Firewall configuration split setup


Sorry for the somewhat banal question, but I’m not quite sure which ports in the firewall need to be opened for Jitsi. My servers are running behind a perimeter firewall. Each server has a public IP, no NAT.

My setup:

first server:


open port: 443/tcp

other servers with jitsi-videobridge2 exclusively:


open port: 10000/udp

Do I have to open further ports?




@damencho Thanks! What about fallback ports or the portrange 1000-2000/udp I read about. What are those for?

The bridge nowadays runs only in single port mode, which is 10000. 5 years ago this was not the case and the range was used.


@damencho What about port JICOFO_PORT=5347 in /etc/jicofo/config and 5223 seen in prosody? And on which port do the videobridge servers communicate with the prosody?

5347 is the component port; jicofo has a user connection over port 5222 and a component connection. Port 5223 is not used.

That means no need to open port 20000, only 10000?

Thank you



@damencho still confused about needed open ports.

This is my setup: Two servers A and B with public IPs behind a perimeter firewall, on which port 443/tcp is open for server A and port 10000/udp is open for server B.

public IP A                                             public IP B
+------------------+                                    +------------------+
|  jicofo          |                                    |                  |
|  meet-web        |                                    |   videobridge    |
|  web-config      |   <----------- ??? ------------>   |                  |
|  prosody         |                                    |                  |
+------------------+                                    +------------------+
        |                                                        | 
        |                    perimeter firewall                  |
        |                                                        |
      443/tcp                                                 10000/udp
        |                                                        |
   public net                                                public net

Where do I have to open ports 5347 and 5222 or further ports?


5222 and 5437 need to be open on IP A, so that IP B can talk to it


@jcfischer Jens-Christian, thanks for your answer. Just to be sure: ports 5222 and 5437 only have to be open behind the perimeter firewall (in the “internal” network), no need to open them to the external net on the perimeter firewall, right?

And which protocol for ports 5222 and 5437? tcp or udp, or both?

If I scan the server (from the internal net) I find the following open ports:

80/tcp   open  http
443/tcp  open  https
5222/tcp open  xmpp-client
5269/tcp open  xmpp-server
5280/tcp open  xmpp-bosh
8888/tcp open  sun-answerbook

Exactly, they need to be open between frontend and videobridge servers. TCP only for 5222 and 5347, UDP for port 10000 on the videobridges.
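As an added example (not part of the original thread and not Jitsi's own tooling), the port layout confirmed above can be written as host-level nftables input policies: 443/tcp on the frontend for everyone, 5222/tcp and 5347/tcp on the frontend from the videobridges only, and 10000/udp on each videobridge. The addresses, the management network and the table name `jitsi_filter` are assumptions; the script only prints the rules.

```shell
#!/bin/sh
# Added example: prints an nftables input policy for each role in the split
# setup discussed above. All addresses are constructed placeholders.
# Review the output, then load it with:  sh this-script frontend | nft -f -
BRIDGE_IPS="${BRIDGE_IPS:-192.0.2.20}"     # videobridges, comma-separated (assumed)
ADMIN_NET="${ADMIN_NET:-198.51.100.0/24}"  # management network for SSH (assumed)

# emit_table RULE...: wrap the role-specific accept rules in a default-drop chain.
emit_table() {
  echo "table inet jitsi_filter {"
  echo "  chain input {"
  echo "    type filter hook input priority 0; policy drop;"
  echo "    ct state established,related accept"
  echo "    iifname \"lo\" accept"
  echo "    meta l4proto { icmp, ipv6-icmp } accept"
  echo "    ip saddr $ADMIN_NET tcp dport 22 accept"
  for rule in "$@"; do echo "    $rule"; done
  echo "  }"
  echo "}"
}

# Server A (jicofo, prosody, web): HTTPS from anywhere, XMPP client and
# component ports over TCP from the videobridges only.
frontend_rules() {
  emit_table \
    "tcp dport 443 accept" \
    "ip saddr { $BRIDGE_IPS } tcp dport { 5222, 5347 } accept"
}

# Server B (videobridge only): media on the single UDP port from anywhere.
# Its outbound connection to server A is covered by the established rule.
bridge_rules() {
  emit_table "udp dport 10000 accept"
}

case "${1:-}" in
  frontend) frontend_rules ;;
  bridge)   bridge_rules ;;
  "")       ;;  # no role given: define the functions only
  *)        echo "usage: $0 frontend|bridge" >&2; exit 2 ;;
esac
```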

Hey guys,

thank you for all the great discussions and patience in this community. I am completely new to the whole Jitsi area and I am configuring a setup quite similar to the one of localguru. My only difference or addition is a STUN/TURN-Server running on its own virtual machine and all my 3 servers are behind a NAT Router. I read a lot of stuff and most likely I just overlooked the information I am missing right now.
So I have 3 Servers, 1 is Jitsi-Meet with jicofo, prosody and the web-frontend, 1 is “just” used as a videobridge and then the STUN/TURN-Server. Excuse me for potentially stupid questions:
I am interested in the network paths, that are taken, so that I understand, who is talking to whom in the basic scenarios:

  1. an external device wants to start/join a conference on my jitsi system, so the device connects over 443 to my Jitsi-Meet-Server because there is the website hosted. But when it tries to join a conference, as far as I understand, the Jitsi-Meet-Server tells the device about the videobridge that is hosting the conference and the device starts its own connection (completely separated from the connection with the Jitsi-Meet-Server?) to the videobridge on UDP 10000. So far so right, I hope.

  2. Now I come to my question/struggle: now when UDP 10000 is blocked on other networks but devices still want to participate in a conference, I wonder how the STUN/TURN-Server gets involved. I saw some config-files but at least on one point I am quite insecure:
    Does the STUN/TURN-Server behind my NAT Router need its own public IP Address? To be precise: who is connecting to the STUN/TURN-Server on what port?

How does this connection come up, after the device that is trying to connect to a conference signals that UDP 10000 is not possible for it?

I usually confuse people with my questions or scenarios, I hope you understand what I mean :slight_smile: I try to understand how STUN/TURN gets involved, whether it would need a Public IP and which firewall setup is necessary for STUN/TURN. Internally all 3 Servers are placed in the same network with no firewall in between, so there won’t be any communication issues.

(Last but not least: Am I right, that on my Jitsi-Meet-Server I can also run a videobridge in addition to the one videobridge on a separated server?)

Best regards and thank you again for all the help throughout all community forums and all the patience

Prosody is advertising the TURN servers to the clients, and in parallel with the UDP 10000 connection it tries to connect to the TURN server (which needs to be reachable on a public address and port) and if 10000 UDP fails but the relay (the TURN server connection) is possible it will send media to the TURN server, which is a relay to the jvb, so it will forward the media to the jvb.

Great! Thanks a lot! That will help me to configure the rest of the system the right way. :slight_smile: Have a great day you all and especially @damencho for all the support!

I have two jvbs. One is on the same server where my prosody is installed and another is a separate server pointing to my prosody. My Prosody server is on a public IP and ports 80, 443 and 10000 are open. My second bridge is on a private IP. The second bridge is unable to pair the endpoints as there is no port 10000 open.

Does my second bridge also require a public IP and port 10000 to be opened? Or do I need to open the STUN/TURN port on my main meet server?

Please help.

All bridges need a combination of public address and port so clients can connect to them.

Thanks for reply.

But the conference call and allocation of media is being centrally managed by Jicofo. My additional bridges are publishing their information at the central Jicofo. Then Jicofo should handle the job of allocating bridges to meetings. In that case, a public IP may not be required for each additional bridge configured and published in the central Jicofo.
Please correct me if I am wrong.
I hope you understand what I mean.

With Best Wishes

The clients connect directly to the bridges on the allocated channels. The bridge creates the channels sending the port and address to jicofo which is sending them to the clients, informing them where to connect to.


So I need to assign a public IP to my second bridge and only 10000 UDP access needs to be allowed. If my bridge is behind the firewall then what should be the configuration on my second bridge? Please help.

With best wishes,