Deploying clustered TURN Servers on the Internet

Deploy the IBM® Sametime® TURN Server cluster outside of the corporate firewall (in the Internet zone). This configuration allows clients to access the TURN servers directly and verify the source IP address of responses.

The following graphic shows a configuration that is the simplest solution, but it is also the least secure because it does not protect the TURN Servers with a firewall. This configuration is not recommended for deployments where security is a concern.

Figure: TURN Server cluster residing directly on the Internet

In the image, the different security zones, Intranet and DMZ, are separated by firewalls. Here, the TURN Server and the load balancer are deployed directly on the Internet, and there is no firewall separating them from the external clients (or from anyone else on the Internet). This configuration leaves the TURN Server cluster exposed because there is no firewall to apply basic access controls or block unwanted connections.

The other Sametime Media Manager components are deployed in the demilitarized zone, so they are protected by the firewall that separates them from the TURN Server cluster.

The internal clients are hosted on the corporate LAN, so they are less exposed than the Media Manager or TURN servers.

When you implement this configuration, make sure that the following requirements are satisfied:

  • You cannot use a NAT (Network Address Translator) with the TURN Server cluster (because the server IP addresses would be hidden from the external clients).
  • Every member of the TURN Server cluster must be on the same listening port (port 3478 is the default).
  • The Sametime Video MCU component (residing in the DMZ) must be able to access the load balancer fronting the TURN Server cluster as well as every member of the TURN Server cluster.
  • All internal clients (hosted on the corporate LAN) must be able to access both the Sametime Video MCU components and the load balancer fronting the TURN Server cluster as well as every member of the TURN Server cluster.

Whenever an internal client, external client, or Video MCU requests a connection to the TURN Server cluster, the first allocation request is directed to the load balancer, and from there dispatched to one member of the TURN Server cluster. This TURN Server sends a "300 redirect" message to the originator of the request (the client or the Video MCU), which will then route subsequent requests directly to this TURN Server instead of the load balancer. If external clients cannot connect directly to the TURN Servers in the cluster, configure a redirect host address to route the client connections through the load balancer for the entire session. For more information, see Ensuring that external clients can communicate with a TURN Server.
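The allocation and redirect exchange described above, as an added example that is not part of the IBM Sametime documentation or product code. It models the STUN/TURN wire format (the 20-byte header with the magic cookie, the ERROR-CODE and ALTERNATE-SERVER attributes, the Allocate method) as defined in RFC 5389 and RFC 5766, and simulates the cluster in memory: the first Allocate goes to the load balancer, a member answers with a 300 redirect, and the client follows it either to that member or, when a redirect host is configured, back to the load balancer for the rest of the session. The client also performs the two checks the "no NAT" requirement makes possible: the reply must come from the address the request was sent to, and it must echo the transaction ID. The addresses, the source-affinity behaviour of the load balancer, and the member's first-contact rule (a client it has never seen must have arrived via the load balancer) are constructed assumptions for the simulation, not Sametime internals.

```python
import os
import socket
import struct

# STUN/TURN constants from RFC 5389 / RFC 5766
MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST = 0x0003
ALLOCATE_SUCCESS = 0x0103
ALLOCATE_ERROR = 0x0113
ATTR_ERROR_CODE = 0x0009
ATTR_ALTERNATE_SERVER = 0x8023
TURN_PORT = 3478  # default listening port; every cluster member must use the same one


def build_message(msg_type, tid, attributes):
    """Encode a STUN message: 20-byte header followed by TLV attributes padded to 4 bytes."""
    body = b""
    for atype, value in attributes:
        body += struct.pack("!HH", atype, len(value)) + value + b"\x00" * ((-len(value)) % 4)
    return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + tid + body


def parse_message(data):
    """Decode header and attributes; reject anything without the STUN magic cookie."""
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or len(data) < 20 + length:
        raise ValueError("not a well-formed STUN message")
    attrs, offset = {}, 20
    while offset < 20 + length:
        atype, alen = struct.unpack("!HH", data[offset:offset + 4])
        attrs[atype] = data[offset + 4:offset + 4 + alen]
        offset += 4 + alen + ((-alen) % 4)
    return msg_type, data[8:20], attrs


def encode_alternate_server(host, port):
    # ALTERNATE-SERVER uses the MAPPED-ADDRESS layout: reserved, family (0x01 = IPv4), port, address
    return struct.pack("!BBH", 0, 0x01, port) + socket.inet_aton(host)


def decode_alternate_server(value):
    _, family, port = struct.unpack("!BBH", value[:4])
    if family != 0x01:
        raise ValueError("only IPv4 is handled in this example")
    return socket.inet_ntoa(value[4:8]), port


def encode_error_code(code, reason):
    # ERROR-CODE: 21 reserved bits, 3-bit class (hundreds digit), 8-bit number, then reason phrase
    return struct.pack("!I", ((code // 100) << 8) | (code % 100)) + reason.encode()


def decode_error_code(value):
    (word,) = struct.unpack("!I", value[:4])
    return ((word >> 8) & 0x7) * 100 + (word & 0xFF)


class TurnMember:
    """Cluster member (assumed behaviour). redirect_host, if set, is the address clients are
    sent to instead of this member; in the page's scenario that is the load balancer."""
    def __init__(self, host, redirect_host=None):
        self.host, self.redirect_host, self.seen = host, redirect_host, set()

    def receive(self, src, datagram):
        msg_type, tid, _ = parse_message(datagram)
        if msg_type != ALLOCATE_REQUEST:
            raise ValueError("this example only models Allocate")
        if src not in self.seen:  # first Allocate from this client arrived via the load balancer
            self.seen.add(src)
            target = self.redirect_host or self.host
            return build_message(ALLOCATE_ERROR, tid, [
                (ATTR_ERROR_CODE, encode_error_code(300, "Try Alternate")),
                (ATTR_ALTERNATE_SERVER, encode_alternate_server(target, TURN_PORT))])
        return build_message(ALLOCATE_SUCCESS, tid, [])


class LoadBalancer:
    """Assumed L4 balancer: a new client goes to the next member and sticks to it (source affinity)."""
    def __init__(self, host, members):
        self.host, self.members, self.affinity = host, members, {}

    def receive(self, src, datagram):
        member = self.affinity.setdefault(src, self.members[len(self.affinity) % len(self.members)])
        return member.receive(src, datagram)


class Network:
    """Constructed in-memory stand-in for the Internet zone: no NAT, so reply sources are real."""
    def __init__(self, hosts):
        self.hosts = {h.host: h for h in hosts}

    def send(self, src, dst, datagram):
        return dst, self.hosts[dst].receive(src, datagram)  # (reply source address, reply bytes)


def allocate(net, client, server):
    """One Allocate round trip with the client-side checks: the reply must come from the
    address the request was sent to, and it must carry the request's transaction ID."""
    tid = os.urandom(12)
    reply_src, reply = net.send(client, server, build_message(ALLOCATE_REQUEST, tid, []))
    if reply_src != server:
        raise RuntimeError("reply from unexpected source %s, dropped" % reply_src)
    msg_type, reply_tid, attrs = parse_message(reply)
    if reply_tid != tid:
        raise RuntimeError("transaction ID mismatch, dropped")
    return msg_type, attrs


def allocate_via_cluster(net, client, lb_host):
    """Start at the load balancer, follow at most one 300 redirect, return the session address."""
    target = lb_host
    for _ in range(2):
        msg_type, attrs = allocate(net, client, target)
        if msg_type == ALLOCATE_SUCCESS:
            return target
        if msg_type != ALLOCATE_ERROR or decode_error_code(attrs[ATTR_ERROR_CODE]) != 300:
            raise RuntimeError("allocation failed")
        target, _port = decode_alternate_server(attrs[ATTR_ALTERNATE_SERVER])
    raise RuntimeError("redirected twice, giving up")


def demo(redirect_host=None):
    """Constructed addresses from documentation ranges; returns where each client's session lands."""
    lb_host = "198.51.100.10"
    members = [TurnMember("198.51.100.11", redirect_host), TurnMember("198.51.100.12", redirect_host)]
    net = Network(members + [LoadBalancer(lb_host, members)])
    return [allocate_via_cluster(net, c, lb_host) for c in ("203.0.113.5", "203.0.113.6")]


if __name__ == "__main__":
    print("direct to member:", demo())
    print("kept on load balancer:", demo(redirect_host="198.51.100.10"))
```

Without a redirect host, each client ends its exchange talking to a member directly, which is why every member must be reachable from every client and why a NAT in front of the cluster would break the flow: the ALTERNATE-SERVER attribute would carry an address the client cannot reach. With the redirect host set to the load balancer address, the 300 response sends the client back to the load balancer, and the source check in allocate still passes because the reply comes from the address the client used.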