Stun services, About stun, About ice – TANDBERG Security Camera User Manual

D14049.03
MAY 2008

TANDBERG VIDEO COMMUNICATIONS SERVER ADMINISTRATOR GUIDE

Configuring the VCS as a Traversal Server

About STUN

STUN is a network protocol that enables a SIP or H.323 client to
communicate via UDP or TCP from behind a NAT firewall.
The VCS Expressway can be configured to provide two types of
STUN services to traversal clients. These services are STUN
Binding Discovery and STUN Relay. Currently the VCS supports
STUN over UDP only.

STUN Services

STUN Relay

The STUN Relay service (formerly known as TURN) allows a client
to ask for data to be relayed to it from specific remote peers via
the relay server and through a single connection between the
client and the relay server.

How it works

A client behind a NAT firewall sends a STUN Allocate request to
the VCS Expressway which is acting as the STUN relay server.
The sending of this request opens a binding on the firewall. Upon
receipt of the request, the VCS Expressway opens a public IP
port on behalf of the client, and reports back to the client this IP
address and port, as well as details of the firewall binding. The
client can then provide this IP address and port to other systems
which may want to reach it.
The client can restrict the remote address and ports from which
the relay should forward on media. Any incoming calls to this IP
address and port on the VCS server are relayed via the allocated
binding on the NAT to the client.

STUN Binding Discovery

The STUN Binding Discovery service provides information back
to the client about the binding allocated by the NAT firewall being
traversed.

How it works

A client behind a NAT firewall sends a STUN discovery request
via the firewall to the VCS Expressway, which has been
configured as a STUN discovery server. Upon receipt of the
message, the VCS Expressway responds to the client with
information about the allocated NAT binding, i.e. the public IP
address and the ports being used.
The client can then provide this information to other systems
which may want to reach it, allowing it to be found even though it
is not directly available on the public internet.

The endpoint will only be reachable if the firewall has the
Endpoint-Independent Mapping behavior as described in
RFC 4787 [13].
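The reachability condition above can be checked by comparing the bindings that two different destinations report for the same local socket. The following is an added example, not code from the TANDBERG guide: it builds a Binding request, parses the reported address, and tests for Endpoint-Independent Mapping. It assumes the RFC 5389 message layout and the XOR-MAPPED-ADDRESS attribute, which the page does not specify for the VCS; the addresses are constructed documentation values and `build_binding_success` is a hypothetical stand-in for the server's reply.

```python
import os, socket, struct

MAGIC = 0x2112A442            # RFC 5389 magic cookie (assumed wire format)
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
XOR_MAPPED_ADDRESS = 0x0020   # assumption: page does not name the attribute

def build_binding_request(txid=None):
    """Return (20-byte Binding request with no attributes, transaction id)."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC, txid), txid

def build_binding_success(txid, ip, port):
    """Constructed stand-in for the discovery server's reply (IPv4 only)."""
    xport = port ^ (MAGIC >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC, txid) + attr

def parse_mapped_address(msg, txid):
    """Validate the header, then return the NAT binding as (ip, port)."""
    if len(msg) < 20:
        raise ValueError("short STUN message")
    mtype, mlen, cookie, rtxid = struct.unpack("!HHI12s", msg[:20])
    if (mtype, cookie, rtxid) != (BINDING_SUCCESS, MAGIC, txid):
        raise ValueError("not a success response to our request")
    if mlen != len(msg) - 20:
        raise ValueError("length field does not match datagram")
    off = 20
    while off + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        val = msg[off + 4:off + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and len(val) == 8 and val[1] == 0x01:
            xport, xaddr = struct.unpack("!HI", val[2:8])
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC))
            return ip, xport ^ (MAGIC >> 16)
        off += 4 + alen + (-alen % 4)   # attributes are padded to 4 bytes
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS attribute")

def endpoint_independent(bindings):
    """RFC 4787: one local socket maps to one public ip:port for every destination."""
    return len(bindings) > 1 and len(set(bindings)) == 1

if __name__ == "__main__":
    req, txid = build_binding_request()
    # Constructed replies from two different destinations for the same local socket.
    seen = [parse_mapped_address(build_binding_success(txid, "203.0.113.10", p), txid)
            for p in (40000, 40000)]
    print(seen, "endpoint-independent:", endpoint_independent(seen))
```

Against real servers, send both requests from one bound UDP socket so that the NAT sees a single internal address and port.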

About ICE

Currently, the most likely users of STUN services are ICE
endpoints.
ICE (Interactive Connectivity Establishment) is a collaborative
algorithm that works together with STUN services (and other
NAT traversal techniques) to allow clients to achieve firewall
traversal. The individual techniques on their own may allow
traversal in certain network topologies but not others. Also some
techniques may be less efficient than others, involving extra
hops (e.g. STUN Relay).
ICE involves the collecting of potential (candidate) points of
contact (IP address and port combination) via each of the
traversal techniques, the verification of peer-to-peer connectivity
via each of these points of contact and then the selection of the
“best” successful candidate point of contact to use.

For detailed information on the base STUN protocol and
the Binding Discovery service, refer to Session Traversal
Utilities for (NAT) (STUN) [11].

For detailed information on the STUN Relay service, refer to
Obtaining Relay Addresses from Simple Traversal Underneath
NAT (STUN) [12].

STUN Relays consume traversal call licences (three
relays take one licence) but they do not actually pass
through the traversal subzone.
