3CX with IP Authenticated SIP Trunks

3CX has been conformance tested with many SIP Trunk suppliers but these tests do not generally take the requirement for NAT traversal into account. By manually specifying your WAN IP address or using STUN and combining it with port forwarding it will work with the majority of SIP providers out there.

Where 3CX falls down is if you're using a SIP trunk provider who use IP based authentication rather than registering using a username / password. One of the largest suppliers of business IP telephony services is Gamma Telecom and they use IP authentication.

The likes of Gamma prefer to use IP authentication and as a carrier it makes sense. If they only accept connections from IP addresses they allow it reduces their exposure to SIP exploits and brute force attacks. A potential attack has to use the customer's PBX or network as an attack vector which in turn shifts the liability for security onto the customer.

IP SIP authentication often uses the "VIA" header in the SIP INVITE. 3CX does not allow you to specify which IP address is added to the VIA header and will always take the IP address from the NIC. This causes problems if you're running 3CX on a private IP address as there's no way to display your WAN address in the VIA header.

People have asked 3CX to add this functionality but they have so far refused, citing SIP RFC's and that VIA should not manipulated. Such a request can be seen here.

3CX's solution is shown here and requires you to have two NIC's on your server. One for the private network so your 3CX server can respond to SIP phones and one with a public WAN IP address to communicate with the SIP SBC. This is OK if you have a block of IP addresses from your ISP and can route one directly to your server but if you have just one WAN address its not so simple.

If you're using a Draytek router there is a handy feature called "True DMZ". This will allow the router to be assigned the WAN IP address from the ISP but also allow your NIC of the 3CX server to have the same address. The Draytek router will pass any packet sent to the WAN IP address straight to the NIC of the server without modifying anything. 

With True DMZ you can associate the MAC address of your 3CX NIC. The router should pass the WAN IP address to the NIC using DHCP, but when I tested this myself it only passed on the gateway address. This may be because I was testing in a visualized environment but was easily resolved by manually setting the IP address, subnet and gateway from the router.

This pretty much removes the need for NAT traversal. Your SIP packets (importantly the VIA header) will display the WAN IP address when sending out the INVITE and packets being returned from the SBC or SIP proxy will be sent straight back to the 3CX server allowing 2 way communication.

This solution allows your router to still offer NAT, firewall and DHCP services to your private clients whilst still allowing your 3CX server to have the WAN address for the connection.

There are similar ways to give your server the WAN address such as putting your router into bridge mode and having the server dial up a PPPoE connection.

For information on configuring 3CX with Gamma Telecom who use IP Authentication click here.

For information on Draytek True DMZ functionality Click here

If you're looking to buy SIP trunks or Broadband then check out Eclipse Networks who are my current employer.