
Jitsi Meet with WAF

Hello,

has anyone managed to get a Jitsi Meet server running behind a Sophos via the WAF?

Of course I could forward the ports directly, but then Exchange and other services would no longer be reachable via the HTTPS WAF.

Would anyone perhaps have a tip for me?

Regards, Frank



  • Hi H_Patel,

    The WAF works with 3 web servers behind the Sophos SG.

    But I can't reach the Jitsi Meet server behind the Sophos SG via the WAF.

    If I disable the WAF and do some NAT with ports 80, 443 and 10000 it works, but not with the WAF.

    I need to get this working.

    With the WAF I get this error:

    Proxy Error

    The proxy server received an invalid response from an upstream server.
    The proxy server could not handle the request GET /.

    Reason: Error reading from remote server

    regards

    frank

  • You'll have to have a DNAT rule for 10000/UDP from external to your Jitsi server. WAF with 80/TCP and 443/TCP should work, at least for non-restricted clients.

    Is Jitsi configured to know its internal/external address? Read https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart#setup-and-configure-your-firewall

    The following extra lines need to be added to the file /etc/jitsi/videobridge/sip-communicator.properties:

    org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=<Local.IP.Address>
    org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=<Public.IP.Address>

    And comment out the existing org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES.

    Be aware that Jitsi clients will try to fall back to 443/TCP if 10000/UDP is blocked. Here comes the problem: Jitsi's 443/TCP connection is _NOT_ HTTP, so the Sophos WAF can't handle it. That said, external connections will only work with 10000/UDP opened.

    Another point is Sophos' flood protection. Watch your logs and be sure to increase the values there if the protection fires.
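As an added example (not from the thread, and not Jitsi's own tooling), a small Python check that a sip-communicator.properties file actually contains the two NAT harvester lines from the reply above with real, distinct IP addresses and has the STUN mapping harvester line commented out; the sample file contents, the RFC 5737 addresses and the stun.example.net value are constructed.

```python
import ipaddress

# Constructed sample of /etc/jitsi/videobridge/sip-communicator.properties as the
# reply recommends (RFC 5737 documentation IPs; stun.example.net is a placeholder).
SAMPLE_GOOD = """\
#org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=stun.example.net:443
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=192.0.2.10
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=198.51.100.20
"""

# Constructed sample of a half-finished edit: placeholder left in, STUN line active.
SAMPLE_BAD = """\
org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=stun.example.net:443
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=192.0.2.10
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=<Public.IP.Address>
"""

LOCAL = "org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS"
PUBLIC = "org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS"
STUN = "org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES"


def parse_properties(text):
    """Split Java .properties text into (active, commented) key->value dicts."""
    active, commented = {}, {}
    for line in map(str.strip, text.splitlines()):
        if not line:
            continue
        target = active
        if line[0] in "#!":  # both characters start a .properties comment
            target, line = commented, line[1:].strip()
        key, sep, value = line.partition("=")
        if sep:
            target[key.strip()] = value.strip()
    return active, commented


def check_nat_harvester(text):
    """Return findings; [] means the file matches the reply's advice."""
    active, _ = parse_properties(text)
    findings, addrs = [], {}
    for key in (LOCAL, PUBLIC):
        try:  # a missing key yields "" and fails parsing, just like a placeholder
            addrs[key] = ipaddress.ip_address(active.get(key, ""))
        except ValueError:
            findings.append(f"{key} missing or not an IP: {active.get(key)!r}")
    if len(addrs) == 2 and addrs[LOCAL] == addrs[PUBLIC]:
        findings.append("local and public NAT harvester addresses are identical")
    if STUN in active:
        findings.append(f"{STUN} is still active; comment it out")
    return findings
```

Run it against the real file with `check_nat_harvester(open("/etc/jitsi/videobridge/sip-communicator.properties").read())` before opening 10000/UDP; an empty list is the expected result.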
