3CX behind Sophos UTM-9 Firewall

Discussion in '3CX Phone System - General' started by MarkLFT, Jan 26, 2015.

Thread Status:
Not open for further replies.
  1. MarkLFT

    Joined:
    Jan 4, 2015
    Messages:
    10
    Likes Received:
    0
    Has anyone successfully configured a Sophos UTM Firewall to enable a 3CX system? I have been working with Sophos for a while, so am comfortable forwarding ports and publishing simple sites, but I am having problems with 3CX.

    My 3CX is using the built-in web server, configured for ports 5000 / 5001. I have published these the same way as I already have several other websites published. I have forwarded ports 5060/5061, 5090, and 9000-9049 to the correct host, but still I have issues.

    The issues I have are:

    1. Browsing to the admin website, works inside the firewall, but from outside, it starts to load the pages, shows headers, and the rotating circle, but never displays any content. From inside the firewall it works correctly.

    2. If I run the firewall test, it fails on the first test, but I can resolve the stun server addresses, I have port 5060 forwarding to the IP address of the 3CX system, but still nothing works.

    I would be grateful for any and all advice.

    Thanks
     
  2. MarkLFT

    Joined:
    Jan 4, 2015
    Messages:
    10
    Likes Received:
    0
    OK, rookie error. Problem with ports fixed, set Sophos firewall correctly, forget the Windows Firewall.
     
  3. marzetti

    Joined:
    Feb 3, 2015
    Messages:
    1
    Likes Received:
    0
    Hi Little,
    May I ask what rules you set up on the UTM to get this to work? We also have a UTM here and are having issues.
     
  4. mr_jack

    Joined:
    Apr 9, 2015
    Messages:
    1
    Likes Received:
    0
    Hi Little,

    I'm also interested in which firewall / NAT rules you created on the UTM so that the 3CX firewall checker was happy.

    For NAT, was it DNAT or 1:1 NAT?

    Maybe an example ?

    Thanks.

    Jack
     
  5. AndyBarr

    Joined:
    Apr 8, 2015
    Messages:
    33
    Likes Received:
    0
    I have fallen foul of this a couple of times, so I bet that the NAT rules were all created but you forgot to open the firewall ports.
     
  6. Superheater

    Joined:
    Apr 13, 2015
    Messages:
    1
    Likes Received:
    0
    Like mr_jack, I am interested in what rules you used to get this working too. I am familiar with NAT rules but I am struggling to get this working from behind Sophos UTM.
     
  7. TCF

    Joined:
    May 6, 2015
    Messages:
    92
    Likes Received:
    2
    I am interested in the settings as well. Has anyone got it working since posting?
     
  8. TCF

    Joined:
    May 6, 2015
    Messages:
    92
    Likes Received:
    2
    I'm working on setting it up right now. When I get it working I'll post a tutorial.
     
  9. Thomas 3CX

    3CX Support

    Joined:
    May 6, 2015
    Messages:
    15
    Likes Received:
    0
    Hello,

    Keeping in mind that the network and 3rd-party configuration is out of 3CX scope, I would like to inform you that:

    1. Browsing to the admin website, works inside the firewall, but from outside, it starts to load the pages, shows headers, and the rotating circle, but never displays any content. From inside the firewall it works correctly.
    - I assume you are applying AV or IPS services on the firewall. A packet capture on the firewall would be helpful, since you will see what kind of traffic is dropped towards the PBX destination and can adjust the configuration accordingly.

    2. If I run the firewall test, it fails on the first test, but I can resolve the stun server addresses, I have port 5060 forwarding to the IP address of the 3CX system, but still nothing works.
    - When the firewall checker fails, it means that something was misconfigured. Verify the configuration one more time; pcaps would be the way to determine the root cause of the issue. 5060 is not the only port needed by the PBX (see the link provided below).

    Please let me provide you with some documentation that may be helpful:

    • Ports used by 3CX Phone System
    - http://www.3cx.com/blog/docs/ports-used/

    • Firewall & Router Configuration
    - http://www.3cx.com/docs/firewall-router-configuration-voip/

    • Firewall Configuration for 3CX Phone System (Sophos NOT included but it might be of use)
    - http://www.3cx.com/support/firewall-configuration/

    Thanks.
     
  10. MillsAz

    Joined:
    Feb 24, 2017
    Messages:
    1
    Likes Received:
    3
    I have had tons of fun setting up Sophos UTM 9 for 3CX. Here are the steps to take:

    1. DO NOT SETUP Network Protection > VoIP. It will result in complete failure. I've spent hours on support with Sophos and the answer is do not turn it on.
    2. Create your Service 3CX_Service (Definitions & Users>Service Def) and add the ports here: http://www.3cx.com/blog/docs/ports-used/
    (screenshot attached)
    3. Create the Network Def for your internal 3CX server.
    (screenshot attached)
    4. Create your external interface (Interfaces & Routing>Interfaces>Additional Addresses), Name it 3CX_WAN:
    • External interface (screenshot attached): USE /32 Netmask rather than ISP's subnet mask
    5. Create Masquerading Rule (Network Protection>NAT>Masquerading tab), use the interface created in step 4 in the Use Address and Network from Step 3. Interface is your ISP uplink which should already exist if you can access the internet.
    (screenshot attached)

    6. Create your DNAT rule (Net Protection>NAT>NAT tab), "Going To" is the Interface ADDRESS and not the network.
    (screenshot attached)

    7. If you have Intrusion Prevention turned on (Net Protection>Intrusion Prev) then go to the Exceptions tab and add exceptions
    • I created 2: Internal & External
    • External (screenshot attached)

    • Internal (screenshot attached)
    8. Make sure all the NAT, Masquerade, and Exceptions are all turned on (screenshot attached)
    9. Now you are ready to test the Firewall Diagnostics in the 3CX console.
    10. You will see some of the Media Server ports failed, but some didn't. This is because Anti-PortScan is turned on in the UTM Net Prot>Intrusion Prev>Anti-PortScan tab. Turn it off and try the firewall diags again and everything will pass.

    If you are still having troubles with the 5060 or 5090 ports you should recheck all the settings in the UTM.

    Good Luck!!
     
    #10 MillsAz, Feb 24, 2017
    Last edited: Feb 24, 2017
    benitok, randybell and d31 like this.
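The steps above combine a DNAT rule (step 6), a firewall/service definition (step 2) and IPS exceptions (step 7), and two replies earlier in the thread point at the classic failure: NAT rules created but the firewall ports never opened. The following Python script is an added example, not code from the thread, from 3CX or from Sophos. It models the two-stage packet path of a netfilter-style firewall (DNAT in prerouting first, then the forward filter judging the already rewritten packet) and runs the port set named in this thread (5000/5001, 5060/5061, 5090, 9000-9049) through three rule sets: DNAT only, DNAT plus an allow rule on the internal PBX address, and DNAT plus an allow rule mistakenly written against the public address. The TCP/UDP assignment per port, the IP addresses and the rule objects are assumptions constructed for the example.

```python
"""Toy model of an inbound packet on a NAT firewall (added example, not the
thread's or Sophos' code):

  1. DNAT (prerouting) rewrites the public destination to the internal PBX.
  2. The forward filter then decides on the *rewritten* packet, so allow
     rules must name the internal host, not the public address.

Ports are the ones named in the thread; the protocol per port is an assumption.
"""
from dataclasses import dataclass, field

# Constructed service definition for the PBX (assumption: protocol per port).
PBX_SERVICE = {
    "tcp": {5000, 5001, 5060, 5061, 5090},
    "udp": {5060, 5090, *range(9000, 9050)},   # 9000-9049 media ports
}

PUBLIC_IP = "203.0.113.10"   # constructed, RFC 5737 documentation range
PBX_IP = "192.168.10.5"      # constructed internal PBX address


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_ip: str
    dst_port: int


@dataclass
class DnatRule:
    """Rewrite public_ip:port -> internal_ip:port for ports in the service."""
    public_ip: str
    internal_ip: str
    service: dict  # proto -> set of ports

    def apply(self, pkt: Packet) -> Packet:
        if pkt.dst_ip == self.public_ip and pkt.dst_port in self.service.get(pkt.proto, ()):
            return Packet(pkt.proto, self.internal_ip, pkt.dst_port)
        return pkt  # unchanged: same object, so the caller can detect "no match"


@dataclass
class AllowRule:
    """Forward-filter rule: accept traffic to dst_ip on the service's ports."""
    dst_ip: str
    service: dict

    def matches(self, pkt: Packet) -> bool:
        return pkt.dst_ip == self.dst_ip and pkt.dst_port in self.service.get(pkt.proto, ())


@dataclass
class Firewall:
    dnat_rules: list = field(default_factory=list)
    allow_rules: list = field(default_factory=list)
    default_policy: str = "drop"

    def evaluate(self, pkt: Packet):
        """Return (verdict, packet as the filter stage saw it)."""
        for rule in self.dnat_rules:          # stage 1: NAT, first match wins
            translated = rule.apply(pkt)
            if translated is not pkt:
                pkt = translated
                break
        for rule in self.allow_rules:         # stage 2: filter on rewritten packet
            if rule.matches(pkt):
                return "accept", pkt
        return self.default_policy, pkt


def check_service_reachable(fw: Firewall, public_ip: str, service: dict):
    """Send one packet per (proto, port) at the public IP; return the blocked ones."""
    failures = []
    for proto, ports in service.items():
        for port in sorted(ports):
            verdict, _ = fw.evaluate(Packet(proto, public_ip, port))
            if verdict != "accept":
                failures.append((proto, port))
    return failures


def nat_only_firewall() -> Firewall:
    """The mistake named in the thread: DNAT created, firewall ports never opened."""
    return Firewall(dnat_rules=[DnatRule(PUBLIC_IP, PBX_IP, PBX_SERVICE)])


def nat_and_allow_firewall() -> Firewall:
    """Correct pairing: allow rule targets the internal (post-NAT) PBX address."""
    return Firewall(
        dnat_rules=[DnatRule(PUBLIC_IP, PBX_IP, PBX_SERVICE)],
        allow_rules=[AllowRule(PBX_IP, PBX_SERVICE)],
    )


def allow_on_public_ip_firewall() -> Firewall:
    """Another common slip: allow rule written against the public address,
    which the filter never sees because DNAT already rewrote it."""
    return Firewall(
        dnat_rules=[DnatRule(PUBLIC_IP, PBX_IP, PBX_SERVICE)],
        allow_rules=[AllowRule(PUBLIC_IP, PBX_SERVICE)],
    )


if __name__ == "__main__":
    scenarios = [
        ("DNAT only", nat_only_firewall()),
        ("DNAT + allow on internal IP", nat_and_allow_firewall()),
        ("DNAT + allow on public IP", allow_on_public_ip_firewall()),
    ]
    for name, fw in scenarios:
        failures = check_service_reachable(fw, PUBLIC_IP, PBX_SERVICE)
        status = "all ports reachable" if not failures else f"{len(failures)} port(s) blocked, e.g. {failures[:3]}"
        print(f"{name}: {status}")
```

Only the second scenario passes every port; the first reproduces the "NAT done, ports not open" failure, and the third shows why an allow rule has to name the internal host. Unrelated traffic to the public IP (for example TCP 443) still falls through to the default drop, which is the behaviour a firewall checker should confirm along with the open ports.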
  11. YiannisH_3CX

    YiannisH_3CX Support Team
    Staff Member 3CX Support

    Joined:
    May 10, 2016
    Messages:
    6,444
    Likes Received:
    463
    Thank you for sharing @MillsAz, I am sure many people will find this helpful.
     