3cx pbx in high availability mode behind Sophos UTM

Hi, new to the world of Sophos.

I have a client with a 3cx VoIP PBX in high availability mode. This consists of 2 hardware devices, an Active Server (3cx 1) and a Passive Server which works on failover of the Active Server (3cx 2).

3cx 1 has an IP address of 192.168.44.98, 3cx 2 has an IP address of 192.168.44.99.

Both servers are set so that they use an FQDN for the registration of IP phones and ATA devices.

In failover the IP phones and ATAs register to the Passive Server (3cx 2) in the expected manner.

In failover the client can make calls using the SIP trunk, but no incoming calls are presented to the Passive Server (3cx 2).

This is clearly a firewall/NAT issue; the question is how do I get the Sophos UTM to use the FQDN to pass SIP traffic from the SIP trunk when the 3cx is in failover mode.

  • Hi Ian,

    welcome to the community.
    Sorry, I don't understand all details of your setup... some questions:
    - Is Sophos your perimeter firewall (between internet and LAN only... or between internal phones and 3cx too)?
    - Are the phones connecting to 3cx from the LAN or the internet?
    - Do you use different (external?) IPs for primary and secondary 3cx?
    - Do you use a SIP trunk to an external SIP provider?
    - In failover: are you unable to call from one connected phone to another connected phone? Are you able to call from a phone to the world? Are you unable to receive incoming calls from the world?

    - While in failover mode... check the firewall live log for incoming/NATed packets (turn on logging within the firewall and NAT rules).

    Please post the result from the 3cx firewall check.

    How do you configure HA?
    The guide from www.3cx.com/.../ talks about one FQDN and 2 public IPs.
    During takeover the secondary device changes the IP behind the FQDN.
    I can't find a guide/example with 2 FQDNs.

    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • Hi Dirk,

    to answer your questions:

    Sophos is the perimeter firewall; both 3cx are behind it as well as the phones (all on the same subnet).

    Both Primary and Secondary 3cx use the same external IP; they use an FQDN to register the phones, not an IP. The FQDN is provided by 3CX from their server.

    The SIP trunk is provided by a UK telco and uses direct IP for connection (i.e. not registration authorisation).

    In failover everything works as expected, except the ability to receive calls from outside, so phone-to-phone and phone-to-outside-world calls are OK.

  • How does the external UK telco provider know about the failover situation?
    As far as I know it sends SIP/RTP to the registered IP.
    With different external IPs for each 3cx node the provider should use the "living" connection and you can build DNAT rules depending on the external IP.
    (the scenario explained within the link above)
    I don't know of SIP/RTP with SNI (Server Name Indication) like that used with web servers.

    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
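Two points in this thread lend themselves to a small model: Dirk's advice to check the firewall live log for incoming/NATed SIP packets, and his explanation that a DNAT rule is keyed on the external (destination) IP, so a single shared public IP can only ever be forwarded to one node and the FQDN inside the SIP traffic plays no part in that decision. The Python below is an added example and not code from the thread or from Sophos/3CX. It assumes a key="value" packet-filter log style loosely modelled on Sophos UTM's ulogd output (the exact field set on a real appliance may differ), and all public addresses, rule numbers and log lines are constructed; only the two internal 3cx addresses come from the thread.

```python
"""Model of how destination NAT picks the internal 3cx node for inbound SIP.

Added illustration (not from the forum thread or any vendor): parses
constructed UTM-style key="value" log lines and applies a DNAT rule table
that, like a real firewall, only looks at L3/L4 header fields.
"""
import re
from dataclasses import dataclass
from typing import Optional

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Internal nodes as stated in the thread (same subnet, behind the UTM).
PBX_ACTIVE = "192.168.44.98"   # 3cx 1
PBX_PASSIVE = "192.168.44.99"  # 3cx 2

# Public addresses are constructed (RFC 5737 documentation ranges).
EXT_IP_A = "203.0.113.10"      # the site's single external IP today
EXT_IP_B = "203.0.113.11"      # hypothetical second external IP for node 2
TRUNK_PROVIDER = "198.51.100.20"  # constructed SIP trunk source


@dataclass(frozen=True)
class DnatRule:
    ext_ip: str    # public address the packet is addressed to
    dst_port: int
    proto: int     # 17 = UDP
    target: str    # internal host the destination is rewritten to


def parse_log_line(line: str) -> dict:
    """Split a UTM-style key="value" log line into a dict (assumed format)."""
    return dict(KV_RE.findall(line))


def apply_dnat(rules, pkt: dict) -> Optional[str]:
    """Choose the internal target the way a DNAT rule does: by comparing
    dstip/dstport/proto only. The FQDN the phones register with sits inside
    the SIP payload and never reaches this decision."""
    for r in rules:
        if (pkt.get("dstip") == r.ext_ip
                and int(pkt.get("dstport", 0)) == r.dst_port
                and int(pkt.get("proto", 0)) == r.proto):
            return r.target
    return None


def inbound_sip(lines, rules, sip_port: int = 5060):
    """Live-log triage: (source, public dst, internal target) per inbound
    SIP packet; target None means no DNAT rule matched."""
    hits = []
    for line in lines:
        p = parse_log_line(line)
        if p.get("sub") != "packetfilter" or int(p.get("dstport", 0)) != sip_port:
            continue
        hits.append((p["srcip"], p["dstip"], apply_dnat(rules, p)))
    return hits


# Constructed log lines in the UTM packet-filter style (fields are assumed).
LOG_LINES = [
    '2020:01:10-09:15:02 utm ulogd[1234]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth1" '
    f'srcip="{TRUNK_PROVIDER}" dstip="{EXT_IP_A}" proto="17" srcport="5060" dstport="5060"',
    '2020:01:10-09:15:03 utm ulogd[1234]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth1" '
    f'srcip="{TRUNK_PROVIDER}" dstip="{EXT_IP_B}" proto="17" srcport="5060" dstport="5060"',
    '2020:01:10-09:15:04 utm ulogd[1234]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth1" '
    f'srcip="{TRUNK_PROVIDER}" dstip="{EXT_IP_A}" proto="6" srcport="44321" dstport="443"',
]

# Today's setup: one external IP, one DNAT rule, pinned to node 1.
SINGLE_IP_RULES = [DnatRule(EXT_IP_A, 5060, 17, PBX_ACTIVE)]

# The suggested setup: one external IP per node, one DNAT rule per IP.
TWO_IP_RULES = [
    DnatRule(EXT_IP_A, 5060, 17, PBX_ACTIVE),
    DnatRule(EXT_IP_B, 5060, 17, PBX_PASSIVE),
]


def passive_node_reachable(rules) -> bool:
    """True if any inbound SIP packet in the log can be delivered to node 2."""
    return any(t == PBX_PASSIVE for _, _, t in inbound_sip(LOG_LINES, rules))


if __name__ == "__main__":
    for label, rules in (("single IP", SINGLE_IP_RULES), ("two IPs", TWO_IP_RULES)):
        print(label, inbound_sip(LOG_LINES, rules),
              "passive reachable:", passive_node_reachable(rules))
```

With the single-IP rule table every SIP packet from the trunk lands on 192.168.44.98 whichever node is active, which is the symptom Ian describes; with one external IP per node and a DNAT rule per IP, the packet the provider sends to the second address reaches 192.168.44.99. The `proto`/`dstport` filter is also the quick sanity check to run on a real live log: if no inbound UDP/5060 packets from the trunk provider appear at all during failover, the problem is upstream of the firewall.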