When not to use the Tunnel

Discussion in '3CX Phone System - General' started by petewatterschats, Apr 2, 2016.

Thread Status:
Not open for further replies.
  1. petewatterschats

    petewatterschats New Member

    For remote clients using a soft phone, why would someone not want to use the Tunnel?
     
  2. leejor

    leejor Well-Known Member

    The tunnel is there to help solve the problem of not being able to connect because of (remote) router/NAT issues. If individual devices connect just fine without the tunnel, then the choice to use it is up to you. In some cases, where you don't use a VoIP provider, you can firewall port 5060 but leave open 5090, stopping hackers from attempting to access your PBX through the "standard" SIP port.

    The tunnel provides no encryption, it simply moves all traffic to one port. I usually leave it off, and will only use it if I'm unable to register from a remote hotspot/location. The last resort is a VPN connection.
     
  3. hogan71088

    The tunnel provides no encryption? I'm pretty sure that's incorrect.
     
  4. leejor

    leejor Well-Known Member

    There is no date on this, but I haven't heard that tunnel behaviour has yet changed from how it is described here.

    http://www.3cx.com/docs/3cx-tunnel-sess ... ontroller/

    To have encryption, such as that offered with Secure SIP, you must have certificates, or some means of password protection (not just a SIP password). As far as I'm aware, Presence information still doesn't travel over the tunnel, which came as a bit of a surprise to many.

    It's a tool to overcome the issues described in the topic.
     
  5. DSXDATA

    DSXDATA New Member

    Actually, as of SP3 at least, encryption is optionally possible. In the configuration file, 3cxsbc.conf, there is a field as follows: SecurityMode = 0. If you change that to 1, then in theory encryption is enabled.

    While security is a good thing in almost all cases, it is not automatically good with VOIP. Encryption introduces latency and voice quality is directly related to latency. This is an option to be used judiciously.
     
  6. leejor

    leejor Well-Known Member

    It would be nice to see more information on this.
     
  7. lneblett

    lneblett Well-Known Member

    While perhaps not using the traditional encryption methodologies, it does appear to offer some protection (post from 3CX):

    Securing Remote Connections

    To address the issue of roaming remote extensions (either because the user is on the move, or because his Public IP Address is dynamic, or both), 3CX Phone System provides another layer of protection via the 3CX Tunnel protocol. The 3CX tunnel Protocol performs three functions:

    The ability to overcome NAT issues by consolidating all traffic over a single port.
    The conversion of this consolidated traffic into a custom protocol which requires some form of 3CX Tunnel client at the remote location.
    A simple additional authentication/authorization layer by means of the tunnel password.

    If you truly want TLS, then the softphone (3CX softphone for Windows and Mac) can handle it. However, I do not know if the tunnel and TLS can co-exist. TLS uses port 5061 in the standard installation.

    For me, however, I only use the tunnel when it can overcome firewall issues that preclude me from connecting normally.
     
  8. leejor

    leejor Well-Known Member

    I agree. While the 3CX tunnel would make the "monitoring" of SIP calls much more of a challenge, I don't think that it would be impossible, depending on the resources, and if you were in one location long enough for the person doing the monitoring to realize what you are doing. I certainly wouldn't count on it as a replacement for Secure SIP or VPN if your conversations are of a "sensitive nature".

    And back to the original question... you would not use it on two 3CX phones simultaneously, behind the same remote router.
     