[jitsi-users] Corporate firewall settings to use Jitsi client and webapp meet.jit.si


#1

Dear all,

in order to use the Jitsi client and the webapp meet.jit.si I need to
know what to ask our network team in terms of corporate firewall
settings, i.e. which inbound and outbound ports to open and towards
which external IPs. Could you please help me?

Thanks so much in advance.

Best,
Paolo.


#2

Hello Paolo,

in order to use the Jitsi client and the webapp meet.jit.si I need to
know what to ask our network team in terms of corporate firewall
settings, i.e.

These are the common ports used by jitsi-meet and xmpp.

80 TCP HTTP/BOSH/Websocket
443 TCP HTTP/BOSH/Websocket
4443 TCP jitsi-meet videostream for very restrictive environments
5222 TCP XMPP client to server connections
5269 TCP XMPP server to server connections
5280 TCP HTTP and SecureWebSocket connection (SSL)
5281 TCP HTTP and WebSocket connection
3478 UDP/TCP STUN/TURN Port forwarding to turnserver
5349 UDP/TCP SSTUN/STURN Port forwarding to turnserver
10000-20000 UDP/TCP jitsi-meet videostream RTP (This port range may vary, depending on videobridge config!)
10000-20000 UDP/TCP TURN server media (This port range may vary, depending on TURN server config!)

Regards,

Rainer

On 18 Jan 2016 at 16:25, Paolo Dongilli paolo.dongilli@gmail.com wrote:


#3

In fact from outside you need just these:

80 TCP HTTP/BOSH/Websocket
443 TCP HTTP/BOSH/Websocket
4443 TCP jitsi-meet videostream for very restrictive environments
10000-20000 UDP/TCP jitsi-meet videostream RTP (This port range may vary, depending on videobridge config!)
10000-20000 UDP/TCP TURN server media (This port range may vary, depending on TURN server config!)

If Jitsi Meet is installed all on one host, you only need these from
outside.

And the following you need from localhost (or between the different
machines, in case the components of Jitsi Meet are installed on
different servers):

5222 TCP XMPP client to server connections
5269 TCP XMPP server to server connections
5280 TCP HTTP and SecureWebSocket connection (SSL)
5281 TCP HTTP and WebSocket connection

I'll add also TCP 5347, which is the default for xmpp components
connections. You need the components to be able to open it on the
prosody host, so that they can register.

On Mon, 18 Jan 2016 17:26:15 +0100 (CET) Rainer Schuth wrote:

--

Yasen Pramatarov
Lindeas Ltd. https://lindeas.com
'working on GNU/Linux ideas'
Professional Jitsi Meet services
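
Added example (not part of the original thread, and not Jitsi project code): a small Python check that applies the port split from the post above to `ss -tuln` output on a single-host install, flagging the XMPP ports (5222, 5269, 5280, 5281, 5347) when they listen on a non-loopback address. The sample output and the verdict names are constructed for illustration.

```python
import ipaddress

# Port split from the post above: reachable from outside vs. localhost/inter-component only.
PUBLIC = {("tcp", 80), ("tcp", 443), ("tcp", 4443)}
PUBLIC_RANGE = range(10000, 20001)           # media range, UDP or TCP; may vary with config
INTERNAL_TCP = {5222, 5269, 5280, 5281, 5347}

# Constructed sample of `ss -tuln` output for a single-host install (not real data).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128    *:4443             *:*
tcp   LISTEN 0      128    127.0.0.1:5347     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:5222       0.0.0.0:*
tcp   LISTEN 0      128    [::]:5280          [::]:*
tcp   LISTEN 0      128    [::1]:5269         [::]:*
udp   UNCONN 0      0      0.0.0.0:10000      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8888       0.0.0.0:*
"""

def is_loopback(host):
    """True if the bind address is loopback; '*' and unspecified addresses are not."""
    host = host.strip("[]").split("%")[0]    # drop IPv6 brackets and any %iface suffix
    if host == "*":
        return False
    return ipaddress.ip_address(host).is_loopback

def classify(proto, host, port):
    if is_loopback(host):
        return "ok-local"
    if (proto, port) in PUBLIC or port in PUBLIC_RANGE:
        return "ok-public"
    if proto == "tcp" and port in INTERNAL_TCP:
        return "exposed-internal"            # bind to loopback or firewall to peer hosts
    return "unlisted"                        # not in the thread's list; review by hand

def audit(ss_output):
    """Return [(proto, host, port, verdict)] for every listening socket."""
    findings = []
    for line in ss_output.splitlines()[1:]:  # skip header row
        fields = line.split()
        if len(fields) < 5:
            continue
        host, _, port = fields[4].rpartition(":")
        findings.append((fields[0], host, int(port), classify(fields[0], host, int(port))))
    return findings

if __name__ == "__main__":
    for proto, host, port, verdict in audit(SAMPLE_SS):
        print(f"{verdict:17} {proto} {host}:{port}")
```

The check looks only at bind addresses, so an "exposed-internal" socket may still be filtered by a host firewall; on a multi-host deployment those ports legitimately listen on the interface facing the other components.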


#4

Thanks so much.

What if I want to use specifically the services hosted at jit.si?
What are in this case destination IPs and PORTs I need to specify in
our firewall?

Thanks,
Paolo.



#5

In my experience you need:

80 TCP HTTP/BOSH/Websocket
443 TCP HTTP/BOSH/Websocket

10000-20000 UDP/TCP jitsi-meet videostream RTP

You can skip port 80 if you use only https.
Anyway, if you need firewall traversal you need the TURN server, and I don't
know if meet.jit.si is configured this way!

If you need some professional experience, drop me an email!
I've worked on 3 projects using jitsi-meet

Bye

--

Andrea Magatti
about.me/amagatti


#6

If you want to use meet.jit.si, you just have to allow outgoing
connections to meet.jit.si IP addresses on ports 80 and 443 TCP.

It would be good to also have the range 10000-20000 UDP. Outgoing, to
the server.

If you don't have the UDPs, you'll get switched to TCP-only connection
and you'll get the media streams from port 443 on the second address --
this way Jitsi Meet works with peers behind NAT and with restricted
UDP.

--

Yasen Pramatarov
Lindeas Ltd. https://lindeas.com
'working on GNU/Linux ideas'
Professional Jitsi Meet services


#7

Thanks again to all of you for your quick replies to my questions.

Best regards,
Paolo.


#8

Just a quick note that since recently the single-port mode is enabled by default, so the whole range is no longer necessary and just port 10000 suffices.

You may still need the full 10000-20000 range if you use jigasi or jitsi-hammer (or any clients other than jitsi-meet).

Regards,
Boris
