What concrete ports must be forwarded for Jitsi Meet server

I’ve installed the jitsi-meet package on a fresh Debian GNU/Linux 10, intended to be dedicated only to Jitsi Meet (open).
This is an LXC container in a desktop computer, both with their own IP address.
I can forward TCP and UDP ports from the Internet router. Just by reverse-proxying* the https website from another container (with Apache) to my jitsi container (no port forwarding), it is already possible to connect to the Meet website, see one’s own video camera image, and hold a chat session between users, but not an audio/video conference.

(*) mymeets.example.net with Apache’s ProxyPass to target container.

Because I’m using several port ranges to other destinations, I’ve customized 2 listening ports I’ve read to be necessary for audio/video conferences:
/etc/jitsi/videobridge/sip-communicator.properties

org.jitsi.videobridge.TCP_HARVESTER_PORT=65443
org.jitsi.videobridge.SINGLE_PORT_HARVESTER_PORT=65000

But I’ve read somewhere that TCP_HARVESTER_PORT (default 4443) is only an alternative to 443 when it’s not available. And I don’t clearly understand whether SINGLE_PORT_HARVESTER_PORT (default 10000) is only the beginning of a UDP port range or what.
In any case, I’ve now forwarded both tcp/65443 and udp/65000 from the Internet router to my jitsi containers, but with no better result (no audio/video between users).

I see other listening ports and I don’t know if any of them also need to be available from the Internet:

tcp/5280 : lua5.2
tcp/5347 : lua5.2
tcp/5222 : lua5.2
tcp/5269 : lua5.2
tcp/8888 : java
tcp/65443 : java (already mentioned)
tcp/44468 : java (changes on each boot)
tcp/65000 : java (already mentioned)
tcp/37855 : java (changes on each boot)

JVB uses just port 10000 udp.

Do you mean changing SINGLE_PORT_HARVESTER_PORT does not work with clients? Must it be 10000 anyway?

And when is it really necessary to forward/open TCP_HARVESTER_PORT? (to think about whether I need to have it exposed to the Internet)

I was just pointing out that you need a single UDP port, and this is not the beginning of a range. By default that port is 10000, and it can be changed with a property.

I’ve read something about these other properties:

org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=<Public.IP.Address>
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=<Local/Private.IP.Address>
org.jitsi.videobridge.NAT_HARVESTER_LOCAL_ADDRESS=<Local/Private.IP.Address>
org.jitsi.videobridge.NAT_HARVESTER_PUBLIC_ADDRESS=<Public.IP.Address>

Is some documentation published somewhere about this, with details and implications?


I’ve found my problem was that I needed to set these properties in /etc/jitsi/videobridge/sip-communicator.properties:

org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=192.168.123.456
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=1.2.3.4

(default setup Debian 10 and packages from Jitsi repository)

I see now that TCP_HARVESTER_PORT defaults to tcp/4443 if it is not specified or the property is left commented out.
If nginx is already listening on port 443 (and presents the Jitsi welcome page) and I specify TCP_HARVESTER_PORT=443, then the java process does not listen on port 443.

Is it convenient in this context to use a TCP_HARVESTER_PORT value other than 443 so as not to conflict with nginx? And should it then be forwarded in a NAT context?

Yes, you can use a different port. https://github.com/jitsi/jitsi-videobridge/blob/master/doc/tcp.md

By “convenient” I also meant: when do I need to forward the port specified in TCP_HARVESTER_PORT in a NAT context?
(I don’t know exactly what the TCP harvester does or whether it’s required for Internet participants)

This is a fallback for users whose network does not have UDP enabled, so that they are able to connect using TCP. For these cases we recommend using coturn, by the way; the TCP harvester is disabled by default in the latest stable packages.
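
As an added example (not part of the thread and not Jitsi project code), this Python script reads the text of a sip-communicator.properties file, lists the two ports discussed above that a NAT router would forward, and flags missing or implausible NAT harvester addresses. The function names, the local sample address and the private/public heuristic based on Python's ipaddress module are assumptions made for illustration.

```python
import ipaddress

DEFAULT_UDP, DEFAULT_TCP = 10000, 4443  # defaults as stated in the thread
JVB = "org.jitsi.videobridge."
ICE = "org.ice4j.ice.harvest."

def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def forwarding_plan(text, web_tcp_port=443):
    """Return (forwards, findings) for a videobridge behind NAT."""
    props = parse_properties(text)
    udp = int(props.get(JVB + "SINGLE_PORT_HARVESTER_PORT", DEFAULT_UDP))
    tcp = int(props.get(JVB + "TCP_HARVESTER_PORT", DEFAULT_TCP))
    forwards = [("udp", udp, "media: a single port, not the start of a range"),
                ("tcp", tcp, "only if the TCP fallback is enabled")]
    findings = []
    if tcp == web_tcp_port:
        findings.append(f"TCP_HARVESTER_PORT {tcp} collides with the web server")
    for name, want_private in (("LOCAL", True), ("PUBLIC", False)):
        value = props.get(ICE + f"NAT_HARVESTER_{name}_ADDRESS")
        if value is None:
            findings.append(f"NAT_HARVESTER_{name}_ADDRESS is not set")
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            findings.append(f"NAT_HARVESTER_{name}_ADDRESS is not a valid IP: {value}")
            continue
        if addr.is_private != want_private:  # heuristic, assumption of this example
            kind = "private" if want_private else "public"
            findings.append(f"NAT_HARVESTER_{name}_ADDRESS should be {kind}: {value}")
    return forwards, findings

# Constructed sample mirroring the thread's settings (local address is made up).
SAMPLE = """\
org.jitsi.videobridge.TCP_HARVESTER_PORT=65443
org.jitsi.videobridge.SINGLE_PORT_HARVESTER_PORT=65000
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=192.168.123.45
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=1.2.3.4
"""
```

Calling `forwarding_plan(open("/etc/jitsi/videobridge/sip-communicator.properties").read())` on the server gives the same report for the live file; anything not in the returned forward list can stay closed at the router as far as this check is concerned.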