Home | Configuration guides and docs | 3CX Administration Manual | Firewall & Router Configuration

Firewall & Router Configuration

● Introduction
● Configure the Ports for your SIP Trunk / VoIP Provider
● Configure the Ports for Remote 3CX Apps
● Port Configuration for Remote IP Phones / Bridges via Direct SIP
● Port Configuration for 3CX Video Conference
● Other Services (SMTP & Activation)
● Disable SIP ALG
● Run the Firewall Checker
● Step by Step Instructions for Popular Firewalls
● See Also

Introduction
To use  remote extensions or a VoIP Provider, you need to make changes to your firewall configuration, for
3CX to communicate successfully with your SIP trunks and remote IP phones. This guide gives you a general
overview of the ports that need to be opened/statically forwarded on your firewall. See also detailed step-by-
step guides for popular firewalls  that take you step-by-step to the correct configuration of your firewall. You
can learn more in Routers, NAT, VoIP and Firewalls.

Configure the Ports for your SIP Trunk / VoIP Provider

Open these ports to allow 3CX to communicate with the VoIP Provider/SIP Trunk and WebRTC:

● Port 5060 (inbound, UDP) and 5060-5061 (inbound, TCP) for SIP communications.
● Port 9000-10999 (inbound, UDP) for RTP (Audio) communications, i.e. the actual call. Each call requires
2 RTP ports, one to control the call and one for the call data, so the number of ports you need to open is
double the number of simultaneous calls.

Configure the Ports for Remote 3CX Apps

To allow users to use their 3CX apps remotely, on Android, iOS or Windows, you need to ensure that these
ports are open:
 ● Port 5090 (inbound, UDP and TCP) for the 3CX tunnel.
● Port 443 or 5001 (inbound, TCP) HTTPS for Presence and Provisioning, or the custom HTTPS port you
specified.
● Port 443 (outbound, TCP) for Google Android Push.
● Port 443, 2197 and 5223 (outbound, TCP) for Apple iOS Push. More information here.

PUSH messages are sent by the 3CX System to Extensions using smartphones to wake up the devices for
calls. This greatly enhances the usability of the smartphone apps.

Port Configuration for Remote IP Phones / Bridges via Direct SIP

For remote IP Phones and bridges, you have the choice of using the 3CX SBC (Tunnel) or Direct SIP. The
3CX SBC service bundles all VoIP traffic over a single port to vastly simplify firewall configuration and improve
reliability. No additional configuration is required because the 3CX SBC uses the same ports as the 3CX
apps. More information on SBC can be found here.

To connect remote extensions via direct SIP, you must open the following ports:

● Port 5060 (inbound, UDP and TCP), Port 5061 (inbound, TCP if using secure SIP) - already open if
using SIP Trunks.
● Port 9000-10999 (inbound, UDP) for RTP - already open if using SIP Trunks.
● Port 443 or 5001 (inbound, TCP) HTTPS for provisioning, unless you have specified custom PBX ports.

Port Configuration for 3CX Video Conference

To create and participate in web-based meetings, the 3CX-hosted cloud service must be able to communicate
with the 3CX PBX and vice versa. To do so, these ports need to be configured:
 ● Port 443 (inbound, TCP) must be allowed for participants to connect your 3CX System
● 3CX System: Port 443 (outbound, TCP) must be allowed to connect to 3CX’s cloud infrastructure
● Users: Port 443 (outbound, TCP) and 48000-65535 (outbound, UDP) must be allowed to exchange
audio and video with other participants

Other Services (SMTP & Activation)

A 3CX System connects to various services provided by 3CX in the cloud.

● SMTP Service: Cloud Service for SMTP Messages

        smtp-proxy.3cx.net, 2528 (outbound, TCP)

● Activation Service: Activation of 3CX Products

        activate.3cx.com, 443 (outbound, TCP, uninspected traffic)

● RPS Service: Provisioning of Remote IP Phones

        rps.3cx.com, 443 (outbound, TCP)

● Update Server: For updates of 3CX System and firmware of IP Phones

        Downloads-global.3cx.com, 443 (outbound, TCP)

Disable SIP ALG

Use a router/firewall without a SIP Helper or SIP ALG (Application Layer Gateway), or a device on which SIP
ALG can be disabled. For example, see how to switch off ALG on popular routers:

● How to Disable SIP ALG on Fortinet / FortiGate

● How to Disable SIP ALG on Netgear Routers
● How to Disable SIP ALG on Thomson Routers

Run the Firewall Checker

After configuring your firewall, run the 3CX Firewall Checker to verify its configuration!

Step by Step Instructions for Popular Firewalls

Example configurations for popular firewalls:
● Configuring a Lancom Firewall for 3CX
● Configuring a Sonicwall Firewall for 3CX
● Configuring a Draytek 2820 Router for 3CX with QoS configuration
● Configuring a Zyxel P-662H-D1 Router with 3CX
● Configuring AVM FritzBox as a Firewall with 3CX
● Configuring a CISCO router to allow connection to a VOIP provider
● Configuring FortiGate 80C for 3CX
● Configuring a WatchGuard XTM Firewall for 3CX
● Configuring a pfSense Firewall for 3CX
● Configuring a Kerio Control Appliance for 3CX
● Configuring MikroTik Firewall

See Also
● Learn more about Routers, NAT and VoIP.
● Find additional information regarding Firewall Configuration for 3CX.
● How to use the 3CX Firewall Checker.
● Watch the Configuring the Firewall training video
● What ports to open if you have trouble with PUSH - PUSH Troubleshooting guide

 Discuss this article

Get 3CX Free for 1 Year

Hosted by 3CX, in your private cloud or on-premise! No strings attached, get started today:
Name

Email address

This site is protected by reCAPTCHA and the Google

Privacy
Policy and
Terms of Service apply.

Let's Go

or use