Dismiss Notice
We would like to remind you that we’re updating our login process for all 3CX forums whereby you will be able to login with the same credentials you use for the Partner or Customer Portal. Click here to read more.

Restrict extension registration to internal IP addresses

Discussion in '3CX Phone System - General' started by JonnyM, Jun 21, 2014.

Thread Status:
Not open for further replies.
  1. JonnyM

    Joined:
    May 17, 2010
    Messages:
    81
    Likes Received:
    5
    Is there any way to restrict handset registration to internal IP addresses only? We don't have any remote users, and if we ever need it then they will be using 3CXPhone over the tunnel.

    I see quite a few failed registrations in the log, and I think I could improve security if 3CX just didn't listen to registration attempts from any subnet other than 192.168.3.0/24

    Is this possible?
     
  2. bardissi

    bardissi Member

    Joined:
    Jan 31, 2012
    Messages:
    318
    Likes Received:
    0
    This is already done by default as all extensions are set to disallow registration outside of the lan.. check box on the other tab of every individual extension
     
  3. bardissi

    bardissi Member

    Joined:
    Jan 31, 2012
    Messages:
    318
    Likes Received:
    0
    This is already done by default as all extensions are set to disallow registration outside of the lan.. check box on the other tab of every individual extension
     
  4. ian.watts

    ian.watts Active Member

    Joined:
    Apr 8, 2011
    Messages:
    532
    Likes Received:
    1
    The other one would be to firewall SIP connections to your SIP trunking providers' specs. That would cut out SIP traffic on the WAN for all those registrations.

    I tend not to do that as much, the tunnel can be problematic for mobile in my experience.. and handsets as remote extensions will need "help" to tunnel (proxy manager..).

    Limiting your exposure from outside is ideal, but can have side-effects. If indeed you go with the tunnel approach, however, firewall inbound SIP.
     
  5. JonnyM

    Joined:
    May 17, 2010
    Messages:
    81
    Likes Received:
    5
    Limiting the extension registration to LAN-only does the trick, but doesn't stop the attempts.

    I will have a chat with our SIP provider and see if they can give me a list of the IP addresses that they use.

    Thanks for your help.
     
  6. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    11,086
    Likes Received:
    325
    Are you talking about your own users attempting a registration from outside the LAN, or hacker attempts? If it's the latter, then you can either go for a more "configurable" firewall/router, discuss the problem with your ISP to see if they can help block certain IPs, or, tweak the 3CX security Blacklist settings, to quickly stop unauthorized registration attempts.
     
Thread Status:
Not open for further replies.