Advanced Reverse Proxy and TURN Server configuration

This section describes some advanced configuration scenarios for the reverse proxy and TURN server.

Adding or removing Conferencing Nodes from an existing reverse proxy configuration

To add an additional Conferencing Node, or to remove a Conferencing Node from an existing reverse proxy configuration:

  1. Run the following command to edit the Reverse Proxy and TURN Server config file:

    sudo nano /etc/nginx/sites-available/pexapp

  2. To add a Conferencing Node:

    In the upstream pexip and upstream pexip-webrtc sections at the top of the config file, add additional server statements. In these additional entries, specify the IP address of each additional Conferencing Node; other parameters should be similar to the existing entries.

  3. To remove a Conferencing Node:

    In the upstream pexip and upstream pexip-webrtc sections at the top of the config file, remove the server statements that specify the IP address of each Conferencing Node to be removed.

  4. After editing the file, run the following command to reload the nginx configuration gracefully (not interrupting any existing sessions):

    sudo service nginx reload

Configuring NAT for the TURN server

To configure NAT, run the following command to edit the TURN server configuration:

sudo nano /etc/turnserver.conf

Anywhere in the config file, add the parameter external-ip=1.2.3.4, where 1.2.3.4 is the public NAT address of the TURN server.

After editing the file, run the following command to make the configuration change take effect:

sudo service rfc5766-turn-server restart

Note that this will interrupt any existing TURN sessions (e.g. any WebRTC or Lync / Skype for Business calls going via the TURN server), so these changes should be performed during a maintenance window outside normal operating hours.

Configuring a second NIC

The first, existing NIC must be the internally-facing NIC. When a reverse proxy is deployed with the intention of using dual NICs, the network configuration provided in the install wizard must be that of the internally-facing NIC, as SSH access will only be enabled for this initial NIC.

To configure a second NIC, run the following command to edit the network configuration file:

sudo nano /etc/network/interfaces

The existing interfaces file will be similar to this:

# >/etc/network/interfaces
# Written at 2014-04-23 10:30:34 UTC by InterfacesFileWriter
auto lo eth0
iface lo inet loopback

iface eth0 inet static
   address 10.40.0.2
   netmask 255.255.255.0
   gateway 198.51.100.129
   dns-nameservers 8.8.8.8 8.8.4.4

To add a second NIC:

  1. Change the line auto lo eth0 to auto lo eth0 eth1.
  2. Create a new section called iface eth1 inet static, and create entries for address, netmask, gateway and dns-nameservers.
  3. Remove the existing gateway parameter for eth0 (as eth0 will now be the internally-facing interface and thus should not have a default gateway; the default gateway should belong to the externally-facing eth1).

Important: static routes

If any static routes are needed in this scenario (which is usually the case unless the reverse proxy does not need to access any hosts outside of the internal eth0 subnet), these have to be defined at the bottom of the interfaces file, using syntax as follows:

post-up route add -net 10.0.50.0 netmask 255.255.255.0 gw 10.40.0.1

The above entry will create a static route for 10.0.50.0/24 via 10.40.0.1.

The resulting interfaces file will then look like this:

# >/etc/network/interfaces
# Written at 2014-04-23 10:30:34 UTC by InterfacesFileWriter
auto lo eth0 eth1
iface lo inet loopback

iface eth0 inet static
   address 10.40.0.2
   netmask 255.255.255.0
   dns-nameservers 8.8.8.8 8.8.4.4

iface eth1 inet static
   address 198.51.100.130
   netmask 255.255.255.128
   gateway 198.51.100.129
   dns-nameservers 8.8.8.8 8.8.4.4

post-up route add -net 10.0.50.0 netmask 255.255.255.0 gw 10.40.0.1
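
Before restarting networking, the edited file can be checked for the mistakes the steps above guard against: a default gateway left on the internal NIC, a gateway outside its interface's subnet, or a static route whose next hop is not reachable on any local subnet. This is an added example, not part of the Pexip documentation or appliance; the function name check_interfaces is hypothetical, and it assumes eth1 is the externally-facing NIC as in the file above.

```python
import ipaddress
# Sample input: the resulting dual-NIC interfaces file shown above.
SAMPLE = """\
auto lo eth0 eth1
iface lo inet loopback

iface eth0 inet static
   address 10.40.0.2
   netmask 255.255.255.0
   dns-nameservers 8.8.8.8 8.8.4.4

iface eth1 inet static
   address 198.51.100.130
   netmask 255.255.255.128
   gateway 198.51.100.129
   dns-nameservers 8.8.8.8 8.8.4.4

post-up route add -net 10.0.50.0 netmask 255.255.255.0 gw 10.40.0.1
"""

def check_interfaces(text, external="eth1"):
    """Return a list of problems found in an ifupdown interfaces file."""
    ifaces, routes, cur = {}, [], None
    for w in (line.split("#")[0].split() for line in text.splitlines()):
        if len(w) >= 2 and w[0] == "iface":
            cur = ifaces.setdefault(w[1], {})
        elif w[:3] == ["post-up", "route", "add"]:
            routes.append(dict(zip(w[3::2], w[4::2])))  # -net/netmask/gw pairs
        elif cur is not None and len(w) == 2 and w[0] in ("address", "netmask", "gateway"):
            cur[w[0]] = w[1]
    nets = {n: ipaddress.ip_interface(f"{c['address']}/{c['netmask']}").network
            for n, c in ifaces.items() if "address" in c and "netmask" in c}
    problems = []
    for name, cfg in ifaces.items():
        gw = cfg.get("gateway")
        if gw and name != external:
            problems.append(f"{name}: default gateway on non-external interface")
        if gw and (name not in nets or ipaddress.ip_address(gw) not in nets[name]):
            problems.append(f"{name}: gateway {gw} is outside {nets.get(name)}")
    if "gateway" not in ifaces.get(external, {}):
        problems.append(f"{external}: no default gateway")
    for r in routes:
        gw = r.get("gw")
        if gw and not any(ipaddress.ip_address(gw) in n for n in nets.values()):
            problems.append(f"route {r['-net']}: gw {gw} not on any local subnet")
    return problems

print(check_interfaces(SAMPLE) or "no problems found")
```

To check the live file, pass the contents of /etc/network/interfaces to check_interfaces instead of SAMPLE.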

After the configuration has been changed and saved, the following command will make the changes take effect:

sudo service networking restart

Alternatively, you can reboot the Reverse Proxy and TURN Server appliance with the command sudo reboot.

TURN server

If the reverse proxy and TURN applications co-exist on the same virtual machine, you must also edit the TURN server configuration file to specify the external IP address.

Run the following command to edit the TURN server configuration file:

sudo nano /etc/turnserver.conf

Change the line that begins relay-ip= to specify the external IP address, e.g. relay-ip=198.51.100.130.

After editing the file, run the following command to make the configuration change take effect:

sudo service rfc5766-turn-server restart

Note that this will interrupt any existing TURN sessions (e.g. any WebRTC or Lync / Skype for Business calls going via the TURN server), so these changes should be performed during a maintenance window outside normal operating hours.

Changing the TURN server's access credentials

To set new access credentials for the TURN server, run the following command:

sudo turnadmin -k -a -b /etc/turnuserdb.conf -u <username> -r <realm> -p <password>

where <username> and <password> are the credentials to be applied, and <realm> is the domain of your deployment.

You can check the realm in use in your deployment by looking at your TURN server configuration file (by running cat /etc/turnserver.conf) and checking the realm= line.

If you change the credentials, remember to update the TURN server configuration on Pexip Infinity (Call control > TURN servers).

Enabling LDAP/AD authentication on the reverse proxy

The reverse proxy supports remote LDAP/AD authentication, meaning that the Infinity Connect Mobile client will have to be configured with a username and password (in Connection Settings) to allow it to communicate with the reverse proxy.

If you intend to use this feature, please contact your Pexip authorized support representative for assistance.