SBC or VPN with Google

Discussion in '3CX Phone System - General' started by vectra, Feb 2, 2018.

Thread Status:
Not open for further replies.
  1. vectra

    Joined:
    Nov 3, 2009
    Messages:
    23
    Likes Received:
    0
    Hi Guys,

    I have to deploy 55 extensions at a customer site, and 3CX will be hosted on Google. Since I will have 10 T46S with a lot of BLF buttons and SP buttons and 45 T42S with at least 3 SP buttons per phone, will the SBC for Windows be able to run this scenario without issue, or do I have to somehow set up a VPN between the VM instance and my Zywall 310 on site (IPsec)?
     
  2. eddv123

    eddv123 Active Member

    Joined:
    Aug 15, 2017
    Messages:
    895
    Likes Received:
    136
    Hi Vectra,

    The SBC will not be able to fulfill this requirement; the SBC for Windows supports 50 extensions max and 250 BLFs = 5 per phone.

    You will have to use a VPN and DHCP option 66, although it takes a bit more configuration to set up the VPN to a cloud system: https://www.3cx.com/sip-phones/dhcp-option-66/

    One thing to note about DHCP Opt 66 and VPN is that, unfortunately, you cannot utilize PnP provisioning, as you must be within the same subnet for this feature.

    See here for the VPN setup on Google: https://cloud.google.com/vpn/docs/how-to/creating-vpns
     
    accentlogic likes this.
  3. eddv123

    eddv123 Active Member

    Joined:
    Aug 15, 2017
    Messages:
    895
    Likes Received:
    136
    I have known one or two people using multiple SBCs; however, I have not personally done this myself and it would probably be unsupported.
     
  4. jbryant84

    jbryant84 New Member

    Joined:
    Apr 6, 2016
    Messages:
    106
    Likes Received:
    38
    The SBC doesn't need port forwarding, as it makes an outbound connection to the PBX, which is allowed by firewalls. That said, it may be a pain to set up, but a VPN coupled with option 66 pointed at the PBX LAN IP would probably be the best way to accomplish this.
     
  5. vectra

    Joined:
    Nov 3, 2009
    Messages:
    23
    Likes Received:
    0
    Yes, I agree that a VPN will be the best option. There is no need for DHCP option 66 at all. All phones will be provisioned by updating the auto-provision address. I'm trying to set up a VPN on Google but have had no luck. Do you think that STUN can work with that number of extensions? I have customers with 20 extensions and a bunch of BLFs working well using the STUN option.
     
  6. eddv123

    eddv123 Active Member

    Joined:
    Aug 15, 2017
    Messages:
    895
    Likes Received:
    136
    I would not say that is full confirmation of support, since the head of technical at 3CX quotes "check thats right" at the end of the post. Also, I have never seen any official documentation supporting or mentioning support for multiple SBCs (although we all know it is possible).

    It's not something I wouldn't want to see, however, as it adds more to the 3CX hosted offering; however, it would be great to understand if there were any flaws in setting up this method.

    For now I will stick with VPN or on-premise for +50 extensions. If you hear anything different let me know.
     
  7. jimbo59

    jimbo59 Member

    Joined:
    Nov 17, 2017
    Messages:
    358
    Likes Received:
    77
    I'd run it local.
     
  8. YiannisH_3CX

    YiannisH_3CX Support Team
    Staff Member 3CX Support

    Joined:
    May 10, 2016
    Messages:
    4,381
    Likes Received:
    278
    Hello @vectra

    Multiple SBCs per site are supported by 3CX, so you could use that if VPN is not an option.
    STUN is also an option that could work, but configuration of the firewall would be a nightmare for 50 phones. Personally, if I couldn't set up a VPN connection I would go with SBCs. No firewall configuration is required and you can provision phones through PnP, which simplifies provisioning a great deal.
     
  9. OCWI

    OCWI New Member

    Joined:
    Jan 17, 2017
    Messages:
    159
    Likes Received:
    44
    Host it and run it with multiple Linux SBCs. It will be perfect reliability and the SBC software is mature enough to replace a VPN setup. I believe this will future-proof the setup as 3CX continues to evolve their platform.

    Furthermore, you will be provisioning through the recommended method, thus increasing reliability. We have several sites using multiple SBCs flawlessly.
     
  10. accentlogic

    accentlogic New Member

    Joined:
    Nov 14, 2013
    Messages:
    161
    Likes Received:
    66
    When you do multiple SBCs at a site, how do you split the phones between the devices? Do you get two choices for each phone, or? We have always just used one SBC or VPN, but as we grow I am certain we'll run into larger installs that need over 50 with no VPN option.
     
  11. eddv123

    eddv123 Active Member

    Joined:
    Aug 15, 2017
    Messages:
    895
    Likes Received:
    136
    I am not saying it is the correct way to do this; however, the resellers I have known to have done this historically have split the LAN subnet so as to keep things uniform.

    Either way, there shouldn't be more than one SBC per LAN subnet otherwise you will get duplicated PnP etc. Currently there is no load balancing/teaming in the 3CX SBC - it is designed as a single instance.
     
  12. OCWI

    OCWI New Member

    Joined:
    Jan 17, 2017
    Messages:
    159
    Likes Received:
    44
    Set up both SBCs with a static IP. Provision all the phones, then change half the phones to the second SBC in the PBX -> Extension -> Phone Provisioning -> IP address of SBC.

    Restart the phone and done.
     
  13. vectra

    Joined:
    Nov 3, 2009
    Messages:
    23
    Likes Received:
    0
    OK guys, I finally found the parameters to get the VPN working between Google Cloud and my Zyxel firewall. The STUN solution is also working fine and I have more than 20 extensions working fine. The only problem is that you have to set up ports and UDP per phone, and you have to do that manually. It would be a great option if 3CX did that automatically when you set up an extension with STUN.
     
  14. Nick Galea

    Nick Galea Site Admin

    Joined:
    Jun 6, 2006
    Messages:
    1,887
    Likes Received:
    190
    Implementing a VPN is a good solution, but you should not use STUN, as per Yiannis' post above. Without STUN there is no need to configure any ports.
     
    #14 Nick Galea, Feb 8, 2018
    Last edited: Feb 8, 2018
  15. nb

    nb Support Team
    Staff Member 3CX Support

    Joined:
    Jun 7, 2007
    Messages:
    2,097
    Likes Received:
    142
    Hi,
    You need to use the SBC in this case, because with STUN you depend on the firewall NAT mapping functionality and that might not be consistent.

    What I would do if I were you is
    1 SBC
    Every phone I need to connect all behind this SBC and proxy through SBC
    And most importantly - install the latest version. We made tests of up to 100 extensions behind the SBC. If you are gentle on the BLFs you configure per phone, you can get 55 working. The last SBC update is more performant.

    You will need to use SBC on Debian or Windows.

    We will be making more updates in the future on this.
     
  16. vectra

    Joined:
    Nov 3, 2009
    Messages:
    23
    Likes Received:
    0
    Hi Nick, I have a question for you. The STUN setup is working perfectly with Zyxel firewalls. I don't have to do anything special except disable ALG, but even with this enabled everything is working fine. My question is how Ring Central or Nextiva or Grandstream PBX work great behind most firewalls with no need to set up unique ports for each phone? Having BLFs, shared parking etc. is a selling point over other products, and running 3CX on Google Cloud looks like a great setup, especially for small businesses (4, 5, 16 license), but on the other hand most of them do not have strong infrastructure, a reliable internet connection, tech-savvy workers, etc., so an SBC failure is just a big headache for us. 99% of them just need to have a reliable phone, with features here and there, so for us this is a primary concern. I lost many customers just because of that. They switched to Ring Central and they are never down. HIPAA compliance is also a big issue here in the USA. We like 3CX very much, but all these changes (mail, lack of HIPAA compliance, shutting down the multi-tenant version) are pushing us to start looking for other solutions or be hurt badly. Please do not take this comment in an inappropriate way. We have invested a lot of time and money in building this business to just move over to other solutions. We are a channel partner with many other IT and AV brands, and they are very consistent regarding product changes and care what partners are saying.
     
  17. nb

    nb Support Team
    Staff Member 3CX Support

    Joined:
    Jun 7, 2007
    Messages:
    2,097
    Likes Received:
    142
    You don't need to set up ports. We claim we need ports because we need to make some initial assumptions. We assume, when we document, that users need their NAT concepts refreshed + we assume that firewalls need port forwarding.
    In reality, if the device works as it should, you don't need port forwarding. In this case you just proved that the firewall you mentioned simply remembers the port mappings it makes and KEEPS them open with keepalives. Others don't remember and close the UDP mappings without sending keepalives.

    Multitenant is dead when the price of a professional hosted VM can be 2 or 5 dollars a month. That's not the way to go.

    HIPAA is always getting improvements. Just made one in recording 2 months ago. I mean, it's a whole compliance body. Can't expect to have it all done immediately.

    Not inappropriate at all. We like this feedback. Thanks.
     