Getting through firewalls

When a user is in a developed country, at their home or using a mobile Internet connection, they may be behind a NAT router but the firewall on these devices is usually very permissive for connections initiated by the user. In the vast majority of cases, the user will be able to initiate outbound TCP connections to any destination (such as a SIP, XMPP or WebSocket server on any arbitrary port number) and will be able to send and receive UDP.

For some NAT routers, the UDP flows will only work reliably when the peer is using a public IP address. This problem is automatically detected by ICE connectivity checks and it is resolved by sending the UDP packets through the TURN server.

For users with more repressive Internet providers, in some less sophisticated wifi hotspots and in some corporate networks there are more aggressive firewall policies. With a little care, the RTC deployment can be designed to work reliably in many of these environments too.

The first issue is the signalling connection, whether it is SIP, XMPP or WebSockets. More restricted corporate networks block outgoing TCP connections, except for those on port 80 or 443, which they redirect to a transparent proxy.

As a consequence of this TCP blocking, it should be anticipated that the user's softphone may need to use the HTTP proxy for all RTC traffic, including media streaming and signalling.

HTTP Proxy servers have a number of issues. Older proxy servers do not understand the WebSocket protocol and newer proxy servers are not always configured to allow the WebSocket protocol by default. To avoid these problems, it is recommended that the WebSocket connection should always use TLS (WebRTC clients uses a wss:// URL instead of a ws:// URL) and the port 443 only. Many HTTP proxy servers are correctly configured to allow the web browser to use the HTTP CONNECT method to initiate pass-through connections to https:// URLs using the default port, 443. Sometimes, however, the HTTP proxy does not allow any port other than 443. Thanks to the encryption provided by TLS, the proxy server can not observe whether the HTTP CONNECT method is being used to reach a web server, a SIP server, a WebSocket server or even something else such as an ssh server. Therefore, all services, including SIP over TLS, XMPP client connectivity (c2s), TURN over TLS and WebSockets, should listen on port 443 so that any of them can be reached by a user stuck behind a HTTP proxy.

The next issue is the transmission of UDP. In some networks, users simply can not exchange any UDP packets with external hosts. The only resolution to this issue is to tunnel the UDP packets through TCP. Fortunately, the TURN server can also assist, as the TURN specification includes support for tunneling packets through a TLS connection. To maximize the chance of success, it is recommended that the TURN server is also configured to listen on port 443 so that the connection to the TURN server will be able to pass through HTTP proxy servers using the HTTP CONNECT method.

This strategy often requires several different processes (the standard SIP server, the XMPP c2s service, the webserver hosting a WebRTC phone, the WebSocket server and the TURN server) to all listen on the same port, 443. For multiple processes to use the same port, it is necessary to either have a different public IP address for each process or to use a solution for port multiplexing, such as the sslh daemon.

With these strategies, connectivity will be possible for the vast majority of Internet users, whether at home, at the office or on the road.