Sophos Firewall Configuration

Alex.Ruff · March 20, 2020, 4:01pm

Hello, everybody,

I want to run Jitsi meet behind a Sophos UTM 9.
I have already published the Jitsi instance via Web Server Protection.

It also works great with 2 users. I have read the deployment notes regarding NAT firewalls, but I can’t get it to work.

The https ports are routed to the Jitsi instance, also udp 10000-20000

Nevertheless, the conference breaks down if a third participant takes part.

Maybe you can give me a hint.

Alex

damencho · March 20, 2020, 4:14pm

Have you set up private and public address in jvb config?

Alex.Ruff · March 20, 2020, 4:44pm

Hi damencho,

yes ich configured that:

org.jitsi.videobridge.NAT_HARVESTER_LOCAL_ADDRESS=x.x.x.x
org.jitsi.videobridge.NAT_HARVESTER_PUBLIC_ADDRESS=x.x.x.x

Alex.Ruff · March 20, 2020, 10:52pm

Hi Damencho,

i followed these instructions:

github.com

jitsi/jitsi-meet/blob/master/doc/quick-install.md#advanced-configuration

# Jitsi Meet quick install

This document describes the required steps for a quick Jitsi Meet installation on a Debian based GNU/Linux system. Debian 8 (Jessie) or later, and Ubuntu 14.04 or later are supported out-of-the-box.

Debian Wheezy and other older systems may require additional things to be done. Specifically for Wheezy, [libc needs to be updated](http://lists.jitsi.org/pipermail/users/2015-September/010064.html).

Also note that a recent default Ubuntu installation has only the `main` repository enabled, and Jitsi Meet needs packages from `universe`. Check your `/etc/apt/sources.list` file, and if `universe` is not present refer to [Ubuntu's documentation](https://help.ubuntu.com/community/Repositories/Ubuntu) on how to enable it. (Usually it amounts to copying the `main` lines and changing to `universe`.)

N.B.:

a.) All commands are supposed to be run by root. If you are logged in as a regular user with sudo rights, please prepend ___sudo___ to each of the commands.

b.) You only need to do this if you want to ___host your own Jitsi server___. If you just want to have a video conference with someone, use https://meet.jit.si instead.

## Basic Jitsi Meet install

### Add the domain name to `/etc/hosts`

Add the the domain used to host the Jitsi Meet instance in the `/etc/hosts` file :

This file has been truncated. show original

damencho · March 21, 2020, 3:40am

So these are the problems that can lead to this experience: not working port forwarding, firewall blocking port 10000, not having correct ip-addresses in jvb config for public and private addresses.
It maybe that your network does not allow sending/receiving udp, maybe.

Alex.Ruff · March 21, 2020, 9:01am

Good morning,

if we use the jvb config you mean the /etc/jitsi/videobridge/sip-commuicator.properties right ?

The Sophos firewall is set up correctly in my opinion. I will run portscans from external portscans again today.

I will get back to you on this.

damencho · March 21, 2020, 2:55pm

That is the config. Does portscan works for udp?

Alex.Ruff · March 21, 2020, 4:19pm

Hi Damencho,

it seems to bee a fireall issue. As I did a portscan the portrange UDP 10000-20000 is not accessable.

Is there a way to use TCP connections only ? I thik i had read something like that. I just started a topic in the Sophos forum. but i think i have to wait there …

Regads,

Alex

damencho · March 21, 2020, 9:30pm

You need turnserver … If you uninstall/purge everything as described in quick install mode, switch to debian unstable repo and install from there, do the let’s encrypt to obtain certs you will get turnserver and jvb on same machine everything behind nginx and tcp will work, but mind that using tcp for media can reduce quality significantly.

Alex.Ruff · March 30, 2020, 7:09am

Good morning damencho,

i have now got jitsi running behind my Sophos firewall, but i now have the following problem.

If a third or fourth participant enters the session, the quality of the conference will drop completely, up to complete disconnections.

Do you have an idea?

Best regards,

Alex

Alex.Ruff · April 18, 2020, 4:40pm

Hi there,

the sophos connection Problems are finaly solved.
For everyone who wants to know, you have to disable the UDP flood protection.

Thx, for the support

Alex