Posted to user@openmeetings.apache.org by "Kirkham, George" <Op...@goproject.info> on 2020/04/05 22:29:56 UTC

General questions about DMZ, https, apache web server, single Internet IP address

Hi,

Background

* Reading about Jitsi and BigBlueButton, it seems the underlying
software they use requires a "direct connection to the internet" and
exclusive use of port 443.
* While my infrastructure has a single external IP address, a router
that changes the Internet-facing IP address to an internal IP address, and a DMZ
via a NAT firewall which handles UDP, changing the IP address to yet another
IP address. This is a common configuration for small businesses.
* I also have an Apache Web server which uses both port 80 and port
433. I believe while you can redirect port 80 traffic to another
server, because port 443 traffic is encrypted, it cannot be
redirected. The above two systems do not use Apache, but do want to
have use of port 443.
* Reading documentation for Openmeetings which pointed to Kurento
Media Server documentation: "If Kurento Media Server, its Application
Server, or any of the clients are located behind a NAT, you need to
use a STUN or a TURN server in order to achieve NAT traversal."

Questions

Are there any video conferencing systems that can work from inside a
NAT DMZ? Note: I used to use OpenMeeting 2.0 quite effectively
inside a NAT DMZ, and because it did not require the use of port
443, it ran nicely in our environment.

Would OpenMeetings work in a Debian 10 (Buster) environment? It did work
in Debian Squeeze, but a lot of underlying software has been updated
since that time.

Does OpenMeetings work in a single Docker container? (Not that I
use Docker.) I have seen some implementations of the above two systems
where part of the system is inside Docker but not the WebRTC
component.

Any useful thoughts on the above?


Regards,

George.

Re: General questions about DMZ, https, apache web server, single Internet IP address

Posted by YUP <yu...@gmail.com>.
Yes, I would like to confirm that it is (still) impossible to use only
one TCP port for OM. You should also have UDP ports open in your
firewall; it is a requirement :(

I even tried to use udptunnel, which can operate on a TCP port to handle
the UDP flow, but my attempt was unsuccessful too.

On Mon, Apr 6, 2020 at 4:42 PM Maxim Solodovnik <so...@gmail.com> wrote:
>
> Hello George,
>
> Welcome back :)
> I'm not sure about "any Video Conferencing systems"
> OM 4.0.10 will work almost the same as 2.0.x (it will additionally require a websocket connection on the same port as OM) [will use Flash]
> OM 5.0.x CAN be set up to work over a single SSL port, but an additional server for TURN will be required :(
>
> @Yarema, on this ML, tried to get everything configured via a single HTTPS port, but this seems to be impossible
>
> On Mon, 6 Apr 2020 at 05:30, Kirkham, George <Op...@goproject.info> wrote:
>>
>> Hi,
>>
>> Background
>>
>> Reading about Jitsi and BigBlueButton, it seems the underlying software they use requires a "direct connection to the internet" and exclusive use of port 443.
>>
>> While my infrastructure has a single external IP address, a router that changes the Internet-facing IP address to an internal IP address, and a DMZ via a NAT firewall which handles UDP, changing the IP address to yet another IP address. This is a common configuration for small businesses.
>> I also have an Apache Web server which uses both port 80 and port 433. I believe while you can redirect port 80 traffic to another server, because port 443 traffic is encrypted, it cannot be redirected. The above two systems do not use Apache, but do want to have use of port 443.
>>
>> Reading documentation for Openmeetings which pointed to Kurento Media Server documentation: "If Kurento Media Server, its Application Server, or any of the clients are located behind a NAT, you need to use a STUN or a TURN server in order to achieve NAT traversal."
>>
>>
>> Questions
>>
>> Are there any video conferencing systems that can work from inside a NAT DMZ? Note: I used to use OpenMeeting 2.0 quite effectively inside a NAT DMZ, and because it did not require the use of port 443, it ran nicely in our environment.
>>
>> Would OpenMeetings work in a Debian 10 (Buster) environment? It did work in Debian Squeeze, but a lot of underlying software has been updated since that time.
>>
>> Does OpenMeetings work in a single Docker container? (Not that I use Docker.) I have seen some implementations of the above two systems where part of the system is inside Docker but not the WebRTC component.
>>
>> Any useful thoughts on the above ?
>>
>> Regards,
>>
>> George.
>>
>
>
> --
> Best regards,
> Maxim

Re: General questions about DMZ, https, apache web server, single Internet IP address

Posted by Maxim Solodovnik <so...@gmail.com>.
Hello George,

Welcome back :)
I'm not sure about "any Video Conferencing systems"
OM 4.0.10 will work almost the same as 2.0.x (it will additionally require a
websocket connection on the same port as OM) [will use Flash]
OM 5.0.x CAN be set up to work over a single SSL port, but an additional
server for TURN will be required :(

@Yarema, on this ML, tried to get everything configured via a single HTTPS port,
but this seems to be impossible

On Mon, 6 Apr 2020 at 05:30, Kirkham, George <Op...@goproject.info>
wrote:

> Hi,
>
> *Background*
>
>
>    - Reading about Jitsi and BigBlueButton, it seems the underlying
>    software they use requires a "direct connection to the internet" and
>    exclusive use of port 443.
>
>    - While my infrastructure has a single external IP address, a router
>    that changes the Internet-facing IP address to an internal IP address, and a DMZ via a NAT
>    firewall which handles UDP, changing the IP address to yet another IP address.
>    This is a common configuration for small businesses.
>    - I also have an Apache Web server which uses both port 80 and port
>    433. I believe while you can redirect port 80 traffic to another server,
>    because port 443 traffic is encrypted, it cannot be redirected. The above
>    two systems do not use Apache, but do want to have use of port 443.
>
>    - Reading documentation for Openmeetings which pointed to Kurento
>    Media Server documentation: "If Kurento Media Server, its Application
>    Server, or any of the clients are located behind a NAT, you need to use a
>    STUN or a TURN server in order to achieve NAT traversal."
>
>
> *Questions*
>
> Are there any video conferencing systems that can work from inside a NAT
> DMZ? Note: I used to use OpenMeeting 2.0 quite effectively inside a NAT
> DMZ, and because it did not require the use of port 443, it ran nicely in
> our environment.
>
> Would OpenMeetings work in a Debian 10 (Buster) environment? It did work in
> Debian Squeeze, but a lot of underlying software has been updated since
> that time.
>
> Does OpenMeetings work in a single Docker container? (Not that I use
> Docker.) I have seen some implementations of the above two systems where
> part of the system is inside Docker but not the WebRTC component.
>
> Any useful thoughts on the above ?
>
> Regards,
>
> George.
>

-- 
Best regards,
Maxim

Re: General questions about DMZ, https, apache web server, single Internet IP address

Posted by Maxim Solodovnik <so...@gmail.com>.
No problem then :)
You can set up both OM<->world and OM<->Apache<->world (latter
configuration will use more "natural" 443 port + TURN ports only)

On Tue, 7 Apr 2020 at 10:37, Kirkham, George <Op...@goproject.info>
wrote:

> Hi,
>
> Thanks for the replies.
>
> I have no issue opening UDP ports 40000-60000, nor is it an issue for me
> to use extra TCP or UDP ports other than port 443. That is using ports 80,
> 443, 2443, 3443, 5070, 50-70, 5443, 8080, 8443, etc.
>
> People who would be connected to my OpenMeetings server should not be
> behind restrictive firewalls, so I would not need to exclusively use just
> port 443.
>
> Thus if my Apache web server was using port 443, I do not mind using port
> 5443, 5080, and UDP ports 40000-60000 for OpenMeetings, if this is possible?
>
> Are there other ports that need to be opened?
>
> FYI: My firewall has never had issues forwarding UDP ports in the past.
>
> https://openmeetings.apache.org/PortSettings.html
> *Port settings*
> Default Configuration
>     *Port 5443:* HTTPS (For web interface)
>     *Port 5080:* HTTP (For unsecured web interface, useful if SSL proxy
> is being used)
>
> Configure alternative ports
> You need to change the $OM_HOME/conf/server.xml file; the OpenMeetings server needs
> to be restarted so that the changes are online.
> Preventing Firewall issues
>
> A common way of bypassing the firewall is to change HTTP port to 80
>
> On Tuesday, 07-04-2020 at 11:03 Maxim Solodovnik wrote:
>
> The problem here: TURN required UDP in range: 40000-60000 and it seems to
> be impossible to pass all these connections via 443
>
> On Tue, 7 Apr 2020 at 02:31, Zenon Panoussis <or...@provocation.net>
> wrote:
>
>>
>> > I believe while you can redirect port 80 traffic to another
>> > server, because port 443 traffic is encrypted, it cannot be
>> > redirected.
>>
>> It can, as long as it is done transparently. If you have, say,
>> serviceA on internalhostA:443 and serviceB on internalhostB:443,
>> you can tell the router something like
>>
>> incoming on port 2443 -> hostA:443
>> incoming on port 3443 -> hostB:443
>>
>> If the router is running linux, the above is very simple:
>>
>> iptables -A PREROUTING -t nat -i wan0 -p tcp --dport 2443 -j DNAT --to 192.168.1.10:443
>> iptables -A PREROUTING -t nat -i wan0 -p tcp --dport 3443 -j DNAT --to 192.168.1.20:443
>> iptables -A FORWARD -p tcp --dport 443 -j ACCEPT
>>
>> Cheers,
>>
>> Z
>>
>
> --
> Best regards,
> Maxim

-- 
Best regards,
Maxim

Re: General questions about DMZ, https, apache web server, single Internet IP address

Posted by "Kirkham, George" <Op...@goproject.info>.
Hi,


Thanks for the replies.


I have no issue opening UDP ports 40000-60000, nor is it an issue for
me to use extra TCP or UDP ports other than port 443. That is using
ports 80, 443, 2443, 3443, 5070, 50-70, 5443, 8080, 8443, etc. 



People who would be connected to my OpenMeetings server should not be
behind restrictive firewalls, so I would not need to exclusively use
just port 443.


Thus if my Apache web server was using port 443, I do not mind using
port 5443, 5080, and UDP ports 40000-60000 for OpenMeetings, if this
is possible?


Are there other ports that need to be opened?



FYI: My firewall has never had issues forwarding UDP ports in the
past.



https://openmeetings.apache.org/PortSettings.html
Port settings
Default Configuration
    Port 5443: HTTPS (For web interface)
    Port 5080: HTTP (For unsecured web interface, useful if SSL
proxy is being used)

Configure alternative ports
You need to change the $OM_HOME/conf/server.xml file; the OpenMeetings server
needs to be restarted so that the changes are online.
Preventing Firewall issues

A common way of bypassing the firewall is to change HTTP port to 80


On Tuesday, 07-04-2020 at 11:03 Maxim Solodovnik wrote:


The problem here: TURN required UDP in range: 40000-60000 and it seems
to be impossible to pass all these connections via 443

On Tue, 7 Apr 2020 at 02:31, Zenon Panoussis wrote:

> I believe while you can redirect port 80 traffic to another
> server, because port 443 traffic is encrypted, it cannot be
> redirected. 

It can, as long as it is done transparently. If you have, say,
serviceA on internalhostA:443 and serviceB on internalhostB:443,
you can tell the router something like

incoming on port 2443 -> hostA:443
incoming on port 3443 -> hostB:443

If the router is running linux, the above is very simple:

iptables -A PREROUTING -t nat -i wan0 -p tcp --dport 2443 -j DNAT --to 192.168.1.10:443
iptables -A PREROUTING -t nat -i wan0 -p tcp --dport 3443 -j DNAT --to 192.168.1.20:443
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT

Cheers,

Z

-- 
Best regards,
Maxim

Re: General questions about DMZ, https, apache web server, single Internet IP address

Posted by Maxim Solodovnik <so...@gmail.com>.
The problem here: TURN required UDP in range: 40000-60000 and it seems to
be impossible to pass all these connections via 443

On Tue, 7 Apr 2020 at 02:31, Zenon Panoussis <or...@provocation.net> wrote:

>
> > I believe while you can redirect port 80 traffic to another
> > server, because port 443 traffic is encrypted, it cannot be
> > redirected.
>
> It can, as long as it is done transparently. If you have, say,
> serviceA on internalhostA:443 and serviceB on internalhostB:443,
> you can tell the router something like
>
> incoming on port 2443 -> hostA:443
> incoming on port 3443 -> hostB:443
>
> If the router is running linux, the above is very simple:
>
> iptables -A PREROUTING -t nat -i wan0 -p tcp --dport 2443 -j DNAT --to 192.168.1.10:443
> iptables -A PREROUTING -t nat -i wan0 -p tcp --dport 3443 -j DNAT --to 192.168.1.20:443
> iptables -A FORWARD -p tcp --dport 443 -j ACCEPT
>
> Cheers,
>
> Z
>

-- 
Best regards,
Maxim

Re: General questions about DMZ, https, apache web server, single Internet IP address

Posted by Zenon Panoussis <or...@provocation.net>.
> I believe while you can redirect port 80 traffic to another
> server, because port 443 traffic is encrypted, it cannot be
> redirected. 

It can, as long as it is done transparently. If you have, say,
serviceA on internalhostA:443 and serviceB on internalhostB:443,
you can tell the router something like

incoming on port 2443 -> hostA:443
incoming on port 3443 -> hostB:443

If the router is running linux, the above is very simple:

iptables -A PREROUTING -t nat -i wan0 -p tcp --dport 2443 -j DNAT --to 192.168.1.10:443
iptables -A PREROUTING -t nat -i wan0 -p tcp --dport 3443 -j DNAT --to 192.168.1.20:443
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT

Cheers,

Z
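As an added example (not from the thread, and not OpenMeetings or Kurento project code) that ties Zenon's DNAT rules to George's port question: a router ruleset for one public IP that keeps tcp/443 with Apache, forwards OpenMeetings' tcp/5443 and the TURN range udp/40000-60000 to the OM host, and replaces the blanket "FORWARD --dport 443 ACCEPT" with rules that only accept flows the nat table actually rewrote. The interface name wan0 and the two internal addresses are assumptions; DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: single-public-IP router ruleset for
# Apache (tcp/443), OpenMeetings (tcp/5443) and the TURN UDP range
# (40000-60000). FORWARD only accepts traffic the nat table DNAT'd.
WAN_IF="${WAN_IF:-wan0}"
APACHE_HOST="${APACHE_HOST:-192.168.1.10}"   # assumed: Apache in the DMZ
OM_HOST="${OM_HOST:-192.168.1.20}"           # assumed: OpenMeetings + TURN
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print rules, 0 = apply

# Print the rule (dry run) or pass it to iptables.
run_rule() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

# dnat_rule PROTO EXT_PORT HOST [DEST_PORT]
# Rewrites inbound PROTO/EXT_PORT on the WAN side to HOST:DEST_PORT.
# With EXT_PORT given as "lo:hi" and no DEST_PORT, the original
# destination port is preserved, which is what a TURN relay range needs.
dnat_rule() {
  if [ -n "$4" ]; then
    run_rule -t nat -A PREROUTING -i "$WAN_IF" -p "$1" --dport "$2" -j DNAT --to-destination "$3:$4"
  else
    run_rule -t nat -A PREROUTING -i "$WAN_IF" -p "$1" --dport "$2" -j DNAT --to-destination "$3"
  fi
}

# forward_rule PROTO HOST PORT
# Accept only packets whose destination was rewritten by DNAT, to the
# intended host and port; nothing else entering from the WAN is forwarded.
forward_rule() {
  run_rule -A FORWARD -i "$WAN_IF" -p "$1" -d "$2" --dport "$3" -m conntrack --ctstate DNAT -j ACCEPT
}

# Full ruleset for the layout discussed in the thread.
build_ruleset() {
  run_rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  dnat_rule tcp 443 "$APACHE_HOST" 443          # public 443 stays with Apache
  forward_rule tcp "$APACHE_HOST" 443
  dnat_rule tcp 5443 "$OM_HOST" 5443            # OpenMeetings HTTPS port
  forward_rule tcp "$OM_HOST" 5443
  dnat_rule udp 40000:60000 "$OM_HOST"          # TURN media relay range
  forward_rule udp "$OM_HOST" 40000:60000
}
build_ruleset
```

The rules assume a FORWARD chain whose default policy is DROP and a separate MASQUERADE rule for the outbound path; the TURN server itself must still be configured with the public address so the candidates it hands out are reachable.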