I’ve found during 3CX training sessions, that our partners get fantastic value in attending. They can ask more in-depth questions and discuss upcoming deployments. A common theme this year has been around remote deployment and “hub and spoke” configurations. This is where phones sit offsite, with 3CX sitting either in the Cloud or on premise. Smaller satellite sites sitting remotely, hang off a central head office. 3CX has a myriad of ways for phones to be deployed offsite. The simplest way boils down to using a session border controller (SBC) or a direct VPN between sites. (Note STUN requires a lot of port forwards at remote sites, and can be influenced by SIP ALG). The most common question is which to choose, and why?


Offsite deployments are becoming increasingly common with 3CX adopting support for; AWS, Google Cloud, Azure and the list goes on. A lot of partners are now looking at local data centres to host their customers’ 3CX instances. This is for the sake of simplicity, as well as lower latency. This also applies to the aforementioned head office scenario where they may have a server or an Intel NUC sitting with 3CX, and then linking in remote sites across the country. The how and why comes down to a couple of factors. The main factor is to cater for networking traffic, especially since multicast traffic will only travel to the edge of local area network.




The 3CX SBC is a simple application that can run on Windows, Linux and even a Raspberry Pi. You can access and create SBC connections from the latest version of v16. This is under SIP trunks from within the management console. Then install the application at the remote site with these credentials. Once this has been set up, any local multicast traffic will hit the SBC and forward to the main 3CX system. This causes the phone to appear under the management console’s phones area – for simple assignment to a new or existing extension. Click here for guidelines from 3CX around hardware requirements, and soft limits on the number of extensions and BLFs that these devices can handle. The added benefit beyond install simplicity, is that the SBC can encrypt and encapsulate SIP traffic. This gives an extra layer of security for phone calls, as well as just needing port 5090 forwarded for UDP and TCP to the internal static IP of the SBC at the remote site. The 3CX SBC is also a free application.


The other option for an offsite phone is a VPN. Depending on how the networking infrastructure has been set up, these tunnels may already be in place. This makes deployment even simpler. Multicast will be able to reach the 3CX PBX on the other side of the VPN – as traffic will be local to it. I like to say that 75% of any successful install is proper planning and the network layer is critical in this planning. Depending on the customer, the network configuration may sit outside of a partner’s control. So the party responsible for it will need to be looped into this initial scope, to make sure it is possible with the existing equipment and create a plan around it. A VPN works well with SIP traffic, provided it is transparent and isn’t filtering any RTP or multicast traffic for our install case here. Given that the PPTP protocol is no longer secure, most VPNs are using IPSEC and it is recommended to do this over a GRE tunnel as IPSEC by default does not support multicast traffic. DHCP option 66 is another way to get around these hurdles with VPN, if they arise. (Make sure that this isn’t already set to an incumbent provider’s PBX!). The key thing to keep in mind, is a VPN can potentially enable more physical phones and BLFs than using an SBC.However, it needs to be set up correctly if it isn’t already in place. The SBC is a simple plug and play solution to quickly get phones operational offsite, when a VPN isn’t feasible or required.


Whether an install leverages a SBC or a VPN, it is important to always scope correctly and have an install and configuration plan in place before deployment day. If you need to chat through a scenario you are facing, reach out to the Soft Solutions VoIP Support Team for guidance.