bigbluebutton · znerol · May 11, 2020
diff --git a/_posts/2018-06-03-install.md b/_posts/2018-06-03-install.md
@@ -625,8 +625,6 @@ Edit the file `/opt/freeswitch/conf/sip_profiles/external.xml` and look for a li
 
 If you have a firewall on your server and have opened port 5066, change the rule to now open port 7443 instead.  
 
-Also, if your BigBlueButton server is behind a firewall, you may need to speciify the `value` with an external IP address `EXTERNAL_IP_ADDRESS:7443` to avoid getting an error 1002 in the client.  For more details see [Configure BigBlueButton behind a firewall](#configure-bigbluebutton-behind-a-firewall).
-
 Next, the websocket forwarding address in nginx.  Edit the file `/etc/bigbluebutton/nginx/sip.nginx` and change the protocol and port on the proxy_pass line as shown:
 
 <pre><code>location /ws {
@@ -781,9 +779,9 @@ As described in the introduction, a common setup is to have your BigBlueButton s
 
 ![Install](/images/11-install-net2.png)
 
-For WebRTC audio to work, you need to change the configuration of FreeSWITCH to listen for connections on the external IP address of the firewall.  If you haven't modified your firewall to forward ports to your BigBlueButton server, see [configure a firewall](#configure-the-firewall-if-required).
+For WebRTC audio to work, you need to change the configuration of FreeSWITCH to be aware of the external IP address of the firewall.  If you haven't modified your firewall to forward ports to your BigBlueButton server, see [configure a firewall](#configure-the-firewall-if-required).
 
-With the firewall configured to forward incoming connections to the BigBlueButton server, the next step is to configure FreeSWITCH to bind to the firewall's external IP address.
+With the firewall configured to forward incoming connections to the BigBlueButton server, the next step is to configure FreeSWITCH to advertise the firewall's external IP address to WebRTC peers.
 
 Edit the following files and substitute EXTERNAL\_IP\_ADDRESS for the external IP address (not the external hostname).
 
@@ -825,65 +823,18 @@ to
     <param name="ext-sip-ip" value="$${external_sip_ip}"/>
 ```
 
-Next, edit `/usr/share/red5/webapps/sip/WEB-INF/bigbluebutton-sip.properties`, and make sure the values of `bbb.sip.app.ip` and `freeswitch.ip` have the internal IP address.
-
-```properties
-bbb.sip.app.ip=<internal_ip>
-bbb.sip.app.port=5070
-
-freeswitch.ip=<internal_ip>
-freeswitch.port=5060
-```
-
-Edit `/etc/bigbluebutton/nginx/sip.nginx` to connect to the external IP address.
-
-If you have configured SSL, use port 7443:
-
-```nginx
-location /ws {
-        proxy_pass https://EXTERNAL_IP_ADDRESS:7443;
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "Upgrade";
-        proxy_read_timeout 6h;
-        proxy_send_timeout 6h;
-        client_body_timeout 6h;
-        send_timeout 6h;
-}
-```
+And change:
 
-If you are not using SSL, use port 5066:
-
-```nginx
-location /ws {
-        proxy_pass http://EXTERNAL_IP_ADDRESS:5066;
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "Upgrade";
-        proxy_read_timeout 6h;
-        proxy_send_timeout 6h;
-        client_body_timeout 6h;
-        send_timeout 6h;
-}
-```
-
-If you have the HTML5 client installed, you may need to a few more changes.  If `enableListenOnly` is set to true in `/usr/share/meteor/bundle/programs/server/assets/app/config/settings-production.json`, as in
-
-```bash
-$ cat /usr/share/meteor/bundle/programs/server/assets/app/config/settings-production.json | grep enableListenOnly
-      "enableListenOnly": true
+```xml
+    <param name="local-network-acl" value="localnet.auto"/>
 ```
 
-then Kurento is providing a listen only audio stream for users of the HTML5 client (just as red5 provides listen only audio stream for Flash users). In this case, edit `/usr/local/bigbluebutton/bbb-webrtc-sfu/config/default.yml` change the value to `ip` to match the external IP address of the server.  For example, if the servers external IP address is `203.0.113.1`, then edit this file so the value for `ip` is as follows
+to
 
-```yaml
-freeswitch:
-    ip: '203.0.113.1'
-    port: '5066'
+```xml
+    <param name="local-network-acl" value="none"/>
 ```
 
-You also need to [setup Kurento to use a STUN server](http://docs.bigbluebutton.org/html/html5-install.html#extra-steps-when-server-is-behind-nat).
-
 After making the above changes, restart BigBlueButton.
 
 ```bash
@@ -901,7 +852,7 @@ Detected the following WebRTC issue: Error 1002: Could not make a WebSocket conn
 | 1002: Could not make a WebSocket connection | Note 1         |
 | 1007: ICE negotiation failed                | Note 2         |
 
-For Error 1002, check IP address for `proxy_pass` in `/etc/bigbluebutton/nginx/sip.nginx` is pointing to the external IP address of the firewall.  Next, check that FreeSWITCH has started without errors
+For Error 1002, check that FreeSWITCH has started without errors
 
 <pre><code># systemctl status freeswitch
 ● freeswitch.service - freeswitch
@@ -922,106 +873,12 @@ Mar 03 23:13:07 t4 freeswitch[19349]: FreeSWITCH[19349] System Ready pid:19361
 Mar 03 23:13:07 t4 systemd[1]: Started freeswitch.
 </code></pre>
 
-You should see `active (running)`.  If FreeSWITCH is not running, you can check it's output log for clues on why it's not running `journalctl -u freeswitch.service`. If you continue to see the Error 1002, check the diagnostic stops below, under [Configure a dummy NIC](#configure-a-dummy-nic-if-required).
+You should see `active (running)`.  If FreeSWITCH is not running, you can check it's output log for clues on why it's not running `journalctl -u freeswitch.service`.
 
 For Error 1007, it means that the web socket connect was successful (FreeSWITCH is running and received the request from the browser to setup a media path), but none of the IP/Port combinations returned by FreeSWITCH enabled the browser to connect and start transmitting media. To diagnose this error, open `about:webrtc` in FireFox and click ‘show details’ for the most recent connection. Look under the column Remote Candidate and check if you see the internal IP address of the BigBlueButton server. If so, you probably have a misconfiguration in the FreeSWITCH settings. Re-check against the examples shown above.
 
 If the correct IP address is shown, you probably have an issue where your firewall isn't allowing UDP packets through in both directions on the required ports. Check your firewall documentation for help, or ask the BigBlueButton community mailing list.
 
-## Configure a dummy NIC (if required)
-
-If you are encountering error 1002 when trying to connect to WebRTC audio, it might be that your firewall does not support "hairpin NAT", which means when the BigBlueButton server connects to the firewall's IP address, the firewall is not sending the connection right back.
-
-You can test if hairpin NAT is working using following command on your BigBlueButton server. Replace `EXTERNAL-IP-ADDRESS` with the external IP address of your firewall.
-
-```bash
-$ curl --trace-ascii - -k https://EXTERNAL-IP-ADDRESS:443/bigbluebutton/api
-```
-
-Here's the sample output from a success test.
-
-```
-~# curl --trace-ascii - -k https://203.0.113.1:443/bigbluebutton/api
-== Info:   Trying 203.0.113.1...
-== Info: Connected to 203.0.113.1 (203.0.113.1) port 443 (#0)
-== Info: found 173 certificates in /etc/ssl/certs/ca-certificates.crt
-== Info: found 692 certificates in /etc/ssl/certs
-== Info: ALPN, offering http/1.1
-== Info: SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
-== Info:         server certificate verification SKIPPED
-== Info:         server certificate status verification SKIPPED
-== Info:         common name: HOSTNAME (does not match '203.0.113.1')
-== Info:         server certificate expiration date OK
-== Info:         server certificate activation date OK
-== Info:         certificate public key: RSA
-== Info:         certificate version: #3
-== Info:         subject: CN=bbb02.monasticeducation.net
-== Info:         start date: Fri, 24 Feb 2017 06:20:00 GMT
-== Info:         expire date: Thu, 25 May 2017 06:20:00 GMT
-== Info:         issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
-== Info:         compression: NULL
-== Info: ALPN, server accepted to use http/1.1
-=> Send header, 93 bytes (0x5d)
-0000: GET /bigbluebutton/api HTTP/1.1
-0021: Host: 203.0.113.1
-0035: User-Agent: curl/7.47.0
-004e: Accept: */*
-005b:
-<= Recv header, 17 bytes (0x11)
-...
-<response><returncode>SUCCESS</returncode><version>1.0</version></response>== Info: Connection #0 to host 203.0.113.1 left intact
-```
-
-You should see the `<response>...</response>` at the end.  
-
-If you don't see this, follow the steps below on your BigBlueButton server to setup a dummy NIC that has the same IP address as your firewall.  Here's a sample diagram of how it works.
-
-![Install](/images/11-install-net3.png)
-
-In this diagram, we've setup a dummy NIC for 203.0.113.1, which will allow FreeSWITCH to connect back to itself.  This way, when FreeSWICH receives an internal connection from other parts of BigBlueButton, it will think that it's on the external interface. This will cause it to use the correct IP address on the response.
-
-To setup a dummy NIC, on your BigBlueButton enter the following command and substitute `EXTERNAL_IP_ADDRESS` with the external IP address of your firewall.
-
-```bash
-$ sudo ip addr add EXTERNAL\_IP\_ADDRESS/32 dev lo
-```
-
-Next, check that the dummy NIC was created using the command `ip addr`.
-
-```bash
-$ ip addr
-1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
-    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
-    inet 127.0.0.1/8 scope host lo
-       valid_lft forever preferred_lft forever
-    inet EXTERNAL_IP_ADDRESS/32 scope global lo
-       valid_lft forever preferred_lft forever
-    inet6 ::1/128 scope host
-       valid_lft forever preferred_lft forever
-```
-
-You should see the EXTERNAL\_IP\_ADDRESS for your firewall listed above.
-
-Next, edit `/opt/freeswitch/conf/sip_profiles/external.xml` and ensure the value for `wss-binding` uses the external IP address
-
-```xml
-<param name="wss-binding"  value="EXTERNAL_IP_ADDRESS:7443"/>
-```
-
-At this point, restart your BigBlueButton server with `bbb-conf --restart`, then try connecting to the WebRTC media again.
-
-Finally, to ensure this dummy NIC to be automatically created on restart, edit `/etc/network/interfaces` and add the following
-
-```
-# The loopback network interface
-auto lo
-iface lo inet loopback
-        post-up ip addr add EXTERNAL_IP_ADDRESS/32 dev lo
-        pre-down ip addr del EXTERNAL_IP_ADDRESS/32 dev lo
-```
-
-The above will enable users outside the firewall to access your BigBlueButton server.  For users themselves who are behind a firewall, you will want to setup a TURN server (next section).
-
 # Setup a TURN server
 
 BigBlueButton normally requires a wide range of UDP ports to be available for WebRTC communication. In some network restricted sites or development environments, such as those behind NAT or a firewall that restricts outgoing UDP connections, users may be unable to make outgoing UDP connections to your BigBlueButton server.