Enlightenment on some jitsi features

Hi there. I’M NOT A DEVELOPER. I’m a straight “hardcore” Systems Administrator and I admin storage, blades, virtualization, networking and, to some extent, I install OSes and databases. For reasons internal to my company I became in charge of mounting a Jitsi platform. So I did the Jitsi Meet quick install and added two additional videobridge machines using this doc:


I can see that it uses JVB v2 and the install is different from the older JVB. I can see that there are differences between those two JVB installs:
  1. My main concern is that for my install, only the Jitsi Meet server is published (in our organization) with a NATed public IP. The additional two JVB machines have intranet addresses. Is this correct and functional? Or do I somehow have to bind the internal addresses with the NATed PUBLIC IP on the jitsi-meet main server?

Being a sysadmin I’m used to apps that manage the creation of users and passwords. Right now I’m doing it using the command line after configuring Jicofo Secure Domain. Two questions:

  1. Is there any Jitsi module or 3rd-party app that permits creating usernames and passwords using some kind of console that can be delegated to a power user and, as such, free me (the Administrator) from doing this by shell?

  2. The Jicofo Secure Domain config allows users to create rooms. But I can see (as a hosting room user) that there is a functionality to share the link and add a password … I can’t really get it. I create a password but users can still get into the room without using the designated password. Help.

Thank you. I appreciate any info because these technologies are not my day-to-day interaction and I’m having difficulties with all the jargon you guys use and also with understanding the technology behind it.

Welcome to the forum, @JMont! :smiley:

With regards to your questions:

  1. I’m not absolutely certain about an intranet setup, but I know that for a regular ‘exposed’ JVB, the public IP address is necessary. If behind a NAT, the port must be forwarded appropriately. I’ll leave others to provide more guidance on this one for you.

  2. Have you checked out JWT tokens? Also, you can use LDAP with Jitsi. Both are user management and authentication tools that I believe will provide the solution to this need.

  3. You can password protect any Jitsi meeting. Once a meeting is password protected, all attendants will need that password in order to join the meeting. Now, “secure domain” in Jitsi is a feature that somewhat allows you to create a “moderator” type role with moderator-level access. When you implement “secure domain”, only a person with moderator-role (defined in prosody) will be able to start a meeting. That person/persons will have to authenticate in order to create/start the meeting; other guests will then be allowed into the meeting (no sign-in required).

Hope this helps. :smiley:

Hi Freddie,
Thank you for your answers. I’ll take a look at LDAP integration. It would be nice if I could integrate it with Microsoft Active Directory.

As for passwords and authentication, what you’re saying is either I have secure domain configured or I have created rooms that are password protected … one way or the other, right?

My main concern now is the JVB part and possible steps missing in the configuration. Can anybody answer these questions on NAT IPs? Should I post it in another forum topic?

Again, thanks for your answers.
Stay safe,
JMont

The JVBs are the media servers; they relay the audio and video streams from and to the peers. So it’s important for the peers to be able to reach the JVBs. If they have a direct connection through UDP 10000 it’s better; this means public IPs for the videobridges and UDP 10000 open to the Internet.
If the peers can’t use UDP 10000 (they are behind firewalls and/or NAT), you can use a TURN server; it can help with IP discovery and also with relaying the streams from/to the bridges over TCP. It’s an inferior solution, so it’s used as a backup plan if/when the users can’t reach the bridges over UDP.
So if your JVBs are in a NAT/DMZ, TURN can help, but it’s always better if you can expose a public IP and UDP.
Check this doc, and also the threads here in the community forum about TURN and Coturn.


Thank you Yasen,
Yes, I can open UDP 10000 directly. In reality, the clients are in a closed network circuit: even though the publishing is done by NAT on the firewall, the same firewall has those networks published in its configuration … meaning that when they access the public IP the traffic is NOT routed over the Internet. The exception is if they’re doing a conference that has users that don’t belong to our customers’ (circuited) network. Nevertheless, even in those cases I can open the UDP port.
My major difficulty is that I’m not a core developer and sometimes I’m feeling (somewhat) overwhelmed trying to understand some of the modules and configurations in Jitsi and following the more technical Jitsi forums.
About JVB NAT:
For me it’s not clear, because that part of the ICE(?) config is about SIP communication but also XMPP. The quick install states:
“If the installation is on a machine behind NAT jitsi-videobridge should configure itself automatically on boot. If three way calls do not work, further configuration of jitsi-videobridge is needed in order for it to be accessible from outside.
Provided that all required ports are routed (forwarded) to the machine that it runs on. By default these ports are (TCP/443 or TCP/4443 and UDP/10000).
The following extra lines need to be added to the file /etc/jitsi/videobridge/sip-communicator.properties:
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=<Local.IP.Address>
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=<Public.IP.Address>
And comment the existing org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES.”

So,

  1. Do I have to configure it on the JVBs? (I’m guessing yes.)
  2. How does the MAIN JVM machine know about the JVBs?
  3. Any additional configs?

I could not figure it out from the Jitsi tutorials.
Sorry for what may be, to you guys, obvious questions, but for someone outside of the development world it is not so clear …
Help appreciated,

I think your installation is complicated for the initial step. First, install JMS without the additional JVBs and stabilize it for local and remote clients.

The remote and local clients should use the same host address while connecting to JMS, and need a valid certificate for this address.

Hi there. Yes, that has been done. I’ve a working main JMS running. The urgency is to scale it up, because the number of solicitations is increasing. That’s the reason I’m asking for some detail on additional JVBs, like:

  • Must they also be NATed? (Because I’ve seen an example on the net where JVBs are pointing to the public IP of the JMS: https://samynitsche.de/4-install-jitsi-meet-and-configure-load-balancing)

  • I’m also trying to understand the mechanics of how the main JMS knows about the JVB machines (NOT the JVB -> JVM, but how does the JVM “register”/know about the JVB?). I’m guessing it is the prosody module but I’m not sure, and especially the list of needed open ports ON THE FIREWALL (meaning the PUBLIC, internet-client-access firewall and the internal firewall, in this case ufw on Ubuntu 18), because I’ve also seen different port config specs in several docs on the forum. My main concern is ports 5222 and 5347 … also I’ve seen configs that say these ports are all TCP and others with UDP.
    It should be simple to enumerate those features but somehow I’m not getting a clear picture on these simple doubts … sorry, maybe because I’m not a core developer (I’m a virtualization and storage admin) … time is passing and I really need to implement this. Maybe I should post these questions in the config thread?
    Thank you Emrah for your interest and answering me.
    Can you guys help me understand these configuration parameters?

The remote and local clients can connect directly to JVBs. Therefore “yes, they must also be NATed”. If you have only one public IP then you should use a different UDP port for each JVB.

AFAIK, JVB is a XMPP client, it connects to prosody through TCP/5222 and prosody can monitor the online JVBs.

Only TCP/5222 is needed.

     TCP/5222
JVB ----------> JMS

Probably you will also need to configure SINGLE_PORT_HARVESTER_PORT in /etc/jitsi/videobridge/sip-communicator.properties. This is the default conf

org.jitsi.videobridge.SINGLE_PORT_HARVESTER_PORT=10000
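The NAT harvester lines quoted from the quick-install doc above and the per-bridge UDP port rule in this reply can be checked mechanically. The following is an added example, not code from the Jitsi project or from anyone in this thread: it parses each bridge’s sip-communicator.properties, flags a missing or self-mapped NAT address, an uncommented STUN_MAPPING_HARVESTER_ADDRESSES line, and two bridges sharing one public IP and the same UDP port (the sample configs, addresses and the stun.example.org host are constructed).

```python
# Added example (not Jitsi project code): sanity-check the NAT and port
# settings in /etc/jitsi/videobridge/sip-communicator.properties per bridge.
NAT_LOCAL = "org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS"
NAT_PUBLIC = "org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS"
STUN_MAPPING = "org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES"
SINGLE_PORT = "org.jitsi.videobridge.SINGLE_PORT_HARVESTER_PORT"

def parse_properties(text):
    """Java .properties subset: key=value lines; '#' or '!' starts a comment."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_nat_config(props):
    """Problems for one bridge behind NAT, following the quick-install doc."""
    problems = []
    if NAT_LOCAL not in props or NAT_PUBLIC not in props:
        problems.append("both NAT_HARVESTER_LOCAL/PUBLIC_ADDRESS must be set")
    elif props[NAT_LOCAL] == props[NAT_PUBLIC]:
        problems.append("local and public address are identical")
    if STUN_MAPPING in props:  # a commented-out line never reaches props
        problems.append("STUN_MAPPING_HARVESTER_ADDRESSES must be commented out")
    return problems

def check_port_collisions(bridges):
    """Bridges behind one public IP need distinct UDP ports (default 10000)."""
    seen, collisions = {}, []
    for name, props in bridges.items():
        key = (props.get(NAT_PUBLIC), props.get(SINGLE_PORT, "10000"))
        if key in seen:
            collisions.append(f"{name} collides with {seen[key]} on {key[0]}:{key[1]}/udp")
        seen.setdefault(key, name)
    return collisions

# Constructed sample: two bridges behind one public IP; jvb2 keeps STUN active.
JVB1 = parse_properties("""
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=10.0.0.11
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=203.0.113.5
#org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=stun.example.org:443
org.jitsi.videobridge.SINGLE_PORT_HARVESTER_PORT=10000
""")
JVB2 = parse_properties("""
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=10.0.0.12
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=203.0.113.5
org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=stun.example.org:443
""")
```

Run it against the real files with `parse_properties(open(path).read())` for each bridge; an empty list from both checks means the settings match what this thread recommends.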

Thanks,
Very kind of you to give some time to basic questions, but I’m having problems with XMPP listening on port 5222/tcp and it’s not the firewall. I have already installed the videobridges twice from scratch. Moving to the Install thread. Really need to solve this with maximum urgency:

Could you try the following in JVB

apt-get install curl
curl http://videoconf.uniteltmais.cv:5222

… it just hangs there. But I’m sure it’s open. I did a specific firewall rule for the outside world (which is more than required by the install) and did a port check from an internet ‘checker’ website,
but somehow I have the timeout.

  • I can connect (telnet) using the private IP
    … and I want to seize this opportunity to tell you about my config:
  • In /etc/jitsi/videobridge/sip-communicator.properties on my 2 JVB machines, I didn’t change org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME.

I maintained the original value from the JVB install. Should I change it to a “human readable” nickname?
Also, as you can see, LOCAL_ADDRESS and PUBLIC_ADDRESS were configured to reflect the respective IPs of the JVB machine(s).
The UFW firewall on the main JMS has 5222/tcp open from Anywhere.
My suspicion is that maybe it has to do with my nginx configuration file /etc/nginx/sites-available/videoconf.uniteltmais.cv.conf, namely some parameters on HSTS headers (?): I’ve changed the SSL ciphers and added several “add_header” parameters. The idea was to reinforce the webserver security … but I’m not an expert. PARTIAL screenshot:

Forgot to say: the NATed public IPs for the JVBs are open only on 10000/udp for the ‘world’.

Since the JVBs can’t connect through the public IP (probably a missing routing rule on the firewall), add the private IP of JMS to /etc/hosts on the JVBs.

Hi. Yes, it worked and the JVB machines registered in the jicofo log. Then I had an issue with certificate verification, for which the solution pointed here: https://github.com/jitsi/jitsi-meet/wiki/jitsi-meet-load-balancing-installation-Ubuntu-18.04-with-MUC-and-JID.
That was solved too.
Now facing a SEVERE error in the Jicofo logs about colibri. This time I’m lost on what to do:


I have hundreds of entries with this.
Tried to restart the services but the error comes back. Any insights?
Thank you for all your help.

I’ve never seen this before. Maybe there is a typo in the config files.

Hi. Sorry. I’m about to post a help shout in the installation thread but before that, just to see if you (maybe) can identify the following issues:

  1. I can start a Jitsi room with the videobridge down on the main JMS and using just one of the bridges on the JVB machine … good
  2. As soon as I join a 2nd user to the room I have the “something wrong” error
  3. LOGS:
    jicofo

JVB on the jvb machine:

Anyway, you have been of great help and for that I thank you.

Seems to me like a mismatch between jicofo and jvb versions. What versions do you use?

Hello. The main JMS machine was installed in May 2020. The recent add-on of ‘stand-alone’ JVB machines was about 3 days ago. Ashamed to ask, but (can’t find it on Google and can’t see it in the files either): which command finds the required versions?

You need to update JMS. So the easiest is to stick to latest stable; the combinations that are packed under the metapackage jitsi-meet are tested together and work without a compatibility problem. For example, looking at latest stable here will give you the versions of the 3 components web, jicofo and jvb:


Latest stable is 2.0.5142 which is web 1.0.4466, jicofo 1.0-644, and jvb 2.1-376-g9f12bfe2.

Hi Damencho. Like I said before, not being a developer, doubts arise and I have to ask basic questions sometimes: Is it sufficient just to do an apt update && apt upgrade on the main JMS?

My worry is that we already have users registered and also customizations done.

The other scenario that I see is to build another JMS machine and adapt the NAT rules. Probably it will also make me reinstall the JVB nodes, since there are hard-coded parameters on the nodes that would change with a new JMS machine. This scenario would be disruptive on account of the above customizations needed.

If I can do the ‘in-place’ update I would not mind reinstalling new JVB nodes (if needed) and then re-registering them with XMPP.

Can you clarify the best practice for a JMS update or point to documentation on it?
Thank you