Secured 3CX over public networks

Discussion in '3CX Phone System - General' started by SimWhite, Dec 26, 2016.

Thread Status:
Not open for further replies.
  1. SimWhite

    Joined:
    Dec 19, 2016
    Messages:
    17
    Likes Received:
    1
    Could someone explain how to get 3CX clients working with TLS and sRTP?

    I tried to use an LE certificate for TLS on the server side and there is no problem with the Phonerlite softphone or Cisco SPA; they connect without any problems. But the 3CX clients show me "TLS error".

    And it seems "RTP Mode Secure only" didn't work either. When I make a call it "freezes". There is no incoming call on the 3CX clients. Also sRTP didn't work with system services like Voicemail.

    I think I am not the only one who uses a remote PBX installation and wants encrypted calls over public networks.
     
  2. GiannosC_3CX

    GiannosC_3CX Guest

    Dear SimWhite,

    In the 3CX Management Console go to the Extension Settings of the extension you want to enable Secure SIP for, then in the “Network” category choose the SIP Transport and RTP Mode as you can see in the screenshot below.

    [screenshot: extension Network settings]


    In the 3CX Client go to Configure Account, then double click on your Account → Advanced Settings, then go to the SIP Transport section and choose TLS and the secure-only options.


    [screenshots: 3CX Client account settings]

    Restart the 3CXPhone for Windows application and it should now register using Secure SIP.

    If you are using a self-signed certificate, you must make Windows aware of the new self-created authority in order to trust the 3CX Phone System:
    1. Copy the “XXXXXX.crt” file to the PC running the 3CXPhone for Windows.

    2. Run the “XXXXXX.crt” file and press the “Install Certificate” button.
    [screenshot]

    3. Install the certificate for the “Local Machine” and press Next.

    4. Select “Place all certificates in the following store”, then press the “Browse” button and select “Trusted Root Certification Authorities” and press OK, then press Next to import the certificate.
    [screenshot]


    Notes:
    • Enabling “Enable Secure SIP (TLS)” option for an extension enables it globally for that extension. That means that any softphone endpoint registered to this extension must also have the certificate imported into it. Currently the only 3CXPhone that supports Secure SIP is the 3CXPhone for Windows.
     
  3. SimWhite

    Windows only? I use MacOS and iOS. What about it?

    And what about sRTP? TLS is used only for signalling. But the voice transmission must also be encrypted.
     
  4. GiannosC_3CX

    GiannosC_3CX Guest

    Dear SimWhite,

    Sorry, my mistake: Secure SIP for MacOS is supported as well (sRTP and TLS). On iPhones and Androids it is not implemented.
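The distinction raised in the last few posts, that TLS on the SIP transport protects only signalling while "RTP Mode Secure only" has to show up as SRTP in the SDP offer, can be checked on a captured INVITE. The following is an added example, not code from this thread or from 3CX: it reads the transport from the top Via header and every SDP m= line, and treats a stream as secure only if it is offered as RTP/SAVP with an a=crypto key. The SIP URIs, addresses and SRTP key material in the three sample messages are constructed dummies.

```python
"""Classify a SIP INVITE for signalling and media security.

Added example, not code from this thread or from 3CX. The settings
discussed above map onto two things visible on the wire: the transport
in the top Via header (TLS vs UDP/TCP) and the SDP media lines, where
"RTP Mode Secure only" means every m= line offers RTP/SAVP with an
a=crypto key and no plain RTP/AVP fallback. Addresses, SIP URIs and the
SRTP key material in the samples are constructed dummies.
"""
import re

VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/([A-Za-z]+)", re.IGNORECASE | re.MULTILINE)
MEDIA_RE = re.compile(r"^m=(\w+)\s+(\d+)\s+(\S+)")
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}


def build_invite(transport: str, rtp_profile: str, with_crypto: bool) -> str:
    """Build a constructed sample INVITE carrying an SDP offer (dummy values)."""
    sdp_lines = [
        "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
        f"m=audio 9000 {rtp_profile} 0 8",
    ]
    if with_crypto:
        # Dummy SDES key line: 30 bytes of key+salt would be 40 base64 characters.
        sdp_lines.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40)
    sdp_lines += ["a=rtpmap:0 PCMU/8000", "a=rtpmap:8 PCMA/8000"]
    sdp = "\r\n".join(sdp_lines) + "\r\n"
    headers = [
        "INVITE sip:100@pbx.example.net SIP/2.0",
        f"Via: SIP/2.0/{transport} 192.0.2.10:5061;branch=z9hG4bK-1",
        "From: <sip:101@pbx.example.net>;tag=a1",
        "To: <sip:100@pbx.example.net>",
        "Call-ID: call-1@192.0.2.10",
        "CSeq: 1 INVITE",
        "Content-Type: application/sdp",
        f"Content-Length: {len(sdp.encode())}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + sdp


def classify(message: str) -> dict:
    """Return transport, per-stream media findings and the problems found."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    via = VIA_RE.search(head)
    transport = via.group(1).upper() if via else "UNKNOWN"

    streams = []
    # Each SDP media section runs from its m= line up to the next m= line,
    # so the a=crypto attributes belong to the m= line that precedes them.
    for section in re.split(r"(?m)^(?=m=)", body):
        mline = MEDIA_RE.match(section)
        if not mline:
            continue
        kind, port, profile = mline.groups()
        if port == "0":
            continue  # port 0 means the stream is rejected/disabled
        has_crypto = re.search(r"^a=crypto:", section, re.MULTILINE) is not None
        streams.append({
            "kind": kind,
            "port": int(port),
            "profile": profile.upper(),
            "crypto": has_crypto,
            "secure": profile.upper() in SECURE_PROFILES and has_crypto,
        })

    signalling_secure = transport == "TLS"
    media_secure = bool(streams) and all(s["secure"] for s in streams)
    problems = []
    if not signalling_secure:
        problems.append(f"signalling over {transport}: SIP headers and SDP keys are readable")
    for s in streams:
        if not s["secure"]:
            problems.append(f"{s['kind']} on port {s['port']} offered as {s['profile']}"
                            + ("" if s["crypto"] else " without a=crypto") + ": plain RTP")
    return {
        "transport": transport,
        "streams": streams,
        "signalling_secure": signalling_secure,
        "media_secure": media_secure,
        "problems": problems,
    }


# Constructed samples: fully secure, TLS-only (media still plain), and cleartext.
SECURE_INVITE = build_invite("TLS", "RTP/SAVP", True)
TLS_ONLY_INVITE = build_invite("TLS", "RTP/AVP", False)
CLEAR_INVITE = build_invite("UDP", "RTP/AVP", False)

if __name__ == "__main__":
    for name, msg in [("secure", SECURE_INVITE), ("tls-only", TLS_ONLY_INVITE), ("clear", CLEAR_INVITE)]:
        print(name, classify(msg)["problems"] or ["ok: TLS signalling and SRTP media"])
```

The "tls-only" sample is the case the thread warns about: the Via header says TLS, so an observer cannot read the INVITE, but the media it sets up is plain RTP. Note that with SDES (a=crypto) the SRTP keys travel inside the SDP, so the media is only as private as the signalling path that carried the offer.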
     
  5. Sopock

    Sopock Member

    Joined:
    Jul 11, 2012
    Messages:
    447
    Likes Received:
    20
    This is not good enough?o_O

    3CXPhone for Windows, Mac, iOS and Android have a built in tunnel that will be used automatically when 3CXPhone detects it is not on the LAN. No configuration is necessary in 3CXPhone.
     
  6. GiannosC_3CX

    GiannosC_3CX Guest

    Dear Sopock,

    We have two options regarding remote extensions.
    1) You can use the 3CXTunnel, which is proprietary to 3CX and is encrypted. This option is enabled by default through the option: "Use 3CX Tunnel for remote connections (3CX Client only)"
    2) You can use Secure SIP (TLS and sRTP) using port 5061 and a trusted certificate on the client PC, but you must disable the option "Use 3CX Tunnel for remote connection" in that case. Also you need to open 5061 and the external RTP port range (9000-9255) on the remote PBX. (This is for Windows and MacOS clients only, not iPhone and Android.) Finally, in this case you need to untick the option "Disallow use of extension outside the LAN".
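Before pointing a client at option 2, it is worth confirming from the remote network that port 5061 answers and that the PBX certificate verifies against the trust store the client will use. The script below is an added example, not 3CX code: it performs the TLS handshake with verification kept on, optionally trusting the PBX's own exported .crt (the same decision as importing it into the Windows "Trusted Root Certification Authorities" store), then sends a SIP OPTIONS request and reports the reply. `pbx.example.net` is a placeholder host; nothing is contacted unless you run it against your own PBX.

```python
"""Probe a PBX's Secure SIP port with a TLS handshake and a SIP OPTIONS.

Added example, not 3CX code. It does what a client must do before it can
register over TLS: open a TLS session to port 5061, verify the PBX
certificate against a trust store (the system CAs, or the PBX's own
self-signed .crt passed as cafile), then send OPTIONS and read the reply.
Host names are placeholders; no PBX is contacted unless main() runs.
"""
import socket
import ssl
import uuid
from typing import Optional


def build_options(pbx_host: str, local_host: str = "192.0.2.10") -> bytes:
    """Return a minimal SIP OPTIONS request for transport TLS (RFC 3261 fields)."""
    branch = "z9hG4bK" + uuid.uuid4().hex          # magic cookie + unique id
    call_id = uuid.uuid4().hex
    tag = uuid.uuid4().hex[:8]
    lines = [
        f"OPTIONS sip:{pbx_host} SIP/2.0",
        f"Via: SIP/2.0/TLS {local_host}:5061;branch={branch};rport",
        "Max-Forwards: 70",
        f"From: <sip:probe@{local_host}>;tag={tag}",
        f"To: <sip:{pbx_host}>",
        f"Call-ID: {call_id}@{local_host}",
        "CSeq: 1 OPTIONS",
        "Content-Length: 0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_status_line(response: bytes):
    """Return (code, reason) from a SIP response, or None if it is not one."""
    first = response.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = first.split(" ", 2)
    if len(parts) < 3 or parts[0] != "SIP/2.0" or not parts[1].isdigit():
        return None
    return int(parts[1]), parts[2]


def probe_sip_tls(pbx_host: str, port: int = 5061, cafile: Optional[str] = None,
                  timeout: float = 5.0) -> dict:
    """Handshake with the PBX, then send OPTIONS; report what a client would see."""
    ctx = ssl.create_default_context(cafile=cafile)   # cafile=None -> system CAs
    # Verification stays ON: a failure here is the real cause behind a client's
    # "TLS error" (untrusted issuer, name mismatch, expired certificate).
    try:
        with socket.create_connection((pbx_host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=pbx_host) as tls:
                result = {
                    "ok": True,
                    "tls_version": tls.version(),
                    "cipher": tls.cipher()[0],
                    "peer_subject": dict(rdn[0] for rdn in tls.getpeercert()["subject"]),
                }
                tls.sendall(build_options(pbx_host))
                try:
                    result["status"] = parse_status_line(tls.recv(4096))
                except socket.timeout:
                    result["status"] = None   # handshake fine, PBX silent on OPTIONS
                return result
    except ssl.SSLCertVerificationError as e:
        return {"ok": False, "error": f"certificate verification failed: {e.verify_message}"}
    except (ssl.SSLError, OSError) as e:
        return {"ok": False, "error": str(e)}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "pbx.example.net"   # placeholder
    ca = sys.argv[2] if len(sys.argv) > 2 else None                   # e.g. exported PBX .crt
    print(probe_sip_tls(host, cafile=ca))
```

Run it as `python probe.py pbx.example.net` for a publicly trusted (e.g. Let's Encrypt) certificate, or `python probe.py pbx.example.net pbx.crt` for a self-signed one. An `ok: False` with a verification message tells you whether to fix the certificate (name mismatch, missing intermediate) or the client's trust store; an `ok: True` with a `status` of `None` means TLS is fine and the PBX simply did not answer OPTIONS. The RTP range (9000-9255/UDP) cannot be verified this way; check it with a real call once registration works.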
     
  7. SimWhite

    What kind of encryption is used? Does it encrypt everything? Including voice transmission?
     
  8. GiannosC_3CX

    GiannosC_3CX Guest

    Dear SimWhite,

    The 3CXTunnel is proprietary to 3CX and is based on TLS but is not documented. It encrypts the SIP and RTP signals.
    Provisioning and presence information are transmitted over port 5001, which is based on HTTPS.
     
  9. SimWhite

    Could you tell me its key size?
     
  10. GiannosC_3CX

    GiannosC_3CX Guest

    Dear SimWhite,

    Obviously I cannot disclose this information, but bear in mind that the tunnel encryption is double encryption, as it takes the tunnel password to encrypt the SIP and RTP data before even transmitting it encapsulated over TLS. Also the tunnel password is alphanumeric, with capital letters.
     
  11. Sopock

    Sopock Member

  12. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    You can capture the tunnel traffic to port 5090 (both TCP and UDP) with Wireshark and check the encryption.
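Since the tunnel format is undocumented, "check the encryption" in practice means looking at whether the port 5090 payloads still contain readable SIP or RTP. The following is an added example, not 3CX code: it scores each payload by byte entropy and printable-character ratio, which separates ciphertext from cleartext signalling well enough for a sanity check. It assumes the payloads were exported with `tshark -r capture.pcap -Y "tcp.port==5090 || udp.port==5090" -T fields -e data.data` (one hex string per line; older tshark versions colon-separate the bytes). The two sample payloads are constructed, not real captures.

```python
"""Check whether captured tunnel payloads look encrypted.

Added example, not 3CX code. Encrypted or compressed payloads have
near-maximal byte entropy and few printable characters; leaked SIP or
plain RTP does not. Input is the hex printed by
  tshark -r capture.pcap -Y "tcp.port==5090 || udp.port==5090" -T fields -e data.data
(one payload per line; older tshark versions separate bytes with colons).
The two sample payloads below are constructed, not real captures.
"""
import math
import random
from collections import Counter

ENTROPY_ENCRYPTED = 7.0    # bits/byte; uniform random bytes approach 8.0
PRINTABLE_MAX = 0.6        # ciphertext is roughly 37% printable ASCII by chance


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the empirical byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0x20-0x7E) or TAB/LF/CR."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (9, 10, 13))
    return ok / len(data)


def looks_encrypted(payload: bytes, min_len: int = 64):
    """True/False for a payload long enough to judge, None if it is too short."""
    if len(payload) < min_len:
        return None
    return (shannon_entropy(payload) >= ENTROPY_ENCRYPTED
            and printable_ratio(payload) <= PRINTABLE_MAX)


def payloads_from_tshark_hex(text: str) -> list:
    """Parse `-e data.data` output: one hex string per line, colons optional."""
    out = []
    for line in text.splitlines():
        h = line.strip().replace(":", "")
        if h:
            out.append(bytes.fromhex(h))
    return out


def summarize(payloads) -> dict:
    """Count judged payloads and return the ones that are NOT encrypted."""
    verdicts = [looks_encrypted(p) for p in payloads]
    return {
        "judged": sum(v is not None for v in verdicts),
        "encrypted": sum(v is True for v in verdicts),
        "cleartext": [p for p, v in zip(payloads, verdicts) if v is False],
    }


# Constructed samples: a SIP REGISTER as it would appear in cleartext, and
# 2048 deterministic pseudo-random bytes standing in for an encrypted record.
SAMPLE_CLEAR = (
    b"REGISTER sip:pbx.example.net SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-reg1\r\n"
    b"From: <sip:101@pbx.example.net>;tag=r1\r\nTo: <sip:101@pbx.example.net>\r\n"
    b"Call-ID: reg-1@192.0.2.10\r\nCSeq: 1 REGISTER\r\n"
    b"Contact: <sip:101@192.0.2.10:5060>\r\nExpires: 3600\r\nContent-Length: 0\r\n\r\n"
)
_rng = random.Random(5090)
SAMPLE_RANDOM = bytes(_rng.getrandbits(8) for _ in range(2048))

if __name__ == "__main__":
    for name, p in (("clear", SAMPLE_CLEAR), ("random", SAMPLE_RANDOM)):
        print(f"{name}: entropy={shannon_entropy(p):.2f} "
              f"printable={printable_ratio(p):.2f} encrypted={looks_encrypted(p)}")
```

A pile of cleartext verdicts on port 5090 means either the tunnel is not being used (the client decided it was on the LAN, or the tunnel option is off) or something is leaking; a capture on 5060/5061 and the RTP range at the same time shows which. High entropy only shows that the bytes are not readable; it says nothing about key size or the strength of the undocumented scheme, which is the question the thread could not get answered.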
     