Advanced Reverse Proxy and TURN Server configuration
This section describes some advanced configuration scenarios for the reverse proxy and TURN server:
Adding or removing Conferencing Nodes from an existing reverse proxy configuration
To add an additional Conferencing Node, or to remove a Conferencing Node from an existing reverse proxy configuration:
- Run the following command to edit the Reverse Proxy and TURN Server config file:
  sudo nano /etc/nginx/sites-enabled/pexapp
- To add a Conferencing Node:
  In sections upstream pexip and upstream pexip-webrtc at the top of the config file, add additional server statements. In these additional entries, specify the IP address of each additional Conferencing Node; other parameters should be similar to the existing entries.
- To remove a Conferencing Node:
  In sections upstream pexip and upstream pexip-webrtc at the top of the config file, remove the server statements that specify the IP address of each Conferencing Node to be removed.
- After editing the file, run the following command to reload the nginx configuration gracefully (not interrupting any existing sessions):
  sudo service nginx reload
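Because every node has to be added to or removed from both upstream sections, a quick consistency check before the reload catches a node that was edited in only one of them. The script below is an added example, not part of the Pexip appliance; the sample config, its addresses and ports are constructed placeholders, and it assumes IPv4 addresses or hostnames in the server statements.

```python
import re

# Constructed sample: addresses and ports are placeholders, not values from a real deployment.
SAMPLE = """\
upstream pexip {
    server 10.40.0.10:443;
    server 10.40.0.11:443;
}
upstream pexip-webrtc {
    server 10.40.0.10:443;
    # server 10.40.0.12:443;   (commented out, so not an active entry)
}
"""

def upstream_servers(conf):
    """Map each upstream block name to the set of hosts in its active server statements."""
    blocks = {}
    for name, body in re.findall(r"upstream\s+(\S+)\s*\{([^}]*)\}", conf):
        hosts = set()
        for line in body.splitlines():
            # Drop trailing comments so commented-out entries are ignored.
            m = re.match(r"\s*server\s+([^\s;:]+)", line.split("#")[0])
            if m:
                hosts.add(m.group(1))
        blocks[name] = hosts
    return blocks

def mismatches(conf, first="pexip", second="pexip-webrtc"):
    """Return hosts listed in only one of the two upstream blocks, keyed by block name."""
    blocks = upstream_servers(conf)
    missing = [n for n in (first, second) if n not in blocks]
    if missing:
        raise ValueError(f"upstream block(s) not found: {missing}")
    a, b = blocks[first], blocks[second]
    return {first: sorted(a - b), second: sorted(b - a)}

if __name__ == "__main__":
    # On the appliance, read /etc/nginx/sites-enabled/pexapp instead of SAMPLE.
    for block, hosts in mismatches(SAMPLE).items():
        for host in hosts:
            print(f"{host} is only in upstream {block}")
```

Running sudo nginx -t after the edit validates the syntax of the whole configuration before the reload is attempted.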
Configuring NAT for the TURN server
To configure NAT, run the following command to edit the TURN server configuration:
sudo nano /etc/turnserver.conf
Anywhere in the config file, add the parameter external-ip=1.2.3.4, where 1.2.3.4 is the public NAT address of the TURN server.
After editing the file, run the following command to make the configuration change take effect:
sudo service rfc5766-turn-server restart
Note that this will interrupt any existing TURN sessions (e.g. any WebRTC or Lync / Skype for Business calls going via the TURN server), so these changes should be performed during a maintenance window that is outside of normal operating hours.
Configuring a second NIC
The first, existing NIC must be the internally-facing NIC. When a reverse proxy is deployed and the intention is to have dual NICs, the network configuration provided during the install wizard must be the internally-facing NIC, as SSH access will only be enabled for this initial NIC.
To configure a second NIC, run the following command to edit the network configuration file:
sudo nano /etc/network/interfaces
The existing interfaces file will be similar to this:
# >/etc/network/interfaces
# Written at 2014-04-23 10:30:34 UTC by InterfacesFileWriter
auto lo eth0
iface lo inet loopback
iface eth0 inet static
    address 10.40.0.2
    netmask 255.255.255.0
    gateway 198.51.100.129
    dns-nameservers 8.8.8.8 8.8.4.4
To add a second NIC:
- Change the line auto lo eth0 to auto lo eth0 eth1.
- Create a new section called iface eth1 inet static, and create entries for address, netmask, gateway and dns-nameservers.
- Remove the existing gateway parameter for eth0 (as eth0 will now be the internally-facing interface and thus should not have a default gateway; the default gateway should belong to the externally-facing eth1).
Important: static routes
If any static routes are needed in this scenario (which is usually the case unless the reverse proxy does not need to access any hosts outside of the internal eth0 subnet), these have to be defined at the bottom of the interfaces file, using syntax as follows:
post-up route add -net 10.0.50.0 netmask 255.255.255.0 gw 10.40.0.1
The above entry will create a static route for 10.0.50.0/24 via 10.40.0.1.
The resulting interfaces file will then look like this:
# >/etc/network/interfaces
# Written at 2014-04-23 10:30:34 UTC by InterfacesFileWriter
auto lo eth0 eth1
iface lo inet loopback
iface eth0 inet static
    address 10.40.0.2
    netmask 255.255.255.0
    dns-nameservers 8.8.8.8 8.8.4.4
iface eth1 inet static
    address 198.51.100.130
    netmask 255.255.255.128
    gateway 198.51.100.129
    dns-nameservers 8.8.8.8 8.8.4.4
post-up route add -net 10.0.50.0 netmask 255.255.255.0 gw 10.40.0.1
After the configuration has been changed and saved, the following command will make the changes take effect:
sudo service networking restart
Alternatively, you can reboot the Reverse Proxy and TURN Server appliance with the command sudo reboot.
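Since SSH is only reachable through the internal NIC, it is worth checking the edited file before restarting networking. The following script is an added example, not part of the Pexip appliance: it verifies that the default gateway sits only on the external interface and inside that interface's subnet, and that each static route's next hop is on the internal subnet. The sample text is constructed from the file shown above, and the interface names eth0/eth1 are taken as the internal/external pair as in this section.

```python
import ipaddress

# Constructed sample mirroring the dual-NIC interfaces file shown above.
SAMPLE = """\
auto lo eth0 eth1
iface lo inet loopback
iface eth0 inet static
    address 10.40.0.2
    netmask 255.255.255.0
iface eth1 inet static
    address 198.51.100.130
    netmask 255.255.255.128
    gateway 198.51.100.129
post-up route add -net 10.0.50.0 netmask 255.255.255.0 gw 10.40.0.1
"""

def parse(text):
    """Return ({iface: {option: value}}, [(dest_network, next_hop)])."""
    ifaces, routes, cur = {}, [], None
    for line in text.splitlines():
        w = line.split("#")[0].split()
        if not w:
            continue
        if w[0] == "iface":
            cur = ifaces.setdefault(w[1], {})
        elif w[:3] == ["post-up", "route", "add"]:
            dest = f"{w[w.index('-net') + 1]}/{w[w.index('netmask') + 1]}"
            routes.append((ipaddress.ip_network(dest),
                           ipaddress.ip_address(w[w.index("gw") + 1])))
        elif cur is not None and len(w) > 1:
            cur[w[0]] = w[1]
    return ifaces, routes

def check(text, internal="eth0", external="eth1"):
    """Return a list of problems; an empty list means the layout is as described."""
    ifaces, routes = parse(text)
    nets = {n: ipaddress.ip_interface(f"{o['address']}/{o['netmask']}").network
            for n, o in ifaces.items() if "address" in o and "netmask" in o}
    problems = [f"{n}: no static address" for n in (internal, external) if n not in nets]
    with_gw = sorted(n for n, o in ifaces.items() if "gateway" in o)
    if with_gw != [external]:
        problems.append(f"default gateway must be on {external} only, found on {with_gw}")
    elif external in nets and ipaddress.ip_address(ifaces[external]["gateway"]) not in nets[external]:
        problems.append(f"{external}: gateway is outside its own subnet")
    for dest, hop in routes:
        if internal in nets and hop not in nets[internal]:
            problems.append(f"route {dest}: next hop {hop} is not on the {internal} subnet")
    return problems

if __name__ == "__main__":
    print(check(SAMPLE) or "interfaces file matches the dual-NIC layout")
```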
TURN server
If the reverse proxy and TURN applications co-exist on the same virtual machine, you must also edit the TURN server configuration file to specify the external IP address.
Run the following command to edit the TURN server configuration file:
sudo nano /etc/turnserver.conf
Change the line that begins relay-ip= to specify the external IP address, e.g. relay-ip=198.51.100.130
After editing the file, run the following command to make the configuration change take effect:
sudo service rfc5766-turn-server restart
Note that this will interrupt any existing TURN sessions (e.g. any WebRTC or Lync / Skype for Business calls going via the TURN server), so these changes should be performed during a maintenance window that is outside of normal operating hours.
Changing the TURN server's access credentials
To set new access credentials for the TURN server, run the following command:
sudo turnadmin -k -a -b /etc/turnuserdb.conf -u <username> -r <realm> -p <password>
where <username> and <password> are the credentials to be applied, and <realm> is the domain of your deployment.
You can check the realm in use in your deployment by looking at your TURN server configuration file (by running cat /etc/turnserver.conf) and checking the realm= line.
If you change the credentials, remember to update the TURN server configuration on Pexip Infinity.
Enabling LDAP/AD authentication on the reverse proxy
The reverse proxy supports remote LDAP/AD authentication, meaning that the Infinity Connect Mobile client will have to be configured with a username and password to allow it to communicate with the reverse proxy.
If you intend to use this feature, please contact your authorized Pexip representative for assistance.