
Issue 769997

Starred by 8 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Feature




[FR] WebRTCUdpRangePolicy available as Device Setting

Project Member Reported by jgodinez@chromium.org, Sep 28 2017

Issue description

Description:

This feature was implemented as a user setting aiming to be available through all the platforms as per: crbug.com/342476. However, kiosk and public session were left out of the scope.

Add a configuration option to limit the ports used by WebRTC UDP traffic for Chrome devices running in kiosk mode. Presumably, this would fall under Admin->Device management->Chrome management->Device settings.


Use case:
In highly restrictive network environments the firewall administrator limits the ports allowed for traffic. We need to be able to configure the ports used by WebRTC for Chrome devices running in kiosk mode. 
An administrator would go to Admin->Device management->Chrome management->Device settings, and then select the sub-organization requiring the setting. 
Presumably, the option would fall under the "Other" section. From there, the administrator would define the range of ports allowed for WebRTC UDP traffic. This feature would work as others do and allow overriding settings which were defined higher in the organizational tree. 
Saving the data might validate that the port range is valid.


Motivation:
We are deploying Chrome-based devices in kiosk mode running a custom app. The app utilizes WebRTC for communication. As we deploy devices in more and more facilities, we are running into situations where the firewall configuration is highly restrictive. The firewall administrator requires that we supply a range of ports that we will use to communicate with peers on the Internet. Of course, WebRTC does not define a specific port or range of ports. We need to be able to limit the ports used for WebRTC UDP traffic to a range that can be defined by the firewall administrator. We discovered an existing solution for Chrome which allows the WebRtcUdpPortRange to be configured via policy, but it is a user-level policy which is only available when a user is logged in. Having the ability to configure a port range for kiosk-mode devices would allow us to satisfy the firewall administrator's desire to limit traffic to an approved port range. 
It would seem that this feature is *mostly* implemented since Chrome already supports WebRTC port range restrictions. The required implementation would be in updating the Chrome management console and the methodology for delivering the setting to the devices. At least that is my assumption.


Existing workarounds:
Presumably, we could NOT run our devices in kiosk mode and configure a user-based policy (WebRtcUdpPortRange) to limit the port range. However, this is undesirable as the approach loses some of the inherent simplicity and security of running Chrome devices in kiosk mode.
 

Comment 1 by ryutas@chromium.org, Sep 29 2017

Cc: jayhlee@chromium.org
Labels: Hotlist-Enterprise
Case#: 13615204
Status: Available (was: Untriaged)
Owner: sduraisamy@chromium.org
+Raj due to PS/Kiosk context.

This has been split off bug 342476.
As I assume WebRTC is not active before user session start / public session start / kiosk app start, it could be enough to set the user policy for the kiosk app / public session[1]. This would be a CPanel-only change then.

[1] Note that kiosk and public session are both "device-local accounts" which also get cloud policy.
Cc: pmarko@chromium.org
Status: Assigned (was: Available)
