Alternative dual NIC reverse proxy/TURN server deployment
This section shows an alternative dual NIC network configuration for the reverse proxy and TURN server.
In this example, the environment is split into two parts: an internal, private network segment and a DMZ network. The private network has two Pexip Infinity Conferencing Nodes and the reverse proxy/TURN server internal interface, while the DMZ perimeter network contains the reverse proxy/TURN server external interface.
Note that all IP addresses in this guide are examples only — actual IP addressing will be deployment specific.
The reverse proxy/TURN server in this case has two network interfaces:
- An internal facing interface (IP address 10.40.0.2) which is connected to the internal LAN network.
- An external facing interface (IP address 198.51.100.130) which is connected to the DMZ network.
The internal interface of the reverse proxy/TURN server is configured on the same subnet as the Conferencing Nodes, while the external interface of the reverse proxy/TURN server is configured on the DMZ subnet. The Conferencing Nodes use 10.40.0.1 as their default gateway. This is also the gateway to the 10.0.50.0/24 management network, from where SSH connections to the internal interface of the reverse proxy/TURN server will originate.
There is no NAT between the outside and the DMZ network segment. The reverse proxy/TURN server uses the DMZ firewall 198.51.100.129 as its default gateway, and is also configured with a static route to the 10.0.50.0/24 management network via the LAN gateway at 10.40.0.1 so that SSH management traffic from this management network can function.
To deploy the reverse proxy/TURN server in this configuration:
- Deploy the Reverse Proxy and TURN Server appliance OVA file and power on the VM instance.
- In the install wizard, define the network configuration (steps 1 and 2 in the install wizard) for what will be the internal interface of the reverse proxy/TURN server (10.40.0.2 in this example).
- For the default gateway (step 3), configure the LAN gateway (10.40.0.1).
- For the trusted hosts/networks (step 4), configure 10.0.50.0 255.255.255.0.
After the install wizard completes, the reverse proxy/TURN server will reboot with the new configuration. When it is back up, connect over SSH to the reverse proxy from a host in the management network (or log in via the VMware console) as user 'pexip' and shut down the virtual machine using the following command:
sudo shutdown -h now
Input the password for user 'pexip' when prompted by sudo.
- After the VM has been shut down, add one additional network interface to this VM instance and power it on again.
Log in to the reverse proxy/TURN server through SSH or VMware console and add the network configuration for the external network interface (198.51.100.130 in this example) and the static route configuration to /etc/network/interfaces, as described in Configuring a second NIC.
In this example, the resulting /etc/network/interfaces file should contain the following (note that the existing gateway entry for interface eth0 is removed as the reverse proxy/TURN server should only have one default gateway defined):
auto lo eth0 eth1
iface lo inet loopback
iface eth0 inet static
    address 10.40.0.2
    netmask 255.255.255.0
iface eth1 inet static
    address 198.51.100.130
    netmask 255.255.255.128
    gateway 198.51.100.129
    dns-nameservers 22.214.171.124 126.96.36.199
    post-up route add -net 10.0.50.0 netmask 255.255.255.0 gw 10.40.0.1
To ensure that the eth0 and eth1 interfaces correspond with the correct port group in VMware, run the ifconfig command on the reverse proxy/TURN server. This shows the hardware MAC address of each interface, so that these can be matched against the virtual interfaces in VMware.
- Reboot the reverse proxy/TURN server VM to apply the new network settings.
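The following check is an added example, not part of the original guide or of Pexip's tooling. It parses an ifupdown-style /etc/network/interfaces file and confirms the layout described above: exactly one default gateway, that gateway on its own interface's subnet, and a static route to the management network through a next hop on an attached subnet. The function names and the sample text (this page's example addressing, with the dns-nameservers line left out) are constructed for illustration.

```python
import ipaddress
# Constructed sample using this page's example addressing (dns-nameservers omitted).
SAMPLE = """\
auto lo eth0 eth1
iface lo inet loopback
iface eth0 inet static
    address 10.40.0.2
    netmask 255.255.255.0
iface eth1 inet static
    address 198.51.100.130
    netmask 255.255.255.128
    gateway 198.51.100.129
    post-up route add -net 10.0.50.0 netmask 255.255.255.0 gw 10.40.0.1
"""

def parse_interfaces(text):
    """Collect address/netmask/gateway and post-up static routes per iface stanza."""
    stanzas, cur = {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:  # blank line; "#" comment lines match no keyword below
            continue
        if tok[0] == "iface":
            cur = stanzas.setdefault(tok[1], {"routes": []})
        elif cur is not None and tok[0] in ("address", "netmask", "gateway"):
            cur[tok[0]] = tok[1]
        elif cur is not None and tok[:3] == ["post-up", "route", "add"]:
            opt = dict(zip(tok[3::2], tok[4::2]))  # -net X netmask Y gw Z
            dest = ipaddress.ip_network(f"{opt['-net']}/{opt['netmask']}")
            cur["routes"].append((dest, ipaddress.ip_address(opt["gw"])))
    return stanzas

def check(text, mgmt_net="10.0.50.0/24"):
    """Return a list of findings; an empty list means the layout matches."""
    st = parse_interfaces(text)
    nets = {n: ipaddress.ip_interface(f"{s['address']}/{s['netmask']}").network
            for n, s in st.items() if "address" in s}
    gws = [(n, ipaddress.ip_address(s["gateway"])) for n, s in st.items() if "gateway" in s]
    findings = []
    if len(gws) != 1:  # a leftover eth0 gateway would give two default routes
        findings.append(f"expected exactly one default gateway, found {len(gws)}")
    for n, gw in gws:
        if n in nets and gw not in nets[n]:
            findings.append(f"{n}: gateway {gw} is outside {nets[n]}")
    routes = [r for s in st.values() for r in s["routes"]]
    mgmt = ipaddress.ip_network(mgmt_net)
    if not any(d == mgmt and any(gw in net for net in nets.values()) for d, gw in routes):
        findings.append(f"no static route to {mgmt} via a next hop on an attached subnet")
    return findings
```

Run it on a copy of the edited file with `check(open(path).read())`; any finding is worth resolving before the reboot, since a missing management route would cut off SSH access from 10.0.50.0/24.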
If the reverse proxy/TURN server is deployed with a dual NIC public/private address, then Conferencing Nodes will typically not be able to discover their public NAT addresses as they will be sending their STUN requests to the internal interface of the TURN server.
Therefore, you will need to configure Pexip Infinity with a separate STUN server (see Configuring Pexip Infinity to use a STUN server).