Overview – Network & Port Forwarding
You need to provide external users such as partners, clients or remote employees the ability to connect to Zoom services from outside the firewall or intranet. You also need ensure internal users continue to connect to Zoom from within the firewall without looping out and coming back through an external IP address. You might also wish to have Zoom services access via standard 443 (HTTP SSL/TLS), 80 (HTTP) ports to avoid users hitting firewall blocking of non-standard ports. Visually, you want to setup access as below:
Solution for External to Internal NAT
Setup DNS entries such that in the internal network, the host name resolves to internal IP address and to the external IP address outside the firewall. For example in the above diagram, zmsrv.evolphin.net resolves to IP 10.1.10.7 and externally to IP 126.96.36.199
Now configure the Zoom settings in the Web administration console as below:
- Go to Server Control Panel. Click on Network Settings to change Zoom server Host name/IP address to point to the DNS host name for e.g. zmsrv.evolphin.net
- In the Server Control Panel click on Admin Server config to change Admin Server Host/IP to point to the DNS host name for e.g. zmsrv.evolphin.net
- 5.1 or higher: Edit the server.xml and preview-server.xml for Preview server settings to point to the DNS host name.
- 5.0 or below: In the Server Control Panel click on Review Server Settings to change Server Host/IP to point to the DNS host name for e.g. zmsrv.evolphin.net
- Forward Zoom ports from external IP to internal. Default ports are: 8880 (Zoom), 8873 (Preview), 8443 (Configuration & admin)
- Restart the Zoom Asset Browser on the client desktop and use the DNS host name (for e.g. zmsrv.evolphin.net from above scenario) to connect to the Zoom server
- If only Web Client access is desired from outside the firewall, forward only the 8873 (Preview) port.
Solution for Port Forwarding
You can use the solutions described below to forward any Zoom port including 8880, 8443, 9880, 8973, 8443, 9443.
You can change the default ports via the Web Administration Console as described in the previous sections. For e.g. you could change the Preview Server port to listen on port 443 instead of 8873 or 8973 (SSL). Windows does not have restriction on privileged ports (< 1024) like UNIX, so simply changing the ports can work.
Other option would be to setup port forwarding on the Windows Server using the netsh CLI. For example the rule below will forward traffic on HTTPS port 443 to the Zoom Preview Server SSL port.
On UNIX system any port < 1024 is treated as a privileged port and a non-root process can’t bind to it. Zoom services like DAM/MAM server, Preview server by default are run as non-root user such as ‘evolphin’. In order for such services to listen on privileged ports, port forwarding can be setup in the Linux kernel. The steps below assume firewalld (wrapper on top of iptables) has been installed:
- Check the active zones
[root@srdam-zoom ~]# firewall-cmd --get-active-zones
- Add the port forward rule to the appropriate Zone (public/external/trusted etc). Please see the documentation for firewalld if needed.
[root@srdam-zoom ~]# firewall-cmd --permanent --zone=trusted --add-forward-port=port=443:proto=tcp:toport=8973
[root@srdam-zoom ~]# firewall-cmd --reload
- Confirm if the port was forwarded
[root@srdam-zoom ~]# firewall-cmd --list-forward-ports
- Try accessing the service now over the standard secure port via an HTTPS URL. For e.g.