Just dropping this here in case anyone else faces this issue. We deployed 3CX in the DMZ zone since all servers that are public facing are required to go there. The rules would allow direct access from the LAN across the needed ports for phone calls, etc. One issue that came up was provisioning the phones. All options required extensive manual work unless you have the phones on the same subnet as the server or an SBC was involved. The problem is that we would not want the phones to use the SBC since they have direct access to the 3CX server in the DMZ zone on the ports they need. Plus the SBC cannot support all the phones and creates another point of failure that we would prefer to avoid. The solution was to deploy an SBC to identify via broadcast traffic the phones in 3CX, then when provisioning simply switch the type of provisioning from using the SBC to the local LAN. Phone reboots and is provision properly without having to resort to manual provisioning or DHCP. I would think this would work in VPN scenarios as well or any situation where the phones can access the LAN IP of the 3cx server, but due to networking configuration the multicast traffic can't reach it.