Bypass Firewall Restrictions Using ICE Servers
You can use ICE servers to ensure connectivity across networks and restrictive firewall rules. There are two types of ICE servers: STUN and STUN/TURN. STUN/TURN is generally referred to as TURN. Both STUN and TURN servers allow clients that are behind NAT to discover their public IP address, which remote clients need to establish a connection. Unlike STUN servers, TURN servers can also serve as a simple relay for traffic between two participants that are behind restrictive firewall rules.
Note
Using LiveSwitch's embedded STUN/TURN to bypass firewall restrictions is the recommended approach. Embedded STUN/TURN is available for SFU, MCU, and P2P connections.
Embedded STUN/TURN
LiveSwitch Media Servers provide built-in STUN and TURN capability, which improves the overall efficiency of relay connections. With Regionality, you can also easily connect your clients to nearby Media Servers.
To use the built-in feature:
- Make sure you have configured your infrastructure to have the right open ports.
- Configure the TURN and TURNs bindings in your Deployment Configuration.
- Edit the Server-Specific Configuration on each Media Server.
Note
When creating a Connection object, don't set IceServers to null or any other values.
External STUN/TURN
To specify an external ICE server, create an instance of FM.LiveSwitch.IceServer.
- For STUN servers, you only specify the URI of the STUN server. The URI should include the scheme, domain, and port. The scheme must be stun.
- For TURN servers, you specify the URI of the TURN server, as well as the username and password to access the TURN server. The scheme must be turn.
The code samples below show how to configure two ICE servers, one for STUN and one for TURN.
Note
About the code examples on this page:
- For .NET MAUI and Unity, use the C# code.
- For macOS, use the iOS code.
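// One STUN server (URI only) and one TURN server (URI, username, password).
// The credentials shown are sample values; supply your own from configuration.
peerConnection.IceServers = new[]
{
    new FM.LiveSwitch.IceServer("stun:stun.liveswitch.fm:3478"),
    new FM.LiveSwitch.IceServer("turn:turn.liveswitch.fm:3478", "test", "pa55w0rd!")
};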
ICE Gather Policy Configuration
LiveSwitch Server Deployment Configuration allows restricting local host ICE candidates for SFU and MCU connections on the client side. These candidates are typically based on private IP addresses that are not usable when media servers are located on the public Internet. To enable this restriction, use the DeploymentConfig V2 REST API and set PreferNonHostClientIceCandidates to true. The environment variable Deployments:{index}:PreferNonHostClientIceCandidates is also available.
This setting significantly reduces the amount of signalling and the number of connectivity checks at startup.
Note
Do not enable this restriction when a Media Server is located on the same subnet as a client. In such cases, local host candidates are preferred, as they allow more direct communication between the clients and the server.
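What leaving out host candidates looks like at the candidate level, as an added JavaScript example that is not LiveSwitch code and does not reproduce how LiveSwitch applies PreferNonHostClientIceCandidates. The function names and the candidate lines are assumptions constructed for the illustration, and the pair count is a simplified model of connectivity checks.

```javascript
// Added illustration, not LiveSwitch code. Candidate lines are constructed samples
// in the SDP candidate-attribute layout (RFC 8839); addresses are private or
// documentation ranges.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54012 typ host",
  "candidate:2 1 udp 2122194687 10.0.4.7 54013 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.45 61022 typ srflx raddr 192.168.1.23 rport 54012",
  "candidate:4 1 udp 41885439 198.51.100.9 49200 typ relay raddr 203.0.113.45 rport 61022",
  "a=candidate:5 1 tcp 1518280447 172.20.0.5 9 typ host tcptype active",
  "not a candidate line",
];

// Parse the fixed leading fields of a candidate line; returns null if malformed.
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  if (!m) return null;
  return { transport: m[3].toLowerCase(), address: m[5], port: Number(m[6]), type: m[7].toLowerCase() };
}

// True for RFC 1918 IPv4 addresses (10/8, 172.16/12, 192.168/16).
function isPrivateIPv4(address) {
  const parts = address.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return false;
  const [a, b] = parts.map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Split candidates into those a non-host policy would keep (srflx, prflx, relay)
// and the host candidates it would leave out. Malformed lines are ignored.
function splitByHostPolicy(lines) {
  const kept = [];
  const dropped = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (c === null) continue;
    (c.type === "host" ? dropped : kept).push(c);
  }
  return { kept, dropped };
}

// Simplified model: checks grow with local x remote candidate pairs, so fewer
// local candidates means fewer checks at startup.
function pairCount(localCandidates, remoteCount) {
  return localCandidates.length * remoteCount;
}

const { kept, dropped } = splitByHostPolicy(SAMPLE_CANDIDATES);
console.log("kept:", kept.map((c) => `${c.type} ${c.address}`));
console.log("dropped private host addresses:", dropped.filter((c) => isPrivateIPv4(c.address)).map((c) => c.address));
console.log("pairs vs 2 remote candidates:", pairCount([...kept, ...dropped], 2), "->", pairCount(kept, 2));
```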
Even when the restriction is enabled, client side application level code can override this behavior by setting the ICE Gather Policy: