3
How does WebRTC work with SmarterMail 17.x?
Problem reported by Stefan Mössner - 3/22/2020 at 3:19 PM
Resolved
Hello all,

I'm a user of SmarterMail 17.x Free and want to use the team workspace for video conferencing. But this doesn't work every time, or not with all features, and I think this is related to my network and firewall implementation.

What I want to do is:

  1. Connecting with an internal client to the SmarterMail server using Google Chrome. Because SSL is needed to get video and audio working, I have to connect to the external address of my server. The server is located in the same internal network as the client.
  2. Connecting from a second client to the SmarterMail server. This could be a mobile phone with Android 10 connected to LTE using Google Chrome.
This is my network design:

  1. I only have one public IP address. So this address is the same for my internal client connecting to the internet and for my server accessed from the internet.
  2. There is a Sophos UTM 9.7 firewall which terminates the SSL connection and forwards decrypted traffic to the server. The Sophos UTM works as WAF (web application firewall) for the server. The WAF is configured to passthrough websocket traffic to the server. 
  3. The firewall itself is connected to a DSL router which is connected to the internet. The Sophos UTM is an exposed host to the router to get all external traffic redirected to the firewall.
  4. The Sophos UTM is a transparent proxy with SSL interception for the internal clients connecting to the internet. For accessing the external address of my server there's a skip rule for the transparent proxy.
What's working and what's not working:

  1. Accessing the Team workspace is possible.
  2. Chat is working.
  3. Muting video and/or audio device is possible and this could be seen on the other client.
  4. Two internal Windows based clients can do video conferencing without issues.
  5. With Android 10 connected to the internal WLAN I got video up and running but there's no audio. And this isn't related to hardware issues. With Android 9 there are no issues with audio.
  6. Using Windows-based clients internally and externally requires opening all TCP and UDP ports from the internal to the external network for a working video conference.
  7. Using Android 10 from outside, there's no video and no audio.
Sometimes I saw outgoing UDP traffic from the internal client connecting to an external STUN/TURN server, and the external client tried to connect to the firewall on UDP ports. But opening these ports didn't help. I think the Sophos UTM doesn't know where to redirect these connections. For today I have no more ideas about how to get the video conference working with all the devices. For now it's working accidentally, so this isn't reliable.

To get WebRTC working I need some more information:

  1. Where is the signaling server for WebRTC? Is it the SmarterMail server?
  2. Is there a STUN/TURN server for relaying the UDP traffic?
  3. Which TCP and UDP ports are used by the WebRTC implementation of SmarterMail?
  4. Is there a detailed technical documentation of the WebRTC implementation in SmarterMail which helps to get the video conference working?
Hopefully you can help. Any ideas are welcome.

Thank You.
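
The STUN step asked about in question 2, shown as an added example (this is not SmarterMail's code and not part of the original post): a Binding Request and the Binding Response carrying XOR-MAPPED-ADDRESS, as specified in RFC 5389. The server side is simulated in-process so the script runs offline; the IP addresses and ports are constructed sample values. What the client learns from this exchange is the public address and port the firewall mapped for that one UDP socket (the "server-reflexive" candidate). If the firewall creates a different mapping per destination, or drops inbound UDP that was not initiated to that exact peer, the address reported by the STUN server is of no use to the other party, which is where a TURN relay comes in.

```python
"""STUN Binding exchange (RFC 5389) as a self-contained codec.

Added example, not SmarterMail code. It shows what a WebRTC client does
when it contacts a STUN server: it sends a Binding Request and the server
answers with the client's public (server-reflexive) address in an
XOR-MAPPED-ADDRESS attribute. The "server" side is simulated in-process so
the script runs offline; the addresses below are constructed sample data.
"""
import os
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4 = 0x01


def build_binding_request(txid: bytes) -> bytes:
    """20-byte STUN header, no attributes: type, length, cookie, 96-bit transaction id."""
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def _xor_ipv4(ip: str, port: int) -> bytes:
    """Encode ip:port as an XOR-MAPPED-ADDRESS value (RFC 5389 section 15.2)."""
    x_port = port ^ (MAGIC_COOKIE >> 16)
    ip_int = int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")
    x_addr = ip_int ^ MAGIC_COOKIE
    return struct.pack("!BBHI", 0, FAMILY_IPV4, x_port, x_addr)


def build_binding_response(txid: bytes, mapped_ip: str, mapped_port: int) -> bytes:
    """What a STUN server sends back: the source ip:port it saw the request arrive from."""
    attr_value = _xor_ipv4(mapped_ip, mapped_port)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(attr_value)) + attr_value
    header = struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid
    return header + attr


def parse_binding_response(data: bytes, expected_txid: bytes) -> tuple:
    """Return (ip, port) from XOR-MAPPED-ADDRESS. Anything with the wrong cookie or
    transaction id is not a response to our request and is rejected."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    txid = data[8:20]
    if cookie != MAGIC_COOKIE or txid != expected_txid:
        raise ValueError("not a response to our transaction")
    if msg_type != BINDING_SUCCESS:
        raise ValueError("STUN error or unexpected message type 0x%04x" % msg_type)
    body = data[20:20 + length]
    offset = 0
    while offset + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + attr_len]
        offset += 4 + ((attr_len + 3) & ~3)  # attribute values are padded to 4 bytes
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            _, family, x_port, x_addr = struct.unpack("!BBHI", value[:8])
            if family != FAMILY_IPV4:
                continue  # IPv6 (family 0x02) XORs with cookie+txid; not handled here
            port = x_port ^ (MAGIC_COOKIE >> 16)
            ip_int = x_addr ^ MAGIC_COOKIE
            ip = ".".join(str(b) for b in ip_int.to_bytes(4, "big"))
            return ip, port
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def discover_reflexive_address(nat_public_ip: str, nat_mapped_port: int) -> tuple:
    """Simulate one round trip. In a real run the request bytes would go over UDP to
    the configured STUN server (Chrome's default is Google's), and the mapped
    address would be whatever the NAT/firewall assigned to this socket."""
    txid = os.urandom(12)
    request = build_binding_request(txid)  # would be sent on the wire here
    # Constructed "server" behaviour: report the source address it observed, which
    # after NAT is the firewall's public address, not the client's LAN address.
    response = build_binding_response(txid, nat_public_ip, nat_mapped_port)
    del request
    return parse_binding_response(response, txid)


if __name__ == "__main__":
    ip, port = discover_reflexive_address("203.0.113.10", 61234)
    print("server-reflexive candidate: %s:%d" % (ip, port))
```

Run it as-is to see the round trip; to test against a real server, send the bytes from `build_binding_request` over UDP to a STUN server and feed the reply to `parse_binding_response` with the same transaction id.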

26 Replies

1
Christopher Hiatt Replied
I hope you get a solution.

I've been trying for two months. Crickets......

0
Stefan Mössner Replied
So, I'm not alone with this issue. This is good to know because at first I wasn't sure if it's an issue regarding my infrastructure. I didn't see your similar issue.

Today I did some further investigation using Wireshark: When trying to connect to an external system, the connection uses a STUN server from Google to handle the connection parameters. This is the normal way if there's no possibility to connect directly to the other system because of NAT etc. But then I don't see any UDP packets going to the external client. And I don't know what the external system is doing. Is it connecting to the same STUN server? And is it then trying to connect to the internal server directly via UDP? The packet capture on my Android phone isn't working as I expected.

Maybe there's a need to have a relay server to passthrough the firewall limitations regarding the requirements for getting WebRTC to work.
0
Stefan Mössner Replied
Interesting: Yesterday we tested video conferencing with an Android smartphone connected to the internal network and a Windows system outside. There were no issues with using the video conference. Actually I only opened all outgoing UDP ports instead of all TCP and UDP ports.

But it doesn't help to solve the issues I found and documented at start of this thread. The situation is more confusing now...
0
Christopher Hiatt Replied
Put the Android in airplane mode then turn on the wifi making sure it can't bypass your firewall on cellular data.
0
Stefan Mössner Replied
Putting the Android 10 in airplane mode and then turning on the wifi doesn't solve the issue of having video but no audio.

Yesterday I found out that WebRTC (with 3CX webmeeting) doesn't like HTTP and HTTPS proxies. Only bypassing the SSL intercept is not enough. You have to deactivate all proxy features. This is easy because you can set an exception rule with a regex for *.3cx.net.

But SmarterMail seems to have another implementation of WebRTC, which leads to the testing results I documented at the start of this thread. Conferencing between 2 Windows-based systems (1 inside and 1 outside of my network) and between an Android 9 (inside my network) and a Windows system (outside my network) works although there's no proxy exception set. You only need to open all outgoing UDP ports because WebRTC opens a direct connection to the conferencing partner for transferring the video and audio data.

For the Android devices the transparent proxy is bypassed because of certificate issues. For Windows systems the HTTP/HTTPS proxy is active.
0
Stefan Mössner Replied
Incoming or outgoing? I opened all outgoing UDP ports because dynamic UDP high ports are used when WebRTC is active. And for me it's not clear why it's working with Windows systems connected from outside but not with the Android 10. And with an internally connected Android 10 device using the Chrome browser I see video but I have no audio. An internally connected Android 9 doesn't have issues. Both devices have the same firewall and proxy policies on my Sophos UTM.
0
Stefan Mössner Replied
I don't see incoming connections with these ports from my Android 10 using LTE.
0
Stefan Mössner Replied
I'm using Windows Defender. I'm wondering why it's working with Windows based systems but not with Android at all. Last weekend we tested with another Android 9 device and there was the same issue like I have with Android 10. Last weekend a conference with 3 Windows based computers (1 internal and 2 external) worked fine. And on my Sophos UTM there's an IPS activated. But I have no events regarding blocked connections by IPS.
1
Andrew Barker Replied
Employee Post Marked As Resolution
The current BETA build has new settings for specifying STUN/TURN servers at the domain level. Specifying a TURN server will likely resolve many of the issues reported with connecting to users across network boundaries.
Andrew Barker Software Developer SmarterTools Inc. www.smartertools.com
0
Christopher Hiatt Replied
"Specifying a TURN server will likely resolve many of the issues reported "


In practice does this actually fix it?

Are there any suggested servers to use or is there any info on the proper syntax to enter the server data in the SmarterMail settings for this? This still doesn't work for me on users separated by an intelligent firewall.
0
Urs Replied
Hi Christopher

I tried it by installing coturn, but for me it did not work with Android on 4G webmail to a W10 desktop.
Android and desktop PC on the same network, all is working; as soon as the Android is e.g. on 4G - negative.
Checked with provider, ports are not blocked.

If you get it running, please write me how you did - thanks
0
Christopher Hiatt Replied
I wish they would just remove it or add some additional information on what is needed for it to work. 

But the same results as you. Works fine on same LAN segment. Just doesn't work when devices are separated across the firewall. I do get the box where the video should be, it is just empty.
0
Chris Mayer Replied
Hello All

We also have the problem in the newest SmarterMail with the team workspace that it works well inside the LAN, but if an external Mac user wants to connect, he or she hears and sees us from the LAN where the SmarterMail server also resides, but we do not see or hear him or her.

Also the video and microphone on the remote Mac are greyed out.

Do we need to configure something special to get that to work, or open any special firewall ports internet -> DMZ (SmarterMail server) or vice versa?

best regards chris
Chris Mayer Simple Hosting GmbH www.simplehosting.ch
0
Urs Replied
Hi Chris
you may also check this thread:

however if you get it up and running, please call me, I tried for days...
Gruess Urs

0
Chris Mayer Replied
Hello Urs

I didn't get it to work with STUN. I tried many different ports and servers and it never worked if 1 of the two test clients connected over a Fortigate firewall.
the only way was to install or test it with a TURN server where the traffic from both clients go over that server. with a TURN server it was working.

would be nice if here smartermail could improve that part of smartermail.

gruss chris
Chris Mayer Simple Hosting GmbH www.simplehosting.ch
0
Chris Replied
We deployed Prexip TURN Server (vmware based) and everything works now. So you guys need a TURN server.
0
Christopher Hiatt Replied
Prexip hides their pricing VERY well. Any info on it?
4
Chris Replied
I downloaded the TURN server for free. It’s wizard based setup and was really easy to deploy and the installation guide on their site was easy to follow. Although it was built for prexip, you would just plug in your smartermail server IPs as if they were prexip servers. Worked like a charm.
Previously had issues where audio or video wouldn’t connect over various firewalls. iOS devices didn’t work, etc. We ran several tests with 8 people at 8 locations and it worked beautifully. 
2
echoDreamz Replied
Just to add our usage in, we run CoTurn on a small Ubuntu box and have had no issues with audio/video across different devices.
0
Vincent Sammons Replied
This is an ENTERPRISE branded product. Most "enterprises" use NAT and enterprise firewalls. It would be great if they had more technical details on how to set this up with enterprise firewall solutions in place such as SonicWall and Cisco. I still do not see any technical details for a network engineer to make sure the proper ports and protocols are opened for this to work. If another product is required to use the video, it would be great to know what is recommended by SmarterMail. I was not able to find any technical documentation on this. It would be great to be able to utilize this functionality in our enterprise.

Please add this to the knowledge base for SonicWall Routers.
https://www.sonicwall.com/support/knowledge-base/configuring-consistent-nat-network-address-translation/170505836533942/

**Also note that if you have multiple IP addresses on your server, the XMPP should ONLY be bound to the NATed IP address.

Vincent Sammons
0
Christopher Hiatt Replied
Is a STUN/TURN server still a hard requirement to use web meetings between users separated across the WAN?

I just upgraded from 16.3 to whatever version is current (19.x?) and tested the meetings room again. Still no video and audio between users separated across the firewall WAN link. This was never an important feature but thought I would see if it ever started working out of the box.

If a 3rd party STUN server is required, anyone have a good suggestion?
0
Matt Petty Replied
Employee Post
There are open-source, run-your-own servers you can try. There are also hosted services; at least one of the hosted services provides something like a trial, which is a good way to test if a TURN server would fix the issue you're having with routing.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
0
Christopher Hiatt Replied
I've seen many. I was hoping someone had a suggestion on what they found worked well or was easier to deploy.

What would be REALLY helpful is if there was more documentation on this feature. Suggestions like don't block outbound port X, or does it need 1:1 port mapping. Does it need an inbound port open? Etc... If you use a hosted server, open these ports or do not filter these ports.

Anything other than if it doesn't work, try a third party STUN server.
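
The question of which ports actually get used can be answered from the ICE candidates each browser gathers; they are visible in chrome://webrtc-internals or in the SDP on the signaling channel. Below is an added example (not SmarterMail code, not from anyone in this thread) that parses `a=candidate:` lines per RFC 5245/8445, lists the UDP ports a firewall would have to allow, and flags media sections that have no relay (TURN) candidate at all. The SDP snippet inside is constructed sample data, not a capture from a real session.

```python
"""Classify ICE candidates from an SDP offer/answer (RFC 5245 / RFC 8445).

Added example, not SmarterMail code. Feed it the candidate lines you see in
chrome://webrtc-internals (or in a capture of the signaling channel) and it
reports which address/port pairs each side will try and whether a relay
(TURN) candidate is present. SAMPLE_SDP is constructed data, not captured.
"""
import re
from collections import Counter

# a=candidate:<foundation> <component> <transport> <priority> <addr> <port> typ <type>
#             [raddr <addr> rport <port>] [extensions...]
CANDIDATE_RE = re.compile(
    r"^a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<addr>\S+) (?P<port>\d+) typ (?P<type>host|srflx|prflx|relay)"
    r"(?: raddr (?P<raddr>\S+) rport (?P<rport>\d+))?"
)

# Constructed sample: audio gathered only host+srflx, video also got a relay candidate.
SAMPLE_SDP = """v=0
m=audio 9 UDP/TLS/RTP/SAVPF 111
a=candidate:1 1 udp 2122260223 192.168.1.20 50004 typ host
a=candidate:2 1 udp 1686052607 203.0.113.10 61234 typ srflx raddr 192.168.1.20 rport 50004
m=video 9 UDP/TLS/RTP/SAVPF 96
a=candidate:3 1 udp 2122260223 192.168.1.20 50006 typ host
a=candidate:4 1 tcp 1518280447 192.168.1.20 9 typ host tcptype active
a=candidate:5 1 udp 41885439 198.51.100.7 53001 typ relay raddr 203.0.113.10 rport 61235
"""


def parse_candidates(sdp: str) -> list:
    """Return one dict per a=candidate line, tagged with the m= section it belongs to."""
    media = None
    out = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            media = line.split()[0][2:]  # "audio" / "video"
        m = CANDIDATE_RE.match(line)
        if m:
            c = m.groupdict()
            c["port"] = int(c["port"])
            c["priority"] = int(c["priority"])
            c["media"] = media
            out.append(c)
    return out


def summarize(candidates: list) -> dict:
    """Per media section: candidate types seen, UDP ports a firewall would have
    to allow, and whether a relay candidate exists. No relay candidate plus a
    restrictive NAT in the path is the classic cause of "connected but no media"."""
    summary = {}
    for c in candidates:
        s = summary.setdefault(
            c["media"], {"types": Counter(), "udp_ports": set(), "has_relay": False}
        )
        s["types"][c["type"]] += 1
        if c["transport"].lower() == "udp":
            s["udp_ports"].add(c["port"])
        if c["type"] == "relay":
            s["has_relay"] = True
    return summary


def media_without_relay(candidates: list) -> list:
    """Media sections that only have host/srflx/prflx candidates. If audio shows
    up here and video does not, the two streams negotiated differently, which
    is exactly the "video but no audio" symptom worth checking in webrtc-internals."""
    summary = summarize(candidates)
    return sorted(m for m, s in summary.items() if not s["has_relay"])


if __name__ == "__main__":
    cands = parse_candidates(SAMPLE_SDP)
    for media, s in summarize(cands).items():
        print(media, dict(s["types"]), "udp ports:", sorted(s["udp_ports"]),
              "relay:", s["has_relay"])
    print("no relay candidate for:", media_without_relay(cands))
```

The host candidates carry the ephemeral UDP ports the browser picked (there is no fixed port range unless the TURN server or the browser policy sets one), which is why "open outbound UDP" is the only firewall rule that reliably covers the direct path.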
2
echoDreamz Replied
As I stated previously, we use CoTurn and it works perfectly.
3
Roger Replied
Hello everyone

We use a dedicated Coturn server under Debian Linux, which enables these connections for all participants on the Internet, otherwise you only have the signal within the same network where the participants are located. We then create a Coturn user with a password for each domain and store this information in the customer domain at SmarterMail, works perfectly.

Greetings, Roger
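
Roger's setup stores a static coturn user and password per domain. As an added example (not SmarterMail code and not Roger's configuration), here is the other credential scheme coturn supports, `use-auth-secret` with a `static-auth-secret`: the TURN server holds only a shared secret and every credential it accepts carries its own expiry, so a username/password copied out of a client or a settings page stops working after the TTL. The secret, domain and hostname in the code are constructed sample values, and whether a given SmarterMail build can rotate the stored TURN credential on that schedule is not something this thread establishes.

```python
"""Time-limited TURN credentials in the form coturn accepts with
`use-auth-secret` / `static-auth-secret=...` (the "TURN REST API" scheme).

Added example, not SmarterMail code. username = "<expiry_unix>:<user_id>",
password = base64(HMAC-SHA1(secret, username)). The secret and names used
below are constructed sample values.
"""
import base64
import hashlib
import hmac
import time


def make_turn_credential(secret: str, user_id: str, ttl: int, now: int = None) -> tuple:
    """Issue a credential valid for `ttl` seconds. This is the derivation coturn
    performs on its side to check the password, so both ends agree without the
    TURN server ever storing per-user passwords."""
    if now is None:
        now = int(time.time())
    username = "%d:%s" % (now + ttl, user_id)
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def verify_turn_credential(secret: str, username: str, password: str, now: int = None) -> bool:
    """Server-side check: reject expired or malformed usernames, then recompute
    the HMAC and compare in constant time. Handy for testing a credential-issuing
    endpoint before pointing a real TURN server at it."""
    if now is None:
        now = int(time.time())
    try:
        expiry_str, _ = username.split(":", 1)
        expiry = int(expiry_str)
    except ValueError:
        return False
    if expiry <= now:
        return False
    expected = base64.b64encode(
        hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    ).decode()
    return hmac.compare_digest(expected, password)


def ice_servers_config(turn_host: str, username: str, password: str) -> list:
    """The iceServers list a browser client would be given (RTCPeerConnection
    configuration). turns: on 443/tcp is the fallback for networks that only
    let HTTPS out, which is the situation behind a proxying firewall."""
    return [
        {"urls": ["stun:%s:3478" % turn_host]},
        {
            "urls": [
                "turn:%s:3478?transport=udp" % turn_host,
                "turn:%s:3478?transport=tcp" % turn_host,
                "turns:%s:443?transport=tcp" % turn_host,
            ],
            "username": username,
            "credential": password,
        },
    ]


if __name__ == "__main__":
    secret = "constructed-shared-secret-change-me"  # constructed sample value
    user, pw = make_turn_credential(secret, "example.com", ttl=3600)
    print("username:", user)
    print("password:", pw)
    print("valid now:", verify_turn_credential(secret, user, pw))
    print(ice_servers_config("turn.example.net", user, pw))  # constructed hostname
```

The matching coturn side is `use-auth-secret` plus `static-auth-secret=<the same secret>` in turnserver.conf, with `realm=` set to the domain; the static `user=name:password` lines Roger describes are the `lt-cred-mech` alternative and the two modes are not mixed for the same realm.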
2
J. LaDow Replied
Based on threads above, and through our own testing we will also be implementing coturn on one of our public Debian instances.  I will try to make some documentation available once we're fully implemented.
MailEnable survivor / convert --
