This is a quick guide covering the most important steps needed to get the Reverse Proxy up and running. For the full deployment guide and additional recommendations, read: https://docs.pexip.com/admin/integrate_rpturn.htm
1. Download the Pexip RP/TURN OVA image at http://download.pexip.com/rp-turn/v3/. Note that there are two OVA files, one for ESXi 5.x and one for ESXi 4.x.
It is recommended to verify the integrity of the OVA file after downloading it by calculating the MD5 sum of the downloaded file (for instance using WinMD5 Free - www.winmd5.com) and comparing it with the respective MD5 sum in the file 'md5sums.txt' (located in the same location as the OVA images).
2. Deploy the OVA file in VMware:
Using the vSphere Web Client, this is done by navigating to 'Hosts and clusters', right-clicking on a host server and choosing 'Deploy OVF Template...'.
Using the vSphere Client for Windows, this is done by clicking 'File' and 'Deploy OVF Template'.
During the OVA deployment, it is recommended to use the default options. Also make sure to assign the correct VMware network/port group for the network interface of the virtual machine.
3. Once deployed, open the VMware console for the Reverse Proxy/TURN virtual machine. This is done by right-clicking on the virtual machine in the vSphere client and choosing 'Open Console'.
The console should show a login prompt.
Enter the username 'pexip' at the login prompt. This will request a new password to be set for this user. Enter the new password twice to trigger the install wizard. The install wizard will then request that the new password is entered.
4. The install wizard consists of 10 configuration steps, described below. In this example guide, the following configuration items have been set:
- Step 1 - IP address: 198.51.100.5
- Step 2 - Subnet mask: 255.255.255.0
- Step 3 - Default gateway: 198.51.100.1
- Step 4 - Networks allowed to access the Reverse Proxy over SSH: 10.0.0.0 255.0.0.0
  - Defining the network 10.0.0.0 255.0.0.0 for SSH access means that any host in the network range 10.0.0.0 - 10.255.255.255 is allowed to access the Reverse Proxy over SSH. This is controlled by the built-in iptables firewall of the Reverse Proxy.
- Step 5 - Hostname: rp-osl
- Step 6 - Domain name: pexip.com
  - Configuring a hostname of 'pex-rp-osl' and domain name of 'pexip.com' means that the FQDN (Fully Qualified Domain Name) of the Reverse Proxy is 'pex-rp-osl.pexip.com'.
- Step 7 - DNS servers: 126.96.36.199 188.8.131.52
  - DNS servers are defined as a space-separated list. In this example, the DNS servers 184.108.40.206 and 220.127.116.11 have been defined (Google public DNS).
- Step 8 - NTP servers: 0.no.pool.ntp.org 1.no.pool.ntp.org
  - Like DNS servers, NTP servers are defined as a space-separated list. In this example, two separate Norwegian pools from ntp.org have been defined.
- Step 9 - IP addresses of conferencing nodes: 10.20.5.2, 10.20.5.3, 10.20.5.4
  - The conferencing nodes to which the Reverse Proxy should forward web requests for Pexip App and WebRTC are defined one at a time, by entering the IP address of a conferencing node and pressing <ENTER>. When you are done entering all conferencing nodes, press <ENTER> on an empty line to proceed to the next step.
- Step 10 - TURN server username and password: turnuser SecretPassword!
  - This step defines the username and password for the TURN user account to add to this TURN server. In this example, a username of 'turnuser' and password of 'SecretPassword!' have been set. If TURN is not required on the Reverse Proxy, simply enter 'disable' in this step to disable the built-in TURN server.
Once all 10 steps are completed, the Reverse Proxy will reboot and apply the new settings. The Reverse Proxy is now ready for use.
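The integrity check recommended in step 1 can be scripted instead of compared by eye. The following is an added example, not Pexip's own tooling; it assumes 'md5sums.txt' uses the common md5sum layout (a 32-character hex digest followed by the file name on each line), and the two file paths are supplied by you on the command line.

```python
import hashlib
import hmac
import sys
from pathlib import Path


def parse_md5sums(text):
    """Parse md5sum-style lines ('<32 hex digits>  <filename>') into {filename: digest}.

    Assumed layout; the optional '*' binary-mode marker before the name is dropped.
    """
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue  # blank or malformed line
        digest = parts[0].lower()
        name = Path(parts[1].lstrip("*").strip()).name
        if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest):
            sums[name] = digest
    return sums


def file_md5(path, chunk_size=1 << 20):
    """Hash the file in 1 MiB chunks so a large OVA is never loaded into memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_ova(ova_path, md5sums_path):
    """Return (ok, expected, actual); expected is None if the OVA is not listed."""
    ova_path = Path(ova_path)
    listed = parse_md5sums(Path(md5sums_path).read_text())
    expected = listed.get(ova_path.name)
    actual = file_md5(ova_path)
    ok = expected is not None and hmac.compare_digest(expected, actual)
    return ok, expected, actual


if __name__ == "__main__":
    # Usage: python verify_ova.py <downloaded .ova> <md5sums.txt>
    ok, expected, actual = verify_ova(sys.argv[1], sys.argv[2])
    print(f"expected: {expected}\nactual:   {actual}")
    sys.exit(0 if ok else 1)
```

A match against a checksum list fetched from the same location detects a truncated or corrupted download; it does not authenticate where the image came from.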
The RP/TURN appliance has a basic statistics page which is accessible from hosts in the subnet(s) defined in step 4. This page is available via /stats on the RP, e.g. http://rp-osl.pexip.com/stats if 'rp-osl.pexip.com' is the FQDN of the RP.
The recommended next step after the RP/TURN appliance is deployed is to follow the steps described in https://support.pexip.com/hc/en-us/articles/203598109-Reverse-Proxy-TURN-security-updates-and-housekeeping, to ensure that the RP/TURN appliance gets updated with the latest security patches.
Port usage/firewall ports for RP:
The ports below should be allowed in any firewalls handling traffic to and from RP/TURN.
Inbound towards RP/TURN:
TCP 22 - ssh (for management)
TCP 80 - http
TCP 443 - https
UDP 3478 - TURN/STUN
UDP 49152-65535 - TURN relay media traffic
Outbound from RP/TURN:
TCP 1024-65535 - traffic towards clients
UDP 1024-65535 - traffic towards clients
Hardware requirements for RP:
No specific CPU model is required; a CPU from 2009 or later is recommended.
2 GB RAM
50 GB disk