Discussion in '3CX Phone System - General' started by petewatterschats, Apr 2, 2016.
For remote clients using a soft phone, why would someone not want to use the Tunnel?
The tunnel is there to help solve the problem of not being able to connect because of (remote) router/NAT issues. If individual devices connect just fine without the tunnel, then the choice to use it is up to you. In some cases, where you don't use a VoIP provider, you can firewall port 5060 but leave open 5090, stopping hackers from attempting to access your PBX through the "standard" SIP port.
The tunnel provides no encryption; it simply moves all traffic to one port. I usually leave it off, and will only use it if I'm unable to register from a remote hotspot/location. The last resort is a VPN connection.
The tunnel provides no encryption? I'm pretty sure that's incorrect.
There is no date on this, but I haven't heard that tunnel behaviour has yet changed from how it is described here.
http://www.3cx.com/docs/3cx-tunnel-sess ... ontroller/
To have encryption, such as that offered with Secure SIP, you must have certificates, or some means of password protection (not just a SIP password). As far as I'm aware, Presence information still doesn't travel over the tunnel, which came as a bit of a surprise to many.
It's a tool to overcome the issues described in the topic.
Actually, as of SP3 at least, encryption is optionally possible. In the configuration file, 3cxsbc.conf, there is a field as follows: SecurityMode = 0. If you change that to 1, then in theory encryption is enabled.
While security is a good thing in almost all cases, it is not automatically good with VoIP. Encryption introduces latency, and voice quality is directly related to latency. This is an option to be used judiciously.
It would be nice to see more information on this.
While perhaps not using the traditional encryption methodologies, it does appear to offer some protection (post from 3CX):
Securing Remote Connections
To address the issue of roaming remote extensions (either because the user is on the move, or because his Public IP Address is dynamic, or both), 3CX Phone System provides another layer of protection via the 3CX Tunnel protocol. The 3CX tunnel Protocol performs three functions:
The ability to overcome NAT issues by consolidating all traffic over a single port.
The conversion of this consolidated traffic into a custom protocol which requires some form of 3CX Tunnel client at the remote location.
A simple additional authentication/authorization layer by means of the tunnel password.
If you truly want TLS, then the softphone (3CX softphone for Windows and Mac) can handle it. However, I do not know if the tunnel and TLS can co-exist. TLS uses port 5061 in the standard installation.
For me, however, I only use the tunnel when it can overcome firewall issues that preclude me from connecting normally.
I agree. While the 3CX tunnel would make the "monitoring" of SIP calls much more of a challenge, I don't think that it would be impossible, depending on the resources, and if you were in one location long enough for the person doing the monitoring to realize what you are doing. I certainly wouldn't count on it as a replacement for Secure SIP or VPN if your conversations are of a "sensitive nature".
And back to the original question... you would not use it on two 3CX phones simultaneously, behind the same remote router.