Configuring The Firewall – 3CX

Firewall configuration is a requirement for 3CX to work properly on the system. There are settings that needs to be changed for Voice Calls and other features to work and connect to the 3CX server.

Requirements:

• Basic Knowledge in Routing
• Configurable Firewall
  • pfSense
  • WatchGuard
  • Sonicwall
• Knowledge on the Firewall device

Note: 3CX Support will NOT configure your firewall for you.

Informations on NAT (Network Address Translation) and Ports:

• It translates Public Address (IPv4) to Private IP Addresses (NAT/PAT)
• It allows or restricts. ACL (Access Control List)
• It is required to allow connections to 3CX from:
  • Provider
  • 3CX Clients
  • Support IP Phones
  • 3CX SBC and Bridges
• IPv6 is supported
  • NAT is not supported
  • IPv6 Firewall Rules (ACL) is needed if used
• Full Cone NAT
  • It is required by 3CX PBX
  • It allows incoming network traffic from uncontacted sources, that is required for;
    • VoIP Provider
    • Mobile Devices
    • Home Offices
• Port Preservation
  • Internal Source Port = External Source Port
  • The Protocol (SIP/SDP) defines the port
    • it ensures connectivity
    • eliminates destination implementations
• Disable SIP ALG
  • ALG – Application Layer Gateway (Firewall)
    • it inspects content of the packages
    • it is made for clients and not servers

Configuration for Providers:

• Inbound NAT Ports Required:
  • SIP Port (can only be changed within the installation process)
  • Default ports
    • 5060 – UDP
    • 5060 – TCP
  • Audio Ports (includes Video and Fax)
    • Ranges from 9000 to 10999 – UDP

Configuration for 3CX Clients, SBC and Bridges:

• Inbound NAT Ports Required: (can only be changed within the installation process)
  • Tunnel Port (both SIP & Audio traffic are combined)
    • Default port is 5090 – TCP & UDP
  • HTTPS port
    • Default port is 5001 – TCP

Configuration for 3CX Client (3CX WebMeeting):

• Allow Outbound ACL
  • Host: webmeeting.3cx.net:443
• Inbound NAT Ports Required: (can only be changed within the installation process)
  • HTTPS Default Port is 5001 – TCP

This enables the starting of Web Meetings and notifications of waiting users in meeting room.

Configuration for Remote IP Phones:

• Inbound NAT Ports Required
  • SIP: Default Port is 5060 – TCP & UDP
  • Audio Ports Ranges from 9000 to 10999 – UDP
  • For provisioning, the default port is 5001 – TCP

The Remote Configuration Wizard:

• Inbound NAT Ports Required:
  • HTTP Default Port is 5015 – TCP
  • This is within the duration of the host setup

Status Validation:

From the Management Console, go to Dashboard then Firewall Checker.

• GREEN is Pass
• RED is Fail
• If you see even one RED status, it means it is Fail. You need to reconfigure the firewall and test again. It should show 100% Pass (All GREEN). Firewall Checker only tests UDP Ports.
• No HTTPS and Tunnel TCP Ports

What are the configurations that will be checked by Firewall Checker?

• Full Cone NAT – needs to be correctly configured and tested
• Port Preservation – needs to be correctly configured and tested
• SIP ALG – needs to be disabled and tested by the Firewall Checker

Possible SIP ALG Results:

• Done (GREEN )
  • No ALG was detected
• Failed (RED)
  • Checksum Sent and Received
    • SIP ALG has been detected
    • You need to disable on the Firewall
    • ALG might be detected and dropped the packet