Connect Remote Extensions through Fortigate Firewall

Discussion in '3CX Phone System - General' started by Warren.Bedser, Jan 31, 2012.

Thread Status:
Not open for further replies.
  1. Warren.Bedser (Joined: Nov 17, 2011, Messages: 9, Likes Received: 0)

    Hi there

    I have multiple remote extensions that I need to connect to the 3CX system. On the Fortigate firewall, I have opened the following ports and port forwarded them to the 3CX server:
    5090
    5060
    9000-9049
    3478

    Are there any other ports that need to be opened??

    Thank you

    Warren
     
  2. netswork, Active Member (Joined: Mar 11, 2011, Messages: 577, Likes Received: 1)

    We use Fortigates exclusively. Give this a shot. These are some notes I had in my system for using a VoIP provider with a Fortigate. You might need to do this to enable remote phones as well. I have not had a customer need remote phones yet.

    If you run into problems with SIP and H.323 traversing your Fortigate firewalls this may be related to the SIP and H.323 session helpers (i.e. proxies). You can tweak them on the command line only. Here is what a typical configuration looks like:

    config system session-helper
    edit 1
    set name pptp
    set port 1723
    set protocol 6
    next
    edit 2
    set name h323
    set port 1720
    set protocol 6
    next
    edit 3
    set name ras
    set port 1719
    set protocol 17
    next
    *** snip ***
    edit 12
    set name sip
    set port 5060
    set protocol 17
    next
    edit 13
    set name dns-udp
    set port 53
    set protocol 17
    next
    end

    To disable the SIP and H.323 session helpers use the following syntax:

    config system session-helper
    delete 12
    delete 3
    delete 2
    end

    Keep in mind to delete session helpers starting at the highest numbered one. Otherwise you may inadvertently delete the wrong session helpers if you are not careful.

    *****

    Update: In FortiOS 3.0 MR6 and above you should also try the following commands:

    config system settings
    set sip-helper disable
    end

    and

    config system settings
    set sip-nat-trace disable
    end
     
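Added example, not part of netswork's post: a small Python helper that reads a pasted `config system session-helper` listing in the format quoted above, finds the SIP and H.323 entries by name, and emits the `delete` block with the highest entry number first. The function names and the sample listing are constructed for illustration; the sample contains only the five entries visible in the post.

```python
import re

# Helpers the post removes: SIP plus the two H.323-related entries (h323, ras).
VOIP_HELPERS = frozenset({"sip", "h323", "ras"})

def parse_session_helpers(config_text):
    """Parse 'edit N / set key value / next' entries into {N: {key: value}}."""
    entries, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()  # tolerate indented listings as well as flat pastes
        edit = re.fullmatch(r"edit (\d+)", line)
        setting = re.fullmatch(r"set (\S+) (\S+)", line)
        if edit:
            current = int(edit.group(1))
            entries[current] = {}
        elif line in ("next", "end"):
            current = None
        elif setting and current is not None:
            entries[current][setting.group(1)] = setting.group(2)
    return entries

def build_delete_block(config_text, names=VOIP_HELPERS):
    """Return the delete block for the named helpers, highest entry ID first."""
    entries = parse_session_helpers(config_text)
    ids = sorted((i for i, e in entries.items() if e.get("name") in names),
                 reverse=True)
    return "\n".join(["config system session-helper",
                      *(f"delete {i}" for i in ids), "end"])

# Constructed sample: (id, name, port, protocol) for the entries shown in the post.
ROWS = [(1, "pptp", 1723, 6), (2, "h323", 1720, 6), (3, "ras", 1719, 17),
        (12, "sip", 5060, 17), (13, "dns-udp", 53, 17)]
SAMPLE = "config system session-helper\n" + "".join(
    f"edit {i}\nset name {n}\nset port {p}\nset protocol {proto}\nnext\n"
    for i, n, p, proto in ROWS) + "end\n"

if __name__ == "__main__":
    print(build_delete_block(SAMPLE))
```

Selecting entries by name rather than by number means the generated block follows whatever numbering the pasted listing actually has.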
  3. cfive, Member (Joined: Aug 20, 2009, Messages: 284, Likes Received: 6)

    I've just completed a 50 extension 3CX install where half of the extensions are split between two remote sites and the 3cx is behind a fortigate. I tried a few different configurations.

    The 3cx tunnel is the path of least configuration for remote extensions - as you only need the tunnel port (and webserver port if using myphone). The tunnel is best used with the 3cx softphone, or with the 3cx SIP proxy manager installed at the remote site. Additionally, the fortigate (or any other SIP helper enabled device) doesn't have any knowledge of SIP traffic over the tunnel port - it's simply TCP/UDP traffic so you don't have any SIP helper complications.

    Additionally, it's easier to prioritize the single tunnel port traffic with fortigate than it is multiple port(s) or port ranges.

    There are some intermittent one-way audio issues that you may or may not see when using the tunnel. If you see it, there is an out of band fix that should be available from support, and I believe it will most likely be incorporated into a future SP.

    If you have permanent remote sites with multiple extensions per site and good bandwidth, a nailed-up connection (like VPN) could simplify some things, like phone provisioning for example.
     