Introduction to using the Reverse Proxy and TURN Server
A reverse proxy and a TURN server are typically used in Pexip Infinity deployments where some clients cannot communicate directly with Pexip Conferencing Nodes, for example in on-premises deployments where the Pexip platform is located on an internal, enterprise LAN network while the clients are located in public networks on the Internet. In these cases a reverse proxy can be used to proxy the call signaling traffic between the externally-located client and the internal Conferencing Node. In addition, as the reverse proxy does not handle media, a TURN server acts as a media relay between the external client and the internal nodes.
Deployment recommendations
Since version 16 of Pexip Infinity, we recommend that you deploy
Note that you may still want to deploy a reverse proxy in front of your Proxying Edge Nodes if, for example, you want to:
- host customized Connect web app content
- use it as a load balancer for Pexip's VMR Scheduling for Exchange service, to proxy requests from Outlook clients to Conferencing Nodes.
The following diagram shows how the reverse proxy could be used in conjunction with Connect app clients and Proxying Edge Nodes:
Deployments that do not use Proxying Edge Nodes
If you do not want to deploy Proxying Edge Nodes and thus want to route all signaling and media from external clients via a reverse proxy and a TURN server to your internal/on-premises nodes, then you should follow the rest of this Reverse Proxy and TURN Server guide and configure your on-premises nodes as Transcoding Conferencing Nodes.
Supported clients when using a reverse proxy/TURN
WebRTC clients (the Connect web app on the latest browsers, and the desktop and mobile clients) use ICE (Interactive Connectivity Establishment) to negotiate optimal media paths with Conferencing Nodes. Skype for Business clients use a similar ICE mechanism, which means that Pexip can use TURN for all of these client types.
Note that Microsoft Edge browser version 44 and earlier (which is WebRTC-compatible) cannot use STUN and thus cannot send media to Pexip Infinity via a TURN server.
Deployment options
Any type of HTTPS reverse proxy/load balancer or TURN server may be used with Pexip Infinity. However, this guide describes how to deploy these applications using the Reverse Proxy and TURN Server VMware appliance provided by Pexip.
This virtual VMware appliance is available as an OVA template which can be deployed on VMware ESXi 5 or later. The virtual appliance contains both reverse proxy and TURN applications.
The server hosting the reverse proxy requires a minimum of 2 vCPU, 2 GB RAM and 50 GB storage.
Depending on the network topology, the reverse proxy can be deployed with one or two network interfaces in various configurations:
- Single NIC, public address – see Example reverse proxy / TURN server deployment: single NIC on public address
- Dual NIC, private and public addresses – see Alternative dual NIC reverse proxy/TURN server deployment
In deployments with more than one Conferencing Node, the reverse proxy can load-balance HTTPS traffic between all Conferencing Nodes using a round-robin algorithm.
We recommend that the reverse proxy is configured with at least 3 Conferencing Nodes for resiliency as backend/upstream servers.
As general good practice, we always recommend deploying the TURN server in a suitably secured network segment, such as a DMZ.
Prerequisites and requirements
Ensure that the following prerequisites are in place:
- The Pexip Infinity deployment (i.e. a Management Node and at least one Conferencing Node) must be configured and in a working state.
- Appropriate DNS SRV records must have been created in accordance with Using the reverse proxy with the Connect app desktop and mobile clients.
The reverse proxy and TURN applications require Pexip Infinity version 9 or later.
Security considerations
Connect app clients (for conferencing services) and Outlook clients (for scheduling services) can only use encrypted HTTPS when communicating with Conferencing Nodes. The reverse proxy must therefore provide HTTPS interfaces through which the Connect app and Outlook clients can communicate.
When configured correctly, the reverse proxy will allow HTTPS traffic to flow between the Connect app and Outlook clients and the Conferencing Nodes only. Externally located clients will not be able to access other internal resources through the reverse proxy.
When installing/enabling the TURN server in restricted configuration mode you must specify the IP addresses of the Conferencing Nodes that will use the TURN server for media relay. This locks down the IP addresses that are allowed (safelisted) to communicate with the TURN server over UDP/3478.
When installing/enabling the TURN server in permissive configuration mode (e.g. for direct media) we strongly recommend for enhanced security that you use your own dedicated TURN server that is located in your DMZ.
For conferencing services, we recommend that you install your own SSL/TLS certificates on the reverse proxy for maximum security. If you are using VMR Scheduling for Exchange you must install your own certificates. For more information, see Replacing the default SSL certificate on the reverse proxy.
Version 4 of the reverse proxy introduced the fail2ban service which provides protection against brute force attacks on PIN-protected conferences. Note that fail2ban is disabled by default. For more information, and instructions on how to enable fail2ban, see Enabling fail2ban on the reverse proxy.