Blog

News

Press Releases

Events

Knowledge Base

Terminology

Webinars

Go back

How to configure port forwarding (proxying) on TrueConf Server for Linux

November 22, 2022

Konstantin Kotov

Categories: Knowledge Base, TrueConf Server administration

Port forwarding or port translation is a technology that makes it possible to route network traffic between different “port:address” pairs according to certain rules. It is usually used within the router so that its external IP address could give access to the hosts in the local network, for example, it enables TrueConf Server users to connect from outside the network. However, this technology may be helpful in many other cases.

Let us take a look at one of these situations; you need to forward ports from the machine with the NGINX web server to the machine where TrueConf Server is deployed. In this way we can better protect the video conferencing server because its internal IP address will be hidden behind a proxy.

In our case the proxy machine will run Debian 11; the following software will be installed:

NGINX – 1.22.0
TrueConf Server – 5.0.3
firewalld – 0.9.3.

Table of Contents

Proxy server configuration

We first have to configure NGINX as a proxy for the TrueConf Server web service. In our configuration, it will proxy the traffic coming to the standard HTTP and HTTPS ports: 80 and 443 respectively. If you are using different ports (check the server documentation if you want to change them), you will need to specify them in the corresponding lines in the settings below.

To configure the proxy server, you will need to write directives in the configuration file. By default this file is called nginx.conf and can be found in one of the following directories:

/etc/nginx;
/usr/local/nginx/conf;
/usr/local/etc/nginx.

Directives should be placed within the server { … } block. Please take these steps:

Specify the ports that will be listened to: 80 and 443.

listen 80 default_server; listen [::]:80 default_server; listen 443 ssl default_server; listen [::]:443 ssl default_server;

1
2
3
4
5

listen 80 default_server;
listen [::]:80 default_server;

listen 443 ssl default_server;
listen [::]:443 ssl default_server;
Specify the path to the SSL certificate and its key to configure HTTPS connection for NGINX (if you do not have the certificate, you can generate it with the OpenSSL library). Once you have completed this step, it is no longer necessary to configure HTTPS on the side of TrueConf Server because the traffic will be encrypted by the proxy server.
An HTTPS connection is required for the TrueConf Server API to operate. Without it, you won’t be able to obtain an OAuth2 token to work with the API.

ssl_certificate /etc/example/certificate.crt; ssl_certificate_key /etc/example/cert-key.key;

1
2

ssl_certificate /etc/example/certificate.crt;
ssl_certificate_key /etc/example/cert-key.key;

Write the location block with the configuration for proxying

 location / {
    proxy_pass https://192.168.10.1:443;
    proxy_ssl_verify off;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
 }

location / {

proxy_pass https://192.168.10.1:443;

proxy_ssl_verify off;

proxy_set_header Host $host;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Real-IP $remote_addr;

}

In the proxy_pass directive, specify the internal address of TrueConf Server in your local network. It will be available to the host from NGINX. This directive will make sure that the traffic coming to the ports specified previously will be routed to the selected address. In addition to proxying, this block will configure the transfer of HTTP headers and disable the verification of the SSL certificate.

If users may connect to the server via WebRTC (from a browser), write another block called location from a new line after the previous block. This new block will include the configuration for proxying WebSocket requests to the port 4309. This port is used for sending signaling or controlling traffic (between the video conferencing server and the browser client application). In this way, you will make sure that the web server is not excessively loaded with traffic processing.

 location /websocket/ {
    proxy_pass http://127.0.0.1:4309/websocket/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $host;
 }

location /websocket/ {

proxy_pass http://127.0.0.1:4309/websocket/;

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "Upgrade";

proxy_set_header Host $host;

}

WebSocket requests should only be proxied through HTTP. Otherwise, connecting to the conference will be impossible.

At this point, the configuration of the Nginx proxy server is complete. To apply all the changes, you will need to restart the server. To do it, run the following command as the superuser:

 nginx -s reload

1	nginx -s reload

Firewall configuration

In addition to the protocols discussed previously (HTTP, HTTPS, and WebSocket), other protocols that use different ports may be needed for the correct work of all features available in TrueConf video conferencing:

4307 – the main and only TCP port needed for transferring media data between TrueConf Server and TrueConf client applications
554 – TCP port for working via RTSP protocol
1720 – TCP port for establishing connection with H.323 devices
52000–52499 – TCP ports that will be used for handshaking via H.323
5060 – TCP or UDP port for initializing connection via SIP
50000–51999 – UDP ports for transferring media streams via SIP/H.323.

This list above includes only some of the required ports. To learn more about the ports used by TrueConf Server, check the corresponding guide.

In this case, HTTP/HTTPS traffic routing via the NGINX web server will not be enough. You can use a firewall to configure forwarding for other ports. For example, it is possible to use the firewalld package.

To run the commands listed below, use the sudo program or enter the superuser mode by running the su command and entering the root password.

At first, it is necessary to install the firewall:

apt install firewalld

1

apt install firewalld
Next, allow requests to NGINX with these commands:

firewall-cmd --permanent --zone="public" --add-service=http firewall-cmd --permanent --zone="public" --add-service=https

1
2

firewall-cmd --permanent --zone="public" --add-service=http
firewall-cmd --permanent --zone="public" --add-service=https
Explanation of the parameters:
- --permanent – enables to add the setting on a permanent basis by saving it after the restart of the OS or firewall
- --zone="public" – selects the zone to which the configuration will apply
- --add-service – adds the service to the specified zone.

Run the commands for forwarding TCP and UDP ports. These commands can be used for forwarding either a single port or a range of ports. We will show one command for each type: the first will forward the 554 port (for RTSP) and the second one will forward 50000-51999 port range (for SIP/H.323):

 firewall-cmd --permanent --zone="public" --add-forward-port=port=554:proto=tcp:toport=554:toaddr=192.168.10.1
 firewall-cmd --permanent --zone="public" --add-forward-port=port=50000-51999:proto=udp:toport=50000-51999:toaddr=192.168.10.1

1 2	firewall-cmd --permanent --zone="public" --add-forward-port=port=554:proto=tcp:toport=554:toaddr=192.168.10.1 firewall-cmd --permanent --zone="public" --add-forward-port=port=50000-51999:proto=udp:toport=50000-51999:toaddr=192.168.10.1

Similar commands can be used to forward other required ports

Explanation of the parameters:

--add-forward-port — enables to forward a port from one machine to another
port – specifies the port or a range of ports that will be forwarded
proto – specifies the protocol that will be used to transfer data via a port
toport – specifies the target port
toaddr – specifies the address of the machine to which the initial port will be forwarded.

Run the commands that will substitute the address of the proxied machine (where TrueConf Server is installed) for the address of the proxy server. In this way, we will route the inbound and outbound traffic via the proxy by hiding the real IP of the video conferencing server. The list of ports for TCP and UDP protocols should be configured separately, for example:

 firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -p tcp -m multiport --dports 4307,554,1720,5060,52000:52499 -j SNAT --to-source 192.168.10.2
 firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -p udp -m multiport --dports 5060,50000:51999 -j SNAT --to-source 192.168.10.2

firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -p tcp -m multiport --dports 4307,554,1720,5060,52000:52499 -j SNAT --to-source 192.168.10.2

firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -p udp -m multiport --dports 5060,50000:51999 -j SNAT --to-source 192.168.10.2

Explanation of the parameters:

--direct – enables direct interface allowing fine tuning (this is the syntax of the iptables package)
--add-rule – adds an iptables rule
ipv4 – indicates that the configuration is made for IPv4 traffic
nat – enables the NAT table
POSTROUTING – enables the POSTROUTING chain
0 – the priority of the specified rule (0 is the highest priority)
-p tcp – selects TCP network protocol
-p udp – selects UDP network protocol
-m multiport – applies the rule to multiple ports
--dports – the list of ports to which the rule will apply
-j SNAT – selects the action that will be performed if the packet matches the specified rule
--to-source 192.168.10.2 – specifies the IP address that will be used to replace the initial one (in our case, it is the proxy IP address)

Configuration test

When the configuration is completed, restart firewalld to save changes:

 firewall-cmd --reload

1	firewall-cmd --reload

Next, check if the settings have been applied. To do it, run the command identical to the one you used for port forwarding. You only have to replace --add-forward-port with -–query-forward-port. For example, to check if the 554 port has been forwarded, run this command:

 firewall-cmd --permanent --zone="public" --query-forward-port=port=554:proto=udp:toport=554:toaddr=192.168.10.1

1	firewall-cmd --permanent --zone="public" --query-forward-port=port=554:proto=udp:toport=554:toaddr=192.168.10.1

If the word no is displayed in the console, the port has not been forwarded. This problem may occur because you did not include the --permanent key in the corresponding command. Re-run this command and make sure that this key is included.
If the word yes is displayed in the console, the port has been successfully forwarded to the machine with TrueConf Server.