Introduction to using the Reverse Proxy and TURN Server

A reverse proxy and a TURN server are typically used in Pexip Infinity deployments where some clients cannot communicate directly with Pexip Conferencing Nodes, for example in on-premises deployments where the Pexip platform is located on an internal, enterprise LAN network while the clients are located in public networks on the Internet. In these cases a reverse proxy can be used to proxy the call signaling traffic between the externally-located client and the internal Conferencing Node. In addition, as the reverse proxy does not handle media, a TURN server acts as a media relay between the external client and the internal nodes.

Deployment recommendations

Since version 16 of Pexip Infinity, we recommend that you deploy Proxying Edge Nodes instead of a reverse proxy and TURN server if you want to allow externally-located clients to communicate with internally-located Conferencing Nodes. A Proxying Edge Node handles all media and signaling connections with an endpoint or external device, but does not host any conferences — instead it forwards the media on to a Transcoding Conferencing Node for processing.

Note that you may still want to deploy a reverse proxy in front of your Proxying Edge Nodes if, for example, you want to:

  • host customized Connect web app content
  • use it as a load balancer for Pexip's VMR Scheduling for Exchange service, to proxy requests from Outlook clients to Conferencing Nodes.

The following diagram shows how the reverse proxy could be used in conjunction with Connect app clients and Proxying Edge Nodes:

Deployments that do not use Proxying Edge Nodes

If you do not want to deploy Proxying Edge Nodes and thus want to route all signaling and media from external clients via a reverse proxy and a TURN server to your internal/on-premises nodes, then you should follow the rest of this Reverse Proxy and TURN Server guide and configure your on-premises nodes as Transcoding Conferencing Nodes.

Supported clients when using a reverse proxy/TURN

WebRTC clients (the Connect web app on the latest browsers, and the desktop and mobile clients) use ICE (Interactive Connectivity Establishment) to negotiate optimal media paths with Conferencing Nodes. Skype for Business clients use a similar ICE mechanism, which means that Pexip can use TURN for all of these client types.

Note that Microsoft Edge browser version 44 and earlier (which is WebRTC-compatible) cannot use STUN and thus cannot send media to Pexip Infinity via a TURN server.

Deployment options

Any type of HTTPS reverse proxy/load balancer or TURN server may be used with Pexip Infinity. However, this guide describes how to deploy these applications using the Reverse Proxy and TURN Server VMware appliance provided by Pexip.

This VMware virtual appliance is available as an OVA template that can be deployed on VMware ESXi 5 or later. The appliance contains both the reverse proxy and TURN applications.

The server hosting the reverse proxy requires a minimum of 2 vCPU, 2 GB RAM and 50 GB storage.

Depending on the network topology, the reverse proxy can be deployed with one or two network interfaces in various configurations:

In deployments with more than one Conferencing Node, the reverse proxy can load-balance HTTPS traffic between all Conferencing Nodes using a round-robin algorithm.

For resiliency, we recommend that the reverse proxy is configured with at least 3 Conferencing Nodes as backend/upstream servers, so that the loss of a single node does not take the service down.
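As an added example (not the appliance's shipped configuration, and not code from this guide), the following nginx fragment shows what an HTTPS listener in front of a round-robin upstream of three Conferencing Nodes looks like. The node addresses, public hostname and certificate paths are assumptions.

```nginx
# Added example, not the appliance's own configuration: nginx as the HTTPS
# reverse proxy for three Conferencing Nodes. Addresses, hostname and
# certificate paths are assumptions.

# Needed for the Upgrade/Connection handling in the location block below.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream pexip_nodes {
    # nginx balances round-robin by default, so no method directive is needed.
    # max_fails/fail_timeout take an unresponsive node out of rotation for
    # 30 s, which is why at least three backends are recommended.
    server 10.0.1.11:443 max_fails=3 fail_timeout=30s;
    server 10.0.1.12:443 max_fails=3 fail_timeout=30s;
    server 10.0.1.13:443 max_fails=3 fail_timeout=30s;
}

server {
    listen 443 ssl;
    server_name join.example.com;

    # Your own certificate, not the self-signed default shipped with the proxy.
    ssl_certificate     /etc/nginx/ssl/join.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/join.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # The upstream group is the only proxy target: external clients cannot
        # reach any other internal host through this listener.
        proxy_pass https://pexip_nodes;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Client sessions hold long-lived connections (event streams,
        # websocket upgrades), so do not buffer or time them out early.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_buffering    off;
        proxy_read_timeout 3600s;
    }
}

# Clients only use HTTPS; send anything arriving on port 80 there.
server {
    listen 80;
    server_name join.example.com;
    return 301 https://$host$request_uri;
}
```

Whatever proxy or load balancer you use instead, the properties that matter are the ones commented above: a fixed upstream group as the only proxy destination, your own certificate on the public listener, and enough backends that an unhealthy node is simply skipped.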

As general good practice, we always recommend deploying the TURN server in a suitably secured network segment, such as a DMZ.

Prerequisites and requirements

Ensure that the following prerequisites are in place:

The reverse proxy and TURN applications require Pexip Infinity version 9 or later.

Security considerations

Connect app clients (for conferencing services) and Outlook clients (for scheduling services) can only use encrypted HTTPS when communicating with Conferencing Nodes. The reverse proxy must therefore provide HTTPS interfaces through which the Connect app and Outlook clients can communicate.

When configured correctly, the reverse proxy will allow HTTPS traffic to flow between the Connect app and Outlook clients and the Conferencing Nodes only. Externally located clients will not be able to access other internal resources through the reverse proxy.

When installing/enabling the TURN server in restricted configuration mode you must specify the IP addresses of the Conferencing Nodes that will use the TURN server for media relay. This locks down the IP addresses that are allowed (safelisted) to communicate with the TURN server over UDP/3478.

When installing/enabling the TURN server in permissive configuration mode (e.g. for direct media), we strongly recommend, for enhanced security, that you use your own dedicated TURN server located in your DMZ.
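To make the restricted/permissive distinction concrete, here is an added nftables ruleset for the host running the TURN server. It illustrates the safelisting behaviour described above and is not the appliance's own implementation; the Conferencing Node addresses, management network and relayed port range are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not the appliance's own rules: the firewall half of
# "restricted" TURN mode. Only the safelisted Conferencing Nodes may reach
# UDP/3478 (TURN allocation and control), while the relayed media ports stay
# open to external clients. Node addresses, management network and relay port
# range are assumptions.

define conferencing_nodes = { 10.0.1.11, 10.0.1.12, 10.0.1.13 }
define mgmt_net            = 10.0.0.0/8
define relay_ports         = 49152-65535

flush ruleset

table inet turn {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        icmp   type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept

        # Restricted mode: TURN allocations only from the safelisted nodes.
        ip saddr $conferencing_nodes udp dport 3478 accept

        # Permissive mode (e.g. direct media, where external clients rather
        # than your nodes need to allocate relays) would replace the rule
        # above with an unrestricted one:
        #   udp dport 3478 accept
        # which is why such a server belongs on a dedicated host in the DMZ.

        # Relayed transport addresses: external peers send media to these ports.
        udp dport $relay_ports accept

        # SSH from the management network only.
        ip saddr $mgmt_net tcp dport 22 accept
    }
}
```

The relayed port range must stay reachable from the Internet regardless of mode, because that is where the external client's media arrives; the mode only changes who may open an allocation on UDP/3478 in the first place.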

For conferencing services, we recommend that you install your own SSL/TLS certificates on the reverse proxy for maximum security. If you are using VMR Scheduling for Exchange you must install your own certificates. For more information, see Replacing the default SSL certificate on the reverse proxy.

Version 4 of the reverse proxy introduced the fail2ban service which provides protection against brute force attacks on PIN-protected conferences. Note that fail2ban is disabled by default. For more information, and instructions on how to enable fail2ban, see Enabling fail2ban on the reverse proxy.