# Firewall & Router Configuration

## Introduction

If you have 3CX installed on-premise, you need to make changes to your firewall configuration to allow 3CX to communicate successfully with your SIP trunks and apps. This guide gives you a general overview of the ports that need to be opened/statically forwarded on your firewall.

If you have remote IP phones, you need to put an SBC or router phone in front of them. Alternatively, we recommend the use of our apps, which have an inbuilt tunnel.

## Ports required for your SIP Trunk / VoIP Provider

![Ports required for your SIP Trunk / VoIP Provider](https://lh7-us.googleusercontent.com/XEfeXtN3fnTQ_Aydwwljvyi-6hX8nl5goZjk52VjPWucFS6VNN5wNvikGmP5ClgYbbcSyVcrE-6eD1EW2Iel0eVxLZOVlnzVvvBrowoBYHeUY_NaUNaD81rUDoA2j6tsfv8oploHy95R-nM "Configure the ports  for your SIP Trunk / VoIP Provider")

Open these ports to allow 3CX to communicate with the VoIP Provider/SIP Trunk and WebRTC:

- Port 5060 (inbound, UDP) and 5060-5061 (inbound, TCP) for SIP communications.
- Port 9000-10999 (inbound, UDP) for RTP (Audio) communications, i.e. the actual call. Each call requires 2 RTP ports, one to control the call and one for the call data, so the number of ports you need to open is double the number of simultaneous calls.

## Ports required for remote 3CX Apps & SBC

To allow users to use their 3CX apps remotely, on Android, iOS or Windows, you need to ensure that these ports are open:

- Port 5090 (inbound, UDP and TCP) for the 3CX tunnel.
- Port 443 or 5001 (inbound, TCP) HTTPS for Presence and Provisioning, or the custom HTTPS port you specified.
- Port 443 (outbound, TCP) for Google Android Push.
- Port 443, 2197 and 5223 (outbound, TCP) for Apple iOS Push. More information [here](https://support.apple.com/en-gb/102266).

![Configuring the ports for remote 3CX clients](https://lh7-us.googleusercontent.com/M1xWJAQ96OvA3ZWOGws3sCBgbD0sq-NblpDFbXp6dy3OW24lUyAoYvAYJASKrzuak8nDY59aqj9LOHKAtIOVaIjoCDxay54zbvA8N67VsvC5XRv8hduqfr-I44gx2eKaOKDb5PI6ir9MFrk "Configure the ports for remote 3CX clients")

PUSH messages are sent by the 3CX System to Extensions using smartphones to wake up the devices for calls. This greatly enhances the usability of the smartphone apps.

## Ports required for 3CX Video Conference

To create and participate in web-based meetings, the 3CX-hosted cloud service must be able to communicate with the 3CX PBX and vice versa. To do so, these ports need to be configured:

![Configuring Ports for 3CX Video Conferencing](https://lh7-us.googleusercontent.com/OrkynVlJxhjS4FqcR2bXjvY4_D7CezZiEPhQ9MbS-7HzpxyzmpoZHGjc9-0MRRkVMe08E3D9DZ3ZNtH1nnqoQH5oLFIlxExaT3DmRitUwj86PZCTF324jV3Hc4z_oMpwhYOvdYxE5MLR2qg "Configuring Ports for 3CX Video Conferencing")

- Port 443 (inbound, TCP) must be allowed for participants to connect to your 3CX System.
- 3CX System: Port 443 (outbound, TCP) must be allowed to connect to 3CX’s cloud infrastructure.
- Users: Port 443 (outbound, TCP) and 48000-65535 (outbound, UDP) must be allowed to exchange audio and video with other participants.

## Ports required for Other Services (SMTP & Activation)

A 3CX System connects to various services provided by 3CX in the cloud.

- SMTP Service: Cloud Service for SMTP Messages  
     smtp-proxy.3cx.net, 2528 (outbound, TCP)
- Activation Service: Activation of 3CX Products  
     activate.3cx.com, 443 (outbound, TCP, uninspected traffic)
- RPS Service: Provisioning of Remote IP Phones  
     rps.3cx.com, 443 (outbound, TCP)
- Update Server: For updates of 3CX System and firmware of IP Phones  
     downloads-global.3cx.com, 443 (outbound, TCP)

## Configure Split DNS / Hairpin NAT

You will need to configure the 3CX FQDN to work both internally on your local network and externally outside of your network (unless you do not want to give access to your phone system from outside the network).

## Disable SIP ALG

Use a router/firewall without a SIP Helper or SIP ALG (Application Layer Gateway), or a device on which SIP ALG can be disabled.

## Run the Firewall Checker

After configuring your firewall, run the 3CX Firewall Checker to verify its configuration!
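
The inbound port lists in this guide can also be compared offline against a router's port-forward table, which shows both missing forwards and forwards the guide never asks for. The following is an added example, not 3CX code and not the 3CX Firewall Checker; the rule tuple format, function names and sample table are assumptions.

```python
# Added example: audit a port-forward table against the inbound ports in this guide.
# The rule format (proto, first_port, last_port) and all names are assumptions.
RTP_FIRST, RTP_LAST = 9000, 10999          # RTP (audio), inbound UDP


def required_inbound(https_port=443):
    """Inbound ports the guide lists; https_port may be 443, 5001 or a custom port."""
    return [
        ("udp", 5060, 5060, "SIP"),
        ("tcp", 5060, 5061, "SIP"),
        ("udp", RTP_FIRST, RTP_LAST, "RTP"),
        ("udp", 5090, 5090, "3CX tunnel"),
        ("tcp", 5090, 5090, "3CX tunnel"),
        ("tcp", https_port, https_port, "HTTPS"),
    ]


def expand(rules):
    """Flatten (proto, first, last, ...) rules into a set of (proto, port) pairs."""
    return {(r[0], port) for r in rules for port in range(r[1], r[2] + 1)}


def audit(rules, https_port=443, simultaneous_calls=1):
    """Return (missing required rules, forwarded ports the guide does not ask for)."""
    if 2 * simultaneous_calls > RTP_LAST - RTP_FIRST + 1:
        raise ValueError("two RTP ports per call: range 9000-10999 is too small")
    required = required_inbound(https_port)
    forwarded = expand(rules)
    missing = [r for r in required if not expand([r]) <= forwarded]
    extra = sorted(forwarded - expand(required))
    return missing, extra


# Constructed sample of a router's port-forward table (not from a real device).
SAMPLE_RULES = [
    ("udp", 5060, 5060),
    ("tcp", 5060, 5060),      # TCP 5061 not forwarded
    ("udp", 9000, 10999),
    ("tcp", 5090, 5090),      # UDP 5090 not forwarded
    ("tcp", 443, 443),
    ("tcp", 3389, 3389),      # unrelated service exposed to the internet
]

if __name__ == "__main__":
    missing, extra = audit(SAMPLE_RULES, simultaneous_calls=20)
    for proto, first, last, name in missing:
        print(f"MISSING {name}: {proto} {first}-{last}")
    for proto, port in extra:
        print(f"EXTRA   {proto} {port} is forwarded but not required by the guide")
```
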

## Step by Step Instructions for Popular Firewalls

Example configurations for popular firewalls:

- [Configuring a Sonicwall Firewall for 3CX](https://www.3cx.com/docs/sonicwall-firewall-configuration/)
- [Configuring a Draytek 2820 Router for 3CX with QoS configuration](https://www.3cx.com/docs/draytek-firewall-configuration/)
- [Configuring AVM FritzBox as a Firewall with 3CX](https://www.3cx.com/docs/avm-fritzbox-firewall-configuration/)
- [Configuring a CISCO router to allow connection to a VOIP provider](https://www.3cx.com/docs/cisco-router-configuration/)
- [Configuring FortiGate 40F for 3CX](https://www.3cx.com/docs/fortigate-firewall-configuration/)
- [Configuring a WatchGuard XTM Firewall for 3CX](https://www.3cx.com/docs/watchguard-xtm-firewall/)
- [Configuring a pfSense Firewall for 3CX](https://www.3cx.com/docs/pfsense-firewall/)
- [Configuring MikroTik Firewall](https://www.3cx.com/docs/mikrotik-firewall-configuration/)