UDP port 10000 blocked behind corporate firewall - possible approaches

Hello again,
in the following file:

/etc/prosody/conf.avail/xxx.cfg.lua

Do I have to enable the Virtual Host by removing the two --?

Thank you

Hi everyone,

Solved my problem now by finding a wrong configuration in my videobridge. Had the same effect as Andrea: once a third participant whose firewall blocks the UDP port joined, video was broken.

For me it got solved by adding this line to the file “sip-communicator.properties” of my videobridge:

```
org.jitsi.videobridge.DISABLE_TCP_HARVESTER=false
```

My complete working config for reference, if needed (the comments on the octo lines are on their own lines here: java.util.Properties has no inline comments, so a trailing `# ...` on a key=value line would otherwise become part of the value):

```
org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true
org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=meet-jit-si-turnrelay.jitsi.net:443
org.jitsi.videobridge.ENABLE_STATISTICS=true
org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=MY-DOMAIN
org.jitsi.videobridge.xmpp.user.shard.DOMAIN=auth.MY-DOMAIN
org.jitsi.videobridge.xmpp.user.shard.USERNAME=jvb
org.jitsi.videobridge.xmpp.user.shard.PASSWORD=PASSWORD
org.jitsi.videobridge.xmpp.user.shard.MUC_JIDS=JvbBrewery@internal.auth.MY-DOMAIN
org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME=6f32e760-2c89-44de-a273-7880f2336459
org.jitsi.videobridge.SINGLE_PORT_HARVESTER_PORT=55555
# the address to bind to locally
org.jitsi.videobridge.octo.BIND_ADDRESS=10.40.100.31
# the address to advertise (in case BIND_ADDRESS is not accessible)
org.jitsi.videobridge.octo.PUBLIC_ADDRESS=XXX
# the port to bind to
org.jitsi.videobridge.octo.BIND_PORT=4096
# the region that the jitsi-videobridge instance is in
org.jitsi.videobridge.REGION=region1
org.jitsi.videobridge.DISABLE_TCP_HARVESTER=false
```

Which ports on the client side have to be open to work with a Jitsi installation (latest release) on a dedicated Ubuntu server with a public IP?

This is our firewall:

```
sudo ufw allow OpenSSH
sudo ufw allow http
sudo ufw allow https
sudo ufw allow in 10000:20000/udp
sudo ufw enable
```

Thanks for your answer!

We need this because most of our customers have no problem with our installation, but some have, so we have to make a list of requirements for our customers.
Lorenz

Hi hirnschmalz,
Did you solve your problem? I want to configure all traffic on TCP port 443, because sometimes external users get dropped on UDP port 10000, so they have to add a rule in their security/firewall product.
By the way, in our cfg.lua file, under the TURN credentials:

  • The STUN and TURN port is assigned as 3478, is that right?

How can I solve this using only TCP port 443 for traffic? Thanks

Hi @jitsiboz,

My solution was to create a dedicated turnserver with its own IP address.

Hi @hirnschmalz @jitsiboz

I also faced the same problem with the latest Jitsi Meet.

> my solution was to create a dedicated turnserver with its own IP address.

How exactly should this be done?
(Note: the latest Jitsi Meet has a turnserver installed by default.)

@hirnschmalz @jitsiboz @damencho

UDP port 10000 was able to fail over properly to TCP 443 in the following way, and the problem was resolved even in environments where UDP was not available.
(The version of jitsi-meet I tried is the latest, 2.0.5142-1.)

  1. Separate the jitsi-meet front end from the other components.
    Node1: jitsi-meet / Node2: prosody, jicofo, jitsi-videobridge2

  2. Do not use coturn.

  3. Set TCP_HARVESTER_PORT=443 in sip-communicator.properties
    (/etc/jitsi/videobridge/sip-communicator.properties):

```
org.jitsi.videobridge.TCP_HARVESTER_PORT=443
org.jitsi.videobridge.DISABLE_TCP_HARVESTER=false
```

  4. UDP port 10000 is blocked by the server firewall.

  5. It fails over to TCP 443 properly!!

@damencho
Will TCP_HARVESTER_PORT=443 continue to be supported by JVB?
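The two configs posted in this thread (the "complete working config" with trailing `# ...` comments, and the TCP_HARVESTER_PORT=443 failover setup) are both plain java.util.Properties files, and the things that go wrong with them are easy to check mechanically. The script below is an added example written for this page, not code from the Jitsi project: it implements the subset of Properties line syntax that matters here (a line is a comment only when its first non-blank character is `#` or `!`; key and value split at the first `=` or `:`; a `#` anywhere later on the line is part of the value), audits the ICE/TCP harvester keys named in the thread, and rewrites inline comments onto their own lines. The sample config embedded in it is constructed from the lines posted above; the finding texts and the port/placeholder checks are this example's own choices, not JVB behaviour the page documents.

```python
"""Audit a jitsi-videobridge sip-communicator.properties file for the
harvester settings discussed in this thread (added example, not Jitsi code).

Only the parts of java.util.Properties syntax needed here are implemented:
backslash escapes and line continuations are not handled.
"""
import re

# Constructed sample: lines taken from the configs posted in this thread,
# including the trailing "# ..." comments that Properties does NOT treat as comments.
SAMPLE = """\
org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true
org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=meet-jit-si-turnrelay.jitsi.net:443
org.jitsi.videobridge.xmpp.user.shard.PASSWORD=PASSWORD
org.jitsi.videobridge.SINGLE_PORT_HARVESTER_PORT=55555
org.jitsi.videobridge.octo.BIND_ADDRESS=10.40.100.31 # the address to bind to locally
org.jitsi.videobridge.octo.BIND_PORT=4096 # the port to bind to
org.jitsi.videobridge.DISABLE_TCP_HARVESTER=false
"""

KEY_PREFIX = "org.jitsi.videobridge."


def parse_properties(text):
    """Return {key: value} with java.util.Properties semantics for '#' and separators."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # only a LEADING '#' or '!' is a comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)   # everything after the separator, '#' included
    return props


def move_inline_comments(text):
    """Rewrite 'key=value # note' as a '# note' line followed by 'key=value'."""
    out = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped and stripped[0] not in "#!" and " #" in raw:
            body, comment = raw.split(" #", 1)
            out.append("# " + comment.strip())
            out.append(body.rstrip())
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


def audit(props):
    """Return a list of findings about the settings this thread is about."""
    findings = []
    # 1. Inline comments silently become part of the value (e.g. BIND_PORT='4096 # ...').
    for key, value in props.items():
        if "#" in value:
            findings.append(f"{key}: value {value!r} contains '#', which java.util.Properties "
                            "keeps as part of the value (inline comments are not supported)")
    # 2. ICE/TCP harvester state: disabled means UDP-blocked clients need a TURN server.
    disabled = props.get(KEY_PREFIX + "DISABLE_TCP_HARVESTER")
    port = props.get(KEY_PREFIX + "TCP_HARVESTER_PORT")
    if disabled is not None and disabled.strip().lower() == "true":
        findings.append("ICE/TCP harvester is disabled: clients that cannot reach UDP need TURN")
    elif port is None:
        findings.append("TCP_HARVESTER_PORT not set: JVB's built-in default applies")
    elif not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(f"TCP_HARVESTER_PORT={port!r} is not a valid port number")
    elif int(port) < 1024:
        # The failover post above moves the web front end to another node for exactly this reason.
        findings.append(f"TCP_HARVESTER_PORT={port}: privileged port; JVB must be allowed to bind "
                        "it and nothing else (e.g. the web server) may already hold it")
    # 3. Placeholder secret left in place (this check is the example's own heuristic).
    pw = props.get(KEY_PREFIX + "xmpp.user.shard.PASSWORD")
    if pw is not None and pw.strip() in ("", "PASSWORD"):
        findings.append("xmpp.user.shard.PASSWORD looks like a placeholder")
    return findings


if __name__ == "__main__":
    for f in audit(parse_properties(SAMPLE)):
        print("weak config:", f)
    for f in audit(parse_properties(move_inline_comments(SAMPLE))):
        print("after moving comments:", f)
```

Run it against a real file with `audit(parse_properties(open("/etc/jitsi/videobridge/sip-communicator.properties").read()))`; the "privileged port" finding on 443 is the reason the failover post puts jitsi-meet's web server on a different node from the videobridge.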

Properly? … please read the documentation.

> **Warning**
> ICE/TCP is not the recommended way to deal with clients connecting from networks where UDP traffic is restricted. The recommended way is to use jitsi-videobridge in conjunction with a TURN server. The main reason is that using TURN/TLS uses a real TLS handshake, while ICE/TCP uses a hard-coded handshake which is known to be recognized by some firewalls.

@gpatel-fr
Thank you for the document link.

For some reason, when using the TURN server and I blocked UDP, it didn't fail over to TCP 443 :crying_cat_face:

It works if you take a positive attitude :slight_smile: