Firewall & Router Configuration

Introduction

If you have 3CX installed on-premise you need to make changes to your firewall configuration to allow 3CX to communicate successfully with your SIP trunks and remote IP phones. This guide gives you a general overview of the ports that need to be opened/statically forwarded on your firewall. See also detailed step-by-step guides for popular firewalls that take you step-by-step to the correct configuration of your firewall. You can learn more in Routers, NAT, VoIP and Firewalls.

Configure/Open these Ports

To allow 3CX to work properly you will have to open the following ports:

For your SIP Trunk / VoIP Provider

Open these ports to allow 3CX to communicate with the VoIP Provider/SIP Trunk and WebRTC:

  • Port 5060 (inbound, UDP) and 5060-5061 (inbound, TCP) for SIP communications.
  • Port 9000-10999 (inbound, UDP) for RTP (Audio) communications, i.e. the actual call. Each call requires 2 RTP ports, one to control the call and one for the call data, so the number of ports you need to open is double the number of simultaneous calls.

For Remote 3CX Apps & SBC

To allow users to use their 3CX apps remotely, on Android, iOS or Windows, you need to ensure that these ports are open:

  • Port 5090 (inbound, UDP and TCP) for the 3CX tunnel.
  • Port 443 or 5001 (inbound, TCP) HTTPS for Presence and Provisioning, or the custom HTTPS port you specified.
  • Port 443 (outbound, TCP) for Google Android Push.
  • Port 443, 2197 and 5223 (outbound, TCP) for Apple iOS Push. More information here.

Configure the ports for remote 3CX clients

PUSH messages are sent by the 3CX System to Extensions using smartphones to wake up the devices for calls. This greatly enhances the usability of the smartphone apps.

For 3CX Video Conference

To create and participate in web-based meetings, the 3CX-hosted cloud service must be able to communicate with the 3CX PBX and vice versa. To do so, these ports need to be configured:

  • Port 443 (inbound, TCP) must be allowed for participants to connect your 3CX System
  • 3CX System: Port 443 (outbound, TCP) must be allowed to connect to 3CX’s cloud infrastructure
  • Users: Port 443 (outbound, TCP) and 48000-65535 (outbound, UDP) must be allowed to exchange audio and video with other participants

For Other Services (SMTP & Activation)

A 3CX System connects to various services provided by 3CX in the cloud.

  • SMTP Service: Cloud Service for SMTP Messages
            smtp-proxy.3cx.net, 2528 (outbound, TCP)
  • Activation Service: Activation of 3CX Products
                activate.3cx.com, 443 (outbound, TCP, uninspected traffic)
  • RPS Service: Provisioning of Remote IP Phones
            rps.3cx.com, 443 (outbound, TCP)
  • Update Server: For updates of 3CX System and firmware of IP Phones
            Downloads-global.3cx.com, 443 (outbound, TCP)

Port Configuration for Direct SIP / STUN

We do not recommend or support the use of STUN or Direct SIP in the cloud. Instead we require the 3CX SBC (Tunnel). The 3CX SBC service bundles all VoIP traffic over a single port to vastly simplify firewall configuration and improve reliability. No additional configuration is required because the 3CX SBC uses the same ports as the 3CX apps. More information on SBC can be found here.

Disable SIP ALG

Use a router/firewall without a SIP Helper or SIP ALG (Application Layer Gateway), or a device on which SIP ALG can be disabled. For example, see how to switch off ALG on popular routers:

Configure Split DNS

You will need to configure the 3CX FQDN to work both internally on your local network and externally outside of your network (unless you do not want to give access to your phone system from outside the network). Read how to configure split DNS here.

Run the Firewall Checker

After configuring your firewall, run the 3CX Firewall Checker to verify its configuration!

Step by Step Instructions for Popular Firewalls

Example configurations for popular firewalls:

See Also

Discuss this article