
Configuring Kerio Control Firewall for 3CX Phone System

In this manual, we will talk about setting up the Kerio Control firewall to work with the 3CX Phone System. We will analyze the process using the example of Kerio version 8.3.0 build 1988.

Typically, Kerio Control works correctly when used as a border gateway for connecting VoIP operators, remote subscribers (STUN) and connecting through the 3CX Tunnel. The firewall includes functionality for checking SIP and HTTP traffic, but these mechanisms may affect the correct operation of remote 3CX Phone.
NAT type: IP Restricted

So, let's proceed to the setup ...


Open the Kerio Control Web Admin control panel and go to “Services”:


  1. Set the check for “SIP” to “None”.
  2. Click “Add” to create a new service. The list of ports that need to be opened is here: http://www.3cx.com/docs/firewall-router-configuration-voip/ . Note that port numbers may depend on the 3CX version.


  1. If the SIP service already exists by default, then Audio (1), 3CX Tunnel (2), HTTP (3) and HTTPS (4) must be added manually.


  1. Collect all services in one group.

  1. Save the configuration by clicking “Apply”.

NAT setup


Via Kerio Control Web Admin, go to the “Traffic Rules” section:
  1. This is a list of rules. Click “Add” to create a new rule.

Select “Port mapping” and specify the IP address (1) of the 3CX Phone System. In the “Service” field, click “Select” (2) and select the “3CX Phone System” service. Click “Next” to complete.

A rule will be created and it must be placed so that it is not blocked by other rules.


Check


To check, run the 3CX Firewall Checker: in the 3CX Management Console, go to “Configure” > “Firewall Checker”. All ports should display green.

Note


If you use this firewall at a remote site in front of an IP phone that uses STUN, a NAT rule must be created for each IP phone (the “SIP” check must be disabled). There may be a situation in which only outgoing calls work, while incoming calls have no voice in either direction. This can happen because the firewall first waits for audio or data to be transmitted from the local network, and only then allows inbound traffic through dynamic NAT. Depending on timing, the 3CX Phone System may send audio to the remote IP phone's RTP port before that device (using STUN) has sent data to the PBX. The incoming stream from the 3CX media server is then blocked by the firewall, which also prevents other devices on this network from working. Therefore, NAT rules need to be configured separately for each IP phone.
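
The timing problem described in this note, as an added example that is not part of the original article: a simplified model of an address-restricted NAT, not Kerio Control's actual implementation. The addresses, the RTP port and all class and function names are constructed for illustration.

```python
# Toy model of an address-restricted ("IP Restricted") NAT in front of an IP phone.
# Simplification: the external port equals the phone's local port (no translation).
from dataclasses import dataclass, field

@dataclass
class RestrictedNat:
    # (lan_ip, port) -> remote IPs this LAN host has already sent traffic to
    dynamic: dict = field(default_factory=dict)
    # external port -> lan_ip, created by an explicit port-mapping rule
    static: dict = field(default_factory=dict)

    def outbound(self, lan_ip, port, remote_ip):
        """A LAN host sends first: this opens a dynamic mapping for remote_ip."""
        self.dynamic.setdefault((lan_ip, port), set()).add(remote_ip)

    def inbound(self, remote_ip, port):
        """Return the LAN host that receives the packet, or None if it is dropped."""
        if port in self.static:
            return self.static[port]
        for (lan_ip, mapped_port), peers in self.dynamic.items():
            if mapped_port == port and remote_ip in peers:
                return lan_ip
        return None

def replay(nat, events):
    """Replay ('out', lan_ip, port, remote) and ('in', remote, port) events in order."""
    delivered = []
    for kind, *args in events:
        if kind == "out":
            nat.outbound(*args)
        else:
            delivered.append(nat.inbound(*args))
    return delivered

# Constructed sample values (documentation address ranges, arbitrary RTP port).
PBX, PHONE, RTP = "203.0.113.10", "192.168.1.50", 14000

# Incoming call: the PBX media server sends RTP before the phone has sent anything.
PBX_FIRST = [("in", PBX, RTP), ("out", PHONE, RTP, PBX), ("in", PBX, RTP)]

def demo():
    dynamic_only = replay(RestrictedNat(), PBX_FIRST)
    with_rule = replay(RestrictedNat(static={RTP: PHONE}), PBX_FIRST)
    return dynamic_only, with_rule

if __name__ == "__main__":
    print(demo())
```

With only dynamic NAT the first packet from the PBX is dropped because no mapping exists yet; with a per-phone port-mapping rule it is delivered regardless of who sends first.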

NB


Since this configuration procedure is provided for informational purposes and is not an official manual, we cannot be held responsible for possible security problems that may arise in your network after you follow all the steps in these instructions.

Source: https://habr.com/ru/post/249649/

