Edge Architecture

Overall Architecture

[Figure: Edge architecture, high-level view]

As the schema above shows, the Edge Solution is meant to be placed inside the company's DMZ.

From the external world, only the Edge Solution is visible. Only HTTPS and TURN flows should be authorized from the outside; see Network Flows for details.

The Edge Solution is composed of three components:

  • a Web Proxy
  • a SIP Proxy
  • and a TURN Server

These components can be installed:

Network Flows

From the outside (WAN to DMZ)

[Figure: network flows, external to DMZ]

| From | To | Ports to open | Usage |
|------|----|---------------|-------|
| Outside (Any) | Web Proxy (DMZ_IP1) | TCP/443 | UC Application from External Users |
| Outside (Any) | TURN Server (DMZ_IP3) | UDP/3478, TCP/3478 | STUN/TURN via UDP, TCP |
| Outside (Any) | TURN Server (DMZ_IP3) | UDP/30000-39999, TCP/30000-39999 | RTP flow between remote WebRTC client and TURN Server |

Internally (DMZ to LAN)

[Figure: network flows, DMZ to internal]

| From/To | To/From | Ports to open | Usage |
|---------|---------|---------------|-------|
| Web Proxy (DMZ_IP1) | XiVO CC (LAN_IP1) | TCP/443 | Proxified UC application from Edge towards CC/UC Server |
| Web Proxy (DMZ_IP1) | UC Clients (LAN*) | TCP/443 | UC Application for Internal Users |
| TURN Server (DMZ_IP3) | Mediaservers, inc. Main (LAN_IP2, LAN_IP3) | UDP/3478, TCP/3478 | STUN/TURN request between Asterisk and TURN Server |
| TURN Server (DMZ_IP3) | Mediaservers, inc. Main (LAN_IP2, LAN_IP3) | UDP/30000-39999, TCP/30000-39999 | RTP flow between Asterisk and TURN Server (when using TURN) |
| SIP Proxy (DMZ_IP2) | Mediaservers, inc. Main (LAN_IP2, LAN_IP3) | UDP/5060 (both ways) | SIP flow between Asterisk(s) and SIP Proxy |

Access for internal clients towards Edge servers (LAN to DMZ):

| From | To | Ports to open | Usage |
|------|----|---------------|-------|
| UC Clients (Any LAN) | Web Proxy (DMZ_IP1) | TCP/443 | UC Application for Internal Users |
| UC Clients (Any LAN) | TURN Server (DMZ_IP3) | UDP/3478, TCP/3478 | STUN/TURN request between UC Clients and TURN Server |

Inside DMZ

| From/To | To/From | Ports to open | Usage |
|---------|---------|---------------|-------|
| Web Proxy (DMZ_IP1) | SIP Proxy (DMZ_IP2) | TCP/443 | WebSocket for SIP |

This rule is probably unneeded (traffic between servers inside the DMZ is in most cases unfiltered), but if it is filtered, this flow must be authorized.
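The flow tables above are, in effect, the firewall policy for the DMZ. The following added example (not part of the XiVO documentation) encodes them as data so that the policy can be checked with a default-deny lookup and rendered as an nftables forward chain. The addresses, the LAN/DMZ ranges, the `eth0` WAN interface name and the hypothetical `OUTSIDE` pseudo-host are constructed placeholders standing in for the page's DMZ_IP1..3 and LAN_IP1..3; only the ports, directions and usages come from the tables. Replies to permitted flows are handled by a single connection-tracking rule, so only the SIP row, which the page marks "Both ways", is emitted in both directions.

```python
"""
Edge DMZ flow matrix as data: a default-deny lookup plus an nftables
ruleset generator. Added example, not part of the XiVO documentation.
Addresses, ranges and interface names are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Placeholder addresses (constructed): replace with the real DMZ/LAN addresses.
HOSTS = {
    "DMZ_IP1": "192.0.2.1",    # Web Proxy
    "DMZ_IP2": "192.0.2.2",    # SIP Proxy
    "DMZ_IP3": "192.0.2.3",    # TURN Server
    "LAN_IP1": "10.0.0.1",     # XiVO CC
    "LAN_IP2": "10.0.0.2",     # Mediaserver (main)
    "LAN_IP3": "10.0.0.3",     # Mediaserver
    "LAN":     "10.0.0.0/8",   # any LAN host (UC clients)
}
INTERNAL_NETS = ("10.0.0.0/8", "192.0.2.0/24")   # LAN + DMZ ranges (constructed)
WAN_IF = "eth0"                                  # placeholder WAN interface name
OUTSIDE = "OUTSIDE"                              # hypothetical pseudo-host: anything not internal


@dataclass(frozen=True)
class Flow:
    src: tuple          # host keys from HOSTS, or (OUTSIDE,)
    dst: tuple
    proto: str          # "tcp" or "udp"
    ports: tuple        # (low, high), inclusive
    usage: str
    both_ways: bool = False   # only the SIP row is marked "Both ways" on the page


MEDIA = ("LAN_IP2", "LAN_IP3")
FLOWS = [
    # WAN -> DMZ: only HTTPS and TURN are exposed
    Flow((OUTSIDE,), ("DMZ_IP1",), "tcp", (443, 443), "UC application from external users"),
    Flow((OUTSIDE,), ("DMZ_IP3",), "udp", (3478, 3478), "STUN/TURN via UDP"),
    Flow((OUTSIDE,), ("DMZ_IP3",), "tcp", (3478, 3478), "STUN/TURN via TCP"),
    Flow((OUTSIDE,), ("DMZ_IP3",), "udp", (30000, 39999), "RTP remote WebRTC client to TURN"),
    Flow((OUTSIDE,), ("DMZ_IP3",), "tcp", (30000, 39999), "RTP remote WebRTC client to TURN"),
    # DMZ -> LAN
    Flow(("DMZ_IP1",), ("LAN_IP1",), "tcp", (443, 443), "proxied UC application towards CC/UC server"),
    Flow(("DMZ_IP1",), ("LAN",), "tcp", (443, 443), "UC application for internal users"),
    Flow(("DMZ_IP3",), MEDIA, "udp", (3478, 3478), "STUN/TURN Asterisk to TURN"),
    Flow(("DMZ_IP3",), MEDIA, "tcp", (3478, 3478), "STUN/TURN Asterisk to TURN"),
    Flow(("DMZ_IP3",), MEDIA, "udp", (30000, 39999), "RTP Asterisk to TURN"),
    Flow(("DMZ_IP3",), MEDIA, "tcp", (30000, 39999), "RTP Asterisk to TURN"),
    Flow(("DMZ_IP2",), MEDIA, "udp", (5060, 5060), "SIP between Asterisk and SIP Proxy", both_ways=True),
    # LAN -> DMZ
    Flow(("LAN",), ("DMZ_IP1",), "tcp", (443, 443), "UC application for internal users"),
    Flow(("LAN",), ("DMZ_IP3",), "udp", (3478, 3478), "STUN/TURN UC clients to TURN"),
    Flow(("LAN",), ("DMZ_IP3",), "tcp", (3478, 3478), "STUN/TURN UC clients to TURN"),
    # inside DMZ
    Flow(("DMZ_IP1",), ("DMZ_IP2",), "tcp", (443, 443), "WebSocket for SIP"),
]


def _matches(ip, hosts):
    """True if ip belongs to one of the named hosts/networks (OUTSIDE = not internal)."""
    addr = ip_address(ip)
    if hosts == (OUTSIDE,):
        return not any(addr in ip_network(n) for n in INTERNAL_NETS)
    return any(addr in ip_network(HOSTS[h]) for h in hosts)


def is_allowed(src_ip, dst_ip, proto, port):
    """Default deny: return the matching Flow, or None if nothing in the matrix permits it."""
    for f in FLOWS:
        if proto != f.proto or not (f.ports[0] <= port <= f.ports[1]):
            continue
        if _matches(src_ip, f.src) and _matches(dst_ip, f.dst):
            return f
        if f.both_ways and _matches(src_ip, f.dst) and _matches(dst_ip, f.src):
            return f
    return None


def _addr_set(hosts):
    """Render one address, or an anonymous nft set for several."""
    addrs = [HOSTS[h] for h in hosts]
    return addrs[0] if len(addrs) == 1 else "{ " + ", ".join(addrs) + " }"


def nft_rules():
    """Render the matrix as an nftables forward chain with policy drop."""
    lines = [
        f"define wan_if = {WAN_IF}",
        "table inet edge_dmz {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for f in FLOWS:
        pairs = [(f.src, f.dst)] + ([(f.dst, f.src)] if f.both_ways else [])
        for src, dst in pairs:
            lo, hi = f.ports
            dport = str(lo) if lo == hi else f"{lo}-{hi}"
            src_match = "iifname $wan_if" if src == (OUTSIDE,) else f"ip saddr {_addr_set(src)}"
            lines.append(f'    {src_match} ip daddr {_addr_set(dst)} {f.proto} dport {dport} '
                         f'accept comment "{f.usage}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_rules())
```

Running the module prints the generated ruleset; `is_allowed()` is useful for reviewing a proposed change before it reaches the firewall, for instance to confirm that SIP on UDP/5060 is reachable from the mediaservers but not from the outside, and that LAN clients only reach the TURN server on 3478 and not on the RTP relay range.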