
Jitsi Meet with WAF

Hello,

Has anyone already got a Jitsi Meet server running behind a Sophos via the WAF?

Of course I could forward the ports directly, but then Exchange and other services would no longer be reachable through the HTTPS WAF.

Does anyone perhaps have a tip for me?

Regards, Frank



  • I'm running Jitsi behind UTM WAF without issue. I use the docker-compose version.

    Wildcard cert, https & redirect. Had no issues.

  • Interesting. Http/https handled by WAF? Which ports did you redirect? 10000/UDP? What happens if a client in a restricted network, where 10000/UDP outgoing is blocked, joins a meeting?

  • Not having issues with 10000/UDP, it all just seems to work over https. I seriously did almost nothing to get it up and running other than the basic config for the docker-compose .env and yaml.



    [edited by: RaveNet at 8:27 AM (GMT -8) on 2 Dec 2020]
  • First of all, thanks for your insights, this might help others.

    For sure your configuration will work if 10000/UDP isn't blocked in clients' networks. Unfortunately most corporate networks are very restrictive and block outgoing UDP connections.

    As far as I know Jitsi tries to fall back to 443/TCP if 10000/UDP is blocked. Then clients will use just a TCP connection, but not HTTPS, so the WAF won't be able to handle this traffic. Also I would guess that there will also be a problem at the client side if a client's HTTPS traffic is handled by a web proxy and 10000/UDP is blocked.

    Is your Jitsi only used in your internal network or are there also external clients? Do you additionally use an external TURN server?
