Intel® Collaboration Suite for WebRTC
Community support and discussions on the Intel® Collaboration Suite for WebRTC (Intel® CS for WebRTC).
Announcements
Welcome to the Intel Community. If you get an answer you like, please mark it as an Accepted Solution to help others. Thank you!
For the latest information on Intel’s response to the Log4j/Log4Shell vulnerability, please see Intel-SA-00646
1136 Discussions

Deploy STUN server in Demilitarized Zone(DMZ) area?

Chandramouli_P
Beginner
431 Views

Hello Team,

As I noticed, application (client side) is not interacting and not dealing with STUN/TURN server directly. webrtc_agent is interacting with STUN/TURN server in the framework. So, I think that we no need to assign public IP address to STUN/TURN server. Can I deploy STUN/TURN server in Demilitarized Zone(DMZ) area with respect to Intel CS for WebRTC? Do I need to must assign public IP address to STUN/TURN server?

Thank you.

Best Regards,
Chandramouli.

0 Kudos
1 Solution
Lei_Z_Intel1
Employee
431 Views

Hi, Chandramouli

MCU server only support STUN server, clients can support both STUN and TURN server. We don't restrict where STUN/TURN server put, but it should have public IP to act for NAT traversal capability.

 

 

View solution in original post

8 Replies
Chandramouli_P
Beginner
431 Views

Hello Team,

I tried giving the private IP address of STUN/TURN server in webrtc_agent/agent.toml file and working fine. Is it the correct approach to hide the STUN/TURN server from the public?

Thank you.

Best Regards,
Chandramouli.

Xiande_D_Intel
Employee
431 Views

In Intel CS for WebRTC, STUN/TURN server is supposed to help clients to build the peerconnection, not for the server(webrtc-agent).

Chandramouli_P
Beginner
431 Views

Hello Xiande,

Thank you for your reply. Do you mean, If we use MCU/SFU, we no need to use/depend on STUN/TURN server? Please clarify. For your information, we deployed our MCU server in AWS.

Thank you.

Best Regards,
Chandramouli.

Chandramouli_P
Beginner
431 Views

Hello Xiande,

I tried MCU with out using STUN/TURN server and didn't work. So, we need STUN/TURN server to work with MCU. But, my question is STUN/TURN server requires public IP address or not? If not required, I will put STUN/TURN server in Demilitarized Zone(DMZ).

Any update would be appreciated. Thank you.

Best Regards,
Chandramouli.

Xiande_D_Intel
Employee
431 Views

It depends on where your client devices locate, If clients outside needs to access to conference behind DMZ, then your STUN/TURN server needs to be deployed in DMZ.

 

Chandramouli_P
Beginner
431 Views

Hello Xiande,

Thanks for your reply. I believe that there is some communication gap in explaining my query. Obviously, end users (clients) may or may not behind the NAT and can assume that end users (client) connects from outside of the network. I am just simply following the "Security Recommendations" in official Conference server documentation. Please find my below queries:

1) According to the diagram in the documentation, where I can put our STUN/TURN server? Do you want me to deploy along with RabbitMQ, MongoDB servers OR along with Manager and worker servers?

2) If you want me to deploy STUN/TURN server along with Manager and worker servers, Do I need to must assign the public IP address to STUN/TURN server? Because, As I explained in my first post, I had given private IP address of the STUN/TURN server in webrtc_agent/agent.toml file and worked successfully. Please clarify.

Thank you.

Best Regards,
Chandramouli.

Lei_Z_Intel1
Employee
432 Views

Hi, Chandramouli

MCU server only support STUN server, clients can support both STUN and TURN server. We don't restrict where STUN/TURN server put, but it should have public IP to act for NAT traversal capability.

 

 

View solution in original post

Chandramouli_P
Beginner
431 Views

Hello Lei Zhai,

Thank you for your reply and information.

Best Regards,
Chandramouli.

Reply