Intel® Collaboration Suite for WebRTC
Community support and discussions on the Intel® Collaboration Suite for WebRTC (Intel® CS for WebRTC).

Deploy STUN server in Demilitarized Zone(DMZ) area?

Chandramouli_P
Beginner
1,165 Views

Hello Team,

As I noticed, application (client side) is not interacting and not dealing with STUN/TURN server directly. webrtc_agent is interacting with STUN/TURN server in the framework. So, I think that we no need to assign public IP address to STUN/TURN server. Can I deploy STUN/TURN server in Demilitarized Zone(DMZ) area with respect to Intel CS for WebRTC? Do I need to must assign public IP address to STUN/TURN server?

Thank you.

Best Regards,
Chandramouli.

0 Kudos
1 Solution
Lei_Z_Intel1
Employee
1,165 Views

Hi, Chandramouli

MCU server only support STUN server, clients can support both STUN and TURN server. We don't restrict where STUN/TURN server put, but it should have public IP to act for NAT traversal capability.

 

 

View solution in original post

0 Kudos
8 Replies
Chandramouli_P
Beginner
1,165 Views

Hello Team,

I tried giving the private IP address of STUN/TURN server in webrtc_agent/agent.toml file and working fine. Is it the correct approach to hide the STUN/TURN server from the public?

Thank you.

Best Regards,
Chandramouli.

0 Kudos
Xiande_D_Intel
Employee
1,165 Views

In Intel CS for WebRTC, STUN/TURN server is supposed to help clients to build the peerconnection, not for the server(webrtc-agent).

0 Kudos
Chandramouli_P
Beginner
1,165 Views

Hello Xiande,

Thank you for your reply. Do you mean, If we use MCU/SFU, we no need to use/depend on STUN/TURN server? Please clarify. For your information, we deployed our MCU server in AWS.

Thank you.

Best Regards,
Chandramouli.

0 Kudos
Chandramouli_P
Beginner
1,165 Views

Hello Xiande,

I tried MCU with out using STUN/TURN server and didn't work. So, we need STUN/TURN server to work with MCU. But, my question is STUN/TURN server requires public IP address or not? If not required, I will put STUN/TURN server in Demilitarized Zone(DMZ).

Any update would be appreciated. Thank you.

Best Regards,
Chandramouli.

0 Kudos
Xiande_D_Intel
Employee
1,165 Views

It depends on where your client devices locate, If clients outside needs to access to conference behind DMZ, then your STUN/TURN server needs to be deployed in DMZ.

 

0 Kudos
Chandramouli_P
Beginner
1,163 Views

Hello Xiande,

Thanks for your reply. I believe that there is some communication gap in explaining my query. Obviously, end users (clients) may or may not behind the NAT and can assume that end users (client) connects from outside of the network. I am just simply following the "Security Recommendations" in official Conference server documentation. Please find my below queries:

1) According to the diagram in the documentation, where I can put our STUN/TURN server? Do you want me to deploy along with RabbitMQ, MongoDB servers OR along with Manager and worker servers?

2) If you want me to deploy STUN/TURN server along with Manager and worker servers, Do I need to must assign the public IP address to STUN/TURN server? Because, As I explained in my first post, I had given private IP address of the STUN/TURN server in webrtc_agent/agent.toml file and worked successfully. Please clarify.

Thank you.

Best Regards,
Chandramouli.

0 Kudos
Lei_Z_Intel1
Employee
1,166 Views

Hi, Chandramouli

MCU server only support STUN server, clients can support both STUN and TURN server. We don't restrict where STUN/TURN server put, but it should have public IP to act for NAT traversal capability.

 

 

0 Kudos
Chandramouli_P
Beginner
1,164 Views

Hello Lei Zhai,

Thank you for your reply and information.

Best Regards,
Chandramouli.

0 Kudos
Reply