Hello,
has anyone already managed to get a Jitsi Meet server running behind a Sophos via the WAF?
Of course I could forward the ports directly, but then Exchange and other services would no longer be reachable via the HTTPS WAF.
Does anyone perhaps have a tip for me?
Regards, Frank
You'll have to have a DNAT rule for 10000/UDP from external to your Jitsi server. WAF with 80/TCP and 443/TCP should work at least for non-restricted clients.
Hi FischerFrank,
Thank you for reaching out to the Community!
Check out the following troubleshooting document for WAF and see if that helps you identify the issue.
Thanks,
Community Support Engineer | Sophos Technical Support
Hi H_Patel,
the WAF works with 3 web servers behind the Sophos SG.
But I can't reach the Jitsi Meet server behind the Sophos SG via the WAF.
If I disable WAF and do NAT with ports 80, 443 and 10000 it works, but not with WAF.
I need to get this working.
With WAF I get this error:
Proxy Error: The proxy server received an invalid response from an upstream server. The proxy server could not handle the request GET /. Reason: Error reading from remote server
regards
frank
Hello Frank,
welcome to the Community!
(Sorry, my German-speaking brain isn't creating thoughts at the moment.)
Please show about 50 related lines from the Web Application Firewall log.
Regards - Bob (Please continue in German.)
Hi Bob,
this is what I get in the log.
2020:10:25-16:34:33 gateway httpd[32399]: [proxy_http:error] [pid 32399:tid 3951938416] (70014)End of file found: [client 109.42.3.49:1313] AH01102: error reading status line from remote server JITSI_Internal_IP:443
2020:10:25-16:34:33 gateway httpd[32399]: [proxy:error] [pid 32399:tid 3951938416] [client 109.42.3.49:1313] AH00898: Error reading from remote server returned by /
2020:10:25-16:34:33 gateway httpd: id="0299" srcip="109.42.3.49" localip="WAN_IP" size="379" user="-" host="109.42.3.49" method="GET" statuscode="502" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken, SkipCookieSigning, SkipThreatsFilter" time="13423" url="/" server="meet.myhost.net" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="X5WbCTLoppOChxHZZUspMwAAAKs"
2020:10:25-16:34:35 gateway httpd[32399]: [proxy_http:error] [pid 32399:tid 3951938416] (70014)End of file found: [client 109.42.3.49:1313] AH01102: error reading status line from remote server JITSI_Internal_IP:443, referer: https://meet.myhost.net/
2020:10:25-16:34:35 gateway httpd: id="0299" srcip="109.42.3.49" localip="WAN_IP" size="0" user="-" host="109.42.3.49" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken, SkipCookieSigning, SkipThreatsFilter" time="12671" url="/favicon.ico" server="meet.myhost.net" port="80" query="" referer="https://meet.myhost.net/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="X5WbCzLoppOChxHZZUspNAAAAKs"
2020:10:25-16:34:35 gateway httpd[32399]: [proxy_http:error] [pid 32399:tid 4061043568] (70014)End of file found: [client 109.42.3.49:10196] AH01102: error reading status line from remote server JITSI_Internal_IP:443, referer: https://meet.myhost.net/
2020:10:25-16:34:35 gateway httpd[32399]: [proxy:error] [pid 32399:tid 4061043568] [client 109.42.3.49:10196] AH00898: Error reading from remote server returned by /favicon.ico, referer: https://meet.myhost.net/
2020:10:25-16:34:35 gateway httpd: id="0299" srcip="109.42.3.49" localip="WAN_IP" size="401" user="-" host="109.42.3.49" method="GET" statuscode="502" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken, SkipCookieSigning, SkipThreatsFilter" time="12732" url="/favicon.ico" server="meet.myhost.net" port="443" query="" referer="https://meet.myhost.net/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="X5WbCzLoppOChxHZZUspNQAAAJ4"
2020:10:25-16:34:37 gateway httpd: id="0299" srcip="109.42.3.49" localip="WAN_IP" size="29" user="-" host="109.42.3.49" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" time="5060770" url="/Microsoft-Server-ActiveSync" server="mail.freaky-media.net" port="443" query="?Cmd=Ping&User=frank&DeviceId=SEC1037E3C4CCECF&DeviceType=SamsungDevice" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="X5WbCDLoppOChxHZZUspMQAAALw"
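As an added example (not Frank's log tooling or anything from Sophos), a small Python parser for WAF log lines in the format quoted above: it separates the Apache upstream-read failures (AH01102) from the id="0299" access records and reports which virtual servers only ever returned 5xx, which is the pattern the Jitsi virtual server shows. The sample lines are constructed with placeholder addresses, hostnames and uids.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Sophos UTM WAF httpd log format quoted in the
# thread; addresses, hostnames and uids are placeholders, not values from the page.
SAMPLE_LOG = """\
2020:10:25-16:34:33 gateway httpd[32399]: [proxy_http:error] [pid 32399:tid 3951938416] (70014)End of file found: [client 192.0.2.10:1313] AH01102: error reading status line from remote server 10.0.0.5:443
2020:10:25-16:34:33 gateway httpd[32399]: [proxy:error] [pid 32399:tid 3951938416] [client 192.0.2.10:1313] AH00898: Error reading from remote server returned by /
2020:10:25-16:34:33 gateway httpd: id="0299" srcip="192.0.2.10" localip="198.51.100.1" size="379" user="-" host="192.0.2.10" method="GET" statuscode="502" reason="-" extra="-" exceptions="SkipAntiVirus" time="13423" url="/" server="meet.example.net" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="constructed-uid-1"
2020:10:25-16:34:35 gateway httpd: id="0299" srcip="192.0.2.10" localip="198.51.100.1" size="0" user="-" host="192.0.2.10" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="12671" url="/favicon.ico" server="meet.example.net" port="80" query="" referer="https://meet.example.net/" cookie="-" set-cookie="-" uid="constructed-uid-2"
2020:10:25-16:34:37 gateway httpd: id="0299" srcip="192.0.2.10" localip="198.51.100.1" size="29" user="-" host="192.0.2.10" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" time="5060770" url="/Microsoft-Server-ActiveSync" server="mail.example.net" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="constructed-uid-3"
"""

# key="value" pairs of an access record, and the Apache upstream-read failure (AH01102)
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')
UPSTREAM_RE = re.compile(r'AH01102: error reading status line from remote server ([\w.:-]+?):(\d+)')

def parse_access(line):
    """Fields of a WAF access record (the 'httpd: id="0299"' lines); None for other lines."""
    if ' httpd: id="' not in line:
        return None
    return dict(KV_RE.findall(line))

def summarize(log_text):
    """Count requests and 5xx responses per virtual server, and AH01102 failures per backend."""
    by_vhost = defaultdict(lambda: {"requests": 0, "5xx": 0})
    upstream_failures = defaultdict(int)
    for line in log_text.splitlines():
        m = UPSTREAM_RE.search(line)
        if m:
            upstream_failures[f"{m.group(1)}:{m.group(2)}"] += 1
            continue
        fields = parse_access(line)
        if not fields:
            continue  # AH00898 and other non-access lines carry nothing extra here
        key = f'{fields["server"]}:{fields["port"]}'
        by_vhost[key]["requests"] += 1
        if fields["statuscode"].startswith("5"):
            by_vhost[key]["5xx"] += 1
    return dict(by_vhost), dict(upstream_failures)

def failing_vhosts(log_text):
    """Virtual servers whose every logged request ended in a 5xx: the WAF never got a usable reply."""
    by_vhost, _ = summarize(log_text)
    return sorted(k for k, v in by_vhost.items() if v["requests"] and v["5xx"] == v["requests"])

if __name__ == "__main__":
    vhosts, upstream = summarize(SAMPLE_LOG)
    print(vhosts, upstream, failing_vhosts(SAMPLE_LOG))
```

Run against a real export, the backend keys in the second result (host:port of the upstream) tell you which real server the WAF could not read an HTTP status line from, while healthy virtual servers such as the mail one keep a 5xx count of zero.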
You're right, that's not much more info than what you already said, Frank. Let's look at pictures of the edits of the Virtual Server with 'Advanced' open and of the Firewall Profile.
So here are some pics from the backend.
Firewall Profile: all disabled, so no scan or check is done.
I had done this with the other ports, 4443 -
by NAT, port 10000 is redirected to Jitsi Meeting.
Maybe this helps ..
If you need any other information, get in touch.
Best regards,
Frank
The only thing I can see to try, Frank, is 'HTML umschreiben'. If that doesn't work, then I would say that you've proven that Jitsi is not compatible with WAF.
This I fear - every option I try ends in an error.
Hope someone else found a solution.
Is Jitsi configured to know internal/external address? Read https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart#setup-and-configure-your-firewall
The following extra lines need to be added to the file /etc/jitsi/videobridge/sip-communicator.properties:
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=<Local.IP.Address>
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=<Public.IP.Address>
And comment out the existing org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES.
Be aware that Jitsi clients will try to fall back to 443/TCP if 10000/UDP is blocked. Here comes the problem: Jitsi's 443/TCP connection is _NO_ HTTP, so Sophos WAF can't handle it. That said, external connections will only work with 10000/UDP opened.
Another point is Sophos' flood protection. Watch your logs and be sure to increase the values there if the protection fires.
I'm running Jitsi behind UTM WAF without issue. I use the docker-compose version.
Wildcard cert, https & redirect. Had no issues.