Firewall traversal on the Pexip Service

This guide describes the Pexip Cloud Service's firewall traversal solution: the security benefits of keeping your video systems behind the company firewall while registering endpoints and softclients to the Pexip Service, an easy method for assessing whether a corporate network is ready to register video systems to the Pexip Service, and the firewall configuration needed if network obstacles prevent that registration.

Security – firewall traversal

Historically, common practice has been to place video systems outside the company's firewall, on public IP addresses, because that was seen as the easiest way to enable video calls with other organizations and external bridging services. Such a deployment exposes the systems to a whole range of threats: an attacker can reach the device directly, compromise and take it over, and potentially eavesdrop on highly sensitive conversations, and any system on a public IP address is also vulnerable to denial-of-service attacks.

With the cloud service from Pexip there is no need to place endpoints on the public Internet. Instead, all Pexip registered endpoints and softclients sit inside the customer's private network, behind the existing firewall, and connect out from there. This gives easy and direct business-to-business video calling without compromising security, and it is made possible by Pexip's firewall traversal solution: Pexip registered endpoints and softclients automatically connect outwards, through the firewall, to Pexip Service points of presence (PoPs), establishing a trust relationship between the endpoints at the customer premises and the Pexip Service in the cloud. The connection is secured with TLS. Pexip protects the privacy of all calls by enabling, by default, encrypted signaling (SIP over TLS) and encrypted media (Secure Real-time Transport Protocol, SRTP) for all audio and video.

A further benefit of having your video systems both behind the company's firewall and at the same time registered to the Pexip Service is that the Pexip Cloud Service acts as a shield in front of your firewall. Pexip detects and filters incoming denial-of-service (DoS) attempts before they reach you, and through traffic monitoring, pattern recognition and filtering, the Pexip call control service is designed to identify suspect traffic patterns, fraud attempts, and violations of the terms of service and policy.

The purpose of a firewall is to control the IP traffic entering your network. Firewalls generally block unsolicited incoming requests, so any connection initiated from outside your network is dropped. However, firewalls can be configured to allow outgoing requests to certain trusted destinations and to allow the responses from those destinations back in. The Pexip firewall traversal solution relies on exactly this behaviour to enable secure communication between video devices on an internal network and the Pexip Service Network through any firewall.

The Pexip firewall solution keeps your network security infrastructure intact, so adding IP video capabilities requires no compromises elsewhere in your business operations. IT professionals can keep video conferencing systems secured behind the firewall and at the same time make them easier for others to call (they are communication devices, after all).

The only thing the customer needs to do is to permit a limited number of outbound connections, from inside to outside, to a small set of Pexip-owned IP addresses. The Pexip firewall solution never requires or allows an inbound connection through your firewall. The client/server architecture makes every connection outbound, just like other traffic on your network. These trusted, established connections are then maintained by a keepalive process (which also stops the firewall and NAT from expiring their state for the connection), and traffic from the Pexip Service Network to the customer network reuses these existing connections rather than opening new ones.
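The outbound-only model described above, as an added demonstration that is not Pexip's code. A constructed one-line-per-message protocol (REGISTER, PING/PONG, INVITE, ACK) stands in for SIP over TLS, a loopback listener stands in for a Pexip PoP, and the endpoint opens the single connection; the PoP answers keepalives and later delivers an incoming call on that same socket, while a fresh connection attempt towards the endpoint fails because nothing on the endpoint side ever listens. The message names, addresses and keepalive count are assumptions for the demo.

```python
import socket
import threading

# Added demonstration, not Pexip's code. A constructed one-line-per-message
# protocol stands in for SIP over TLS; only the traversal behaviour is real:
# the endpoint opens the one and only connection, and everything the service
# has to deliver to it (keepalive answers, a later incoming call) rides on
# that same socket. Loopback addresses replace the Pexip PoP and the NAT.


def pop_side(listener, keepalives_before_push, log):
    """Stand-in for a Pexip point of presence (PoP): accepts the endpoint's
    outbound connection and only ever talks back over it."""
    conn, peer = listener.accept()
    log["endpoint_as_seen_by_pop"] = peer   # behind a NAT this would be the NAT's address/port
    rf = conn.makefile("r", encoding="ascii")
    wf = conn.makefile("w", encoding="ascii")
    pings = 0
    try:
        for line in rf:
            msg = line.rstrip("\n")
            if msg == "REGISTER":
                wf.write("200 OK\n")
            elif msg == "PING":
                pings += 1
                wf.write("PONG\n")
                if pings == keepalives_before_push:
                    # An external party calls the endpoint. The PoP cannot open a
                    # connection towards it (the customer firewall drops inbound
                    # SYNs), so the INVITE is pushed down the existing connection.
                    wf.write("INVITE caller=external-party\n")
            elif msg == "ACK":
                break
            wf.flush()
    finally:
        rf.close()
        wf.close()
        conn.close()


def endpoint_side(pop_addr, keepalives):
    """Endpoint behind the customer firewall: connects outbound, never listens."""
    received = []
    with socket.create_connection(pop_addr) as s:
        local_addr = s.getsockname()
        rf = s.makefile("r", encoding="ascii")
        wf = s.makefile("w", encoding="ascii")
        wf.write("REGISTER\n")
        wf.flush()
        received.append(rf.readline().rstrip("\n"))
        for _ in range(keepalives):
            wf.write("PING\n")          # keepalive: refreshes firewall/NAT state too
            wf.flush()
            received.append(rf.readline().rstrip("\n"))
        # The incoming call arrives on the connection the endpoint itself opened.
        received.append(rf.readline().rstrip("\n"))
        wf.write("ACK\n")
        wf.flush()
        rf.close()
        wf.close()
    return local_addr, received


def inbound_connection_refused(endpoint_addr, timeout=1.0):
    """What a NEW connection from the service towards the endpoint gets:
    nothing is listening on the endpoint side (and a real firewall would
    drop the SYN before it got there), so the attempt fails."""
    try:
        with socket.create_connection(endpoint_addr, timeout=timeout):
            return False
    except OSError:
        return True


def run_demo(keepalives=3):
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    log = {}
    t = threading.Thread(target=pop_side, args=(listener, keepalives, log), daemon=True)
    t.start()
    endpoint_addr, received = endpoint_side(listener.getsockname(), keepalives)
    t.join(timeout=5)
    listener.close()
    return {
        "received": received,
        "endpoint_local_addr": endpoint_addr,
        "endpoint_as_seen_by_pop": log.get("endpoint_as_seen_by_pop"),
        "new_inbound_connection_refused": inbound_connection_refused(endpoint_addr),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On loopback the PoP sees the endpoint's real address and port; behind a NAT it would see the NAT's public mapping instead, which is precisely why the service must reuse the endpoint-initiated connection (kept alive by the PINGs) instead of dialling back.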

Pexip has exclusive ownership of every public IP address that we use. These IP addresses are not leased from or shared with any other organization; they have been allocated directly to us by the RIPE NCC (Réseaux IP Européens Network Coordination Centre), the regional Internet registry.

Firewall configuration


Only a limited number of ports and destination addresses need to be configured in the firewall to connect securely to the Pexip Cloud Video Service, and only in the outbound (inside-to-outside) direction.

Pexip understands that security is of the utmost importance and that customers need to be certain that they are actually communicating with Pexip. IP safelisting is one of the most effective methods of supporting this: restricting outbound video traffic to Pexip's published address ranges means an endpoint cannot be redirected (for example by a poisoned DNS answer) to an address outside those ranges. Note that safelisting only constrains where traffic may go; it is the certificate validation on the SIP TLS connection that authenticates the far end, so both controls should be in place.

IP safelisting can be enforced at several points in a customer's network, but the most common place is the firewall. When adding or updating IP safelisting, ensure that the IP restrictions on your firewall match the Pexip best practices described in this guide, and also safelist the appropriate Pexip Service domains (see Pexip's separate guidance on domain safelisting).

The Pexip firewall traversal solution is designed to work with all common types of firewall. The following NAT behaviours are supported (including symmetric NAT, the most restrictive, because the service only ever sends traffic back to the address and port mapping that the endpoint's own outbound packets created):

  • Symmetric NAT
  • Full Cone NAT
  • Restricted Cone NAT
  • Port Restricted Cone NAT

For a detailed description of Network Address Translation see the article at https://en.wikipedia.org/wiki/Network_address_translation.

The diagram below illustrates the recommended firewall setup to take advantage of the Pexip firewall traversal solution and benefit from our multiple datacenters in Europe, North America, Middle East, Asia and Oceania. Please note that the destination IP addresses are all Pexip controlled equipment.

Pexip recommends that customers safelist the entire set of IP ranges to prevent accidental service interruptions. With the whole set safelisted, endpoints can fail over to another Pexip datacenter during maintenance work or a service disruption, so neither causes unintentional downtime. Additional services introduced by Pexip will be staged within these IP ranges as well, so safelisting the entire set also future-proofs the customer to take immediate advantage of those services when they become available. Also ensure that the appropriate Pexip Service domains are safelisted (see Pexip's separate guidance on domain safelisting).

If your security policy requires a more restricted configuration, Pexip can advise on how to scope down the firewall rules: you can choose to open the firewall towards only one dedicated datacenter (a single IP address to connect to) or towards a specific address range. This strategy restricts the redundancy available for automatic fail-over, however: if the datacenter you are connected to goes out of service, your endpoints cannot reach another. Please contact Pexip Support before setting up a solution like this. The example below illustrates how this looks towards one SIP registrar in our datacenter in Oslo, Norway.
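A check a practitioner would want for the safelisting guidance above (match the firewall to the published ranges; a scoped-down configuration loses fail-over) is an audit that compares the configured outbound rules with the vendor's published list. The following is an added example, not a Pexip tool: every prefix and port in it is a constructed placeholder (RFC 5737 TEST-NET ranges), the real values being the ones Pexip publishes at https://pexip.me/test/firewall. It reports published ranges no rule fully allows (those datacenters, including fail-over to them, are unreachable) and configured rules that allow more than the published list.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Added example, not a Pexip tool. Every prefix and port below is constructed
# for illustration (RFC 5737 TEST-NET documentation ranges); the real address
# ranges and ports are the ones Pexip publishes at
# https://pexip.me/test/firewall and must be substituted before use.

# (protocol, destination network, first port, last port)
Rule = Tuple[str, str, int, int]

PUBLISHED: List[Rule] = [
    ("tcp", "198.51.100.0/24", 5061, 5061),    # SIP TLS signalling, datacenter A
    ("tcp", "203.0.113.0/24", 5061, 5061),     # SIP TLS signalling, datacenter B
    ("udp", "198.51.100.0/24", 40000, 49999),  # SRTP media, datacenter A
    ("udp", "203.0.113.0/24", 40000, 49999),   # SRTP media, datacenter B
]


def _net(text: str):
    return ipaddress.ip_network(text, strict=False)


def audit_egress_rules(configured: Iterable[Rule], published: Iterable[Rule]) -> Dict[str, object]:
    """Compare the firewall's outbound rules with the vendor's published list.

    missing:   published ranges that no configured rule fully allows (calls to
               that datacenter, including fail-over to it, will not work)
    overbroad: configured rules that allow more than the published list
               (for example 0.0.0.0/0, or extra ports)
    """
    configured = list(configured)
    published = list(published)
    missing: List[Rule] = []
    overbroad: List[Rule] = []

    for proto, net, lo, hi in published:
        want = _net(net)
        # Configured rules able to carry this traffic: same protocol, same IP
        # version, port range covering the published one.
        carriers = [
            _net(c_net) for c_proto, c_net, c_lo, c_hi in configured
            if c_proto == proto and c_lo <= lo and hi <= c_hi
            and _net(c_net).version == want.version
        ]
        # Collapse first so that e.g. two /25 rules count as covering a /24.
        covered = any(want.subnet_of(c) for c in ipaddress.collapse_addresses(carriers))
        if not covered:
            missing.append((proto, net, lo, hi))

    for proto, net, lo, hi in configured:
        have = _net(net)
        inside = any(
            p_proto == proto and _net(p_net).version == have.version
            and have.subnet_of(_net(p_net)) and p_lo <= lo and hi <= p_hi
            for p_proto, p_net, p_lo, p_hi in published
        )
        if not inside:
            overbroad.append((proto, net, lo, hi))

    return {"missing": missing, "overbroad": overbroad, "ok": not missing and not overbroad}


if __name__ == "__main__":
    # Scoped-down configuration: one datacenter only, plus a catch-all rule
    # someone added "to make it work".
    scoped = [
        ("tcp", "198.51.100.0/24", 5061, 5061),
        ("udp", "198.51.100.0/24", 40000, 49999),
        ("tcp", "0.0.0.0/0", 443, 443),
    ]
    for key, value in audit_egress_rules(scoped, PUBLISHED).items():
        print(f"{key}: {value}")
```

Rules are deliberately checked in both directions: a scoped-down list shows up as "missing" entries for the datacenters it excludes, and a catch-all that would quietly defeat safelisting shows up as "overbroad".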

Network readiness assessment

Pexip provides a simple tool to quickly ascertain whether the local network on which video softclients and endpoints are to be installed has any connectivity barriers to the Pexip Service Network. Run on a Microsoft Windows or Apple Mac computer attached to the same local network as the video device to be registered, the Network Readiness Assessment Tool performs several stages of testing against the closest Pexip datacenter. The tool is available at https://pexip.me/test, where users can download and install a standalone application for Windows and Mac. This Activate Endpoint application can also be downloaded from Pexip app downloads.

The Network Readiness Assessment Tool evaluates:

  • Whether the local network can reach Pexip Provisioning and Phonebook Services.
  • Whether the local network can communicate to the closest Pexip datacenter using SIP TLS signaling.
  • Whether the local network can send UDP/RTP traffic to the closest Pexip datacenter using representative video/audio traffic ports.
  • What quality of video resolution the local network can support, based on a series of connection speed tests consistent with video traffic at Standard Definition, 720p, and 1080p video resolutions.

In the majority of environments, the Network Readiness Assessment will yield results indicating that the local network is ready to allow video devices to be registered to the Pexip Cloud Video Service. If the assessment results need to be reviewed in detail, the user can choose to View and Save Report.

If a stage of testing fails, this indicates that the staff responsible for the local firewall need to review its settings and implement safelisting rules that permit communication with the Pexip Service Network. The full list of required traffic types, port ranges, and destination IP address ranges that make up the firewall rules can be found at https://pexip.me/test/firewall. Also ensure that the appropriate Pexip Service domains are safelisted (see Pexip's separate guidance on domain safelisting).

Note that the results of the Network Readiness Assessment Tool are guidance, not a guarantee, that registration of video devices on the local network will succeed immediately. Additional factors may still need to be addressed, notably a SIP ALG on the firewall (which rewrites SIP traffic in transit and is a common cause of failed registrations) or an HTTP proxy in the path (which may intercept, or require authentication for, the provisioning connection).
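The stages of the readiness assessment above (TCP reachability for SIP TLS signalling, UDP reachability for RTP media) and the SIP ALG caveat, as an added example that is not Pexip's Network Readiness Assessment Tool. It classifies a TCP destination as open, refused or silently blocked, sends a UDP datagram and waits for an echo, and flags in-path SIP tampering by comparing what was sent with what the far end echoed back. Hosts and ports are constructed assumptions: a local echo responder stands in for the Pexip datacenter so the probe runs offline, and the SIP OPTIONS payload uses RFC 5737 documentation addresses.

```python
import socket
import threading

# Added example, not Pexip's Network Readiness Assessment Tool. It shows the
# two kinds of reachability check that tool performs (TCP for SIP TLS
# signalling, UDP for RTP media) and a check for in-path SIP tampering.
# Hosts and ports are constructed: a local responder stands in for the Pexip
# datacenter so the probe runs offline; point it at the real service and port
# list from https://pexip.me/test/firewall to use it for real.

# Constructed SIP OPTIONS probe; 192.0.2.10 is an RFC 5737 documentation address.
SIP_PROBE = (
    "OPTIONS sip:probe@example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-probe\r\n"
    "Contact: <sip:probe@192.0.2.10:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
).encode("ascii")


def probe_tcp(host, port, timeout=2.0):
    """Classify a TCP destination: 'open', 'refused' (host answered with a
    reset: nothing listening or an explicit reject rule) or 'blocked'
    (no answer at all, the usual symptom of a silently dropping firewall)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:          # socket.timeout is a subclass of OSError
        return "blocked"


def probe_udp(host, port, payload, timeout=2.0):
    """Send one datagram and wait for the far end's echo. UDP has no
    handshake, so a blocked path only ever shows up as silence."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (host, port))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return "no-reply", b""
    return "reply", data


def sip_rewritten_in_transit(sent, echoed):
    """If the far end echoes back something other than what was sent, a
    middlebox (typically a SIP ALG) rewrote the message on the way."""
    return sent != echoed


def udp_echo_responder(sock, stop):
    """Stand-in for the datacenter's UDP test service: echoes datagrams."""
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(65535)
        except socket.timeout:
            continue
        sock.sendto(data, peer)


def run_self_test():
    """Run the probes against local stand-ins and return the classifications."""
    tcp_listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_listener.bind(("127.0.0.1", 0))
    tcp_listener.listen(1)
    udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_sock.bind(("127.0.0.1", 0))
    stop = threading.Event()
    responder = threading.Thread(target=udp_echo_responder, args=(udp_sock, stop), daemon=True)
    responder.start()
    # A port with nothing behind it: bind to obtain a free number, then release it.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        tcp_host, tcp_port = tcp_listener.getsockname()
        udp_host, udp_port = udp_sock.getsockname()
        udp_status, echoed = probe_udp(udp_host, udp_port, SIP_PROBE)
        return {
            "sip_tls_signalling": probe_tcp(tcp_host, tcp_port),
            "closed_port": probe_tcp(tcp_host, closed_port),
            "rtp_media": udp_status,
            "sip_alg_suspected": sip_rewritten_in_transit(SIP_PROBE, echoed),
        }
    finally:
        stop.set()
        responder.join()
        tcp_listener.close()
        udp_sock.close()


if __name__ == "__main__":
    for key, value in run_self_test().items():
        print(f"{key}: {value}")
```

The distinction between "refused" and "blocked" matters when reading a failed stage: a reset means the packets reached something, while silence on TCP or UDP is what a default-deny firewall rule produces. A real TLS signalling test would additionally complete the TLS handshake and validate the server certificate; that part is outside this offline example.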