• V20: 3CX Re-engineered. Get V20 for increased security, better call management, a new admin console and Windows softphone. Learn More.

3CX Soft Phone via Public IP (i.e. no VPN)

Status
Not open for further replies.

ziptalk

Joined
Nov 16, 2008
Messages
180
Reaction score
0
I have a simple requirement. I have fully tested the 3CX with VOIP gateways, an Analogue Gateway and can happily make and receive calls.

When I test the Soft Phone from remote locations, I generally use a VPN connection. However, I would like the ability for the 3CX soft phone to connect in via the WAN address of the 3CX server.

Upon configuring the 3CX SoftPhone client to connect to the WAN address, it successfully logs in. However, any calls that I make get returned as 'forbidden'.

Calls made to this softphone from either phones on the LAN where the 3CX is based come through fine.

Has anyone successfully managed to get a 3CX soft phone or any SIP phone to connect externally via the WAN address (Public IP) ?

I have included my Server log below that gets generated when I try to establish a call from the SoftPhone that's not on the VPN - if anyone can see anything there that they can assist on that would be greatly appreciated. Thanks for your help. Regards, Lewis

22:22:02.327 Call::Terminate [CM503008]: Call(32): Call is terminated
22:22:02.327 CallCtrl::eek:nIncomingCall [CM502001]: Source info: From: 32; To: "3CXPhone"[sip:[email protected]:5060];tag=e778ff46[sip:[email protected]:5060]
22:22:02.327 CallCtrl::eek:nIncomingCall [CM503013]: Call(32): Incoming call rejected, caller is unknown; msg=SipReq: INVITE [email protected]:5060 tid=a04b4272523e0319 cseq=INVITE [email protected]:5070 / 2 from(wire)
22:22:02.117 evt::CheckIfAuthIsRequired::not_handled [CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
INVITE sip:[email protected]:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.80.100:5070;branch=z9hG4bK-d8754z-c025893e6739792d-1---d8754z-;rport=20132;received=82.71.0.209
Max-Forwards: 70
Contact: [sip:[email protected]:5070]
To: [sip:[email protected]:5060]
From: "3CXPhone"[sip:[email protected]:5060];tag=e778ff46
Call-ID: ZTI3ZmY0NWM2Y2RiYzg1NWIyMmZlN2FiNmQ3MjE4ZTA.
CSeq: 1 INVITE
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REGISTER, SUBSCRIBE, NOTIFY, REFER, INFO
Supported: replaces
User-Agent: 3CX Phone 7.0.3766.0
Content-Length: 0


22:22:02.107 evt::CheckIfAuthIsRequired::not_handled [CM302001]: Authorization system can not identify source of: SipReq: INVITE [email protected]:5060 tid=c025893e6739792d cseq=INVITE [email protected]:5070 / 1 from(wire)
 
Hi I'm Light
I have that problem too. And I can make call from vpn to vpn but i can't hear the voic from any distinations.
Have you been succesfull call from vpn to vpn user with soft phone or hard phone? If can please help me to resolve this problem.
Thanks you so much.
Light
:)
 
This is most likely a firewall issue. A common mistake is that both ends do not have the proper ports open. Say the 3cx server is at work, and the softphone is at home. You need to have the sip and rtp ports open on the firewall at work AND at home.

Checkout this FAQ on how to setup a home router for this 2-way communication between home and work.
https://www.3cx.com/docs/manual/firewall-router-configuration/

Let me know how it goes!
 
Last edited by a moderator:
I managed to get this working in the end and believe it was a NAT / firewall issue.

I am not sure how I over came it, but it was pretty much ensuring that the FQDN sip.ziptechservices.co.uk had the usual ports forwarded to the 3CX internal IP Address, and under Settings > General that sip.ziptechservices.co.uk was specified as the URI to receive external calls.

Interestingly enough, my observations are that clients connected via VPN seem to be quicker, although it shouldn't be because either way it's packet switching across the Internet. Might be coincidence, but certainly my experience. I found the x-lite softphone client is not as quick as the 3CX one, but I am still in early-days of trialling.

Getting it to do what you want it to do isn't that hard, getting it to do it consistently and reliably is my challenging over remote broadband links.

Lewis
 
I think i tricked myself here in thinking I had overcome this problem. I haven't. I had a lan-to-lan VPN on one of our routers, and hence this skewed my interpretation that I had this one nailed. I have now come onto the remote testing phase of my setup i.e. remote softphones and hardphones and realise I still receive forbidden when I call an internal extension from the WAN. I can sign in and register my extension fine in my softphone okay with or without the tunnel.

I cleared the Server Activity Log, dialled extension 3969 which is a SNOM 320 sat in the office. I am connecting to sip.ziptechservices.co.uk over the Internet. And I receive 'Forbidden' in the softphone. Any ideas what I am missing, I have all the respective ports forwarding inbound, i.e. sip/5060/tcp, rtp-9000-9049 tcp and udp/5090 tcp for the tunnel. Signing in is not a problem, calling an internal extension is: see log.

Code:
23:03:24.582  [CM503008]: Call(49): Call is terminated

23:03:24.582  [CM502001]: Source info: From: "Lewis Sheridan"<sip:[email protected]:5060>;tag=454e1439<sip:[email protected]:5060>

23:03:24.582  [CM503013]: Call(49): Incoming call rejected, caller is unknown; msg=SipReq:  INVITE [email protected]:5060 tid=836919194b18d800 cseq=INVITE [email protected]:21590 / 2 from(wire)

23:03:24.382  [CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:

  INVITE sip:[email protected]:5060 SIP/2.0

  Via: SIP/2.0/UDP 192.168.80.101:51636;branch=z9hG4bK-d8754z-9f590d1fb024b839-1---d8754z-;rport=21590;received=82.71.0.209

  Max-Forwards: 70

  Contact: <sip:[email protected]:21590>

  To: <sip:[email protected]:5060>

  From: "Lewis Sheridan"<sip:[email protected]:5060>;tag=454e1439

  Call-ID: ZTJhMDFlOGJlMTUzMmU0OWQ1ZGJiNzJhOTI1ZjBlYzc.

  CSeq: 1 INVITE

  Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REGISTER, SUBSCRIBE, NOTIFY, REFER, INFO

  Supported: replaces

  User-Agent: 3CXVoipPhone 3.0.4959.0

  Content-Length: 0

  


23:03:24.382  [CM302001]: Authorization system can not identify source of: SipReq:  INVITE [email protected]:5060 tid=9f590d1fb024b839 cseq=INVITE [email protected]:21590 / 1 from(wire)

Appreciate any assistance on this - since the two features that make this a goer is oddly enough the fact that calls do not present themselves to extensions that are busy in a hunt group, i.e. just skips to the next, and the ability to have remote home workers and the hunt-group work remotely. I really want to lose the dependency on any VPN connectivity and truely have this work across the Internet.

Thanks in advance, Lewis
 
Hi

Try to do the following;

1. Set all remote phones to register against the public IP of 3Cx server.
2. Set the 3CX Server > General , SIP domain to read the private IP address of the 3CX server. We suspect this is set to an FQDN. If you need to change this restart the 3CX Phone System service.

Please advise the outcome.
 
William400 said:
Hi

Try to do the following;

1. Set all remote phones to register against the public IP of 3Cx server.
2. Set the 3CX Server > General , SIP domain to read the private IP address of the 3CX server. We suspect this is set to an FQDN. If you need to change this restart the 3CX Phone System service.

Please advise the outcome.
Thanks for that, I will test this evening and update accordingly. Many Thanks, Lewis
 
William400,

We're also trying to get this right at the moment can you confirm you mean the actual ip address not the FQDN.

And we are talking about "3cx Phone system->Settings->advanced->Settings for Direct SIP Calls->Local SIP domain", I could not see a sip domain entry under 3CX Server > General

we are using the latest version 7

thanks,

martin
 
ndl said:
William400,

We're also trying to get this right at the moment can you confirm you mean the actual ip address not the FQDN.

And we are talking about "3cx Phone system->Settings->advanced->Settings for Direct SIP Calls->Local SIP domain", I could not see a sip domain entry under 3CX Server > General

we are using the latest version 7

thanks,

martin
Hi Martin,

I believe William was referring to 3CX > Settings > Advanced > Settings for Direct SIP Calls > Local SIP Domain since I too could not see it under 3CX > General as William had suggested. I replaced my FQDN with the 'public' IP Address of the server and not the local one and this allowed it to work. A clue I think is in the Server Activity log where it referes to the source ID and invite request and it appends the extension with an IP Address and if this does not match your 'Local SIP Domain' field then the call is forbidden.

I have requested an rDNS entry and will reinstate the FQDN - and see whether that allows it to work. When you make the call in from external check the activity log and adjust the SIP Domain accordingly - I don't understand overly why this works, but it does - hope that helps.

I actually think 3CX should do a Nugget on an end to end provisioning, i.e. common things that everyone gets stuck on, like provisioning half a dozen phones, call in from remote, general setup of the 3CX software, provisioning a gateway etc. That would probably solve half the questions on the community forum - the documentation is good - but you really have to Google to get to those answers in my experience. Hope that works for you,

Lewis
 
I think that a change to the help message displayed when you hover over the blue help icon would help give a clue, maybe replace “3cx.local” with “3cx.com“. It would help give you an idea that it’s an external address not a local address

martin
 
ndl said:
I think that a change to the help message displayed when you hover over the blue help icon would help give a clue, maybe replace “3cx.local” with “3cx.com“. It would help give you an idea that it’s an external address not a local address

martin
Agree... even a full blow explanation would fit into an html alt tag, or even example plus description of use.
 
Earlier this week I had the same issues in getting a remote extension (PAP2T-NA) setup properly. Both the remote extension & 3CX Server are behind NAT/Firewalls. Until today, the remote extension would register successfully and could even receive phone calls....but I couldn't place a call to an internal extension # or external # (got busy signal). I upgraded to 7.1 Beta to see if that may resolve my issue but the problem still persisted. Finally, I found this post and entered a value in Advanced > Settings for Direct SIP Calls -> Local SIP Domain. We have FQDN (ex. sip.mycompany.com) for our server and I recall using this FQDN when I configured the remote device this week. So I entered the FQDN in the Local SIP Domain, registered the device and it was now able to place calls. And I left the "Allow calls to external SIP URIs" unchecked. The reason I am writing this up is because the suggestion has been made that FQDNs will not work. But it worked for me today. Perhaps this is something that has been enhanced in 7.1 Beta. But my gut tells me, if you want to us FQDN you have to make sure your remote device sip settings are configured to use it as well.


PAP2T-NA > NAT/Firewall ----------I N T E R N E T-------------- NAT/Firewall (ports mapped) > 3CX Server
 
Hello,

I am currently working with Version 9 and would like to update the domain which we register against, currently (sip.mydomain.com) and would like to have (voip.mynewdomain.com). Updating the 'local domain' does not seem to allow this change, however is there a service restart required?

Your insight would be much appreciated.

Thank you,
 
It won't allow a change, or, the change doesn't take affect? If a restart is required, you are usually told.

You really should have started a new thread, this is quite an old one
 
Thanks and I'll start a new thread on this one, thanks!
 
Status
Not open for further replies.
Get 3CX - Absolutely Free!

Link up your team and customers Phone System Live Chat Video Conferencing

Hosted or Self-managed. Up to 10 users free forever. No credit card. Try risk free.

3CX
A 3CX Account with that email already exists. You will be redirected to the Customer Portal to sign in or reset your password if you've forgotten it.