3CX Server - Installation, Configuration and Setup

Network Requirements
Installing the 3XC Server
Summary
Common Steps:
Windows Installation:
Linux VM (VirtualBox) Installation:
Configuration Wizard
Management
Setting up SMTP (email)
Provisioning
Manual Provisioning (Avaya Phones)
Softphone Provisioning
PnP Provisioning (fake)
Configuring J100 PnP support
Firmware Upgrade
Use of TLS and SRTP
Testing:

Network Requirements
The requirement for the network were a test version of the 3CX server will run is referred to in the 3CX reference document 1a - Local LAN.docx.

IP Phones provisioned as “Local LAN” assume that the PBX and IP Phone have an IP range that is described in RFC1918 (10.0.0.0/8,
172.16.0.0/12, 192.168.0.0/16).

What this means is that it must be a private network. In addition, the network must support the required multicast IP address (224.0.1.75) which is
also defined in RFC 1918.

If the phones and 3CX server reside on different subnets, the router in between must be configured to forward multicast.

If all devices are on the same subnet, the router is not involved.

Your machines should be able to reach 3cx activate server (activation.3cx.com:443)

Installing the 3XC Server

Summary
These instructions document the installation steps of a 3CX server on 1) Windows 10 Enterprise and 2) Linux VM. You will need TWO licenses
(free) for two instances of 3CX servers. 3CX offers one free license per user (per email) which limits PBX to 25 devices and 4 concurrent calls.

Instructions below cover installation (Windows and Linux VM), PBX setup, configuration, provisioning (manual and PnP) and simple call tests.

Other types of installations not covered here: SBC, MiniPC, Cloud, 3cx package on plain Debian 9.

Common Steps:
1. Register a new account at 3cx.com and Get a license key (one account per email). IMPORTANT: One key allows only one instance of
installation. You will need multiple keys for multiple instances.
https://www.3cx.com/phone-system/download-phone-system/
2. Watch your emails (check spam folder). You will get 1) verification email 2) Download instructions and license KEY.
Save this email.
3. Download (links and instructions are also in the email):
1. Windows Installer: https://downloads.3cx.com/downloads/3CXPhoneSystem155.exe or
2. Linux ISO: https:// downloads.3cx.com /downloads/debian9iso/debian-amd64-netinst-3cx.iso

NOTE: Make sure your machine can reach: activation.3cx.com:443

Avaya users: Keep ZScaler CA certificate handy. You will need it later.
Windows Installation: Linux VM (VirtualBox) Installation:
Detailed instructions: https://www.3cx.com/docs/manual/phone- Detailed instructions: https://www.3cx.com/docs/debian-linux-
system-installation-windows/ using-virtualbox/

Minimum Requirements: 1CPU, 1GB ram, 10GB free hard drive 1. Download and install virtualbox albox on your host
space. machine if not already done (my host is: Ubuntu 18.04)
2. Reserve an IP on your local network for your 3cx host
1. Run the downloaded 3cx installer. machine (DHCP is also an option but better use static IP)
2. Follow through the Wizard, accept/install additional licenses 3. Create a VM (HD 20+GB, RAM 2+GB)
/components. 4. Network adaptor: Bridged. Promiscuous mode: All
3. Installation is complete when you see: 5. Copy the downloaded 3cx iso on your host machine and
'Welcome to the 3CX Configuration Tool' mount it under 'Storage'Controller IDE on your VM
4. Aavaya users: You may need to install the ZScaler 6. Start the VM and Choose 'Install' menu option.
certificate on your browser and PC. Download ZscalerRootC 7. Pick a hostname ( This can be different from sip FQDN
ertificate-2048-SHA256.crt and just double click on it. that you will choose later). You may also enter an IP
5. To re-run configuration wizard, run C:\Program Files\3CX address.
Phone System\Bin\PBXWizard\PbxConfigTool.exe 8. Configure network (static or DHCP)
6. Skip to 'Configuration Wizard' 9. Select a domain name ( this should be the same as for
local network devices and may be different from sip domain
you will configure later)
10. Specify root password.
11. Partition drive: Choose option 1 'Guided - use entire disk'
(unless you know what you are doing)
12. Chose 3cx package to install: "3CX Stable" (note, there is
also an option to choose SBC)
13. Installation is complete when you see:
'Welcome to the 3CX Configuration Tool'
14. Avaya users behind zscaler proxy

Install zscaler certificate

You need to append /etc
/ssl/certs/ca-
certificates.crt with
contents of attached
ZscalerRootCertificate-
2048-SHA256.crt. e.g
Open
ZscalerRootCertificate-
2048-SHA256.crt in a
text editor and copy
its contents to
clipboard.
ssh to your pbx as root
(ssh root@pbx-ip)
# cp /etc/ssl/certs/ca-
certificates.crt ~/ca-
certificates.crt_BAK
# cat >> /etc/ssl/certs
/ca-certificates.crt
paste the contents of
clipboard
Press CTRL-D
exit ssh

15. To re-run configuration wizard, run 'sudo /usr/sbin

/3CXWizard --cleanup'
16. Skip to 'Configuration Wizard'
Configuration Wizard
Detailed instructions: https://www.3cx.com/docs/manual/configuring-your-pbx/

1. Continuing from the Installation step, you will be at the prompt asking to chose an option:

1. (1) Using a Web Browser

2. (2) Command Line
2. If you chose 1, open a browser at http:<ip-of-your-pbx>:5015
(I prefer CLI as it is fast and simple)
3. Select 'Create new install' and enter the license key that was sent to you in the email. (hint: To get this key again, re-register with same
email and the same key will be emailed to you).
4. Very important. Your installation will halt at this step if the 3cx machine is unable to reach activation.3cx.com OR validate it's
certificate. For Avaya users, this step requires zscaler CA installed in the trust store.
5. Select your Public IP: important if your machine is behind a proxy (such as all Avaya), your 'publicly exposed IP' is not the same as
your 'Public IP'. Manually enter the IP that is reachable by the phones, not the one reported by the setup.
6. Chose if this is static or dynamic (I chose static).
7. Choose FQDN wisely: Select
"I need a 3CX FQDN"
Important chose a unique and friendly host name. This host name will be added to public internet DNS server 3cx.ca (there are choices
for other TLDs). e.g if you chose hostname 'tma', there will be a global DNS entry created, tma.3cx.ca with the IP of our 3cx machine. (Fu
n fact: You can do 'nslookup this-fqdn' from your home and it will resolve to your 3cx-pbx ip.)
The hostname you choose will be permanently locked to your license.
3cx will install a server certificate for this FQDN from 'Let's Encrypt' CA for free.
8. Select the network adaptor that has the chosen IP
9. Create admin account (username/password). (Hint: To reset this password, re-run the configuration wizard as mentioned in the
previous step.)
10. Accept defaults for port numbers (unless you know better).
11. Chose extension length as desired (I chose "4").
12. Select 3CX SMTP Server (unless you know better).
13. Pick operator and voicemail extensions as desired.
14. Select countries for allowed calls (just pick North America) and Language.
15. You will see a 'Congratulations' dialog. Save this information somewhere.
16. Test if you can reach https://<fqdn-or-ip-of-your-3cx>:5001
Hint: If you use IP address, you will get a prompt from browser to add exception for server certificate. Not for FQDN.

You may see an error in 'Information' section of the 'Dashboard', "Activation Failed" next to 'License'. This has not caused any problem in the
actual operation of the PBX so far.

Management
Admin manual: https://www.3cx.com/docs/manual/
User Manual: https://www.3cx.com/user-manual/

Recommended browser: Google Chrome

1. Go to https://<fqdn-or-ip-of-your-3cx>:5001
2. Login using admin credentials as configured earlier. If you forgot the password, you will need to re-run Configuration Wizard as
above. (Also, if you make too many wrong attempts to login, the IP address of your browser machine will be blocks. Use another
machine if that happens.)
 3. Select 'Extensions' from left bar.
4. Click "Add"
5. Enter Extension number, e.g '4000', and fill out other details as desired.
Hint: For manual provisioning of Avaya phones (until we have PnP implemented) chose some simple to type value for "ID field", even
make it same as extension number. Also chose a simple password.
6. Choose password for "Web authentication". This will be used by the user to access their extension through 3CX management ports as h
ttps://<pbx>:5001/webclient
7. Press OK
8. Repeat as needed.

Setting up SMTP (email)

From the web admin console (e.g https://bvw.3cx.ca:5001), click 'Settings' from the left bar, then select 'Email' box in the top row. You will have a
choice from: '3CX SMTP Server, GMail, Outlook, Office365 or Custom SMTP Server'

For those connected directly to the internet, '3CX SMTP Server' (default) should work fine.

For Avaya users, where 3CX SMTP server is not reachable, select 'Custom SMTP Server' and set 'Mail Server' as mailhost.avaya.com
Provisioning
We will provision Avaya phones (manual/http provisioning), Softphone (QR based provisioning) and PnP (fake provisioning for demo for now).

3CX have a special provisioning feature for Avaya phones, using DHCP option 242. That configuration is not done here.

Manual Provisioning (Avaya Phones)

1. Provide your 3cx IP or fqdn to the phone via admin menu or settings file.
Make sure to use the SIP domain to fqdn that was created for your 3cx pbx, e.g bvw.3cx.ca
2. Enter login ID as "ID field" entered in one of the extensions, and corresponding password.

Phone will login with the specified extension.

Softphone Provisioning
3CX has soft clients for Windows, iOS and Android. I have tested iOS client.

1. Search and install "3CX Client" from app or android store.

2. Go to your pbx management console (e.g https://bvw.3cx.ca:5001)
3. Select "Extensions" from the left bar and then click on an unused extension line.
4. Press "Edit"
 5. You should see "QR code" at the right. If not, then click "Client" tab. You should see:

6. Open the '3CX' app on your device, touch the setting icon ( )
7. Point camera to the QR code and select "Scan QR code"

Phone will login with the specified extension.

PnP Provisioning (fake)

This is not a real provisioning. Just a test to demonstrate PnP configuration.

1. Download attached sample PnP multicast packet

2. Using tpcreplay on Linux (or colasoft packet player on Windows) replay the above packet on the same subnet where 3cx machine is.
3. Open web management console (e.g https://bvw.3cx.ca:5001)
4. Select 'Phones' from the left bar.
5. You will see:

6. Select this line and click "Add Ext" or "Assign Ext" or "Reject" from the top bar.

Delete the phone configuration after this test (because the phone doesn't actually exist)

A sample wireshark trace of full PnP provisioning

Note: This is just a fake device. Once we implement PnP, this line will show real information about an Avaya phone.

Configuring J100 PnP support

The production 3CX server does not support PnP for J100 phones. To add this requires that a template definition be added to the server
installation where the template indicates which J100 phones support PnP. This will cause the 3CX administration interface to display J100
phones.

The J100 template file needs to be added in this directory in a Windows installation:

Program Data\3CX\Instance1\Data\Http\Templates\phones

and on Linux:

/var/lib/3cxpbx/Instance1/Data/Http/Templates/phones
Note that this template file also contains definitions of the J100Supgrade.txt and 46xxsettings.txt files.Here is an example file which specifies
4.0.1.0.7 in the upgrade file and contains no settings: avayaJ100.ph.xml

Once the file is placed in this directory, services on the 3CX server must be restarted:

1. Press the Services link on the Dashboard page

2. Select all Services in the list and press the Restart button

Now, when you go to manually add a phone when editing an extension in the Phone Provisioning tab, J100 phones will appear in the list.

In addition, when a J100 phone sends a multicast SUBSCRIBE, it will show up in the list of devices in the Phones page in the 3XC administration
web interface as New AND the Add Ext and Assign Ext options will be enabled so you can actually assign an extension to the J100 phone.

Firmware Upgrade
Unzip firmware upgrade package here:

Windows:
C:\ProgramData\3CX\Instance1\Data\Http\Interface\provisioning\secure_folder
Linux :
/var/lib/3cxpbx/Instance1/Data/Http/Interface/provisioning/secure_folder

(Ref: https://www.3cx.com/sip-phones/avaya-ip-phone-provisioning/#h.a36wrqhhcs7d)

Use of TLS and SRTP

Using TLS for SIP signaling is supported and can be configured on the phone in the usual way using SIP_CONTROLLER_LIST. The only other
thing that is required to do is to enable the Public CA certificates in the phone using the following line in the settings file. The 3CX server uses a
Let's Encrypt certificate and the Let's Encrypt CA is embedded in the phone (as of the 4.0.2.0.5 release).

SET ENABLE_PUBLIC_CA_CERTS 1

On a 3CX production system this is all you should need to do but if you are not using the full FQDN of the 3CX server in your configuration (e.g.
you configure the SIP controller and SIP domain as the server's IP address) then you will also need to disable certificate name validation:

SET TLSSRVRID 0
To use SRTP requires more planning since the 3CX server does not support SRTP vs RTP negotiation. If you want to enable SRTP, you must
enable it for ALL endpoints in the system. To enable SRTP, you must enable TLS signaling as noted above. The following line will
enable aescm128-hmac80:

SET MEDIAENCRYPTION 1

The only other value supported by 3CX for SRTP is 2 (aescm128-hmac32).

Testing:
Setup:

Phone A: 3CX Softphone (iPhone)

Phone B: Avaya J139
Phone C: Avaya J179

1. Simple calls - A calls B. B calls C. C calls A etc.

2. Conference - A calls B, then A clicks 'Conference' and calls C
3. Call transfer - unattended - A calls B, B presses transfer, dials C and press "Now" to complete transfer. A talks to C 1
4. Call transfer - attended - (Requires server config2) - A calls B, B press transfer, dials C and presses "Talk". "All lines are in use"

---

1 There is currently a known issue. For unattended transfer, Avaya phone keeps showing "Resume" softkey and the line LED keeps on blinking.
This can be ignored.
2 On 3CX server admin console, edit extention, in "Forwarding Rules", enable "Accept multiple calls"

Attachments:

File Modified
Jan 04, 2019 by Gibb, Murray
Microsoft Word Document 1a - Local LAN.docx
(Murray)
Jan 09, 2019 by Mahmood,
File ZscalerRootCertificate-2048-SHA256.crt
Shahid (Shahid)
Jan 09, 2019 by Mahmood,
PNG File image2019-1-9_15-44-27.png
Shahid (Shahid)
Jan 09, 2019 by Mahmood,
PNG File image2019-1-9_17-22-50.png
Shahid (Shahid)
Jan 09, 2019 by Mahmood,
File 3cx-PNP-multicast.pcap
Shahid (Shahid)
Jan 09, 2019 by Mahmood,
PNG File image2019-1-9_17-53-17.png
Shahid (Shahid)
Jan 11, 2019 by Mahmood,
File 1 - PnP Provisioning (Sample).pcap
Shahid (Shahid)
Jan 15, 2019 by Mahmood,
PNG File image2019-1-15_8-43-55.png
Shahid (Shahid)
Feb 28, 2019 by Gibb, Murray
XML File avayaJ100.ph.xml
(Murray)
Feb 28, 2019 by Gibb, Murray
PNG File 3cx_services_link.png
(Murray)
Feb 28, 2019 by Gibb, Murray
PNG File 3cx_supported_phones.png
(Murray)

Drag and drop to upload or browse for files

Download All