
Secured 3CX over public networks

SimWhite

Could someone explain how to get 3CX clients working with TLS and SRTP?

I tried to use an LE certificate for TLS on the server side and there is no problem with the PhonerLite softphone or Cisco SPA; they connect without any problems. But the 3CX clients show me "TLS error".

And it seems "RTP Mode Secure only" didn't work either. When I make a call it "freezes". There is no incoming call on the 3CX clients. Also SRTP didn't work with the system services like Voicemail.

I think I'm not the only one who uses a remote PBX installation and wants encrypted calls over public networks.
 
Dear SimWhite,

In the 3CX Management Console go to the Extension Settings of the extension you want to enable Secure SIP for, then on the “Network” category choose the SIP Transport and RTP Mode as you can see on the below screenshot.




In the 3CX Client go to "Configure account", then double click on your Account → Advanced Settings, go to the SIP Transport section and choose TLS and the "secure only" options.




Restart the 3CXPhone for Windows application and it should now register using Secure SIP.

In case you are using a self-signed certificate, you must make Windows aware of the new self-created authority in order to trust the 3CX Phone System:
  1. Copy the “XXXXXX.crt” file to the PC running the 3CXPhone for Windows.

  2. Run the “XXXXXX.crt” file and press the “Install Certificate” button.

  3. Install the certificate for the “Local Machine” and press Next.

  4. Select “Place all certificates in the following store”, then press the “Browse” button and select “Trusted Root Certification Authorities” and press OK, then press Next to import the certificate.



Notes:
  • Enabling the “Enable Secure SIP (TLS)” option for an extension enables it globally for that extension. That means that any softphone endpoint registered to this extension must also have the certificate imported into it. Currently the only 3CXPhone that supports Secure SIP is the 3CXPhone for Windows.
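An added example, not code from 3CX or from this thread: a PowerShell script that performs the certificate import described above from the command line (Import-Certificate into the Local Machine Trusted Root store, the scripted equivalent of the wizard steps) and then opens a TLS session to the PBX on port 5061 to report whether Windows now trusts the certificate it presents. The PBX host name, port and certificate path are assumptions; the chain check verifies trust only, not that the host name matches the certificate.

```powershell
# Added example, not 3CX's own code. Assumed values: adjust to your PBX.
$PbxHost  = 'pbx.example.com'       # assumption: FQDN the PBX certificate was issued for
$PbxPort  = 5061                    # Secure SIP (TLS) port mentioned in the thread
$CertPath = 'C:\certs\XXXXXX.crt'   # assumption: the .crt file exported from the PBX

# 1. Import the self-signed certificate into the Local Machine "Trusted Root
#    Certification Authorities" store. Run from an elevated PowerShell prompt.
Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2. Open a TLS session to the PBX the way a softphone would and report what it presented.
function Test-PbxTls {
    param([string]$HostName, [int]$Port)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any server certificate here so the handshake completes and we can inspect it.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)   # sends SNI for $HostName
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        # Build the chain with the machine's default policy: this is the trust check Windows applies.
        $chain   = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $trusted = $chain.Build($cert)
        [pscustomobject]@{
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            NotAfter         = $cert.NotAfter
            Protocol         = $ssl.SslProtocol
            TrustedByWindows = $trusted
            ChainStatus      = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
        }
    } finally {
        $client.Dispose()
    }
}

Test-PbxTls -HostName $PbxHost -Port $PbxPort
```

A result of TrustedByWindows = False with an untrusted-root status means the import did not take effect (wrong store, or the prompt was not elevated).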
 
Currently the only 3CXPhone that supports Secure SIP is the 3CXPhone for Windows.
Windows only? I use MacOS and iOS. What about it?

And what about sRTP? TLS is used only for signalisation. But the voice transmission also must be encrypted.
 
Dear SimWhite,

Sorry, my mistake: Secure SIP for MacOS is supported as well (sRTP and TLS). On iPhones and Androids it is not implemented.
 
I think not only me used remote PBX installation and want encrypted calls over public networks.
This is not good enough? o_O

3CXPhone for Windows, Mac, iOS and Android have a built in tunnel that will be used automatically when 3CXPhone detects it is not on the LAN. No configuration is necessary in 3CXPhone.
 
Dear Sopock,

We have two options regarding remote extensions.
1) You can use the 3CXTunnel, which is proprietary to 3CX and is encrypted. This option is enabled by default through the option "Use 3CX Tunnel for remote connections (3CX Client only)".
2) You can use Secure SIP (TLS and sRTP) using port 5061 and a trusted certificate on the client PC, but you must disable the option "Use 3CX Tunnel for remote connection" in that case. Also you need to open port 5061 and the external RTP port range (9000-9255) on the remote PBX. (This is for Windows and MacOS clients only, not iPhone and Android.) Finally, in this case you need to untick the option "Disallow use of extension outside the LAN".
 
3CXTunnel that is proprietary by 3CX and is encrypted
What kind of encryption is it using? Does it encrypt everything, including voice transmission?
 
Dear SimWhite,

The 3CXTunnel is proprietary to 3CX and is based on TLS, but it is not documented. It encrypts the SIP and RTP signals.
The provisioning and the presence information are transmitted over port 5001 which is based on https.
 
Could you tell me its key size?
 
Dear SimWhite,

Obviously I cannot disclose this information, but bear in mind that the tunnel has double encryption, as it takes the tunnel password to encrypt the SIP and RTP data before even transmitting it encapsulated over TLS. Also the tunnel password is alphanumeric with capital letters.
 
You may Wireshark the tunnel traffic on port 5090 (both TCP and UDP) and check the encryption.
 