diff --git a/Apache-Guacamole-managed-by-EGroupware.md b/Apache-Guacamole-managed-by-EGroupware.md
index 3e4d09c..dc4cff6 100644
--- a/Apache-Guacamole-managed-by-EGroupware.md
+++ b/Apache-Guacamole-managed-by-EGroupware.md
@@ -47,4 +47,19 @@ tcp        0      0 172.17.0.1:3306         0.0.0.0:*               LISTEN
 ```
 docker logs -f guacamole
 ```
-* enable OpenID Connect request log in EGroupware (Administration > Applications > OpenID Connect / OAuth > Request log)
\ No newline at end of file
+* enable OpenID Connect request log in EGroupware (Administration > Applications > OpenID Connect / OAuth > Request log)
+* if Guacamole can not talk to EGroupware (because your firewall is blocking access from inside to the external IP / NAT traversal), you can set the docker0 IP for the external hostname by uncommenting the following in /etc/egroupware-guacamole/docker-compose.yaml (be careful as indention by space is important in YAML files!)
+```
+    # set the ip-address of your docker host AND your official DNS name so Guacamole
+    # can access EGroupware without the need to go over your firewall
+    extra_hosts:
+    - "example.org:172.17.0.1"
+```
+After uncommenting and replacing example.org with your actual domain you need to recreate the container:
+```
+cd /etc/egroupware-guacamole
+docker-compose stop guacamole
+docker-compose rm -f guacamole
+docker-compose up -d guacamole
+```
+* Guacamole requires a websocket connection! If you use your firewall or something else to terminate https (eg. a Synology), you have to configure it to proxy websockets too! Use developer tools of your browser an check for failed websocket messages on the console or pending websockets in the network tab.
\ No newline at end of file