Hi folks,
I put this here since I'm afraid that in the still existing Zimbra Talk forum nobody will see the post.
I finally made Zimbra Talk V2 work on two of our test installations. The video chat works fine with people on the same network but breaks as soon as there's some NAT in between.
The solution should be a TURN/STUN server; I installed and configured one (package coturn on Ubuntu) and added it to the ZTalk config as described here:
https://wiki.zimbra.com/wiki/Talk_V2_Ad ... URN_server
Unfortunately, people are still not able to communicate through a NAT.
It is definitely possible that I made an error somewhere. When I tried my standard ways of debugging issues like these (staring at log files, the browser's network console and Wireshark), it looked to me like the TURN server wasn't used by my client at all, but I'm not sure if I even looked at the correct things. So my question: Has anybody debugged videochat/WebRTC/TURN before and can point me in the right direction? Is there maybe a hidden debug mode?
Cheers,
Malte
Zimbra Talk V2: How to debug WebRTC/TURN?
Re: Zimbra Talk V2: How to debug WebRTC/TURN?
Ok, using the stun command line client and the Trickle ICE testing service I was able to verify that at least my turn server was working as expected.
I use the following turnserver.conf:
Code:
external-ip=192.0.2.42
lt-cred-mech
realm=zimbra.example
cert=/opt/zimbra/ssl/zimbra/commercial/commercial.crt
pkey=/opt/zimbra/ssl/zimbra/commercial/commercial.key
syslog
verbose
And added a user via
Code:
turnadmin -a -u zimbra -r zimbra.example -p password
The lt-cred-mech option was essential to enable.
Now I'd still like to know how to debug the browser/Zimbra Talk part to make sure it actually uses the TURN server.
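One way to check the browser side, as an added example that is not part of the original post: classify the ICE candidate lines the browser gathers (as listed, for instance, by the Trickle ICE page or chrome://webrtc-internals) and see whether a relay candidate with the expected external-ip appears. The function names and the sample candidate lines are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges, listed explicitly: ipaddress.is_private would also match
# the documentation addresses used in the constructed samples below.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_candidate(line):
    """Parse one ICE candidate line into a dict."""
    f = line.strip().split()
    if f and f[0].startswith("a="):          # SDP form: a=candidate:...
        f[0] = f[0][2:]
    if len(f) < 8 or not f[0].startswith("candidate:") or f[6] != "typ":
        raise ValueError("not an ICE candidate: %r" % line)
    cand = {"transport": f[2].lower(), "address": f[4],
            "port": int(f[5]), "type": f[7]}
    cand.update(zip(f[8::2], f[9::2]))       # extensions: raddr, rport, ...
    return cand

def is_rfc1918(address):
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:                       # mDNS host name such as "x.local"
        return False
    return any(ip in net for net in RFC1918)

def turn_report(lines, expected_relay_ip):
    """Summarise whether a usable relay candidate was gathered."""
    cands = [parse_candidate(l) for l in lines if "candidate:" in l]
    relays = [c for c in cands if c["type"] == "relay"]
    return {
        "types": sorted({c["type"] for c in cands}),
        "relay_seen": bool(relays),
        # A relayed address in private space is unreachable for outside peers.
        "private_relay": [c["address"] for c in relays if is_rfc1918(c["address"])],
        "relay_matches_expected": any(c["address"] == expected_relay_ip for c in relays),
    }

# Constructed samples (documentation addresses, not captured traffic).
HOST = "candidate:1 1 udp 2122260223 192.168.1.20 50000 typ host"
SRFLX = "candidate:2 1 udp 1686052607 198.51.100.7 50000 typ srflx raddr 192.168.1.20 rport 50000"
RELAY_OK = "candidate:3 1 udp 41885439 192.0.2.42 49160 typ relay raddr 198.51.100.7 rport 50000"
RELAY_PRIVATE = "candidate:3 1 udp 41885439 10.0.0.5 49160 typ relay raddr 198.51.100.7 rport 50000"

if __name__ == "__main__":
    for name, sample in (("no relay", [HOST, SRFLX]),
                         ("relay ok", [HOST, SRFLX, RELAY_OK]),
                         ("private relay", [HOST, SRFLX, RELAY_PRIVATE])):
        print(name, turn_report(sample, "192.0.2.42"))
```

A relay candidate shows that the browser reached and authenticated against the TURN server; whether media actually flows through it is decided by the candidate pair that ICE finally selects.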
Re: Zimbra Talk V2: How to debug WebRTC/TURN?
I'm also trying to get a TURN server working with Talk v2. I also see video working when on the same network. When I test across NAT each party is able to initiate a session, we see our own webcam image, but the connection times out and the window disappears.
I've tried 3 different TURN servers on Ubuntu, all the same result. I am currently also using coturn and I believe probably a similar setup to yours.
Something on my network which I'm not sure how this affects things... My mailbox server runs in private IP space behind public facing proxy & mta servers. When I initiate a conference, I do see logs in the turn server, which I believe implies the clients are attempting to utilize it.
If you have had any luck since posting, I'd be interested to know what you did to get your environment up & running.
Cheers,
gary
Re: Zimbra Talk V2: How to debug WebRTC/TURN?
I didn't have any success yet either and still have Case 00712698 on that issue open. I found a few ways of debugging this issue though (which, like in your case, all point in the direction that everything *should* work but doesn't). I'll update this post when I've got a spare minute.
Re: Zimbra Talk V2: How to debug WebRTC/TURN?
Hi folks!
We had the same problem here, so after some time debugging we found a way to solve it:
1. If you install the turnserver behind a firewall with NAT, it is necessary to create the PREROUTING rules:
iptables -A PREROUTING -t nat -i [EXTERNAL_INT] -p udp -m multiport -d [EXTERNAL_IP] --dports 3478 -j DNAT --to [TURN_SERVER_IP]
iptables -A PREROUTING -t nat -i [EXTERNAL_INT] -p udp -m multiport -d [EXTERNAL_IP] --dports 49152:65535 -j DNAT --to [TURN_SERVER_IP]
2. Configure the turnserver with a minimal configuration (just to test; we are using CentOS 7):
user=USERNAME:XXXxxxxxXXXXxxx
listening-port=3478
listening-ip=[TURNSERVER_IP]
verbose
syslog
3. Start the server:
systemctl start turnserver
(You can see all the messages on: /var/log/messages)
4. Configure the zimlet on Zimbra to use the STUN/TURN server by user or by COS:
zxsuite chat iceServer add turn:[EXTERNAL_IP_TURNSERVER]:3478?transport=udp credential [PASSWORD] username [USERNAME] account [LOGIN@DOMAIN]
zxsuite chat iceServer add turn:[EXTERNAL_IP_TURNSERVER]:3478?transport=udp credential [PASSWORD] username [USERNAME] cos [COS]
5. Check if the COS was correctly set on zx_suite:
Ex:
zxsuite config cos get standard
cos 14d6a755-d050-XXXXX-XXXXXX
values
attribute debranded
inheritedValue false
inheritedFrom default
attribute historyEnabled
inheritedValue true
inheritedFrom default
attribute videoChatEnabled
inheritedValue true
inheritedFrom default
attribute teamChatEnabled
value true
attribute teamChatIceServerList
value
credential XXXXxxxxxXXXXX
url turn:[EXTERNAL_IP_TURNSERVER]:3478?transport=udp
username USERNAME
zxsuite config account get LOGIN@DOMAIN
account 5a81aeef-bc7b-XXXXXX-XXXXXXX
values
attribute debranded
inheritedValue false
inheritedFrom default
attribute historyEnabled
inheritedValue true
inheritedFrom default
attribute videoChatEnabled
inheritedValue true
inheritedFrom default
attribute domainAdminMaxMailQuota
inheritedValue -1
inheritedFrom default
attribute teamChatEnabled
inheritedValue true
inheritedFrom cos cos/14d6a755-d050-4214-8fb7-24cf1aba41c9
attribute teamChatIceServerList
inheritedValue
credential XXXXxxxxxXXXXX
url turn:[EXTERNAL_IP_TURNSERVER]:3478?transport=udp
username
inheritedFrom cos cos/14d6a755-d050-4214-XXXX-XXXXX
Important: If you see messages like: user <>: incoming packet message processed, error 401: Unauthorised, check again that the configuration in zx_suite chat is correct.
Re: Zimbra Talk V2: How to debug WebRTC/TURN?
Hi.
If you use NAT with TURN/STUN, you will need to set the external-ip option in turnserver.conf, so it can map.
You can use the turnutils_natdiscovery, turnutils_oauth, turnutils_peer, turnutils_stunclient and turnutils_uclient commands from the "coturn" package on Ubuntu.
It is the easiest way to set up a static user/pass for the turn server communication (and not a per-user one) and in "zxsuite connect iceserver add"
Error 401 can also occur if you use the no-loopback-peers option and Zimbra and the turnserver sit on the same machine.
Also, for error 401 check the realm settings and the user/realm mappings in turnserver, and ensure that Zimbra uses the same combination.
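The 401 behaviour discussed in this thread, modelled as an added example (not from the posts and not coturn's code): with lt-cred-mech the key is MD5(username:realm:password) as defined in RFC 5389, so a user stored under one realm cannot authenticate against a server announcing another. The TurnAuth class and the byte string standing in for a STUN message are hypothetical simplifications; nonce handling and SASLprep are left out.

```python
import hashlib
import hmac

def lt_key(username, realm, password):
    """Long-term credential key from RFC 5389: MD5(username:realm:password)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()

def message_integrity(key, stun_bytes):
    """HMAC-SHA1 that a client attaches to an authenticated request."""
    return hmac.new(key, stun_bytes, hashlib.sha1).digest()

class TurnAuth:
    """Toy model of the server-side check (hypothetical, nonce omitted)."""

    def __init__(self, realm):
        self.realm = realm          # realm announced in the 401 challenge
        self.keys = {}              # (username, realm) -> stored key

    def add_user(self, username, realm, password):
        # Mirrors what adding a user for a given realm stores: the key only.
        self.keys[(username, realm)] = lt_key(username, realm, password)

    def check(self, username, stun_bytes, mac):
        if username is None or mac is None:
            return 401              # no credentials yet: challenge the client
        key = self.keys.get((username, self.realm))
        if key is None:
            return 401              # user is not known under this realm
        ok = hmac.compare_digest(message_integrity(key, stun_bytes), mac)
        return 200 if ok else 401

def client_request(server, username, password, stun_bytes=b"constructed-allocate"):
    """Client side: learn the realm from the 401 challenge, then retry."""
    first = server.check(None, stun_bytes, None)
    key = lt_key(username, server.realm, password)
    second = server.check(username, stun_bytes, message_integrity(key, stun_bytes))
    return [first, second]

if __name__ == "__main__":
    good = TurnAuth("zimbra.example")
    good.add_user("zimbra", "zimbra.example", "password")
    print("matching realm:", client_request(good, "zimbra", "password"))
    bad = TurnAuth("zimbra.example")
    bad.add_user("zimbra", "other.example", "password")
    print("user stored under another realm:", client_request(bad, "zimbra", "password"))
```

The first status is always 401 because the initial request carries no credentials and only fetches the realm and nonce, so one 401 per allocation in the log is expected; a 401 on the authenticated retry is the one to investigate.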