3CX Notes

With the 3CX on-premise and self-hosting solutions, you have complete control
over your system; You’ll have the freedom to customise it to your specific needs,
implement your security protocols, and hold full responsibility for its
management and safety.
As you can understand, installing an on-premise or self-hosted 3CX solution
requires additional technical knowledge. To set up and maintain the system,
you'll need to know, amongst other things, server administration, networking,
and VoIP technology.
This chapter will take you through the steps of installing and configuring the 3CX:
1. On-premise: on your Windows or Linux machine.
2. Self-host: on Google, Amazon, Azure or DigitalOcean Marketplaces.
For installations with up to 120 users, we strongly recommend 3CX Hosted and
3CX SMB - Small Business, which are the most cost-effective and easy ways to
host 3CX. 3CX Support does not cover OS / machine-related issues for self-hosted
or on-premises installs.
Installing 3CX using 3CX Debian ISO

 Introduction
 Step 1: Check System Requirements
 Step 2: Check VM platform requirements
 Step 3: Check Network & Firewall Requirements
 Step 4: Install Debian for 3CX
 Step 5: Upload the Configuration File
 Step 6: Configure Split DNS
 Step 7: Configure your Firewall
 See Also
Introduction
3CX created a Debian Linux ISO to make installation faster and management
easier. You must dedicate your Debian Linux instance to 3CX.
 Do not install other packages or change the configuration.
 Do not install system updates via the command line! This is done
by the 3CX system via updates after they have been tested!
 Any changes to the system will render your installation
unsupported!
Step 1: Check System Requirements
 Υour machine needs at least one dedicated CPU or 2vCPU cores and two
GB of RAM. If you are self-hosting your machine and your hoster is using a
shared CPU, then you need two cores!
 Review the suggested hardware specifications to allocate additional CPU
time and RAM resources based on:
 Number of simultaneous calls the system handles.
 Number of active users - 100 Web Client active sessions is more
demanding than 100 occasional calls via IP phones.
 Call recording use - stresses the system for audio mixing and file storage.
 3CX can be installed on any hardware that runs Debian 12. If you want to
do a barebone install ensure that the hardware works with Debian 12 and
that the hardware vendor will support you with any issues. We can not
assist with any issues in installing Debian 10 on barebone hardware.
 Do not configure a virtual network, VPN interface or the TeamViewer VPN
option on the 3CX host.
Step 2: Check VM platform requirements
3CX is tested and supported to run as a Virtual Machine on these hypervisor
platforms:
 VMware vSphere Hypervisor (ESXi) 6.5u1 and above, with VMWare Tools
package installed.
 Microsoft Hyper-V Server (6.2) and above capable of running Debian 12 -
see our Hyper-V Page for required settings.
 KVM 2.8 and up.
 Citrix XenServer 7.0 and above.
 Avoid using 3CX on converted VMs (P2V) due to possible timing issues,
causing the guest OS not to sync with the hypervisor’s timer.
Step 3: Check Network & Firewall Requirements
 On premise installs are only supported on properly configured RFC
1918 private networks, i.e. 172.16.0.0/12, 10.0.0.0/8 or
192.168.0.0/16 IP range.
 The PBX needs to be configured with a dedicated public IP.
 On premise installs require Split DNS so that the 3CX FQDN resolves on
both the internal and the external network.
 Installing 3CX on a machine behind a NAT device requires port forwarding.
See the Firewall & Router Configuration Guide.
Step 4: Install Debian for 3CX
To install Debian for 3CX:
1. Download the latest 3CX ISO.
2. If you are using a hypervisor/virtualized OS, set the CD option to boot from
the ISO and ensure the CD drive is set to connect on startup. If you are
installing on a mini PC, then create a bootable image, plug it into one of
the available Mini PC’s USB ports and set the BIOS to boot from the USB
drive to start the installation.
3. Boot your system with the downloaded 3CX ISO, select “Install” from the
main boot screen and press the <Enter> key.
4. Important: You need to configure a static IP address for the 3CX host
machine. Select <Go Back> or press the ‘ESC’ key when asked for the
hostname to first set the IP address of the system and then configure the
hostname. The system’s IP address affects the running PBX services,
connected clients and IP phones. To change the IP address on a running
3CX system, you need to reboot the machine and then re-provision the
connected apps and IP phones. If you don’t want to set a static IP
address, proceed to No. 6.
5. Select “Configure Network Manually” and press the <Enter> key to
set the system's static IP address. Select <Continue> to enter the network
netmask and select <Continue>. Then, enter the network default gateway
IP address and select <Continue>. Finally, enter the name server(s) IP
address(es) and select <Continue>.
6. Enter a hostname for the computer so you can easily identify it on
your network, using the characters 'a' to 'z', numbers '0' to '9' and the '-'
character.
7. Enter a domain name - use the same domain you used on other
computers in the network, e.g.
mycompany.com
. Select <Continue> to proceed.
8. Select the default system language and press the <Enter> key.
9. Select your geographical location from the location menu and press the
<Enter> key to proceed.
10.Specify the
root
account password for the machine and select <Continue> to re-enter the
password for verification purposes. Finally, select <Continue> to
proceed. Note: Set a strong password for the
root
user, as this account has no restrictions!
11.Select the system timezone and press the <Enter> key to proceed.
12.Partition your disk, selecting “Guided - use the entire disk”. Press the
13.Confirm your disk selection by pressing the <Enter> key. If you are
installing on a bare metal machine, all data on your disk will be erased!
14.Select the “All files in one partition” partitioning scheme and press the
15.Select “Finish partitioning and write changes to disk” and press the
<Enter> key to proceed to the 3CX Debian installation.
16.Select ‘Yes’ and press the <Enter> key to confirm writing changes to the
disk. The install process can take about 5-20 minutes, depending on your
machine’s performance. When the Debian installer finishes, the machine is
rebooted and the 3CX installation starts automatically.
17.Now choose the “3CX Version xx” to install and then press <OK>. Agree
to the “3CX License Agreement” to proceed.
Step 5: Upload the Configuration File
After the 3CX Debian installation finishes, you need to upload the configuration
file to complete the installation.
1. If you do not have a configuration file yet, go to www.3cx.com/install/
2. Login with your 3CX account and configure an On-Premise PBX. At the end
of the process, you will be given a link to the configuration file. You can
copy the link or download the file. For more information see Installing 3CX
3. You can choose to either:
1. Use a web browser on http://<ip of machine>:5015 by selecting option
1
2. Alternatively use the command line by selecting option 2
4. Once your installation is ready, you will be prompted to set your password.
Login to the PBX using the email you used to register.
Step 6: Configure Split DNS

You will need to configure the 3CX FQDN to work both internally on your local
network and externally outside of your network. Read how to configure split DNS
here.
Step 7: Configure your Firewall
In order to configure a SIP trunk or connect remote phones, you will need to
configure your firewall to allow voice traffic in and out of your network. See
our Firewall configuration guide.
Installing 3CX on Windows

 Step 1: Check System Requirements
 Supported VM Platforms
 Network, Firewall & Other Requirements
 Step 2: Prepare Your Host Machine for Installation
 Step 3: Install 3CX for Windows
 Step 4 - Upload the configuration file
 Step 5 - Configure Split DNS
 Step 6 - Configure your Firewall
 See Also
Step 1: Check System Requirements
The following Windows platforms are supported:
 Windows 10 (Pro, Enterprise)
 Windows 11 (Pro, Enterprise)
 Windows Server 2016 (Standard, Datacenter)
Your machine or VM needs at least two CPU cores and two GB of RAM. Review
the suggested hardware specifications to allocate additional CPU and RAM
resources based on:
 Number of simultaneous calls the system handles.
 Number of active users - 100 Web Client active sessions is more
demanding than 100 occasional calls via IP phones.
 Call recording use - stresses the system for audio mixing and file storage.
Supported VM Platforms
3CX is tested and supported to run as a Virtual Machine on these hypervisor
platforms:
 VMware vSphere Hypervisor (ESXi) 6.5u1 and above.
 Microsoft HyperV (6.2) and above capable of running Win 10 or Server
2016 and above - see our Hyper-V Page for required settings.
 KVM 2.8 and above
 Citrix XenServer 7.0 and above
Avoid using 3CX on converted VMs (P2V) due to possible timing issues, causing
the guest OS to not sync with the hypervisor’s timer.
Network, Firewall & Other Requirements
 LAN installs are supported on properly configured RFC 1918 private
networks, i.e. 172.16.0.0 /10.0.0.0/192.168.0.0 IP range.
 The PBX needs to be configured with a dedicated public IP.
 You need to configure Split DNS so that the 3CX FQDN resolve on both the
internal and the external network.
 Installing 3CX on a machine behind a NAT device requires port forwarding.
See the Firewall & Router Configuration Guide.
 Do not configure the 3CX host machine with a virtual network, VPN
interface or the TeamViewer VPN option.
 Use the latest version of Firefox, Google Chrome or Edge to access the 3CX
Admin Console.
Step 2: Prepare Your Host Machine for Installation
Before installing 3CX:
1. Assign a static internal IP address to the host machine’s network adapter.
2. Install all available Windows updates & Service packs.
3. Any installed Antivirus Software should NOT scan:
 C:\Program Files\3CX Phone System\*
 C:\ProgramData\3CX\*
4. If the host machine has multiple network adapters:
 Disable any unused network interface(s), Wi-Fi or Bluetooth adapter(s).
 Just ONE default gateway, i.e. no multiple adapters with default gateways!
 Prioritize the primary network interface (the one with the default gateway
configured) to the first position from: “Control Panel” > “Network and
Internet” > “Network and Sharing Center” > “Change adapter
settings”. Press the Alt key to reveal the File menu and click
on “Advanced” > “Advanced Settings”. The “Adapter and
Bindings” tab > “Connections” section shows the available network
interfaces. Ensure that the network card with the default gateway is at the
top position.
5. Disable all power saving options for your System and Network adapters.
Set the system to “High Performance” from within “Control
Panel” > “Hardware” > “Power Options”.
6. Verify that the 3CX host machine is not configured as a server for DNS,
DHCP, MS SharePoint, Exchange, SQL or any other network-
based service(s).
Step 3: Install 3CX for Windows
1. Download the latest 3CX Installation.
2. Double-click on the setup file, read the system requirements and
click “Next”.
3. Read our configuration recommendations and click “Next”.
4. Review and accept the license agreement.
5. Select the installation folder path and then click “Next”. The 3CX Phone
System needs a minimum of 10GB free hard disk space. You need to
reserve additional space to store voicemail files, recordings and voice
prompts.
6. Proceed to “Install” 3CX and the necessary Windows services.
Step 4 - Upload the configuration file
After the 3CX Windows install finishes, you need to upload the configuration file
to complete the installation.
1. If you have not already done so, go to https://www.3cx.com/install/
2. Login with your customer account and configure an On-Premise PBX. At
the end of the process, you will be given a link to the configuration file.
You can copy the link or download the file. For more information
see Installing 3CX
3. Now open a web browser on http://<ip of machine>:5015
4. Alternatively, use the command line by choosing option 1.
5. Once your installation is ready, you will be prompted to set your password.
Login to the PBX using the email you used to register.
Step 5 - Configure Split DNS
network and externally outside of your network (unless you do not want to give
access to your phone system from outside the network). Read how to configure
split DNS here.
Step 6 - Configure your Firewall
In order to configure a SIP trunk or connect remote phones, you will need to
configure your firewall to allow voice traffic in and out of your network. See
our Firewall configuration guide.
Hardware Requirements
 Introduction
 General Requirements
 x86-Based
 3CX PBX
 3CX SBC
 Cloud Provider
Introduction
Refer to these suggested 3CX Phone System usage scenarios based on the
extensions used, to assist you to size the minimum required hardware to run
3CX.
A user (extension) is typically defined to use the 3CX Web Client/Desktop App
and a 3CX Mobile App for communication while being part of one extension
group and one queue. In addition to this, the user may use an IP phone
connected to their extension. These suggested hardware specifications are
provided as a baseline and may change based on your business needs and
usage.
General Requirements
CPU:
 Using Call Queues and group calls taxes the CPU more than 1-on-1 calls,
depending on the number of the call end-points.
 Refer to this CPU hierarchy to assist you in selecting a suitable processor,
based on the suggested processor family. AMD CPUs are supported based
on their equivalence to the suggested Intel CPUs.
Memory:
 Allocating users in more extension groups or queues increases the need
for additional RAM.
Network:
 3CX requires at least a 1Gb LAN network connectivity, depending on the
number of simultaneous calls and usage of other network applications.
 10Gb is required for 1000+ extensions.
 Link Aggregation (LAG, LACP) can be used on HyperVisor platforms to
further expand available throughput but is not available for Bare Metal
machines.
Storage:
 Allocate at least 30GB for the 3CX base system installation.
 Add extra drive/partition/space for backup, voicemail, recordings or
logging. Keep in mind:
 Recording and voicemail: 1 minute of recorded audio consumes ~1MB or
256KB with compression enabled
 Logging: Verbose logs on a busy system can consume up to ~1GB per day
or per 2500 calls.
 Offload (archive) unneeded recordings / voicemails / backups to cold
storage regularly to keep optimal free space available to your PBX.
Small Medium Large Enterprise En
Extensions
10 50 250 1000 10
(up to)
*For usage cases of more than 1000 extensions please contact us to assist you in
planning.
x86-Based
x86-based CPU installs require compatibility to 64-bit architecture and can be
used as “Bare Metal” or “Virtual Machine” deployments. 3CX verified the
usage for the following HyperVisors*:
 VMware vSphere Hypervisor (ESXi) 6.5u1 and above, with VMWare tools
package installed
 Microsoft Hyper-V Server (6.2) and above capable of running Debian 10,
Win10, Server 2016 and above
 Citrix XenServer 7.0 and above
 KVM 2.8 and up
*Additional configuration may be needed for the virtual machine, depending on
the HyperVisor used.
3CX PBX
Small
3CX PBX Linux Debian-based Windows-based
CPU Family Intel i3 (Gen.8) or equivalent
vCPUs 2 2
Memory 2 2
Storage 30 GB SSD based storage
Medium
vCPUs 4 6
Memory 4 6
Large
vCPUs 6 8
Memory 8 10
Enterprise

CPU Family Intel Xeon E5 v4 or equivalent
vCPUs 8 10
Memory 16 18
Enterprise+
CPU Family Intel Xeon E7 v4 or equivalent
vCPUs 8+ 10+
Memory 32+ 34+
Storage 500+ GB SSD based storage
3CX SBC
If the 3CX PBX is located in the cloud and IP phone should be routed to the
instance, these SBC specifications are recommended:
Devices Up to 50 (10 BLFs per device) Up to 100 (10 BLFs per d
Platform Linux Debian-based Windows-based Linux Debian-based W
CPU
Intel i3 (Gen.8) or equivalent Intel i7 (Gen.8) or equivale
Family
vCPUs 2 4 4 6
Memory 2 4 2 4
Storage 30 GB available storage space
Cloud Provider
Suggested virtual machine / instance specifications for Google Cloud Platform
(GCP), MS Azure and Amazon Web Services (AWS) / Lightsail, based on the use
cases outlined in the bare metal configurations. You can opt for instances with
higher performance and memory according to your needs.
Microsoft Am
Cloud Provider Google (GCP) Amazon EC2
(Azure) Lig
Small (up to 10 ext) e2-highcpu-2 B2s a1.large t2
Medium (up to 50
n1-standard-4 D4 v3 m5ad.xlarge t2
ext)
Large (up to 250

n1-highmem-4 D12 v2 r5ad.xlarge t2
ext)
Adjust storage size and swap space accordingly, based on your needs and usage.
Installing 3CX Phone System on a Hyper-V VM

 General Settings
 Configuring a Static MAC address
 Broadcom NetXtreme 1-Gigabit
 Windows on Hyper-V
 Hyper-V Integration Services
 Verify Installed Network Drivers
 Check if NTP Source is Set to the Hyper-V Server
 Debian on Microsoft Hyper-V
 Prerequisites
 Time Synchronization on Debian VM
 See Also
When running Microsoft Hyper-V, it is important to have the following settings
configured on the 3CX Virtual Machine (VM) for optimal performance.
General Settings
Configuring a Static MAC address
It is very important for licensing that the MAC address of the hosted VM is a
constant value. To set a static MAC address for the 3CX VM running in Hyper-V:
1. Open a command prompt on the 3CX virtual machine.
2. Click “Start”, type “cmd” and press <Enter>.
3. Type “ipconfig /all” and press the <Enter> key.
4. Note down the value in the “Physical Address” field to use for the 3CX
VM in Hyper-V Manager, marked in this example as xx-xx-xx-xx-xx-xx.
5. Start Hyper-V Manager with administrative privileges.
6. In the “Virtual Machines” section, right-click on the 3CX VM to configure

and choose “Settings”.
7. In the “Settings for <VM_name>” window, select “Network
Adapter” > “Advanced Features”.
8. Set the “MAC address” field to “Static” and use the “Physical
Address” value you noted earlier to fill in the corresponding fields.
9. Click “OK” to save settings.
Broadcom NetXtreme 1-Gigabit
If the HyperV server uses the above-defined network adapter(s), the driver must
be updated to the latest version and/or VMq needs to be disabled for those.
More information can be found here.
Windows on Hyper-V
Hyper-V Integration Services
Hyper-V Integration Services are automatically installed via Windows Update and
can solve some issues related to NTP and network card performance.
Verify Installed Network Drivers
To verify that Integration Services are installed open an administrative command
prompt and:
1. Type “ipconfig /all” and press “Enter”.
2. If the result of the ipconfig shows the installed Network Adapter
as “Microsoft Virtual Machine Bus Network Adapter”, you need to
install the Integration Services.
3. If the result of the “ipconfig” command shows your Network Adapter
as “Hyper-V Network Adapter”, your Integration Services are already
installed.
Check if NTP Source is Set to the Hyper-V Server
Keeping the system time synchronized is essential to the normal operation of a
3CX PBX. To verify the Windows time synchronization status, open an
administrative command prompt and:
1. Enter the command “w32tm /query /source”

2. The command’s result should be “VM IC Time Synchronization
Provider”
3. If you read “Local CMOS Clock” or a name of an NTP host you need to
install Integration Services on the VM.
Debian on Microsoft Hyper-V
Prerequisites
 Standard Network Adapter: 3CX on Debian explicitly requires a standard
“Network Adapter, i.e. the “Legacy Network Adapter” type
is not supported.
 Generation 1 VMs only are supported by 3CX. Refrain from using
Generation 2 VMs.
Time Synchronization on Debian VM
To install and configure the NTP (Network Time Protocol) client after creating a
Debian VM instance, run these commands as “root” or via “sudo”:
apt update
apt install ntp
📄 Note: Supported versions of Debian Linux have built-in support for Hyper-V
Integration Services.
Chapter 2: Firewall Configuration
A firewall is a network security system that monitors and controls incoming and
outgoing network traffic based on predetermined security rules.
On-premise and self-hosted installations require firewall configuration to allow
system access from outside the network, i.e. remote extensions or web-based
management. If the firewall is not configured correctly, it can prevent access to
the 3CX system or leave it vulnerable to unauthorized access.
For this chapter, you need to be familiar with your firewall device and the
routing. 3CX will not configure your firewall.
We’ll go through the main aspects of ports and routing as well as the Firewall
checker feature. This includes understanding the necessary ports and protocols
used by the system, configuring firewall rules to allow only necessary traffic, and
detecting any unauthorised access.
Firewall & Router Configuration
 Introduction
 Ports required for your SIP Trunk / VoIP Provider
 Ports required for remote 3CX Apps & SBC
 Ports required for 3CX Video Conference
 Ports Required for Other Services
 Configure Split DNS / Hairpin NAT
 Disable SIP ALG
 Run the Firewall Checker
 ACL/Firewall
 Step by Step Instructions for Popular Firewalls
 See Also
Introduction
If you have 3CX installed on-premise you need to make changes to your firewall
configuration to allow 3CX to communicate successfully with your SIP trunks and
apps. This guide gives you a general overview of the ports that need to be
opened/statically forwarded on your firewall.
If you have remote IP phones, you need to put an SBC or router phone in front of
them. Alternatively we recommend the use of our apps which have an inbuilt
tunnel. More information on SBC can be found here.
Ports required for your SIP Trunk / VoIP Provider
Open these ports to allow 3CX to communicate with the VoIP Provider/SIP Trunk
and WebRTC:
 Port 5060 (inbound, UDP) and 5060-5061 (inbound, TCP) for SIP
communications.
 Port 9000-10999 (inbound, UDP) for RTP (Audio) communications, i.e.
the actual call. Each call requires 2 RTP ports, one to control the call and
one for the call data, so the number of ports you need to open is double
the number of simultaneous calls.
Ports required for remote 3CX Apps & SBC
To allow users to use their 3CX apps remotely, on Android, iOS or Windows, you
need to ensure that these ports are open:
 Port 5090 (inbound, UDP and TCP) for the 3CX tunnel.
 Port 443 or 5001 (inbound, TCP) HTTPS for Presence and Provisioning, or
the custom HTTPS port you specified.
 Port 443 (outbound, TCP) for Google Android Push.
 Port 443, 2197 and 5223 (outbound, TCP) for Apple iOS Push. More
information here.
PUSH messages are sent by the 3CX System to Extensions using smartphones to
wake up the devices for calls. This greatly enhances the usability of the
smartphone apps.
Ports required for 3CX Video Conference
To create and participate in web-based meetings, the 3CX-hosted cloud service
must be able to communicate with the 3CX PBX and vice versa. To do so, these
ports need to be configured:
 Port 443 (inbound, TCP) must be allowed for participants to connect your
3CX System
 3CX System: Port 443 (outbound, TCP) must be allowed to connect to
3CX’s cloud infrastructure
 Users: Port 443 (outbound, TCP) and 48000-65535 (outbound, UDP) must
be allowed to exchange audio and video with other participants
Ports Required for Other Services
3CX connects to various services provided in the cloud.
 SMTP Service: Cloud Service for SMTP Messages
smtp-proxy.3cx.net, 2528 (outbound, TCP)
 Activation Service: Activation of 3CX Products
activate.3cx.com, 443 (outbound, TCP, uninspected traffic)
 Discovery Service: Discover your Public IP
discoverv4.3cx.com, 443 (outbound, TCP, uninspected traffic)
 RPS Service: Provisioning of Remote IP Phones
rps.3cx.com, 443 (outbound, TCP)
 Update Server: For 3CX updates and IP Phone firmware
downloads-global.3cx.com, 443 (outbound, TCP)
Configure Split DNS / Hairpin NAT
network and externally outside of your network (unless you do not want to give
access to your phone system from outside the network). Read how to configure
split DNS here.
Disable SIP ALG
Use a router/firewall without a SIP Helper or SIP ALG (Application Layer Gateway),
or a device on which SIP ALG can be disabled.
Run the Firewall Checker
After configuring your firewall, run the 3CX Firewall Checker to verify its
configuration!
ACL/Firewall
Each on-premise installation environment is different, therefore, it is your
responsibility to define the appropriate ACL/firewall rules that will not allow the
3CX host to reach sensitive subnets/endpoints within your network. This must be
handled on the networking layer in gateways and firewalls and in the forefront of
3CX, to prevent pivoting our infrastructure in the case of a compromise.
Why the Firewall Checker Does Not Lie
 Port Forwarding
 Port Preservation
 Examples
 Test 1
 Test 2
 SIP ALG Test (since V15.5 SP1)
 See Also
3CX has an inbuilt automated firewall checker which validates the setup of your
firewall in terms of “port forwarding” and also “port preservation”.
Port Forwarding
3CX will check if “Full Cone NAT” is correctly set up on the firewall/gateway
device. Full Cone NAT allows any external entity to connect to 3CX without the
need for the firewall to first confirm that the actual packet originated from 3CX
before allowing the connection. This is very important for VoIP Providers
especially, as the SIP server is not the same server (source IP Address) which will
deliver the end audio to your system. In some cases firewall implementation will
set “not allowed” incoming traffic onto a deny list, which will prevent a
connection to the destination even if 3CX starts sending data (audio) to its
destination.
Port Preservation
Port preservation is another key factor which is checked by the firewall checker. It
detects if the firewall alters the port during the LAN IP to WAN IP translation.
Technically speaking this should not matter, however it depends on the
provider's implementation whether they reply to the transport source port of 3CX
seen in the UDP header rather than what is defined by the RFC. The RFC defines
that a SIP server MUST reply to the defined “contact” IP and Port which is in the
content of the SIP message. In order to eliminate any “maybies” the firewall
checker also validates this mapping. It is required that if a SIP message is
generated locally by 3CX from the source port 5060 (default SIP Port) then
translated to the public IP Address (WAN IP) the port, in this case 5060 remains
unchanged.
To do this the firewall checker will run two independent tests with the first
configured STUN Server in your system. By default this is set to stun.3cx.com. It
is highly recommended that this is not altered. Overall, the firewall checker is a
programmatic way to detect your public IP address, similar to using a website
like “what is my IP”, but is extended to also check the port.
Examples
Below is a failed firewall check reported by the 3CX Management Console and a
corresponding wireshark capture of the flow. In this guide we will elaborate the
steps which are taken by the firewall checker and show you the results. The
wireshark capture is limited to show “port 3378 or port 3379” only, which this
test was based on. Its is important for the firewall checker that the Windows
firewall is disabled. The installation of 3CX creates exceptions for some 3CX
applications, however not for the firewall checker itself!
Test 1
3CX stops the services to free the local port in order to bind it to the firewall
checker. This document will only focus on the first port being tested (5060)
however the procedure is the same for all other ports.
The image above shows the following steps:
1. The local 3CX server with IP address 192.168.3.159, Sends a classic stun
request to stun.3cx.com with IP 198.50.247.220.
2. From local port 5060 UDP.
3. To 3478, which is the default stun server port.
4. Declaring that the STUN server should NOT change its IP or the Port in
order to reply to this request.
Each request has a unique “transaction ID” to reliably ensure that the received
data belongs to the initial request. In rare cases you might see that the server
sends multiple requests however never gets a reply as shown below. This implies
that:
a) The outbound traffic was blocked by the firewall or b) No return was passed
back to the server. In both cases, check your firewall settings!
The Stun server then answers with:
1. A Binding Response to the requests
2. Then defines that the public IP and Port from where the request was sent
from is equal to the port 5060 and the IP address is XX.XX.96.162.
Based on the definition earlier - port preservation is working as the stun server
can see the PBX on the defined port. If you see any other port in the “Mapped-
Address” field the firewall check will fail and port preservation is NOT working
correctly. in this case you will need to contact the firewall manufacturer to
resolve the problem.
Test 2
In test 2 the server will send a request to the same stun server as before.
However,
1. The 3CX Server marks the request to be different than before and
sets “Change IP and Change Port” to (1). This means that the stun
server should send its response back to 3CX however from an IP address
and Port which is now unknown to the firewall expecting a response to the
request.
2. It is clear that the server sent the same request 3 times without getting a
reply from the stun server. This indicates that full cone NAT is not working.
Compared to test 1, where the 3CX server actively sends data to the stun server
and receives a response, test 2 shows that the data returns from a source that
3CX has never talked to (i.e the audio server of a VoIP provider) and was not able
to receive any response. In this case contact the firewall manufacturer to resolve
the problem.
The correct response would be to receive data in the second test whereby
the “Mapped-Address” is exactly the same as in test 1 for IP and Port.
If you are keen to see where the traffic should have come from, check your
firewall logs for the IP addresses of the 3CX stun servers. The answer was
expected to come from the 3CX stun servers but never made it to the NIC of
3CX.
SIP ALG Test (since V15.5 SP1)
In addition to the existing NAT test, 3CX evaluates if the firewall has SIP ALG
enabled. SIP ALG in brief, are functions found in some firewall devices inspecting,
beside the from and to IP/Ports access list, the content of the packages. In this
case SIP. For the administrator of 3CX this can cause numerous issues and due to
the fact that the changes to the SIP messages are made by an intermediate hop,
traces made on 3CX will not show those changes. However they may cause
incompatibility issues with remote IP phones or VoIP providers.
Validation: 3CX will generate a generic INVITE message and send it against an
online service hosted by 3CX. Except the public IP address all other information
is generic rendered.
3CX local generates CRC32 hash value from the send message and expects in
return an answer from the cloud service that the hash will have the same value.
If “X-CSREQ” return value matches the local calculated value, it is expected
that SIP ALG has not tampered with the message or is not present. If the values
do not match, the test shows that a hop between 3CX and the online service has
altered the content = SIP ALG.
On a validation basis, the expected hash value can be calculated given that
wireshark has captured the outbound INVITE to the SIP ALG detection service.
Right click on the Invite sent from 3CX, Copy, Bytes, Hex Stream.
Open:http://www.sunshine2k.de/coding/javascript/crc/crc_js.html
And paste the copied hex stream into the CRC Input Data
The given Result must match the value returned.
Network Capture from Web Interface
 Introduction
 Prerequisites
 Start a Capture
 Retrieve the Capture
 Limitations
Introduction
In the 3CX network, captures can be triggered directly from the Management
Console. This allows for live packet captures that are saved in PCAP format which
can then be attached to a generated SupportInfo file or can be directly
downloaded.
Prerequisites
For Windows-based installs, it remains the administrator's obligation to install
Wireshark on the OS running 3CX.
If Wireshark cannot be detected this message is shown.
For Linux-based setups, tcpdump is automatically installed while installing or
updating 3CX.
Start a Capture
1. Go to your 3CX Web Client > Admin Console and navigate to
"Dashboard" > Click on "Capture".
2. If a capture driver is installed, an interface selector is visible for selecting a

specific interface to record from, or select all system interfaces (IPv6
tunneling adapters are excluded).
💡 Tip: Linux allows you to also capture from the localhost (lo), useful while
debugging SBC and tunnel connections.
3. Click on “Capture” to start a new network traffic recording. Wireshark on
Windows and tcpdump on Linux, remotely start capturing on the server
machine.
4. Reproduce the issue as quickly as possible, since traffic capture consumes
resources and disk space. When done click on “Stop” to end the capture.
⚠ Important: Do not click anywhere except “Stop”, or change the URL in the
browser as the window will be locked until the capture is stopped by the admin.
This is to avoid dual or stale background capture processes running in the OS,
filling up the hosts’s disk space / memory.
Retrieve the Capture
After selecting “Stop”, the capture file is saved on your local disk.
You can choose to:

 download it directly, or
 download a support info file, to include this capture along with the system
general configuration.
Regardless of your choice to get the captured PCAP file, the files are deleted from
the server. The server-side capture files are stored in:
 Windows: “C:\ProgramData\3CX\Instance1\Data\Logs\dump.pcap”
 Linux: “/var/lib/3cxpbx/Instance1/Data/Logs/dump.pcap”
Once you download the captured PCAP file, you can review it using Wireshark on
any PC/MAC.
Limitations
Certain limitations are in place to prevent system overloads or abandoned
captures in the system:
 The built-in capture feature cannot be used to run long-term captures and
still need to be started manually by the admin on the host.
 Capture size is limited to capture a maximum of 2 million packets, after
which it automatically stops from collecting more data.
 Chapter 3: Backup & Restore

 Backing up your 3CX system regularly helps prevent data loss due to hardware failure,
software corruption, or human error. Backup and restore are also important when
upgrading your 3CX system.
 Let’s have a better understanding of what you must store, what the additional options
are, where and how!
Using an FTP Server for 3CX Backups - Windows

 Install FileZilla FTP Server for Windows
 Configure the FileZilla FTP Service
 FileZilla Passive Mode Options
 Add an FTP User account
 See More
This guide presents the supported FTP solutions available for 3CX Backup and
Restore on Windows.
Important Note
The FTP servers tested by 3CX on Windows are FileΖilla and Synology FTP. An FTP
server runs independently of your 3CX PBX and is not required to be installed on
the same machine. The FTP server software mentioned in this guide is FileZilla.
Install FileZilla FTP Server for Windows
1. Use an account with administrative privileges to log on to your Windows
Server and download FileZilla Server.
2. Run the downloaded install package and follow the installation wizard
prompts to install FileZilla Server with the default options.
3. Once the installation completes, click on “Close”.
4. Open the FileZilla Server and connect with the default options to
configure.
Configure the FileZilla FTP Service
If your server is not running behind a NAT device, proceed to add a user.
Otherwise, proceed to configure the FileZilla passive mode options.
FileZilla Passive Mode Options
Use the FileZilla navigation menu to go to “Edit” > “Settings” > “Passive
Mode Settings” and configure passive FTP connection options to suit your
network environment:
1. “Use custom port range” - enable and set the port range to use, e.g.
the port range
10100
to
10199
is recommended.
2. “External Server IP Address” > “Use the following IP” - select and
replace the “X.X.X.X” to match your public IP address.
3. “Don’t use external IP for local connections” - enable to use the local
server IP for LAN connections.
4. Click on “OK” to save the configuration.
Add an FTP User account
1. Use the FileZilla navigation menu to go to “Edit” > “Users”.
2. In the “Users” window, click on the “Add” button and enter the
username in the “Add user account” dialog, e.g.
3cxftpuser
. Click “OK” to save the new user.
3. Enable the “Password” option and enter a password in the password

field.
4. Click on the “Shared Folders” page from the left sidebar menu and:
1. Click on “Add” below the “Shared folders” panel, select a directory for
the new FTP user to store 3CX backups into and click “OK” to set.
2. In the “Files” and “Directories” panels, enable the permissions to
assign to the new user. Select all options for full compatibility with the
3CX Backup and Restore function, or set according to your security policy.
3. Click on “Set as home dir” to set the specified shared folder as the
default folder for the new FTP user when logging in.
4. Click “OK” to save the new FTP user configuration.
5. Proceed to use the configured FTP service and user for the Backup and
Restore function in the 3CX Management Console.
Using an FTP Server for 3CX Backups - Linux
 FTP Server for Linux
 Configure the vsftpd FTP Service
 Add an FTP User to vsftpd
 See More
This guide presents the supported FTP solutions available for 3CX Backup and
Restore on Linux.
Important Note
The FTP servers tested by 3CX on Linux are vsftpd and Pro-FTPd. An FTP server
runs independently of your 3CX PBX and is not required to be installed on the
same machine. The FTP server mentioned in this guide is vsftpd.
FTP Server for Linux
This guide describes the installation of the “vsftpd” (very secure file transfer
protocol daemon) FTP server on Debian 9/ Debian 10, free for anyone to
download and use. To install the “vsftpd” FTP server:
1. Use an account with administrative privileges to log on to your Linux
system via SSH or local terminal.
2. Update the APT repository information with the command:

sudo apt update
3. Install
vsftpd
with the command:
sudo apt install -y vsftpd
4. Enable the
vsftpd
service to start on boot with the command:
sudo systemctl enable vsftpd.service
Configure the vsftpd FTP Service
1. Use the terminal on your Linux server to edit the file

/etc/vsftpd.conf
and configure the FTP service, using this command:
sudo nano /etc/vsftpd.conf
2. These are the minimal configuration options that need to be included in
the configuration file for the
vsftpd
service to run as intended:
listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=NO
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
#Data Connection Timeout control for large file transfer - adjust accordingly.
data_connection_timeout=3600
chroot_local_user=YES
chroot_list_enable=NO
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=ftp
allow_writeable_chroot=YES
#pasv_enable=YES
#pasv_max_port=10100
#pasv_min_port=10090
#pasv_address=X.X.X.X
Lines starting with a hash (#) are commented out configuration options and are
not applied by “vsftpd” during startup. Configure each option based on your
environment and if your FTP server is running behind a NAT device, proceed to
step “3”, otherwise skip to step “4”.
3. If your FTP server is behind a NAT device, you need to enable the use of
passive FTP. To do this, uncomment or add these configuration options at
the end of the configuration file:
pasv_enable=YES
pasv_max_port=10100
pasv_min_port=10090
pasv_address=X.X.X.X
Configure these passive FTP connection options to suit your network
environment:
 “pasv_min_port” and “pasv_max_port” - set a different port range
(min - max).
 “pasv_address” - replace the “X.X.X.X” to match your public IP
address.
4. Press
Ctrl
+
X
, then
Y
and
Enter
to save the file and exit the editor.
5. Restart the
vsftpd
service to apply the configured options with the command:
sudo systemctl restart vsftpd.service
Add an FTP User to vsftpd
1. Using the Linux terminal, create a new FTP user with the command:
sudo useradd -m -s /bin/nologin 3cxftpuser
In this example we create the FTP user “3cxftpuser” with the “-s
/bin/nologin” option to disable shell access for this account, i.e. to be used only
for file transfers.
2. To set a password for the new FTP user, use this command:
sudo passwd 3cxftpuser
3. Proceed to use the configured FTP service and user for the Backup and
Restore function in the 3CX Management Console.
3CX Backup & Restore Commands
 Introduction
 BackupCmd
 General
 Backup Command on Windows
 Backup Command on Linux
 RestoreCmd
 General
 Restore Command on Windows
 Restore Command on Linux
 See Also
Introduction
These commands can be used to create scripts and schedule backup and restore
operations, externally to the built-in 3CX Management Console functionality. This
is useful when hosting on cloud for archiving in bulk PBX users, data and
configuration for safekeeping.
BackupCmd
The BackupCmd command line tool enables backups to be taken with these
options:
Log filename or full file path, e.g.

-l, --log=VALUE
--log=/var/lib/3cxpbx/bak_cmd_run.log
*Filename to backup in default backup location or full zip archive path,

-f, --file=VALUE
--file=/home/pi/backups/backup.zip
-o, --options=VALUE Backup options, specifying to include in the backup:

 ALL - include everything, or
 add following comma-separated options to only include:
 CH - Call History
 LIC - License
 FQDN - Phone System FQDN
 PROMPTS - Voice Prompts
 FW - Phone Firmware
 REC - Recordings
 VM - Voicemails
Encrypt backup files with password (V15.5 Sp2 onwards), e.g.

--pwd=Value
--pwd=MyB4ckup_Pa55
-h, --help Display command help
--noemail Do not send an email on backup completion, successful or not.
Notes:
 Mandatory options are denoted above with *.
 Specifying an existing backup file with the
-f
or
--file
switch, overwrites it without warning.
 Specify an existing log file with the
-l
or
--log
switch to append to.
 Values, filenames and paths with space(s) are not recommended,
otherwise they need to be enclosed in double quotes when used in option
arguments.
 Ensure that specified backup and log file paths are writable on Linux by
the “phonesystem” user, and on Windows by the executing user.
General
Specifying a filename with the “--file” or “--f” switch as a:
 filename, the backup file is stored in the backup location configured in the
Management Console, e.g.
BackupCmd -f=my-pbx_full_bak.zip
 full filename path, overrides the configured location and stores the backup
file in the specified path, e.g.
BackupCmd -f=c:\backup\my-pbx_full_bak.zip
When the “--log” argument is specified, it has to be followed by either:
 a filename to store the log in the current working directory, e.g.
BackupCmd -l=bak_cmd.log -f=my-pbx_full_bak
 a full path to a local filename to override and store in the file specified,
e.g.
BackupCmd -l=c:\backup\bak_cmd.log -f=my-pbx_full_bak
Backup Command on Windows
To use the backup command on Windows, open a command prompt with
administrative privileges, change to this directory using
cd C:\Program Files\3CX Phone System\Bin
and run the command to:
 Display available backup command options:
BackupCmd.exe --help
 Make a full PBX backup and keep a log:
BackupCmd.exe --file=full_pbx_backup.zip --options=ALL --
log=backup_cmd.log
 Make a backup including call history, license and FQDN, keeping a log:
BackupCmd.exe --file=partial_pbx_backup.zip --options=CH,LIC,FQDN --
log=backup_cmd.log
Backup Command on Linux
To use the backup command on Linux, run the command in a terminal as user
phonesystem
using
sudo
to:
 Display available backup command options:
sudo -u phonesystem 3CXBackupCmd --help
command to see all available options.
 Make a full PBX backup and keep a log:
sudo -u phonesystem 3CXBackupCmd --file=full_pbx_backup.zip --
options=ALL --log=/var/tmp/pbx-backup_cmd.log
 Make a backup including call history, license and FQDN, keeping a log:
sudo -u phonesystem 3CXBackupCmd --file=partial_pbx_backup.zip --
options=CH,LIC,FQDN --log=/var/tmp/pbx_backup_cmd.log
RestoreCmd
The RestoreCMD tool enables to restore backups via command line with these
options:
-l, --log=VALUE Log path or filename
-f, --file=VALUE *Backup path or filename to restore
-h, --help Show command help
--pwd=Value Decrypt backup with given password (V15.5 SP2 onwards)
--failover Failover mode - services are not started after restore on a PBX set up as passiv
Notes:
 Mandatory options are denoted above with *.
 Specify an existing log file with the
-l
or
--log
switch to append to.
 Values, filenames and paths with space(s) are not recommended,
otherwise they need to be enclosed in double quotes when used in option
arguments.
 Ensure that specified log file paths are writable on Linux by the
phonesystem
user, and on Windows by the executing user.
General
Specifying a filename with the “--file” or “--f” switch as a:
 filename, retrieves the backup file from the backup location configured in
the Management Console, e.g.
RestoreCmd -f=my-pbx_full_bak.zip -l=c:\backup\restore_cmd.log
 full filename path, overrides the configured location and retrieves the
backup file from the specified path, e.g.
RestoreCmd -f=c:\backup\my-pbx_full_bak.zip -l=c:\backup\
restore_cmd.log
When the “--log” argument is specified, it has to be followed by either:
 a filename to store the log in the current working directory, e.g.
BackupCmd -l=bak_cmd.log -f=my-pbx_full_bak
 a full path to a local filename to override and store in the file specified,
e.g.
BackupCmd -l=c:\backup\bak_cmd.log -f=my-pbx_full_bak
Note that the specified path needs to be writable:
 on Linux for the “phonesystem” user
 on Windows for the user set to execute the task.
Restore Command on Windows
To use the restore command on Windows, open a command prompt with
administrative privileges, change to this directory using
cd C:\Program Files\3CX Phone System\Bin
and run the command to:
 Display available restore command options:
RestoreCmd.exe --help
 Restore a backup and start 3CX services immediately after restore:
RestoreCmd.exe --file=pbx_backup.zip --log=restore_cmd.log
 Restore a backup in failover mode and keep 3CX services stopped on a
PBX set up as passive failover node:
RestoreCmd.exe --file=pbx_backup.zip --log=restore_cmd.log --failover
Restore Command on Linux
To use the restore command on Linux, run the command in a terminal as user
phonesystem
using
sudo
to:
 Display available restore command options:
sudo -u phonesystem 3CXRestoreCmd --help
 Restore a backup and start 3CX services immediately after restore:
sudo -u phonesystem 3CXRestoreCmd --file=pbx_backup.zip --
log=restore_cmd.log
 Restore a backup in failover mode and keep 3CX services stopped on a
PBX set up as passive failover node:
sudo -u phonesystem 3CXRestoreCmd --file=pbx_backup.zip --
log=restore_cmd.log --failover
Configuring Google Cloud Storage for 3CX
 Prerequisites
 Creating a Service Account
 Creating a Storage Bucket
 See Also
Take advantage of the reliable and cost-efficient online storage on Google Cloud
Platform. 3CX enables you to create storage buckets under your Google Cloud
account and use these to store backups and/or archive recordings.
Prerequisites
To configure Google storage buckets, go to “IAM & Admin” > “IAM” in your
Google Cloud dashboard and verify that your account has at minimum these
roles assigned:
1. “Service Account Admin”.

2. “Service Account Key Admin”.
3. “Project IAM Admin”.
4. “Storage Admin”.
Creating a Service Account
To create a Google Cloud Platform storage bucket you need to first create a
service account under your project:
1. Go to Google Cloud Console and log in with your credentials to view your
dashboard.
2. Select your project from the top navigation bar, or create a new one and
select it.
3. Go to “IAM & Admin” > “Service accounts”.
4. Click on “Create Service Account” and fill in the info for the new service
account in your selected project. Click on “Create”.
5. On the “Grant this service account access to project” page, select
the “Storage Admin” role,click on “Continue” and then “Done”.
📄 Note: Refer to the Google Cloud roles documentation for more info on roles
and their respective permissions.
6. Go back to the service account page and "Keys" section and press the
"Add Key" > "Create new key". In the “Key type” select “JSON” and click
on “Create”.
Creating a Storage Bucket
If you have an active subscription with configured payment options, proceed to
create a new storage bucket under your Google cloud project :
1. From the main navigation menu, select “Storage” > “Browser” and
click on “Create Bucket” to create a new storage bucket.
2. On the "Create a bucket" page, configure:
1. Name - enter a globally unique permanent name.
2. Where to store data - select storage location type according to your
requirements.
3. Storage class - select the appropriate storage class for your use.
4. Access control - set how to control access to the objects in the storage
bucket.
5. Advanced settings - optionally set encryption and retention policy
preferences for the storage bucket.
3. Click on “Create” to set up the new storage bucket.
4. After creating your storage bucket, you can click on “Create folder” to
add new folders for keeping backups and archived recordings in,
e.g. “3cx_backups”.
Proceed to use your saved JSON key and set the configured Google Cloud storage
bucket as a location to store 3CX backups and archive recordings.
⚠ Important:
 Stored backup files or archived recordings in the “Hold” state or
stored/archived due to effective retention policy, cannot be deleted or
overwritten by the PBX.
Chapter 4: Bridges
 Do you want to connect two (2) 3CX systems? Worry not! Let’s say you have two offices
in two different cities or even countries. How would you connect them to move back and
forth? With a bridge, of course!
 This chapter will explain how Bridges work and how to configure them. We’ll also have a
look at different scenarios for better understanding.
 Learning material:
Connecting 3CX Phone Systems (Bridges)

 Introduction
 Creating a Bridge
 Step 1: Create a Bridge on the Master Phone System
 Step 2: Create a Bridge on the Slave Phone System
 Step 3: Configure Presence Across the Bridges
 See Also
Introduction
You can connect two remote 3CX Systems together, enabling calls between
branch offices for free just by utilizing your existing internet connection.
Assign a prefix to the “Bridge”, which you will dial to access the other 3CX
Phone System. This prefix must be followed by the extension number you
wish to reach on the other 3CX Phone System.
Alternatively, you can assign the extensions in Office 1 to start with one
number (e.g. 100, 101, 102 where all extensions start with 1), and the
extensions in Office 2 to start with a different number (e.g. 200, 201, 202 where
all extensions start with 2). This way, users from one office can directly dial
the extension number without using a prefix making calling between offices or
branches seamless. In this case, when the outbound rule is created, you must
ensure that the prefix corresponds to the numbering plan selected and that no
digits are stripped.
New: Both systems must have a fully qualified secure domain name. You
cannot use an IP to refer to the master or slave!
Creating a Bridge
A bridge must be either a “Master” or a “Slave”. First, you create a Master
bridge on the 3CX master system, and then a Slave bridge on the 3CX slave
system.
Step 1: Create a Bridge on the Master Phone System

1. In the 3CX Admin Console on the Master phone system, go to the “Voice
& Chat” function and click “+Add Bridge” > “Master bridge”.
2. Enter a name for the new Master bridge and take note of the virtual
extension number. (You will need this number when you create
the “Slave” bridge connection so ensure that the virtual extension
number generated is not in use on the other 3CX System which will host
the “Slave” bridge endpoint.)
3. Specify an “Outbound rule prefix” to be used for this bridge. If for
example, you specify “3”, then you must dial “3100” to reach
extension “100” on the other 3CX Phone System. This prefix is added to
the caller number in case the call is not answered, so the called party
can easily redial missed calls. (An outbound rule is also required as
described in step 8 below)
4. Specify the maximum number of simultaneous calls you want to allow
through this bridge.
5. Specify the Authentication password to be used for “Authentication” by
the Slave bridge or make a note of the default generated password.
6. The “Remote PBX uses Tunnel” option allows all SIP and RTP traffic to
be sent via a single TCP port via the 3CX Tunnel. If enabled, specify the
FQDN of the Slave 3CX Phone System, for
example “office2.3cx.com” and the remote 3CX Tunnel port. By default
this port is 5090.
7. Click “OK” to create the Master bridge.
8. Go to the “Outbound Rules” function and click “+Add” to create a new
rule. Enter the rule name and then in “Calls to numbers starting with
prefix”, specify the same prefix as the “Outbound rule prefix” in point 3
above. In the “Make outbound calls on” section, select the Master bridge
you created above in the specified backup route dropdown, select “1” in
the “Strip Digits” field (to remove the specified prefix from the dialed
number) and press “OK”.
📄 Note: Make sure that the specified Master 3CX system settings in “Settings >
Security > Allowed Country Codes” are not in conflict with the remote
extension number. For example, dialing the remote office
extension “3001” (prefix + remote extension) fails due to the 3CX Country
Blocking Feature, since calls to the United States (1) are not allowed.
Step 2: Create a Bridge on the Slave Phone System
1. In the 3CX Admin Console of the Slave 3CX Phone System, go to
the “Voice & Chat” function and click “+Add Bridge” > “Slave bridge”.
2. Enter a name for the new Slave bridge and assign the same virtual
extension number as the one configured on the Master 3CX Phone
System bridge.
3. Specify the “Outbound rule prefix” used for the slave bridge to be the
same as the one specified for the Master bridge.
4. Specify the “Authentication Password” configured on the Master 3CX
Phone System.
5. In the “Remote PBX” section enter the FQDN of the Master 3CX Phone
System and the remote port (default 5060).
6. If the remote Master PBX uses a tunnel connection, enable the “Remote
PBX uses SBC/Tunnel Connection” option and verify the port (default
5090).
7. Click “OK” to create the Slave bridge.
8. Go to the “Outbound Rules” function and click on “+Add” to create a
new rule. Enter the rule name and then in “Calls to numbers starting
with prefix”, specify the same prefix as the “Outbound rule prefix” in
point 3 above. In the “Make outbound calls on” section, select the Slave
bridge you created above in the specified backup route dropdown,
select “1” in the “Strip Digits” field (to remove the specified prefix from
the dialed number) and press “OK”.
📄 Note: Make sure that the specified Slave 3CX system settings
in “Settings” > “Security” > “Allowed Country Codes” are not in conflict with
the remote extension number. For example, dialing the remote office
extension “3001” (prefix + remote extension) fails due to the 3CX Country
Blocking Feature, since calls to the United States (1) are not allowed.
Step 3: Configure Presence Across the Bridges
This feature will be available in V20 Update 2
To configure sending and receiving the local extension / user Presence to a
remote 3CX system via a specified bridge, go to the “Voice & Chat” function in
the 3CX Admin Console and edit the bridge:
1. On the “Advanced” tab enable “Publish Information” to broadcast

presence to the remote 3CX system.
2. You can enable the “Receive Information” option so that local 3CX users
can see the Presence of remote office users.
3. Now configure the FQDN of the remote 3CX system. (If a tunneled
connection is configured, this will be automatically populated). If the
webserver of the other 3CX Phone System is running on a non default
HTTP/HTTPS port, for example 5001, then you need to specify the port
after the FQDN, i.e. “office2.3cx.com:5001”.
Installing a 3CX SBC (Session Border Controller)
 What is the 3CX SBC?
 Step 1: Download the 3CX SBC
 Step 2: Add the SBC in 3CX
 Step 3: Install the SBC
 Step 4: Provision your IP Phones
 See Also
What is the 3CX SBC?
If you have a larger network with more than 10 phones, then it's better to
install a dedicated 3CX SBC service.
The 3CX Session Border Controller (SBC) is a software service that installs in
your local network to allow easy connection of IP Phones to a 3CX instance in
the cloud or a remote on premise 3CX. The 3CX SBC combines all SIP
(signaling) and RTP (media) VoIP Packets from one location and delivers
them to 3CX, thereby overcoming common firewall and networking issues that
affect reliability.
You will need to assign the device/machine running the 3CX SBC a Static
IP. This machine must be running all the time!
When is an SBC overkill?
If your network has less than 10 phones, we recommend using an IP phone
that is SBC capable, referred to as a router phone. The following phones can
be used as router phones:
 Fanvil V62, V64, V65
 Fanvil X4U-V2, X5U-V2, X6U-V2, X7-V2, X7C-V2, X210-V2 and X210i-V2
 Snom D862, D865
 Yealink T53, T53C, T53W, T54W, T57W and T41U, T42U, T43U, T46U,
T48U.
If you have a single remote phone that you wish to connect to your 3CX in the
cloud, consider using the 3CX iOS and Android Apps instead. 3CX Apps are
the modern way to connect to a phone system. The user can use it anywhere
in his home, or indeed even outside, and it will save configuration and
maintenance.
Step 1: Download the 3CX SBC
Install the 3CX SBC on any of the following OS / Devices:
 Raspberry PI 5 - follow this guide
 Windows 10 / Server 2016 and up - download 3CX SBC for Windows
 Debian Linux using the 3CX ISO, download the 3CX SBC Debian ISO
Step 2: Add the SBC in 3CX
1. Login to your 3CX Web Client, Admin Console
2. Go to “Admin”, “Voice & chat” and press “+ Add SBC”
3. Select the type of machine you are going to use
4. Your SBC will be created and you will see a pop up with the instructions
on how to install it, a provisioning URL and Auth ID.
Step 3: Install the SBC
1. Set a Static LAN IP on the machine you are going to install it on.
2. Start the installer. If Raspberry Pi 5, follow this guide
3. Click “Next”, accept the “License Agreement” terms and click “Next”.
4. Select the 3CX SBC install location and click “Next”.
5. Enter the “Provisioning URL” that you were given when you created the
SBC. Click “OK”.
6. Enter the “Authentication Key ID” and click “OK”.
7. The SBC will now be listed when a user creates a normal phone that
requires a router phone or an SBC to connect to 3CX.
Step 4: Provision your IP Phones
Once your SBC is installed, you can provision your IP Phones. See this
guide how.
Chapter 5: Basic Troubleshooting
As a 3CXpert you need to be able to troubleshoot any issue arising within the
PBX in no time. 3CX has a variety of tools and resources to help you through
this process such as the event log, audit log, Wireshark and more.
Collecting Logs for 3CX Support

When troubleshooting an issue, the 3CX Support Team may ask you to
generate the support files. These files contain information about the
environment 3CX Phone System is operating in, and other information which
would help 3CX Support troubleshoot further.
The following procedure explains how to generate the support files the 3CX
Support Team requires to troubleshoot issues.
1. Go to your 3CX Admin Console and navigate to “Dashboard” > “Activity
Log” > “Settings”. Ensure that the “Logging Level” is configured to
Verbose and that the “Keep backup of log files” option is enabled.
2. In the 3CX Admin Console, go to “Dashboard” > “Services” and restart
the “3CX PhoneSystem 01 Configuration Server” service. This triggers
the 3CX services to restart. Wait for 5 minutes to ensure that all services
have been restarted and that the processes initialize correctly.
⚠ Important:
 Restarting the services will clear out any existing logs!
 During this time, any active calls will be dropped.
3. 3CX Support may also ask you to reproduce the problem while
capturing network traffic using the built-in Packet Capture utility. This
should be done before generating the support files so that the network
capture can be correlated with the 3CX Phone System log files.
Check this article for more information on how to capture network
traffic.
4. Reproduce the issue, noting were applicable this information:
 Called number.
 Calling number.
 Extension numbers.
 Any other entities, internal or external involved in replicating the issue.
 The exact time the issue was replicated, based on the time on the server
running the 3CX Phone System.
 The route taken by the call.
 Any other information you think could be relevant.
5. Log in to your 3CX Web Client > Admin Console > Dashboard > Click on
"Support Info". The ZIP File "Support Info" will be downloaded.Log in to
the 3CX Management Console and from the top menu bar
select “Support” > “Generate Support Info”.
6. Update the support ticket with any relevant information collected while
reproducing the issue.
7. Attach to the ticket the support ZIP file that you have downloaded and
any other relevant files, such as the network capture file.
8. Finally, make sure you disable the “Keep backup of log files” option and
set the “Logging Level” back to its original setting.
Analyse SIP Communications with 3CX Log Viewer

 Introduction
 Installation
 3CX Bin Log Viewer Overview
 Filtering Options
 Log Window
 Tags Window
 Detail Window
 Other Features
 Information on the 3CX Server Logs
 Useful Tags
Introduction
The 3CX Bin Log Viewer is used to read and filter the logs generated by
the 3CX Phone System, which allows users to build advanced filters and easily
sieve through logs.
Installation
The 3CX Bin Log Viewer can be downloaded and installed directly from the
3CX Admin Console.
You can download the Bin Log Viewer directly from here: 3CX Bin Log Viewer
V15
3CX Bin Log Viewer Overview
The first time you load the 3CX Log Viewer, click on File > Open and navigate
to the location where 3CX logs are stored. The Bin Log Viewer shall not be
used directly on the 3CX host to avoid performance implications with the live
system. Generate a support bundle from the 3CX Management Console and
download it to your PC where the Bin Log Viewer is running. Extract the ZIP
file and within the /Logs folder you will find a file
named “3CXPhoneSystem.bldef”.
The 3CX Bin Log Viewer consists of four main sections which are illustrated
below.
Filtering Options
The Filtering Options section allows you to select which logs are displayed in
the Log Window.
Filter by Date: Select to filter the logging by date / time range. 3CX Phone
System timestamps the logs using the time of the local machine.
Filter by Tags: Most log lines have been assigned a tag. For example, all the
logs for a particular call are tagged with their Call ID (e.g. CallID 10). There are
many tags which you can use. We’ll look at some important tags at the end of
this guide.
When you want to filter by a particular tag, you double click on the tag and the
Tag formula window and the formula text will be updated with your selection.
Click the “Apply” button to filter using the selected tags.
You’ll come across situations where you want to use operators in your filter.
For example, if you select SiPMsg.method(INVITE), and need only the Invites
for extension 100, you can click the “AND” button and then
select “DN(100)” from the tag list.
You can also build nested Queries. For example, you might want to filter for
the INVITE requests for calls with ID 12 and 13. This is shown in the
screenshot below:
The Formula text gets updated as you add and remove tags. Copy and save
formulas that you use often. This will save you time trying to find the tag
needed.
Important Note – The tags shown are the ones which are found in the binary
log. So if, for example, you are trying to filter the log for extension 116, and
you are not finding DN 116, it means that the log does not contain any entries
from extension 116.
Highlight Matching Logs: When this checkbox is checked, all the log entries
are displayed, and the logging that matches the filtering criteria will be
highlighted in red. Press “Apply” to refresh the logging using your selected
filtering criteria.
Log Window
The log window is where the log entries are shown. You can right click on an
entry and “Select All” the log entries or “Copy” the selected logs to the
clipboard. You can select multiple entries by holding down the Shift or Control
key. The above screenshot shows log entries for Extension 100 being
highlighted.
Tags Window
The tags window will show all the tags that have been assigned to the selected
log entry. You can double-click on any of the tags in order to filter using that
tag. If using Operators, you first need to select the operator before double
clicking on the tag in the tags window. The tags window is very useful when
you want to learn about new tags. For example, in the selected log entry the
CallId tag is 1 and the DestAddr.Host is an IP address.
Detail Window
When you select a log line, the detail window will show it.
Some log entries consist of multiple lines which are not shown in the main log
window. These are shown in the detail window. An example is the SIP
messages that are shown in the screenshot below.
Other Features
Records / Page: The 3CX Log Viewer uses paging – it doesn’t show the binary
log in one go, otherwise it might use too many resources and too much time
for a large binary log file. It will log an X amount of records per page. By
default, it loads 10,000 lines per page. This number is configurable from the
Preferences section.
Use the arrow buttons at the top to move from one page to the next or to go to
the beginning or the end of the log file.
Searching the Logs: You can also search the log by inserting the search term
in the Find: entry field and pressing “Enter”. This will search from the current
position to the end. Alternatively, use the down button to search downwards
and hit the up button to search upwards. The search will always be performed
starting from the current position. Note that searches are done across all the
pages until the search reaches the beginning or the end of the log file.
Opening Logs: When you open the 3CX Log Viewer, it will automatically load
the logs from the last location. You can open another set of 3CX logs from
“File → Open”. You can also view a set of logs that you recently opened from
“File → Recent Logs”.
Preferences: From “View → Preferences”, you can configure how many
records are shown per page. You can also select the Severity mask and Log
Level that will be used when showing the logs. The screenshot below shows
the default values, which should be valid in most troubleshooting situations.
These settings are retained when you close the 3CX Log Viewer.
Associate Log Files: From “Settings → Associate log files”, you can associate
blrec and bldef files with the 3CX Log Viewer.
Export to Text: From “Tools → Export to text”, you can export the filtered log
entries to a text file. All log entries from all pages will be exported. Remove
any filters if you want all the log entries to be exported. You might need to
adjust your default filtering preferences from “View → Preferences”.
Command Line: The 3CX Log Viewer can also be executed from the command
line, in which case it will accept the following parameters:
3cxBinLogViewer.exe < Input Path to log files> <Export Path to text file>
If you run 3cxBinLogViewer.exe <Input Path to log files>, 3CX Log Viewer will
load the log files found in the path specified. For example
– 3cxBinLogViewer.exe c:\3cxlogs.
If you run 3cxBinLogViewer.exe <Input Path to log files> <Path to export text
file>, 3CX Log Viewer will export the binary logs in the Input Path to the text
file specified in the Export Path. For example – 3cxBinLogViewer.exe c:\
3cxlogs c:\3cxlogs\txtlog.txt.
Information on the 3CX Server Logs
The 3CX Server Logs are made up of one bldef file and one or more blrec files.
The bldef file is the file that contains information about the tags, and other
index data. The blrec files are the files that hold the logs. Both files are
required in order to read 3CX Logs. Note that one bldef file can be used to read
multiple blrec files.
The 3CX logs rotate when they reach 50MB. If the Keep Backup option (in “3CX
Management Console (Dashboard) → Activity Log → Settings”) is disabled,
two blrec log files are kept – the current one and the previous one. If the Keep
Backup setting is enabled, the older files will be moved to the backup folder.
There is an option to keep backup of log files for X number of days. This
affects how many 3CX Logs are kept in the backup.
Note that the 3CX Server Logs are the logs which are written by the 3CX Phone
System SIP Server service. Other processes, such as the 3CX Phone System
Media Server service, write logs in .log format, and can be viewed with a text
editor.
Useful Tags
This list will help you understand and start using log tags (not all tags are
listed):
 CallId: Each call is assigned a Call ID by the PBX. The CallId tag allows
you to filter by the logging that matches the selected CallId.
 Cause.Code: The Cause.Code shows all the SIP cause codes found in
the log. Therefore, if for example you are troubleshooting a situation
whereby a call is returning a busy tone, you can filter for Cause.Code =
486
 Contact.Host: The Contact.Host allows you to filter for a specific IP
address as listed in the SIP header.
 DestAddr.Host and SrcAddr.Host: Useful when filtering on the
destination/source address. Note that this is the network address, not
the one specified in the SIP header.
 DN: This is the extension number of the phone or device (virtual
extension number). Use this tag to filter the logging from a particular
extension or port on a device.
 InboundDID: This might come in useful when you want to filter the
logging for a specific DID number.
 SipMsg.Method: This is useful to filter the logging and show a specific
SIP message. For example, you might want to show only the REGISTER
SIP methods in the log file. This is useful to get you started – maybe you
want to find when a registration took place so you can then filter the
logging by date. Remember to check the other SipMsg.X tags
Chapter 6: Security & Anti-fraud
Security is a very important issue for any business of any size. 3CX has in-
built security features including Anti-hacking, TLS certificates, SIP
Authentication, and IP Blacklist.
But do you know what the most common VoIP attacks, hacks or exploits are?
Join us on the 3CX live technical webinar to discuss the possible threats along
with how to implement security measures on your system to best protect your
network.
Three Steps to Ensure IP-PBX Security
Posted on April 24th, 2015 by Ruth Elizabeth Abbott, Operations Director, 3CX
All it takes a glance at the week’s headlines to see that cyberattacks are growing
in both frequency and complexity. Internet hackers can strike anyone, even your
business’s IP-PBX phone system. If you’ve recently implemented an IP-based
phone system, ensure you can continue to reap the benefits while avoiding
potential vulnerabilities.
Ensure that your Internet-telephony system is as secure as possible by taking
these three crucial steps:
Implement security software
Ensure you have strong antivirus, antimalware and a firewall in place, and check
that it is regularly updated. An intrusion detection system monitors your IP-PBX
for suspicious activity that could signal an impending attack, while a firewall
reduces access to non-trusted networks by IP-PBX phones. In addition, make sure
your system software is frequently backed up to a secure location to combat
security breaches and hacking.
Set strong passwords
Most IP-PBX servers are configured through a web interface that uses a password
to gain access. As such, a weak password can leave a potential security gap
which hackers can easily exploit. To that end, ensure that strong passwords are
set and frequently changed on IP phones that access the same system. Also be
sure to discard the default password your IP-PBX system came with. Instead, set
a strong password that contains a combination of lower and upper case letters,
numbers, symbols, and avoids spelling out recognizable words and dates.
Monitor system usage
Network attacks will often emerge in the form of unusual or increased network
activity. Monitor network usage through aggregating pertinent information about
network users, applications, and peak usage times. Use visual tools such as
graphs to help pinpoint unusual activity. In doing so, you’ll be able to more easily
detect whether the traffic is a true security threat.
3CX Phone System Anti Hacking – Whitelist/Blacklist

 Introduction
 Adding a Whitelist Entry to 3CX Phone System
 Blocking an IP Address or a Range of IP Addresses
 See Also
Introduction
3CX allows you to whitelist and blacklist IP addresses. All traffic from whitelisted
IP addresses will be granted without being checked by the anti-hacking features.
All traffic from blacklisted IP addresses will be stopped immediately. This guide
explains how to configure new whitelist and blacklist entries in 3CX.
Adding a Whitelist Entry to 3CX Phone System
Let’s assume that you have a remote office connected to your 3CX Phone
System. Your remote office has a public IP address of 123.123.123.123. Traffic
from this IP address is trusted. To add a whitelist for this IP address, you’ll need
to do the following:
1. Go to “Advanced” > “IP Blacklist” in the 3CX Admin Console.
2. Click “Add” to add an entry.
3. From the dropdown menu select “Add single IP Address” and enter the
IP address that you want to allow, e.g. 123.123.123.123 (you can also
select to add a range of IP addresses using a subnet mask).
4. Set Action to “Allow”.
5. Add a description for the IP address, e.g. “Remote office”.
6. Click on “OK” to create an Allow entry in the IP Blacklist for the
whitelisted IP address. All traffic originating from this IP address will be
unchecked and the anti-hacking algorithms will not come into effect.
Blocking an IP Address or a Range of IP Addresses
Let us look at another scenario. Assume that there is a distributed attack coming
from the following IP addresses – 41.202.160.2 and 41.202.191.5. These two IP
addresses have already been blacklisted by 3CX Phone System’s anti-hacking
auto-detection mechanisms. You would, however, want to blacklist all the range,
since you are sure that you will never get any traffic from these IP addresses. In
this case, we will blacklist the whole range from 41.202.0.0 to 41.202.255.255
i.e. all the IP addresses that start with 41.202.
1. Go to “Advanced” > “IP Blacklist” in the 3CX Admin Console.
2. Click “Add” to add a new entry.
3. From the drop down menu select “Add a range of IP Addresses“.
4. Enter the “Network address” which is the first address of the network
range you want to block. For this example we will enter 41.202.0.0.
5. To block all IP addresses starting with 41.202, we
select “/16” as “Subnet Mask”, i.e. 255.255.0.0.
💡 Tip: The range of IP addresses contained by the network mask is displayed
below in “IP address range”.
6. Set Action to “Deny“.
7. Enter a Description for this entry to help you remember why you added
this entry, for example “Distributed attack coming from 41.202.x.x”.
8. Click on “OK” to create a Deny entry in the IP Blacklist. All traffic coming
from this IP address range will be checked, anti hacking algorithms will
come into effect and completely drop and ignore all packets from these
IPs.
The 3CX anti-hacking Blacklist / Whitelist mechanism does not replace a firewall.
It provides a defense mechanism to help separate traffic that is trusted, and
traffic that is not trusted. If for example you want to block all traffic to your
network and allow only your VoIP Provider IP address, you need to set this up on
your firewall.
When configuring a range of IP addresses in the blacklist, you should also ensure
that the range does not include the IP address of the PBX.
How to Check for and Block “Anonymous” Callers

If you want to block calls from “anonymous” callers, you can leverage
the “CallerID Blacklist” feature. From the 3CX Admin Console:
1. Go to “Advanced” > “CID Blacklist” and click on “Add”.
3. In the “Blacklist” dialog:

 Set the “Incoming caller ID to be blocked” field to the
value “Anonymous” or “anonymous”. In this case, we will set the field
to “*nonymous” to match both values (The * will act as a wildcard).
 Set the “Description” field for informational purposes.
4. Click “OK” to save.
At this stage, you can check an inbound call and you should see that the
anonymous call is rejected correctly. Consider this example
This is a typical INVITE from a caller whose CallerID is hidden:
v: SIP/2.0/UDP 169.11.192.162:5080;branch=z9hG4bK-
8b2f242058b3802ce60c00f1db2b8201
f: "Anonymous" <sip:[email protected]>;tag=3727603634-668969
t: <sip:[email protected]>
i: [email protected]
CSeq: 1 INVITE
Max-Forwards: 13
m:
<sip:[email protected]:5080;transport=ud
p>
Proxy-Require: privacy
c: application/sdp
l: 268
Sometimes your telecom provider will deliver the call with “unknown” or some
other text instead of “anonymous”. Simply examine the incoming INVITE
particularly the “From” field and you can then add or adjust your blacklist rule
accordingly.
3CX Security - Reset Credentials/Passwords

Actions to take to increase the security of your PBX
 Introduction
 Action 1: Change the Root/Admin Account Credentials
 Action 2: Set up a System Owner
 Action 3: Limit Access to the 3CX Admin Console and Web Client by IP
 Action 4: Reset User Credentials via Web Client
 Reset Credentials for all Users
 Allow Users to Change their own Credentials
 Action 5: Use SSO - Google or Microsoft 365
 See Also
Introduction
This article takes you through some recommended actions which will increase
the security of your PBX to avoid attacks and potential data breaches.
Action 1: Change the Root/Admin Account Credentials
3CX installs have normal “users” that have extensions and they have a root
account to administer the PBX. The root account is often used by resellers to set
up the system and manage it. If you have changed partners or are unsure of
when the password was last changed we recommend you change it.
To change the root password:
1. Login to your Admin Console as admin/root.
2. Navigate to “Users” and select the System Owner user.
3. Click on the “Reset Password” option below the user profile image
(shown above).
4. An email will be sent to the email specified in the user configuration. Click
on “Set your password”.
5. Type your new Root Password both in New Password and Confirm
Password fields and click “OK”. Passwords should be at least 10
characters long with no spaces. Must contain minimum 1 lowercase and 1
uppercase letter, a digit and a special character. Supported special
characters are: !#$%&()*+,-./:;<=>?@{}
6. This will log you out from the 3CX Admin Console. Login again with your
new credentials.
Forgot your root credentials?
If you forgot your root credentials, you can have them sent to the PBX admin
email:
1. Navigate to the login screen of your 3CX.
2. Click on the “Forgot password?”
3. Enter your Email address
4. Your current credentials will be sent to the configured email address given
the email exists.
Action 2: Set up a System Owner
The role of System Owner which can be assigned to any user/extension. New
installations already configure the first ever user of the system as a system
owner. If you are an existing user and you have upgraded, you will receive a
warning in the Admin Console to assign an extension/user as a System Owner.
1. To assign the ‘System Owner’ role, log in to the 3CX Admin Console and
navigate to “Users”.
2. Edit the user you want to elevate to a System Owner, click on
the “General” tab.
3. Select the “System Owner” role in the “Role” dropdown.
4. Once a user is assigned the “System Owner” role, the user can log in to
both the Web Client and the Admin Console using their existing
credentials. If the user does not have their credentials, press the “Reset
password” button in “Users” > “General”
Action 3: Limit Access to the 3CX Admin Console and Web Client by IP
A really good way to secure your PBX is to lock down the administration of your
PBX to a specific list of IPS, for example, the IP of your office and maybe the IP of
the home of the network administrator. To do this:
1. Log into the 3CX Admin Console.
2. From the left panel, navigate to “Advanced” > “Console Restrictions”
3. Select the option to “Allow Access from specific IP Addresses only”.
4. Click the “+Add” button to add an IP.
5. Important: Before you click OK, make sure that you see the blue info
message (left) indicating that your current IP is allowed
6. If you see this red warning (right), it means you haven’t added your
current remote office IP Address in the allow list. Clicking OK while seeing
this message will lock you out of the Admin Console / Web Client.
7. Make sure you have a static IP! If you have a dynamic IP and it
changes you will be locked out of your Admin Console / Web Client.
Action 4: Reset User Credentials via Web Client
Reset Credentials for all Users
You can mass reset the credentials of any / all users of your PBX using the
following steps:
1. Login to the 3CX Admin Console using Root or System Owner Credentials
and navigate to ‘Users’.
2. Select all the users that you wish to reset their credentials and click
on “Reset”.
3. Reset procedure will start for the selected users.
Keep in mind
Note that if you select to reset the following options you will need to reprovision
any IP phones or apps registered on those extensions.
 SIP ID and Authentication Passwords
 Voicemail PIN
 IP Phone Web Password
 Regenerate provisioning file & QR Code for 3CX Apps
Allow Users to Change their own Credentials
There is also the option of allowing users reset their own credentials from their
Web Clients. To do so:
1. Login to the Admin Console using Root Credentials or as a System Owner.
2. Navigate to “Settings > Options” and make sure to enable the
option “Allow change password for 3CX Apps”.
3. By enabling this, you expose the option in the Web Client for each user to
reset their own credentials.
4. Now inform your users to log into their Web Client and navigate
to “Settings > General” and click on “Change Password”.
5. Type your current password in the Old Password field and type your new
password both in the New Password and Confirm New Password fields.
Click on “Save”. Passwords should be at least 10 characters long with no
spaces. Must contain minimum 1 lowercase and 1 uppercase letter, a digit
and a special character. Supported special characters are: !#$
%&()*+,-./:;<=>?@{}
6. The password is updated and users will need to login to their web client
using their new password.
Action 5: Use SSO - Google or Microsoft 365
A great way to secure your PBX is to enable SSO so that users can use their
Google or Microsoft 365 account to authenticate with the PBX. This allows users
to not only re-use the same password but it also means you can switch on 2
factor authentication if you have it configured.
Please follow these guides to read more on how to set up SSO with 3CX.
 Configuring SSO for Google
 Configuring SSO for Microsoft 365

3CX Notes

Uploaded by

Document Informationclick to expand document information

Document Informationclick to expand document information

Copyright:

Available Formats

3CX Notes

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

3CX Notes

Uploaded by

Copyright:

Available Formats

With the 3CX on-premise and self-hosting solutions, you have complete control

Installing 3CX using 3CX Debian ISO

Step 6: Configure Split DNS

Installing 3CX on Windows

Small Medium Large Enterprise En

3CX PBX Linux Debian-based Windows-based

CPU Family Intel i3 (Gen.8) or equivalent

Storage 30 GB SSD based storage

3CX PBX Linux Debian-based Windows-based

CPU Family Intel i5 (Gen.8) or equivalent

Storage 100 GB SSD based storage

3CX PBX Linux Debian-based Windows-based

CPU Family Intel i7 (Gen.8) or equivalent

Storage 300 GB SSD based storage

3CX PBX Linux Debian-based Windows-based

Storage 500 GB SSD based storage

3CX PBX Linux Debian-based Windows-based

CPU Family Intel Xeon E7 v4 or equivalent

Memory 32+ 34+

Storage 500+ GB SSD based storage

Devices Up to 50 (10 BLFs per device) Up to 100 (10 BLFs per d

Platform Linux Debian-based Windows-based Linux Debian-based W

Storage 30 GB available storage space

Small (up to 10 ext) e2-highcpu-2 B2s a1.large t2

Large (up to 250

Installing 3CX Phone System on a Hyper-V VM

6. In the “Virtual Machines” section, right-click on the 3CX VM to configure

1. Enter the command “w32tm /query /source”

2. If a capture driver is installed, an interface selector is visible for selecting a

You can choose to:

 Chapter 3: Backup & Restore

Using an FTP Server for 3CX Backups - Windows

3. Enable the “Password” option and enter a password in the password

2. Update the APT repository information with the command:

1. Use the terminal on your Linux server to edit the file

Log filename or full file path, e.g.

*Filename to backup in default backup location or full zip archive path,

-o, --options=VALUE Backup options, specifying to include in the backup:

Encrypt backup files with password (V15.5 Sp2 onwards), e.g.

-h, --help Display command help

--noemail Do not send an email on backup completion, successful or not.

-l, --log=VALUE Log path or filename

-f, --file=VALUE *Backup path or filename to restore

-h, --help Show command help

--pwd=Value Decrypt backup with given password (V15.5 SP2 onwards)

1. “Service Account Admin”.

Connecting 3CX Phone Systems (Bridges)

Step 1: Create a Bridge on the Master Phone System

1. On the “Advanced” tab enable “Publish Information” to broadcast

Chapter 5: Basic Troubleshooting

Collecting Logs for 3CX Support

Analyse SIP Communications with 3CX Log Viewer

Chapter 6: Security & Anti-fraud

Three Steps to Ensure IP-PBX Security

3CX Phone System Anti Hacking – Whitelist/Blacklist

How to Check for and Block “Anonymous” Callers

3. In the “Blacklist” dialog: