3cx behind a Sophos SG Firewall

Discussion in '3CX Phone System - General' started by Jens-NTCG, Dec 20, 2017.

Thread Status:
Not open for further replies.
  1. Jens-NTCG

    Joined:
    Oct 23, 2017
    Messages:
    4
    Likes Received:
    0
    Hello Community,

    We are new to this business and have made our first steps in the world of 3CX. We successfully installed some test 3CX instances from the Linux ISO, and last week we started with our first business step and a real installation for our own company.

    Up to now all the steps we tried are working, and we just have some issues with our new firewall configuration.
    We now use a Sophos XG (not UTM9).

    After having some issues with the SIP ALG and ports 9000 and 9001 in the firewall test, my colleague disabled all SIP features on the Sophos XG. Now the 9000 and 9001 issue is gone, but 5060 is marked red.

    Additionally, we have some issues with the web proxy and the Sophos XG. It seems that the login is working. Sometimes the call list is displayed, sometimes not, and the presence list is never shown. Nevertheless, phone calls sometimes work and sometimes do not.

    Has anyone already done a successful installation with a Sophos XG and could provide us with some additional help?

    Inside the LAN the 3CX is working successfully; it's only about working with external clients or an SBC.

    Greetings from Hamburg, Germany
    Jens Meske
     
  2. Jens-NTCG

    Update: we got the client working after disabling the antivirus filter in the reverse web proxy on the Sophos.

    We only had to solve the strange 5060 "not reachable".
    Especially because we could see 5060 packets directly on the appliance via SSH shell, and in the logs from the 3CX we also see the 5060 connects. Phones are working.
     
    #2 Jens-NTCG, Dec 20, 2017
    Last edited: Dec 20, 2017
  3. PhatPanda

    Joined:
    Aug 26, 2015
    Messages:
    48
    Likes Received:
    2
    Assuming you guys already did this to disable SIP ALG: console> system system_modules sip unload? Are you saying the firewall checker is still red for 5060? It will remain red if you have limited WAN-to-LAN connectivity to your PBX to only your SIP trunk provider IP(s). If the phones are making and receiving calls you should be fine. We did have a SIP split-brain issue where incoming calls would intermittently not connect, and an engineer helped us with a configuration change that I can share if needed (we are on an XG 210 v17 MR2).

     
    #3 PhatPanda, Dec 20, 2017
    Last edited: Dec 20, 2017
  4. jem1

    Joined:
    Aug 29, 2012
    Messages:
    78
    Likes Received:
    30
    I would honestly skip any of the security features for the port forwarding of the 3CX ports; you will probably run into issues along the way. I have a virtual XG 17 MR3 at home and the firewall check passes without a hitch, but I don't run any of the security services for the forwarding. You can then maybe turn them back on one at a time to see which is causing the issue.
     
  5. Jens-NTCG

    Thank you for your reply. Yes, we did this on the console; after that we had only the issue with the web filter and the firewall check with port 5060. Nevertheless, it seems to work fine now.
     
  6. Jens-NTCG

    Thank you for your reply; our firewall expert doesn't like disabling ;-)
    For now it seems to be working.
     
  7. jem1

    Oh, I understand; it's just that sometimes these extra security features do a little too much and mess with VoIP or video communications.
     