to using the Reverse Proxy and TURN Server
In Pexip Infinity deployments, all Pexip Infinity Connect clients use HTTPS for the call signaling connections towards Conferencing Nodes.
However, with some Pexip deployments, these clients are not able to communicate directly with Pexip Conferencing Nodes, for example in on-prem deployments where the Pexip platform is located on an internal, enterprise LAN network while the clients are located in public networks on the Internet. In these cases it is common to deploy a reverse proxy application in the environment. This is an application which can proxy HTTP and HTTPS traffic from an externally-located client to a web service application located on the internal network — in our case a Pexip Conferencing Node. A reverse proxy can also be referred to as a load balancer.
In addition to providing HTTP/HTTPS connectivity between external Pexip clients and internal Conferencing Nodes, a reverse proxy can also be used for hosting customized Infinity Connect Web App content.
In deployments such as the ones described above, the reverse proxy provides for HTTPS call signaling connectivity between Infinity Connect clients and Conferencing Nodes. However, as the reverse proxy does not handle media, a TURN server is also required to ensure audio/video connectivity between the clients and the Conferencing Nodes.
A TURN server is a media relay/proxy which allows peers to exchange UDP or TCP media traffic whenever one or both parties are behind NAT. When Conferencing Nodes are deployed behind NAT, these nodes will instruct the WebRTC client to send its media packets to the TURN server, which will forward (relay) the packets to the Conferencing Nodes. Since this TURN server is normally located outside of the enterprise firewall, the Conferencing Node will constantly send media packets to this TURN server to "punch holes" in the firewall, allowing this TURN server to relay media packets back to the Conferencing Node, as the firewall will classify this as return traffic.
Pexip's Infinity Connect WebRTC clients (the desktop client; Web App for Chrome, Firefox and Opera; and mobile clients for iOS and Android) use ICE (Interactive Connectivity Establishment) to negotiate optimal media paths with Conferencing Nodes. Microsoft Lync and Skype for Business clients use a similar ICE mechanism, which means that Pexip can use TURN for all of these client types.
Infinity Connect clients on Internet Explorer and Safari browsers use the RTMP protocol, rather than WebRTC. While RTMP clients can connect to Conferencing Nodes via the reverse proxy, they cannot establish audio/video paths to Pexip Infinity via a TURN server. To establish audio/video media connectivity, RTMP clients need a direct TCP connection to a Conferencing Node.
Note that Microsoft Edge browsers (which are WebRTC-compatible) cannot currently use STUN and thus cannot send media to Pexip Infinity via a TURN server.
Any type of HTTPS reverse proxy/load balancer or TURN server may be used with Pexip Infinity. However, this guide describes how to deploy these applications using the Reverse Proxy and TURN Server VMware appliance provided by Pexip.
Version 4 of the OVA template was released in November 2016 and offers improved scaling, OS security updates, and faster installation. It also includes the fail2ban service which provides protection against brute force attacks on PIN-protected conferences. Note that fail2ban is disabled by default. For more information, and instructions on how to enable fail2ban, see Enabling fail2ban on the reverse proxy.
This virtual VMware appliance is available as an OVA template which can be deployed on VMware ESXi 5 or later. The virtual appliance contains both reverse proxy and TURN applications.
Depending on the network topology, the reverse proxy can be deployed with one or two network interfaces in various configurations:
- Single NIC, public address: see Example deployment: single NIC on public address
- Dual NIC, private and public addresses: see Alternative dual NIC reverse proxy/TURN server deployment
In deployments with more than one Conferencing Node, the reverse proxy can load-balance HTTPS traffic between all Conferencing Nodes using a round-robin algorithm.
For resiliency, we recommend that the reverse proxy is configured with at least 3 Conferencing Nodes as backend/upstream servers.
Ensure that the following prerequisites are in place:
- The Pexip Infinity deployment (i.e. a Management Node and at least one Conferencing Node) must be configured and in a working state.
- Appropriate DNS SRV records must have been created in accordance with Using the reverse proxy with the Infinity Connect desktop client and Infinity Connect Mobile client.
The reverse proxy and TURN applications require Pexip Infinity version 9 or later.
The Infinity Connect Mobile client and Infinity Connect clients can only use encrypted HTTPS when communicating with Conferencing Nodes. The reverse proxy must therefore provide HTTPS interfaces through which the Infinity Connect Mobile client and Infinity Connect clients can communicate.
When configured correctly, the reverse proxy will allow HTTPS traffic to flow between the Infinity Connect Mobile client / Infinity Connect clients and the internal Conferencing Nodes only. Externally located clients will not be able to access other internal resources through the reverse proxy.
We recommend that you install your own SSL/TLS certificates on the reverse proxy and TURN server for maximum security. For more information, see Replacing the default SSL certificate on the reverse proxy.
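The following is an added, illustrative nginx configuration that is not the Pexip appliance's own configuration; it shows the properties described above (HTTPS only, round-robin across at least three Conferencing Nodes, an operator-issued certificate, and no backend other than the Conferencing Node pool reachable through the proxy). The hostname rp.example.com, the 192.0.2.x node addresses and the certificate paths are assumed placeholders.

```nginx
# Added example: illustrative reverse proxy config for Infinity Connect HTTPS signaling.
# Not the Pexip appliance's own configuration. Node addresses and cert paths are placeholders.

upstream conferencing_nodes {
    # nginx balances round-robin by default, matching the behaviour described above.
    # Three backends (assumed addresses) give resiliency if one node is unavailable.
    server 192.0.2.11:443 max_fails=3 fail_timeout=30s;
    server 192.0.2.12:443 max_fails=3 fail_timeout=30s;
    server 192.0.2.13:443 max_fails=3 fail_timeout=30s;
}

server {
    # Infinity Connect clients only use HTTPS; redirect plain HTTP instead of serving it.
    listen 80;
    server_name rp.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name rp.example.com;

    # Operator-issued certificate and key in place of the appliance default (assumed paths).
    ssl_certificate     /etc/nginx/certs/rp.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/rp.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # The Conferencing Node pool is the only upstream referenced anywhere in this
        # config, so externally located clients cannot reach other internal resources.
        proxy_pass https://conferencing_nodes;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Media is not handled here: WebRTC clients still need the TURN server described above for audio/video, and this configuration proxies signaling only.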