Dismiss Notice
We would like to remind you that we’re updating our login process for all 3CX forums whereby you will be able to login with the same credentials you use for the Partner or Customer Portal. Click here to read more.

General question about phone compatibility

Discussion in '3CX Phone System - General' started by ovizii, Dec 7, 2017.

Thread Status:
Not open for further replies.
  1. ovizii

    Joined:
    Nov 20, 2017
    Messages:
    55
    Likes Received:
    1
    I found the general info page: https://www.3cx.com/sip-phones/ but what exactly does compatibility mean? Are these phones able to use the 3cx specific tunnel?

    The reason I am asking is that I am planning to host my own 3cx pabx in the cloud and am looking at compatible phones to use in our offices. The mobile clients and softphones seem to use this tunnel so that's already quite secure and now I was wondering about the desk phones.

    I'd appreciate any info or pointers to go read up on this issue.

    I know I can set up a SBC to use the tunnel. Just trying to figure out if any phones do this directly.
     
  2. ovizii

    Joined:
    Nov 20, 2017
    Messages:
    55
    Likes Received:
    1
    OK, answered my own question, around minute 3:20

    on youtube: 3CX Intermediate Certification: 7. Remote IP Phone Extension (SBC) v15.5

    So you need an SBC to add the tunnel feature to compatible phones.
     
  3. sip.bg

    sip.bg Active Member

    Joined:
    Nov 7, 2016
    Messages:
    704
    Likes Received:
    220
    For secure operation you need either to enable secured SIP and secure RTP for remote phones or use an IPsec VPN tunnel.
    3CX tunnel used in softphones and 3CX SBC only encapsulates traffic to port 5090 tcp & udp, but traffic will not be encrypted.

    Compatible phones can be provisioned and maintained by 3CX PhoneSystem, so they are recommended to be used. Legacy phones are also partly or fully compatible, some features may not work eventually, e.g. remote phonebook, etc. They are tested with 3CX.
    All other SIP 2.0 devices may work or not with 3CX -- you need to test them. This means no phonebook, no firmware upgrades, blind or attended transfer may not work, etc. Configuring them could mean lots of manual work.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 sip.bg, Dec 7, 2017
    Last edited: Dec 7, 2017
    nitrox likes this.
  4. ovizii

    Joined:
    Nov 20, 2017
    Messages:
    55
    Likes Received:
    1
    Thanks very useful info but it raises a few other questions:

    Any best practices regarding how to connect an office securely to a cloud hosted 3CX? I could open a VPN tunnelboth ways but I'm sure there are some best practices out there?

    Also, you say that the 3cx tunnel via port 5090 doesn't encrypt the traffic which has got me confused. You mean it only serves to use 1 port vs many ports and transports all traffic between a phone and the pabx through 1 port but other than that there's no encryption?
     
  5. sip.bg

    sip.bg Active Member

    Joined:
    Nov 7, 2016
    Messages:
    704
    Likes Received:
    220
    Depends what you want to achieve.

    Encrypting traffic is possible with secure SIP/secure RTP in phones, but this means importing certificates, etc., which is different for different brands and not documented by 3CX (only how to enable it per extension / provisioned phone).

    I would rather prefer site-to-site VPN with IPsec, between routers and independent from PBX and phones. You need to be able to control routers for this. Some phones could build a L2TP or OpenVPN tunnel to your main router (in front of PBX), if not usiing site-to-site IPsec VPN.
    3CX tunneling encapsulates the traffic only, like GRE (General Route Encapsulation) tunnel, supported widely by routers. 3CX tunnel is also similar to IAX tunneling in Asterisk world (at port 4569). Will be a good idea, if 3CX supports IAX, as there are hardware phones, supporting IAX accounts, beside SIP.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 sip.bg, Dec 7, 2017
    Last edited: Dec 7, 2017
    nitrox likes this.
  6. sip.bg

    sip.bg Active Member

    Joined:
    Nov 7, 2016
    Messages:
    704
    Likes Received:
    220
    Using 3CX SBC is a very good solution when you don't have control over the network (3CX PhoneSystem is cloud-based, you can't build VPNs) or you experience difficulties with voice (as SIP NAT is not straightforward procedure and could be an issue with some routers).
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. Saqqara

    Saqqara Well-Known Member

    Joined:
    Mar 12, 2014
    Messages:
    1,252
    Likes Received:
    203
    How many phones are you talking about ? As this could affect what solution you go for.

    The simple solution is Site to Site VPN, as sip.bg has already mentioned
     
  8. ovizii

    Joined:
    Nov 20, 2017
    Messages:
    55
    Likes Received:
    1
    Thanks for all the tips, I need to think this through.

    Here is the setup though, if you want to give some tips:


    1 3cx in the cloud not natted or at least full cone nat with its own public static IP
    1 office secured with a firewall with a VPN Server for colleagues working remotely

    from what I hear you saying, it sounds like I would need to run a vpn server on the 3cx machine so my office can connect there?
     
  9. sip.bg

    sip.bg Active Member

    Joined:
    Nov 7, 2016
    Messages:
    704
    Likes Received:
    220
    Don't you have a router at your cloud site? It's better to terminate the VPN tunnels into a router, not the PBX server.
    How that office VPN is terminated at the PBX site?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Thread Status:
Not open for further replies.