Edge Architecture

Overall Architecture

(figure: edge_archi_highlevelview)

As shown in the diagram above, the Edge Solution is deployed inside the company DMZ.

From the outside only the Edge Solution is visible. Only HTTPS (TCP/443, towards the Web Proxy) and STUN/TURN flows (towards the TURN Server) should be authorized from the outside. In particular the SIP Proxy is never exposed directly: SIP from external clients reaches it as WebSocket traffic carried over HTTPS through the Web Proxy. See Network Flows for details.

The Edge Solution is composed of three components:

  • a Web Proxy

  • a SIP Proxy

  • and a TURN Server

These components can be installed:

Network Flows

From the outside (WAN to DMZ)

(figure: network_flows_external_to_dmz)

From          | To                    | Ports to open                    | Usage
--------------|-----------------------|----------------------------------|------------------------------------------------------
Outside (Any) | Web Proxy (DMZ_IP1)   | TCP/443                          | UC Application from External Users
Outside (Any) | TURN Server (DMZ_IP3) | UDP/3478, TCP/3478               | STUN/TURN via UDP, TCP
Outside (Any) | TURN Server (DMZ_IP3) | UDP/30000-39999, TCP/30000-39999 | RTP flow between remote WebRTC client and TURN Server

Internally (DMZ to LAN)

(figure: network_flows_dmz_to_internal)

From                  | To                                         | Ports to open   | Usage
----------------------|--------------------------------------------|-----------------|------------------------------------------------------
Web Proxy (DMZ_IP1)   | XiVO CC (LAN_IP1)                          | TCP/443         | Proxied UC application from Edge towards CC/UC Server
TURN Server (DMZ_IP3) | Mediaservers, inc. Main (LAN_IP2, LAN_IP3) | UDP/10000-20000 | RTP flow between TURN Server and Asterisk(s)
SIP Proxy (DMZ_IP2)   | Mediaservers, inc. Main (LAN_IP2, LAN_IP3) | UDP/5060        | SIP flow between SIP Proxy and Asterisk(s)

Supplementary ports for Meetingroom (DMZ to LAN)

If you have a Meetingroom server in your installation, you must also open these ports from the DMZ towards the LAN:

From                  | To                    | Ports to open | Usage
----------------------|-----------------------|---------------|---------------------------------------------------------------
Web Proxy (DMZ_IP1)   | XiVO (LAN_IP2)        | TCP/443       | Proxied Meetingroom API from Edge towards XiVO Server
TURN Server (DMZ_IP3) | Meetingroom (LAN_IP4) | UDP/10000     | RTP flow between TURN Server and Meetingroom (when using TURN)

Internally (LAN to DMZ)

(figure: network_flows_internal_to_dmz)

Here are the flows to open from the LAN towards the Edge servers (LAN to DMZ):

From                                       | To                    | Ports to open                    | Usage
-------------------------------------------|-----------------------|----------------------------------|--------------------------------------------------------
UC Clients (Any LAN)                       | Web Proxy (DMZ_IP1)   | TCP/443                          | UC Application for Internal Users
UC Clients (Any LAN)                       | TURN Server (DMZ_IP3) | UDP/3478, TCP/3478               | STUN/TURN requests between UC Clients and TURN Server
Mediaservers, inc. Main (LAN_IP2, LAN_IP3) | SIP Proxy (DMZ_IP2)   | UDP/5060                         | SIP flow between Asterisk(s) and SIP Proxy
Mediaservers, inc. Main (LAN_IP2, LAN_IP3) | TURN Server (DMZ_IP3) | UDP/3478, TCP/3478               | STUN/TURN requests between Mediaservers and TURN Server
Mediaservers, inc. Main (LAN_IP2, LAN_IP3) | TURN Server (DMZ_IP3) | UDP/30000-39999, TCP/30000-39999 | RTP flow between Asterisk(s) and TURN Server

Supplementary ports for Meetingroom (LAN to DMZ)

If you have a Meetingroom server in your installation, you must also open these ports from the LAN towards the DMZ:

From                  | To                    | Ports to open                    | Usage
----------------------|-----------------------|----------------------------------|-------------------------------------------------------
Meetingroom (LAN_IP4) | TURN Server (DMZ_IP3) | UDP/3478, TCP/3478               | STUN/TURN requests between Meetingroom and TURN Server
Meetingroom (LAN_IP4) | TURN Server (DMZ_IP3) | UDP/30000-39999, TCP/30000-39999 | RTP flow between Meetingroom and TURN Server

Inside DMZ

From/To             | To/From             | Ports to open | Usage
--------------------|---------------------|---------------|------------------
Web Proxy (DMZ_IP1) | SIP Proxy (DMZ_IP2) | TCP/443       | WebSocket for SIP

This rule is normally not needed, since traffic between servers inside the DMZ is in most cases unfiltered. Where it is filtered, this flow must be authorized in both directions.
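The flow tables above form an allow-list: anything not listed, in particular any WAN traffic towards the SIP Proxy, should be dropped. The following Python script is an added example and is not XiVO's own code or configuration. It encodes every row of the tables (the Meetingroom rows as an optional extra), answers whether a given source/destination/protocol/port tuple is permitted, lists which DMZ hosts the outside can reach at all, and renders the rows as an nftables forward chain with a drop policy. The host labels are the placeholders used in the tables; `$WAN_IF` and `$LAN_NET` are assumed nftables variables (external interface and internal network) that a real site must define, and the generated ruleset is illustrative rather than a drop-in firewall configuration.

```python
"""Allow-list model of the Edge flow tables (added example, not part of XiVO).

Every entry is one row of the tables: who may talk to whom, over which protocol
and destination port range. Anything absent is denied. Host labels are the
placeholders from the tables (DMZ_IP1, LAN_IP2 ...); $WAN_IF and $LAN_NET are
assumed nftables variables that have to be defined for the real site.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Flow:
    src: str      # zone ("WAN", "LAN") or host label ("DMZ_IP3", "LAN_IP2", ...)
    dst: str      # host label
    proto: str    # "tcp" or "udp"
    first: int    # first destination port of the range
    last: int     # last destination port (equal to first for a single port)


def flow(src: str, dst: str, proto: str, first: int, last: Optional[int] = None) -> Flow:
    return Flow(src, dst, proto, first, first if last is None else last)


MEDIASERVERS = ("LAN_IP2", "LAN_IP3")   # Asterisk hosts, including the main one

FLOWS: List[Flow] = [
    # From the outside (WAN to DMZ): only the Web Proxy and the TURN Server.
    flow("WAN", "DMZ_IP1", "tcp", 443),
    flow("WAN", "DMZ_IP3", "udp", 3478),
    flow("WAN", "DMZ_IP3", "tcp", 3478),
    flow("WAN", "DMZ_IP3", "udp", 30000, 39999),
    flow("WAN", "DMZ_IP3", "tcp", 30000, 39999),
    # Internally (DMZ to LAN)
    flow("DMZ_IP1", "LAN_IP1", "tcp", 443),
    *[flow("DMZ_IP3", ms, "udp", 10000, 20000) for ms in MEDIASERVERS],
    *[flow("DMZ_IP2", ms, "udp", 5060) for ms in MEDIASERVERS],
    # Internally (LAN to DMZ)
    flow("LAN", "DMZ_IP1", "tcp", 443),
    flow("LAN", "DMZ_IP3", "udp", 3478),
    flow("LAN", "DMZ_IP3", "tcp", 3478),
    *[flow(ms, "DMZ_IP2", "udp", 5060) for ms in MEDIASERVERS],
    *[flow(ms, "DMZ_IP3", p, 3478) for ms in MEDIASERVERS for p in ("udp", "tcp")],
    *[flow(ms, "DMZ_IP3", p, 30000, 39999) for ms in MEDIASERVERS for p in ("udp", "tcp")],
    # Inside DMZ (WebSocket for SIP, both directions)
    flow("DMZ_IP1", "DMZ_IP2", "tcp", 443),
    flow("DMZ_IP2", "DMZ_IP1", "tcp", 443),
]

# Supplementary rows when a Meetingroom server (LAN_IP4) is installed.
MEETINGROOM_FLOWS: List[Flow] = [
    flow("DMZ_IP1", "LAN_IP2", "tcp", 443),        # proxied Meetingroom API towards XiVO
    flow("DMZ_IP3", "LAN_IP4", "udp", 10000),      # RTP from TURN Server to Meetingroom
    *[flow("LAN_IP4", "DMZ_IP3", p, 3478) for p in ("udp", "tcp")],
    *[flow("LAN_IP4", "DMZ_IP3", p, 30000, 39999) for p in ("udp", "tcp")],
]


def is_allowed(src: str, dst: str, proto: str, dport: int,
               flows: List[Flow] = FLOWS) -> bool:
    """True only if some table row covers the tuple; everything else is denied."""
    return any(f.src == src and f.dst == dst and f.proto == proto
               and f.first <= dport <= f.last for f in flows)


def wan_reachable_hosts(flows: List[Flow] = FLOWS) -> Set[str]:
    """DMZ hosts that the outside world can reach on any port at all."""
    return {f.dst for f in flows if f.src == "WAN"}


def nft_rule(f: Flow) -> str:
    """One nftables rule for a row; the source match depends on the zone."""
    if f.src == "WAN":
        src = "iifname $WAN_IF"        # assumed variable: the external interface
    elif f.src == "LAN":
        src = "ip saddr $LAN_NET"      # assumed variable: the internal network
    else:
        src = f"ip saddr ${f.src}"     # host labels become nft variables, e.g. $DMZ_IP3
    ports = str(f.first) if f.first == f.last else f"{f.first}-{f.last}"
    return f"{src} ip daddr ${f.dst} {f.proto} dport {ports} accept"


def nft_ruleset(flows: List[Flow] = FLOWS) -> str:
    """Forward chain with a drop policy, so only the listed rows pass."""
    lines = [
        "table inet edge {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    lines += ["    " + nft_rule(f) for f in flows]
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_ruleset(FLOWS + MEETINGROOM_FLOWS))
    print("reachable from WAN:", sorted(wan_reachable_hosts()))
```

Running the script prints the ruleset; `wan_reachable_hosts()` returns only the Web Proxy and the TURN Server, which is the property stated in Overall Architecture, and `is_allowed("WAN", "DMZ_IP2", "udp", 5060)` is False because no table row ever exposes the SIP Proxy to the outside.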