
How to configure port forwarding (proxying) on TrueConf Server for Linux

November 22, 2022
Konstantin Kotov


Port forwarding, or port translation, is a technology that routes network traffic between different “port:address” pairs according to certain rules. It is usually used on a router so that hosts in the local network can be reached through its external IP address; for example, it enables TrueConf Server users to connect from outside the network. However, this technology may be helpful in many other cases.

Let us look at one such situation: you need to forward ports from the machine with the NGINX web server to the machine where TrueConf Server is deployed. In this way we can better protect the video conferencing server because its internal IP address will be hidden behind a proxy.

In our case the proxy machine will run Debian 11; the following software will be installed:

  • NGINX – 1.22.0
  • TrueConf Server – 5.0.3
  • firewalld – 0.9.3.

Proxy server configuration

We first have to configure NGINX as a proxy for the TrueConf Server web service. In our configuration, it will proxy the traffic coming to the standard HTTP and HTTPS ports: 80 and 443 respectively. If you are using different ports (check the server documentation if you want to change them), you will need to specify them in the corresponding lines in the settings below.

To configure the proxy server, you will need to write directives in the configuration file. By default this file is called nginx.conf and can be found in one of the following directories:

  • /etc/nginx;
  • /usr/local/nginx/conf;
  • /usr/local/etc/nginx.

Directives should be placed within the server { … } block. Please take these steps:

  1. Specify the ports to listen on: 80 and 443.
  2. Specify the path to the SSL certificate and its key to configure HTTPS connection for NGINX (if you do not have the certificate, you can generate it with the OpenSSL library). Once you have completed this step, it is no longer necessary to configure HTTPS on the side of TrueConf Server because the traffic will be encrypted by the proxy server.
    An HTTPS connection is required for the TrueConf Server API to operate. Without it, you won’t be able to obtain an OAuth2 token to work with the API.

  3. Write the location block with the configuration for proxying.

    In the proxy_pass directive, specify the internal address of TrueConf Server in your local network. This address should be reachable from the NGINX host. This directive will make sure that the traffic coming to the ports specified previously will be routed to the selected address. In addition to proxying, this block will configure the transfer of HTTP headers and disable the verification of the SSL certificate.

  4. If users may connect to the server via WebRTC (from a browser), add another location block on a new line after the previous one. This new block will include the configuration for proxying WebSocket requests to port 4309. This port is used for sending signaling or controlling traffic (between the video conferencing server and the browser client application). In this way, you will make sure that the web server is not excessively loaded with traffic processing.

    WebSocket requests should only be proxied through HTTP. Otherwise, connecting to the conference will be impossible.

    At this point, the configuration of the NGINX proxy server is complete. To apply all the changes, you will need to restart the server. To do so, run the following command as the superuser:
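Steps 1 to 4 assembled into one server block, as an added example that is not TrueConf's own configuration. The upstream address, certificate paths and WebSocket location are assumed placeholders, and the restart line assumes NGINX is managed by systemd; the small lint function checks the rule that port 4309 is proxied over plain HTTP.

```shell
#!/bin/sh
# Added example, not TrueConf's own configuration. Values marked ASSUMPTION
# are placeholders to replace with your own.
SERVER_IP="192.168.10.10"                # ASSUMPTION: internal TrueConf Server address
CERT="/etc/nginx/ssl/proxy.crt"          # ASSUMPTION: certificate path
KEY="/etc/nginx/ssl/proxy.key"           # ASSUMPTION: private key path
WS_PATH="/websocket-path-placeholder/"   # ASSUMPTION: WebSocket location

# Print the server { ... } block described in steps 1-4.
render_server_block() {
cat <<EOF
server {
    listen 80;                           # step 1
    listen 443 ssl;
    ssl_certificate     $CERT;           # step 2
    ssl_certificate_key $KEY;

    location / {                         # step 3
        proxy_pass http://$SERVER_IP;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_ssl_verify off;            # only consulted for https:// upstreams
    }

    location $WS_PATH {   # step 4: WebSocket signaling
        proxy_pass http://$SERVER_IP:4309;   # plain HTTP, as required above
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF
}

# Lint a config on stdin: succeed only if a proxy_pass to port 4309 exists
# and every such upstream uses http:// rather than https://.
ws_upstream_is_http() {
    awk '/proxy_pass/ && /:4309/ { seen = 1; if ($2 !~ /^http:\/\//) bad = 1 }
         END { exit !(seen && !bad) }'
}

# Stand-alone run: print the block and report the lint result.
render_server_block
render_server_block | ws_upstream_is_http && echo "# 4309 upstream is plain HTTP"
# Then, as root (assuming systemd): nginx -t && systemctl restart nginx
```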

Firewall configuration

In addition to the protocols discussed previously (HTTP, HTTPS, and WebSocket), other protocols that use different ports may be needed for all TrueConf video conferencing features to work correctly:

  • 4307 – the main and only TCP port needed for transferring media data between TrueConf Server and TrueConf client applications
  • 554 – TCP port for working via RTSP protocol
  • 1720 – TCP port for establishing connection with H.323 devices
  • 52000–52499 – TCP ports that will be used for handshaking via H.323
  • 5060 – TCP or UDP port for initializing connection via SIP
  • 50000–51999 – UDP ports for transferring media streams via SIP/H.323.

The list above includes only some of the required ports. To learn more about the ports used by TrueConf Server, check the corresponding guide.

In this case, HTTP/HTTPS traffic routing via the NGINX web server will not be enough. You can use a firewall to configure forwarding for other ports. For example, it is possible to use the firewalld package.

To run the commands listed below, use the sudo program or enter the superuser mode by running the su command and entering the root password.

  1. First, install the firewall:
  2. Next, allow requests to NGINX with these commands:

    Explanation of the parameters:

    • --permanent – makes the setting permanent, so that it is kept after a restart of the OS or the firewall
    • --zone="public" – selects the zone to which the configuration will apply
    • --add-service – adds the service to the specified zone.
  3. Run the commands for forwarding TCP and UDP ports. These commands can be used for forwarding either a single port or a range of ports. We will show one command for each type: the first will forward the 554 port (for RTSP) and the second one will forward 50000-51999 port range (for SIP/H.323):

    Similar commands can be used to forward other required ports.

    Explanation of the parameters:

    • --add-forward-port – forwards a port from one machine to another
    • port – specifies the port or a range of ports that will be forwarded
    • proto – specifies the protocol that will be used to transfer data via a port
    • toport – specifies the target port
    • toaddr – specifies the address of the machine to which the initial port will be forwarded.
  4. Run the commands that will substitute the address of the proxied machine (where TrueConf Server is installed) for the address of the proxy server. In this way, we will route the inbound and outbound traffic via the proxy by hiding the real IP of the video conferencing server. The list of ports for TCP and UDP protocols should be configured separately, for example:

    Explanation of the parameters:

    • --direct – uses the direct interface, which allows fine tuning (the rule is written in iptables syntax)
    • --add-rule – adds an iptables rule
    • ipv4 – indicates that the configuration is made for IPv4 traffic
    • nat – selects the NAT table
    • POSTROUTING – selects the POSTROUTING chain
    • 0 – the priority of the specified rule (0 is the highest priority)
    • -p tcp – selects TCP network protocol
    • -p udp – selects UDP network protocol
    • -m multiport – applies the rule to multiple ports
    • --dports – the list of ports to which the rule will apply
    • -j SNAT – selects the action that will be performed if the packet matches the specified rule
    • --to-source 192.168.10.2 – specifies the IP address that will be used to replace the initial one (in our case, it is the proxy IP address)

Configuration test

When the configuration is completed, restart firewalld to save changes:

Next, check if the settings have been applied. To do so, run the command identical to the one you used for port forwarding. You only have to replace --add-forward-port with --query-forward-port. For example, to check if the 554 port has been forwarded, run this command:

If the word no is displayed in the console, the port has not been forwarded. This problem may occur because you did not include the --permanent key in the corresponding command. Re-run this command and make sure that this key is included.
If the word yes is displayed in the console, the port has been successfully forwarded to the machine with TrueConf Server.
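The firewall procedure and the check above as one dry-run script, added here as an example rather than taken from the original article. It builds the firewall-cmd lines for the ports listed earlier; 192.168.10.2 is the proxy address used in the article, while the TrueConf Server address is an assumed placeholder. Commands are only printed unless FW_APPLY=1 is set when running as root.

```shell
#!/bin/sh
# Added example: generates the firewalld commands for the article's port list.
PROXY_IP="192.168.10.2"      # proxy address, as in the article's SNAT rule
SERVER_IP="192.168.10.10"    # ASSUMPTION: internal TrueConf Server address
ZONE="public"
TCP_PORTS="4307 554 1720 5060 52000-52499"
UDP_PORTS="5060 50000-51999"

# Print one forward-port command per port or range; $1 is "add" or "query".
forward_cmds() {
    for proto in tcp udp; do
        [ "$proto" = tcp ] && ports=$TCP_PORTS || ports=$UDP_PORTS
        for p in $ports; do
            echo "firewall-cmd --permanent --zone=$ZONE --$1-forward-port=port=$p:proto=$proto:toport=$p:toaddr=$SERVER_IP"
        done
    done
}

# iptables multiport wants "a,b,c:d", while firewalld writes ranges as "c-d".
multiport_list() { echo "$*" | tr ' -' ',:'; }

# One SNAT rule per protocol, so the server sees the proxy as the source.
snat_cmds() {
    for proto in tcp udp; do
        [ "$proto" = tcp ] && ports=$TCP_PORTS || ports=$UDP_PORTS
        echo "firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -p $proto -m multiport --dports $(multiport_list $ports) -j SNAT --to-source $PROXY_IP"
    done
}

# Full sequence: allow NGINX, forward ports, SNAT, reload, then verify.
plan() {
    echo "firewall-cmd --permanent --zone=$ZONE --add-service=http"
    echo "firewall-cmd --permanent --zone=$ZONE --add-service=https"
    forward_cmds add
    snat_cmds
    echo "firewall-cmd --reload"
    forward_cmds query
}

# Dry run by default; FW_APPLY=1 executes the plan and stops on the first
# failure, including a query that answers "no".
if [ "${FW_APPLY:-}" = 1 ]; then plan | sh -e; else plan; fi
```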

