Firewall & Router Configuration

On this topic

Introduction

Step 1: Configure the Ports for your SIP Trunk / VoIP Provider

Step 2: Configure the Ports for Remote 3CX Apps

Step 3: Port Configuration for Remote IP Phones / Bridges via Direct SIP

Step 4: Port Configuration for 3CX WebMeeting, SMTP & Activation

Step 5: Disable SIP ALG

Step 6: Run the Firewall Checker

Step by Step Instructions for Popular Firewalls

See Also

Introduction

If you plan to use remote extensions or a VoIP Provider, you need to make changes to your firewall configuration, in order for the 3CX Phone System to communicate successfully with your SIP trunks and remote IP Phones. This guide gives you a generic overview of the ports that need to be opened/statically forwarded on your firewall. We also have detailed guides for popular firewalls that take you step by step to the correct configuration of your firewall. You can learn more in Routers, NAT, VoIP and Firewalls.

Step 1: Configure the Ports for your SIP Trunk / VoIP Provider

Open the following ports to allow 3CX Phone System to communicate with the VoIP Provider/SIP Trunk and WebRTC:

  • Port 5060 (inbound, UDP) for SIP communications.
  • Ports 9000-10999 (inbound, UDP) for RTP (Audio) communications, which contain the actual call. Each call requires 2 RTP ports, one to control the call and one for the call data. Therefore, you must open twice as many ports as the number of simultaneous calls you wish to support.

Note that the above port ranges are the default ports in the 3CX Phone System. You can adjust these ports from the 3CX Management Console, in the “Settings” > “Network” > “Ports” function. 

Step 2: Configure the Ports for Remote 3CX Apps

To allow users to use their 3CX apps remotely, on Android, iOS, Mac or Windows, you must open the following ports:

  • Port 5090 (inbound, UDP and TCP) for the 3CX tunnel
  • Port 443 or 5001 (inbound, TCP) HTTPS for Presence and Provisioning (unless you have chosen custom ports).
  • Port 443 (outbound, TCP) for Google Android Push.
  • Ports 2195 and 2196 (outbound, TCP) for Apple iOS Push.

PUSH messages are sent by the 3CX Phone System to Extensions using smartphones in order to wake up the devices to take calls. This greatly enhances the usability of the smartphone apps.

Step 3: Port Configuration for Remote IP Phones / Bridges via Direct SIP

For remote IP Phones and bridges you have the choice of using the 3CX SBC (Tunnel) or Direct SIP. The 3CX SBC service bundles all VoIP traffic over a single port, which vastly simplifies firewall configuration and improves reliability. No additional configuration is required because the 3CX SBC uses the same ports as the 3CX apps. More information on SBC can be found here.

If you wish to connect remote extensions via direct SIP, you must open the following ports (most of them are already opened if you use a SIP trunk):

  • Port 5060 (inbound, UDP and TCP) and, if using secure SIP, Port 5061 (inbound, TCP) - already open if using SIP Trunks.
  • Ports 9000-10999 (inbound, UDP) for RTP - already open if using SIP Trunks.
  • Port 443 or 5001 (inbound, TCP) HTTPS for provisioning (unless you have chosen custom ports).

Step 4: Port Configuration for 3CX WebMeeting, SMTP & Activation

To create and participate in web-based meetings, the 3CX hosted cloud service must be able to communicate with the 3CX PBX and vice versa. To allow this, the following ports need to be forwarded and outbound traffic needs to be allowed:

  • Port 443 (outbound, TCP) to webmeeting.3cx.net (the IP may change, so it is recommended to allow traffic to the FQDN rather than to the IP address when possible).
  • Port 443 or 5001 (inbound, TCP unless you have chosen custom ports) to notify users of incoming web meetings.
  • Open the port you selected for HTTPS (inbound, TCP) on your firewall. The default is 443, but if you changed it to 5001 or another custom port, open that port.
  • To be able to send emails using 3CX SMTP, the machine needs to allow outbound TCP:2528.
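The port lists in Steps 1 to 4 can be turned into an audit of an existing rule set, so that only the ports needed by the features in use stay open. The following Python sketch is an added example, not 3CX code: the feature names, the `(direction, protocol, first, last)` rule format and the sample rule set are assumptions made for illustration.

```python
# Added example: port requirements transcribed from Steps 1-4 of this guide.
# Feature names and the (direction, protocol, first, last) rule format are
# assumptions of this example, not 3CX settings.

def required_rules(features, https_port=443, rtp=(9000, 10999)):
    """Return the rules the guide lists for the enabled features."""
    https_in = ("in", "tcp", https_port, https_port)
    table = {
        "sip_trunk": [("in", "udp", 5060, 5060), ("in", "udp", *rtp)],
        "remote_apps": [("in", "udp", 5090, 5090), ("in", "tcp", 5090, 5090),
                        https_in, ("out", "tcp", 443, 443),
                        ("out", "tcp", 2195, 2196)],
        "direct_sip": [("in", "udp", 5060, 5060), ("in", "tcp", 5060, 5060),
                       ("in", "udp", *rtp), https_in],
        "secure_sip": [("in", "tcp", 5061, 5061)],
        "webmeeting": [("out", "tcp", 443, 443), https_in],
        "smtp": [("out", "tcp", 2528, 2528)],
    }
    return {rule for f in features for rule in table[f]}

def expand(rules):
    """Flatten port ranges into (direction, protocol, port) triples."""
    return {(d, p, port) for d, p, lo, hi in rules
            for port in range(lo, hi + 1)}

def audit(configured, features, **kw):
    """Compare configured rules with the guide: (missing, excess) triples."""
    need, have = expand(required_rules(features, **kw)), expand(configured)
    return sorted(need - have), sorted(have - need)

def max_calls(rtp):
    """Each call uses 2 RTP ports, so a range carries half as many calls."""
    return (rtp[1] - rtp[0] + 1) // 2

# Constructed sample: a site using only a SIP trunk and remote 3CX apps whose
# firewall also forwards TCP 5060 and UDP 5000-5100, and lacks the iOS push rule.
CONFIGURED = [
    ("in", "udp", 5060, 5060), ("in", "tcp", 5060, 5060),
    ("in", "udp", 9000, 10999), ("in", "udp", 5000, 5100),
    ("in", "tcp", 5090, 5090), ("in", "tcp", 443, 443),
    ("out", "tcp", 443, 443),
]

if __name__ == "__main__":
    missing, excess = audit(CONFIGURED, ["sip_trunk", "remote_apps"])
    print("missing:", missing)
    print("excess ports:", len(excess), "first:", excess[:3])
    print("default RTP range carries", max_calls((9000, 10999)), "calls")
```

Pass `https_port=5001` (or your custom port) and a custom `rtp` range if you changed the defaults in the 3CX Management Console.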

Step 5: Disable SIP ALG

To maximize your chances of success, make sure you choose a device that does not implement a SIP Helper or SIP ALG (Application Layer Gateway), or choose a device on which SIP ALG can be disabled. The following links are examples of how to switch off ALG on popular routers:

Step 6: Run the Firewall Checker

After configuring your firewall, run the 3CX Firewall Checker to ensure that the configuration is correct.

Step by Step Instructions for Popular Firewalls

Example configurations for popular firewalls:

See Also
