D 14049.01 07.2007, page 107
Firewall Traversal
About STUN
STUN is a network protocol that enables a SIP or H.323 client to communicate via UDP or TCP from behind a NAT firewall. The VCS Border Controller can be configured to provide two types of STUN services to traversal clients: STUN Binding Discovery and STUN Relay.
STUN Services
STUN Relay
The STUN Relay service (formerly known as TURN) allows a client to ask for data to be relayed to it from specific remote peers via the relay server, through a single connection between the client and the relay server.
How it works
A client behind a NAT firewall sends a STUN Allocate request to the VCS Border Controller, which is acting as the STUN relay server. Sending this request opens a binding on the firewall. Upon receipt of the request, the VCS Border Controller opens a public IP port on behalf of the client and reports this IP address and port back to the client, together with details of the firewall binding. The client can then provide this IP address and port to other systems which may want to reach it.
The client can restrict the remote addresses and ports from which the relay should forward media. Any incoming calls to this IP address and port on the VCS server are relayed via the allocated binding on the NAT to the client.
STUN Binding Discovery
The STUN Binding Discovery service provides information back to the client about the binding allocated by the NAT firewall being traversed.
How it works
A client behind a NAT firewall sends a STUN discovery request via the firewall to the VCS Border Controller, which has been configured as a STUN discovery server. Upon receipt of the message, the VCS Border Controller responds to the client with information about the allocated NAT binding, i.e. the public IP address and the ports being used.
The client can then provide this information to other systems which may want to reach it, allowing it to be found even though it is not directly available on the public internet.
The endpoint will only be reachable if the firewall has the Endpoint-Independent Mapping behavior described in RFC 4787 [13].
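The Binding Discovery exchange above, as an added example that is not part of this guide or of the VCS product: the client builds a STUN Binding Request, and the server's Binding Response carries the public address and port of the NAT binding in an XOR-MAPPED-ADDRESS attribute (RFC 5389 encoding). The response is constructed inline so the parser can be exercised offline; the IP address and port used are placeholders, not values from the guide.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442       # fixed RFC 5389 cookie, also the XOR key
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
XOR_MAPPED_ADDRESS = 0x0020

def build_binding_request(txn_id):
    """20-byte STUN header (type, length, cookie, 96-bit transaction ID), no attributes."""
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id

def parse_xor_mapped_address(response, txn_id):
    """Return (public_ip, public_port) reported by the server, after header checks."""
    msg_type, length, cookie = struct.unpack("!HHI", response[:8])
    if cookie != MAGIC_COOKIE or response[8:20] != txn_id:
        raise ValueError("not a STUN response to our transaction")   # drop stray/forged replies
    if msg_type != BINDING_RESPONSE:
        raise ValueError("unexpected message type 0x%04x" % msg_type)
    body = response[20:20 + length]
    offset = 0
    while offset + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + attr_len]
        if attr_type == XOR_MAPPED_ADDRESS and value[1] == 0x01:   # IPv4 family only here
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        offset += 4 + ((attr_len + 3) & ~3)     # attribute values are padded to 4 bytes
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS in response")

def build_binding_response(txn_id, ip, port):
    """Constructed server reply (what the discovery server would send); used for the offline demo."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI", BINDING_RESPONSE, len(attr), MAGIC_COOKIE) + txn_id + attr

def discover_public_binding(txn_id=None, ip="203.0.113.7", port=50000):
    """Client view of the exchange; the constructed response stands in for the network round trip."""
    txn_id = txn_id if txn_id is not None else os.urandom(12)
    request = build_binding_request(txn_id)
    assert len(request) == 20
    response = build_binding_response(txn_id, ip, port)   # placeholder public address, constructed
    return parse_xor_mapped_address(response, txn_id)

if __name__ == "__main__":
    print("NAT binding reported by server:", discover_public_binding())
```

The transaction-ID check is what lets a client discard responses that do not belong to its own request, which matters when the discovery port is reachable from the whole internet.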
About ICE
Currently, the most likely users of STUN services are ICE endpoints.
ICE (Interactive Connectivity Establishment) is a collaborative algorithm that works together with STUN services (and other NAT traversal techniques) to allow clients to achieve firewall traversal. The individual techniques on their own may allow traversal in certain network topologies but not others. Also, some techniques may be less efficient than others, involving extra hops (e.g. STUN Relay).
ICE involves collecting potential (candidate) points of contact (IP address and port combinations) via each of the traversal techniques, verifying peer-to-peer connectivity via each of these points of contact, and then selecting the "best" successful candidate point of contact to use.
For detailed information on the base STUN protocol and the Binding Discovery service, refer to "Session Traversal Utilities for NAT (STUN)" [11].
For detailed information on the STUN Relay service, refer to "Obtaining Relay Addresses from Simple Traversal Underneath NAT (STUN)" [12].
TANDBERG VIDEO COMMUNICATION SERVER ADMINISTRATOR GUIDE