First of all you should setup a 'Registered SIP trunk' on your Hero account before configuring your 3CX system. Click the link below for a detailed look at how to setup a registered SIP trunk in the Hero portal:
Setup your Registered SIP Trunk in the Hero Portal
First Login to the Hero Customer Portal click on the Voice tab and then select the 'Profiles' option in the left side menu. Then select the Connection Type as 'Registered SIP Trunk'. Choose the phone number you want to use as your 'pilot number'. This is typically the 'main' number on your account and will be the number you use to register with to Hero:
Press Save 'Default' Profile. Now ALL other numbers on your account will behave like DDI numbers and will be automatically routed to your 3CX trunk via the pilot number registration which we will setup next. Any new numbers added to the account will automatically route to 3CX as well.
Add a new SIP Trunk to 3CX
- Login as an administrator to your 3CX account and then select 'SIP trunks' from the left menu:
- Click 'Add SIP Trunk' in the SIP Trunks page:
- Click on Select Country and type the word 'Generic' and select the 'Generic' option:
- Select the option 'Generic SIP Trunk' and then enter the main 'pilot' phone number from your Hero account to be the 'Main Trunk No'
- In the General tab enter the 'Registrar/Server/Gateway' host to be 'phone.hero.co.nz' (or if you are a wholesale partner please enter your own white label proxy hostname here). You should set the 'Outbound Proxy' to be this host name too.
- Enter the number of simultaneous calls to be that allowed on your trunk
- Under the authentication settings enter:
- Type of Authentication: Register/Account based
- Authentication ID: <your-phone-number> (e.g. 092420001) - this will be the same as the main trunk number you entered above.
- Authentication Password: <your-password> - this will be your Hero account password or the password on your main trunk number if this is different.
- You should now route the number to the extension of your choosing. How you setup your own 3CX routing is beyond the scope of this document as this is different for every user but an example is shown below routing the call to 'extension 70'
- In the DDI tab you should see your main trunk number already listed. You can add more DDI's from your Hero account in this page if you have other numbers that are routing to your trunk.
- In the Caller ID page you can configure the Caller ID to be your main number or whatever is your preference. You can use this page to create other 'rules' for outgoing and incoming caller ID presentation
- Under the option tab make sure that you allow inbound and outbound calls and disable video calls if these are not required. You can also tick the Supports Re-Invite box if required. The other settings should be fine as the defaults. If you wish to use TLS (encryption) as your Transport then you will first need to upload our certificates to 3CX. Please contact our team if you need this.
- Under the Options tab we recommend changing the Codec Priority so that G.722 is listed first followed by G.711 A-law and then G729.
- If you wish to pass through the original Caller ID for forwarded/diverted calls from 3CX then you will need to go into the Outbound Parameters and change the P-Asserted-Identity User Part field to be the 'OriginatorCallerID' Original Caller number option.
- Finally press the OK button to save and add the trunk and then wait for a few seconds and refresh the SIP trunks page and the trunk should come online with a green icon beside it meaning that the trunk is registered and you are setup and ready to go!
Adding Hero network addresses to your 'Whitelist'
It is recommended that you 'white-list' the Hero subnet 220.127.116.11/24 to avoid 3CX black-listing our trunks for some reason. We have had cases were 3CX has inexplicably added our SIP trunk to the blacklist which has caused the trunk to go offline. By whitelisting our IP addresses this should not ever happen
- On the left menu in 3CX select the 'Security' menu and click on 'IP Blacklist'
- We recommend adding our full /24 subnet to the white list - although you can choose to just whitelist our trunk IP address if you prefer - but by adding our subnet you are 'future-proofing' any future changes to our IP addressing for trunks.
- Select 'Add a range of IP Addresses' and then in the Network address field type '18.104.22.168' and then select '/24' in the subnet mask option. This should then display the IP address range as '22.214.171.124 - 126.96.36.199'
- Then ensure you select the Action as 'Allow' and then type some description (e.g. Trusted SIP Trunk Provider IP Range)
- Ensure that the Expiration date is a long way out in the future (e.g. 2040) and then press 'OK' to save your white list settings.
- If the white list entry was saved correctly then you should see something like below in the IP Blacklist page. Again ensure you select 'Allow' and not 'Block'
How to setup TLS as your SIP transport
3CX can also encrypt your SIP traffic by using TLS as the SIP transport type. This means that your SIP traffic will be encrypted on your SIP trunk. Below are the instructions on how to set this up in 3CX.
- Login to your 3CX server and click on your Hero trunk in the SIP trunks page and then click on the Options tab. Towards the bottom of this page you will see 'Transport Protocol' as an option.
- Select TLS as the Protocol type. This will then bring up a TLS Root Certificate upload option.
- Now download the Hero certificates from the following URL and save this to your computer:
If you are a wholesale partner customer then you will need to use the 'securevoip.nz' certificate instead which is at the following link. You will also need to change your registrar and outbound proxy host settings to be 'securevoip.nz' as well so they match our white label certificate.
- Now upload the saved certificate (PEM) file using the 'Upload' button and then press 'OK' at the top of the page to save your settings
- All being well you should now see the SIP trunk come up with a green 'online' icon in the main SIP Trunks page. It can take several seconds for the trunk to come back online. If you want to confirm that the trunk is using TLS then you can login to the Hero Web Portal and click on the number you are registering with on 3CX and it should show the words 'transport=TLS' in the full contact details for your number. For example:
- If you have problems connecting via TLS please ensure that you have set your Registrar and Outbound Proxy settings to 'Auto Discovery'. If you have set the ports manually then ensure you change the SIP port to TCP port 5061 in your settings for the trunk (and not the default UDP port 5060)
If you require further assistance with your 3CX configuration then please contact 3CX directly or your PBX reseller and they can assist you with the setup of the PBX and extensions etc.
Please contact our team if you require any further assistance.