Registration / Authentication

Authentication Types

SIP Trunks in 3CX can be configured with the following 4 types of Authentication:

  • “Do not require - IP Based”: When this is set, 3CX does not authenticate with the SIP Trunk. Under circumstances however a challenge request may be sent. This may occur if 3CX does not understand which SIP Trunk an incoming INVITE must be associated with. This is explained in detail in Inbound Calls.
  • “Incoming - Inbound Only”: This option is deprecated
  • “Outgoing Outbound Only”: This option is deprecated
  • “Register/Account based”: 3CX sends REGISTER messages using the credentials filled in by the user.

Authentication ID and Password

“Registration-based” providers require an Authentication ID and Password to register and/or make outbound calls, as set in the SIP Trunk settings >  “General” tab.

Depending on the Authentication Type you have set, 3CX initially tries to send the REGISTER/INVITE SIP message without any authentication. If the provider responds with a challenge request (e.g. “407 Proxy Authentication Required” or “401 Unauthorized”), then 3CX resends the SIP message with the appropriate SIP Authentication header.

Below is a sample REGISTER SIP message 3CX sends after a challenge request:

REGISTER sip:sip.contoso.com:5060 SIP/2.0

Via: SIP/2.0/UDP 192.168.0.1:5060;branch=z9hG4bK-524287-1---b92cf21ee818d333;rport

Max-Forwards: 70

Contact: <sip:auth_ID@2.2.2.2:5060;rinstance=b7178663ec96c137>

To: <sip:auth_ID@sip.contoso.com:5060>

From: <sip:auth_ID@sip.contoso.com:5060>;tag=ef631140

Call-ID: lBmRktHzOhfKC8sO9Ga_hw..

CSeq: 2 REGISTER

Expires: 600

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REGISTER, SUBSCRIBE, NOTIFY, REFER, INFO, MESSAGE, UPDATE

Proxy-Authorization: Digest username="auth_ID",realm="sip.contoso.com",nonce="946ea41ffa27927a3dbbb790197a505e",uri="sip:sip.contoso.com:5060",response="bbabc3175bbfcfba7b6c923163a39347",algorithm=MD5

Supported: replaces, timer

User-Agent: 3CXPhoneSystem

Content-Length: 0

The Authentication ID used in the 3CX SIP Trunk settings is sent in the “Contact : User Part”, “To : User Part”, “From : User Part” and “Proxy-Authorization” headers. The Authentication Password is also sent in the “Proxy-Authorization” header, but is encrypted using the nonce value.

3-Way Authentication

3CX also supports 3-way authentication.

When this is enabled, the information 3CX sends after a challenge request is slightly different, as shown below in a sample REGISTER SIP message:

REGISTER sip:sip.contoso.com:5060 SIP/2.0

Via: SIP/2.0/UDP 192.168.0.1:5060;branch=z9hG4bK-524287-1---b92cf21ee818d333;rport

Max-Forwards: 70

Contact: <sip:auth_ID@2.2.2.2:5060;rinstance=b7178663ec96c137>

To: <sip:auth_ID@sip.contoso.com:5060>

From: <sip:auth_ID@sip.contoso.com:5060>;tag=ef631140

Call-ID: lBmRktHzOhfKC8sO9Ga_hw..

CSeq: 2 REGISTER

Expires: 600

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REGISTER, SUBSCRIBE, NOTIFY, REFER, INFO, MESSAGE, UPDATE

Proxy-Authorization: Digest username="3way_auth",realm="sip.contoso.com",nonce="946ea41ffa27927a3dbbb790197a505e",uri="sip:sip.contoso.com:5060",response="bbabc3175bbfcfba7b6c923163a39347",algorithm=MD5

Supported: replaces, timer

User-Agent: 3CXPhoneSystem

Content-Length: 0

The 3 Way Authentication Password value is used as the “username” value in the “Proxy Authorization” header. All other information is passed the same as without 3 Way Authentication enabled.

REGISTER SIP Message Structure

This section describes how the REGISTER message is structured and where each value is taken from in the SIP Trunk settings.

REGISTER sip:sip.contoso.com:5060 SIP/2.0

Via: SIP/2.0/UDP 192.168.0.1:5060;branch=z9hG4bK-524287-1---b92cf21ee818d333;rport

Max-Forwards: 70

Contact: <sip:auth_ID@2.2.2.2:5060;rinstance=b7178663ec96c137>

To: <sip:auth_ID@sip.contoso.com:5060>

From: <sip:auth_ID@sip.contoso.com:5060>;tag=ef631140

Call-ID: lBmRktHzOhfKC8sO9Ga_hw..

CSeq: 2 REGISTER

Expires: 600

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REGISTER, SUBSCRIBE, NOTIFY, REFER, INFO, MESSAGE, UPDATE

Supported: replaces, timer

User-Agent: 3CXPhoneSystem

Content-Length: 0

  • “Request Line URI (RURI)”: The RURI is the value set in the “Registrar” field of the SIP Trunk settings.

  • “Via header”: By default, the “Via” header includes the IP Address of the NIC from which the SIP message is sent and the Local SIP Port of 3CX. This can either be a Local LAN IP or a Public IP, depending on the installation.
    To override     the default behavior, in the SIP Trunk settings > “Options” tab, check the option ”Put Public IP in SIP VIA Header” and set the IP address to use.

  • “Contact header”: By default, the Host Part of the “Contact” header includes the 3CX Public IP and Local SIP Port.
    In cases where the 3CX Server has multiple NICs or is on a network with multiple Internet Gateways, the SIP Trunk traffic may have to be sent and received through a specific Gateway.
    In this scenario, the Public IP sent by 3CX for specific SIP Trunk providers may have to be different from the default. To override sending the default Public IP in the “Contact” header,    select the option “Use this IP Address” in  SIP Trunk settings > “Options” tab > “Select which IP to use in ‘Contact’ and ‘Connection’ fields” and set the IP to  use. The same IP is used in the SDP of INVITE messages as well.
  • “rinstance” : When 3CX sends a REGISTER message, in the “Contact” header it also sends an “rinstance” parameter with a unique value. Even though optional, the expected behavior is that the Provider includes this same parameter and value in the “Contact” 200 OK response. The “rinstance” parameter use is explained further in Inbound Calls.
  • “transport=TCP”: 3CX will include this parameter automatically in the “Contact” header when TCP Transport Protocol is used. For more info see the DNS Resolution section.
  • “To” header”: The Host Part includes the “Registrar” value set in the 3CX SIP Trunk settings.
  • “From” header”: The Host Part includes the “Registrar” value set in the 3CX SIP Trunk settings.

  • “Expires” header”: The “Expires” header is the interval at which 3CX refreshes the registration. The SIP Trunk provider must confirm this in the 200 OK response by either matching this value, or overriding it. The value sent by the provider in the response, is the interval 3CX uses to re-register, minus 10%. The “Expires” value 3CX sends can be configured in the “Re-Register Timeout” field   in SIP Trunk settings > “Options” tab.

Last Updated

This document was last updated on 25 July 2024

https://www.3cx.com/docs/sip-trunk-registration-authentication/