Sametime Meetings Premium internally without Google STUN servers
Daniel Nashed – 23 December 2020 19:52:51
We ran into this today. A customer is using ST Meetings Premium in their intranet and have no connection outside.
This isn't only a challenge for software installation and updates, but also causes issues with ST meetings if the Google STUN servers cannot be reached.
Side note: The update from Pre-Release to Premium by the way just took 1 hour for the meeting server, community server and proxy server all togehter!
A STUN server is actually a TURN server, taking care that server and client can talk to each other if a NAT environment is involved.
This can hit you even in an intranet depending on the network segmentation with IPv4 addressing.
In case NAT is involved you would need an internal TURN server. If no NAT is involved you still have to disable the Google STUN servers.
Disable STUN Servers in intranet without NAT
To disable the STUN servers you have to modify the hidden internal configuration file .env. (the file has a leading dot which makes it hidden on Linux).
The line to disable looks like this by default:
JVB_STUN_SERVERS=stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:19302
In addtion you have to set to set the DOCKER_HOST_ADDRESS to the exposed, accessible IP address in your custom.env file.
This should be the primary interface of your Docker host!
# IP address of the Docker host. Check LAN configuration of the system. If the host has multiple interfaces,
# choose the one which is considered the routable IP for the host.
DOCKER_HOST_ADDRESS=192.168.96.15
After you made the change, you have to restart your environment.
The easiest way is to use "docker-compose down" and "docker-compose up -d".
In one case my containers have not been removed cleanly and I had to use a "docker-compose rm".
Tip: To ensure the changes are applied you should remove the jitsi-config folder before your bring up the server again.
Side note: This will overwrite your private key and certificate for the web-server usually you have replaced it with your own key and you have to copy it again.
In case the server created a self signed, you are getting a new one and all users get a security warning.
You should always deploy a real certificate! And keep a copy outside the directory to copy it back again.
The keys are located in jitsi-config/jibri_web/keys and they are called cert.crt and cert.key
Test if you can access the Google STUN servers
There is a client you can install to check the connection.
Here is an example how to install and test.
You can use the same test on your own TURN server later.
yum install -y epel-release
yum install -y coturn-utils
turnutils_uclient -v -p 19302 stun.l.google.com
Installing your own TURN server
In case you have NAT connections internally you can install your own TURN server.
If running on CentOS or RHEL this is very easy. The most used TURN server project is https://github.com/coturn/coturn
I have installed the server locally without any modification.
Installation
yum install coturn
Enable and start systemd service
systemctl enable coturn
systemctl start coturn
The configuration is located here --> /etc/coturn/turnserver.conf
The default used port 3478 and 3479 and you have to open those ports in your firewall for TCP and UDP!!! (can be OS firewall and/or corporate internal firewalls)
Afterwards you can change your STUN server configuration in .env like this and start the ST meeting server again:
JVB_STUN_SERVERS=192.168.96.213:3478
Reference for the general info an topology configurations. https://help.hcltechsw.com/sametime/11.5/admin/topology.html
Conclusion
A NAT environment can also be an intranet environment. It doesn't need to be an outside connection.
So you either disable the STUN server as described if no NAT is involved or install your own TURN server.
Thanks to the HCL Sametime Support team to quickly help us to figure out what was going wrong!!
Most of it is documented but not exactly with this background and in one place.
-- Daniel
- Comments [1]
![[HCL Domino]](../lotus-domino.gif){kind=small}
![[Domino on Linux]](../domino-linux.gif){kind=small}
![[Nash!Com]](../nashcom.gif){kind=small}
![[Daniel Nashed]](../daniel-nsh.gif){kind=small}