configuring external extension Status 403 forbidden

Discussion in '3CX Phone System - General' started by slippers, May 23, 2011.

Thread Status:
Not open for further replies.
  1. slippers

    Joined:
    May 3, 2011
    Messages:
    5
    Likes Received:
    0
    hello, i hope someone can shed some light on this

    we have 3cx up and running at head office, using VOIP unlimited, phones all work fine at head office
    director now wants an extension at his home
    so i bought him a Yealink SIP T20P, setup an extension 201 and went to his house. phone registers, phone shows 201 on screen but can not dial out, get forbidden on screen

    wireshark on 3cx server shows STATUS 403 forbidden when trying to dial the reception extension from MD house for example - or any other extension
    firewall checker ran all fine - exit code 0
    we are not using a proxy at head office or at MD house ?
    directors remote SIP phone is pointed at Ext IP of office FW, ports forwarded
    am I missing something here ?
    tech support agent said i need to use proxy, then i rang back later and another chap said i didnt and was using wrong firmware on Yealink. firmware on Yealink now 9.60.0.110 but still can not make a call
    any help please, how do i do this
    the company may also want extensions putting in at other directors and managers houses if this works well, so i'm trying to impress here !!
     
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,778
    Likes Received:
    286
    There have been some other external Yealink issues recently, but they may not be related.
    If you are using 3CX version 10, there is an option in each extension to allow remote registration, be sure that is enabled. I assume that you have STUN enabled in the remote set (although that should not cause the forbidden error).

    Have a look at he 3CX server log, it may give you some more info as to what it going on during a registration attempt.
     
  3. slippers

    Joined:
    May 3, 2011
    Messages:
    5
    Likes Received:
    0
    thanks lee
    we are using version 9. the phone registers. extension is green in 3cx

    directors WAN ip = 188.220.99.xx
    directors handset LAN IP = 192.168.249.13
    directors home extension = 201
    server log - blacklist ?!?!?!


    18:51:55.894 Requests rate from IP 188.220.99.xx is too high! Blacklisted for 334 seconds
    18:51:55.894 [CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
    INVITE sip:101@mail.mydomain.com SIP/2.0
    Via: SIP/2.0/UDP 188.220.99.xx:5062;rport=5062;branch=z9hG4bK1914690299
    Max-Forwards: 70
    Contact: <sip:201@188.220.99.xx:5062>
    To: <sip:101@mail.mydomain.com>
    From: "jon home"<sip:201@mail.mydomain.com>;tag=347124977
    Call-ID: 141431230@192.168.249.13
    CSeq: 1 INVITE
    Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
    Supported: replaces
    User-Agent: Yealink SIP-T20P 9.60.0.110
    Allow-Events: talk, hold, conference, refer, check-sync
    Content-Length: 0

    18:51:55.894 [CM302001]: Authorization system can not identify source of: SipReq: INVITE 101@mail.mydomain.com tid=1914690299 cseq=INVITE contact=201@188.220.99.xx:5062 / 1 from(wire)
    18:51:38.488 Currently active calls [none]
    18:51:06.488 Currently active calls [none]
    18:50:34.489 Currently active calls [none]
    18:50:02.489 Currently active calls [none]
    18:49:55.301 [CM506001]: STUN request to resolve SIP external IP:port mapping is sent to STUN server 96.9.132.83:3478 over Transport 192.168.250.3:5060
    18:49:30.489 Currently active calls [none]
    18:48:58.489 Currently active calls [none]
    18:48:26.490 Currently active calls [none]
     
  4. slippers

    Joined:
    May 3, 2011
    Messages:
    5
    Likes Received:
    0
    ok got a little way forward
    on the yealink at directors house changed the SIP server from the FQDNS name of the firewall to the actual ext IP of the main firewall
    the forbidden error has now gone, so it looks like these yealinks cant do a simple DNS lookup on an A record !
    anyway we can now ring extensions in the Head office but theres no one in at this time of night to answer them.

    i did try calling an external number from the directors house i.e 9,01215212344 destination phone rang but got no audio when they answered
     
  5. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,778
    Likes Received:
    286
    Did you put your URL into the SIP domain of 3CX? It wants that there if you send a call to the URL rather than the direct public IP. I would X out your URL in your post too. The registration shows the public IP of the set at the far end (X out that IP too), so I don't think it is a STUN issue. Could there be a port conflict? Does the remote router have a built in ATA?
     
  6. slippers

    Joined:
    May 3, 2011
    Messages:
    5
    Likes Received:
    0
    yes details removed as suggested lee,

    ok, from the directors home i can now dial an office extension but no audio is coming through to either end, the phone in the head office rings.

    are there any rules / port forwarding required at the directors house ? at the moment its just a basic netgear firewall with full outbound access but no inbound rules or NAT rules.... i thought the only port forwarding required was at the 3CX server end

    thanks for the help so far, i'm new to this VOIP stuff but keen to learn
     
  7. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,778
    Likes Received:
    286
    You should not have to do any port forwarding at a remote end. You could try putting its IP in the DMZ, if the router supports that.

    Someone else is having a problem with a Yealink at a remote location...http://www.3cx.com/forums/calling-remote-location-from-office-20108.html
     
  8. georgek

    Joined:
    Sep 6, 2012
    Messages:
    2
    Likes Received:
    0
    I had the same problem, Grandstream GXP 2020 on an external ext was registering but could not make calls, 403 not allowed to make call or Forbidden is using the 3CX Softphone.

    After contacting the support team and providing all support information required they suggested i use the SIP Proxy manager but i said this was simply not acceptable as so many other PBX systems dont have a problem having external extensions.

    Anyway so went away and done my own digging around. The solution for me was in the 3CX System:

    Go to: Settings>Network>STUN Server tab and put a tick in "Turn off STUN Server", then put your public IP in the section "Public IP to specify in Contact and SDP". Once i dont this everything worked fine when i configured the phone as per this article: http://www.3cx.com/blog/voip-howto/remote-extensions/

    Hope this helps.
     
Thread Status:
Not open for further replies.