Proxy & Two TURN servers, or just one?

[Marc Bakos]

Hi - we're building an application (oh how nice!). It's been going great, through we have some issues.. 

We're having difficulties when two peers are behind proxy NAT's. I understand our STUN server should pass the relevant information to the TURN server to then start relaying data from both peers. This has worked with basic NAT firewalls (home routers), though not much luck with business grade firewalls.. 

I have two questions;

1. Will the TURN server pass data over a users HTTPS proxy firewall? Ie, only via 443/80? We're having difficulties with users that are behind business grade firewalls, which only pass through secure/web data. 

2. Will the TURN server decide the best port for traffic to pass through on? We see that a link is established on our log, though we don't see any audio data being relayed (audio app only)? Do we need two TURN servers to establish a link with each other? We're not sure what the best way is to configure the ICE/STUN/TURN environment. 

Kind Regards

[Emil Ivov]

On Tue, Feb 10, 2015 at 12:05 PM, Marc Bakos <marc....@gmail.com> wrote:
> Hi - we're building an application (oh how nice!). It's been going great,
> through we have some issues..
>
> We're having difficulties when two peers are behind proxy NAT's. I
> understand our STUN server should pass the relevant information to the TURN
> server to then start relaying data from both peers.

Just to make sure there's no misunderstanding here:

You can look at a STUN server as a kind of a subset for a TURN server.
In other words, you can either have a server that is both STUN and
TURN, or you can have one that is STUN only.

You can't really have a STUN-only server passing information to a
TURN-only server. If you have already been able to relay media through
a server then that was a TURN server (with STUN capabilities).

> This has worked with
> basic NAT firewalls (home routers), though not much luck with business grade
> firewalls..

The main difference between between enterprise and residential
firewalls is their policy on allowing UDP traffic. Enterprise
firewalls often don't.

To make sure you work with those you simply need to make sure that
your TURN server has support for TLS and (for best results) make it
available ont port 443.

> I have two questions;
>
> 1. Will the TURN server pass data over a users HTTPS proxy firewall? Ie,
> only via 443/80? We're having difficulties with users that are behind
> business grade firewalls, which only pass through secure/web data.

Not all TURN servers will do that. You have to make sure that yours
supports it (I know restund does it quite well. Others too) and that
is configured to run on port 443.

> 2. Will the TURN server decide the best port for traffic to pass through on?

Sort of. Not the server though.

First you have to make sure that you have configured your TURN server
to listen on the ports that you want it to. In addition to port 443
for TCP traffic you may also want to setup a UDP listening point as
well.

The clients will then try to use both of the above and they will be
the ones that choose which port to go through (depending on which one
worked).

> We see that a link is established on our log, though we don't see any audio
> data being relayed (audio app only)?
> Do we need two TURN servers to
> establish a link with each other?

No you don't need to support TURN servers. You may

> We're not sure what the best way is to
> configure the ICE/STUN/TURN environment.

Hope this helps a bit,
Emil

--
https://jitsi.org

[Nazmus Shakeeb]

>>1. Will the TURN server pass data over a users HTTPS proxy firewall? Ie, only via 443/80? We're having difficulties with users that are behind business grade firewalls, which >>only pass through secure/web data.

TURN server never uses HTTP or HTTPS protocol. But it can listen to any port to relay data. You can configure TURN server listening on port 80 or 443.

Then client will communicate using TURN protocol with the port 80 or 443 of TURN server. Firewall may allow the traffic as it uses port 80 or 443.

But not all business grade firewalls have such weak security. WebRTC client can not relay using http-proxy.

 

>>2. Will the TURN server decide the best port for traffic to pass through on? We see that a link is established on our log, though we don't see any audio data being relayed

>>(audio app only)? Do we need two TURN servers to establish a link with each other? We're not sure what the best way is to configure the ICE/STUN/TURN environment.

TURN server will not decide the best port.

You don't need two TURN server. One will do.

You may get some hints from http://www.anyfirewall.com

Can you make call using your business grade firewall from  http://www.anyfirewall.com  or https://apprtc.appspot.com/   ?

[Simon Perreault]

On Wed, Feb 11, 2015 at 4:42 AM, Nazmus Shakeeb <sha...@eyeball.com> wrote:

>>1. Will the TURN server pass data over a users HTTPS proxy firewall? Ie, only via 443/80? We're having difficulties with users that are behind business grade firewalls, which >>only pass through secure/web data.

TURN server never uses HTTP or HTTPS protocol. But it can listen to any port to relay data. You can configure TURN server listening on port 80 or 443.

Then client will communicate using TURN protocol with the port 80 or 443 of TURN server. Firewall may allow the traffic as it uses port 80 or 443.

But not all business grade firewalls have such weak security. WebRTC client can not relay using http-proxy.

Well, there's nothing preventing the client from using the HTTP CONNECT method to establish a TCP connection to the TURN server. When using TLS on port 443, it looks just like any other HTTPS connection from the proxy's point of view.

Unless the CONNECT method is also blocked...

Simon