Firewall Traversal

TANDBERG VIDEO COMMUNICATION SERVER ADMINISTRATOR GUIDE

About STUN

STUN is a network protocol that enables a SIP or H.323 client to communicate via UDP or TCP from behind a NAT firewall.

The VCS Border Controller can be configured to provide two types of STUN services to traversal clients. These services are STUN Binding Discovery and STUN Relay.

For detailed information on the base STUN protocol and the Binding Discovery service, refer to “Session Traversal Utilities for NAT (STUN)” [11].

For detailed information on the STUN Relay service, refer to “Obtaining Relay Addresses from Simple Traversal Underneath NAT (STUN)” [12].

STUN Services

STUN Binding Discovery

The STUN Binding Discovery service provides information back to the client about the binding allocated by the NAT firewall being traversed.

How it works

A client behind a NAT firewall sends a STUN discovery request via the firewall to the VCS Border Controller, which has been configured as a STUN discovery server. Upon receipt of the message, the VCS Border Controller responds to the client with information about the allocated NAT binding, i.e. the public IP address and the ports being used.

The client can then provide this information to other systems which may want to reach it, allowing it to be found even though it is not directly available on the public internet.

STUN Relay

The STUN Relay service (formerly known as TURN) allows a client to ask for data to be relayed to it from specific remote peers via the relay server and through a single connection between the client and the relay server.

How it works

A client behind a NAT firewall sends a STUN Allocate request to the VCS Border Controller which is acting as the STUN relay server. The sending of this request opens a binding on the firewall. Upon receipt of the request, the VCS Border Controller opens a public IP port on behalf of the client, and reports back to the client this IP address and port, as well as details of the firewall binding. The client can then provide this IP address and port to other systems which may want to reach it.
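The two exchanges described above (a Binding Request answered with the NAT's public mapping, and an Allocate Request answered with a relayed address plus the firewall binding) share one message format, so the following added example, which is not code from the TANDBERG guide or the VCS product, encodes and decodes both in Python. It assumes the STUN wire format of RFC 5389 (20-byte header with magic cookie and transaction ID, 4-byte-aligned attributes, XOR-MAPPED-ADDRESS) and the Allocate method and XOR-RELAYED-ADDRESS attribute codes from RFC 5766, which post-date the draft the guide cites; the server replies are constructed here rather than captured from a VCS. The transaction-ID and magic-cookie checks in `parse_response` are what stop a client from accepting a stray or spoofed reply as its own NAT mapping.

```python
"""Build STUN Binding / Allocate requests and decode the replies.
Added example (RFC 5389 / RFC 5766 formats assumed); sample replies are constructed."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_RESPONSE = 0x0001, 0x0101
ALLOCATE_REQUEST, ALLOCATE_RESPONSE = 0x0003, 0x0103   # STUN Relay (TURN) Allocate, RFC 5766
ATTR_XOR_MAPPED_ADDRESS = 0x0020                       # NAT binding seen by the server
ATTR_XOR_RELAYED_ADDRESS = 0x0016                      # public port the relay opened for the client

HEADER = "!HHI12s"   # type, body length, magic cookie, 96-bit transaction ID


def build_request(msg_type, txn_id=None):
    """Request with no attributes; returns (bytes, transaction_id)."""
    txn_id = txn_id or os.urandom(12)          # random ID ties replies to this request
    return struct.pack(HEADER, msg_type, 0, MAGIC_COOKIE, txn_id), txn_id


def build_response(msg_type, txn_id, attrs):
    """attrs: list of (attribute_type, value_bytes); each value is padded to 4 bytes."""
    body = b""
    for atype, value in attrs:
        body += struct.pack("!HH", atype, len(value)) + value + b"\x00" * (-len(value) % 4)
    return struct.pack(HEADER, msg_type, len(body), MAGIC_COOKIE, txn_id) + body


def encode_xor_address(ip, port):
    """IPv4 XOR-*-ADDRESS value: family 0x01, port and address XORed with the magic cookie."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    return struct.pack("!BBHI", 0, 0x01, xport, xaddr)


def decode_xor_address(value):
    """Undo the XOR; returns (ip, port). IPv4 only in this example."""
    if len(value) < 8 or value[1] != 0x01:
        raise ValueError("unsupported or truncated address attribute")
    xport, xaddr = struct.unpack("!HI", value[2:8])
    return socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE)), xport ^ (MAGIC_COOKIE >> 16)


def parse_response(data, expected_txn_id):
    """Validate the header and return (msg_type, {attribute_type: value}).
    Replies with the wrong cookie or transaction ID are rejected, not trusted."""
    if len(data) < 20:
        raise ValueError("short message")
    msg_type, length, cookie, txn_id = struct.unpack(HEADER, data[:20])
    if cookie != MAGIC_COOKIE or txn_id != expected_txn_id:
        raise ValueError("not a response to our request")
    if len(data) != 20 + length:
        raise ValueError("length field does not match message size")
    attrs, pos = {}, 20
    while pos + 4 <= len(data):
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype in (ATTR_XOR_MAPPED_ADDRESS, ATTR_XOR_RELAYED_ADDRESS):
            attrs[atype] = decode_xor_address(value)
        else:
            attrs[atype] = value                 # unknown attributes kept raw
        pos += 4 + alen + (-alen % 4)            # skip padding
    return msg_type, attrs


def binding_discovery_demo():
    """Binding Discovery: learn the public IP:port the NAT allocated to us."""
    _req, txn = build_request(BINDING_REQUEST)
    # Constructed reply: the NAT mapped the client to 203.0.113.7:40000
    resp = build_response(BINDING_RESPONSE, txn,
                          [(ATTR_XOR_MAPPED_ADDRESS, encode_xor_address("203.0.113.7", 40000))])
    _mtype, attrs = parse_response(resp, txn)
    return attrs[ATTR_XOR_MAPPED_ADDRESS]


def relay_allocate_demo():
    """STUN Relay: learn the relayed public port plus our own NAT binding."""
    _req, txn = build_request(ALLOCATE_REQUEST)
    # Constructed reply: relay opened 198.51.100.20:50000; NAT binding is 203.0.113.7:40001
    resp = build_response(ALLOCATE_RESPONSE, txn, [
        (ATTR_XOR_RELAYED_ADDRESS, encode_xor_address("198.51.100.20", 50000)),
        (ATTR_XOR_MAPPED_ADDRESS, encode_xor_address("203.0.113.7", 40001))])
    _mtype, attrs = parse_response(resp, txn)
    return attrs[ATTR_XOR_RELAYED_ADDRESS], attrs[ATTR_XOR_MAPPED_ADDRESS]


if __name__ == "__main__":
    print("public NAT binding:", binding_discovery_demo())
    print("relayed address, NAT binding:", relay_allocate_demo())
```

The relayed address is what the client hands to remote peers, while the mapped address is the firewall binding that the relay itself will use to reach the client; keeping the two apart matters when reading STUN traffic in a capture.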

About ICE

Currently, the most likely users of STUN services are ICE endpoints.

ICE (Interactive Connectivity Establishment) is a collaborative algorithm that works together with STUN services (and other NAT traversal techniques) to allow clients to achieve firewall traversal. The individual techniques on their own may allow traversal in certain network topologies but not others. Also, some techniques may be less efficient than others, involving extra hops (e.g. STUN Relay).

ICE involves the collecting of potential (candidate) points of contact (IP address and port combination) via each of the traversal techniques, the verification of peer-to-peer connectivity via each of these points of contact and then the selection of the “best” successful candidate point of contact to use.

The endpoint will only be reachable if the firewall has the Endpoint-Independent Mapping behavior as described in RFC 4787 [13].

The client can restrict the remote address and ports from which the relay should forward on media. Any incoming calls to this IP address and port on the VCS server are relayed via the allocated binding on the NAT to the client.
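The candidate-gathering and selection step described in the ICE paragraph, and the Endpoint-Independent Mapping condition above, can be shown with a small added example (Python, not from the TANDBERG guide). It uses the candidate priority formula and the recommended type preferences from the ICE specification (RFC 5245: host 126, server-reflexive 100, relayed 0), and the connectivity-check outcomes for the three candidates are constructed: a private host address is never reachable from the public internet, the server-reflexive address learned via Binding Discovery only works when the NAT has Endpoint-Independent Mapping, and the relayed address always works but costs an extra hop.

```python
"""ICE-style candidate priority and selection. Added example; the candidate list and
connectivity-check outcomes are constructed, the priority formula is RFC 5245's."""
TYPE_PREF = {"host": 126, "srflx": 100, "relay": 0}   # recommended type preferences


def candidate_priority(ctype, local_pref=65535, component=1):
    """RFC 5245 section 4.1.2.1: priority = 2^24*type + 2^8*local + (256 - component)."""
    return (2 ** 24) * TYPE_PREF[ctype] + (2 ** 8) * local_pref + (256 - component)


def select_candidate(candidates, reachable):
    """candidates: list of (type, ip, port) gathered via host/STUN/relay.
    reachable: set of (ip, port) that passed a peer connectivity check.
    Returns the highest-priority working candidate, or None."""
    working = [c for c in candidates if (c[1], c[2]) in reachable]
    if not working:
        return None
    return max(working, key=lambda c: candidate_priority(c[0]))


def gather_candidates():
    """Constructed candidates: local host address, NAT mapping from Binding Discovery,
    and the public port allocated by the STUN Relay."""
    return [
        ("host", "192.168.1.10", 5004),
        ("srflx", "203.0.113.7", 40000),
        ("relay", "198.51.100.20", 50000),
    ]


def demo(nat_is_endpoint_independent):
    """Simulated connectivity checks from a remote public peer."""
    reachable = {("198.51.100.20", 50000)}          # relayed path always answers
    if nat_is_endpoint_independent:                   # RFC 4787 EIM: mapping reusable by other peers
        reachable.add(("203.0.113.7", 40000))
    # the private host address never answers a check from the public internet
    return select_candidate(gather_candidates(), reachable)


if __name__ == "__main__":
    print("EIM NAT   ->", demo(True))    # direct path via the NAT binding
    print("other NAT ->", demo(False))   # falls back to the relay
```

Reading the result is straightforward: an endpoint behind an Endpoint-Independent Mapping NAT ends up on the cheaper server-reflexive path, while one behind a stricter NAT is only reachable through the VCS Border Controller's relay, which is why relay capacity and the relay's address restrictions matter for that population of clients.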


D 14049.01    107    07.2007