Deploying clustered TURN Servers in an edge DMZ

Deploy the IBM Sametime® TURN Server cluster in an additional "edge" DMZ that separates it both from the Internet and from the DMZ hosting the Media Manager components, and use publicly available IP addresses for the TURN Servers. This configuration allows clients to access the TURN Servers through the firewall using the public IP addresses to verify the source of responses, but separates the cluster from other IBM® Sametime servers.

This configuration requires the most work, but in return, provides the most security.

The following graphic shows a TURN Server cluster in an additional "edge" DMZ that separates it both from the Internet and from the DMZ hosting the Media Manager components.


TURN Server cluster residing in an edge DMZ

In the image, different security zones appear in different colors and are separated by firewalls. Notice that there are two DMZ zones - one is used for separating the TURN Server cluster from the Internet, and another to separate that cluster from other Sametime servers. Here, the TURN Server cluster is deployed in an additional demilitarized zone so that a firewall separates the cluster from the Internet. The firewall must be configured in transparent mode so that external clients can connect to the TURN Servers and verify their IP addresses; this exposes the TURN Server cluster to potential security hazards.

The Sametime Media Manager components are deployed in a separate DMZ, which places a firewall between them and the TURN Server cluster and helps protect those servers from any problems that the TURN Server cluster may encounter. The firewall separating the Media Manager components from the TURN Server cluster can be configured in routing mode to provide additional security.

The internal clients are hosted on the corporate LAN, so they are less exposed than the Media Manager or TURN Servers.

When you implement this configuration, make sure that the following requirements are satisfied:

  • You cannot use a NAT (Network Address Translator) with the TURN Server cluster (because the server IP addresses would be hidden from the external clients).
  • Every member of the TURN Server cluster must be on the same listening port (port 3478 is the default).
  • The firewall facing the Internet must be configured to use transparent (bridging) mode so that external clients can connect directly to the TURN Servers behind it.
  • All instances of Sametime Video MCU must be able to access each member of the TURN Server cluster as well as the load balancer fronting the cluster.
  • All internal clients (hosted on the corporate LAN) must be able to access both the Sametime Video MCU and the load balancer fronting the TURN Server cluster.
  • All external clients (hosted on the Internet) must be able to access each member of the TURN Server cluster as well as the load balancer fronting the cluster.

Whenever an internal client, external client, or Video MCU requests a connection to the TURN Server cluster, the first allocation request is directed to the load balancer, and from there dispatched to one member of the TURN Server cluster. This TURN Server sends a "300 redirect" message to the originator of the request (the client or the Video MCU), which will then route subsequent requests directly to this TURN Server instead of the load balancer. If external clients cannot connect directly to the TURN Servers in the cluster, configure a redirect host address to route the client connections through the load balancer for the entire session. For more information, see Ensuring that external clients can communicate with a TURN Server.
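The redirect flow above, as an added example that is not IBM's code: a minimal STUN/TURN encoder and parser (RFC 5766 message layout, ERROR-CODE 300 with an ALTERNATE-SERVER attribute) showing the first Allocate going to the load balancer, the cluster member answering "300 Try Alternate", and the client switching to the advertised address. It assumes the redirect host setting is applied on the TURN Server side, so that when configured the 300 response advertises the load balancer instead of the member; the 203.0.113.x addresses are constructed sample values.

```python
import os
import struct
MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST = 0x0003  # method Allocate (0x003), class request
ALLOCATE_ERROR = 0x0113    # method Allocate, class error response
ATTR_ERROR_CODE = 0x0009
ATTR_REQUESTED_TRANSPORT = 0x0019
ATTR_ALTERNATE_SERVER = 0x8023

def _attr(atype, value):
    # STUN TLV; the length field excludes the padding to a 32-bit boundary
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * ((-len(value)) % 4)

def _message(mtype, tid, attrs):
    body = b"".join(attrs)
    return struct.pack("!HHI", mtype, len(body), MAGIC_COOKIE) + tid + body

def build_allocate_request(tid=None):
    # First Allocate of a session, sent by the client to the load balancer.
    # REQUESTED-TRANSPORT carries protocol 17 (UDP) plus three reserved bytes.
    return _message(ALLOCATE_REQUEST, tid or os.urandom(12), [_attr(ATTR_REQUESTED_TRANSPORT, b"\x11\x00\x00\x00")])

def build_try_alternate(request, member_addr, redirect_host=None):
    # The cluster member that received the dispatched request answers 300 Try
    # Alternate. It advertises its own public address, or the configured redirect
    # host (the load balancer) when external clients cannot reach members directly
    # (assumed here to be a server-side setting).
    host, port = redirect_host or member_addr
    err = _attr(ATTR_ERROR_CODE, b"\x00\x00\x03\x00" + b"Try Alternate")  # class 3, number 0
    addr = _attr(ATTR_ALTERNATE_SERVER, struct.pack("!BBH4s", 0, 0x01, port, bytes(int(o) for o in host.split("."))))
    return _message(ALLOCATE_ERROR, request[8:20], [err, addr])  # same transaction ID as the request

def parse_response(resp):
    # Returns (error_code, (host, port)) from ERROR-CODE and ALTERNATE-SERVER (IPv4 only)
    mtype, length, cookie = struct.unpack("!HHI", resp[:8])
    if cookie != MAGIC_COOKIE or len(resp) != 20 + length:
        raise ValueError("malformed STUN message")
    code, alternate, pos = None, None, 20
    while pos < len(resp):
        atype, alen = struct.unpack("!HH", resp[pos:pos + 4])
        value = resp[pos + 4:pos + 4 + alen]
        if atype == ATTR_ERROR_CODE:
            code = (value[2] & 0x07) * 100 + value[3]
        elif atype == ATTR_ALTERNATE_SERVER and value[1] == 0x01:
            alternate = (".".join(str(b) for b in value[4:8]), struct.unpack("!H", value[2:4])[0])
        pos += 4 + alen + (-alen) % 4
    return code, alternate

def next_hop(load_balancer, resp):
    # Client side: after a 300, all further requests go to the advertised address
    code, alternate = parse_response(resp)
    return alternate if code == 300 and alternate else load_balancer
```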