3CX SIP Trunk Authentication Types
Before talking about the precautions, let’s first understand the 3CX SIP trunk authentication type. SIP Trunks in 3CX can be configured with the following 4 types of Authentication:
- “Do not require – IP Based”: When this is set, 3CX does not authenticate with the SIP Trunk. Under circumstances however a challenge request may be sent. This may occur if 3CX does not understand which SIP Trunk an incoming INVITE must be associated with.
- “Incoming – Inbound Only”: This option is deprecated
- “Outgoing Outbound Only”: This option is deprecated
- “Register/Account based”: 3CX sends REGISTER messages using the credentials filled in by the user.
Precautions
First of all, we should pay attention to the problem of call source identification. If we use the registration method, 3CX phone system will use the parameter rinstance to identify the call source and match the incoming call for the SIP Trunk. This only applies to registration-based SIP trunks, since registration is not used for IP-based lines. This will use other parameters to match, for details, please refer to the document How 3CX handles incoming calls and call routing.
When we need to establish multiple SIP trunks with the same IP address, we need to pay attention to setting the call source identification at this time, otherwise all numbers will be taken over by the same SIP trunk, which will cause the inbound rules to fail to take effect. It is best to add the other party’s IP to the 3CX whitelist. For specific settings, please refer to the document How to Set the Incoming Parameters of SIP Trunks with Multiple Accounts (Same VoIP Provider).
On the other hand, it is a security issue. There will be another problem in the method without verification. We are using the IP-based method to connect to another PBX system. Because we need to dial each other between extensions, our DID uses the extension number. Our system was harassed by hackers, as shown in the figure below.
Through packet capture analysis, the hacker dialed the number ending in 000 to our 3CX system. Matched to the DID number in our SIP trunk, which resulted in nuisance calls being sent to our extension. So if we can use the registration method, don’t use the IP-based method. In addition, if it is only used in the intranet, then there is no need to open the relevant ports. If there is an IP-based external network SIP trunk, then allow the data of the SIP trunk’s IP to enter on the firewall.