3
How does WebRTC work with SmarterMail 17.x?
Problem reported by Stefan Mössner - 3/22/2020 at 3:19 PM
Resolved
Hello all,

I'm a user of SmarterMail 17.x Free and want to use the team workspace for video conferencing. But this doesn't work every time or not with all features and I think this is related to my network and firewall implementation.

What I want to do is:

  1. Connecting with an internal client to the SmarterMail server by using Google Chrome. Because of the need of SSL for getting the video and audio to work I have to connect to the external address of my server. The server is located in the same internal network as the client.
  2. Connecting from a second client to the SmarterMail server. This could be a mobile phone with Android 10 connected to LTE using Google Chrome.
This is my network design:

  1. I only have one public IP address. So this address is the same for my internal client connecting to the internet and for my server accessed from the internet.
  2. There is a Sophos UTM 9.7 firewall which terminates the SSL connection and forwards decrypted traffic to the server. The Sophos UTM works as WAF (web application firewall) for the server. The WAF is configured to passthrough websocket traffic to the server. 
  3. The firewall itsself is connected to a DSL router which is connected to the internet. The Sophos UTM is an exposed host to the router to get all external traffic redirected to the firewall.
  4. The Sophos UTM is a transparent proxy with SSL interception for the internal clients connecting to the internet. For accessing the external address of my server there's a skip rule for the transparent proxy.
What's working and what's not working:

  1. Accessing the Team workspace is possible.
  2. Chat is working.
  3. Muting video and/or audio device is possible and this could be seen on the other client.
  4. Two internal Windows based clients can do video conferencing without issues.
  5. With Android 10 connected to internal WLAN I got video up running but there's no audio. And this isn't related to hardware issues. With Android 9 there are no issues with audio.
  6. Using Windows based clients internal and external needs to open all TCP and UDP ports from internal to external network for a working video conference.
  7. Using Android 10 from external there's no video and no audio.
Sometimes I saw outgoing UDP traffic from the internal client connecting to an external STUN/TURN Server and the external client tried to connect to the firewall by UDP ports. But opening these ports didn't help. I think the Sophos UTM doesn't know where to redirect these connections. For today I have no more idea how to get the video conference working with all the devices. For now it's working accidentally. So this isn't reliable.

To get WebRTC working I need some more information:

  1. Where is the signaling server for WebRTC? Is it the SmarterMail server?
  2. Is there a STUN/TURN server for relaying the UDP traffic?
  3. Which TCP and UDP ports are used by the WebRTC implementation of SmarterMail?
  4. Is there a detailed technical documentation of the WebRTC implementation in SmarterMail which helps to get the video conference working?
Hopefully you can help. Any ideas are welcome.

Thank You.

26 Replies

Reply to Thread
1
Christopher Hiatt Replied
I hope you get a solution.

I've been trying for two months. Crickets......

0
Stefan Mössner Replied
So, I'm not alone with this issue. This is good to know because at first I wasn't sure if it's an issue regarding my infrastructure. I didn't see your similar issue.

Today I did some further investigation using wireshark: When trying to connect to an external system the connection will use STUN server from Google to handle the connection parameters. This is the normal way if there's no possibility to connect directly to the other system without NAT etc. But then I don't see any UDP packets going to the external client. And I don't know what the external system is doing. Is it connecting to the same STUN server? And is it then trying to connect to the internal server directly via UDP? The packet capture of my Android phone isn't working as I expected.

Maybe there's a need to have a relay server to passthrough the firewall limitations regarding the requirements for getting WebRTC to work.
0
Stefan Mössner Replied
Interesting: Yesterday we tested videoconferencing with a Android smartphone connected to the internal network and a Windows system outside. There were no issues with using the videoconference. Actually I only opened all outgoing UDP instead of all TCP and UDP ports.

But it doesn't help to solve the issues I found and documented at start of this thread. The situation is more confusing now...
0
Christopher Hiatt Replied
Put the Android in airplane mode then turn on the wifi making sure it can't bypass your firewall on cellular data.
0
Stefan Mössner Replied
Putting the Android 10 in airplane mode then turning on the wifi doesnt solve the issue with having video but no audio.

Yesterday I found out that WebRTC (with 3CX webmeeting) doesn't like HTTP and HTTPs proxies. Only bypassing the SSL intercept is not enough. You have to deactivate all proxy features. This is easy because you can set an exception rule with a regex for *.3cx.net.

But with SmarterMail it seems to have another implementation of WebRTC which causes to the testing results I documented at start of this thread. Conferencing between 2 Windows based systems (1 inside and 1 outside of my network) and between an Android 9 (inside of my network) and a Windows system (outside of my network) works although there's no proxy exception set. You need only to open all outgoing UDP ports because WebRTC opens a direct connection to the conferencing partner for transferring the video and audio data.

For the Android devices the transparent proxy is bypassed because of certificate issues. For Windows systems the HTTP/HTTPS proxy is active.
0
Stefan Mössner Replied
Incoming or outgoing? I opened all outgoing UDP ports because there are used dynamic UDP high ports when WebRTC is used. And for me it's not clear why it's working with Windows systems connected from outside but not with the Android 10. And with an internal connected Android 10 device using Chrome browser I see video but I have no audio. An internal connected Android 9 doesn't have issues. Both devices have the same firewall and proxy policies on my Sophos UTM.
0
Stefan Mössner Replied
I don't see incoming connections with these ports from my Android 10 using LTE.
0
Stefan Mössner Replied
I'm using Windows Defender. I'm wondering why it's working with Windows based systems but not with Android at all. Last weekend we tested with another Android 9 device and there was the same issue like I have with Android 10. Last weekend a conference with 3 Windows based computers (1 internal and 2 external) worked fine. And on my Sophos UTM there's an IPS activated. But I have no events regarding blocked connections by IPS.
1
Andrew Barker Replied
Employee Post Marked As Resolution
The current BETA build has new settings for specifying STUN/TURN servers at the domain level. Specifying a TURN server will likely resolve many of the issues reported with connecting to users across network boundaries.
Andrew Barker Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Christopher Hiatt Replied
"Specifying a TURN server will likely resolve many of the issues reported "


In practice does this actually fix it?

Are there any suggested servers to use or is there any info on the proper syntax to enter the server data in the SmarterMail settings for this? This still doesn't work for me on users separated by an intelligent firewall.
0
Urs Replied
Hi Christopher

I tried it with installing coturn, but for me it did not work with android 4g webmail to w10 desktop.
Android and Desktop PC same network all is working, as soon Android i.e. on 4G - negative.
Checked with provider, ports are not blocked.

If you get it running, please write me how you did - thanks
0
Christopher Hiatt Replied
I wish they would just remove it or add some additional information on what is needed for it to work. 

But the same results as you. Works fine on same LAN segment. Just doesn't work when devices are separated across the firewall. I do get the box where the video should be, it is just empty.
0
Chris Mayer Replied
Hello All

We have in the newest smartermail also the problem with team workspace that it works well inside LAN but if an external MAC user want's to connect he or she hears and see's us from the LAN where also the smartermail server resides on but we do not see or here she or he.

also the video and microphone on the remote MAC is geyed out.

do we need to confiured something special to get that work or open any special firewall ports internet -> DMZ ( smartermail server ) or vise versa?

best regards chris
Chris Mayer Simple Hosting GmbH www.simplehosting.ch
0
Urs Replied
Hi Chris
you may also check this thread:

however if you get it up and running, please call me, I tried for days...
Gruess Urs

0
Chris Mayer Replied
Hello Urs

I did't get it to work with the STUN. i tried many different ports and server and it did never work if 1 of the two test clients connected over a fortigate firewall.
the only way was to install or test it with a TURN server where the traffic from both clients go over that server. with a TURN server it was working.

would be nice if here smartermail could improve that part of smartermail.

gruss chris
Chris Mayer Simple Hosting GmbH www.simplehosting.ch
0
Chris Replied
We deployed Prexip TURN Server (vmware based) and everything works now. So you guys need a TURN server.
0
Christopher Hiatt Replied
Prexip hides their pricing VERY well. Any info on it?
4
Chris Replied
I downloaded the TURN server for free. It’s wizard based setup and was really easy to deploy and the installation guide on their site was easy to follow. Although it was built for prexip, you would just plug in your smartermail server IPs as if they were prexip servers. Worked like a charm.
Previously had issues where audio or video wouldn’t connect over various firewalls. iOS devices didn’t work, etc. We ran several tests with 8 people at 8 locations and it worked beautifully. 
2
echoDreamz Replied
Just to add our usage in, we run CoTurn on a small Ubuntu box and have had no issues with audio/video across different devices.
0
Vincent Sammons Replied
This is an ENTERPRISE branded product. Most "enterprises" use NAT and enterprise firewalls. It would be great if they had more technical details on how to set this up with enterprise firewall solutions in place such as SonicWall and Cisco. I still do not see any technical details for a network engineer to make sure the proper ports and protocols are opened for this to work. If another product is required to use the Video it would be great on what is recommended by Smartermail. I was not able to find any technical documentation on this. It would be great to be able to utilize these functionality in our Enterprise.

Please add this to the knowledge base for SonicWall Routers.
https://www.sonicwall.com/support/knowledge-base/configuring-consistent-nat-network-address-translation/170505836533942/

**Also note that if you have multiple IP addresses on your server, the XMPP should ONLY be bound to the NATed IP address.

Vincent Sammons
0
Christopher Hiatt Replied
Is a STUN/TURN server still a hard requirement to use web meetings between users separated across the WAN?

I just upgraded from 16.3 to whatever version is current (19.x?) and tested the meetings room again. Still no video and audio between users separated across the firewall WAN link. This was never an important feature but thought I would see if it ever started working out of the box.

If a 3rd party STUN server is required, anyone have a good suggestion?
0
Matt Petty Replied
Employee Post
There are open-source, run-your-own servers you can try. There are also hosted services, atleast one of the hosted services provided kind of like a trial which is a good way to test if a TURN server would fix the issue your having with routing.
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Christopher Hiatt Replied
I've seen many. I was hoping someone had a suggestion on what they found worked well or was easier to deploy.

What would be REAL helpful is if there was more documentation on this feature. Suggestions like don't block outbound port X or does it need 1:1 port mapping. Does it need an inbound port open? Etc... If you use a hosted server, open these ports or do not filter these ports. 

Anything other than if it doesn't work, try a third party STUN server.
2
echoDreamz Replied
As I stated previously, we use CoTurn and it works perfectly.
3
Roger Replied
Hello everyone

We use a dedicated Coturn server under Debian Linux, which enables these connections for all participants on the Internet, otherwise you only have the signal within the same network where the participants are located. We then create a Coturn user with a password for each domain and store this information in the customer domain at SmarterMail, works perfectly.

Greetings, Roger
2
J. LaDow Replied
Based on threads above, and through our own testing we will also be implementing coturn on one of our public Debian instances.  I will try to make some documentation available once we're fully implemented.
MailEnable survivor / convert --

Reply to Thread