If your clients have 3CX hosted in the cloud and IP phones connected on-site, then this article is a must-read for you. If you have more than 10 IP phones connecting to your 3CX in the cloud, 3CX recommends that you install a dedicated SBC (Session Border Controller) to manage and secure your VoIP traffic. Less than 10 IP phones, and you can save some money and buy a Router Phone that will operate as an SBC and IP phone, or use multiple router phones.


What is an SBC?

3CX defines an SBC (Session Border Controller) as, “A software service that installs in your local network to allow easy connection of IP Phones to a 3CX instance in the cloud or a remote on premise 3CX.”.


Why do we need an SBC?

To understand the role of the SBC, you need to have a good understanding of NAT (Network Address Translation).  Let’s take 3CX Hostel, a secure mecca for backpackers in Cyprus, and the local manager, Jeremiah Cole, as an example.

At 3CX Hostel, there are dozens of tenants.

Imagine that your friend Aubrey Graham is living at 3CX Hostel, and you were to send him a letter.

What information would you need?

  1. The address of 3CX Hostel (street, suburb, etc.).
  2. The name of the person you want it to send it to.

Let’s say you sent the letter but forgot to write Aubrey’s name on it, the manager would receive the letter, but not knowing who it was addressed to, immediately discard it.  This is analogous to networking where the post system is the internet, the address is the IP address of the router, and the manager does the routing (you can call him the router 😂).

Now, when you were setting up 3CX, you would have done something called Port Forwarding, which is basically where Aubrey would have told the manager, “Hey, if you see a letter come to the hostel with the name “Aubrey Graham” on it, please send it to room xxx”.

Jeremiah the manager would then go to his guestbook and write this down as a rule.  Thereby creating an entry in his ‘NAT table’ so he could look it up later.  Your router does NAT very similarly in that, “IF traffic comes through this port, PUSH packets to this phone server”. Thus, the NAT entry is created, and letters are routed correctly to Aubrey at 3CX Hostel.  This is a very basic explanation of how NAT works, which we will further in the next concept.

A good VoIP system relies on the manager, ie. the router, to have perfect information and an up-to-date NAT table. This is especially difficult when phones don’t have static IP addresses and can require complex routing to configure!


Why don’t the 3CX Apps need an SBC?

The 3CX mobile/desktop apps are proprietary software which have their own built-in tunnel to 3CX, so it is unnecessary to have an additional SBC.  You might ask, why don’t phones just come with this software installed straight out of the box?  Manufacturers generally are vendor agnostic, so having a piece of software linked directly to 3CX isn’t exactly a great business move.  With that being said, Yealink, Fanvil and Snom have worked closely with 3CX so that some of their IP phones are supported to run with Router Phone firmware which allows them to perform the same functionality as an SBC.


Enter the SBC

Unfortunately, managers like Jeremiah can be forgetful, and tend to overlook their guests very quickly.  Much like a NAT table, his guestbook gets lost, and NAT entries expire!

To keep the NAT entries current, the SBC overcomes NAT issues by sending packets directly to the 3CX server, outbound, to keep entries alive and bypass routing issues.

This has several benefits including:

  • Combining SIP and RTP packets from one location, thus streamlining the number of ports used and reducing common firewall and networking issues.
  • Encrypting VoIP traffic in a secure tunnel.
  • Better QoS.
  • No need for static IPs for each phone, and complex firewall rules.


Key Considerations

  • The SBC needs to be constantly running – the moment the SBC goes down, all your VoIP traffic goes down. This is a highly unlikely event.
  • There are additional costs for the SBC and assigning a static IP.
  • A newer option is also the router phone – specific models of IP phone with a firmware that includes the SBC.
  • STUN is not supported moving forward – an SBC is essential for a hosted 3CX PBX solution.


Is security that important in VoIP? Who hacks phone systems??

Security is imperative to an IP PBX solution.  Adam Finch was a victim of VoIP fraud, where two men managed to hack into his company’s PBX (PBX specifics are unknown). The hackers called a desk phone at a random office, but it was 7 pm and nobody picked up.  3CX users will know that calls like this usually are setup to go to voicemail…unless it hits a phone that allows you to check voicemail remotely.  Once the hacker got in, he began spamming 4-digit PIN combinations, until eventually he was able to gain access and change their permanent forwarding number.

BINGO.  The hacker then sets their forwarding number to their pay-per-minute line.  Virtually setting up an online ATM and collecting what the FBI estimated to be 20 million dollars in damages.  The Communications Fraud Control Association estimates PBX hacking to cost businesses upwards of 10 billion dollars a year.  Encrypting voice traffic with an SBC is a key step to ensuring secure communications.


How to setup a 3CX SBC

  1. You will want to head into your 3CX v20 Admin Console (this will be visible if you have an Administrator role set).
  2. Click “Voice & Chat” on the sidebar.
  3. “+ Add SBC”



Then you’ll just need to choose what type of machine you want to run the SBC on, and key in your provisioning URL and Auth ID that 3CX will provide in the next screen.





Don’t take our word for it

Familiarise yourself with the hardware requirements and have a go! We’ll be releasing a “How-To” video for setting up a Router Phone soon, so keep your eyes peeled. If you need advice reach out to us at uc@bluechipit.co.nz and we’ll be happy to walk through solutions and options that will work for your SBC requirements.