The Media Servers attempt to establish non-relayed media sessions whenever possible by using a STUN server. For cases where a media relay is required to traverse far-end NAT, the Session Manager has an embedded TURN server. To give browsers the highest probability of establishing media sessions with the Media Server, it is recommended to configure the TURN server on a separate IP address using port 443 for TCP, UDP, and TLS.
To configure the network traversal for your WebRTC server:
- Log in to the Admin UI using your account.
For more information, see Logging in to the Admin Portal.
- Click the CONFIGURATIONS tab.
- Click the Advanced subtab.
You can use the default settings or configure based on your network preference.
For the Media Servers to attempt to establish non-relayed media streams, they must use a STUN server on the outside of the NAT (usually on the Internet). By default, they use a public STUN server on the Internet. To override the default and use a particular STUN server, deselect the Use default STUN server checkbox and enter the URI of your preferred server.
- Select Custom port (requires dedicated IP) from the Client Media Relay Port (TURN server listening port) drop-down if you do not want to use the default TURN port (3478), or to turn off the TURN server.
This is recommended for the greatest success in enabling browsers behind NAT, firewalls, and web proxies so that calls can be established.
If you select Custom port (requires dedicated IP), you need a dedicated IP address for the TURN server on the same subnet as your Production IP address. A dedicated FQDN must also be configured if TLS is to be enabled. When configuring a custom port, it is recommended to set the Media Relay Port to 443.
- Select the Enable TURN over TLS checkbox to allow tunneling media streams over TLS, which is sometimes required for traversing firewalls and web proxies.
It is recommended to configure the Port as 443.
Setting both the Media Relay Port (which is UDP and TCP) and the TLS port to 443 is permissible and recommended.
Upon enabling TURN over TLS, you need to add certificates for the TLS connection.
- Select the Use existing HTTPS certificate (must be SAN or wildcard) checkbox if you already have a SAN or wildcard certificate configured on the Security page; the existing HTTPS certificate will then be used.
If you do not have a SAN or wildcard certificate or want to use a different certificate for this FQDN, deselect the Use existing HTTPS certificate (must be SAN or wildcard) checkbox and upload your certificates in the same manner that you do for security configurations.
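The SAN-or-wildcard requirement above exists because the same certificate must be valid for both the portal FQDN and the dedicated TURN FQDN. The following is an added example, not part of the product or its documentation, that checks this from the dictionary Python's `ssl` module returns from `getpeercert()`; the function names, hostnames, and certificate data are constructed for illustration.

```python
# Added example: does an existing HTTPS certificate also cover the TURN FQDN?
# All hostnames and certificate dicts below are constructed sample data.

def san_dns_names(peercert: dict) -> list:
    """Return the dNSName entries from an ssl getpeercert()-style dict."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern: str, host: str) -> bool:
    """Strict hostname match: '*' only as the entire leftmost label,
    covering exactly one label (so *.example.com != a.b.example.com)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Refuse overly broad wildcards such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def covered_by(peercert: dict, host: str) -> list:
    """List the SAN entries that make the certificate valid for host."""
    return [n for n in san_dns_names(peercert) if name_matches(n, host)]

def can_reuse_https_cert(peercert: dict, portal_fqdn: str, turn_fqdn: str) -> bool:
    """True only if one certificate is valid for both FQDNs."""
    return bool(covered_by(peercert, portal_fqdn)) and bool(covered_by(peercert, turn_fqdn))

# Constructed certificates in getpeercert() format.
SINGLE_NAME = {"subjectAltName": (("DNS", "portal.example.com"),)}
SAN_CERT = {"subjectAltName": (("DNS", "portal.example.com"),
                               ("DNS", "turn.example.com"))}
WILDCARD = {"subjectAltName": (("DNS", "*.example.com"),)}

if __name__ == "__main__":
    portal = "portal.example.com"
    for label, cert in (("single-name", SINGLE_NAME), ("SAN", SAN_CERT),
                        ("wildcard", WILDCARD)):
        for turn in ("turn.example.com", "turn.media.example.com"):
            verdict = "reuse" if can_reuse_https_cert(cert, portal, turn) else "upload separate cert"
            print(f"{label:12} {turn:24} -> {verdict}")
```

A wildcard certificate stops covering the TURN FQDN as soon as that name sits one label deeper than the portal name, which is the case where a separate certificate must be uploaded.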