CTI mode for a segregated network

Discussion in '3CX Phone System - General' started by IT Hamster, Oct 23, 2015.

Thread Status:
Not open for further replies.
  1. IT Hamster

    May 21, 2015
    Hello All,

    I have an upcoming deployment for a client that already has infrastructure in place to segregate their VoIP network from their computer network. I've done some preliminary setup tests (see attached picture) with a few firewalls and switches.

    In this configuration, I am unable to use CTI mode. I'll admit I'm not a networking guru, but I take direction well and was wondering if any of you have a similar setup in your network and, if so, would you mind pointing me in the right direction as to how to accomplish this? Feel free to tell me I've got the wrong setup!

    I'm all for learning the best way to implement this stuff.

    Thanks in advance,
    IT Hamster

  2. AlexanderHanna

    AlexanderHanna New Member

    Oct 2, 2015
    Hi, when you say you are unable to use CTI, have you tried it? I have installs on different networks and the user is still able to use CTI to control the phone.
  3. JonnyM

    May 17, 2010
    Can you add some interface addresses/subnets to your diagram and describe where and if NATing is taking place?
  4. tsukraw

    tsukraw New Member

    Mar 9, 2012
    Agreed, we for sure need to see some IP address info.
    So looking at your diagram, it appears the PC and Voice networks are 100% separate, with separate routers and connections to the WAN, correct?

    If this is the case, CTI will not work since you cannot talk subnet to subnet.

    A simple test would be to put a phone on the Voice network; from a PC with the 3CXphone software, can you PING the IP address of the phone? If the answer is NO then CTI will not work... "as of v14.SP1 changes are coming that will allow it"....

    If the answer is yes, then can you pull up the web interface of the phone?

    So more or less how CTI works is it is sending HTTP commands to the phone. So the PC needs to be able to talk to the local IP of the phone. This only applies if the phone is set up in a local mode. Remote STUN CTI is not available yet.
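
The second check in the post above (can the PC pull up the phone's web interface?), written as a small probe. This is an added example, not part of the original thread or of 3CX's tooling; TCP port 80 and the placeholder address 192.0.2.10 are assumptions, so substitute the phone's real IP and web port.

```python
"""Probe a desk phone's web interface from the PC that would run CTI."""
import http.client
import socket
import sys

# What each verdict suggests in a segregated PC/voice layout.
VERDICTS = {
    "http-ok": "phone answered HTTP; the path CTI needs exists",
    "tcp-only": "port open but no HTTP reply; check the phone's web service",
    "refused": "connection reset; the host or a firewall rejects this port",
    "filtered": "no reply before timeout; a firewall or ACL is likely dropping it",
    "unreachable": "no route or name lookup failed; the subnets cannot talk",
}

def probe_phone_web(host, port=80, timeout=3.0):
    """Return a VERDICTS key for the TCP + HTTP path from this PC to host:port."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # no route, network unreachable, DNS failure
        return "unreachable"
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        conn.getresponse()  # any status (200, 401, 501...) proves HTTP works
        return "http-ok"
    except (OSError, http.client.HTTPException):
        return "tcp-only"
    finally:
        conn.close()

if __name__ == "__main__":
    # 192.0.2.10 is a documentation address used as a placeholder phone IP.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    verdict = probe_phone_web(target)
    print(f"{target}: {verdict} - {VERDICTS[verdict]}")
```

Run it from a PC on the computer network; "filtered" or "unreachable" points at the firewall or routing between the two segments rather than at the phone.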
  5. jholcombe

    Jul 9, 2014
    For CTI mode to work, I believe the phones and computers running 3CXPhone in CTI mode are going to need to be able to communicate with each other. They can be segmented onto separate networks. However, the design shown appears to be two totally separate networks with firewall separation with two separate firewalls. The only way I think you could make this work is to set up a VPN between both firewalls so the computer network and phone network can communicate with each other. I'm not sure what ports you'll need to open between them though to get this to work.

    Are there actually two physically separate switch configurations as well, or do the two firewalls plug into the same set of switches?

    I would suggest, if possible, running the computers and phones on the same switch equipment. If they must be isolated onto different VLANs then tag the port the phone is connected to with a VLAN for the phone network. Run the computer network untagged. Set up a DHCP option on the computer network to tell the phones to switch to the tagged phone network. Create another DHCP option on the phone network for the phone provisioning. This way the phones can be easily re-provisioned if necessary in the future. Set up the 3CX server and other VoIP equipment (gateways, etc.) to run on the phone VLAN.

    If you have two separate physical networks running into the same office, I'm afraid you might run into issues where people plug their computers into the wrong port (phone network) or phones into the wrong port (computer network), or possibly even have a patch cable inadvertently connecting both networks together. If you've got phones with two ports, users could plug both ports in across networks, creating what I call a "phone bridge".

    You can set up ACLs on the switch if you need to so only certain traffic will go between the two subnets, or VLAN all the way back to the firewall and set up the ACLs from there. Again, though, I'm not sure what ports are necessary for 3CXPhone to communicate in CTI mode. I wish you success with your project!
