Firewall & Router Configuration

Introduction

To use remote extensions or a VoIP Provider, you need to change your firewall configuration so that 3CX can communicate successfully with your SIP trunks and remote IP phones. This guide gives a generic overview of the ports that need to be opened/statically forwarded on your firewall. See also the detailed step-by-step guides for popular firewalls. You can learn more in Routers, NAT, VoIP and Firewalls.

Configure the Ports for your SIP Trunk / VoIP Provider

Open these ports to allow 3CX to communicate with the VoIP Provider/SIP Trunk and WebRTC:

  • Port 5060 (inbound, UDP) for SIP communications.
  • Port 9000-10999 (inbound, UDP) for RTP (Audio) communications, i.e. the actual call. Each call requires 2 RTP ports, one to control the call and one for the call data, so the number of ports you need to open is double the number of simultaneous calls.

💡 Tip: The above default 3CX Phone System port ranges can be set during installation and verified via the 3CX Management Console in “Settings” > “Network” > “Ports”.

Configure the Ports for Remote 3CX Apps

To allow users to use their 3CX apps remotely, on Android, iOS, Mac or Windows, you need to ensure that these ports are open:

  • Port 5090 (inbound, UDP and TCP) for the 3CX tunnel.
  • Port 443 or 5001 (inbound, TCP) HTTPS for Presence and Provisioning, or the custom HTTPS port you specified.
  • Port 443 (outbound, TCP) for Google Android Push.
  • Port 2195, 2196 (outbound, TCP) for Apple iOS Push.

PUSH messages are sent by 3CX Phone System to Extensions using smartphones to wake up the devices for calls. This greatly enhances the usability of the smartphone apps.

Port Configuration for Remote IP Phones / Bridges via Direct SIP

For remote IP Phones and bridges you have the choice of using the 3CX SBC (Tunnel) or Direct SIP. The 3CX SBC service bundles all VoIP traffic over a single port to vastly simplify firewall configuration and improve reliability. No additional configuration is required because the 3CX SBC uses the same ports as the 3CX apps. More information on SBC can be found here.

To connect remote extensions via direct SIP, you must open the following ports:

  • Port 5060 (inbound, UDP and TCP), Port 5061 (inbound, TCP if using secure SIP) – already open if using SIP Trunks.
  • Port 9000-10999 (inbound, UDP) for RTP – already open if using SIP Trunks.
  • Port 443 or 5001 (inbound, TCP) HTTPS for provisioning, unless you have specified custom PBX ports.

Port Configuration for 3CX WebMeeting, SMTP & Activation

To create and participate in web-based meetings, the 3CX-hosted cloud service must be able to communicate with the 3CX PBX and vice versa. To do so, these ports need to be configured:

  • Port 443 (outbound, TCP) to webmeeting.3cx.net – allow traffic to the FQDN rather than to the IP address when possible, as the IP may change.
  • Forward port 443 or 5001 (inbound, TCP) or the specified custom HTTPS port, to notify users of incoming web meetings.
  • To send emails using 3CX SMTP, your network needs to allow outbound TCP:2528 for the 3CX host machine.
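
The port lists in the sections above, as an added example (not 3CX's own tooling): a shell function that prints nftables rules for only the features a deployment actually uses, so nothing else is opened. The feature names, function names and the existing `inet filter` table with `input`/`output` chains are assumptions; the port numbers are this page's defaults.

```shell
#!/bin/sh
# Added example: print nftables rules for only the 3CX features in use.
# Assumptions: the feature names, the function names, and an existing
# "inet filter" table with "input" and "output" chains.

# rtp_range START CALLS -> "START-END" (2 RTP ports per simultaneous call).
# The PBX must be using the same range, or calls will have no audio.
rtp_range() {
    end=$(( $1 + 2 * $2 - 1 ))
    if [ "$2" -lt 1 ] || [ "$1" -lt 9000 ] || [ "$end" -gt 10999 ]; then
        echo "invalid RTP range $1-$end (default range is 9000-10999)" >&2
        return 1
    fi
    echo "$1-$end"
}

# fw_rules HTTPS_PORT RTP_RANGE FEATURE... -> deduplicated rules, one per line
fw_rules() {
    https=$1 rtp=$2; shift 2
    inb="add rule inet filter input" outb="add rule inet filter output"
    rules=$(for f in "$@"; do
        case $f in
        (trunk)      # SIP trunk / VoIP provider
            echo "$inb udp dport 5060 accept"
            echo "$inb udp dport $rtp accept" ;;
        (apps)       # remote 3CX apps, same ports as the 3CX SBC tunnel
            echo "$inb udp dport 5090 accept"
            echo "$inb tcp dport 5090 accept"
            echo "$inb tcp dport $https accept"
            echo "$outb tcp dport 443 accept"                # Android push
            echo "$outb tcp dport { 2195, 2196 } accept" ;;  # iOS push
        (directsip)  # remote IP phones / bridges via direct SIP
            echo "$inb udp dport 5060 accept"
            echo "$inb tcp dport 5060 accept"
            echo "$inb udp dport $rtp accept"
            echo "$inb tcp dport $https accept" ;;
        (securesip)  echo "$inb tcp dport 5061 accept" ;;
        (webmeeting) # outbound to webmeeting.3cx.net, inbound notifications
            echo "$outb tcp dport 443 accept"
            echo "$inb tcp dport $https accept" ;;
        (smtp)       echo "$outb tcp dport 2528 accept" ;;
        (*)  echo "unknown feature: $f" >&2; exit 1 ;;
        esac
    done) || return 1
    printf '%s\n' "$rules" | sort -u
}

# Constructed deployment: 8 simultaneous calls, HTTPS on 5001, trunk + apps
fw_rules 5001 "$(rtp_range 9000 8)" trunk apps
```

Review the printed rules before loading them with `nft -f`; on a perimeter firewall the same ports become forwarding/DNAT rules towards the PBX instead.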

Disable SIP ALG

Use a router / firewall without a SIP Helper or SIP ALG (Application Layer Gateway), or a device on which SIP ALG can be disabled. For example see how to switch off ALG on popular routers:

Run the Firewall Checker

After configuring your firewall, run the 3CX Firewall Checker to verify its configuration!
