3CX Tunnel / 3CX Session Border Controller
On this topic
3CX includes the 3CX Tunnel allowing easier bridging of remote 3CX Phone Systems and connecting remote extensions. The 3CX Tunnel combines all SIP (signaling) and RTP (media) VoIP Packets from one location and delivers them to and from another location (typically the PBX Server) using a custom TCP protocol. This simple concept allows 3CX to overcome firewall or telecom provider issues. The 3CX Tunnel can be used for the following reasons:
- Resolve issues of NAT Traversal at both the remote and the PBX location.
- Simplified Firewall configuration at both the remote and the PBX location.
- Overcome difficulties with ISPs that block VoIP Traffic based on port numbers.
- Allows VoIP-over-WiFi in some restricted locations, such as Hotel rooms.
- “Fixes” Firewalls that cannot handle VoIP traffic correctly or which are very problematic to configure correctly, such as Microsoft ISA Server
Note: Presence information does not get carried through the Tunnel to the remote network as of yet. Make sure that the HTTPS ports you have chosen during the installation are open on the PBX server side.
How it Works
The 3CX Tunnel
The image above demonstrates how the 3CX Tunnel works. In this example, 3CX Phone System is on IP Address 10.0.0.181, and listens on TCP port 5090 (by default) for incoming Tunnel traffic. We must set up a single Port Forwarding rule on the NAT/Firewall Device, telling it that all incoming TCP traffic received on port 5090 should be delivered to LAN IP Address 10.0.0.181.
The remote setup is shown on the left hand side of the cloud. In this example, the machine with IP address of 192.168.0.2 has the 3CX Client installed. We will need to tell the VoIP Phone the public IP address of the PBX Server (which in this case is 22.214.171.124), and also the private IP address of the PBX Server (which in this case is 10.0.0.181). Since the 3CX Client will by default use the standard port numbers used by 3CX Phone System, typically no further configuration will be necessary.
3CX Tunnel technology can be used in the following scenarios:
- Connect Remote Sites using the SBC - For remote sites with a number of remote phones, you can deploy the 3CX SBC to the site so that all phones will communicate with the 3CX PBX over a single port. This is also the preferred option in case 3CX Phone System is running in the cloud.
- Connect Remote 3CX Client Users - The 3CX Clients for Windows, Mac, iOS and Android have a built in tunnel that will be used automatically when the 3CX Client detects it is not on the LAN. No configuration is necessary in the 3CX Client.
- Connect 3CX Phone Systems via a Bridge - When creating a Bridge to another 3CX Phone System, you can choose to use the 3CX Tunnel rather than a direct connection.
Configuring the Tunnel
We will use the above example in “How the 3CX Tunnel Works” to configure a tunnel connection.
Step 1 – Configure the Firewall
The Tunnel protocol is designed to eliminate NAT traversal problems and reduce Firewall configuration work to a minimum. There is only one Firewall setting that needs to be made – we must forward the TCP and UDP Tunnel port (set by default to 5090) to the PBX.
Configuring a Port Forward Rule in pfSense
The above picture shows configuration for a pfSense firewall - most firewalls will provide similar functionality. In your firewall:
- Enable Port Forwarding.
- Specify the PBX’s Local IP Address (which we had set previously to 192.168.9.213)
- Set the Type to “TCP/UDP”.
- Set the Port Range to be from 5090 to 5090 (only one port).
- Set the Comment field to “3CX Tunnel”.
- Click on the “Add” button followed by the “Apply” button. Your firewall configuration is now done!
Step 2 – Configuring Remote Sites via 3CX SBC, 3CX Clients, Bridges
After you have configured the local tunnel connection and the firewall, the tunnel is now “ready for use”. At the client side you must configure the 3CX Clients, an SBC or the Bridges accordingly.
3CX SBC (Session Border Controller)
The 3CX SBC is suitable for sites with multiple IP Phones in the same LAN. The SBC must be installed at the remote site and is available for Windows and Raspberry Pi:
- Installing 3CX Session Border Controller for Windows
- Installing 3CX SBC Session Border Controller for Raspberry Pi and Debian amd64.
No configuration is necessary for the 3CX clients. However to view 3CX Tunnel options, see the chapter “Configuring the 3CX Clients”.
To configure a Bridge using the 3CX Tunnel, see the Chapter “Connecting 3CX Phone Systems (Bridges)”.
- Configuring a SIP Desk Phone as a Tunnelled External Extension with 3CX Phone System.