WebRTC Assumptions and Scenarios

The implementation described in this guide assumes, and recommends, the following about the environment and nature of the Polycom WebRTC solution deployment:
  • The RealPresence Access Director system is used as the STUN/TURN server, with the following characteristics:
    • It is deployed in the Demilitarized Zone (DMZ).
    • Its STUN/TURN service is homed on a single publicly reachable interface.
    • The interface typically has an internal/private IP address that is mapped to an external/public address on the firewall using a static NAT mapping.
    • The NAT must be set to a special mode that preserves the source IP address of packets sent to the RealPresence Access Director system external address.
  • WebRTC ICE clients are given the public address of the RealPresence Access Director system STUN/TURN server.
  • Firewall rules block inbound UDP traffic and may also disallow outbound UDP traffic except through the RealPresence Access Director system.
    • If outbound UDP is allowed from internal IP addresses to any external address over a wide range of ports, then media streams between internal and external devices typically use server reflexive candidates determined using STUN. This can reduce the load on the TURN server (the RealPresence Access Director system), but it limits your organization's ability to control and monitor internal-to-external media flows.

      Exception: If both the local firewall and remote firewall are symmetric NATs, which are not STUN-compatible, the clients must use a TURN relay candidate.

    • If outbound UDP traffic is blocked, then internal UDP connections are allowed only to the RealPresence Access Director system public TURN server IP address on UDP port 3478. In this case, media streams between internal and external devices always use a TURN relay candidate allocated by the internal client (mesh calls) or the MCU (bridge calls).
    • In either case, external UDP connections are allowed only to the RealPresence Access Director system public IP address on port 3478 or a port in the TURN relay range defined in the RealPresence Access Director system.

      Media streams for external-to-external mesh calls use host candidates, server reflexive candidates, or relay candidates depending on the NAT/firewall situation of each endpoint.

  • To protect against a malicious intrusion or DoS attempt that uses the TURN server as an attack vector or proxy, firewall rules must block inbound access from the RealPresence Access Director system TURN relay range into the organizational network.
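The firewall policy these assumptions describe (outbound UDP only to the STUN/TURN listener, external UDP only to the listener or the relay range, and nothing from the relay range into the organizational network), written out as an nftables forward-chain ruleset for the "outbound UDP blocked" case. This is an added illustration, not configuration from the Polycom guide; the public address, internal prefix and relay port range are placeholders that must be replaced with the values configured on the RealPresence Access Director system.

```nftables
# Placeholder values (assumed, not from the guide): replace with your deployment's values.
define rpad_public     = 203.0.113.10      # external address statically NATed to the RPAD STUN/TURN interface
define internal_net    = 10.0.0.0/8        # organizational network behind the firewall
define turn_relay_ports = 49152-65535      # TURN relay range configured on the RPAD

table inet webrtc_edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows that were already permitted below.
        ct state established,related accept

        # Relay-range traffic must never reach the organizational network, even as a
        # "reply": this rule sits before the client rule so it cannot be bypassed.
        ip saddr $rpad_public udp sport $turn_relay_ports ip daddr $internal_net drop

        # Internal clients may open UDP only to the RPAD STUN/TURN listener on 3478.
        # All other outbound UDP falls through to the drop policy.
        ip saddr $internal_net ip daddr $rpad_public udp dport 3478 accept

        # External peers may reach the RPAD only on 3478 or on an allocated relay port.
        ip saddr != $internal_net ip daddr $rpad_public udp dport 3478 accept
        ip saddr != $internal_net ip daddr $rpad_public udp dport $turn_relay_ports accept

        # Every other inbound UDP flow (including direct peer-to-peer attempts that
        # would yield server reflexive candidates) is blocked by the chain policy.
    }
}
```

The "source IP preserving" NAT mode the guide requires is a property of the static NAT mapping itself and is not expressed here; without it the RPAD cannot see the real client addresses that STUN reports back.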