Using a reverse proxy and TURN server with Infinity Connect
In Pexip Infinity deployments, all Pexip Infinity Connect clients use HTTPS for the call signaling connections towards Conferencing Nodes.
However, in some Pexip deployments these clients cannot communicate directly with Pexip Conferencing Nodes, for example in on-prem deployments where the Pexip platform is located on an internal enterprise LAN while the clients are located in public networks on the Internet. In these cases it is common to deploy a reverse proxy application in the environment. This is an application which can proxy HTTP and HTTPS traffic from an externally-located client to a web service application located on the internal network (in our case, a Pexip Conferencing Node). A reverse proxy can also be referred to as a load balancer.
In addition to providing HTTP/HTTPS connectivity between external Pexip clients and internal Conferencing Nodes, a reverse proxy can also be used for hosting customized Infinity Connect Web App content.
In deployments such as the ones described above, the reverse proxy provides for HTTPS call signaling connectivity between Infinity Connect clients and Conferencing Nodes. However, as the reverse proxy does not handle media, a TURN server is also required to ensure audio/video connectivity between the clients and the Conferencing Nodes.
A TURN server is a media relay/proxy which allows peers to exchange UDP or TCP media traffic whenever one or both parties are behind NAT. When Conferencing Nodes are deployed behind NAT, these nodes instruct the WebRTC client to send its media packets to the TURN server, which forwards (relays) the packets to the Conferencing Nodes. Since this TURN server is normally located outside of the enterprise firewall, the Conferencing Node constantly sends media packets to it to "punch holes" in the firewall. The firewall then classifies the media packets that the TURN server relays back to the Conferencing Node as return traffic and allows them through.
Pexip's Infinity Connect WebRTC clients (the desktop client; Web App for Chrome, Firefox and Opera; and mobile clients for iOS and Android) use ICE (Interactive Connectivity Establishment) to negotiate optimal media paths with Conferencing Nodes. Microsoft Lync and Skype for Business clients use a similar ICE mechanism, which means that Pexip can use TURN for all of these client types.
Infinity Connect clients on Internet Explorer and Safari browsers use the RTMP protocol, rather than WebRTC. While RTMP clients can connect to Conferencing Nodes via the reverse proxy, they cannot establish audio/video paths to Pexip Infinity via a TURN server. To establish audio/video media connectivity, RTMP clients need a direct TCP connection to a Conferencing Node.
Note that Microsoft Edge browsers (which are WebRTC-compatible) cannot currently use STUN and thus cannot send media to Pexip Infinity via a TURN server.
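The relay path described above can be checked from the ICE candidates that are exchanged during call setup. The following is an added example, not Pexip code: it assumes the candidates appear as standard `a=candidate` SDP lines, and the sample addresses, the function names and the expected TURN address are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: candidate lines a Conferencing Node behind NAT could
# advertise. Addresses are RFC 1918 / RFC 5737 documentation values.
SAMPLE_SDP = """\
m=audio 40000 RTP/SAVPF 111
a=candidate:1 1 udp 2130706431 10.0.0.15 40000 typ host
a=candidate:2 1 udp 16777215 198.51.100.10 49200 typ relay raddr 10.0.0.15 rport 40000
"""

# Core of the candidate attribute grammar (RFC 8839, section 5.1).
CANDIDATE_RE = re.compile(
    r"^a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<address>\S+) (?P<port>\d+) typ (?P<type>\w+)"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_candidates(sdp):
    """Return one dict per a=candidate line; other SDP lines are ignored."""
    found = []
    for line in sdp.splitlines():
        m = CANDIDATE_RE.match(line.strip())
        if m:
            found.append(m.groupdict())
    return found

def is_internal(address):
    """True for RFC 1918 addresses, which an Internet client cannot route to."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:  # mDNS names or other non-literal addresses
        return False
    return any(ip in net for net in RFC1918)

def media_path_report(sdp, turn_address):
    """Summarise whether an external client has a media path via the TURN server."""
    cands = parse_candidates(sdp)
    relays = [c for c in cands if c["type"] == "relay"]
    return {
        "types": sorted({c["type"] for c in cands}),
        "relay_via_expected_turn": any(c["address"] == turn_address for c in relays),
        "externally_routable": [c["address"] for c in cands
                                if not is_internal(c["address"])],
    }

if __name__ == "__main__":
    print(media_path_report(SAMPLE_SDP, "198.51.100.10"))
```

A report with no relay candidate on the expected TURN address and an empty `externally_routable` list means signaling can succeed through the reverse proxy while external clients still get no audio or video.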
Depending on the network topology, the reverse proxy can be deployed with one or two network interfaces in various configurations:
- Single NIC, public address (see Example deployment: single NIC on public address)
- Dual NIC, private and public addresses (see Alternative dual NIC reverse proxy/TURN server deployment)
In deployments with more than one Conferencing Node, the reverse proxy can load-balance HTTPS traffic between all Conferencing Nodes using a round-robin algorithm.
For more information about using a reverse proxy, see Pexip Reverse Proxy and TURN Server.