Getting a Sophos XG firewall to pass the 3CX firewall test was a challenge; here is a step-by-step guide to getting it working.
6 Steps total
Step 1: Disable SIP Alg in the XG
This is the first thing 3CX Support will ask about. I will not repeat the essay on it; the instructions are in this Sophos KB article:
https://community.sophos.com/kb/en-us/123523
Step 2: Create an IP Host for the 3CX server
System -> Hosts and Services -> IP Host.
Name it, enter the 3CX server's internal IP address, and Save.
Step 3: Create the service (the port list)
From System -> Hosts and Services -> Services, create a new service and add the following protocol/port entries. The source port range is 1:65535 in every case; the destination ports are the 3CX defaults:
- TCP source 1:65535, destination 5060 (SIP)
- UDP source 1:65535, destination 5060 (SIP)
- TCP source 1:65535, destination 5090 (3CX tunnel)
- UDP source 1:65535, destination 5090 (3CX tunnel)
- UDP source 1:65535, destination 9000:10999 (RTP media)
Step 4: Create a Business Application Rule
From Protect -> Firewall -> Add Firewall Rule, choose Business Application Rule.
I put this one at the top of the rule set because I did not want it running into a block rule above it.
A couple of notes: I wanted to geofence as much as possible to limit the attack surface, but how tight you can make it depends on where the 3CX STUN servers are. I was surprised that, for my part of the US, running nslookup on the 3CX STUN servers gave me Montreal and France.
The thing that originally had me scratching my head was the Destination. This is NOT the server you are forwarding to; it is the XG's WAN port with your public IP. Attach the Service created in Step 3.
Step 5: Finish the firewall rule
The rule would not fit in a single screenshot, but the hard part is already done. Specify the IP Host created in Step 2 as the Protected Server in the LAN zone, enable rewriting of the source address (masquerading), choose whether you want to log the traffic, and save the rule.
Go back to your 3CX server and run the firewall test.
Step 6: Things that will make it bomb out
Do NOT specify the destination as your 3CX server (the knot in my forehead is still going down). It is the XG's WAN port (Port2 in a default config).
I suggest NOT geofencing until you get a successful firewall test. I started out by just trying to get 5060 through with the client network set to Any, built up the other rules, and once it was all working tried to tighten the source to United States; that bombed miserably. Running nslookup showed that the STUN servers for my area resolved to Montreal and France. I imagine you would need to allow any country where you have a presence or reps travelling there, but that is outside the scope of this HOWTO. Do tighten the source once the checker passes, though: a 5060 open to the whole internet is scanned constantly for SIP registrations.
The last UDP entry in the service set up in Step 3 covers the media ports for a default installation (9000-10999). I do not know how large your phone system would need to be to need more ports, but if the firewall check gets to 11000 and starts failing, that is the entry to change.
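As an added example (not part of the original HOWTO), here is a small Python script that reproduces what the 3CX Firewall Checker does for the media ports: a UDP echo responder stands in for the 3CX server behind the firewall, a prober sends a unique token to each port and records which ones come back, and the lowest port that does not answer is where the rule stops covering the range. It runs entirely on 127.0.0.1 with ports picked at runtime (constructed), so it works offline; against a real deployment you would run the prober from outside, pointed at your public IP and at the port list from the service above, with the echo service being the one 3CX provides.

```python
import select
import socket
import threading
import time

# 3CX defaults quoted in the HOWTO: SIP 5060, tunnel 5090, RTP media 9000-10999 (UDP).
DEFAULT_RTP_RANGE = range(9000, 11000)


def free_udp_ports(n, host="127.0.0.1"):
    """Pick n currently free UDP ports (constructed stand-ins for real media ports)."""
    socks = [socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for _ in range(n)]
    try:
        for s in socks:
            s.bind((host, 0))
        return [s.getsockname()[1] for s in socks]
    finally:
        for s in socks:
            s.close()


def start_echo_responder(host, ports):
    """Bind each port and echo datagrams back, like the checker's echo service.
    Returns an Event; set it to stop the responder thread."""
    socks = []
    for p in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((host, p))
        socks.append(s)
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            ready, _, _ = select.select(socks, [], [], 0.1)
            for s in ready:
                try:
                    data, addr = s.recvfrom(2048)
                    s.sendto(data, addr)
                except OSError:
                    pass
        for s in socks:
            s.close()

    threading.Thread(target=loop, daemon=True).start()
    return stop


def probe_udp_ports(host, ports, timeout=0.5):
    """Send a unique token to each port; a port passes only if the same token comes back.
    A timeout or an ICMP port-unreachable (ConnectionRefusedError) counts as blocked."""
    results = {}
    for p in ports:
        token = f"probe-{p}-{time.time_ns()}".encode()
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(token, (host, p))
                data, _ = s.recvfrom(2048)
                results[p] = data == token
            except OSError:
                results[p] = False
    return results


def failing_ports(results):
    """Ports that did not echo, lowest first; the first one is where the rule stops covering."""
    return sorted(p for p, ok in results.items() if not ok)


def run_demo():
    """Three 'forwarded' ports answer; one is left unbound to imitate a port outside the rule."""
    ports = free_udp_ports(4)
    opened, blocked = ports[:3], ports[3]
    stop = start_echo_responder("127.0.0.1", opened)
    try:
        results = probe_udp_ports("127.0.0.1", ports)
    finally:
        stop.set()
    return opened, blocked, results


if __name__ == "__main__":
    opened, blocked, results = run_demo()
    for p in sorted(results):
        print(f"udp/{p}: {'ok' if results[p] else 'BLOCKED'}")
    print("first failing port:", failing_ports(results)[:1])
```

The prober treats anything other than its own token coming back as a failure, so a middlebox that answers on the firewall's behalf, or an ALG that mangles the payload, shows up as blocked rather than as a false pass.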

I hope this saves someone else the frustration I felt getting this going - Zero documentation on one side plus confusing documentation on the other made this more painful than it should have been. Once I figure out how to think in Sophos things will go a lot easier.
Users may run into SIP call problems such as:
- One-way audio
- No audio in either direction
- The call hangs up after 30 seconds
These are mostly caused by router, firewall or VPN gateway settings. We usually suggest disabling SIP ALG and SIP forwarding on the device.
In this article we list the settings we have found to work. Each router manufacturer has its own names and logic for these settings, so we cannot cover them all.
Disclaimer
We only offer suggestions for router settings; we do not offer support for debugging your router. If you need help with router settings, or are not familiar with them, please ask the manufacturer's support or your IT admin.
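To see concretely what a SIP ALG does to a message, and why these articles all start with turning it off, here is an added Python example that is not taken from any of the vendor articles on this page. It builds a SIP OPTIONS request the way a phone behind NAT would send it, then compares the copy the far end actually received against the original: an ALG rewrites the private address in the Via and Contact headers to the router's public address, which conflicts with the NAT handling the phone or PBX already does itself (STUN, rport) and is the usual source of the one-way-audio and 30-second-hangup symptoms listed above. The addresses are constructed (RFC 5737 test ranges), and the "received" copy is produced by the `sample_alg_rewrite` stand-in rather than captured from a real router.

```python
import re

PRIVATE_IP = "192.168.1.50"  # constructed: phone behind NAT
PUBLIC_IP = "203.0.113.7"    # constructed: router's WAN address
PBX = "203.0.113.9"          # constructed: PBX address


def build_options(local_ip, local_port, target, call_id="alg-probe-1"):
    """A SIP OPTIONS request as a phone behind NAT would send it (RFC 3261 shape)."""
    return (
        f"OPTIONS sip:{target} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch=z9hG4bK-alg-probe;rport\r\n"
        f"From: <sip:probe@{local_ip}>;tag=1\r\n"
        f"To: <sip:{target}>\r\n"
        f"Call-ID: {call_id}\r\n"
        "CSeq: 1 OPTIONS\r\n"
        f"Contact: <sip:probe@{local_ip}:{local_port}>\r\n"
        "Max-Forwards: 70\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )


def header(msg, name):
    """First header value with the given name (case-insensitive), or None."""
    m = re.search(rf"^{re.escape(name)}\s*:\s*(.*?)\r\n", msg, re.M | re.I)
    return m.group(1) if m else None


def via_sent_by(msg):
    """host:port from the top Via (sent-by), the field ALGs rewrite most often."""
    m = re.match(r"SIP/2\.0/\w+\s+([^;\s]+)", header(msg, "Via") or "")
    return m.group(1) if m else None


def contact_hostport(msg):
    """host:port from the Contact URI."""
    m = re.search(r"sip:(?:[^@>]+@)?([^;>]+)", header(msg, "Contact") or "")
    return m.group(1) if m else None


def alg_changes(sent, received):
    """Compare what the phone sent with what the far end got.
    Returns {header: (sent_value, received_value)} for every rewritten field;
    an empty dict means nothing on the path touched the message."""
    changes = {}
    for name, extract in (("Via", via_sent_by), ("Contact", contact_hostport)):
        before, after = extract(sent), extract(received)
        if before != after:
            changes[name] = (before, after)
    return changes


def sample_alg_rewrite(msg, private_ip, public_ip):
    """Constructed stand-in for a router with SIP ALG on: it swaps the private
    address for the public one in Via and Contact only and leaves From/To alone.
    Real ALGs differ in exactly which fields they touch, which is part of the problem."""
    out = []
    for line in msg.split("\r\n"):
        if line.lower().startswith(("via:", "contact:")):
            line = line.replace(private_ip, public_ip)
        out.append(line)
    return "\r\n".join(out)


if __name__ == "__main__":
    sent = build_options(PRIVATE_IP, 5062, PBX)
    print("no ALG :", alg_changes(sent, sent))
    print("ALG on :", alg_changes(sent, sample_alg_rewrite(sent, PRIVATE_IP, PUBLIC_IP)))
```

The same comparison is what a firewall checker does in practice: it sends a request through the NAT to a reflector that returns the message as received, and any difference in Via or Contact means an ALG is still active somewhere on the path even if the web interface says it is off.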
1. Disable SIP ALG on a Cisco router (CLI only).
Command: no ip nat service sip udp port 5060
2. Disable the SIP ALG option on the Cisco RV320 router.
3. Disable SIP ALG on the Huawei HG8145V.
4. Disable SIP Transformations and Consistent NAT on SonicWall.
5. Disable SIP ALG on Billion routers.
6. Disable SIP Passthrough on the Asus RT-N66U router.
7. Disable SIP ALG, and check the Non-NAT option, on the TP-Link TL-ER6020.
8. Disable SIP ALG on the D-Link DIR-605L.
Sophos XG firewall (CLI):
- Log in to the CLI using Telnet or SSH. You can also open the CLI from admin > Console in the upper-right corner of the Admin Console.
- Choose option 4. Device Console.
- Execute the following command(s):

Cyberoam (CLI):
- Sign in to the CLI console and select option 4. Cyberoam Console from the Main Menu.
- Execute the following command:
console> cyberoam system_modules sip unload
How to use a custom port
If you are using a custom port for SIP and want the Cyberoam SIP helper module to handle that port instead, issue the command below (5061 is the example port):
console> cyberoam system_modules sip load ports 5061

Ubiquiti UniFi Security Gateway (USG) managed by a CloudKey:
Download and install WinSCP from https://sourceforge.net/projects/winscp/
Connect to your CloudKey with WinSCP over SSH and browse to /srv/unifi/data/sites/default (my site was called default; yours may be named differently).
Create a file on your computer named config.properties.
Edit config.properties, add the line config.ugw.voip.sip_alg_disable=true, and save it.
Copy the file to the CloudKey, into the site folder you browsed to above.
Force the USG to re-provision by creating a port-forwarding rule and then deleting it.
You can verify that the setting took effect by connecting to the USG over SSH (on Windows, use PuTTY) and running lsmod | grep sip. If SIP ALG is disabled, the command prints nothing and you are returned to the prompt.
13. How to Disable SIP ALG on a Thomson Router
SIP ALG is meant to spare you from configuring static NAT on the router. Its implementation, however, varies from one router to another, and a router with SIP ALG enabled often fails to interoperate with a PBX. In general you should disable SIP ALG and configure one-to-one port mappings on the router instead.
In this article we show how to disable SIP ALG on a Thomson router, where it is known to cause problems with VoIP calls. Proceed as follows:
Open Command Prompt – “Start” → “Run” → type “cmd” and press “Enter”.
In Command Prompt, type “telnet 192.168.1.254” and press enter. 192.168.1.254 is the default IP address of the router. If you are running on Windows 7/8/8.1/10, you might need to install the telnet client from “Control Panel” → “Programs and Features” → “Turn Windows features on and off”.
The default username is “Administrator”, and there is no default password, leave blank.
Type “connection unbind application=SIP port=5060” and press “Enter”.
Type “save all” and press “Enter”.
Type “exit” and press “Enter” to exit the telnet session.
SIP ALG is now disabled on your Thomson router.

Note:
The SIP phones behind this router should be configured not to use STUN
The SIP phones must NOT be configured with a local port of 5060 or 5061. The local port of the phone must be changed to something else.
Configuring a SIP Phone behind a Thomson router might require port forwarding to be implemented on the router. So you will need to port forward the SIP and AUDIO (RTP) ports on the Thomson router and point them to the SIP Phone’s IP Address.
14. Disabling SIP ALG on the FortiGate 80C Firewall
Step 1: Disable SIP ALG
The SIP ALG functionality is harder to disable than it looks (it can stay active even when it is disabled in the web interface) and varies greatly between models. In addition, the type of NAT in use may break correct functionality or re-enable SIP ALG. On devices running FortiOS you need to disable it in several places, as shown below:
Open the FortiGate CLI from the dashboard.
Enter the following commands in FortiGate’s CLI:
config system settings
set sip-helper disable
set sip-nat-trace disable
Reboot the device.
Reopen the FortiGate CLI and enter the following commands (do not enter text after //)
config system session-helper
show //you need to find the entry for SIP, usually 12, but it may vary
delete 12 //or the number that you identified from the previous command
Create a rule and set the “Protection Profile” to “Unfiltered”
Reboot the device and you should be ready to use your FortiGate 80C with the 3CX Phone System without any issues.
Step 2: Removing the Session Helper
Run the following commands:
config system session-helper
show
Amongst the displayed settings will be one similar to the following example:
edit 13
set name sip
set protocol 17
set port 5060
In this example, the next commands would be:
delete 13
end
Step 3: Change the default VoIP ALG mode
Run the following commands:
config system settings
set default-voip-alg-mode kernel-helper-based
end
On FortiOS 5.2 and above, also disable SIP in the default VoIP profile:
config voip profile
edit default
config sip
set status disable
end
end
Step 4: Clear Sessions or Reboot
To clear sessions:
Ideally you would only delete the sessions related to VoIP traffic. For SIP, however, that means deleting not only the SIP control sessions but also all the sessions opened for the audio (RTP) traffic. If you know the port range used for the audio traffic, you can be selective by applying a filter first:
diagnose sys session filter ...
See the related article 'Troubleshooting Tip: FortiGate Firewall session list information'.
The clear command applies to ALL sessions unless a filter is applied, and will therefore interrupt traffic:
diagnose sys session clear
Alternatively, reboot the FortiGate from the GUI or the CLI. The CLI command is:
execute reboot
Step 5: Validating Your Setup
Log into your 3CX Management Console → Dashboard → Firewall and run the 3CX Firewall Checker. This validates that your firewall is correctly configured for use with 3CX. See the 3CX documentation for more information about the Firewall Checker.
15. How to Disable SIP ALG on Netgear Routers
Option 1
Open the Netgear router configuration by browsing to its LAN Address (http://192.168.0.1 by default).
Log in to the router's configuration. The default username is "admin" and the default password is "password".
In the main menu, select “Advanced” → “WAN Setup”.
Enable the option “Disable SIP ALG”.
Click “Apply”.
Option 2
Open the Netgear router configuration by browsing to its LAN Address (http://192.168.0.1 by default).
Log in to the router’s configuration. The default username is “admin” and the default password is “password”.
In the main menu, select “Security” → “Firewall” → “Advanced”.
Uncheck the option “Enable SIP ALG”.
Click “Apply”.
