We recently upgraded a couple of clients to 3CX v12 SP6 and the new interface looks good. We have sent the Welcome e-mail to a number of test staff members to setup their iPhone and Androids and the first thing we noticed is despite using the 3CX Tunnel for voice connectivity we are also required to forward TCP 5000 or 5001 to the 3CX Phone System... Does this not alarm anyone? If not, let me explain - TCP 5000/5001 are the management ports of the phone system. I'm surprised this didn't raise any eyebrows with the 3CX security team.. :S 3CX - Please tell me you plan to run the 3CXPhone presence over the 3CX Tunnel in future ? or plan to use an alternate locked down HTTP port that doesn't publish the front door to the 3CX phone system to the world. I understand it is our responsible to set a secure password on the 3CX Management interface, however for the same reason banks don't put their combination protected vaults on the street I do not feel comfortable doing this. I would rather not be the victim of a 0day 3CX, Abyss or IIS security hole found by someone with too much time.