Sophos XG Firewall: Audio and video calls are dropping or only work one way when H.323 helper module is loaded. KB-000036972, 08 7, 2019.

The Sophos XG Firewall Device's clock can be synchronized with global Time Servers so that the time shown in logs and reports is precise and internal activities can be accurately timed. Synchronizing the internal clock of the Sophos XG Firewall Device with NTP Servers can be done in two ways: using the Web Admin Console (after deployment).
My personal advice is: stay away.
The product is not bad, but it has tons of limitations. We are paying clients and every time we try to update the system we get a license error. Their customer service team (God, call that a team) are rude and will not help. They will ask you to pay 75 EUR (on top of whatever you paid) so that an agent who knows as much about 3CX as my cat will log in. Then they will tell you to uninstall everything and reinstall. Great support.
What are the pros?
The pros are that it runs on Windows. Nothing else; it's Asterisk behind.
What are the cons?
The cons are the company itself. They don't care about customer service; they don't even care about their legal obligations. We just started switching back to FreePBX.
Getting Sophos to pass the 3CX firewall test was a challenge; here's a step-by-step to get it working.
6 Steps total
Step 1: Disable SIP Alg in the XG
This is the first thing 3CX Support is going to ask about. I will not rewrite the essay on this; the instructions are in this Sophos KB:
https://community.sophos.com/kb/en-us/123523
Step 2: Create an IP Host to point to 3CX server
System -> Hosts and Services -> IP Host.
Name it, insert the 3CX server's IP address, and Save.
Step 3: Create the port forward list
From System -> Hosts and Services -> Services, create a new service and add the following port forwards:
TCP Source 1:65535 Destination 5060
UDP Source 1:65535 Destination 5060
TCP Source 1:65535 Destination 5090
UDP Source 1:65535 Destination 5090
UDP Source 1:65535 Destination 9000:10999
Step 4: Create a Business Application Rule
From Protect -> Firewall -> Add Firewall Rule -> Business Application Rule.
I stuck this one at the top of the food chain because I did not want it running into a block rule.
A couple of notes: I wanted to geofence as much as possible to limit attack vectors, but how tight you can make it depends on where your 3CX STUN servers are. I was a bit surprised that, for my part of the US, running nslookup on the 3CX STUN servers gave me Montreal and France.
The thing that had me scratching my head originally is the Destination. This is NOT the server you are forwarding to; it is the XG's WAN port with your public IP. Attach the Service created in Step 3.
Step 5: Finish the firewall rule
The rule wouldn't fit in a single screenshot, but the hard part was already done. Specify the IP Host created in Step 2 as the Protected Server in the LAN zone, rewrite the source address, choose whether you want to log the traffic or not, and save the rule.
Go back to your 3CX Server and test.
Step 6: Things that will make it bomb out
Do NOT specify the destination as your 3CX server (the knot in my forehead is still going down). It's the XG's WAN port (#2 in a default config).
I suggest NOT geofencing until you get a successful firewall test. I started out by just trying to get 5060 to come through with client network Any, built the other rules up, and then, once it was all working, tried to tighten to United States ... that bombed miserably. I ran nslookup and found the STUN servers for my area resolved to Montreal and France. I'd imagine you would need to allow any country where you have a presence or reps travelling there, but that's outside the scope of this HOWTO.
The last UDP entry in the service set up in Step 3 covers the media ports for a default installation (9000-10999). I don't know how huge your phone system would need to be to need more ports, but if the firewall check gets to 11000 and starts failing, that's the one to change.
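As an added sanity check (not part of the original HOWTO, and not a Sophos or 3CX tool), the following Python models the Step 3 service and the business application rule as plain dicts and flags the Step 6 mistakes: a destination set to the 3CX server instead of the XG WAN address, signalling ports missing from the service, and a media range that stops short of 10999. The dict field names and the IP addresses are constructed assumptions, not the XG's export format.

```python
"""Sanity-check a Sophos XG rule and service set against the 3CX firewall test.
Added example, not from the HOWTO, Sophos or 3CX; dict field names and the
sample addresses are constructed assumptions, not the XG's export format."""

# Signalling ports the 3CX firewall test exercises (Step 3 of the HOWTO).
REQUIRED = {("tcp", 5060), ("udp", 5060), ("tcp", 5090), ("udp", 5090)}
MEDIA_LO, MEDIA_HI = 9000, 10999  # default 3CX media ports (Step 6)

def parse_range(spec):
    """Turn '9000:10999' or '5060' into an inclusive (lo, hi) tuple."""
    lo, _, hi = str(spec).partition(":")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return lo, hi

def covers(service, proto, port):
    """True if some entry of the service forwards proto/port."""
    return any(e["proto"] == proto and
               parse_range(e["dst"])[0] <= port <= parse_range(e["dst"])[1]
               for e in service)

def first_uncovered_media_port(service):
    """UDP port at which the test's media sweep would start failing."""
    port = MEDIA_LO
    while port <= 65535 and covers(service, "udp", port):
        port += 1
    return port

def check_rule(rule, wan_ip, pbx_ip):
    """Return findings; an empty list means the rule matches the HOWTO."""
    findings = []
    if rule["destination"] == pbx_ip:  # the Step 6 gotcha
        findings.append("destination is the 3CX server; use the XG WAN IP")
    elif rule["destination"] != wan_ip:
        findings.append(f"destination {rule['destination']} is not the WAN IP")
    findings += [f"{p}/{n} not forwarded" for p, n in sorted(REQUIRED)
                 if not covers(rule["service"], p, n)]
    if first_uncovered_media_port(rule["service"]) <= MEDIA_HI:
        findings.append(f"media range {MEDIA_LO}-{MEDIA_HI} not fully forwarded")
    return findings

# Constructed sample: the Step 3 service and a rule with the Step 6 mistake.
SERVICE = [{"proto": p, "src": "1:65535", "dst": d} for p, d in
           [("tcp", "5060"), ("udp", "5060"), ("tcp", "5090"), ("udp", "5090"),
            ("udp", "9000:10999")]]
WAN_IP, PBX_IP = "203.0.113.10", "192.168.1.20"  # constructed addresses
BAD_RULE = {"destination": PBX_IP, "service": SERVICE}
GOOD_RULE = {**BAD_RULE, "destination": WAN_IP}
```

`check_rule(BAD_RULE, WAN_IP, PBX_IP)` reports only the destination mistake, `check_rule(GOOD_RULE, ...)` returns an empty list, and `first_uncovered_media_port(SERVICE)` returns 11000, the port at which the HOWTO says the check starts failing on a default install.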
I hope this saves someone else the frustration I felt getting this going: zero documentation on one side plus confusing documentation on the other made this more painful than it should have been. Once I figure out how to think in Sophos, things will go a lot easier.