Step 1: Disable SIP ALG in the XG

The first thing 3CX Support is going to ask about. I will not rewrite the essay on this; instructions are in this Sophos KB:

https://community.sophos.com/kb/en-us/123523

Step 2: Create an IP Host to point to the 3CX server

System -> Hosts and Services -> IP Host.

Name it, insert the 3CX server's IP address, and Save.

(Screenshot: https://us1.discourse-cdn.com/spiceworks/original/4X/5/d/4/5d4039a115fd5a6f5ebeb15c7163d294f9f3179a.jpeg)

Step 3: Create the port forward list

From System -> Hosts and Services -> Services, create a new service and add the following entries:

TCP Source 1:65535 Destination 5060
UDP Source 1:65535 Destination 5060
TCP Source 1:65535 Destination 5090
UDP Source 1:65535 Destination 5090
UDP Source 1:65535 Destination 9000:10999

(5060 is SIP signalling, 5090 is the 3CX tunnel port, and 9000-10999 is the default 3CX media port range; if you have changed any of these in the 3CX settings, match them here.)

(Screenshot: https://us1.discourse-cdn.com/spiceworks/original/4X/3/c/b/3cb889c2a200765d134cae7bcafcd794b48fbda1.jpeg)

Step 4: Create a Business Application Rule

From Protect -> Firewall -> Add Firewall Rule -> Business Application Rule.
I stuck this one at the top of the food chain because I did not want it running into a block rule.

A couple of notes: I wanted to geofence as much as possible to limit attack vectors, but how tight you can make it depends on where your 3CX STUN servers are. I was a bit surprised that for my part of the US, running nslookup on the 3CX STUN servers gave me Montreal and France.

The thing that had me scratching my head originally is the Destination. This is NOT the server you are forwarding to; it is the XG's WAN port with your public IP. Attach the Service created in Step 3.

(Screenshot: https://us1.discourse-cdn.com/spiceworks/original/4X/a/1/6/a16653e1835108a8400036336506928f83521689.jpeg)

Step 5: Finish the firewall rule

The rule wouldn't fit in a single screenshot, but the hard part was already done. Specify the IP Host created in Step 2 as the Protected Server in the LAN zone, rewrite the source address (with masquerading on, the PBX sees the XG's LAN address instead of the remote caller's IP, so 3CX's own logs and IP blacklisting lose that detail), choose whether you want to log the traffic, and save the rule.

Go back to your 3CX server and run the firewall test.

(Screenshot: https://us1.discourse-cdn.com/spiceworks/original/4X/e/7/8/e78bfc6948c77ff76f7872d7fb13f3ae5713a13b.jpeg)

Step 6: Things that will make it bomb out

Do NOT specify the destination as your 3CX server (the knot in my forehead is still going down). It is the XG's WAN port (#2 in a default config).

I suggest NOT geofencing until you get a successful firewall test. I started out by just trying to get 5060 to come through with client network Any, built the other rules up, and then once it was all working initially tried to tighten to United States ... that bombed miserably. I ran nslookup and found the STUN servers for my area resolved to Montreal and France. I'd imagine you would need to allow any country where you have a presence or reps travelling there, but that's outside the scope of this HOWTO.

The last UDP entry in the service set up in Step 3 covers the media ports for a default installation (9000-10999). I don't know how huge your phone system would need to be to need more ports, but if the firewall check gets to 11000 and starts failing, that's the entry to change.

I hope this saves someone else the frustration I felt getting this going. Zero documentation on one side plus confusing documentation on the other made this more painful than it should have been. Once I figure out how to think in Sophos, things will go a lot easier.
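A second way to check the result of Steps 3 to 5 that does not depend on the 3CX firewall checker (and therefore on its STUN servers), as an added example that is not code from this HOWTO, from 3CX or from Sophos: send a bare SIP OPTIONS request over UDP to the XG's public IP from a host outside the firewall and see whether anything answers. Any SIP response at all, 200 or 401 or 403, proves the UDP 5060 DNAT reaches the PBX; no reply means the datagram never got there or never came back (rule order, wrong Destination, SIP ALG still on). The addresses 203.0.113.10 and 198.51.100.5 are constructed placeholders from the documentation ranges, and the script assumes the PBX answers unsolicited OPTIONS, which 3CX normally does; if yours is set to drop them, treat "no reply" as inconclusive rather than as a firewall fault.

```python
"""Probe a SIP port forward from the outside.

Added example: not code from the HOWTO, 3CX or Sophos. It sends a minimal
SIP OPTIONS request (RFC 3261) over UDP to the XG's public IP and reports
the status line of whatever answers. Run it from a host outside the
firewall (a VPS, a laptop on LTE); from the LAN it would only exercise
hairpin NAT, not the WAN-side rule.
"""
import secrets
import socket
import sys

# Ports from the HOWTO's service definition (3CX defaults).
SIP_PORT = 5060
TUNNEL_PORT = 5090
MEDIA_PORTS = range(9000, 11000)   # 9000-10999, RTP media range


def build_options(target_host, local_ip, local_port,
                  call_id=None, branch=None, tag=None):
    """Return a SIP OPTIONS request as bytes.

    call_id, branch and tag are random unless supplied (tests pass fixed
    values for deterministic output). The Via branch must begin with the
    RFC 3261 magic cookie z9hG4bK.
    """
    call_id = call_id or secrets.token_hex(8)
    branch = branch or "z9hG4bK" + secrets.token_hex(6)
    tag = tag or secrets.token_hex(4)
    lines = [
        f"OPTIONS sip:{target_host} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch={branch};rport",
        "Max-Forwards: 70",
        f"From: <sip:probe@{local_ip}>;tag={tag}",
        f"To: <sip:{target_host}>",
        f"Call-ID: {call_id}",
        "CSeq: 1 OPTIONS",
        f"Contact: <sip:probe@{local_ip}:{local_port}>",
        "User-Agent: port-forward-probe",
        "Accept: application/sdp",
        "Content-Length: 0",
        "",   # empty line terminates the header block
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_status(datagram):
    """Return (status_code, reason) from a SIP response, or None if the
    datagram is not a SIP response (garbage, or a request rather than a
    reply)."""
    first = datagram.split(b"\r\n", 1)[0].decode("utf-8", "replace")
    parts = first.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("SIP/2.0"):
        return None
    try:
        code = int(parts[1])
    except ValueError:
        return None
    reason = parts[2].strip() if len(parts) == 3 else ""
    return code, reason


def interpret(result):
    """One-line verdict for the operator. Any SIP reply, including 4xx,
    proves the forward: only the PBX could have produced it."""
    if result is None:
        return "no reply"
    code, reason = result
    if 200 <= code < 300:
        return f"forwarded ({code} {reason})"
    return f"forwarded, PBX answered {code} {reason}"


def probe(public_ip, port=SIP_PORT, timeout=3.0):
    """Send OPTIONS to public_ip:port over UDP and parse the first reply;
    return None when nothing arrives within the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((public_ip, port))
        local_ip, local_port = s.getsockname()   # address the route picked
        s.send(build_options(public_ip, local_ip, local_port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_status(data)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: sip_probe.py <XG public IP>")
    print(interpret(probe(sys.argv[1])))
```

This only exercises UDP 5060. The tunnel port (5090) and the media range (9000-10999) do not speak SIP on the outside, so the 3CX firewall checker remains the tool for those; the probe is for the case where the checker itself is being blocked, for example by the geofencing described in Step 6.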