• Hello Forum,

    we recently started using WebMeetings within webapp.
    Setup is on CentOS7 with nginx proxy, as described in the documentation.
    both webapp and webmeetings are available and running. Presence as well (and it correctly logs who is available)
    Chat function is working well.
    however, if we start a call from outside clients to outside clients (like my homeoffice to my boss homeoffice) the connection comes up, states:

    Remote stream added. null 
    Object { webrtc: {…}, id: "FT797Ofd4NxSdE-[...]
    New stream FT797O[...]
    Local video size:  640 360
    Created offer/answer {  [...]  }
    Connection signaling state change stable FT797Ofd4NxSdE- [...]
    Set local session description.
    Sending answer
    ICE connection state change checking FT797Ofd4NxSdE-[...]
    Conference peer connection state changed checking
    P2P state changed checking FT797Ofd4NxSdE-[...]
    New stream FT797Ofd4NxSdE-[...]
    Switched to new video layout renderer democrazy
    Remote video size:  
    Object { width: 0, height: 0 }
    Incoming stream has no video tracks
    Stream scope is now active FT797Ofd4NxSdE-[...]
    Video state active (assuming connected) FT797Ofd4NxSdE-[...]
    Remote video size:  Object { width: 0, height: 0 }
    

    and disconnects some seconds later on itself.
    Console says:

    End of candidates.
    ICE connection state change failed FT797Ofd4NxSdE-[...]
    ICE failed, add a TURN server and see about:webrtc for more details
    Conference peer connection state changed failed 
    
    
    Conference peer connection state failed
    {…}
      closed: true
      datachannels: Object {  }
      e: Object { 0: {…}, length: 1 }
      from: "HR_5nmj5kMDm40jXoL0A-[...]
      id: "FT797Ofd4NxSdE-[...]
      initiate: false
      mediaConstraints: Object { audio: {…}, video: {…} }
      negotiationNeeded: false
      offerOptions: Object { offerToReceiveAudio: true, offerToReceiveVideo: true }
      outgoing: false
      pcConfig: Object { iceServers: (1) […] }
      pcConstraints: Object { mandatory: {}, optional: [] }
      peerconnection: null
      pendingCandidates: Array []
      sdpParams: Object { audioSendCodec: "opus/48000", opusStereo: "true", videoSendCodec: "VP8/90000" }
      streams: Object {  }
      to: "FT797Ofd4NxSdE-[...]"
      webrtc: Object { api: {…}, usermediaReady: false, audioMute: false, … }
      <prototype>: Object { isOutgoing: isOutgoing(), setInitiate: setInitiate(e), getStreamId: getStreamId(e), … }
    
    Remote stream removed.  MediaStream[... unnecessary info ...]
    Destroyed scope for call
    Remote Stream removed
    Stream removed
    Peercall close > Object { webrtc  ...  some ids ... }
    Stopped user media Audio level user media changed null
    Conference peer connection state changed closed 
    P2P state changed closed
    Bye received  [some ids]
           Object { Reason: "failed" }
            many many suboptions in this object  -  which one is interesting? - I can't tell
    

    2c4081c0-e535-4b4d-9a49-8b41df58a0a8-grafik.png

    my firefox about:webrtc shows:
    3e6dfe70-8153-4985-90bf-09bf44a962b8-grafik.png

    We are using the opensource STUN/TURN-Server “Coturn TURN SERVER” compiled on the webapp-server and running as a service.
    The Listenport: 3478

    it starts with listening on 3478-3479 for stun/turn udp sessions
    and 5349-5350 for tls connections

    The stunserver is getting the options as stated in the log:

    2515: handle_udp_packet: New UDP endpoint: local addr <INTERNAL-WEBAPP-IP>:3478, remote addr <MY-HOMEOFFICE-EXTERNAL-IP>:7540
    2515: session 000000000000000033: realm <> user <>: incoming packet BINDING processed, success
    2515: handle_udp_packet: New UDP endpoint: local addr <INTERNAL-WEBAPP-IP>:3478, remote addr <MY-HOMEOFFICE-EXTERNAL-IP>:7502
    2515: session 001000000000000039: realm <> user <>: incoming packet BINDING processed, success
    2515: handle_udp_packet: New UDP endpoint: local addr <INTERNAL-WEBAPP-IP>:3478, remote addr <MY-HOMEOFFICE-EXTERNAL-IP>:7418
    2515: session 000000000000000034: realm <> user <>: incoming packet BINDING processed, success
    2515: handle_udp_packet: New UDP endpoint: local addr <INTERNAL-WEBAPP-IP>:3478, remote addr <MY-HOMEOFFICE-EXTERNAL-IP>:7414
    2515: session 001000000000000040: realm <> user <>: incoming packet BINDING processed, success
    2515: handle_udp_packet: New UDP endpoint: local addr <INTERNAL-WEBAPP-IP>:3478, remote addr <MY-HOMEOFFICE-EXTERNAL-IP>:7412
    2515: session 001000000000000041: realm <> user <>: incoming packet BINDING processed, success
    

    in my webrtc debug log i can see the external and local ips from my boss’s pc at his homeoffice

    Our homeoffice Firewalls are deactivated
    Our Company FW is natting the ports 3478-3479 static to webapp-server, same for 5349-5350 (both tcp and udp)

    If one of the pcs is an internal, everything looks fine.
    Any suggestions, questions or ideas?

    best regards
    Coffee_is_life
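
Added example, not part of the original post and not coturn or Kopano code: the coturn excerpt above shows only anonymous BINDING (STUN) requests, while a relayed call also needs a successful ALLOCATE (TURN). This sketch classifies sessions from such a log; the sample lines are constructed, and the 401 and ALLOCATE lines assume coturn's usual message format.

```python
import re
from collections import Counter

# Constructed sample. The first three lines follow the format quoted in the
# post (addresses replaced by documentation ranges); the 401 and ALLOCATE
# lines are an assumed format for what an authenticated TURN client adds.
SAMPLE = """\
2515: handle_udp_packet: New UDP endpoint: local addr 192.0.2.10:3478, remote addr 198.51.100.7:7540
2515: session 000000000000000033: realm <> user <>: incoming packet BINDING processed, success
2516: session 001000000000000039: realm <> user <>: incoming packet BINDING processed, success
2520: session 001000000000000042: realm <example.org> user <>: incoming packet message processed, error 401: Unauthorized
2520: session 001000000000000042: realm <example.org> user <meet>: incoming packet ALLOCATE processed, success
"""

LINE = re.compile(
    r"session (?P<sid>\d+): realm <(?P<realm>[^>]*)> user <(?P<user>[^>]*)>: "
    r"incoming packet (?P<method>\S+) processed, (?P<result>success|error \d+)"
)

def summarize(log_text):
    """Group STUN/TURN requests by session and say whether any relay was allocated."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # endpoint announcements and unrelated lines
        s = sessions.setdefault(m["sid"], {"methods": Counter(), "user": ""})
        s["methods"][(m["method"], m["result"])] += 1
        s["user"] = m["user"] or s["user"]
    # A session relays media only after a successful ALLOCATE.
    relayed = [sid for sid, s in sessions.items()
               if s["methods"][("ALLOCATE", "success")]]
    # Sessions that never went beyond STUN binding (address discovery only).
    stun_only = [sid for sid, s in sessions.items()
                 if {method for method, _ in s["methods"]} == {"BINDING"}]
    verdict = "relay in use" if relayed else "STUN only, no relay allocated"
    return {"sessions": len(sessions), "relayed": relayed,
            "stun_only": stun_only, "verdict": verdict}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```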

  • Kopano

    Hi @Coffee_is_life,

    do you have a turn server configured?

    PS: while not natively available for CentOS I would recommend to take a look at Kopano Meet instead; it's the successor of the old WebMeetings.


  • Just edited my original post

    yes it is.

    will take a look at meet - is this integratable into webapp as well?

    //EDIT: just saw, there is no supported package for centos7 yet. in this case we need to wait for the rpm base packages, since we are currently working a lot from homeoffice (no need to state why :) )

  • Kopano

    I would recommend to use our turn service instead of a locally installed one for the moment. It's included in your subscription.


  • Thanks for the advice,

    If i configure the stun service within webmeetings plugin (/usr/share/kopano-webapp/plugins/spreedwebrtc/config.php), the stun/turn directive in webmeetings (/etc/kopano/webmeetings.cfg) is ignored, right?
    or do i need to comment all stun/turn-lines?

    best regards
    Coffee_is_life

  • Kopano

    @Coffee_is_life yes, I do think that was the case. All configuration was through the WebApp plugin.


  • Good Morning @fbartels ,

    the Plugin is now working, thanks for the advice, got the username and pw within minutes :) .

    The last thing i need to implement is the conference functionality, so users can join a group and get a videoconference with more than one. i can't see any option to add someone to the video call or call the whole group.
    is this functionality just deactivated or does webmeetings not do this at all?

    best regards,
    coffee_is_life

  • Kopano

    @Coffee_is_life if I remember correctly then for guest users you need a unique url per user. The best way is to send a meeting request and add a webmeetings link from webapp.


    That's what i did, wrote a mail and clicked:
    0e399752-255e-410f-805f-b9ef1d9c4643-grafik.png
    on top of the mail-screen.

    joined the room myself with 3 instances of external users ( ff private mode) and i can only call one, not 2 or 3 users which are all in this room.

    The options on top of the screen:
    72fb6ba2-bed6-4d66-8ded-58b878c9a17b-grafik.png

    With Meeting request etc are grayed out.

  • Kopano

    @Coffee_is_life ah, that is what you mean. One of the users has to call the others in.

    In Meet groups are “conference style” by default, so there connections will be established with other participants automatically.


    I have now installed Meet on a separate server, reason:

    kc is running on centos7 and there is no meet package for RHEL7_PHP56

    i’ve got it running to the point of login. I can connect to the server_url/meet
    nginx is proxying this to the login mask (server_url/signin/[…]):
    9908f695-f9da-4567-aef9-081ddb9fb194-grafik.png

    but there are two issues which i don't know how to get rid of:

    the grapi-package isn't available in the meet-packages, but in kc packages. But only for debian 9, i'm using buster(10) for the meet and centos7 for kc.

    can i install the grapi on my meet-server and point the login to my KC server? - can't find any hint for this setup in the documentation.
    can i use the debian 9 grapi-package on debian 10?

    best regards,
    coffee_is_life

  • Kopano

    @Coffee_is_life said in Webmeeting failed peer connection:

    i’ve got it running to the point of login. I can connect to the server_

    The error 500 usually means that it could not connect to kopano-server or it's improperly configured. What is logged in connect at this point in time?

    @Coffee_is_life said in Webmeeting failed peer connection:

    the grapi-package isn't available in the meet-packages, but in kc packages. But only for debian 9, i'm using buster(10) for the meet

    If you want to use Debian Buster, then I would recommend to install the kopano-server components from master (just on the meet node, no need to upgrade or mess with the centos installation). It's probably even easier to just use containers and connect back to the kopano installation. You could also have a look at https://github.com/zokradonh/kopano-docker/tree/master/examples/meet.


  • Hello @fbartels,

    the login via meet and backend kc works now, domain users can authenticate - like that.

    But i can't load the contacts, which are received by the grapi (i installed the kopano-grapi from master for debian_10 on the meet-server)

    when logged in and every time i search a contact, the following error shows:

    Failed to fetch contacts: unexpected status: 403
    

    The grapi logs the following:

    Mar 23 14:41:57 pwwww001 kopano-grapi[10563]: 2020-03-23 14:41:57,805 rest0     [10572] INFO     logon failed for user AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAPoBAAB0K01vZmlwb2EwT3E0WWJBUzZNWU5BPT0AAAAA for request /api/gc/v1/users
    Mar 23 14:41:57 pwwww001 kopano-grapi[10563]: Traceback (most recent call last):
    Mar 23 14:41:57 pwwww001 kopano-grapi[10563]:   File "/usr/lib/kopano/python3-kopano10/lib/python3.7/site-packages/kopano/server.py", line 318, in __init__
    Mar 23 14:41:57 pwwww001 kopano-grapi[10563]:     flags=flags)
    Mar 23 14:41:57 pwwww001 kopano-grapi[10563]:   File "/usr/lib/python3/dist-packages/MAPI/Util/__init__.py", line 87, in OpenECSession
    Mar 23 14:41:57 pwwww001 kopano-grapi[10563]:     admin.ConfigureMsgService(uid, 0, 0, profprops)
    Mar 23 14:41:57 pwwww001 kopano-grapi[10563]:   File "/usr/lib/python3/dist-packages/MAPICore.py", line 1668, in ConfigureMsgService
    Mar 23 14:41:57 pwwww001 kopano-grapi[10563]:     return _MAPICore.IMsgServiceAdmin_ConfigureMsgService(self, lpUID, ulUIParam, ulFlags, cValues)
    Mar 23 14:41:57 pwwww001 kopano-grapi[10563]: MAPI.Struct.MAPIErrorLogonFailed: MAPI error 80040111 (MAPI_E_LOGON_FAILED)
    Mar 23 14:41:57 pwwww001 kopano-grapi[10563]: During handling of the above exception, another exception occurred:
    Mar 23 14:41:57 pwwww001 kopano-grapi[10563]: Traceback (most recent call last):
    Mar 23 14:41:57 pwwww001 kopano-grapi[10563]:   File "/usr/lib/python3/dist-packages/grapi/backend/kopano/utils.py", line 291, in _server_store
    Mar 23 14:41:57 pwwww001 kopano-grapi[10563]:     record = _server(req, options, forceReconnect=forceReconnect)
    Mar 23 14:41:57 pwwww001 kopano-grapi[10563]:   File "/usr/lib/python3/dist-packages/grapi/backend/kopano/utils.py", line 171, in _server
    Mar 23 14:41:57 pwwww001 kopano-grapi[10563]:     parse_args=False, store_cache=False, oidc=True, config={})
    Mar 23 14:41:57 pwwww001 kopano-grapi[10563]:   File "/usr/lib/kopano/python3-kopano10/lib/python3.7/site-packages/kopano/__init__.py", line 77, in __init__
    Mar 23 14:41:57 pwwww001 kopano-grapi[10563]:     super().__init__(*args, **kwargs)
    Mar 23 14:41:57 pwwww001 kopano-grapi[10563]:   File "/usr/lib/kopano/python3-kopano10/lib/python3.7/site-packages/kopano/server.py", line 330, in __init__
    Mar 23 14:41:57 pwwww001 kopano-grapi[10563]:     password incorrect')
    Mar 23 14:41:57 pwwww001 kopano-grapi[10563]: kopano.errors.LogonError: Could not logon to server: username or password incorrect
    
    

    Kopano Core on another server gets the auth and logs the following:

    Mon Mar 23 14:41:57 2020: [warning] Authentication by plugin failed for user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAPoBAAB0K01vZmlwb2EwT3E0WWJBUzZNWU5BPT0AAAAA": Trying to authenticate failed: AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAPoBAAB0K01vZmlwb2EwT3E0WWJBUzZNWU5BPT0AAAAA not found in LDAP; username = AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAPoBAAB0K01vZmlwb2EwT3E0WWJBUzZNWU5BPT0AAAAA
    

    is this the behaviour when sso isn't configured? - if yes, then i know why :) - good thing is, KC detects the login now.

    for which server do i need to create the keytab then? the Kopano-Core server which handles the login or the kopano-meet server which is the request server?

    // btw is there a way to get the logs from konnectd, grapi, kapi and kwmserver into separate logs? - they all log to syslog and this is quite confusing

    best regards,
    coffee_is_life

  • Kopano

    @Coffee_is_life said in Webmeeting failed peer connection:

    is this the behaviour when sso isn't configured?

    yes

    @Coffee_is_life said in Webmeeting failed peer connection:

    for which server do i need to create the keytab then?

    For none. Keytab implies Kerberos SSO, but for Meet we use OpenID sso.

    You just need to make the changes listed in https://documentation.kopano.io/kopano_meet_manual/installation.html#kopano-configuration to your server.cfg.


  • so just enable sso in the config and the issuer set to be the same

    will try this

    thanks in advance

    coffee_is_life


  • This worked like a charm - many thanks for that -
    thought i need to change everything to sso, not just activate the sso switch in server.cfg

    i’ve got it running now with everything needed.
    just 2 questions left:

    first: i know kopano-meet is in developing state and some features aren't available (like the apps-tab on the top right - deactivated calendar and contacts, rerouted the webapp to my actual webapp - so this is fine)
    but is there any outlook for the coming features and maybe a timeline plan when this will approx. be published?

    second: how do i log auth-fails in kwebd/konnectd/meet - fail2ban needs some infos on this and i don't want to expose any of our servers without it.

    thanks in advance, best regards and stay healthy
    coffee_is_life
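
Added example, not from the thread and not Kopano code: the only authentication-failure line quoted in this thread is kopano-server's, so this sketch counts repeated failures per user in that format, with `max_retry` and `find_time` named after fail2ban's `maxretry` and `findtime`. The sample lines are constructed; the quoted format names the user but carries no client address, so it cannot drive an IP ban by itself.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the kopano-server format quoted earlier in this
# thread; user names and timestamps are made up.
SAMPLE = """\
Mon Mar 23 14:00:00 2020: [warning] Authentication by plugin failed for user "bob": Trying to authenticate failed: bob not found in LDAP; username = bob
Mon Mar 23 14:41:57 2020: [warning] Authentication by plugin failed for user "alice": Trying to authenticate failed: alice not found in LDAP; username = alice
Mon Mar 23 14:42:10 2020: [warning] Authentication by plugin failed for user "alice": Trying to authenticate failed: alice not found in LDAP; username = alice
Mon Mar 23 14:43:01 2020: [warning] Authentication by plugin failed for user "alice": Trying to authenticate failed: alice not found in LDAP; username = alice
Mon Mar 23 14:45:00 2020: [warning] Authentication by plugin failed for user "bob": Trying to authenticate failed: bob not found in LDAP; username = bob
Mon Mar 23 14:50:00 2020: [info] unrelated line (constructed)
Mon Mar 23 15:10:00 2020: [warning] Authentication by plugin failed for user "bob": Trying to authenticate failed: bob not found in LDAP; username = bob
"""

FAIL = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}): \[warning\] '
    r'Authentication by plugin failed for user "(?P<user>[^"]*)"'
)

def repeated_failures(log_text, max_retry=3, find_time=timedelta(minutes=10)):
    """Return {user: time at which max_retry failures fell within find_time}."""
    recent = defaultdict(deque)   # user -> failure times still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAIL.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        window = recent[m["user"]]
        window.append(ts)
        # Drop failures older than find_time relative to the current one.
        while ts - window[0] > find_time:
            window.popleft()
        if len(window) >= max_retry:
            flagged.setdefault(m["user"], ts)  # keep the first time it tripped
    return flagged

if __name__ == "__main__":
    for user, when in repeated_failures(SAMPLE).items():
        print(f"{user}: threshold reached at {when.isoformat()}")
```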

