STUN and TURN Server Settings

estos UCServer make central configuration of STUN and TURN possible for estos ProCall clients. The estos ProCall client will require these settings if the audio or video chat features should be used. A STUN and TURN server will always be required if at least one client is outside of the local network. In particular, this will affect the apps and browser applications. STUN and TURN servers are typically found on the Internet and are not components of estos UCServer for that reason. The settings that describe how STUN and TURN servers located on the Internet can be accessed can be made on estos UCServer’s configuration page (under services -> STUN & TURN). The configuration parameters will be provided by the operators of the STUN and TURN servers.
The STUN and TURN servers may be located on identical systems or use the same URLs or IP addresses, however, they may also be located on different systems or use different URLs or IP addresses (and ports).

estos UCServer supports multiple options for using STUN and TURN servers.

  • Using an internal server
    Customer internal STUN and TURN server(s) may be used. To do so, configure the following parameters:
    • STUN URI
      Enter the STUN server's name here. The default STUN port is 3478. Valid STUN URI’s include:
      • stun:my.server.com
      • stun:stun.l.google.com:19302
    • TURN URI
      Enter one or more URIs for the internal server(s) here. The standard TURN port is 3478. Valid TURN URIs include:
      • turn:my.server.com
      • turn:my.server.com:3478
      • turn:my.server.com:3478?transport=udp
      • turn:my.server.com:443?transport=tcp
    • TURN Authentication
      Access to a TURN server always requires authentication to prevent unauthorized usage. Since the media channels passed through as well as computer performance will use Internet bandwidth for the TURN service, the TURN service must be protected against uncontrolled, mass usage. The following authentication methods are supported.
      • Authentication using User Name & Password
        Enter the user name and password. Note: if client applications are used in the browser through the Internet, the access data will not be protected against access.
      • Shared Secret (TURN REST API)
        The Shared Secret is a key that is known to both the TURN server as well as UCServer. UCServer will generate valid access data every 24 hours based on the shared secret, which will be transferred to the clients.
    • Using UCConnect
      Log into UCConnect in order to use STUN and TURN servers automatically.
  • Use External Provider
    There are several providers who operate STUN and TURN servers. To do so, log into a provider. Enter the necessary access data received from the provider on the Configure Provider dialog. estos UCServer will periodically retrieve new access data for the TURN server from the respective provider and make it available to the clients. The access data will typically be valid for 24 hours.

STUN & TURN Diagnostics
The actual settings described above can be verified by pressing the "Start diagnostics" button. The test result appears in the text field near the button, for example "STUN test passed, TURN test passed".
Once a log file has been created and estos UCServer has access to the file, the Open Log File button can be clicked. The diagnostics will be created with the help of a utility, ICE-Test2.exe. The Execute Diagnostics button will remain gray if the utility is not available to the estos UCServer Administration program.

What is a STUN server?
STUN (Session Traversal Utilities for NAT) is a client-server protocol which returns the public IP address to the client. It allows a client to discover its public IP address at the internet if the client is located in a LAN behind a NAT. Additional information is provided enabling the client to make conclusions about the type of NAT. Thus a STUN server shall not be accessible via internal IP addresses of a LAN, for example if the STUN server resides in the DMZ of an enterprise network. The STUN server need to be addressed by the client always by using IP addresses of the public address space.

What is a TURN server?
TURN (Traversal Using Relays around NAT) servers are used when direct peer-to-peer communication is disabled by a firewall. A TURN server relayes media streams between the endpoinds avoiding such direct peer-to-peer communication.
Such requirements are frequently required in particular for connections from a mobile network, meaning that a mobile client on a cell phone will attempt to create audio-video communication through the Internet. Similarly, especially restrictive NAT devices (the transition point between an internal LAN and the external Internet) may require the use of a TURN server.

What is a NAT device?
NAT stands for "Network Address Translation" and translates the "internal" IP addresses (and ports) to the external IP addresses (and ports). A NAT device is for example a router connecting a LAN with the public internet.

What is a symmetric NAT?
A remote station at the internet may reply data back to a client only if the remote station replies from the same system (using the same IP address and port number). If the remote station answers from a different location it fails because the NAT device opens a new NAT table entry. Using symmetric NAT devices no VoIP connection can be established without using a TURN server.

When do I need STUN or TURN servers?
All Audio/VideoChat clients are at the same local network (LAN): there is no need for configuring STUN and TURN servers.
The Audio/VideoChat clients are using also the internet to communicate to each other. No symmteric NAT is used: a STUN server configuration is required, configuring a TURN server is optional.
The audio/video chat clients must also communicate with each other through the Internet. The environment is unknown. Someone is using a symmetric NAT or cell phone to communicate through the public Internet. STUN and TURN server settings will be required.

Are there any public STUN and TURN servers?
There are several public STUN servers, such as stun:stun.l.google.com:19302.
There are no publicly available TURN servers. There is a TURN server provider from whom this service can be rented. UCConnect can also make STUN and TURN servers available.

Which software should I use to run my own STUN and TURN server(s)?
The coturn software supports all of the required features required to run WebRTC applications. See https://github.com/coturn/coturn also.

Version ProCall_Enterprise_7.5