
When not to use the Tunnel

Status
Not open for further replies.

petewatterschats (joined Jan 19, 2016; 151 messages; reaction score 0)
For remote clients using a softphone, why would someone not want to use the Tunnel?
 
The tunnel is there to help solve the problem of not being able to connect because of (remote) router/NAT issues. If individual devices connect just fine without the tunnel, then the choice to use it is up to you. In some cases, where you don't use a VoIP provider, you can firewall port 5060 but leave open 5090, stopping hackers from attempting to access your PBX through the "standard" SIP port.

The tunnel provides no encryption; it simply moves all traffic to one port. I usually leave it off, and will only use it if I'm unable to register from a remote hotspot/location. The last resort is a VPN connection.
 
The tunnel provides no encryption? I'm pretty sure that's incorrect.
 
There is no date on this, but I haven't heard that tunnel behaviour has yet changed from how it is described here.

http://www.3cx.com/docs/3cx-tunnel-sess ... ontroller/

To have encryption, such as that offered with Secure SIP, you must have certificates, or some means of password protection (not just a SIP password). As far as I'm aware, Presence information still doesn't travel over the tunnel, which came as a bit of a surprise to many.

It's a tool to overcome the issues described in the topic.
 
Actually, as of SP3 at least, encryption is optionally possible. In the configuration file, 3cxsbc.conf, there is a field as follows: SecurityMode = 0. If you change that to 1, then in theory encryption is enabled.

While security is a good thing in almost all cases, it is not automatically good with VoIP. Encryption introduces latency, and voice quality is directly related to latency. This is an option to be used judiciously.
 
DSXDATA said:
Actually, as of SP3 at least, encryption is optionally possible. In the configuration file, 3cxsbc.conf, there is a field as follows: SecurityMode = 0. If you change that to 1, then in theory encryption is enabled.

It would be nice to see more information on this.
 
While perhaps not using the traditional encryption methodologies, it does appear to offer some protection (post from 3CX)-

Securing Remote Connections

To address the issue of roaming remote extensions (either because the user is on the move, or because his Public IP Address is dynamic, or both), 3CX Phone System provides another layer of protection via the 3CX Tunnel protocol. The 3CX tunnel Protocol performs three functions:

The ability to overcome NAT issues by consolidating all traffic over a single port.
The conversion of this consolidated traffic into a custom protocol which requires some form of 3CX Tunnel client at the remote location.
A simple additional authentication/authorization layer by means of the tunnel password.

If you truly want TLS, then the softphone (3CX softphone for Windows and Mac) can handle it. However, I do not know if the tunnel and TLS can co-exist. TLS uses port 5061 in the standard installation.

For me, however, I only use the tunnel when it can overcome firewall issues that preclude me from connecting normally.
 
lneblett said:
For me, however, I only use the tunnel when it can overcome firewall issues that preclude me from connecting normally.

I agree. While the 3CX tunnel would make the "monitoring" of SIP calls much more of a challenge, I don't think that it would be impossible, depending on the resources, and if you were in one location long enough for the person doing the monitoring to realize what you are doing. I certainly wouldn't count on it as a replacement for Secure SIP or VPN if your conversations are of a "sensitive nature".

And back to the original question... you would not use it on two 3CX phones simultaneously, behind the same remote router.
 