Softphone Outside Firewall

Discussion in '3CX Phone System - General' started by Anonymous, Dec 7, 2006.

  1. Anonymous

    Anonymous Guest

    Great software, up and running in 10 minutes in a lab environment. Question: is it possible to connect a softphone client to the PBX from outside a firewall without a VPN connection? I think SIP is UDP; is there any way to configure things for TCP to make firewall configuration reasonable?

    Thanks.

    -Travis
     
  2. Watashi_FR

    Joined:
    Dec 5, 2006
    Messages:
    63
    Likes Received:
    0
    Hi Travis,

    If you open port 5060 on your firewall plus a client range (this range can usually be configured in your softphone software; X-Lite has the option), you should be in business (works for us). Also, mind the settings for 3CX (see General Settings) where port ranges for internal and external calls are set.
     
  3. Anonymous

    Anonymous Guest

    Travis,

    you say that if I configure my X-Lite ports it is possible to use 3CX outside of the firewall???
     
  4. Watashi_FR

    Joined:
    Dec 5, 2006
    Messages:
    63
    Likes Received:
    0
    Here's how we did it: we opened UDP 5060 on our firewall and NATed it to the 3CX server. We forced 3CX to use 7000-7500 for internal and 9000-9100 for external calls and opened and NATed these ports as well. Now, using X-Lite from outside our local network took a bit of tweaking, but this is the configuration we use that works:
    [IMG]
    [IMG]

    Hope this helps.
     
  5. Anonymous

    Anonymous Guest

    Thanks for the info, helps to know someone has this working. I tried these settings with no luck so I ran a packet capture on the PBX and I see my SIP register request followed by a 407 Proxy Authentication Required response back to the remote client. Any ideas? Thanks again for your config.

    -Travis
     
  6. Watashi_FR

    Joined:
    Dec 5, 2006
    Messages:
    63
    Likes Received:
    0
    A 407 would indicate that you are using a proxy server between your SIP client and the (remote) 3CX server, or between the 3CX and the internet. In both cases you need to check your credentials between client and proxy and make sure that the ports mentioned before are allowed by the proxy server.

    The configuration I described does not use a proxy, just a NAT-enabled firewall and router. If anyone has experience with a setup involving a proxy server (Microsoft ISA Server or other), with 3CX either in the DMZ or behind the proxy, would they be able to provide feedback on this setup?
     
  7. archie

    archie Well-Known Member
    3CX Staff

    Joined:
    Aug 18, 2006
    Messages:
    1,309
    Likes Received:
    0
    Yes, this is the correct behavior of the PBX. If your phone client doesn't provide authentication info in the first registration request, the PBX will reply with 407 and expect your client to resend the registration with authentication info added to it. After receiving such a registration, the client is treated as registered.
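
Added example, not part of the original thread and not 3CX or X-Lite code: the REGISTER, 407, authenticated REGISTER exchange described in the post above is SIP digest authentication, so a 407 in a packet capture is the challenge step rather than a failure. The code parses a constructed 407 and builds the Proxy-Authorization header a client would put on its second REGISTER; the host name, extension, password and nonce are made-up sample values, and only the plain MD5 case without qop is handled.

```python
import hashlib
import re

# Constructed sample 407 (every value here is made up for illustration).
SAMPLE_407 = (
    "SIP/2.0 407 Proxy Authentication Required\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:7100;branch=z9hG4bKexample\r\n"
    "From: <sip:100@pbx.example.test>;tag=a1\r\n"
    "To: <sip:100@pbx.example.test>;tag=b2\r\n"
    "Call-ID: constructed-call-id\r\n"
    "CSeq: 1 REGISTER\r\n"
    'Proxy-Authenticate: Digest realm="pbx.example.test", nonce="abc123nonce", algorithm=MD5\r\n'
    "Content-Length: 0\r\n\r\n"
)

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_challenge(response):
    """Return (status_code, challenge_params) from a 401/407 SIP response."""
    status = int(response.split(" ", 2)[1])
    m = re.search(r"^(?:Proxy|WWW)-Authenticate:\s*Digest\s+(.*)$",
                  response, re.I | re.M)
    if m is None:
        raise ValueError("no Digest challenge in response")
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', m.group(1))
    return status, {k.lower(): v.strip('"') for k, v in pairs}

def digest_response(user, password, method, uri, params):
    """Digest response without qop: MD5(HA1:nonce:HA2)."""
    if params.get("algorithm", "MD5").upper() != "MD5" or "qop" in params:
        raise ValueError("only the plain MD5, no-qop case is shown here")
    ha1 = md5_hex(f"{user}:{params['realm']}:{password}")  # identity + secret
    ha2 = md5_hex(f"{method}:{uri}")                       # request being sent
    return md5_hex(f"{ha1}:{params['nonce']}:{ha2}")

def authorization_header(user, password, method, uri, response):
    """Build the header for the retried request that answers the challenge."""
    status, params = parse_challenge(response)
    name = "Proxy-Authorization" if status == 407 else "Authorization"
    digest = digest_response(user, password, method, uri, params)
    return (f'{name}: Digest username="{user}", realm="{params["realm"]}", '
            f'nonce="{params["nonce"]}", uri="{uri}", response="{digest}", algorithm=MD5')

if __name__ == "__main__":
    print(authorization_header("100", "constructed-secret", "REGISTER",
                               "sip:pbx.example.test", SAMPLE_407))
```

If a capture shows the 407 but no second REGISTER carrying this header reaching the PBX, the retry or the credentials are the place to look.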
     
  8. Watashi_FR

    Joined:
    Dec 5, 2006
    Messages:
    63
    Likes Received:
    0
    That's interesting, does that mean that 3CX acts as a (SIP) Proxy? And if so, would it be possible to "slave" a 3CX server to another 3CX server? This would open up some interesting implementation scenarios (multiple offices with interconnected 3CX servers, for example).
     
  9. Anonymous

    Anonymous Guest

    So I have this working, just not ideal from a firewall configuration perspective. My current environment is the 3CX PBX behind an ISA 2006 firewall. Opened 5060 UDP and 7100-7200 UDP inbound. Remote end has an X-Lite client behind an ISA 2004 firewall. Configured X-Lite to use ports 7100-7101 and opened firewall 7100-7101 UDP inbound to the client and have call setup between the remote X-Lite client and a local 3CX Phone client. Is there any way to get this going over TCP so the client end doesn't need firewall rules (or the firewall client software in the case of ISA)? Great stuff.

    -Travis
     
  10. archie

    archie Well-Known Member
    3CX Staff

    Joined:
    Aug 18, 2006
    Messages:
    1,309
    Likes Received:
    0
    Yes, it's possible. Not in the current version, though. But we're now working on a new version which will be ready for those scenarios.
     
  11. archie

    archie Well-Known Member
    3CX Staff

    Joined:
    Aug 18, 2006
    Messages:
    1,309
    Likes Received:
    0
    Thank you for the nice feedback :)
    It is possible to make SIP prefer a TCP/IP connection, but this option is not accessible to users yet. Anyway, there is no possibility to make the RTP stream go over SIP, so it will always use UDP.
     
