It’s one thing to get a phone system set up, but it’s another to make sure that it is appropriately maintained long term – whether for internal use or for a customer.

Aatrox Communications works with customers and partners to help you make the right decisions with the initial deployment of your 3CX phone system to ensure it is reliable and maintainable moving forward.

We’ve worked with 3CX going way back to version 6 – and have learned a few things along the way. We’re often asked how and where to use a Session Border Controller, or SBC, so wanted to go into a bit more detail in this post.

To understand the purpose of the SBC, we need to look at how things work when there isn’t one, in which case a remote handset must be configured using STUN.

STUN Configuration

Nearly all offices will have a single connection to the internet, which is identified by a single public IP address (either static or dynamic). If the office has more than one device connecting to the internet (hint: most do!) a router is used to “route” traffic between the public internet and the local network.


From the local network side, the public internet is completely visible as the global IP address space (subject to any outbound firewall rules) – but from the public internet looking in, individual devices are not visible, only the single public IP address of the router.


Now, as the devices behind the router can’t be individually identified by IP address, another system needs to be used – and that is typically port forwarding. Each handset is assigned three unique port numbers (SIP and a local RTP audio range), which are configured in the router to point to that specific handset’s local IP address.


STUN server options

When you make an outbound phone call, your handset can contact the 3CX server because it can see it directly via the server’s public IP address.

When you receive a call, the 3CX server applies the appropriate inbound routing rules and ends up with an extension or group of extensions that need to ring. It contacts them over their individual SIP ports, which are routed to the handsets individual IP addresses.

If the phone is answered the same process is followed for the voice channels themselves.


All of that sounds pretty complicated.


Port forwarding is a manual task and IP addresses can change and wreak havoc. Further to that, many corporate networks and IP addresses have restrictions in place on opening and forwarding ports.


So, what’s the alternative?


As you might have guessed, that’s where the session border controller comes in handy!

What is a session border controller (SBC)?

The SBC role is a lightweight Microsoft Windows program that dials a tunnel from the PC where it’s installed, to the remote 3CX server.

(Image from 3CX)
Think of it as a site-to-site VPN, which only transfers voice traffic from the SBC Windows machine to the 3CX Cloud Instance. Like a VPN, it also encrypts your voice traffic as it is transferred from onsite to the 3CX Cloud Instance.


The session border controller does this by dialing a tunnel on port 5090 (the default tunnel port can be changed if needed) to the remote 3CX server. Because it is installed on the local network, it can address all the phones directly (i.e. without NAT or port forwarding) and can use that to perform ongoing discovery of any phones on the network. Once discovered, they can be assigned to extensions and provisioned from the 3CX Cloud Instance’s Management Console.


The SBC overcomes the majority of firewall, NAT, and ISP restrictions that block standard VoIP traffic.


The only port which needs to be open is the tunnel port which forwards to the 3CX Cloud Instance.

We strongly recommended that you set up a monitoring agent (any number of tools perform this role adequately) to watch the SBC service on the Windows machine to make sure that it is still running, because if it stops… so will the devices relying on it.


The SBC has further advantages over STUN when you start using advanced features such as CTI Mode on the softphone.

It is much easier to deploy a SBC than configure additional port forwarding for each and every phone configured using STUN.

Read about a deployment we carried out where a cloud based phone system was set up with unsupported phones.


Deploying 3CX on the right infrastructure and connecting the phones in the right method can make the difference between having a maintainable solution and not.


Aatrox Communications is here to assist in advising and deploying solutions for customers and partners. Don’t hesitate to get in touch.