When is a reverse proxy, TURN server or STUN server required?

Since version 16 of Pexip Infinity, we recommend that you deploy Proxying Edge Nodes instead of a reverse proxy and TURN server if you want to allow externally-located clients to communicate with internally-located Conferencing Nodes.

If you do not want to deploy Proxying Edge Nodes, and all of your Conferencing Nodes are privately addressed, you will need to use a reverse proxy and a TURN server to allow external endpoints such as Connect app clients to access your Pexip Infinity services, and you may need to use a TURN server for Skype for Business / Lync clients. A TURN server can also act as a STUN server. However, in some Pexip Infinity deployment scenarios where the TURN server is deployed inside your enterprise firewall, you may need to configure a separate, external STUN server.

When connecting to a privately-addressed Conferencing Node, Connect app WebRTC clients that are behind a NAT may also use a STUN server to find out their public NAT address.

If you are using direct media then you may also want to provision details of a client TURN server to the WebRTC clients.

When using direct media, we strongly recommend, for enhanced security, that you use your own dedicated TURN server that is located in your DMZ.

The following table shows when a reverse proxy, TURN server or STUN server needs to be deployed (if you are not using Proxying Edge Nodes). When used, they must be publicly accessible, and routable from your on-premises Conferencing Nodes.

External endpoint / client | Conferencing Node addresses | Reverse proxy | TURN server | STUN server (for Conferencing Nodes) | STUN server (for WebRTC clients behind NAT)

Connect app WebRTC clients

Private (on-premises)


(if the TURN server is inside the firewall)

Skype for Business / Lync clients * Private (on-premises) -

(only required if internal Conferencing Node cannot route to the public-facing interface of the SfB/Lync Edge server)


(if the TURN server is inside the firewall)

Any endpoint / client Publicly reachable — either directly or via static NAT - - - -

Connect app WebRTC clients using direct media

-

-

(provisioned as a Client TURN server)

-

* Also requires a Skype for Business / Lync Edge Server when Conferencing Nodes are privately addressed (see Example deployment in an on-premises Skype for Business environment).

Note that you may still want to deploy a reverse proxy in front of your Proxying Edge Nodes if, for example, you want to:

  • host customized Connect web app content
  • use it as a load balancer for Pexip's VMR Scheduling for Exchange service, to proxy requests from Outlook clients to Conferencing Nodes.