
Understanding SIP Firewall Configuration


For a VoIP phone system to communicate successfully with VoIP providers and remote extensions, your firewall/router must be configured for SIP operation. To maximize your chances of success, choose a device that does not implement a SIP Helper or SIP ALG, or one on which that feature can be disabled: such helpers rewrite the addresses and ports inside SIP and SDP messages, and they are a common cause of failed registrations and one-way or missing audio.

Microsoft ISA Server is not suitable for SIP use, since it cannot correctly implement UDP port forwarding.

Note: LAN security remains the responsibility of the system administrator; this article is limited to describing the technical implementation. Any rule that allows traffic from outside into the LAN is a potential security exposure, and an Internet-facing SIP port in particular attracts constant scanning and registration attempts. Please review our article on VoIP security for some pointers.

Incoming Ports

In a default installation of a VoIP phone system, the PBX listens for SIP messages on port 5060 (UDP and TCP). Audio is carried in RTP streams over a range of UDP ports that you must configure. For example, 9000-9049 (UDP only) allows up to 25 simultaneous calls with VoIP providers or remote extensions, since each call uses two ports (RTP and RTCP). These ports must be forwarded to the LAN IP address of the 3CX Phone System machine without port translation: the external port must be the same as the internal port, because the PBX advertises these exact ports in its SIP/SDP messages. You should also forward port 5090 (TCP and UDP) so that remote extensions can connect using the tunnel protocol.

Outgoing Ports

Configuring your firewall to control and restrict outgoing traffic can be time-consuming, and to avoid errors you may consider granting the PBX machine unrestricted outbound access to the Internet. If you do so, grant that allowance to the PBX host only, so the rest of the LAN keeps its normal egress policy.

Restricting outgoing traffic by destination port is not practical, so you will need another mechanism, such as restricting by destination address. Keep in mind that even though your VoIP system listens for SIP on port 5060 and for audio on your RTP range (for example 9000-9049), a VoIP provider or a remote extension has no obligation to use fixed ports on its side: the far-end signalling and media ports are whatever it advertises.

The PBX will also need access to STUN servers to discover its public address and port mappings where port forwarding has not been implemented (unsupported, but possible). If, however, you have a static public IP address and port forwarding correctly implemented, disable STUN completely, which eliminates the need for the PBX to perform STUN requests.
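The port plan from the Incoming Ports and Outgoing Ports sections, expressed as firewall rules. This is an added example for a Linux netfilter (iptables) firewall, not configuration from DrVoIP or from any PBX vendor. The PBX address 192.0.2.10, the interfaces eth0/eth1 and the provider addresses 198.51.100.20 and .21 are assumptions for illustration, and the script assumes the FORWARD chain's default policy is DROP. Without arguments it only prints the rules so they can be reviewed; with "apply" as the first argument it executes them (requires root).

```shell
#!/bin/sh
# Added example, not part of the DrVoIP article: generate the iptables rules
# that implement the port plan above on a Linux (netfilter) firewall whose
# FORWARD chain defaults to DROP. Addresses, interface names and provider IPs
# are assumptions for illustration; replace them with your own.

PBX_LAN_IP="192.0.2.10"            # assumed LAN address of the PBX (RFC 5737 example range)
WAN_IF="eth0"                      # assumed Internet-facing interface
LAN_IF="eth1"                      # assumed LAN-facing interface
SIP_PORT=5060                      # SIP signalling, UDP and TCP
TUNNEL_PORT=5090                   # remote-extension tunnel, UDP and TCP
RTP_START=9000                     # RTP/RTCP range, UDP only
RTP_END=9049
PROVIDER_IPS="198.51.100.20 198.51.100.21"   # assumed VoIP provider addresses

# Each call consumes two consecutive UDP ports (RTP plus RTCP), so the range
# supports half as many calls as it has ports; an odd-sized range is rejected.
rtp_call_capacity() {
    count=$(( $2 - $1 + 1 ))
    if [ "$count" -le 0 ] || [ $(( count % 2 )) -ne 0 ]; then
        echo "RTP range $1-$2 must cover a positive, even number of ports" >&2
        return 1
    fi
    echo $(( count / 2 ))
}

emit_rules() {
    calls=$(rtp_call_capacity "$RTP_START" "$RTP_END") || return 1
    echo "# RTP range $RTP_START-$RTP_END gives $calls simultaneous calls"

    # Inbound: a DNAT target with a bare address keeps the original destination
    # port, which is the "no port translation" requirement; the PBX advertises
    # these exact ports in its SIP/SDP, so they must match on both sides.
    for proto in udp tcp; do
        for port in "$SIP_PORT" "$TUNNEL_PORT"; do
            echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $port -j DNAT --to-destination $PBX_LAN_IP"
            echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p $proto -d $PBX_LAN_IP --dport $port -j ACCEPT"
        done
    done
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p udp --dport $RTP_START:$RTP_END -j DNAT --to-destination $PBX_LAN_IP"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p udp -d $PBX_LAN_IP --dport $RTP_START:$RTP_END -j ACCEPT"

    # Outbound: the far end may use any port, so restrict by destination
    # address instead, and only for the PBX host rather than the whole LAN.
    for ip in $PROVIDER_IPS; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $PBX_LAN_IP -d $ip -j ACCEPT"
    done
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # Keep the kernel SIP helper (the Linux SIP ALG) from rewriting SIP traffic.
    echo "modprobe -r nf_nat_sip nf_conntrack_sip 2>/dev/null || true"
    echo "echo 'blacklist nf_nat_sip' > /etc/modprobe.d/no-sip-alg.conf"
    echo "echo 'blacklist nf_conntrack_sip' >> /etc/modprobe.d/no-sip-alg.conf"
}

case "${1:-print}" in
    apply) emit_rules | sh -e ;;
    *)     emit_rules ;;
esac
```

Inbound 5060 and 5090 stay reachable from any source address because remote extensions have no fixed IP, which is exactly the exposure the note above warns about; the outbound rules, by contrast, name provider addresses rather than ports, since the provider may answer from any port. With forwarding in place like this, STUN on the PBX should be disabled as described above.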
