Dismiss Notice
We would like to remind you that we’re updating our login process for all 3CX forums whereby you will be able to login with the same credentials you use for the Partner or Customer Portal. Click here to read more.

Firewall Lock Down and Port Forwarding

Discussion in '3CX Phone System - General' started by danjhayman, Sep 28, 2016.

Thread Status:
Not open for further replies.
  1. danjhayman

    Sep 28, 2016
    Likes Received:

    We have our 3CX server hosted on an Amazon instance. We have recently received several emails from 3CX about IP making too many login attempts so we've decided to lock down the firewall to our single office IP.

    I have found the below list of ports to open but the firewall checker still fails. Are there any additional ports to open? Does any one have any experience locking down the firewall to a 3CX server?

    TCP 5000 or 80 v14: This port can be configured when Webserver is Abyss. On IIS it is fixed to 80
    TCP 5001 or 443 v14: This port can be configured when Webserver is Abyss. On IIS it is fixed to 443

    UDP & TCP 5060 3CX Phone System (SIP)
    TCP 5061 3CX Phone System (SecureSIP) TLS
    UDP & TCP 5090 3CX Tunnel Protocol Service Listener
    UDP 9000-9255 (default) 3CX Media Server (RTP) – WAN audio/video/t38 streams
    UDP 9256-9500 (default) External media transmission for 3CX WebRTC
  2. leejor

    leejor Well-Known Member

    Jan 22, 2008
    Likes Received:
    The resulting messages, from the Firewall Test, will tell you which ports it finds are not open, or are incorrectly configured. If you are using any remote extensions, that can originate from different IPs, they you may find it hard to completely block attempted hack registrations. You would have to have the firewall "whitelist" a limited number of IPs to the complete exclusion of all others.

    The black list rules can be tweaked to provide a decent "barrier" against hacks. Increasing the blacklist time drastically is a good start.
Thread Status:
Not open for further replies.