Difference between revisions of "STUN TURN Guide"

(Zimbra Connect TURN/STUN Server Overview)
Line 1: Line 1:
 +
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 9.0}}||}}
  
 +
=Zimbra Connect STUN/TURN Server Overview=
  
{{KB|{{ZC}}|{{ZCS 8.8.15}}<br>|{{ZCS 9.0}}|}}
+
For a Zimbra Connect implementation to communicate across network firewalls, you must integrate a STUN/TURN server. Typically, users within the same network can use Zimbra Connect video calls with no additional networking support. However, without a STUN/TURN server, Zimbra Connect peer-to-peer connections between networks fail.  
 
 
=Zimbra Connect TURN/STUN Server Overview=
 
 
 
For a successful Zimbra Connect implementation, a TURN/STUN server needs to be implemented. Typically, users within the same network will not have issues with Zimbra Connect. However, without a TURN/STUN server, Zimbra Connect peer-to-peer connections between networks will fail.  
 
 
   
 
   
'''''Failure of peer-to-peer connections between networks is not a Zimbra Connect bug.''''' This failure is a result of how networks are configured and how WebRTC communicates between clients. Zimbra Connect uses WebRTC, a peer to peer protocol that crosses different networks.  
+
'''''Failure of peer-to-peer connections between networks is not a Zimbra Connect bug.''''' Such failures are a result of network configuration and how WebRTC communicates between clients. Zimbra Connect uses WebRTC, a peer to peer protocol that crosses different networks.  
 
   
 
   
Zimbra created this wiki to provide our customers an overview and guidance on the STUN/TURN server implementation.
+
Zimbra created this wiki to provide you, our customers, with an overview and guidance for STUN/TURN server implementation.
  
 
==What is a STUN Server?==
 
==What is a STUN Server?==
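Review bot: The KB template at the top of this hunk changes its version argument from {{ZCS 8.8.15}} to {{ZCS 8.8}} and moves above the page heading; if the guide only applies from 8.8.15 onward, keep the specific release in the template. In the paragraph beginning "Failure of peer-to-peer connections", the phrase "a peer to peer protocol" should be hyphenated to match the start of that same paragraph.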
Line 17: Line 15:
 
==What is a TURN Server?==
 
==What is a TURN Server?==
  
A TURN server (Traversal Using Relay NAT) is used for multimedia applications to assist traversal of network addresses translators (NAT) or firewalls. End-to-end communication between pairs of endpoints does not reside on public networks but within private address spaces behind network address translators. A TURN Server is needed to bridge the networks: WebRTC traffic between different networks requires a TURN Server to relay the traffic between peers who reside on different networks.  
+
A TURN server (Traversal Using Relay NAT) is used for multimedia applications to assist traversal of network addresses translators (NAT) or firewalls. End-to-end communication between pairs of endpoints does not reside on public networks but within private address spaces behind network address translators. A TURN server is needed to bridge the networks: WebRTC traffic between different networks requires a TURN Server to relay the traffic between peers who reside on different networks.  
  
==What is WebRTC==
+
==What is WebRTC?==
  
WebRTC (Web Real-Time communications) provides peer-to-peer communication within browsers and mobile applications through an applications programming interface (API). It includes audio, video and data transfer, eliminating the need for plugins or native apps. It is supported by the latest releases of Chrome and Firefox. Zimbra Connect customers report that Chrome provides the best experience.  
+
WebRTC (Web Real-Time Communications) provides peer-to-peer communication within browsers and mobile applications through an application programming interface (API). It includes audio, video, and data transfer, eliminating the need for plugins or native apps. The latest releases of Chrome and Firefox support it. Zimbra Connect customers report that Chrome provides the best experience.  
  
If your users are experiencing the following issues, you will need a TURN server:
+
If your users are experiencing the following issues, you need a TURN server:
  
<ol>
+
# Some callers cannot connect.
<li>Some callers cannot connect. </li>
+
# Video and screen sharing are not working for some attendees.
<li>Video and screen sharing is not working for some attendees.</li>
+
# Audio is not working for some attendees.
<li>Audio is not working for some attendees.</li>
+
# Chat is not working for some attendees.
<li>Chat is not working for some attendees</li>
 
</ol>
 
  
  
Zimbra Connect itself doesn’t need a TURN/STUN server. A TURN/STUN server is needed by the remote clients on a video call, so that they can see each others’ video streams. When users’ workstations are NAT’d on different networks in different locations (i.e. they have IP addresses like 192.168.1.230 and 10.0.15.168), those two workstations route their video stream traffic through the TURN/STUN server, not through the Zimbra Connect server.
+
Zimbra Connect itself doesn't need a STUN/TURN server. A STUN/TURN server is needed by the remote clients on a video call so that they can see each others' video streams. When users' workstations are NAT'd on different networks in different locations (i.e., they have IP addresses like <code>192.168.1.230</code> and <code>10.0.15.168</code>), those two workstations route their video stream traffic through the STUN/TURN server, not through the Zimbra Connect server.
  
 
==STUN/TURN Setup Options==
 
==STUN/TURN Setup Options==
 
   
 
   
You have many choices for setting up a TURN/STUN server, and you can choose between many TURN PaaS (Platforms as a service) Providers.  Zimbra recommends that you review your options and choose what best meets your needs.
+
You have many choices for setting up a STUN/TURN server, and you can choose between many TURN PaaS (Platform-as-a-Service) Providers.  Zimbra recommends that you review your options and choose what best meets your needs.
 
   
 
   
Zimbra Support does not recommend using Free TURN/STUN server providers. Read this wiki from bloggeek.me to see why:
+
Zimbra Support does not recommend using Free STUN/TURN server providers. We can't say it any better than the explanation given in this wiki from ''bloggeek.me'': [https://bloggeek.me/google-free-turn-server/ Why Doesn't Google Provide a Free TURN Server?].
 
 
https://bloggeek.me/google-free-turn-server/
 
 
   
 
   
'''Zimbra Support does not support the setup, troubleshooting or maintenance of a TURN/STUN server. Zimbra Support recommends reviewing and understanding all setup requirements for your selected TURN/STUN server before proceeding with the Zimbra Connect installation.'''
+
'''Zimbra Support does not support the setup, troubleshooting, or maintenance of a STUN/TURN server. Zimbra Support recommends reviewing and understanding all setup requirements for your selected STUN/TURN server before proceeding with the Zimbra Connect installation.'''
 
   
 
   
If you choose to manage your own server instead of using a TURN PaaS Provider, most software packages contain both the TURN and STUN server functionality. Open source versions like ReSIPprocate, Coturn and Restund are maintained by the community and are reliable.   
+
If you choose to manage your server instead of using a TURN PaaS Provider, most software packages contain both the TURN and STUN server functionality. Open-source versions like ReSIPprocate, Coturn, and Restund are community-maintained and are reliable.   
 
   
 
   
If you run a local instance of a TURN/STUN server, setting up a system can be complex based on your network and security requirements. We have seen customers run into issues with:
+
If you run a local instance of a STUN/TURN server, setting up a system can be complex based on your network and security requirements. We have seen customers run into issues with:
 
   
 
   
<ol>
+
# WebSocket Traffic blocked by Firewall
<li>WebSocket Traffic being blocked by Firewall</li>
+
# Implementing multiple STUN/TURN servers with load balancers/proxy servers
<li>Implementing multiple TURN/STUN servers with load balancers / proxy servers</li>
+
# STUN/TURN Server tuning   
<li>TURN/STUN Server tuning</li>  
+
# Networks
<li>Networks</li>
 
</ol>
 
  
If you use coTturn or retund, here are some helpful wikis: 
 
  
<ol>
+
If you use ''coTurn'' or ''reTurn'', here are some helpful wikis:   
coTurn https://github.com/coturn/coturn/wiki
 
<br>
 
reTurn https://www.resiprocate.org/ReTurn_Overview
 
</ol>
 
  
 +
* coTurn  https://github.com/coturn/coturn/wiki
 +
* reTurn  https://www.resiprocate.org/ReTurn_Overview
  
The following link provides a good understanding of Standard Firewall Port needed for reverse proxy and Turn Server:   
+
 
<br>
+
The following link provides a good understanding of Standard Firewall Ports needed for reverse proxy and Turn servers:   
<ol>
+
 
https://docs.pexip.com/rp_turn/rpturn_ports.htm
+
* https://docs.pexip.com/rp_turn/rpturn_ports.htm
</ol>
+
 
<br>
+
 
Please also see Zimbra Connect section within the Zimbra Admin Guide at:
+
Please also see the [https://zimbra.github.io/adminguide/latest/#_zimbra_connect Zimbra Connect],  and [https://zimbra.github.io/adminguide/latest/#_stunturn_server STUN/TURN Server] sections of the  Zimbra Admin Guide.
<br>
+
 
<ol>
+
For more guidance on installing a TURN server, please see [https://forums.zimbra.com/viewtopic.php?f=45&t=67960&sid=2f85903f49bd050cd9116a9beb38d661 this Zimbra forum post] by Randy Leiker at Skyway Networks.
https://zimbra.github.io/adminguide/latest/#_zimbra_connect
+
 
</ol>
+
==STUN/TURN Server Sizing Recommendation:==
<br>
 
And TURN/STUN Server setting at:
 
<br>
 
<ol>
 
https://zimbra.github.io/adminguide/latest/#_stunturn_server
 
</ol>
 
<br>
 
For more guidance on installing a TURN server, please see the following posting on the Zimbra forums by Randy Leiker at Skyway Networks:
 
<br>
 
<ol>
 
http://forums.zimbra.com/viewtopic.php?f=45&t=67960&sid=2f85903f49bd050cd9116a9beb38d661
 
</ol>
 
<br>
 
==TURN/STUN Server Sizing Recommendation:==
 
 
   
 
   
Each TURN/STUN instance has its own recommendation, and Zimbra Support recommends reviewing the TURN/STUN documentation for guidance. However, Zimbra Support has seen a number of postings and recommendations stating the following as minimum requirements:  
+
Each STUN/TURN implementation has its recommendation, and Zimbra Support recommends reviewing the STUN/TURN documentation for guidance. However, Zimbra Support has seen several postings and recommendations stating the following as minimum requirements:  
 
   
 
   
<ol>
+
* At least 2 CPU
At least 2 CPU
+
* 8 GB of Memory, SSD may be used but not required
<br>
+
 
8 GB of Memory, SSD my be used but not required
 
</ol>
 
  
 +
'''Your network is the most important factor in the performance of a STUN/TURN server.'''
  
'''Your network is the most important factor in the performance of a TURN/STUN server.'''
+
You need to ensure the network supporting the STUN/TURN server has:
  
You need to ensure the network supporting the TURN/STUN has at least:
+
* HPPS (High package per second) performance
+
* Low network jitter (<=30ms)
<ol>
+
* Low latencies (<-150ms)
PPS (High package per second) performance <br>
 
Low network jitter (<=30ms) <br>
 
Low latencies (<-150ms)<br>
 
</ol>
 
  
 
==Bandwidth:==
 
==Bandwidth:==
  
 +
[[File:Zimbra_connect.png | right]]
  
<p style="text-align:center;">[[File:Zimbra_connect.png | alt="centered image"]]</p>
+
Zimbra Connect uses WebRTC, and all connections are peer-to-peer.  Customers have reported bandwidth usage at the client level ranging between 200 - 400 kb/second/attendee for stable audio and video. There are separate inbound and outbound connections for each attendee, each using 200 - 400 kb/sec. Usage increases by this range for each additional attendee.  
 
 
Zimbra Connect uses WebRTC, and all connections are peer-to-peer.  Customers have reported bandwidth usage at the client level ranging between 200 - 400 kb / second / attendee for stable audio and video. There are separate inbound and outbound connections for each attendee, each using 200 - 400 kb / sec. Usage increases by this range for each additional attendee.  
 
 
 
<ol>
 
200 * x = total bandwidth inbound + 200 * x = total bandwidth outbound
 
</ol>
 
  
 +
  200 * x = total bandwidth inbound + 200 * x = total bandwidth outbound
  
Client system performance will also affect the user experience.
+
Client system performance also affects the user experience.
  
The default setting for the maximum number of attendees with Zimbra Connect is configured as 5. From experience, we have seen conferences over 5 tend to develop performance issues, with 7-9 being the maximum number of attendees before the browser begins having more serious issues.
+
The default setting for the maximum number of attendees with Zimbra Connect is <code>5</code>. From experience, we have seen conferences over 5 tend to develop performance issues, with 7-9 being the maximum number of attendees before the browser begins having more severe issues.
  
 
==Client Side Testing:==
 
==Client Side Testing:==
  
Once the TURN/STUN server has been set up with Zimbra Connect configured, we recommend this test: start a 2 person session and increase attendees until users start experiencing performance issues. Then use chrome WebRTC debugging to obtain client side performance data by going to the following URL within the latest release of the browser:
+
Once the STUN/TURN server has been set up with Zimbra Connect configured, we recommend this test: start a 2 person session and increase attendees until users start experiencing performance issues. Then use chrome WebRTC debugging to obtain client-side performance data by going to the following URL within the latest release of the browser:
 
   
 
   
<ol>
+
* <nowiki>chrome://webrtc-internals/</nowiki>
chrome://webrtc-internals/ <br>
 
</ol>
 
  
  
Also review the TURN/STUN server logs for connection issues.
+
Review the STUN/TURN server logs for connection issues.
End Users and Admin’s can test the WebRTC performance by going to:
+
End Users and Admins can test the WebRTC performance by going to:
 
   
 
   
<ol>
+
* <nowiki>https://test.webrtc.org/</nowiki>
https://test.webrtc.org/ <br>
 
</ol>
 
  
  
To test the WebRTC of the TURN server, you will need to enter the same Server information you used to setup Zimbra Connect.
+
To test the WebRTC of the TURN server, you need to enter the same Server information you used to set up Zimbra Connect.
  
===''Other issues to be aware of:===
+
=== Other issues to be aware of:===
 
   
 
   
''Hairpinning:'' Hairpinning is a NAT loopback where two hosts on the same network or within close proximity send their media data to remote TURN servers. For example, two hosts in India send their media data to a TURN server within the Americas.
+
'''Hairpinning:''' Hairpinning is a NAT loopback where two hosts on the same network or within proximity send their media data to remote TURN servers. For example, two hosts in India send their media data to a TURN server within the Americas.
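Review bot: In the network requirements list, the new latency bullet still reads "Low latencies (<-150ms)"; it should be "<=150ms" to match the jitter bullet above it, and "HPPS (High package per second)" should say "packets". The setup paragraph names "ReSIPprocate, Coturn, and Restund" while the link list below it says "coTurn or reTurn", so pick one spelling per project and use it in both places. The forum link keeps a "sid=" query parameter that looks like a session identifier and is worth dropping from the URL.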

Revision as of 19:37, 28 April 2020

   KB 23919        Last updated on 2020-04-28  





Zimbra Connect STUN/TURN Server Overview

For a Zimbra Connect implementation to communicate across network firewalls, you must integrate a STUN/TURN server. Typically, users within the same network can use Zimbra Connect video calls with no additional networking support. However, without a STUN/TURN server, Zimbra Connect peer-to-peer connections between networks fail.

Failure of peer-to-peer connections between networks is not a Zimbra Connect bug. Such failures are a result of network configuration and how WebRTC communicates between clients. Zimbra Connect uses WebRTC, a peer-to-peer protocol that crosses different networks.

Zimbra created this wiki to provide you, our customers, with an overview and guidance for STUN/TURN server implementation.

What is a STUN Server?

A STUN server (Session Traversal of User Datagram Protocol [UDP] Through Network Address Translators [NATs]) allows NAT clients to set up voice calls to a VoIP provider hosted outside the local network.

What is a TURN Server?

A TURN server (Traversal Using Relay NAT) is used by multimedia applications to assist traversal of network address translators (NAT) or firewalls. The endpoints of a call do not reside on public networks but within private address spaces behind network address translators. A TURN server is needed to bridge the networks: WebRTC traffic between different networks requires a TURN server to relay the traffic between peers who reside on different networks.

What is WebRTC?

WebRTC (Web Real-Time Communications) provides peer-to-peer communication within browsers and mobile applications through an application programming interface (API). It includes audio, video, and data transfer, eliminating the need for plugins or native apps. The latest releases of Chrome and Firefox support it. Zimbra Connect customers report that Chrome provides the best experience.

If your users are experiencing the following issues, you need a TURN server:

  1. Some callers cannot connect.
  2. Video and screen sharing are not working for some attendees.
  3. Audio is not working for some attendees.
  4. Chat is not working for some attendees.


Zimbra Connect itself doesn't need a STUN/TURN server. A STUN/TURN server is needed by the remote clients on a video call so that they can see each other's video streams. When users' workstations are NAT'd on different networks in different locations (for example, they have IP addresses like 192.168.1.230 and 10.0.15.168), those two workstations route their video stream traffic through the STUN/TURN server, not through the Zimbra Connect server.

STUN/TURN Setup Options

You have many choices for setting up a STUN/TURN server, and you can choose between many TURN PaaS (Platform-as-a-Service) Providers. Zimbra recommends that you review your options and choose what best meets your needs.

Zimbra Support does not recommend using free STUN/TURN server providers. We can't say it any better than the explanation given in this wiki from bloggeek.me: Why Doesn't Google Provide a Free TURN Server? (https://bloggeek.me/google-free-turn-server/).

Zimbra Support does not support the setup, troubleshooting, or maintenance of a STUN/TURN server. Zimbra Support recommends reviewing and understanding all setup requirements for your selected STUN/TURN server before proceeding with the Zimbra Connect installation.

If you choose to manage your own server instead of using a TURN PaaS Provider, most software packages contain both the TURN and STUN server functionality. Open-source versions like reSIProcate, Coturn, and Restund are community-maintained and are reliable.

If you run a local instance of a STUN/TURN server, setting up a system can be complex based on your network and security requirements. We have seen customers run into issues with:

  1. WebSocket Traffic blocked by Firewall
  2. Implementing multiple STUN/TURN servers with load balancers/proxy servers
  3. STUN/TURN Server tuning
  4. Networks


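If you use coTurn or reTurn, here are some helpful wikis:

  • coTurn: https://github.com/coturn/coturn/wiki
  • reTurn: https://www.resiprocate.org/ReTurn_Overview

The following link provides a good understanding of the standard firewall ports needed for reverse proxy and TURN servers:

  • https://docs.pexip.com/rp_turn/rpturn_ports.htm

Please also see the Zimbra Connect (https://zimbra.github.io/adminguide/latest/#_zimbra_connect) and STUN/TURN Server (https://zimbra.github.io/adminguide/latest/#_stunturn_server) sections of the Zimbra Admin Guide.

For more guidance on installing a TURN server, please see this Zimbra forum post by Randy Leiker at Skyway Networks: https://forums.zimbra.com/viewtopic.php?f=45&t=67960&sid=2f85903f49bd050cd9116a9beb38d661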

STUN/TURN Server Sizing Recommendation:

Each STUN/TURN implementation has its own recommendations, and Zimbra Support recommends reviewing the STUN/TURN documentation for guidance. However, Zimbra Support has seen several postings and recommendations stating the following as minimum requirements:

  • At least 2 CPU
  • 8 GB of Memory, SSD may be used but not required


Your network is the most important factor in the performance of a STUN/TURN server.

You need to ensure the network supporting the STUN/TURN server has:

  • High PPS (packets per second) performance
  • Low network jitter (<=30ms)
  • Low latencies (<=150ms)

Bandwidth:

[Figure: Zimbra_connect.png]

Zimbra Connect uses WebRTC, and all connections are peer-to-peer. Customers have reported bandwidth usage at the client level ranging between 200 - 400 kb/second/attendee for stable audio and video. There are separate inbound and outbound connections for each attendee, each using 200 - 400 kb/sec. Usage increases by this range for each additional attendee.

 200 * x = total bandwidth inbound + 200 * x = total bandwidth outbound 

Client system performance also affects the user experience.

The default setting for the maximum number of attendees with Zimbra Connect is 5. From experience, we have seen conferences over 5 tend to develop performance issues, with 7-9 being the maximum number of attendees before the browser begins having more severe issues.

Client Side Testing:

Once the STUN/TURN server has been set up and Zimbra Connect is configured, we recommend this test: start a two-person session and increase attendees until users start experiencing performance issues. Then use Chrome WebRTC debugging to obtain client-side performance data by going to the following URL within the latest release of the browser:

  • chrome://webrtc-internals/


Review the STUN/TURN server logs for connection issues. End users and admins can test the WebRTC performance by going to:

  • https://test.webrtc.org/


To test WebRTC connectivity through the TURN server, you need to enter the same server information you used to set up Zimbra Connect.
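When reading the results of such a test, or the candidate lines shown in chrome://webrtc-internals/, the thing to look for is a candidate of type relay: only that proves the TURN server accepted your credentials and allocated a relay. The following added example (not Zimbra code) classifies candidate lines and reports a verdict; the function names and sample lines are constructed, and the iceServers value passed to gatherCandidates is whatever server information you configured, for example a hypothetical { urls: "turn:turn.example.com:3478", username, credential }.

```javascript
// SAMPLE_CANDIDATES is constructed; 203.0.113.7 and 198.51.100.20 are documentation addresses.
const PRIVATE_V4 = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./];

// Parse one "candidate:..." line (SDP ICE candidate grammar) into the fields used below.
function parseCandidate(line) {
  const text = line.trim().replace(/^a=/, "");
  const m = /^candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(.*)$/.exec(text);
  if (!m) return null;
  const rel = /raddr (\S+) rport (\d+)/.exec(m[8]);
  return {
    component: Number(m[2]),
    transport: m[3].toLowerCase(),
    address: m[5],
    port: Number(m[6]),
    type: m[7], // host, srflx (learned via STUN) or relay (allocated on TURN)
    relatedAddress: rel ? rel[1] : null,
    isPrivate: PRIVATE_V4.some((re) => re.test(m[5])),
  };
}

// Count candidates by type and say what that means for calls between networks.
function summarize(lines) {
  const parsed = lines.map(parseCandidate).filter(Boolean);
  const count = (t) => parsed.filter((c) => c.type === t).length;
  const summary = { host: count("host"), srflx: count("srflx"), relay: count("relay") };
  if (summary.relay > 0) {
    summary.verdict = "TURN relay available";
  } else if (summary.srflx > 0) {
    summary.verdict = "STUN only: no relay, calls can fail behind restrictive NATs or firewalls";
  } else {
    summary.verdict = "no STUN/TURN candidates: check server settings, credentials and firewall";
  }
  return summary;
}

// Browser-only helper: gather candidates using the configured server information.
async function gatherCandidates(iceServers, timeoutMs = 5000) {
  const pc = new RTCPeerConnection({ iceServers });
  const lines = [];
  pc.createDataChannel("probe"); // gives ICE something to gather candidates for
  const done = new Promise((resolve) => {
    pc.onicecandidate = (e) => {
      if (e.candidate) lines.push(e.candidate.candidate);
      else resolve(); // null candidate marks the end of gathering
    };
    setTimeout(resolve, timeoutMs);
  });
  await pc.setLocalDescription(await pc.createOffer());
  await done;
  pc.close();
  return lines;
}

const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.230 54321 typ host",
  "candidate:2 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.230 rport 54321",
  "candidate:3 1 udp 41885439 198.51.100.20 49160 typ relay raddr 203.0.113.7 rport 54321",
];
```

In a browser console, `summarize(await gatherCandidates([...]))` returns the same summary for your live configuration.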

Other issues to be aware of:

Hairpinning: Hairpinning is a NAT loopback where two hosts on the same network or in close proximity send their media data to remote TURN servers. For example, two hosts in India send their media data to a TURN server within the Americas.
