[Users] How To Install & Configure a TURN server for Zimbra Connect

Randy Leiker randy at skywaynetworks.com
Sat Mar 21 21:12:51 CET 2020


Hi Cine, 

If you would like, you are welcome to re-publish any part of the how-to write-up for setting up a reTurn server in the official Zextras or Zimbra documentation, or the Zeta Alliance documentation site. In reading the Zimbra forums, I came across a number of posts where people really seemed to be struggling with getting a TURN server up and running, or did not appear to understand that they needed a TURN server, so I thought it might be good to publish something unofficially. 

From recent in-depth testing of Zimbra Connect, I have also come across a couple of curious things that it does that I am trying to figure out if they are by design or bugs. If you are available for our next Zeta conference call this coming week, I will bring some of those items up to see what you think. 


Randy Leiker ( randy at skywaynetworks.com ) 
Skyway Networks, LLC 
1.800.538.5334 / 913.663.3900 Ext. 100 
https://skywaynetworks.com 


From: "Filippo \"Cine\" Cinetto" <cine at mrcine.net> 
To: "users" <users at lists.zetalliance.org> 
Sent: Saturday, March 21, 2020 5:46:35 AM 
Subject: Re: [Users] How To Install & Configure a TURN server for Zimbra Connect 

Hello everyone! 
First of all, kudos for the great write-up Randy! 

Quick FYI - the Zextras Wiki (wiki.zextras.com) is indeed outdated. Starting from August 3rd, 2019 you can find the most up to date documentation for our products at https://docs.zextras.com . 
While the wiki is not updated anymore and will be soon taken offline, you can contact me on my work email for any error and/or outdated information found in the new documentation hub. 


On Sat, Mar 21, 2020 at 12:40 AM Randy Leiker < randy at skywaynetworks.com > wrote: 



Everyone, 

If you happen to be working on installing or configuring Zimbra Connect, and you have found in your testing any of the following: 


    * Callers are unable to connect 
    * Callers cannot see each other's video/screen shares 
    * Callers cannot hear each other's audio 
    * Chat messages are not being received 

This indicates you may need to set up a TURN server. One option for a TURN server is the reTURN project from https://www.resiprocate.org/Main_Page . A TURN server acts as an intermediary relay allowing callers to connect to each other, when they cannot make a direct connection using the WebRTC protocol. 

Zextras has a write-up for installing reTURN on their Wiki, but some of the information appears to be outdated: 


    * RedHat/CentOS: https://wiki.zextras.com/wiki/ZxChat_with_a_TURN_server/Annex:_Installing_a_TURN_server_on_Centos_7 
    * Ubuntu: https://wiki.zextras.com/wiki/ZxChat_with_a_TURN_server/Annex:_Installing_a_TURN_server_on_Ubuntu_14.04 

Here is a summary of what I did to get reTURN server working successfully with Zimbra Connect on CentOS 7. These steps should be easily adaptable to Ubuntu by swapping the "yum" commands for the equivalent "apt" commands. 

1.) Install CentOS with the minimal install options, and set the host name, IP address, DNS, and gateway options. 

2.) Upon first boot, run "yum upgrade" then reboot. 

3.) Run "yum install epel-release". This installs the repo where the reTURN server can be installed. 

4.) Run "yum install resiprocate-turn-server" 

5.) In the /etc/reTurn/reTurnServer.config file, make these changes: 

Required Settings 
TurnAddress = your server's public IP address (1.2.3.4) 
TurnPort = 3478 
AuthenticationRealm = any valid domain name (example.com) 
UserDatabaseHashedPasswords = true 
AllocationPortRangeMin = 49152 
AllocationPortRangeMax = 65535 

Optional Settings 
TlsTurnPort = 443 
TlsServerCertificateFilename = server.pem 

All other settings not mentioned above can be left at their defaults. 

6.) If you set the optional settings noted above, you will need to either setup Let's Encrypt or purchase an SSL certificate. In server.pem, you'll need to include the private key, domain certificate, and CA certificate, in that order, concatenated together in a single file. 

7.) You'll need to create a single user account for Zimbra Connect to authenticate with the reTURN server. For example, if you want to create a user name of "zimbra", a password of "long-password" and you set the AuthenticationRealm value in step 5 above to "example.com", run this command: 

echo -n zimbra:example.com:long-password | md5sum 

This will create an MD5 hash that looks like: 
403f476b81442de0bf2df8424bad31b3 - 

Next, open the /etc/reTurn/users.txt file, comment out the test user sample and add on a new line: 

zimbra:403f476b81442de0bf2df8424bad31b3:example.com:authorized 

The syntax is: login:password:realm:state. 

8.) On your reTURN server you will need to open these firewall ports: 


    * Required 
        * TCP 3478, UDP 3478 
        * UDP 49152 - 65535 
    * Optional 
        * TCP 443 

The optional TCP 443 port is only needed if you set the TlsTurnPort and TlsServerCertificateFilename options in step 5 above. 

9.) Start the TURN service: "systemctl restart resiprocate-turn-server", then check the /var/log/messages and /var/log/reTurn/reTurnServer.log log files. If all is working well, you should see log entries similar to: 

Mar 19 16:36:47 turn reTurnServer: INFO | 20200319-163647.815 | | RETURN | 140267831281792 | ReTurnConfig.cxx:293 | Processed 1 user(s) from 23 line(s) in /etc/reTurn/users.txt 

You can also run "netstat -npl | grep -i turn" to confirm that reTURN is listening to the expected ports: 

tcp 0 0 1.2.3.4:3478 0.0.0.0:* LISTEN 1102/reTurnServer 
tcp 0 0 1.2.3.4:443 0.0.0.0:* LISTEN 1102/reTurnServer 
tcp6 0 0 :::3478 :::* LISTEN 1102/reTurnServer 
tcp6 0 0 :::443 :::* LISTEN 1102/reTurnServer 
udp 0 0 1.2.3.4:3478 0.0.0.0:* 1102/reTurnServer 
udp6 0 0 :::3478 :::* 1102/reTurnServer 

10.) Finally, from your Zimbra server, where the mailboxd service is installed, as the Zimbra user, run: 

zxsuite connect iceServer add turn:1.2.3.4:3478?transport=udp credential long-password username zimbra 

Where: 


    * "1.2.3.4:3478?transport=udp" is the public IP address, port number, and transport for your reTURN server 
    * "long-password" is the password that you setup in step 7 
    * "zimbra" is the user name that you setup in step 7 

For more information on this command, refer to: https://zimbra.github.io/adminguide/latest/#_stunturn_server . If you need to remove the reTURN server from Zimbra, run: 

zxsuite connect iceServer remove turn:1.2.3.4:3478?transport=udp credential long-password username zimbra 

To see a list of registered TURN servers in Zimbra, use: "zxsuite connect iceServer get" 

Tips 
After the installation of a TURN server and configuration of the TURN server in Zimbra, if callers are still having trouble connecting, or chat messages are not being received, check the WebRTC capabilities of the clients using: 


    * https://test.webrtc.org 
    * WebRTC debugging tool in Chrome: chrome://webrtc-internals 


Randy Leiker ( randy at skywaynetworks.com ) 
Skyway Networks, LLC 







-- 
Filippo "Cine" Cinetto 
+39 351 5419766 
