Reference11r1:Concept Using PBX services from public internet

From innovaphone wiki
Jump to navigation Jump to search

Applies To

This information applies to

  • all innovaphone devices from V11


This article illustrates the requirements for using the following services of the innovaphone PBX from the public internet without VPN:

  • Phone registration and telephony
  • myPBX web application including WebRTC softwarephone
  • myPBX call list from the innovaphone Reporting (optional)

In the following the term phone means hardware phone, softwarephone or myPBX for Android.


Port forwardings

In order to make the PBX services available from public internet, the following port forwardings may be used on the NAT router. Pbx services nat mappings.png

TCP/1300 on the PBX
This port is used by phones to register using H323/TLS. The public port must be TCP/1300 as well.
TCP/1720 on the PBX
This port is used by phones to register using H323/TCP (no TLS encryption, not recommended). The public port must be TCP/1720 as well.
TCP/443 on the PBX
This port is used by the myPBX web application and the WebRTC softwarephone to communicate with the PBX. Assign any free public port.
TCP/443 on the innovaphone Reporting (optional)
This port is used by the myPBX web application to get the call list from the innovaphone Reporting. Assign any free public port.

Please mind that forwarding the HTTPS ports of the PBX and the innovaphone Reporting also exposes the adminstration interface.

NAT type

To support any-to-any communication, all of the routers must support full-cone or restricted NAT. If this is an issue, media-relay can be enabled for all remote clients in the SB object (note though that this does not help for remote WebRTC endpoints).

If none of the involved routers support full cone NAT, it might still work. Full-cone, restricted- and port-restricted will work in any combination. However, if one end does symmetric NAT it will work only if the other side does full-cone or restricted NAT.

Detecting the NAT style

To find out what type of NAT router is installed, you can use the following stun-client:

You can then start the client by commandline, e.g:


The output can be interpreted like this:

Independent Mapping, Independent Filter = Fullcone NAT
Independent Mapping, Address Dependent Filter = Restricted Cone NAT
Independent Mapping, Port Dependent Filter = Port-Restricted Cone NAT
Dependent Mapping = Symmetric NAT


VoIP endpoints (e.g. phones and interfaces) need a STUN server in order to do NAT traversal using ICE. Therefore make sure that a STUN server is configured on all phones and gateways.

  • If your installation uses an innovaphone box as the only NAT router, you can use the box as the STUN server. Enable STUN and configure the public address or the DNS name of the box as the STUN server on all devices.
  • Otherwise configure a STUN server that is located in the public internet on all devices.


Please make sure the following conditions are given:

  • The phone certificates contain the device ID that is used for registration
  • The PBX trusts certificates of the phones (or the issuing certification authority)
  • The web browsers trust the certificate of the PBX
  • The web browsers trust the certificate of the innovaphone Reporting (optional)


The use of DNS names for PBX, Reporting and STUN servers is optional. It can facilitate the management of the installation. But this means that DNS must be available on all the endpoints.

See also