Setup BBB only ports 80 443 on client side needed

Jonathan

Jun 9, 2021, 10:04:09 AM
to BigBlueButton-dev
Hi,

We often have problems with users behind restricted firewalls who cannot access our BBB because the required ports are blocked (they can't even connect utilizing our TURN/STUN server).

Is there a way to set up a BBB so that clients only need to have TCP Port 80 / 443 open to connect? Maybe over a reverse proxy etc.?

Any ideas are much appreciated!
Cheers Jonathan

Daniel Schröter

Jun 12, 2021, 11:25:45 AM
to BigBlueButton-dev
jona...@gmail.com wrote on Wednesday, June 9, 2021 at 16:04:09 UTC+2:
> We often have problems with users behind restricted firewalls who cannot access our BBB because the required ports are blocked (they can't even connect utilizing our TURN/STUN server).
> Is there a way to set up a BBB so that clients only need to have TCP Port 80 / 443 open to connect? Maybe over a reverse proxy etc.?

Yes, with turn server ;-)

I'm running a BBB and can access everything if I restricted my local firewall to 80,443 (and 53 for DNS).

Maybe your turn configuration is not working as expected?
I configured turn in bbb on my site and after several weeks I saw a configuration issue :-o

Maybe you can test it with test.bigbluebutton.org?

Hiroshi Suga

Jun 12, 2021, 10:49:12 PM
to BigBlueButton-dev
I am afraid that fixing the Turn server is the only feasible solution. 

Setting up a stable coturn server is not straightforward. I have, for instance, this problem:

Safari/iOS also shows some connection problems even for using STUN service.

sd...@distancelearning.cloud

Jun 14, 2021, 7:55:49 AM
to bigblueb...@googlegroups.com

Make sure stun/turn is explicitly using port 443 and not 3478 in your stun/turn config files.

 

Regards,

Stephen

Jonathan

Jun 16, 2021, 6:21:20 AM
to BigBlueButton-dev
Hi all,

thanks for your answers! We thought we had a pretty standard config. Can you spot anything wrong with this Turn Server conf:
---------------------------------------
listening-port=3478
tls-listening-port=443

alt-tls-listening-port=5349 # We used that as an iOS workaround

external-ip=XXX

min-port=32769
max-port=65535

fingerprint

lt-cred-mech

use-auth-secret
static-auth-secret=XXX


cert=XXX
pkey=XXX

cipher-list="ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
dh2066

no-tlsv1
no-tlsv1_1

simple-log

# To enable timestamps in logs
new-log-timestamp

------------------------------------------------------------

Best Jonathan
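
An added example, not part of any post in this thread and not BigBlueButton or coturn code: a small check that takes the listener ports from a coturn configuration like the one posted above and a list of TURN URIs handed to clients, and reports which URIs a client limited to outbound TCP 80/443 can actually use. The URI list and the host `turn.example.com` are constructed placeholders; only the port values come from the post.

```python
from urllib.parse import parse_qs

# Constructed sample: port values taken from the turnserver.conf posted above.
SAMPLE_CONF = """\
listening-port=3478
tls-listening-port=443
alt-tls-listening-port=5349 # inline comment, as in the post
min-port=32769
max-port=65535
"""
# Constructed client-facing TURN URIs (RFC 7065 syntax); the host is a placeholder.
SAMPLE_URIS = [
    "turn:turn.example.com:3478",
    "turns:turn.example.com:5349?transport=tcp",
    "turns:turn.example.com:443?transport=tcp",
]
PORT_KEYS = ("listening-port", "alt-listening-port",
             "tls-listening-port", "alt-tls-listening-port")

def listener_ports(conf_text):
    """Ports coturn listens on. Only port numbers are compared, because coturn
    detects plain vs. TLS traffic on a listener by itself."""
    found = {"listening-port": 3478, "tls-listening-port": 5349}  # coturn defaults
    for line in conf_text.splitlines():
        key, _, value = line.split("#", 1)[0].strip().partition("=")
        if key in PORT_KEYS and value.strip().isdigit():
            found[key] = int(value)
    return set(found.values())

def parse_turn_uri(uri):
    """Split an RFC 7065 URI into (scheme, host, port, transport)."""
    scheme, _, rest = uri.partition(":")
    hostport, _, query = rest.partition("?")
    host, _, port = hostport.partition(":")
    # RFC 7065 defaults: turn -> 3478 over UDP, turns -> 5349 over TCP (TLS).
    default_port, default_transport = {"turn": (3478, "udp"), "turns": (5349, "tcp")}[scheme]
    transport = parse_qs(query).get("transport", [default_transport])[0]
    return scheme, host, int(port or default_port), transport

def reachable_uris(uris, conf_text, client_tcp_ports=(80, 443)):
    """URIs usable by a client whose firewall only allows these outbound TCP ports."""
    listening = listener_ports(conf_text)
    usable = []
    for uri in uris:
        _, _, port, transport = parse_turn_uri(uri)
        if transport == "tcp" and port in client_tcp_ports and port in listening:
            usable.append(uri)
    return usable

if __name__ == "__main__":
    print(reachable_uris(SAMPLE_URIS, SAMPLE_CONF))
```

The `min-port`/`max-port` relay range is deliberately not checked: relay addresses are allocated on the TURN server for traffic to and from the peer, so the restricted client only needs to reach the listener port.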

Jonathan

Jun 16, 2021, 6:29:43 AM
to BigBlueButton-dev
Also one more specific question here: how did you test that locally? Can u send me a Linux command or site. I couldn't get it to work ...

Jonathan

Jun 16, 2021, 6:39:01 AM
to BigBlueButton-dev
I just tried
sudo ufw allow in "Nginx Full"

which results in this (sorry, it's in German, but I think you get the idea):

Status: Aktiv // active
Protokollierung: on (low)
Voreinstellung: deny (eingehend // inbound), allow (abgehend //outbound), deny (gesendet//send)
Neue Profile: skip

Zu                         Aktion      Von
--                         ------      ---
80,443/tcp (Nginx Full)    ALLOW IN    Anywhere                  
80,443/tcp (Nginx Full (v6)) ALLOW IN    Anywhere (v6) 