Difference between revisions of "STUN TURN Guide"
Revision as of 21:51, 28 April 2020
Zimbra Connect STUN/TURN Server Overview
For a Zimbra Connect implementation to communicate across network firewalls, you must integrate a STUN/TURN server. Typically, users within the same network can use Zimbra Connect video calls with no additional networking support. However, without a STUN/TURN server, Zimbra Connect peer-to-peer connections between networks fail.
Failure of peer-to-peer connections between networks is not a Zimbra Connect bug. Such failures are a result of network configuration and how WebRTC communicates between clients. Zimbra Connect uses WebRTC, a peer to peer protocol that crosses different networks.
Zimbra created this wiki to provide you, our customers, with an overview and guidance for STUN/TURN server implementation.
What is a STUN Server?
A STUN server (Session Traversal of User Datagram Protocol [UDP] Through Network Address Translators [NATs]) allows NAT clients to set up voice calls to a VoIP provider hosted outside the local network.
What is a TURN Server?
A TURN server (Traversal Using Relay NAT) is used for multimedia applications to assist traversal of network addresses translators (NAT) or firewalls. End-to-end communication between pairs of endpoints does not reside on public networks but within private address spaces behind network address translators. A TURN server is needed to bridge the networks: WebRTC traffic between different networks requires a TURN Server to relay the traffic between peers who reside on different networks.
What is WebRTC?
WebRTC (Web Real-Time Communications) provides peer-to-peer communication within browsers and mobile applications through an application programming interface (API). It includes audio, video, and data transfer, eliminating the need for plugins or native apps. The latest releases of Chrome and Firefox support it. Zimbra Connect customers report that Chrome provides the best experience.
If your users are experiencing the following issues, you need a TURN server:
- Some callers cannot connect.
- Video and screen sharing are not working for some attendees.
- Audio is not working for some attendees.
- Chat is not working for some attendees.
Zimbra Connect itself doesn't need a STUN/TURN server. A STUN/TURN server is needed by the remote clients on a video call so that they can see each others' video streams. When users' workstations are NAT'd on different networks in different locations (i.e., they have IP addresses like
10.0.15.168), those two workstations route their video stream traffic through the STUN/TURN server, not through the Zimbra Connect server.
STUN/TURN Setup Options
You have many choices for setting up a STUN/TURN server, and you can choose between many TURN PaaS (Platform-as-a-Service) Providers. Zimbra recommends that you review your options and choose what best meets your needs.
Zimbra Support does not recommend using Free STUN/TURN server providers. We can't say it any better than the explanation given in this wiki from bloggeek.me: Why Doesn't Google Provide a Free TURN Server?.
Zimbra Support does not support the setup, troubleshooting, or maintenance of a STUN/TURN server. Zimbra Support recommends reviewing and understanding all setup requirements for your selected STUN/TURN server before proceeding with the Zimbra Connect installation.
If you choose to manage your server instead of using a TURN PaaS Provider, most software packages contain both the TURN and STUN server functionality. Open-source versions like ReSIPprocate, Coturn, and Restund are community-maintained and are reliable.
If you run a local instance of a STUN/TURN server, setting up a system can be complex based on your network and security requirements. We have seen customers run into issues with:
- WebSocket Traffic blocked by Firewall
- Implementing multiple STUN/TURN servers with load balancers/proxy servers
- STUN/TURN Server tuning
If you use coTurn or reTurn, here are some helpful wikis:
The following link provides a good understanding of Standard Firewall Ports needed for reverse proxy and Turn servers:
For more guidance on installing a TURN server, please see this Zimbra forum post by Randy Leiker at Skyway Networks.
STUN/TURN Server Sizing Recommendation:
Each STUN/TURN implementation has its recommendation, and Zimbra Support recommends reviewing the STUN/TURN documentation for guidance. However, Zimbra Support has seen several postings and recommendations stating the following as minimum requirements:
- At least 2 CPU
- 8 GB of Memory, SSD may be used but not required
Your network is the most important factor in the performance of a STUN/TURN server.
You need to ensure the network supporting the STUN/TURN server has:
- HPPS (High package per second) performance
- Low network jitter (<=30ms)
- Low latencies (<-150ms)
Zimbra Connect uses WebRTC, and all connections are peer-to-peer. Customers have reported bandwidth usage at the client level ranging between 200 - 400 kb/second/attendee for stable audio and video. There are separate inbound and outbound connections for each attendee, each using 200 - 400 kb/sec. Usage increases by this range for each additional attendee.
200 * x = total bandwidth inbound + 200 * x = total bandwidth outbound
Client system performance also affects the user experience.
The default setting for the maximum number of attendees with Zimbra Connect is
5. From experience, we have seen conferences over 5 tend to develop performance issues, with 7-9 being the maximum number of attendees before the browser begins having more severe issues.
Client Side Testing:
Once the STUN/TURN server has been set up with Zimbra Connect configured, we recommend this test: start a 2 person session and increase attendees until users start experiencing performance issues. Then use chrome WebRTC debugging to obtain client-side performance data by going to the following URL within the latest release of the browser:
Review the STUN/TURN server logs for connection issues. End Users and Admins can test the WebRTC performance by going to:
To test the WebRTC of the TURN server, you need to enter the same Server information you used to set up Zimbra Connect.
Other issues to be aware of:
Hairpinning: Hairpinning is a NAT loopback where two hosts on the same network or within proximity send their media data to remote TURN servers. For example, two hosts in India send their media data to a TURN server within the Americas.