Network deployment options

If you need to support business-to-business video calls and provide access to Pexip Infinity resources from external systems and endpoints such as remote or federated Lync / Skype for Business clients, remote SIP and H.323 endpoints, and Infinity Connect clients, you need to consider how to deploy your Pexip Infinity Conferencing Nodes.

This section explains how the Pexip Infinity platform fits into typical network deployment scenarios:

  • a private "on-premises" deployment of privately-addressed Pexip Infinity nodes
  • a public DMZ deployment with publicly-addressable Pexip Infinity nodes (with optional static NAT)
  • a combination of public DMZ and "on-premises" nodes.

The Pexip Infinity platform can also be deployed as a cloud service via Amazon Web Services (AWS) or Microsoft Azure, with private, public or hybrid deployment options.

General network requirements

Note that in all Pexip Infinity deployment scenarios:

  • All Pexip nodes must be fully routable to each other (full mesh) in both directions. This means that the Management Node must be able to reach every Conferencing Node, and each Conferencing Node must be able to reach every other Conferencing Node.
  • Any internal firewalls must be configured to allow UDP port 500 and traffic using IP protocol 50 (ESP) in both directions between all Pexip nodes.
  • There cannot be a NAT between any Pexip nodes.
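The three requirements above can be checked against a firewall policy before deployment. The following is an added example, not part of the Pexip documentation or product: the zone names, node names, addresses and rule format are constructed for illustration, and it assumes that nodes in the same zone do not cross a firewall.

```python
from ipaddress import ip_address, ip_network
from itertools import permutations

# Constructed sample data: names, zones and addresses are illustrative only.
ZONES = {"lan": ip_network("10.0.0.0/24"), "dmz": ip_network("198.51.100.0/24")}
NODES = {"mgmt": "10.0.0.10", "conf-lan": "10.0.0.21", "conf-dmz": "198.51.100.21"}

# Constructed firewall policy: (source zone, destination zone, protocol, port, NAT applied)
RULES = [
    ("lan", "dmz", "udp", 500, False),
    ("lan", "dmz", "esp", None, False),
    ("dmz", "lan", "udp", 500, False),
    # No ESP rule from dmz to lan: the return direction is incomplete.
]

# Flows the page requires between all nodes: UDP port 500 and IP protocol 50 (ESP).
REQUIRED = [("udp", 500), ("esp", None)]


def zone_of(addr):
    """Return the name of the zone whose network contains addr."""
    for name, net in ZONES.items():
        if ip_address(addr) in net:
            return name
    raise ValueError(f"{addr} is not in any known zone")


def audit(nodes, rules):
    """Check every ordered node pair (full mesh, both directions)."""
    findings = []
    for src, dst in permutations(nodes, 2):
        src_zone, dst_zone = zone_of(nodes[src]), zone_of(nodes[dst])
        if src_zone == dst_zone:
            continue  # assumption: same zone means no firewall on the path
        for proto, port in REQUIRED:
            label = f"{proto}/{port}" if port else proto
            hits = [r for r in rules if r[:4] == (src_zone, dst_zone, proto, port)]
            if not hits:
                findings.append((src, dst, f"{label} not allowed"))
            elif any(r[4] for r in hits):
                findings.append((src, dst, f"{label} crosses NAT"))
    return findings


if __name__ == "__main__":
    for src, dst, problem in audit(NODES, RULES):
        print(f"{src} -> {dst}: {problem}")
```

With the sample policy, the audit reports that ESP is not allowed from the DMZ node back to either node on the LAN, which is the kind of one-directional gap the "both directions" requirement rules out.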

For information about using the Pexip Reverse Proxy and TURN Server and how to configure your specific call management system to work with Pexip Infinity, see Integrating Pexip Infinity with other systems.

Privately-addressed "on-premises" nodes

A typical "on-premises" deployment of privately-addressed Pexip Infinity nodes is shown below:

Figure: Privately-addressed Pexip Infinity nodes

In this type of deployment:

  • The Management Node and the Conferencing Nodes are deployed with private IP addresses in the local enterprise network.
  • External SIP and H.323 endpoints and other forms of business-to-business video calls connect via a firewall traversal / video call control solution such as a Cisco VCS.
  • External Lync / Skype for Business clients connect to Pexip Infinity via a Lync / Skype for Business Edge server and media is routed through a TURN server. For Lync / Skype for Business communications, a separate STUN server is required if the TURN server is behind the same NAT device as your Conferencing Nodes.
  • Infinity Connect WebRTC clients connect via a reverse proxy and route their media through a TURN server. (Note that RTMP clients cannot establish audio/video media paths with Pexip Infinity via a TURN server.)
  • The external firewall can optionally be a NAT device.

Publicly-addressed DMZ nodes

A typical deployment of publicly-routable Pexip Infinity nodes is shown below:

Figure: Pexip Infinity nodes in a public DMZ (with optional static NAT)

In this type of deployment:

  • One or more Conferencing Nodes are deployed in a public DMZ. They have publicly-reachable IP addresses — either directly or via static NAT.
  • External SIP and H.323 endpoints and other forms of business-to-business video calls can connect directly to the public-facing IP addresses of the Conferencing Nodes.
  • External Lync / Skype for Business clients connect to Pexip Infinity and media can be routed directly through the public-facing IP addresses of the Conferencing Nodes (an on-premises Lync / Skype for Business server is not needed). As Conferencing Nodes support ICE, a TURN server is not required.
  • Infinity Connect clients can connect to Pexip Infinity and media can be routed directly to the Conferencing Nodes. You can optionally deploy a reverse proxy for load balancing or branding.
  • Note that the Management Node will typically be deployed with a private IP address in the local enterprise network. You must ensure that there is no NAT between the Management Node and the Conferencing Nodes in the DMZ.

For more information about how to configure Conferencing Nodes that are deployed behind a static NAT device, see Configuring Pexip Infinity for public DMZ deployments.

Combining public DMZ and privately-addressed nodes

Depending on your requirements, aspects of the privately-addressed and public DMZ scenarios can be combined. For example, as shown below, you may want to:

  • deploy some publicly-accessible Pexip Infinity nodes for external Lync / Skype for Business and Infinity Connect client access
  • deploy some privately-accessible nodes and route external SIP and H.323 endpoints and other forms of business-to-business video calls to them via a video call control solution.

Figure: Public and privately-addressed Conferencing Nodes

In this example deployment:

  • One or more Conferencing Nodes are deployed in a public DMZ. They have publicly-reachable IP addresses — either directly or via static NAT.
  • Additional Conferencing Nodes are deployed with private IP addresses in the local enterprise network. They must be assigned to a different system location than the publicly-addressable nodes.
  • External SIP and H.323 endpoints and other forms of business-to-business video calls are routed via a video call control solution such as a Cisco VCS. Alternatively, SIP and H.323 endpoints can register to Conferencing Nodes in the DMZ and route their calls through those nodes.
  • External Lync / Skype for Business clients connect to Pexip Infinity and media can be routed directly through the public-facing IP addresses of the Conferencing Nodes (an on-premises Lync / Skype for Business server is not needed). As Conferencing Nodes support ICE, a TURN server is also not required.
  • Infinity Connect clients can connect to Pexip Infinity and media can be routed directly to the Conferencing Nodes. You can optionally still deploy a reverse proxy for load balancing or branding.
  • Geo backplanes are established between the privately-addressed nodes and the publicly-addressed nodes as and when required. Note that there cannot be a NAT between Pexip Infinity nodes (any nodes in the local enterprise network and the nodes in the DMZ).
  • Static routing configuration may be required to allow those nodes in the public DMZ to communicate with Pexip Infinity nodes or other systems in the local enterprise network.

For more information about how to configure Conferencing Nodes that are deployed behind a static NAT device, and how to set up routing between Conferencing Nodes that are deployed in a local network and in a DMZ, see Configuring Pexip Infinity for public DMZ deployments.

Deploying as a cloud service via Amazon Web Services or Microsoft Azure

The Pexip Infinity platform can be deployed in the Amazon Web Services (AWS) or Microsoft Azure cloud.

There are three main deployment options for your Pexip Infinity platform when using a cloud service:

  • Private cloud: all nodes are deployed within a private cloud service. Private addressing is used for all nodes and connectivity is achieved by configuring a VPN tunnel from the corporate network to the cloud network. As all nodes are private, this is equivalent to an on-premises deployment which is only available to users internal to the organization.
  • Public cloud: all nodes are deployed within the cloud network. All nodes have a private address but, in addition, public IP addresses are allocated to each node. The nodes' private addresses are only used for inter-node communications. Each node's public address is then configured on the relevant node as a static NAT address. Access to the nodes is permitted from the public internet, or a restricted subset of networks, as required. Any systems or endpoints that will send signaling and media traffic to those Pexip Infinity nodes must send that traffic to the public address of those nodes. If you have internal systems or endpoints communicating with those nodes then you must ensure that your local network allows this.
  • Hybrid cloud: the Management Node, and optionally some Conferencing Nodes, are deployed in the corporate network. A VPN tunnel is created from the corporate network to the cloud network. Additional Conferencing Nodes are deployed in the cloud network and are managed from the on-premises Management Node. The cloud-hosted Conferencing Nodes can be either internally-facing, privately-addressed (private cloud) nodes; or externally-facing, publicly-addressed (public cloud) nodes; or a combination of private and public nodes (where the private nodes are in a different Pexip Infinity system location to the public nodes).

See Deploying Pexip Infinity on Amazon Web Services (AWS) and Deploying Pexip Infinity on Microsoft Azure for more information.