Direct media (end-to-end encrypted calls)

Pexip's direct media feature enables end-to-end encrypted calls. When enabled in a VMR, it provides non-transcoded, encrypted, point-to-point calls between any two WebRTC-based participants.

The same VMR can still be used to host conferences with more than two participants, and with different endpoints and call protocols such as SIP and H.323. However, in these cases, the VMR automatically reverts to Pexip Infinity's standard behavior, which is where each conference participant's call media is transcoded and sent via a Conferencing Node.

This topic covers:

How it works

In a direct media call, the two participants negotiate the encryption keys directly with each other. All call signaling is still handled by the Conferencing Node; only the call media is sent directly between the participants:

Direct media call (two WebRTC participants)

Only two WebRTC participants (typically using the Connect apps) can participate in a direct media call.

If additional participants join the conference (using any call protocol such as WebRTC or SIP for the additional participants) the call is escalated to a standard, transcoded call with media sent via Conferencing Nodes, and is no longer a direct media call:

Transcoded media call (escalated for a third participant)

What's noteworthy?

When enabling this feature on a VMR, note that:

  • If the first person to join a direct-media-enabled VMR is a WebRTC participant, they join as a direct media participant immediately and do not get the full set of theme-based splash screens and audio notifications that you would normally get when joining a standard, transcoded call. Instead, they see a "Welcome" or "Waiting for the host" screen until the second participant joins and the media connection is established.
  • If a direct media conference is escalated to a transcoded call:

    • In conference history, the original participants are shown as being transferred to a new call, and new participant history records are created for the new call.
    • If the call de-escalates back to two WebRTC participants then it becomes a direct media call again (with new participant history records again).
  • Presentation / screen sharing, and chat is supported (via the direct media connection). 4k presentation sharing is supported, subject to bandwidth/browser constraints (note that on Chrome and Edge browsers the person sharing has to have their browser active on the 4k monitor to achieve the full outgoing resolution).
  • All of the standard authentication methods for joining the VMR are supported.
  • If a VMR is also configured with an Automatically Dialed Participant (ADP) then the VMR will always use transcoded calls.
  • A Conferencing Node can support a maximum of 5,000 concurrent signaling connections for direct media calls.
  • Within the Connect app, each user can view a Secure check code. Both users should see the same code, proving that media is not being sent via (and transcoded by) a Conferencing Node. To view the check code:

    • In Connect Webapp3, from within your self-view window, select Connection quality.
    • In Connect Webapp2, select Control and then select Get media stats.
  • When using the Administrator interface to monitor calls:
    • When viewing the conference graph, a direct media line is shown between the two participants, plus the signaling connections to the Conferencing Node:

    • Participant media and call quality statistics are available in the current and historic participant status pages.

Enabling direct media on a VMR

Direct media is configurable on a per-VMR basis, and is disabled by default. To enable direct media on a VMR:

  1. Go to the required VMR (Services > Virtual Meeting Rooms).
  2. Expand the Advanced options section.
  3. Set Enable direct media to Best effort. (Use Never to disable direct media.)
  4. Optionally, set the Direct media notification duration to the number of seconds to display any escalation or de-escalation notifications to participants. The notifications are shown as toasts on top of the main conference video.
  5. Save your changes.

Media relay via a TURN server

In some network topologies, for example if the Connect apps are behind a NAT or have firewall restrictions, they may not be able to establish a direct connection between each other. To overcome this, the clients may need to use a TURN server to relay media between each other.

When using direct media we strongly recommend for enhanced security that you use your own dedicated TURN server that is located in your DMZ.

To use a TURN server to relay media:

  1. Install your TURN server in your DMZ.

    We recommend using the Pexip TURN server (see Pexip Reverse Proxy and TURN Server), configured in permissive mode. If you use an alternative TURN server it must be a Coturn implementation.

  2. Configure Pexip Infinity to use that TURN server (Call control > TURN servers).

  3. Configure your system locations with the Client TURN servers to provision to the WebRTC clients (Connect app):

      1. Go to Platform > Locations.
      2. Select the Conferencing Node's location.
      3. Select your Client TURN servers (the TURN server you have installed for direct media).
      4. Optionally, you can select Enforce media routing via a client TURN server if you want to force the WebRTC client to route its media through one of the specified client TURN servers.
      5. Select Save.
      6. Repeat for other locations as necessary.

      When a WebRTC client connects to a Conferencing Node in that location, the Conferencing Node will provide it with the details of the nominated TURN servers. These TURN servers may be used by the client to provide a media connectivity path if it cannot make a direct media connection to another client.

Customization and branding

Direct media calls can be customized and branded in the same way as standard transcoded calls.

Customizing the Connect web app

See Customizing and branding the Connect apps for details about applying branding and styling customizations to the Connect apps.

Customizing the in-call experience (themes)

The in-call experience provided by the splash screens and messages that are seen by the participants can be branded and customized in the usual way by uploading your own theme and assigning it the relevant services. See Rules and requirements for customized themes for details about how to create and upload your customized theme.

However, in a direct media call, only a limited number of splash screens and message labels are used:

  • The following splash screens are used:

    • "direct_media_welcome"
    • "direct_media_waiting_for_host"
    • "direct_media_other_participants_audio_only"
    • "direct_media_escalate"
    • "direct_media_deescalate"
  • The following label keys are used:

    • "welcome": "Welcome"
    • "waiting_for_host": "Waiting for the host..."
    • "other_participants_audio_only": "The other participants are audio only"
    • "direct_media_escalate": "You are about to be transferred into a multi-party conference"
    • "direct_media_deescalate": "You are about to be transferred into a one-to-one call"

Note that:

  • The background image file (background.jpg by default) used for each screen can be customized in the theme in the standard way.
  • The "direct_media_escalate" and "direct_media_deescalate" splash screens are provided for bespoke client development via the client APIs. Within the Connect web apps, the notifications are shown as toasts on top of the main conference video.

See Splash screens and Default label keys and usage for details about the specific splash screens and labels, respectively.

Example: changing the notification messages

This shows some example contents of a themeconfig.json file that would change the text of the escalation and de-escalation notifications:

  "theme_version": 2,
  "splash_screens": {
    "labels": {
      "direct_media_escalate": "Additional participants are joining. Transferring to a transcoded call",
      "direct_media_deescalate": "Transferring to a direct media call"