Corporate firewalls - use port 443 for videobridge with jitsi docker

Hello,
I am configuring jitsi meet using the docker setup, but audio/video doesn’t work on strict corporate networks where only port 443 is allowed. Could you help with what options I have to fix it, since both the web and jvb containers would need to bind on port 443?

All docker containers are running on the same machine, with the same IP address. I would like to avoid the need for a TURN server.

Thanks!

If the network equipment uses deep packet inspection, your only shot is a turnserver. jvb does not support a standard https link for the TCP fallback, and anyway coturn handling TCP traffic performs better than jvb.

OK. Thanks for your reply.
Is it also possible by having 2 external IP addresses, one for the web server and a second for JVB, but both running on the same machine with an internal IP address?
Then map JVB to internal IP on e.g. 4443 port.
Forward second IP 443 -> internal 4443 port and announce 2nd IP and port 443 from JVB?

Not sure I fully understood everything, but here are some properties you may find useful: https://github.com/jitsi/ice4j/blob/master/doc/configuration.md
https://github.com/jitsi/jitsi-videobridge/blob/master/doc/tcp.md

Thanks for your help.
Here’s what worked for me:

  1. I have 2 external static IP addresses and one internal IP address behind NAT where all my docker containers are running.
  2. Map EXT_IP1:443 -> INT_IP->443 (web)
    EXT_IP2:443 -> INT_IP->4443 (jvb)
    also map the UDP port in case it's open through the firewall.
  3. in .env file
    SET DOCKER_HOST = EXT_IP1
    JVB_TCP_HARVESTER_DISABLED=false
    JVB_TCP_PORT=4443
  4. add org.jitsi.videobridge.TCP_HARVESTER_MAPPED_PORT=443 to JVB sip-communicator.properties
  5. modify jvb/rootfs/etc/service.d/jvb/run: org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=EXT_IP2
  6. Rebuild docker images, make clean all, remove config folder
2 Likes
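An added example (not part of the thread and not Jitsi project code): a small Python check that the pieces of the setup in the post above agree with each other, since a mismatch between the forwarded port, the mapped port and the advertised address leaves the bridge announcing a TCP candidate that clients cannot reach. The function names, the `forwards` table and the sample addresses (documentation range 203.0.113.0/24) are assumptions; the two properties are assumed to be collected into one properties text.

```python
# Added example; every address and config value here is a constructed sample.
MAPPED_PORT = "org.jitsi.videobridge.TCP_HARVESTER_MAPPED_PORT"
PUBLIC_ADDR = "org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS"

def parse_kv(text):
    """Parse KEY=VALUE lines (.env / .properties), skipping blanks and comments."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs

def check_setup(env_text, props_text, forwards):
    """forwards maps "web"/"jvb" to (ext_ip, ext_port, int_port); returns problems."""
    env, props = parse_kv(env_text), parse_kv(props_text)
    web, jvb = forwards["web"], forwards["jvb"]
    problems = []
    if web[:2] == jvb[:2]:
        problems.append("web and jvb share the same external IP:port")
    if web[2] == jvb[2]:
        problems.append("web and jvb share the same internal port")
    if env.get("JVB_TCP_HARVESTER_DISABLED", "").lower() != "false":
        problems.append("JVB_TCP_HARVESTER_DISABLED is not set to false")
    if env.get("JVB_TCP_PORT") != str(jvb[2]):
        problems.append("JVB_TCP_PORT differs from the forwarded internal port")
    if props.get(MAPPED_PORT) != str(jvb[1]):
        problems.append("mapped port differs from the external jvb port")
    if props.get(PUBLIC_ADDR) != jvb[0]:
        problems.append("advertised public address is not the jvb external IP")
    return problems

# Constructed sample mirroring the post: web on EXT_IP1:443, jvb on EXT_IP2:443 -> 4443.
SAMPLE_ENV = "JVB_TCP_HARVESTER_DISABLED=false\nJVB_TCP_PORT=4443\n"
SAMPLE_PROPS = f"{MAPPED_PORT}=443\n{PUBLIC_ADDR}=203.0.113.11\n"
SAMPLE_FORWARDS = {"web": ("203.0.113.10", 443, 443), "jvb": ("203.0.113.11", 443, 4443)}

if __name__ == "__main__":
    for problem in check_setup(SAMPLE_ENV, SAMPLE_PROPS, SAMPLE_FORWARDS) or ["consistent"]:
        print(problem)
```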

Hi brother @dammsugare,

It seems plausible to use your idea when a TURN server is not available in the current ‘official’ jitsi docker image. :slight_smile:

Have you also been able to use both into and from a secured corporate firewall using this setup?

By the way, which jitsi module have you rebuilt (coturn, JVB, or else)? May we learn from your yaml file, bro? Thank you

Hello,

Yeah, it's been working for a couple of months, at least no issues with the firewall. But I faced an issue if the server is in the same private network as users behind a NAT. Then you would need to create a separate private network for the Jitsi server (behind the same/different NAT).

I haven't modified the .yaml file. Only .env, and I think I had to modify some files in the JVB container configuration.