Extending audio and video to external clients and mobile users

External clients and mobile clients can use peer-to-peer audio and video chat, as well as multi-person audio and video conferencing in IBM® Sametime® meetings. Check the Sametime System Requirements for hardware, CPUs, and RAM for audio and video for external clients.

To provide external clients with access to audio and video features, you need to deploy two specialized servers:
  • IBM Sametime TURN Server, which enables communications from external clients to traverse a network address translator (NAT).
  • IBM SIP Edge Proxy Server, which enables external clients to traverse the external firewall, and provides SIP registration for those clients.

Sametime TURN Server

If there is no firewall or NAT between two clients (for example, two internal users on the same intranet), they can communicate directly using peer-to-peer chat. Otherwise, a Sametime TURN Server is necessary for traversing the firewall or NAT.

Network considerations
  • Port 3478 must be open to all clients, using TCP for internal clients and UDP for external clients.
  • RTP ports must be open between the TURN Server and the Video MCU component of the Sametime Media Manager.

Deployment

The Sametime TURN Server can be installed on its own computer or on a computer shared with another service. For high availability, deploy multiple TURN Servers behind a load balancer.

IBM SIP Edge Proxy Server

The IBM SIP Edge Proxy Server connects external clients to the SIP Proxy/Registrar component of the Sametime Media Manager. The SIP Edge Proxy Server is a specialized version of the SIP Proxy/Registrar, and is hosted in the DMZ to enable secure communications between internal and external clients. External clients attend an audio/video conference by connecting to the SIP Edge Proxy Server, which then connects to the SIP Proxy/Registrar over the SIP/SIPS ports.

Network considerations
  • Both external and internal clients receive a host name for the SIP Proxy/Registrar:
    • For internal clients, this host name should resolve to the IP address of the SIP Proxy/Registrar deployed in the intranet, enabling internal clients to connect directly.
    • For external clients, the host name should resolve to the IP address of the SIP Edge Proxy Server deployed in the DMZ.

    You can use a split-horizon DNS to provide different host names to clients based on the source address of the DNS request.

  • The host names for the SIP Proxy/Registrar, Conference Manager, Video MCU, and Sametime Community Server must be all different.
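The split-horizon DNS arrangement described above, as an added example that is not part of the IBM documentation: a BIND `named.conf` excerpt with two views, so that the single host name handed to clients resolves to the intranet SIP Proxy/Registrar for internal clients and to the DMZ SIP Edge Proxy Server for everyone else. The zone `example.com`, the host name `sip.example.com`, the addresses `10.0.1.20` (intranet SIP Proxy/Registrar) and `198.51.100.20` (DMZ SIP Edge Proxy Server), the intranet ACL ranges and the zone file paths are all assumptions of this example.

```bind
// Added example, not from the IBM documentation. All names and addresses are assumed.
// Source address of the query selects the view; the first matching view wins.
acl "intranet" { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };

view "internal" {
    match-clients { "intranet"; };
    recursion yes;
    zone "example.com" {
        type master;
        // Contains:  sip  IN A 10.0.1.20   ; SIP Proxy/Registrar in the intranet
        file "/etc/bind/db.example.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;   // an Internet-facing authoritative view should not recurse
    zone "example.com" {
        type master;
        // Contains:  sip  IN A 198.51.100.20   ; SIP Edge Proxy Server in the DMZ
        file "/etc/bind/db.example.com.external";
    };
};
```

Keep the two zone files otherwise identical so that only the `sip` record differs, and give the Conference Manager, Video MCU and Community Server their own distinct names in both files, as the deployment rules above require. Verify the split from both sides (`dig @<server> sip.example.com` from an intranet address and from outside) before pointing clients at it, since a query that lands in the wrong view sends external clients straight at the intranet address.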

Deployment
  • Deploy the SIP Edge Proxy Server as a stand-alone cell in the DMZ.
  • Follow the same rules for clustering as for the internal SIP Proxy/Registrar.

Example 1: Extending audio and video to external clients

The following graphic shows how you might deploy a Sametime TURN Server and IBM SIP Edge Proxy Server to enable clients to send audio and video communications across a NAT or firewall. External clients connect to the Sametime deployment through the Sametime TURN Server for audio and video communications; connections from internal clients are routed to external clients through the Sametime Proxy Server.

The following servers are deployed in the intranet:
  • LDAP server
  • DB2® server
  • Sametime System Console
  • Sametime Community Server
  • Sametime Meeting Server
  • Sametime Media Manager components:
    • SIP Proxy/Registrar
    • Conference Manager
    • Video Manager
    • Video MCU

The following servers are deployed in the DMZ:
  • IBM SIP Edge Proxy Server
  • Sametime TURN Server

The following protocols and port numbers are used between the components:
  • Internal clients
    Internal clients communicate with external and mobile users by connecting to the following servers:
    • Sametime Proxy Server: TCP 80 or 443 for instant messaging and web chat
    • Sametime Meeting Server: TCP 80 or 443 for web conference
    Internal clients communicate in A/V sessions with external and mobile users by connecting to the following servers:
    • Sametime TURN Server: UDP 49152 through 65535 for peer-to-peer A/V chat
    • Video MCU: UDP for A/V conferences:
      • UDP 40000 to 49999 (from S9 GA until the OpenSSL Security Bulletin released in September 2015)
      • UDP 49152 to 59151 (starting with the OpenSSL Security Bulletin released in September 2015)
    • SIP Proxy/Registrar: TCP 5060 or TCP 5061 for A/V conferences
  • External clients
    External clients and mobile users communicate with internal clients by connecting to the following servers:
    • Sametime Proxy Server: TCP 80 or 443 for instant messaging and web chat
    • IBM WebSphere® HTTP proxy server: TCP 80 or 443 for web conferences
    External clients and mobile users communicate in A/V sessions with internal clients by connecting to the following servers:
    • Sametime TURN Server: UDP 3478 for instant messaging and web chat
    • IBM SIP Edge Proxy: TCP 5060 (or TCP 5061) for A/V conferences
  • SIP Proxy/Registrar and SIP Edge Proxy Server: TCP 5060 or TCP 5061
  • Video MCU and Sametime TURN Server: UDP 49152 through 65535

Figure: Extending audio and video to external clients

Example 2: Extending audio and video to mobile users

The following graphic shows how you might deploy a Sametime TURN Server and IBM SIP Edge Proxy Server to enable mobile clients to connect to your Sametime deployment using audio and video. This deployment is similar to the deployment supporting external users, but adds the Apple Push Notification Server and the Google Connection Server to support communications with mobile devices. Mobile users connect to the deployment using audio and video ports on the Sametime TURN Server. Messages from internal clients are routed to mobile users through the Sametime Proxy Server, which in turn connects to the Apple Push Notification Server and the Google Connection Server.

The following components are deployed in the intranet:
  • LDAP server
  • DB2 server
  • Sametime System Console
  • Sametime Community Server
  • Sametime Meeting Server
  • Sametime Media Manager components:
    • SIP Proxy/Registrar
    • Conference Manager
    • Video Manager
    • Video MCU

The following components are deployed in the DMZ:
  • Sametime Proxy Server
  • IBM WebSphere HTTP proxy server
  • Sametime TURN Server
  • IBM SIP Edge Proxy Server

The following third-party servers are available on the Internet:
  • Apple Push Notification Server
  • Google Connection Server

The following protocols and port numbers are used between components:
  • Internal clients
    Internal clients communicate with external and mobile users by connecting to the following servers:
    • Sametime Proxy Server: TCP 80 or 443 for instant messaging and web chat
    • Sametime Meeting Server: TCP 80 or 443 for web conference
    Internal clients communicate in A/V sessions with external and mobile users by connecting to the following servers:
    • Sametime TURN Server: UDP 49152 through 65535 for peer-to-peer A/V chat
    • Video MCU: UDP for A/V conferences:
      • UDP 40000 to 49999 (from S9 GA until the OpenSSL Security Bulletin released in September 2015)
      • UDP 49152 to 59151 (starting with the OpenSSL Security Bulletin released in September 2015)
    • SIP Proxy/Registrar: TCP 5060 or TCP 5061 for A/V conferences
  • External clients
    External clients and mobile users communicate with internal clients by connecting to the following servers:
    • Sametime Proxy Server: TCP 80 or 443 for instant messaging and web chat
    • IBM WebSphere HTTP proxy server: TCP 80 or 443 for web conferences
    External clients and mobile users communicate in A/V sessions with internal clients by connecting to the following servers:
    • Sametime TURN Server: UDP 3478 for instant messaging and web chat
    • IBM SIP Edge Proxy: TCP 5060 (or TCP 5061) for A/V conferences
  • Sametime Proxy Server to Apple Push Notification Server: TCP 2195 or TCP 2196
  • Sametime Proxy Server to Google Connection Server: TCP 443
  • SIP Proxy/Registrar and SIP Edge Proxy Server: TCP 5060 or TCP 5061
  • Video MCU and Sametime TURN Server: UDP 49152 through 65535
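The protocol and port lists in Example 1 and Example 2 describe the same set of permitted flows, with Example 2 adding the two push-notification back ends. As an added example that is not IBM's code, the following Python module encodes that matrix once and uses it two ways a defender needs: to audit flows reconstructed from firewall logs against the documented paths (an external client reaching the Video MCU or the SIP Proxy/Registrar directly is a bypass of the TURN Server or SIP Edge Proxy path and should not exist), and to render the DMZ ingress rules so everything else can fall to a default deny. The zone and host labels, the `Flow` type, the function names, the iptables-style rendering and the sample log-derived tuples are assumptions of this example; the ports, protocols and directions come from the lists above, including the TCP-for-internal, UDP-for-external rule for port 3478 from the TURN Server network considerations.

```python
"""Documented network flows for the Sametime external and mobile A/V deployment.

Added example, not IBM's code. Zone and host labels, the Flow type and the
check functions are assumptions of this example; ports, protocols and
directions are taken from the deployment description above.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Video MCU media range; it changed with the OpenSSL Security Bulletin of
# September 2015, so the matrix takes the range as a parameter.
MCU_RANGE_PRE_SEP_2015 = (40000, 49999)
MCU_RANGE_POST_SEP_2015 = (49152, 59151)

# Hosts the description places in the DMZ (Example 2 also puts the Sametime
# Proxy Server and the WebSphere HTTP proxy server there).
DMZ_HOSTS = ("turn_server", "sip_edge_proxy", "sametime_proxy", "http_proxy")


@dataclass(frozen=True)
class Flow:
    src: str                # zone ("internal_client", "external_client") or host label
    dst: str                # host label
    proto: str              # "tcp" or "udp"
    ports: Tuple[int, int]  # inclusive destination port range
    purpose: str


def documented_flows(mobile: bool = False,
                     mcu_range: Tuple[int, int] = MCU_RANGE_POST_SEP_2015) -> List[Flow]:
    """Return every flow the deployment description permits."""
    flows: List[Flow] = []
    for r in ((80, 80), (443, 443)):  # web ports, listed as "TCP 80 or 443"
        flows.append(Flow("internal_client", "sametime_proxy", "tcp", r, "IM and web chat"))
        flows.append(Flow("internal_client", "meeting_server", "tcp", r, "web conference"))
        flows.append(Flow("external_client", "sametime_proxy", "tcp", r, "IM and web chat"))
        flows.append(Flow("external_client", "http_proxy", "tcp", r, "web conference"))
    flows += [
        # TURN port 3478: TCP for internal clients, UDP for external clients.
        Flow("internal_client", "turn_server", "tcp", (3478, 3478), "TURN allocation"),
        Flow("internal_client", "turn_server", "udp", (49152, 65535), "peer-to-peer A/V chat"),
        Flow("internal_client", "video_mcu", "udp", mcu_range, "A/V conference media"),
        Flow("internal_client", "sip_proxy_registrar", "tcp", (5060, 5061), "SIP/SIPS signalling"),
        Flow("external_client", "turn_server", "udp", (3478, 3478), "TURN allocation"),
        Flow("external_client", "sip_edge_proxy", "tcp", (5060, 5061), "SIP/SIPS signalling"),
        # Server-to-server paths between the DMZ and the intranet.
        Flow("sip_edge_proxy", "sip_proxy_registrar", "tcp", (5060, 5061), "SIP/SIPS signalling"),
        Flow("turn_server", "video_mcu", "udp", (49152, 65535), "RTP relay"),
    ]
    if mobile:  # Example 2 adds the push-notification back ends
        flows += [
            Flow("sametime_proxy", "apns", "tcp", (2195, 2196), "Apple push notification"),
            Flow("sametime_proxy", "google_connection_server", "tcp", (443, 443), "Google push"),
        ]
    return flows


def is_permitted(flows: Iterable[Flow], src: str, dst: str, proto: str, port: int) -> Optional[Flow]:
    """Return the Flow covering (src, dst, proto, port), or None if it is undocumented."""
    for f in flows:
        if (f.src == src and f.dst == dst and f.proto == proto.lower()
                and f.ports[0] <= port <= f.ports[1]):
            return f
    return None


Observed = Tuple[str, str, str, int]  # (src, dst, proto, dst_port) as rebuilt from a log


def audit(flows: Iterable[Flow], observed: Iterable[Observed]) -> List[Observed]:
    """Return the observed flows that no documented Flow covers.

    Anything returned is either a bypass of the DMZ path or an undocumented
    dependency that needs explaining before a rule is written for it."""
    flows = list(flows)
    return [o for o in observed if is_permitted(flows, *o) is None]


def dmz_ingress_rules(flows: Iterable[Flow], dmz_hosts=DMZ_HOSTS) -> List[str]:
    """Render iptables-style ACCEPT lines for flows that terminate on a DMZ host.

    Address placeholders such as <turn_server> are for the deployer to fill in;
    flows not rendered here are meant to hit the chain's default DROP."""
    rules = []
    for f in flows:
        if f.dst not in dmz_hosts:
            continue
        lo, hi = f.ports
        dport = str(lo) if lo == hi else f"{lo}:{hi}"
        rules.append(f"-A FORWARD -s <{f.src}> -d <{f.dst}> -p {f.proto} "
                     f"--dport {dport} -j ACCEPT  # {f.purpose}")
    return rules


# Constructed sample: flows as they might be reconstructed from a firewall log.
SAMPLE_OBSERVED: List[Observed] = [
    ("external_client", "turn_server", "udp", 3478),
    ("external_client", "video_mcu", "udp", 50000),           # media bypassing the TURN Server
    ("external_client", "sip_proxy_registrar", "tcp", 5061),  # signalling bypassing the SIP Edge Proxy
    ("turn_server", "video_mcu", "udp", 50000),
    ("sip_edge_proxy", "sip_proxy_registrar", "tcp", 5061),
]

if __name__ == "__main__":
    for bad in audit(documented_flows(mobile=True), SAMPLE_OBSERVED):
        print("undocumented flow:", bad)
    for rule in dmz_ingress_rules(documented_flows(mobile=True)):
        print(rule)
```

Run it as a script to see the two bypass flows from the constructed sample flagged and the DMZ ingress rules printed. Pass `mcu_range=MCU_RANGE_PRE_SEP_2015` when auditing a deployment built before the September 2015 OpenSSL bulletin, and `mobile=True` for the Example 2 topology; the rendered rules deliberately cover only DMZ destinations, because the intranet hosts (Video MCU, SIP Proxy/Registrar) should be reachable from outside only through the TURN Server and SIP Edge Proxy Server.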

Figure: Extending audio and video to mobile users