Article written by Akash U Dhoot and Shailendra Moyal
TURN Server single node deployment:
Scenario 1
The IBM Sametime TURN Server is deployed into the DMZ. Other media components are deployed on the internal network and do not have any direct connectivity with the TURN Server.
Port/Port Range | Transport | From | To |
3478 | UDP/TCP | Internal Client, External Client | TURN Server |
49152-65535 | UDP | Internal Client | TURN Server |
20830-20930 | UDP | TURN Server | Internal Client |
49152-65535 | UDP | VMCU | TURN Server |
40000 to 49999 UDP (Starting with S9 GA until OpenSSL Security Bulletin released in September 2015); 49152-59151 UDP (Starting with OpenSSL Security Bulletin released in September 2015) | UDP | TURN Server | VMCU |
40000 to 49999 UDP (Starting with S9 GA until OpenSSL Security Bulletin released in September 2015); 49152-59151 UDP (Starting with OpenSSL Security Bulletin released in September 2015) | UDP | Internal Client | VMCU |
20830-20930 | UDP | VMCU | Internal Client |
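The Scenario 1 matrix above can serve as an allow-list when reviewing firewall rules or flow logs. The Python below is an added example, not IBM code: the role names, the `audit` helper and the sample flows are constructed, and the port column is assumed to be the destination port.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    lo: int
    hi: int
    protos: frozenset
    src: frozenset
    dst: str

def scenario1_rules(post_sept_2015: bool = True) -> list:
    """Scenario 1 matrix; the media range toward the VMCU depends on whether
    the September 2015 OpenSSL Security Bulletin level is installed."""
    vmcu = (49152, 59151) if post_sept_2015 else (40000, 49999)
    udp = frozenset({"UDP"})
    internal = frozenset({"internal-client"})
    both = frozenset({"internal-client", "external-client"})
    return [
        Rule(3478, 3478, frozenset({"UDP", "TCP"}), both, "turn"),
        Rule(49152, 65535, udp, internal, "turn"),
        Rule(20830, 20930, udp, frozenset({"turn"}), "internal-client"),
        Rule(49152, 65535, udp, frozenset({"vmcu"}), "turn"),
        Rule(*vmcu, udp, frozenset({"turn"}), "vmcu"),
        Rule(*vmcu, udp, internal, "vmcu"),
        Rule(20830, 20930, udp, frozenset({"vmcu"}), "internal-client"),
    ]

def audit(flows, rules):
    """Return the flows that no row of the matrix permits."""
    def permitted(flow):
        src, dst, proto, port = flow
        return any(r.lo <= port <= r.hi and proto in r.protos
                   and src in r.src and dst == r.dst for r in rules)
    return [f for f in flows if not permitted(f)]

# Constructed sample flows: (source role, destination role, transport, dst port)
SAMPLE_FLOWS = [
    ("external-client", "turn", "TCP", 3478),
    ("internal-client", "turn", "UDP", 50000),
    ("turn", "vmcu", "UDP", 45000),             # pre-bulletin media range
    ("turn", "vmcu", "UDP", 55000),
    ("external-client", "vmcu", "UDP", 49152),  # bypasses the TURN Server
    ("turn", "internal-client", "TCP", 20830),  # wrong transport
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS, scenario1_rules(post_sept_2015=True)):
        print("not in matrix:", flow)
```

Running the audit with `post_sept_2015=False` shows which rules still assume the older 40000 to 49999 range.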
General Configuration
The TURN Server has one interface.
No changes are required to the TurnServer.properties file.
The TURN Server has multiple interfaces (Private and Public):
turn.local.hostname.ipv4=turn public interface ip
turn.allocation.hostname.ipv4=turn private interface ip
Note: If internal clients are in the same subnet, it is not necessary for the clients to connect to the TURN Server. To achieve this configuration, the TURN Server implements split-horizon DNS so that the internal client resolves the TURN Server host name to 0.0.0.0 and the external client resolves the TURN Server host name to the public IP.
Scenario 2
The TURN Server is deployed into the DMZ. Other media components are also deployed on the DMZ network and do have direct connectivity with the TURN Server.
Ports Configuration
Port/Port Range | Transport | From | To |
3478 | UDP/TCP | Internal Client, External Client | Internal Client |
49152-65535 | UDP | Internal Client | TURN Server |
20830-20930 | UDP | TURN Server | Internal Client |
49152-65535 | UDP | VMCU | TURN Server |
40000 to 49999 UDP (Starting with S9 GA until OpenSSL Security Bulletin released in September 2015); 49152-59151 UDP (Starting with OpenSSL Security Bulletin released in September 2015) | UDP | TURN Server | VMCU |
40000 to 49999 UDP (Starting with S9 GA until OpenSSL Security Bulletin released in September 2015); 49152-59151 UDP (Starting with OpenSSL Security Bulletin released in September 2015) | UDP | Internal Client | VMCU |
20830-20930 | UDP | VMCU | Internal Client |
General Configuration
The TURN Server has one interface.
No changes are required in the TurnServer.properties file.
The TURN Server has multiple interfaces (Private and Public):
turn.local.hostname.ipv4=turn public interface ip
turn.allocation.hostname.ipv4=turn private interface ip
Note: If internal clients are in the same subnet, it is not necessary for the clients to connect to the TURN Server. To achieve this configuration, the TURN Server implements split-horizon DNS so that the internal client resolves the TURN host name to 0.0.0.0 and the external client resolves the TURN Server host name to a public IP.
TURN Server cluster deployment
There are two TURN Server cluster deployments discussed here:
1. Setting up the TURN Server cluster deployment using the IBM Load-Balancer. For more information, see this procedure:
2. Setting up the TURN Server cluster deployment using the Big IP F5 Load-Balancer. For more information, see Case 1 in this article.
Case 1: TURN Server Fronted by F5 Load-Balancer
1. The Sametime TURN Server needs an internal IP address assigned. Configure these properties in the TurnServer.properties file:
turn.local.hostname.ipv4=TURN_Server_NIC_Internal_IP_Addr
turn.allocation.hostname.ipv4=TURN_Server_NIC_Internal_IP_Addr
2. Create two virtual hosts on the Big IP (F5) for UDP-3478 and TCP-3478.
3. Ensure the virtual hosts have a server pool defined which has all of the TURN Server nodes added as pool members. The TURN Server pool members connect to the TURN NIC internal interface.
4. Ensure that the same client connection always connects to the same TURN Server member. This requires a persistence rule to be applied on the TURN Server virtual host. Complete these steps:
- Log in to F5 admin console.
- Navigate to Local Traffic -- Virtual Servers -- Virtual Server List.
- Search for the TURN Server virtual host and click the link.
- In the Resources section, in Default Persistence Profile, select source_addr.
- Click Update.
The F5 Virtual Host allocated for the TURN Server must have a Public IP assigned and be accessible from the client computer.
Port Configuration
Port/Port Range | Transport | From | To |
3478 | UDP/TCP | Internal Client, External Client | TURN Server F5 VH |
49152-65535 | UDP | Internal Client | TURN Server Internal IP |
20830-20930 | UDP | TURN Server Internal IP | Internal Client |
49152-65535 | UDP | VMCU | TURN Server Internal IP |
40000 to 49999 UDP (Starting with S9 GA until OpenSSL Security Bulletin released in September 2015); 49152-59151 UDP (Starting with OpenSSL Security Bulletin released in September 2015) | UDP | TURN Server Internal IP | VMCU |
40000 to 49999 UDP (Starting with S9 GA until OpenSSL Security Bulletin released in September 2015); 49152-59151 UDP (Starting with OpenSSL Security Bulletin released in September 2015) | UDP | Internal Client | VMCU |
20830-20930 | UDP | VMCU | Internal Client |
Case 2: External (Public) address available for TURN Server nodes
The Sametime TURN Server needs two network interface cards: NIC-Public and NIC-Internal.
1. Configure these properties in the TurnServer.properties file:
turn.local.hostname.ipv4=TURN_Server_NIC_Public_IP_Addr
turn.allocation.hostname.ipv4=TURN_Server_NIC_Internal_IP_Addr
turn.loopback.hostname.ipv4=TURN_Server_NIC_Internal_IP_Addr
turn.redirect.hostname.ipv4=TURN_Server_NIC_Public_IP_Addr
2. Create two virtual hosts on the Big IP (F5) for UDP-3478 and TCP-3478.
3. Ensure that the virtual host (VH1) has a pool defined with all TURN Server nodes added as pool members. All TURN server pool members connect to the TURN NIC internal interface.
4. Ensure that the virtual host and all TURN Server nodes have a Public IP assigned and are accessible from the client computer.
Port Configuration
Port/Port Range | Transport | From | To |
3478 | UDP / TCP | Internal Client, External Client | TURN Server nodes and TURN F5 VH |
49152-65535 | UDP | Internal Client | TURN Server Internal IP |
20830-20930 | UDP | TURN Server Internal IP | Internal Client |
49152-65535 | UDP | VMCU | TURN Server Internal IP |
40000 to 49999 UDP (Starting with S9 GA until OpenSSL Security Bulletin released in September 2015); 49152-59151 UDP (Starting with OpenSSL Security Bulletin released in September 2015) | UDP | TURN Server Internal IP | VMCU |
40000 to 49999 UDP (Starting with S9 GA until OpenSSL Security Bulletin released in September 2015); 49152-59151 UDP (Starting with OpenSSL Security Bulletin released in September 2015) | UDP | Internal Client | VMCU |
20830-20930 | UDP | VMCU | Internal Client |
Case 3: External address not available for TURN Server
1. The TURN Server should have two network interface cards: NIC-1 and NIC-2. Configure the following properties in the TurnServer.properties file:
turn.local.hostname.ipv4=TURN_Server_NIC_1_IP_Addr
turn.allocation.hostname.ipv4=TURN_Server_NIC_1_IP_Addr
turn.loopback.hostname.ipv4=TURN_Server_NIC_2_IP_Addr
turn.redirect.hostname.ipv4=TURN_Server_F5_Virtual_Host_Dedicated_To_This_Node
2. Create N+1 virtual hosts on the Big IP F5, where N is the number of TURN Server nodes.
3. Ensure that one virtual host (VH1) has a server pool defined which has all TURN Server nodes added as pool members. The TURN Server pool members connect to TURN NIC-2.
4. Ensure that each of the other virtual hosts has its own pool with a one-to-one mapping to a TURN Server node, and that those pool members connect to the TURN Server's NIC-1.
5. Ensure that all N+1 virtual hosts have a Public IP assigned and are accessible from the client computer.
Port Configuration:
Port/Port Range | Transport | From | To |
3478 | UDP/TCP | Internal Client, External Client | All N+1 TURN Server F5 VH |
49152-65535 | UDP | Internal Client | TURN Server Internal IP |
20830-20930 | UDP | TURN Server Internal IP | Internal Client |
49152-65535 | UDP | VMCU | TURN Server Internal IP |
40000 to 49999 UDP (Starting with S9 GA until OpenSSL Security Bulletin released in September 2015); 49152-59151 UDP (Starting with OpenSSL Security Bulletin released in September 2015) | UDP | TURN Server Internal IP | VMCU |
40000 to 49999 UDP (Starting with S9 GA until OpenSSL Security Bulletin released in September 2015); 49152-59151 UDP (Starting with OpenSSL Security Bulletin released in September 2015) | UDP | Internal Client | VMCU |
20830-20930 | UDP | VMCU | Internal Client |
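The TurnServer.properties settings in Cases 1 to 3 differ only in which interface each property is bound to, so a node configured for the wrong case is easy to miss. The Python below is an added example, not IBM code: the `CASES` relations are inferred from the placeholders in each case, and the sample file and its addresses are constructed.

```python
KEYS = {k: f"turn.{k}.hostname.ipv4"
        for k in ("local", "allocation", "loopback", "redirect")}

# Relations read off the placeholders in each case (an inference, not IBM's rules):
# "same" pairs share one address, "differ" pairs sit on different addresses.
CASES = {
    1: {"same": [("local", "allocation")], "differ": []},
    2: {"same": [("local", "redirect"), ("allocation", "loopback")],
        "differ": [("local", "allocation")]},
    3: {"same": [("local", "allocation")],
        "differ": [("local", "loopback"), ("redirect", "local"),
                   ("redirect", "loopback")]},
}

def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#'/'!' comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def check_case(text, case):
    """Return a list of findings; an empty list means the bindings fit the case."""
    props, spec = parse_properties(text), CASES[case]
    needed = sorted({n for pair in spec["same"] + spec["differ"] for n in pair})
    missing = [f"{KEYS[n]} is missing or empty" for n in needed
               if not props.get(KEYS[n])]
    if missing:
        return missing
    findings = [f"{KEYS[a]} and {KEYS[b]} must match"
                for a, b in spec["same"] if props[KEYS[a]] != props[KEYS[b]]]
    findings += [f"{KEYS[a]} and {KEYS[b]} must differ"
                 for a, b in spec["differ"] if props[KEYS[a]] == props[KEYS[b]]]
    return findings

# Constructed Case 2 sample: allocation was bound to the public NIC by mistake.
SAMPLE_CASE2 = """\
turn.local.hostname.ipv4=203.0.113.10
turn.allocation.hostname.ipv4=203.0.113.10
turn.loopback.hostname.ipv4=10.0.0.10
turn.redirect.hostname.ipv4=203.0.113.10
"""

if __name__ == "__main__":
    print("\n".join(check_case(SAMPLE_CASE2, 2)))
```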