3CX PBX in the Cloud
1 year FREE - no ties!
google cloud platform
3CX
Zero Admin
With the new Dashboard
3CX
Bulletproof Security
With SSL certs and NGINX
3CX
Install on $200 Appliance
Intel MiniPC architecture
3CX
New, Intuitive Windows Client
More themes, more UC
3CX
More CRM Integrations
Scripting Interface to add your own
3CX
Improved Integrated Web Conferencing
iOS and Android apps included
3CX
Run On-Premise or in the Cloud
Google, OVH, Windows & Linux
Fast & easy call management
With the 3CX Web Client

3CX Tunnel / 3CX Session Border Controller

3CX Tunnel / 3CX Session Border Controller

On this topic

3CX Tunnel / 3CX Session Border Controller

Introduction

How it Works

Configuring the Tunnel

Step 1 – Configure the PBX

Step 12 – Configure the Firewall

Step 23 – Configuring Remote Sites via 3CX SBC, 3CX Clients, Bridges

See Also

Introduction

3CX includes the 3CX Tunnel allowing easier bridging of remote 3CX Phone Systems and connecting remote extensions. The 3CX Tunnel combines all SIP (signaling) and RTP (media) VoIP Packets from one location and delivers them to and from another location (typically the PBX Server) using a custom TCP protocol. This simple concept allows 3CX to overcome firewall or telecom provider issues. The 3CX Tunnel can be used for the following reasons:

  • Resolve issues of NAT Traversal at both the remote and the PBX location.
  • Simplified Firewall configuration at both the remote and the PBX location.
  • Overcome difficulties with ISPs that block VoIP Traffic based on port numbers.
  • Allows VoIP-over-WiFi in some restricted locations, such as Hotel rooms.
  • “Fixes” Firewalls that cannot handle VoIP traffic correctly or which are very problematic to configure correctly, such as Microsoft ISA Server

Note: Presence information does not get carried through the Tunnel to the remote network as of yet. Make sure that the HTTPS ports you have chosen during the installation are open on the PBX server side.

How it Works

The 3CX Tunnel

The image above demonstrates how the 3CX Tunnel works. In this example, 3CX Phone System is on IP Address 10.0.0.181, and listens on TCP port 5090 (by default) for incoming Tunnel traffic. We must set up a single Port Forwarding rule on the NAT/Firewall Device, telling it that all incoming TCP traffic received on port 5090 should be delivered to LAN IP Address 10.0.0.181.

The remote setup is shown on the left hand side of the cloud. In this example, the machine with IP address of 192.168.0.2 has the 3CX Client installed. We will need to tell the VoIP Phone the public IP address of the PBX Server (which in this case is 213.165.190.51), and also the private IP address of the PBX Server (which in this case is 10.0.0.181). Since the 3CX Client will by default use the standard port numbers used by 3CX Phone System, typically no further configuration will be necessary.

3CX Tunnel technology can be used in the following scenarios:

  • Connect Remote Sites using the SBC - For remote sites with a number of remote phones, you can deploy the 3CX SBC to the site so that all phones will communicate with the 3CX PBX over a single port. This is also the preferred option in case 3CX Phone System is running in the cloud.
  • Connect Remote 3CX Client Users - The 3CX Clients for Windows, Mac, iOS and Android have a built in tunnel that will be used automatically when the 3CX Client detects it is not on the LAN. No configuration is necessary in the 3CX Client.
  • Connect 3CX Phone Systems via a Bridge - When creating a Bridge to another 3CX Phone System, you can choose to use the 3CX Tunnel rather than a direct connection. 

Configuring the Tunnel

We will use the above example in “How the 3CX Tunnel Works” to configure a tunnel connection.

Step 1 – Configure the Firewall

The Tunnel protocol is designed to eliminate NAT traversal problems and reduce Firewall configuration work to a minimum. There is only one Firewall setting that needs to be made – we must forward the TCP and UDP Tunnel port (set by default to 5090) to the PBX.

Configuring a Port Forward Rule in pfSense

The above picture shows configuration for a pfSense firewall - most firewalls will provide similar functionality. In your firewall:

  1. Enable Port Forwarding.
  2. Specify the PBX’s Local IP Address (which we had set previously to 192.168.9.213)
  3. Set the Type to TCP/UDP.
  4. Set the Port Range to be from 5090 to 5090 (only one port).
  5. Set the Comment field to 3CX Tunnel.
  6. Click on the Add button followed by the Apply button. Your firewall configuration is now done!

Step 2 – Configuring Remote Sites via 3CX SBC, 3CX Clients, Bridges

After you have configured the local tunnel connection and the firewall, the tunnel is now “ready for use”. At the client side you must configure the 3CX Clients, an SBC or the Bridges accordingly.

3CX SBC (Session Border Controller)

The 3CX SBC is suitable for sites with multiple IP Phones in the same LAN. The SBC must be installed at the remote site and is available for Windows and Raspberry Pi:

3CX Clients

No configuration is necessary for the 3CX clients. However to view 3CX Tunnel options, see the chapter Configuring the 3CX Clients.

3CX Bridges

To configure a Bridge using the 3CX Tunnel, see the Chapter Connecting 3CX Phone Systems (Bridges).

See Also

 

You might also be interested in:

Get 3CX Free for 1 Year Today
Download On-Premise Try in the Cloud