Deploying clustered TURN Servers in the DMZ

Deploy the IBM® Sametime® TURN Server cluster in the DMZ and use publicly available IP addresses for them. This configuration allows clients to access the TURN Servers through the firewall using the public IP addresses to verify the source of responses.

The following graphic shows a configuration that requires a little more work than simply hosting the TURN Servers on the Internet, but it also provides more security. The graphic shows different security zones separated by firewalls. The TURN Server cluster is deployed in the DMZ so that a firewall separates the cluster from the Internet. Because the cluster is behind the firewall, the IP addresses of its members must still be publicly available so that external clients can reach the cluster and verify the addresses; however, the firewall can perform some low-level security functions, such as packet analysis and verification of client addresses.


TURN Server cluster residing in a DMZ with a Sametime Video MCU cluster

A security concern in this scenario is that the firewall between the TURN Server cluster and the Internet must be configured in transparent mode (to allow external clients to connect to the TURN Servers and verify IP addresses), which exposes the cluster to potential hazards. Another concern is that the Video MCU cluster is deployed in the DMZ with the TURN Server cluster, so it also sits behind the transparent firewall and is therefore exposed to the same hazards as the TURN Servers.

The internal clients are hosted on the corporate LAN, so they are less exposed than the Media Manager components or TURN Servers.

When you implement this configuration, make sure that the following requirements are satisfied:

  • You cannot use a NAT (Network Address Translator) with the TURN Server cluster (because the server IP addresses would be hidden from the external clients).
  • Every member of the TURN Server cluster must be listening on the same port (port 3478 is the default).
  • The firewall facing the Internet must be configured to use transparent (bridging) mode so that external clients can connect directly to the TURN Servers behind it.
  • All instances of the Sametime Video MCU component must be able to access each member of the TURN Server cluster as well as the load balancer fronting the cluster.
  • All internal clients (hosted on the corporate LAN) must be able to access both the Sametime Video MCU component and the load balancer fronting the TURN Server cluster.
  • All external clients (hosted on the Internet) must be able to access each member of the TURN Server cluster as well as the load balancer fronting the cluster.

Whenever an internal client, external client, or Video MCU requests a connection to the TURN Server cluster, the first allocation request is directed to the load balancer, and from there dispatched to one member of the TURN Server cluster. This TURN Server sends a "300 redirect" message to the originator of the request (the client or the Video MCU), which then routes subsequent requests directly to this TURN Server instead of the load balancer. If external clients cannot connect directly to the TURN Servers in the cluster, configure a redirect host address to route the client connections through the load balancer for the entire session. For more information, see Ensuring that external clients can communicate with a TURN Server.
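The exchange described above, as an added example that is not part of the IBM Sametime product or its documentation. It models the first allocation round trip in memory, with no sockets: the load balancer hands the Allocate request to one cluster member, that member answers with the STUN "300 Try Alternate" error response carrying an ALTERNATE-SERVER attribute (the message the text calls a "300 redirect"; message and attribute layouts follow RFC 5389 and RFC 5766), and the client follows the redirect unless a redirect host has been configured, in which case it stays on the load balancer. It also encodes the deployment requirements from the list above (one common listening port, no NAT-hidden members) as a pre-flight check, and the client accepts a redirect only when the transaction ID matches its own request and the target is a known cluster member, which is the "verify the source of responses" point the text makes. All addresses are constructed from the TEST-NET-3 documentation range; the function names and the round-robin stand-in for the load balancer's choice are assumptions of this example.

```python
"""Simulated TURN allocation against a load-balanced cluster (constructed example)."""
import ipaddress
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST = 0x0003          # method 0x003, class "request"
ALLOCATE_ERROR_RESPONSE = 0x0113   # method 0x003, class "error response"
ATTR_ERROR_CODE = 0x0009
ATTR_ALTERNATE_SERVER = 0x8023
DEFAULT_TURN_PORT = 3478           # default port named in the requirements list
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _pad4(value):
    """STUN attribute values are padded to a 4-byte boundary."""
    return value + b"\x00" * (-len(value) % 4)


def build_message(msg_type, attrs, txn_id):
    """STUN header (type, length, magic cookie, 96-bit transaction ID) followed by TLV attributes."""
    body = b"".join(struct.pack("!HH", t, len(v)) + _pad4(v) for t, v in attrs)
    return struct.pack("!HHI12s", msg_type, len(body), MAGIC_COOKIE, txn_id) + body


def parse_message(data):
    msg_type, length, cookie, txn_id = struct.unpack("!HHI12s", data[:20])
    if cookie != MAGIC_COOKIE or length != len(data) - 20:
        raise ValueError("not a well-formed STUN message")
    attrs, pos = {}, 20
    while pos < 20 + length:
        attr_type, attr_len = struct.unpack("!HH", data[pos:pos + 4])
        attrs[attr_type] = data[pos + 4:pos + 4 + attr_len]
        pos += 4 + attr_len + (-attr_len % 4)
    return msg_type, txn_id, attrs


def build_allocate_request(txn_id):
    return build_message(ALLOCATE_REQUEST, [], txn_id)


def build_try_alternate(txn_id, host, port):
    """What a cluster member sends back: error 300 Try Alternate plus its own public address."""
    error = struct.pack("!HBB", 0, 3, 0) + b"Try Alternate"               # class 3, number 0 -> 300
    alternate = struct.pack("!BBH4s", 0, 0x01, port, socket.inet_aton(host))  # IPv4, not XOR-ed
    return build_message(ALLOCATE_ERROR_RESPONSE,
                         [(ATTR_ERROR_CODE, error), (ATTR_ALTERNATE_SERVER, alternate)], txn_id)


def parse_error_code(value):
    _, cls, number = struct.unpack("!HBB", value[:4])
    return (cls & 0x07) * 100 + number, value[4:].decode("utf-8")


def parse_alternate_server(value):
    _, family, port, addr = struct.unpack("!BBH4s", value[:8])
    if family != 0x01:
        raise ValueError("only IPv4 ALTERNATE-SERVER is handled in this example")
    return socket.inet_ntoa(addr), port


def validate_cluster(members):
    """Requirements from the text: one common port on every member, no NAT-hidden (RFC 1918) member."""
    ports = {port for _, port in members}
    if len(ports) != 1:
        raise ValueError("every cluster member must listen on the same port, got %s" % sorted(ports))
    for host, _ in members:
        if any(ipaddress.ip_address(host) in net for net in RFC1918):
            raise ValueError("%s is a private address; members must be publicly reachable" % host)
    return ports.pop()


def choose_session_target(request, response, members, redirect_host=None):
    """Client side: follow the redirect only if it answers our request and names a known member."""
    _, sent_txn, _ = parse_message(request)
    msg_type, txn_id, attrs = parse_message(response)
    if txn_id != sent_txn:
        raise ValueError("transaction ID mismatch: drop unsolicited response")
    if msg_type != ALLOCATE_ERROR_RESPONSE:
        raise ValueError("unexpected message type 0x%04x" % msg_type)
    code, _ = parse_error_code(attrs[ATTR_ERROR_CODE])
    if code != 300:
        raise ValueError("unexpected error code %d" % code)
    alternate = parse_alternate_server(attrs[ATTR_ALTERNATE_SERVER])
    if alternate not in members:
        raise ValueError("redirect to %s:%d, which is not a cluster member" % alternate)
    # A configured redirect host keeps the whole session on the load balancer.
    return redirect_host if redirect_host is not None else alternate


def allocate_via_cluster(members, redirect_host=None, rr_index=0):
    """One full first-allocation round trip; rr_index stands in for the load balancer's choice."""
    validate_cluster(members)
    txn_id = os.urandom(12)
    request = build_allocate_request(txn_id)
    chosen = members[rr_index % len(members)]        # load balancer dispatches to one member
    response = build_try_alternate(txn_id, *chosen)  # that member redirects the caller to itself
    return choose_session_target(request, response, set(members), redirect_host)


if __name__ == "__main__":
    # Constructed addresses from the TEST-NET-3 documentation range, not a real deployment.
    lb = ("203.0.113.10", DEFAULT_TURN_PORT)
    cluster = [("203.0.113.11", DEFAULT_TURN_PORT), ("203.0.113.12", DEFAULT_TURN_PORT)]
    print("direct to member:", allocate_via_cluster(cluster))
    print("via redirect host:", allocate_via_cluster(cluster, redirect_host=lb))
```

The two rejection paths in `choose_session_target` are the defensive part: a response whose transaction ID does not match is discarded as unsolicited, and a redirect to an address outside the configured cluster membership is refused rather than followed, so a client never re-points its media session at a server the deployment did not declare.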