3CX Firewall Guide

3CX Firewall Guide

Hosted 3CX Server

If you have a 3CX server hosted with us, you just need to make sure that your devices are able to communicate with that server.
3CX Clients and Session Border Controllers use a combination of HTTPS (default port TCP 443/5001) and 3CX Tunnel (default port 5090)
No port forwards are needed for routers on premise, except for potentially remote SBC management through SSH where requested.

On-Premise 3CX Server

First ensure that port forwards on the router are configured as described in this guide from 3CX: https://www.3cx.com/docs/ports/
Once confident, run the firewall checker and ensure that it passes with flying colours.

Then, if you really want to limit the port forward to specific external IP addresses, ensure that all SIP and RTP ports are allowed from our distributed SIP trunking system called GoVoIP.
The easiest way to do this is to allow all IP addresses for our hosted services which is currently or if you want to be very specific then just allow and