[Users] How To Install & Configure a TURN server for Zimbra Connect

Filippo Cinetto cine at mrcine.net
Sat Mar 21 11:46:35 CET 2020


Hello everyone!

First of all, kudos for the great write-up Randy!

Quick FYI - the Zextras Wiki (wiki.zextras.com) is indeed outdated.
Starting from August 3rd, 2019 you can find the most up to date
documentation for our products at https://docs.zextras.com.
While the wiki is not updated anymore and will soon be taken offline, you
can contact me on my work email for any error and/or outdated information
found in the new documentation hub.


On Sat, Mar 21, 2020 at 12:40 AM Randy Leiker <randy at skywaynetworks.com>
wrote:

> Everyone,
>
> If you happen to be working on installing or configuring Zimbra Connect,
> and you have found in your testing any of the following:
>
>    - Callers are unable to connect
>    - Callers cannot see each other's video/screen shares
>    - Callers cannot hear each other's audio
>    - Chat messages are not being received
>
> This indicates you may need to set up a TURN server.  One option for a TURN
> server is the reTURN project from https://www.resiprocate.org/Main_Page
> .  A TURN server acts as an intermediary relay allowing callers to connect
> to each other, when they cannot make a direct connection using the WebRTC
> protocol.
>
> Zextras has a write-up for installing reTURN on their Wiki, but some of
> the information appears to be outdated:
>
>    - RedHat/CentOS:
>    https://wiki.zextras.com/wiki/ZxChat_with_a_TURN_server/Annex:_Installing_a_TURN_server_on_Centos_7
>    - Ubuntu:
>    https://wiki.zextras.com/wiki/ZxChat_with_a_TURN_server/Annex:_Installing_a_TURN_server_on_Ubuntu_14.04
>
> Here is a summary of what I did to get reTURN server working successfully
> with Zimbra Connect on CentOS 7.  These steps should be easily adaptable to
> Ubuntu by swapping the "yum" commands for the equivalent "apt" commands.
>
> 1.) Install CentOS with the minimal install options, and set the host
> name, ip address, DNS, gateway options.
>
> 2.) Upon first boot, run "yum upgrade" then reboot.
>
> 3.) Run "yum install epel-release".  This installs the repo where the
> reTURN server can be installed.
>
> 4.) Run "yum install resiprocate-turn-server"
>
> 5.) In the /etc/reTurn/reTurnServer.config file, make these changes:
>
> *Required Settings*
> TurnAddress = your server's public IP address (1.2.3.4)
> TurnPort = 3478
> AuthenticationRealm = any valid domain name (example.com)
> UserDatabaseHashedPasswords = true
> AllocationPortRangeMin = 49152
> AllocationPortRangeMax = 65535
>
> *Optional Settings*
> TlsTurnPort = 443
> TlsServerCertificateFilename = server.pem
>
> All other settings not mentioned above can be left at their defaults.
>
> 6.) If you set the optional settings noted above, you will need to either
> set up Let's Encrypt or purchase an SSL certificate.  In server.pem, you'll
> need to include the private key, domain certificate, and CA certificate, in
> that order, concatenated together in a single file.
>
> 7.) You'll need to create a single user account for Zimbra Connect to
> authenticate with the reTURN server.  For example, if you want to create a
> user name of "zimbra", a password of "long-password" and you set the
> AuthenticationRealm value in step 5 above to "example.com", run this
> command:
>
> echo -n zimbra:example.com:long-password | md5sum
>
> This will create an MD5 hash that looks like:
> 403f476b81442de0bf2df8424bad31b3  -
>
> Next, open the /etc/reTurn/users.txt file, comment out the test user
> sample and on a new line add:
>
> zimbra:403f476b81442de0bf2df8424bad31b3:example.com:authorized
>
> The syntax is: login:password:realm:state.
>
> 8.) On your reTURN server you will need to open these firewall ports:
>
>    - Required
>       - TCP 3478, UDP 3478
>       - UDP 49152 - 65535
>    - Optional
>       - TCP 443
>
> The optional TCP 443 port is only needed if you set the TlsTurnPort and
> TlsServerCertificateFilename options in step 5 above.
>
> 9.) Start the TURN service: "systemctl restart resiprocate-turn-server",
> then check the /var/log/messages and /var/log/reTurn/reTurnServer.log log
> files.  If all is working well, you should see log entries similar to:
>
> Mar 19 16:36:47 turn reTurnServer: INFO | 20200319-163647.815 |  | RETURN | 140267831281792 | ReTurnConfig.cxx:293 | Processed 1 user(s) from 23 line(s) in /etc/reTurn/users.txt
>
> You can also run "netstat -npl | grep -i turn" to confirm that reTURN is
> listening to the expected ports:
>
> tcp        0      0 1.2.3.4:3478     0.0.0.0:*     LISTEN      1102/reTurnServer
> tcp        0      0 1.2.3.4:443      0.0.0.0:*     LISTEN      1102/reTurnServer
> tcp6       0      0 :::3478          :::*          LISTEN      1102/reTurnServer
> tcp6       0      0 :::443           :::*          LISTEN      1102/reTurnServer
> udp        0      0 1.2.3.4:3478     0.0.0.0:*                 1102/reTurnServer
> udp6       0      0 :::3478          :::*                      1102/reTurnServer
>
> 10.) Finally, from your Zimbra server, where the mailboxd service is
> installed, as the Zimbra user, run:
>
> zxsuite connect iceServer add turn:1.2.3.4:3478?transport=udp credential long-password username zimbra
>
> Where:
>
>    - "1.2.3.4:3478?transport=udp" is the public IP address, port number,
>    and transport for your reTURN server
>    - "long-password" is the password that you set up in step 7
>    - "zimbra" is the user name that you set up in step 7
>
> For more information on this command, refer to:
> https://zimbra.github.io/adminguide/latest/#_stunturn_server .  If you
> need to remove the reTURN server from Zimbra, run:
>
> zxsuite connect iceServer remove turn:1.2.3.4:3478?transport=udp credential long-password username zimbra
>
> To see a list of registered TURN servers in Zimbra, use: "zxsuite connect
> iceServer get"
>
> *Tips*
> After the installation of a TURN server and configuration of the TURN
> server in Zimbra, if callers are still having trouble connecting, or chat
> messages are not being received, check the WebRTC capabilities of the
> clients using:
>
>    - https://test.webrtc.org
>    - WebRTC debugging tool in Chrome: chrome://webrtc-internals
>
>
>
> Randy Leiker ( randy at skywaynetworks.com )
> Skyway Networks, LLC
>
>
>

-- 
Filippo "Cine" Cinetto
+39 351 5419766