Introduction to using the Reverse Proxy and TURN Server

A reverse proxy and a TURN server are typically used in Pexip Infinity deployments where some clients cannot communicate directly with Pexip Conferencing Nodes, for example in on-premises deployments where the Pexip platform is located on an internal, enterprise LAN network while the clients are located in public networks on the Internet. In these cases a reverse proxy can be used to proxy the call signaling traffic between the externally-located client and the internal Conferencing Node. In addition, as the reverse proxy does not handle media, a TURN server acts as a media relay between the external client and the internal nodes.

Deployment recommendations

Since version 16 of Pexip Infinity, we recommend that you deploy Proxying Edge Nodes instead of a reverse proxy and TURN server if you want to allow externally-located clients to communicate with internally-located Conferencing Nodes. A Proxying Edge Node handles all media and signaling connections with an endpoint or external device, but does not host any conferences — instead it forwards the media on to a Transcoding Conferencing Node for processing.

Note that you may still want to deploy a reverse proxy in front of your Proxying Edge Nodes if, for example, you want to:

  • host customized Infinity Connect web app content
  • use it as a load balancer for Pexip's VMR Scheduling for Exchange service, to proxy requests from Outlook clients to Conferencing Nodes.

The following diagram shows how the reverse proxy could be used in conjunction with Infinity Connect clients and Proxying Edge Nodes:

Deployments that do not use Proxying Edge Nodes

If you do not want to deploy Proxying Edge Nodes and thus want to route all signaling and media from external clients via a reverse proxy and a TURN server to your internal/on-premises nodes, then you should follow the rest of this Reverse Proxy and TURN Server guide and configure your on-premises nodes as Transcoding Conferencing Nodes.

Supported clients when using a reverse proxy/TURN

Pexip's Infinity Connect WebRTC clients (web app for Chrome, Firefox, Opera and Safari (version 11 onwards), the mobile clients for iOS and Android, and the desktop client) use ICE (Interactive Connectivity Establishment) to negotiate optimal media paths with Conferencing Nodes. Microsoft Skype for Business and Lync clients use a similar ICE mechanism, which means that Pexip can use TURN for all of these client types.

However, Infinity Connect clients on Internet Explorer and Safari (versions 6-10) browsers use the RTMP protocol, rather than WebRTC. While RTMP clients can connect to Conferencing Nodes via the reverse proxy, they cannot establish audio/video paths to Pexip Infinity via a TURN server. To establish audio/video media connectivity, RTMP clients need a direct TCP connection to a Conferencing Node.

An additional benefit of deploying Proxying Edge Nodes is that they provide connectivity for all browsers — WebRTC and RTMP-based.

Note that Microsoft Edge browsers (which are WebRTC-compatible) cannot currently use STUN and thus cannot send media to Pexip Infinity via a TURN server.

What's new in this release?

Version 6.0.10 of the OVA template was released in May 2019 and includes the following changes:

  • Resolved coTURN, TURN and STUN server security vulnerabilities CVE-2018-4056, CVE-2018-4058 and CVE-2018-4059.
  • Improved logging:

    • Sensitive parameters such as client API conference tokens are now redacted in log output.
    • Better log rotation to prevent leaving nginx log files that are too large.
    • Ensure that log messages are written to the correct nginx log file.
  • Prevent unwanted dialogs appearing when using apt-get to upgrade the libpam-systemd and grub-pc Ubuntu packages.
  • Now also available as an Amazon Machine Image (AMI) on Amazon Web Services (AWS).

Version 6.0.7 of the OVA template was released in November 2018 and includes the following changes:

  • Enhanced installation wizard that contains options to:

    • select whether either the reverse proxy, the TURN server, or both applications are enabled
    • configure dual network interfaces
    • configure the TURN server for TCP relay via port 443
    • enable fail2ban
    • enable SNMPv2c
    • offer previous settings as the default when rerunning the wizard.
  • Security improvements:

    • Updated underlying Ubuntu OS to ensure ongoing support for future security patches.
    • HSTS (HTTP Strict Transport Security) has been enabled. This means that if your deployment moves from using a valid TLS certificate to using an invalid certificate (e.g. you redeploy the reverse proxy, or your certificate expires or is invalidated for some reason) then certain web browsers will stop you from accessing the appliance via the web when using its DNS name, until you correct the certificate issue.
    • TLS v1.0 is disabled for HTTPS inbound connections.

There is no migration path from previous versions to version 6. You must uninstall the previous appliance and then perform a fresh install of version 6 using the same network and Conferencing Node addresses etc.

Version 5.0.5 of the OVA template was released in December 2017 and includes the following changes:

  • Support for collecting usage statistics from the next-generation web app.

Version 5.0.3 of the OVA template was released in August 2017 and includes the following changes:

  • The OVA template can now be deployed to VMware ESXi using vSphere web client 6.5.0.
  • Content Security Policy no longer logs that it has blocked access to * when used with Pexip's VMR Scheduling for Exchange add-in for Outlook clients.
  • By default the TURN server now supports 15,000 sessions (previously 2,000).

Version 5 of the OVA template was released in April 2017 and includes the following changes and enhancements:

  • The installation wizard contains a new option to enable Content Security Policy. This provides enhanced security against cross site scripting attacks.
  • The fail2ban service no longer attempts to send mail (as there is no sendmail user).
  • NTP synchronization now works correctly.
  • TLS connections no longer use Triple DES.

Version 4 of the OVA template was released in November 2016 and offers improved scaling, OS security updates, and faster installation. It also includes the fail2ban service which provides protection against brute force attacks on PIN-protected conferences. Note that fail2ban is disabled by default. For more information, and instructions on how to enable fail2ban, see Enabling fail2ban on the reverse proxy.

Deployment options

Any type of HTTPS reverse proxy/load balancer or TURN server may be used with Pexip Infinity. However, this guide describes how to deploy these applications using the Reverse Proxy and TURN Server VMware appliance provided by Pexip.

This virtual VMware appliance is available as an OVA template which can be deployed on VMware ESXi 5 or later. The virtual appliance contains both reverse proxy and TURN applications.

The server hosting the reverse proxy requires a minimum of 2 vCPU, 2 GB RAM and 50 GB storage.

Depending on the network topology, the reverse proxy can be deployed with one or two network interfaces in various configurations:

In deployments with more than one Conferencing Node, the reverse proxy can load-balance HTTPS traffic between all Conferencing Nodes using a round-robin algorithm.

We recommend that the reverse proxy is configured with at least 3 Conferencing Nodes for resiliency as backend/upstream servers.

Prerequisites and requirements

Ensure that the following prerequisites are in place:

The reverse proxy and TURN applications require Pexip Infinity version 9 or later.

Security considerations

Infinity Connect clients (for conferencing services) and Outlook clients (for scheduling services) can only use encrypted HTTPS when communicating with Conferencing Nodes. The reverse proxy must therefore provide HTTPS interfaces through which the Infinity Connect and Outlook clients can communicate.

When configured correctly, the reverse proxy will allow HTTPS traffic to flow between the Infinity Connect and Outlook clients and the Conferencing Nodes only. Externally located clients will not be able to access other internal resources through the reverse proxy.

For conferencing services, we recommend that you install your own SSL/TLS certificates on the reverse proxy and TURN server for maximum security. If you are using VMR Scheduling for Exchange you must install your own valid certificates. For more information, see Replacing the default SSL certificate on the reverse proxy.

Version 4 of the reverse proxy introduced the fail2ban service which provides protection against brute force attacks on PIN-protected conferences. Note that fail2ban is disabled by default. For more information, and instructions on how to enable fail2ban, see Enabling fail2ban on the reverse proxy.