
Best practice On-premise or Off-premise (private) cloud installation


angeraer (Forum User, joined Dec 4, 2017)
Hello,

I've been reading this forum and the website for quite a while now trying to figure out the best practice implementation for a 'hosted' installation. There are numerous threads about this topic and I already installed it +20 times now in all different configurations trying to see what works best:). Can I summarize the 3CX best practice possibilities to this:
  • On-premise installation:
    • Phones and PABX in the same (V)LAN
  • Off-premise installation:
    • if extensions < 5 use direct SIP with STUN. (Firewall rules needed in both ways with unique ports per phone!)
    • If extensions < 50 use a SBC. SBC and phones in same (V)LAN.
    • If extensions > 50 use multiple SBCs and phones in multiple (V)LANs since there is a limitation in number of extensions per SBC.
    • Tunnel on-premise phone (V)LAN via VPN to off-premise PABX. (Example encrypted EoIP Layer 2 tunnel)
    • Use an off-premise non-3CX SBC as a SIP proxy. Phones will be seen as if they are locally connected to the PABX. (Not supported by 3CX)

The fact that I currently have an 'unknown brand' cloud PBX from a provider working without an SBC and without STUN configured on the phones means they are using some other technology? How is it possible that this system doesn't need firewall rules or whatever to be operational?

thanks,

Andy.

EDIT1: Added VPN solution as suggested by @sip.bg
EDIT2: Added off-premise SBC solution as suggested by accentlogic
 
If you can control routers and build IPsec VPNs, better use this technology. No limitations about number of phones.
If using specific routers like MikroTik, you can even build Layer2 EoIP tunnels with IPsec -- this allows PBX to discover phones like they are in the local segment of PBX LAN. The price of MikroTik routers start from $20.-
 
@angeraer You missed the VPN method which @sip.bg pointed out. And chances are your current cloud provider is using an SBC, but they have the SBC on their end.
 

Well, they won't give me insight into their setup of course:) Any idea how this circumvents the SIP/RTP ports nightmare? I don't have any specific configuration in the phone; the only thing I see in the Yealink phone configuration is:

account.1.outbound_proxy.1.address = sip.xxxxxxx.xxxxxx.be

The sip server address is the same. (account.1.sip_server.1.address = sip.xxxxxxx.xxxxxx.be)

Andy.
 
I think you currently have summed up the best practice options very well, although we use an SBC any time there is more than 1 phone at site. Although not supported, our experience has been that if there is just one phone STUN has worked with no issues with no local firewall changes at the client site.

As sip.bg and cobaltit said, VPN is a solid way to go if it's an option. Might be hard to scale and it complicates the install a bit, so I'd probably only use it on larger installations.

I think you found what your current provider is doing, which is basically an SBC or Proxy agent in between the client premise and the PBX. It makes 3CX think all the phones are LAN based, and the proxy manages all of the translations. This means it's not supported by 3CX, so I would not call it a "best practice", but that depends on your perspective.
 
I have a few installations out there with "PBX delivers audio" set and no port incrementing, and multiple remote STUN phones with no issues. Am I just getting lucky?
 
Very helpful post, @angeraer. Would you mind sharing an example on how you assign/handle ports in the first situation (if extensions < 5 use direct SIP with STUN). Thanks!
 
Just to put it out there that other methods of achieving remote extensions exist without a need for an SBC on site or ports opening in the firewall.
 
@V, example? As you probably figured out by now, I am fairly new at this, but trying to learn quickly.
 
Remote extensions may be configured to use the PBX public IP address as STUN (at port 5060).
You don't need to configure anything on the remote router, except maybe a DHCP server with Option 66 to automate provisioning of remote phones.
The router in front of the PBX must be configured to allow port forwarding / NAT according to 3CX requirements (tcp 5000,5001,5060,5061,5090; udp 5060,5090,9000-9500).
Using an SBC is an option (normally you don't need it, STUN is enough).
 
It is possible with certain handsets to open a tunnel directly to the PBX encapsulating all traffic and having the phones appear locally to the PBX.
 
Our set up is PBX on the Google and remote sites using 7960s. We prepare the config files and provision the phones via TFTP.

@sip.bg, if they all use the same public IP, how would the server be able to tell the difference between the phones? I was under the impression that was an identified issue, and we actually had to set up an SBC to resolve it. It just seems too onerous to dedicate a machine as SBC for fewer than 5 phones. Or is this different? Perhaps a specific example?

@V, we are currently using older phones, 7960s. Are they able to be configured to use the tunnel?
 
If your routers are working properly (and do full cone NAT) you may use the STUN method for configuring remote extensions (as many as you want). All remote phones will register from the public address of the remote site, but from different ports. All phones may have port 5060 as their local SIP port (default setting).

If this setup is not working, either replace your router with a professional one (not a cheap home router) or use an SBC to overcome network issues. For optimal price/performance I recommend using MikroTik routers. No issues with them and 3CX deployment.

However, I always recommend implementing VPN tunnels in a corporate environment.
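To make the two points above concrete (phones behind one public IP are told apart by source port; STUN only works when the NAT keeps one mapping per internal socket), here is an added simulation in Python. It is not 3CX code and not from this thread; the addresses, ports and the toy NAT table are constructed, and the PBX is modelled as the STUN server on 5060 with media on 9000, as described in the thread.

```python
"""Toy NAT + SIP registrar model (constructed example, not 3CX code)."""
from itertools import count

PUBLIC_IP = "203.0.113.7"           # constructed public IP of the remote site
PBX_SIP = ("198.51.100.2", 5060)    # constructed PBX address; also the STUN server
PBX_RTP = ("198.51.100.2", 9000)    # first media port of the 9000-9500 range


class Nat:
    """full_cone=True : one external port per internal (ip, port), reused for
    every destination (what the phones need).
    full_cone=False: symmetric NAT, a new external port per destination."""

    def __init__(self, full_cone):
        self.full_cone = full_cone
        self.table = {}
        self.ports = count(40000)   # constructed ephemeral port allocator

    def translate(self, src, dst):
        key = src if self.full_cone else (src, dst)
        if key not in self.table:
            self.table[key] = (PUBLIC_IP, next(self.ports))
        return self.table[key]


def register(nat, phones):
    """Each phone sends REGISTER to the PBX. The registrar binds the extension
    to the address the packet arrived from (Via received/rport), so phones
    sharing one public IP still get distinct bindings via their ports."""
    return {ext: nat.translate(src, PBX_SIP) for ext, src in phones.items()}


def stun_discover(nat, src):
    """Phone asks the PBX (acting as STUN server) how it is seen from outside."""
    return nat.translate(src, PBX_SIP)


def rtp_will_flow(nat, rtp_src):
    """Audio works only if the port the phone advertised in SDP (learned via
    STUN towards 5060) equals the port its RTP really leaves the NAT from
    when sent towards the media port. Symmetric NAT breaks this: no audio."""
    return stun_discover(nat, rtp_src) == nat.translate(rtp_src, PBX_RTP)


if __name__ == "__main__":
    phones = {"100": ("192.168.1.10", 5060), "101": ("192.168.1.11", 5060)}
    for name, nat in (("full cone", Nat(True)), ("symmetric", Nat(False))):
        print(name, register(nat, phones), "audio:", rtp_will_flow(nat, ("192.168.1.10", 11780)))
```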
 
You might want to reconsider your MikroTik idea. Twice now in the last 6-12 months, leaked information has shown that the NSA has full root backdoors in them, and can take full control of the devices without the knowledge of the owners/admins. They like to talk a big game about security, but you might want to do your research. Follow the link below and read the "Hive" section; this is just one of the 2-3 different backdoors/exploits the NSA has to break into MikroTik devices.
https://protonmail.com/blog/cia-wikileaks-encryption/
https://wikileaks.org/ciav7p1/

Actual documents on the exploits: they have it so easy it's almost automated to bust into these things. See link 3 for a direct example.
https://wikileaks.org/ciav7p1/cms/page_16384512.html
https://wikileaks.org/ciav7p1/cms/page_28049428.html
https://wikileaks.org/ciav7p1/cms/page_44957707.html
https://wikileaks.org/ciav7p1/cms/page_16384604.html - ChimayRed, so easy to bust into a MikroTik a 5-year-old could do it.


The Hive exploit affected many OSes, including Windows, Linux, Android. It's not only MikroTik that is affected. However, newer MikroTik firmware closed the exploit: https://forum.mikrotik.com/viewtopic.php?f=21&t=119308&p=587512#p587512
 
Yes, I'm aware the exploit was closed. However, it just seemed troubling to me that 2-3 times now root access has been exposed through various exploits; it makes one wonder about the quality of their code reviews. Cisco in a few cases has been just as guilty: they don't like letting outsiders review their nitty-gritty source code, and as such they have had backdoor/exploit issues as well. In one such case it was possible to log in to a router just by using an apostrophe as the username with no password.

 
In our environment we have Cisco units, from 2500s, 7507, and misc others, a few Junipers, Fortinets, a Brocade or two, a bunch of older SonicWall units thanks to my predecessor, which I keep trying to get replaced, and a bunch of OPNsense/pfSense units that we have found to work very well, especially for complicated NAT/network scenarios.
Everyone has their own favorite firewall device; obviously you like your MikroTiks. We tried one out, but discovered their implementation actually doesn't work well in situations that require full-cone NAT with static source and destination ports going through their NAT engine, so we swapped it with an OPNsense unit and fixed the problem. This was causing intermittent no-audio scenarios on a 3CX hosted install: the unit kept re-mapping the port numbers to random ephemeral ports, even after we followed their instructions, so we canned it. OPNsense has a single rule you add, which is simple, and fixes the issue, for 3CX or anything that needs full-cone support.

MikroTik is not worse than any other Cisco, Juniper, Ubiquiti or other routers. This is a good article on strengthening router security: https://www.manitonetworks.com/networking/2017/7/25/mikrotik-router-hardening
 
Very good experience. Probably you haven't disabled some NAT helpers enabled by default in MikroTik, like the SIP helper. There is also a 3CX guide on how to configure MikroTik routers for use with 3CX: https://www.3cx.com/docs/mikrotik-firewall-configuration/

We are operating a large network with over 1000 MikroTik routers at customer sites and many cloud-core routers for cloud PBX implementations and other VPS services. This includes VPNs and VLANs, as well as EoIP, IPIP and GRE tunnels with IPsec, MPLS, etc.

But everyone has the freedom to choose their favorite platform. MikroTik is also quite cost-effective, which is important in a competitive environment, and is also a European brand (designed and manufactured in the EU). I'm not going to compare MikroTik with other brands like Cisco, Juniper, etc. The mere fact that MikroTik is selling more units than anybody else is enough.

The purpose of suggesting MikroTik in this forum is the fact that many customers and integrators experience difficulties in solving relatively simple network tasks, like building a VPN tunnel, etc. I'm just giving the idea that such tasks can be easily accomplished with MikroTik routers, which can ease the deployment of 3CX system solutions. In most cases this could be easier than installing and configuring a 3CX SBC, with fewer limitations, etc.
 
The base little OPNsense box we use for remote offices, some of the permanent work-at-home people, and small networks is ~$100, and OPNsense is hardware agnostic, so we just install it on a device that has the proper specs to handle the expected load, and it just works. In the datacenter we have one on a dual quad-core Xeon Dell R710 with 96 GB RAM; it handles our gigabit fiber links into our internal datacenter network. We have 8 gigabit links connected to it. It handles 10 blocks of IPs (/27s) we route to internal servers, and is set up for ~50,000,000 as a max state table size.
 