and 1 SIP rule for 5060. I can then receive incoming calls from the outside, but the connection only lasts 30 seconds and then disconnects the call.

    The firewall on the 3CX system is turned off.

    I did the 3CX firewall checker, and get the following output:

    3CX Firewall Checker, v1.0. Copyright (C) 3CX Ltd. All rights reserved.

    <15:16:57>: Phase 1, checking servers connection, please wait...
    <15:16:57>: Stun Checker service is reachable. Phase 1 check passed.
    <15:16:57>: Phase 2a, Check Port Forwarding to UDP SIP port, please wait...
    <15:16:57>: UDP SIP Port is set to 5060. Response received WITH TRANSLATION 31656::5060. Phase 2a check passed with WARNINGS. Some functionality will be LIMITED. For more information, please visit http://www.3cx.com/support/firewall-checker.html

    <15:16:57>: Phase 2b. Check Port Forwarding to TCP SIP port, please wait...
    <15:16:57>: TCP SIP Port is set to 5060. Response received WITH TRANSLATION 31656::5060. Phase 2b check passed with WARNINGS. Some functionality will be LIMITED. For more information, please visit http://www.3cx.com/support/firewall-checker.html

    <15:16:57>: Phase 3. Check Port Forwarding to TCP Tunnel port, please wait...
    <15:16:57>: TCP TUNNEL Port is set to 5090. Response received WITH TRANSLATION 49902::5090. Phase 3 check passed with WARNINGS. Some functionality will be LIMITED. For more information, please visit http://www.3cx.com/support/firewall-checker.html

    <15:16:57>: Phase 4. Check Port Forwarding to RTP external port range, please wait...
    <15:17:00>: UDP RTP Port 9000. Response received WITH TRANSLATION 31991::9000. Phase 4-01 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9001. Response received WITH TRANSLATION 37248::9001. Phase 4-02 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9002. Response received WITH TRANSLATION 41896::9002. Phase 4-03 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9003. Response received WITH TRANSLATION 22042::9003. Phase 4-04 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9004. Response received WITH TRANSLATION 32139::9004. Phase 4-05 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9005. Response received WITH TRANSLATION 15868::9005. Phase 4-06 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9006. Response received WITH TRANSLATION 57194::9006. Phase 4-07 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9007. Response received WITH TRANSLATION 60400::9007. Phase 4-08 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9008. Response received WITH TRANSLATION 10662::9008. Phase 4-09 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9009. Response received WITH TRANSLATION 53194::9009. Phase 4-10 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9010. Response received WITH TRANSLATION 19118::9010. Phase 4-11 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9011. Response received WITH TRANSLATION 16936::9011. Phase 4-12 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9012. Response received WITH TRANSLATION 22886::9012. Phase 4-13 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9013. Response received WITH TRANSLATION 28837::9013. Phase 4-14 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9014. Response received WITH TRANSLATION 18329::9014. Phase 4-15 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9015. Response received WITH TRANSLATION 23785::9015. Phase 4-16 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9016. Response received WITH TRANSLATION 42999::9016. Phase 4-17 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9017. Response received WITH TRANSLATION 57344::9017. Phase 4-18 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9018. Response received WITH TRANSLATION 46346::9018. Phase 4-19 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9019. Response received WITH TRANSLATION 45984::9019. Phase 4-20 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9020. Response received WITH TRANSLATION 64152::9020. Phase 4-21 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9021. Response received WITH TRANSLATION 34901::9021. Phase 4-22 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9022. Response received WITH TRANSLATION 22552::9022. Phase 4-23 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9023. Response received WITH TRANSLATION 60323::9023. Phase 4-24 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9024. Response received WITH TRANSLATION 48341::9024. Phase 4-25 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9025. Response received WITH TRANSLATION 23772::9025. Phase 4-26 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9026. Response received WITH TRANSLATION 14783::9026. Phase 4-27 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9027. Response received WITH TRANSLATION 60475::9027. Phase 4-28 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9028. Response received WITH TRANSLATION 38949::9028. Phase 4-29 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9029. Response received WITH TRANSLATION 54791::9029. Phase 4-30 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9030. Response received WITH TRANSLATION 31867::9030. Phase 4-31 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9031. Response received WITH TRANSLATION 29348::9031. Phase 4-32 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9032. Response received WITH TRANSLATION 10946::9032. Phase 4-33 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9033. Response received WITH TRANSLATION 51183::9033. Phase 4-34 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9034. Response received WITH TRANSLATION 50064::9034. Phase 4-35 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9035. Response received WITH TRANSLATION 63284::9035. Phase 4-36 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9036. Response received WITH TRANSLATION 27202::9036. Phase 4-37 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9037. Response received WITH TRANSLATION 49967::9037. Phase 4-38 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9038. Response received WITH TRANSLATION 26077::9038. Phase 4-39 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9039. Response received WITH TRANSLATION 36305::9039. Phase 4-40 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9040. Response received WITH TRANSLATION 48944::9040. Phase 4-41 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9041. Response received WITH TRANSLATION 58222::9041. Phase 4-42 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9042. Response received WITH TRANSLATION 13147::9042. Phase 4-43 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9043. Response received WITH TRANSLATION 55574::9043. Phase 4-44 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9044. Response received WITH TRANSLATION 37909::9044. Phase 4-45 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9045. Response received WITH TRANSLATION 50862::9045. Phase 4-46 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9046. Response received WITH TRANSLATION 16264::9046. Phase 4-47 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9047. Response received WITH TRANSLATION 34146::9047. Phase 4-48 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9048. Response received WITH TRANSLATION 56799::9048. Phase 4-49 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html
    <15:17:00>: UDP RTP Port 9049. Response received WITH TRANSLATION 63338::9049. Phase 4-50 check passed with WARNINGS. Some functionality may be IMPAIRED. For more information, please visit http://www.3cx.com/support/firewall-checker.html


    Application exit code is 53



    I believe the issue resides somewhere around the RTP rules. If anyone is using Microsoft TMG with 3CX, let me know if you have had the same issues and what the resolution was. Any help is greatly appreciated.

    Thanks!
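
An added example, not part of the original post or of 3CX's tooling: a small Python parser for the checker output format quoted above, which lists the local ports whose source port was rewritten by the firewall and checks whether the rewrite follows a fixed offset. It assumes that in `A::B` the left number is the port seen from outside and the right number is the PBX's local port; the sample lines are copied from the post with the trailing support-link text dropped.

```python
import re
from collections import namedtuple

# Sample lines copied from the post's checker output (support-link text dropped).
SAMPLE_LOG = """\
<15:16:57>: UDP SIP Port is set to 5060. Response received WITH TRANSLATION 31656::5060. Phase 2a check passed with WARNINGS.
<15:16:57>: TCP TUNNEL Port is set to 5090. Response received WITH TRANSLATION 49902::5090. Phase 3 check passed with WARNINGS.
<15:17:00>: UDP RTP Port 9000. Response received WITH TRANSLATION 31991::9000. Phase 4-01 check passed with WARNINGS.
<15:17:00>: UDP RTP Port 9001. Response received WITH TRANSLATION 37248::9001. Phase 4-02 check passed with WARNINGS.
<15:17:00>: UDP RTP Port 9002. Response received WITH TRANSLATION 41896::9002. Phase 4-03 check passed with WARNINGS.
Application exit code is 53
"""

# Assumption: in "A::B", A is the port seen from outside, B the PBX's local port.
LINE_RE = re.compile(
    r"(?P<proto>UDP|TCP) (?P<kind>SIP|TUNNEL|RTP) Port (?:is set to )?(?P<local>\d+)\. "
    r"Response received WITH TRANSLATION (?P<seen>\d+)::(?P<sent>\d+)\.")

Translation = namedtuple("Translation", "proto kind local external")

def parse_translations(log):
    rows = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m and m["sent"] == m["local"] and m["seen"] != m["local"]:
            rows.append(Translation(m["proto"], m["kind"], int(m["local"]), int(m["seen"])))
    return rows

def collapse(ports):
    """Collapse port numbers into inclusive (start, end) ranges."""
    ranges = []
    for p in sorted(set(ports)):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges

def summarize(log):
    rows = parse_translations(log)
    by_service = {}
    for r in rows:
        by_service.setdefault((r.proto, r.kind), []).append(r.local)
    code = re.search(r"Application exit code is (\d+)", log)
    return {
        # Local ports that did not keep their number on the way out.
        "rewritten": {k: collapse(v) for k, v in by_service.items()},
        # Several distinct offsets: the external port is chosen per flow.
        "per_flow_allocation": len({r.external - r.local for r in rows}) > 1,
        "exit_code": int(code.group(1)) if code else None,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run against the full output in the post, the RTP entry collapses to the single range 9000 to 9049, which is the range a port-preserving publishing rule on the firewall would have to cover.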
     
  2. hcoover
    We have the same problem and worked on it for weeks. Phones would work fine for a while, then problems; a reboot of the TMG gateway would fix it temporarily. TMG would just start blocking SIP packets randomly. We're currently building a new TMG gateway to see if that helps. Meanwhile we're using a hardware firewall for the phone system, a Multitech RouteFinder, which works without any special config. I've also tried Linksys and Netgear, all of which work fine. I'll update on the new TMG when done.
     
  3. dvs4man
    Sadly, I have a solution. I use AITech since they could port our phone number in our area originally. I use Callcentric at my home. I created a free account with Callcentric, and tested it through the TMG Server. It worked flawlessly without any port forwarding or using the 'VoIP Configuration' wizard.
    I then got a real number from Callcentric, and have my AITech number forwarded to the Callcentric number. I would port my number over to Callcentric entirely, but they cannot port in the area where this number currently resides. So, the only solution for me right now is to call forward my AITech number to the Callcentric number. That way people calling our organization who have our number can reach us. It costs more, but it is something temporary until I can get the organization to agree to change the number. Once changed, I will be in an area nearby which has more porting options in the future.

    I believe the key is that Callcentric does it the more intelligent way by maintaining a primary SIP connection then creating the secondary connections. The firewall then allows the connections from the primary connection to link the secondary RTP connections and allow the traffic. I checked the logs in TMG as well as a Wireshark trace, and that seems to be why Callcentric is working. AITech does not, it seems, and talking to their technical support people, they have no real networking knowledge while Callcentric has always come back to me with intelligent answers.

    I see two key issues here. Microsoft TMG still hasn't figured out how to do SIP/RTP well. The second issue is with AITech and the way they do their voice technology. They want you to buy an EdgeMarc device with your service, into which they build port forwarding. A weak solution compared with Callcentric, which has you bring your own device (BYOD) and works with 3CX, PAP2Ts (my favorite devices), Cisco ATA 180/188s, etc.

    I would recommend Callcentric to anyone who wants one of the best providers out there. I have tried Broadvoice (not bad), Vonage (horrible - worst provider) and others. Callcentric has great support and good technology.

    Hopefully this helps others.

    Thanks.
     