Federated eduMEET Infrastructure for Helmholtz

Help build a reliable video infrastructure by contributing media-node capacity to a shared, federated network within Helmholtz.

Information subject to change

The details in this document may be updated while the first proof‑of‑concept is being established.

Overview

The Let’s meet! service operates on a federated architecture that allows multiple Helmholtz centers to contribute media nodes to a shared infrastructure. This federation enables:

  • Geographic load distribution: Participants are automatically routed to the geographically nearest media node

  • Scalability: If one node reaches maximum capacity, new participants are routed to alternative nodes

  • Sovereignty: Each center operates its own infrastructure while participating in the shared service

This section provides technical instructions for IT staff at Helmholtz centers who wish to operate their own eduMEET media node.


Technical Requirements for Media Node Operators

Server Specifications

Media nodes must meet the following baseline requirement:
1 CPU core + 50 Mbps outgoing bandwidth per 10 concurrent participants.

We recommend one of the following server configurations:

Configuration  CPU Cores        RAM    Storage        Network
Small          Up to 16 cores   8 GB   40 GB SSD/HDD  1 Gbps
Medium         Up to 48 cores   16 GB  40 GB SSD/HDD  2.5 Gbps
Large          Up to 128 cores  32 GB  40 GB SSD/HDD  10 Gbps

Additional Requirements:

  • Public IPv4 address accessible from the Internet

  • Physical or virtualized server


Firewall Configuration

Configure the firewall to allow the following incoming traffic:

Protocol  Port(s)      Source         Purpose
TCP       80           ALL            Let’s Encrypt HTTP-01 challenge (if applicable)
TCP       3443         192.108.23.57  HTTPS/WSS (management server)
TCP       40250-40499  ALL            DTLS/SRTP/SRTCP (Media)
UDP       40250-40499  ALL            DTLS/SRTP/SRTCP (Media)
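
One way to express this table as a host firewall, as an added example that is not part of the original instructions: the shell function below prints an nftables ruleset with a default-drop input chain. The function name, the table name edumeet_media and the SSH rule on port 22 are assumptions; this page does not specify them.

```shell
#!/bin/sh
# Added example (not from the eduMEET/HIFIS docs): print an nftables ruleset
# for the incoming-traffic table above. Review, then load:
#   media_node_ruleset | sudo nft -c -f -    # check only, changes nothing
#   media_node_ruleset | sudo nft -f -       # apply
# With --network host the container has no NAT or published ports, so the
# host's input hook is what filters traffic to the media node.

# Args: [management-ip] [rtc-min] [rtc-max] [ssh-port]; the body runs in a
# subshell so the variables stay local and "exit" only ends the function.
media_node_ruleset() (
  mgmt_ip=${1:-192.108.23.57}      # management server address from the table
  rtc_min=${2:-40250}              # matches --rtcMinPort
  rtc_max=${3:-40499}              # matches --rtcMaxPort
  ssh_port=${4:-22}                # assumption: admin SSH; not on the page

  # Refuse anything that is not a single IPv4 address (no CIDR, no "ALL"),
  # so a typo cannot silently widen access to the management port.
  case $mgmt_ip in *[!0-9.]*) echo "bad management IP" >&2; exit 1 ;; esac
  printf '%s\n' "$mgmt_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
    { echo "bad management IP" >&2; exit 1; }
  for p in "$rtc_min" "$rtc_max" "$ssh_port"; do
    case $p in ''|*[!0-9]*) echo "bad port: $p" >&2; exit 1 ;; esac
  done
  [ "$rtc_min" -ge 1 ] && [ "$rtc_min" -le "$rtc_max" ] &&
    [ "$rtc_max" -le 65535 ] || { echo "bad port range" >&2; exit 1; }

  cat <<EOF
add table inet edumeet_media
delete table inet edumeet_media
table inet edumeet_media {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    meta l4proto { icmp, ipv6-icmp } accept
    tcp dport $ssh_port accept
    tcp dport 80 accept
    ip saddr $mgmt_ip tcp dport 3443 accept
    tcp dport $rtc_min-$rtc_max accept
    udp dport $rtc_min-$rtc_max accept
  }
}
EOF
)
```
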

SSL/TLS Certificate Requirements

Important: Each media node operator must provide their own SSL/TLS certificate for secure communication.

For automated certificate management, you can use Certbot:

# Install Certbot
sudo apt install certbot

# Obtain certificate (standalone mode - requires port 80 to be free temporarily)
# <fully-qualified-domain-name>, e.g. letsmeet-media.your-helmholtz-center.de
sudo certbot certonly --standalone -d <fully-qualified-domain-name>

# Test renewal and ensure the Docker container picks up the new certificate via Post-Hook
# Once this dry run succeeds, the hook is saved in the renewal config
sudo certbot renew --dry-run --post-hook "docker restart edumeet-media-node"

# Certificates will be stored in:
# /etc/letsencrypt/live/<fully-qualified-domain-name>/fullchain.pem
# /etc/letsencrypt/live/<fully-qualified-domain-name>/privkey.pem

Deploying the Media Node Container

Prerequisites

  • Docker or Podman installed

  • Public IPv4 address configured

  • Firewall rules applied (see above)

  • SSL certificate and key files prepared (see above)

Docker Run Command

docker run -d \
  --name edumeet-media-node \
  --restart unless-stopped \
  --network host \
  --security-opt seccomp=unconfined \
  -v /etc/letsencrypt/live/<fully-qualified-domain-name>:./certs:ro \
  edumeet/edumeet-media-node:<edumeet-image-tag> \
  DEBUG="mediasoup:WARN*" \
  --listenPort 3443 \
  --rtcMinPort 40250 \
  --rtcMaxPort 40499 \
  --ip <public-ipv4-address> \
  --secret <secure-random-string> \
  --announcedIp <public-ipv4-address> \
  --cert ./certs/fullchain.pem \
  --key ./certs/privkey.pem

Notes:

  • Replace <edumeet-image-tag> with the actual image reference (e.g., 4.2-20260417-stable)

  • The --network host flag is required for proper media port handling

  • --security-opt seccomp=unconfined is necessary for mediasoup functionality

  • Use --restart unless-stopped to ensure the container survives system reboots

  • --cert and --key parameters point to the certificate and key files inside the container

  • <secure-random-string> is a shared secret provided to you


Maintenance & Operations

Support Contacts

Purpose                 Contact
Joining the federation  hifis-admins@lists.dkfz.de
Technical support       support@hifis.net

Media Node Operator FAQ

Q: Can I operate a media node without joining the federation?
A: No. Media nodes are designed to work as part of the federated infrastructure. Contact hifis-admins@lists.dkfz.de to participate.

Q: What happens if my media node goes offline?
A: Participants are automatically rerouted to other available nodes in the federation. Ensure high availability for production use.

Q: Do I need to manage eduMEET media node updates?
A: Yes. The <edumeet-image-tag> must be kept in sync within the federation. We will notify you accordingly if a new image needs to be pulled for the eduMEET media node.

Q: Can I customize the media node configuration?
A: Core configuration is managed centrally. Contact support@hifis.net for special requirements.