Configure Kerio Control Firewall for 3CX Phone System

    In this manual, we will talk about configuring the Kerio Control firewall to work with 3CX Phone System. We will analyze the process using Kerio 8.3.0 build 1988 as an example.

    Typically, Kerio Control works correctly when used as an edge gateway for connecting VoIP providers, remote extensions (via STUN) and connections through the 3CX tunnel. The firewall includes inspection of SIP and HTTP traffic, but these mechanisms can interfere with the correct operation of remote 3CX phones.

    NAT type: IP Restricted

    So, let's move on to setting up ...

    Open the Kerio Control Web Admin control panel and go to “Services”:

    1. Set the validation for the SIP protocol to None.
    2. Click “Add” to create a new service. The list of ports you need to open here: . Please note that port numbers may vary with 3CX version.

    3. The SIP service already exists by default; Audio (1), 3CX Tunnel (2), HTTP (3) and HTTPS (4) must be added manually.

    4. Gather all the services in one group.

    5. Save the configuration by clicking “Apply”.

    NAT setup

    Via Kerio Control Web Admin, go to the "Traffic Rules" section:
    1. This is a list of rules. Click “Add” to create a new rule.

    Select “Port mapping” and specify the IP address (1) of 3CX Phone System. In the “Service” field, click “Select” (2) and select the “3CX Phone System” service. Click “Next” to complete.

    The rule will be created. Position it in the list so that it is not blocked by other rules.


    To check, run the 3CX Firewall Checker: in the 3CX Management Console, go to “Settings” > “Firewall Checker”. All ports should be displayed in green.


    If you use this firewall at a remote site in front of an IP phone that uses STUN, a NAT rule must be created for each IP phone (the “SIP” check must be disabled). A situation may arise in which only outgoing calls work, while on incoming calls there may be no audio in either direction. This may be because the firewall first expects audio or data to be sent from the local network, and only then allows reception through dynamic NAT. Depending on timing, the 3CX Phone System may send audio to the remote IP phone's RTP port before that phone (using STUN) has sent data to the PBX. The incoming stream from the 3CX media server will then be blocked by the firewall, without allowing other devices on this network to work. Therefore, NAT rules must be configured separately for each IP phone.
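
    The timing problem described above, as an added example (not part of the original manual and not Kerio or 3CX code): a toy model of a firewall whose dynamic NAT only admits inbound UDP from an address the LAN host has already sent to. The addresses, the RTP port and the class and function names are constructed assumptions, and the model shows only the initial drop caused by the race, not how Kerio handles the rest of the stream.

```python
from dataclasses import dataclass, field

@dataclass
class EdgeFirewall:
    """Toy edge firewall in front of a remote IP phone (constructed model)."""
    port_maps: dict = field(default_factory=dict)  # public port -> (lan_ip, lan_port)
    pinholes: dict = field(default_factory=dict)   # (public port, remote ip) -> (lan_ip, lan_port)

    def outbound(self, lan_ip, lan_port, remote_ip):
        # Dynamic NAT: an outbound packet opens a pinhole for replies from
        # remote_ip only. The source port is preserved to keep the model small.
        self.pinholes[(lan_port, remote_ip)] = (lan_ip, lan_port)

    def inbound(self, public_port, remote_ip):
        """Return the LAN destination, or None when the packet is dropped."""
        if public_port in self.port_maps:          # static port mapping rule
            return self.port_maps[public_port]
        return self.pinholes.get((public_port, remote_ip))

def replay(fw, events):
    """Apply events in order and return the verdict for each inbound packet."""
    verdicts = []
    for kind, *args in events:
        if kind == "out":
            fw.outbound(*args)
        else:
            verdicts.append("pass" if fw.inbound(*args) else "drop")
    return verdicts

# Constructed sample values (documentation address ranges, arbitrary RTP port).
PBX, PHONE, RTP = "203.0.113.10", "192.168.1.50", 14000

# Incoming call: PBX media reaches the firewall before the phone has sent anything.
PBX_FIRST = [("in", RTP, PBX), ("out", PHONE, RTP, PBX), ("in", RTP, PBX)]
# Outgoing call: the phone sends first, so the pinhole already exists.
PHONE_FIRST = [("out", PHONE, RTP, PBX), ("in", RTP, PBX)]

if __name__ == "__main__":
    print("dynamic NAT, PBX first:  ", replay(EdgeFirewall(), PBX_FIRST))
    print("dynamic NAT, phone first:", replay(EdgeFirewall(), PHONE_FIRST))
    mapped = EdgeFirewall(port_maps={RTP: (PHONE, RTP)})
    print("port mapping, PBX first: ", replay(mapped, PBX_FIRST))
```

    In this model a port mapping admits packets from any source address, not only the PBX, so where the rule allows it, limit its source to the PBX address.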


    Since this setup procedure is provided for informational purposes and is not an official guide, we cannot be held responsible for any security problems that may arise on your network after completing all steps of this manual.
