3CX NZ Setup Guide & Tutorial

3CX Setup Guide for UFONE (Supported by 3CX) in New Zealand
Firstly, make sure that the computer/server power scheme is on 'High performance' -- this ensures that the computer operates at maximum performance and it will not goes into sleep mode after 30 minutes (Windows default).
  1. Computer Name format is CompanyName-3CX
  2. Assign IP and make sure that the server is configured for the client’s network (3CX Server IP is NOT designed to be changed after installation) — Add client’s IP as secondary IP if needed!!
  3. Go to https://www.3cx.com/phone-system/download-links/ — and download the latest 3CX Server
  4. After installation done, you will be asked whether you want to continue using web browser (press 1) or CLI (press 2)
  5. Windows Firewall popup might also occur and in that case; tick all network to make sure 3CX is allowed to connect to all the networks.
  6. 3CX Management Console credentials, setup the username (e.g. 3cxadmin) and you can also use the same password with Windows’.
  7. Public IP Address, open up https://www.whatismyip.com/
  8. Configuring FQDN: Select ‘I need a 3CX FQDN.’ — Enter Client’s Name as Subdomain and, Select a 3CX Domain: Select New Zealand (*.3cx.co.nz)
  9. Select Local IP and make sure to choose the client’s IP again here.
  10. ===WAIT=== it might take some time during the ‘Creating FQDN and certificates…’ process, that is perfectly normal.
  11. Set HTTPS port to 443 and HTTP port to 80 if those ports are not currently in use.
  12. Login to 3CX Management Console for the first time, the best practice is to use: ‘3 Digits (000-999)’ — be aware, this cannot be changed later!!
  13. 3CX Phone System Admin Email: your@admin-email.add
  14. Use mail server (necessary, I’d personally recommend using SendGrid):
    » Mail Server IP or FQDN: smtp.sendgrid.net
    » Reply To Address: 3cx@intra.saputra.local
    » Email: companysmtp (e.g. saputrasmtp)
    » Password: companysmtp’s sendgrid password
    » Enable SSL/TLS: ticked
    » Perform ‘TEST’ and make sure you get this message: ‘Mail sent’ in green colour.
  15. Select Country: New Zealand, Set the Time Zone: +12:00 New Zealand (Wellington, Auckland)
  16. Select Language: UK English Prompts Set (or select Aussie/NZ Prompts Set if available)
  17. Registration Details:
    License Key: (leave it alone)
    Contact Name: Systems Administrator
    Company Name: (e.g. Saputra Enterprises Ltd.)
    Email: use@real-email.here
    Phone: +64-9-xxxxxxx
    Country: New Zealand
  18. If there are any updates available (it will be indicated by red bubble on the Updates link)
  19. Go to Updates Page, tick ‘Automatic updates’, select ‘Weekly 0:00 every Sunday’ — DO NOT tick the 3CX PBX updates (this will make sure all clients/templates are updated while leaving the PBX system untouched to avoid undesirable unknown update effect)
  20. Add SIP Trunk / VoIP Provider:
    Country: NZ
    Provider: UFONE
    Main Trunk Number is the Main Phone Number, e.g. ‘649xxxxxxx’ — FORMAT MUST BE LIKE THIS, OTHERWISE WILL NOT WORK!!
  21. Trunk Details:
    Enter name for Trunk: leave it UFONE
    Registrar/Server/Gateway Hostname or IP: see credentials, e.g. ‘xxxxxx.sip.ufone.co.nz’
    SIM Cals: depending on the UFONE contracts, e.g. 2
    Authentication ID: see sip username
    Authentication Password: see sip password
  22. CREATE INBOUND RULES, put ‘UFONE’ as Inbound rule name just click OK to create (might need to repeat depending on how many numbers they have)
    1. Emergency 111:
      » Calls to numbers starting with prefix: 111
      » Calls to Numbers with a length of: 3
      » Route 1: ‘UFONE’ / Strip Digits ‘0’ / Prepend ”
      » Route 2: ‘UFONE’ / Strip Digits ‘0’ / Prepend ’64’
      » Route 3: ‘BLOCK CALLS’ / Strip Digits ‘0’
    2. International:
      » Calls to numbers starting with prefix: 00
      » Route 1: ‘UFONE’ / Strip Digits ‘2’ / Prepend ‘+’
      » Route 2: ‘UFONE’ / Strip Digits ‘0’ / Prepend ”
      » Route 3: ‘BLOCK CALLS’ / Strip Digits ‘1’
    3. National + Mobile + Tollfree:
      » Calls to numbers starting with prefix: 0
      » Route 1: ‘UFONE’ / Strip Digits ‘1’ / Prepend ’64’
      » Route 2: ‘BLOCK CALLS’ / Strip Digits ‘1’
    4. Local 09:
      » Calls to Numbers with a length of: 7
      » Route 1: ‘UFONE’ / Strip Digits ‘0’ / Prepend ‘649’
      » Route 2: ‘BLOCK CALLS’ / Strip Digits ‘1’
    5. Catch All:
      » Route 1: ‘UFONE’ / Strip Digits ‘0’ / Prepend ”
      » Route 2: ‘BLOCK CALLS’ / Strip Digits ‘1’
  24. Go to Windows DHCP server, on IPv4 -» Scope [LAN_IP] [Domain] -» right click on Scope Options -» select Configure Options -» and tick option 66 (Boot Server Host Name), add provisioning http URL from 3CX (e.g. ‘’)
  25. Back to 3CX Management Console, click Phones -» Add Phone -» Choose Extension (e.g. 303) -» Choose from available models (e.g. GXP-1628) and add the mac address of the phone (e.g. ‘000b82a347ab’) -» click OK and OK again to close the extension window.
  26. Go to that phone’s web interface using IP address, enter on browser (e.g. login using admin:admin and reboot the phone so that it will be provisioned on the next boot.
  27. Setup port forwarding on the router/firewall to the 3CX server IP address for the ports specified below:
    » Default SIP port is 5060 UDP and TCP;
    » Default RTP ports are 9000-9500 UDP only (please also open these ports in Firewall, and it will not make our network vulnerable as the RTP ports are on-demand, so 3CX will only open when it’s required)
    » Default Tunnel port is 5090 UDP and TCP;
    » Default https port 5001 or can also 443 TCP.

Another phone provisioning method:

» Configuring the provisioning server via the Grandstream GXP series web interface

Step 1: Configure the phone in 3CX

  1. Log in to your 3CX Management Console ⇒ Phones ⇒ press “Add Phone.”

  1. Pick an extension from the list to which the IP phone shall be assigned.

  1. Select the model and enter the MAC address of the device which can be found on the back of the device itself.

  1. Optional set the “Phone Display Language” and “Timezone” for the device.

  1. Take a copy of the “Provisioning Link” which needs to be entered into the Grandstream GXP in step 2.

Step 2: Enter the Information into the Web Interface of the device

  1. Open the Web Interface of the Grandstream phone and login (default password is admin).
  2. Navigate to “Maintenance” ⇒ “Upgrade and Provisioning.”
  3. Set the “Upgrade via” to HTTP.
  4. In “Configuration Server Path” and “Firmware Server Path” enter the provisioning link taken from step 1 and paste in without http://”
    (example: pbx.mybusiness.local/provisioning/pc56bscs195k)
  5. Press “Save and Apply” and “Reboot” which can be found in the top right corner of the Grandstream web interface.

Grandstream GXP1628/GXP2140/GXP2160 attended transfer fix:

Go to Phone UI -» Settings -» Call Features -» » Auto-Attended Transfer (by default: No) — set to “Yes”, and the phone will use attended transfer by default.

3CX Notes & Best Practices

I attended 3CX training on 6-7 March 2017 at the Grand Millennium Hotel, Auckland CBD. Here are my notes and tips for 3CX best practices, please feel free to add by posting a comment down below.

  • As of March 2017, Sonicwall Firewall requires a hotfix to be able to work properly with 3CX.
  • SIP port is used just for signaling, RTP ports used for audio and videos.
  • If 3CX is not on 5060, there will be NO PnP Provisioning.
  • STUN tells source IP of the 3CX.
  • Main trunk number = phone number.
  • Full cone NAT (i.e. static NAT) is required:
    » A full cone NAT (also known as a one to one NAT) is the only type of NAT where the port is permanently open and allows inbound connections from any external host. A full cone NAT maps a public IP address and port to a LAN IP and port. Any external host can send data to the LAN IP through the mapped NAT IP and port. If it tries to send data through a different port, it will fail. This type of NAT is also known as port forwarding. This NAT type is the least restrictive type of NAT; the only requirement is that the connection comes in on a particular port (the one you opened).
    Example –  A server has a website running on port 80. We create a one-to-one rule that maps the router WAN IP of to with port 80 to port 80. Any external host that sends data to on port 80 is NAT-ed (and sent) to port 80.
    Note: The port numbers do not have to be the same; We could run my website on port 8080 but create the NAT mapping to forward port 80 to port 8080. This port gives the appearance to the public Internet that my website is on port 80. A connection attempt on any other port is dropped.
  • Disable SIP ALG (Application Layer Gateway) at Router / Firewall (MUST DO, ELSE WILL CREATE ISSUES WITH 3CX!!)
  • » Default SIP port is 5060 UDP and TCP;
    » Default RTP ports are 9000-9500 UDP only (please also open these ports in Firewall, and it will not make our network vulnerable as the RTP ports are on-demand, so 3CX will only open when it’s required)
    » Default Tunnel port is 5090 UDP and TCP;
    » Default https port 5001 or can also 443 TCP.
  • 3CX version 15 requires .NET 4.6.1 — older .NET will cause unexpected behaviours.
  • Please run 3CX on a dedicated instance when possible, NEVER run these service along with 3CX:
    » Microsoft Exchange;
    » Microsoft SQL Server;
    » DNS Server;
    » VPN Server.
  • When there are around 50 simultaneous users, the best practice would be to run 3CX on a Server OS and not a Desktop OS, as Server OS handles network traffic better than a Desktop OS.
  • When configuring outbound dialling, replace + with 00.
  • Setup exclusion on 3CX Program Files and Program Data folders on Anti-Virus & Windows Firewall.
  • Disable any other NIC such as WAN Miniport, Wi-Fi, Bluetooth, etc.
  • Only >Pro version has the failover feature.
  • Do NOT change LAN IP of the 3CX server once setup finished — if setting up for a client on office, setup 3CX with their network configuration.
  • Create A record for the 3CX FQDN.
  • Turn on scheduled nightly backup plan.
  • Keep OS and 3CX on latest update as possible.
  • Uninstalling / Migration: Always copy backup folder before uninstalling 3CX server as the default backup folder will be deleted after the uninstall process finished.
    e.g. C:\ProgramData\3CX\Instance1\Data\Backups
  • Uninstalling: Release the IP from the 3CX Customer Portal: https://customer.3cx.com/
  • Maintenance: Always reboot Windows when there’s a chance so that 3CX can do its housekeeping.
  • SIP Fork is when more than one device on the same extension (e.g. already have IP Phone, installing 3CX client on computer)
  • Plan and add emergency numbers, ensure they are on the top of rules, avoid using extensions that being used by country’s emergency number, e.g. 111 (NZ emergency number) or 911 (US emergency number)
  • It is possible to set up sync between Office 365 & Google contacts and 3CX using the 3CX client.

Enable Verbose Service Startup/Shutdown Messages on Windows

Open up regedit.exe and head to the following key, creating it if the key path isn’t there:


Once you are there, create a new 32-bit DWORD on the right-hand side named VerboseStatus, giving it a value of 1.

Now when you start up or shut down, you’ll see more verbose messages telling you what is taking so long.

I have created lazy way to do it, just copy the code below:

Windows Registry Editor Version 5.00


Save as .reg file and run as administrator as we need to edit the HKLM.

I have tested this on Windows 7 SP 1, Windows 8, Windows 8.1 and Windows 10 version 1607 (Anniversary Update)

Andy & Thirza Wedding Beautiful Moments of Love


This is our story on how we know each other during the Long Distance Relationship and how we met for the very first time.

Official YouTube Link: Andy & Thirza Wedding Beautiful Moments of Love

Andy & Thirza Wedding Morning Express SDE


This is our wedding morning express show, thanks to Royal Cinema & Royal Photography for the same day edit. This video was broadcasted live during our wedding party.

Official YouTube Link: Andy & Thirza Wedding Morning Express SDE

Bare Metal Recovery with LOGICnow MAX Backup

LOGICnow MAX Backup can be used to recover a system from scratch.

Bare metal recovery allows you to recover your system directly to bare hardware (or VM) without a prior OS installation and return to its previous state.

Supported operating systems (as of 2016-10-06):

  • Windows Vista
  • Windows 7
  • Windows 8 / 8.1
  • Windows 10
  • Windows Server 2008 / 2008 R2
  • Windows Server 2012 / 2012 R2

Operating system requirement applies to the source computer and to the computer on which the bootable media is created.

To get started:

  1. Go to MAX Backup Additional Tools page, from the ‘BARE METAL RECOVERY’ section, select either .EXE download (for creating bootable USB drive) or .ISO download (for creating bootable DVD drive)
  2. Install or burn the Bare Metal Recovery tool on your USB drive or DVD drive.
  3. Boot the USB drive / DVD drive you just created (Make sure the BIOS/UEFI settings are intact. If you boot in a mode that isn’t compatible with the firmware used on the source computer, the restore session will fail.)
  4. Configure or confirm network settings using the command line options (use number to perform the task)
  5. Backup Manager wizard will open in a chromium-embedded browser, enter the backup device configuration.
  6. Go to Restore » Bare Metal Recovery » adjust the settings as appropriate.
  7. Choose the data to restore.
  8. Finally, click ‘Restore’ to begin the restore process.

How to Repair a .pst file

This solution will usually also fix any Outlook that having stuck issues while on ‘Loading Profile’ screen
Outlook 2016 Loading Profile
Outlook 2016 Loading Profile
  1. Exit Outlook, and browse to <drive>:\Program Files — or, if you see a Program Files (x86) folder on the same drive, browse to that instead. For example, C:\Program Files or C:\Program Files (x86).For Office 2016 use this path: C:\Program Files\Microsoft Office\root\Office16
  2. In the Search box, type Scanpst.exe.

If the search doesn’t find Scanpst.exe, try searching in the alternative folder mentioned in step 2, above — Program Files or Program Files (x86).

  1. Double-click Scanpst.exe.
  2. In the Enter the name of the file you want to scan box, enter the name of the .pst file you want the tool to check, or click Browse to select the file.
  3. By default, a new log file is created during the scan. Or, you can click Options and choose not to have a log created, or to have the results appended to an existing log file.
  4. Click Start.

If the scan finds errors, you’re prompted to start the repair process to fix them.

The scan creates a backup file during the repair process. To change the default name or location of this backup file, in the Enter name of the backup file box, enter a new name, or click Browse to select the file you want to use.

  1. Click Repair.A copy of the log file is saved to the same folder as the .pst file.
  2. Start Outlook with the profile that contains the Outlook Data File that you repaired.
  3. Switch to the Folder List view in the Folder Pane by pressing Ctrl+6.

In the Folder Pane, you might see a folder named Recovered Personal Folders that contains your default Outlook folders or a Lost and Found folder. Although the repair process might recreate some of the folders, they may be empty. The Lost and Found folder contain any folders and items recovered by the repair tool that Outlook can’t place in their original structure.

You can create an Outlook Data File, and drag the items in the Lost and Found folder into the new data file. After you’ve moved all the items, you can remove the Recovered Personal Folders (.pst) file. This includes the Lost and Found folder.

If you can open the original Outlook Data File, you may be able to recover additional items. The Inbox Repair tool creates a backup file with the same name as the original, but with a .bak extension, and saves it in the same folder. You may be able to recover items from the backup file that the Inbox Repair tool couldn’t recover.

To recover items from the backup (.bak) file, make a copy of it and give the copy a new name with a .pst extension, such as bak.pst. Import the bak.pst file into Outlook, and then use the Import and Export Wizard to import any additional recovered items into the newly created .pst file.

Remove / Purge Deleted Users from Office 365 Admin

You can run the command via AD PowerShell directly:

$msolcred = get-credential
connect-msolservice -credential $msolcred

To purge the deleted user accounts:

get-msoluser –returndeletedusers -maxresults 100000 | remove-msoluser -removefromrecyclebin -force

Allows Standard User to Run an Application as Administrator

How to Create a Shortcut that allows a Standard User to Run an Application as Administrator

Want to allow a standard user account to run an application as administrator without a UAC or password prompt? You can easily create a shortcut that uses the runas command with the /savecred switch, which saves the password.

Note that using /savecred could be considered a security hole – a standard user will be able to use the runas /savecred command to run any command as administrator without entering a password. However, it’s still useful for situations where this doesn’t matter much – perhaps you want to allow a child’s standard user account to run a game as Administrator without asking you.

Enabling the Administrator Account

First you’ll need to enable the built-in Administrator account, which is disabled by default.

To do so, search for Command Prompt in the Start menu, right-click the Command Prompt shortcut, and select Run as administrator.

Run the following command in the elevated Command Prompt window that appears:

net user administrator /active:yes

The Administrator user account is now enabled, although it has no password.

To set a password, open the Control Panel, select User Accounts and Family Safety, and select User Accounts. Click the Manage another account link in the User Accounts window.

Select the Administrator account, click Create a password, and create a password for the Administrator account.

Creating the Shortcut

Now we’ll create a new shortcut that launches the application with Administrator privileges.

Right-click the desktop (or elsewhere), point to New, and select Shortcut.

Enter a command based on the following one into the box that appears:

runas /user:ComputerName\Administrator /savecred “C:\Path\To\Program.exe

Replace ComputerName with the name of your computer and C:\Path\To\Program.exe with the full path of the program you want to run. For example, if your computer’s name was Laptop and you wanted to run CCleaner, you’d enter the following path:

runas /user:Laptop\Administrator /savecred “C:\Program Files\CCleaner\CCleaner.exe”

Enter a name for the shortcut.

To select an icon for your new shortcut, right-click it and select Properties.

Click the Change Icon button in the Properties window.

Select an icon for your shortcut. For example, you can browser to CCleaner.exe and choose an icon associated with it. If you’re using an other program, browse to its .exe file and select your preferred icon.

The first time you double-click your shortcut, you’ll be prompted to enter the Administrator account’s password, which you created earlier.

This password will be saved – the next time you double-click the shortcut, the application will launch as Administrator without asking you for a password.

As we mentioned above, the standard user account now has the ability to run any application as Administrator without entering a password (using the runas /savecred command to launch any .exe file), so bear that in mind.

The Administrator password is saved in the Windows Credential Manager – if you want to remove the saved password, you can do it from there.