Connect Remote Extensions through Fortigate Firewall

Status
Not open for further replies.

Warren.Bedser

Hi there

I have multiple remote extensions that I need to connect to the 3CX system. On the Fortigate firewall, I have opened the following ports and port forwarded them to the 3CX server:
5090
5060
9000-9049
3478

Are there any other ports that need to be opened??

Thank you

Warren
 
We use Fortigates exclusively. Give this a shot. These are some notes I had in my system for using a VoIP provider with a Fortigate. You might need to do this to enable remote phones as well. I have not had a customer need remote phones yet.

If you run into problems with SIP and H.323 traversing your Fortigate firewalls this may be related to the SIP and H.323 session helpers (i.e. proxies). You can tweak them on the command line only. Here is what a typical configuration looks like:

    config system session-helper
        edit 1
            set name pptp
            set port 1723
            set protocol 6
        next
        edit 2
            set name h323
            set port 1720
            set protocol 6
        next
        edit 3
            set name ras
            set port 1719
            set protocol 17
        next
        *** snip ***
        edit 12
            set name sip
            set port 5060
            set protocol 17
        next
        edit 13
            set name dns-udp
            set port 53
            set protocol 17
        next
    end

To disable the SIP and H.323 session helpers use the following syntax:

    config system session-helper
        delete 12
        delete 3
        delete 2
    end

Keep in mind to delete session helpers starting at the highest numbered one. Otherwise you may inadvertently delete the wrong session helpers if you are not careful.

*****

Update: In FortiOS 3.0 MR6 and above you should also try the following commands:

    config system settings
        set sip-helper disable
    end

and

    config system settings
        set sip-nat-trace disable
    end
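
The deletion order described above, as an added example that is not part of the original post: this Python sketch finds the SIP and H.323 helpers by name in a session-helper dump and emits the delete commands from the highest entry number down, instead of assuming the entry numbers shown in the post. The sample dump is constructed from the configuration quoted above with the snipped entries left out, and the function names are hypothetical.

```python
import re

# Helpers the post removes: SIP plus the two H.323-related ones (h323, ras).
VOIP_HELPERS = {"sip", "h323", "ras"}

# Constructed sample: the entries quoted in the post, snipped ones omitted.
ENTRIES = [(1, "pptp", 1723, 6), (2, "h323", 1720, 6), (3, "ras", 1719, 17),
           (12, "sip", 5060, 17), (13, "dns-udp", 53, 17)]
SAMPLE_CONFIG = "config system session-helper\n" + "".join(
    f"    edit {i}\n        set name {n}\n        set port {p}\n"
    f"        set protocol {proto}\n    next\n"
    for i, n, p, proto in ENTRIES) + "end\n"


def parse_session_helpers(text):
    """Return {entry_id: {"name": ..., "port": ..., "protocol": ...}}."""
    helpers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        edit = re.fullmatch(r"edit (\d+)", line)
        if edit:
            current = helpers.setdefault(int(edit.group(1)), {})
        elif line == "next":
            current = None
        elif current is not None:
            setting = re.fullmatch(r"set (\S+) (\S+)", line)
            if setting:
                current[setting.group(1)] = setting.group(2)
    return helpers


def build_delete_commands(text, names=VOIP_HELPERS):
    """Build the delete block for the named helpers, highest entry first."""
    helpers = parse_session_helpers(text)
    ids = sorted((i for i, h in helpers.items() if h.get("name") in names),
                 reverse=True)
    if not ids:
        return []  # nothing to delete, so emit no config block at all
    return ["config system session-helper",
            *[f"    delete {i}" for i in ids], "end"]


if __name__ == "__main__":
    print("\n".join(build_delete_commands(SAMPLE_CONFIG)))
```

Review the generated block against the live configuration before pasting it into the CLI.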
 
I've just completed a 50 extension 3CX install where half of the extensions are split between two remote sites and the 3CX is behind a Fortigate. I tried a few different configurations.

The 3CX tunnel is the path of least configuration for remote extensions, as you only need the tunnel port (and webserver port if using myphone). The tunnel is best used with the 3CX softphone, or with the 3CX SIP proxy manager installed at the remote site. Additionally, the Fortigate (or any other SIP helper enabled device) doesn't have any knowledge of SIP traffic over the tunnel port. It's simply TCP/UDP traffic, so you don't have any SIP helper complications.

Additionally, it's easier to prioritize the single tunnel port traffic with Fortigate than it is multiple ports or port ranges.

There are some intermittent one-way audio issues that you may or may not see when using the tunnel. If you see it, there is an out of band fix that should be available from support, and I believe it will most likely be incorporated into a future SP.

If you have permanent remote sites with multiple extensions per site and good bandwidth, a nailed-up connection (like VPN) could simplify some things, like phone provisioning for example.
 