diff --git a/docker-compose.kwmbridge-dnat.yml b/docker-compose.kwmbridge-dnat.yml
index c5d5616..26aca5c 100644
--- a/docker-compose.kwmbridge-dnat.yml
+++ b/docker-compose.kwmbridge-dnat.yml
@@ -16,7 +16,8 @@ services:
 environment:
 - INSECURE=${INSECURE}
 - oidc_issuer_identifier=https://${FQDN}
- - kwm_server_urls=https://${FQDN}
+ - kwm_server_urls=http://kwmserver:8778
+ #- kwm_server_urls=https://${FQDNCLEANED}:8443
 - use_nat_1to1_ips=${PUBLICIP}
 - use_nat_1to1_candidate_type=host
 - ice_udp_port_range=65435:65535
diff --git a/docker-compose.kwmbridge.yml b/docker-compose.kwmbridge.yml
index 0c12bed..232566b 100644
--- a/docker-compose.kwmbridge.yml
+++ b/docker-compose.kwmbridge.yml
@@ -1,6 +1,9 @@
 version: "3.5"
 services:
+ web:
+ ports:
+ - "8443:8443" # this port should be firewalled off so that only known instances of kwmbridge can connect tot it
 kopano_kwmserver:
 environment:
 - enable_mcu_api=yes
@@ -14,7 +17,7 @@ services:
 environment:
 - INSECURE=${INSECURE}
 - oidc_issuer_identifier=https://${FQDN}
- - kwm_server_urls=https://${FQDN}
+ - kwm_server_urls=https://${FQDNCLEANED}:8443
 env_file:
 - kopano_kwmbridge.env
 volumes:
diff --git a/web/kweb.cfg b/web/kweb.cfg
index d83a6c9..516a459 100644
--- a/web/kweb.cfg
+++ b/web/kweb.cfg
@@ -137,6 +137,10 @@ to /upstreams/kwmserver/{path}
 }
+ # block access to internal endpoints
+ internal /upstreams/kwmserver/api/kwm/v2/admin
+ internal /upstreams/kwmserver/api/kwm/v2/mcu
+
 proxy /meet/ {%KWEBD_DNS_MEET%}:9080 {
 fail_timeout 10s
 try_duration 30s
@@ -247,3 +251,22 @@ import /etc/kweb-extras/*
 }
+
+{%FQDN%}:8443 {
+ log stdout
+ errors stdout
+
+ gzip
+ header / Server kweb
+
+ # tls settings. defaults to tls_auto
+ import /etc/{%TLS_MODE%}
+
+ # serve static content from /var/www/
+ root /var/www/
+
+ proxy /api/kwm/v2/mcu/ {%KWEBD_DNS_KWMSERVER%}:8778 {
+ websocket
+ transparent
+ }
+}
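Review bot: The dnat variant now points kwmbridge at `http://kwmserver:8778` directly, while docker-compose.kwmbridge.yml in the same commit goes through the TLS listener on 8443, and the dead `#- kwm_server_urls=https://${FQDNCLEANED}:8443` line leaves a reader guessing which form is intended and when. Add a comment stating the assumption, e.g. `# kwmbridge shares the compose network with kwmserver in this setup, so the internal plaintext endpoint is used; use the https://...:8443 form when kwmbridge runs on another host`, or drop the commented line. Plain HTTP on 8778 is only acceptable as long as that Compose network is not reachable from outside the host; whether the dnat setup is meant to host kwmbridge elsewhere is not visible in this diff, but if it is, the https line should be the live one.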
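Review bot: The new `web.ports` entry `"8443:8443"` publishes the port on every host interface, and the inline advice to firewall it is weaker than it sounds: Docker places published-port rules in its own FORWARD/DOCKER chains, so INPUT-chain rules (and front-ends that only manage INPUT, such as ufw) do not cover them; host rules for published ports belong in the DOCKER-USER chain. If the known kwmbridge instances reach this host over one specific interface, bind the publication to that address, e.g. `- "<listen-ip>:8443:8443"` with `<listen-ip>` as a placeholder for the real address, so the default-route interface never exposes it. The comment also has a typo, `connect tot it` → `connect to it`, and would be clearer as `# 8443 is the kwmbridge-only listener; restrict it in DOCKER-USER to the addresses of known kwmbridge hosts`.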
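Review bot: `kwm_server_urls=https://${FQDNCLEANED}:8443` introduces `FQDNCLEANED`, which nothing else in this diff sets; if it is missing from the environment or `.env`, Compose expands it to an empty string and kwmbridge is handed `https://:8443`, which only fails later and not obviously. Use the fail-fast form `- kwm_server_urls=https://${FQDNCLEANED:?FQDNCLEANED must be set}:8443`, or document next to the line which `.env` key supplies the value (that file is not visible here). The commented-out line in docker-compose.kwmbridge-dnat.yml has the same dependency.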
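Review bot: The two new `internal` lines block `/upstreams/kwmserver/api/kwm/v2/admin` and `.../mcu`, but nothing records that they only work because of the rewrite whose `to /upstreams/kwmserver/{path}` target shows in the hunk header, so a later edit to that rewrite could silently reopen the admin API on the public vhost. Add above them `# requests rewritten to /upstreams/kwmserver/... land here; the admin and mcu APIs must never be reachable through the public vhost, only via the dedicated 8443 listener`. As I recall, Caddy v1 applies directives in a fixed order (rewrite before internal, internal before proxy) rather than file order, and `internal` matches by path prefix case-insensitively, so variants such as `.../mcu2` are also blocked; that is worth a line in the comment, and worth an external check after deploy that `/api/kwm/v2/admin` returns 404 on the public vhost. The enclosing server block starts and ends outside this hunk.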
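Review bot: The new `{%FQDN%}:8443` vhost sets `root /var/www/`, so every path other than `/api/kwm/v2/mcu/` on a listener meant only for kwmbridge serves the full static tree, surface it does not need. Point `root` at an empty directory (placeholder: `root /var/www-empty/`, choose the real path) or, if `/var/www/` is deliberate, say why: `# root is set only so unmatched requests do not fall back to the process working directory, which I believe is Caddy v1's default`. The listener has no access control at kweb level and relies entirely on the firewall advice in docker-compose.kwmbridge.yml; if the kwmbridge instances can carry certificates, Caddy v1's `tls` block supports a `clients` option for client-certificate verification, which would make "known instances" something the proxy enforces rather than a deployment note. Whether kwmserver authenticates the MCU API on 8778 itself is not visible here.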