TURN Server

TURN stands for Traversal Using Relays around NAT. Basically it is a device that sits on the public Internet that sends and receives media. To function correctly, it must be reachable by both the external devices on the Internet and internal devices, such as CMS, so that audio and video traffic can flow into and out of an organization. The TURN server in this case acts as an anchor point for the media that is trusted by the firewall.

The CMS server can be deployed as an edge device and function as a TURN server, but since the Expressway-E has TURN server capabilities as well. That is what you will use for this lab. Regardless of which device is used as a TURN server to anchor media, the TURN server must be configured in the CMS database so that the Call Bridges know where to send media and, since the TURN server is on the public internet, the web client can know where to send its traffic. An Expressway-E, acting as a TURN server, will bridge the traffic received on its internal and external interfaces together so that users can establish two-way communication.

For any device to use a TURN server, authentication is required. You should configure another set of authentication credentials on the Expressway-E to use for TURN. Follow these steps to configure the credentials:

1. Open the browser to the Expressway-E at https://expe1a.pod8.cms.lab:445
2. Log in with username admin and password c1sco123
3. Navigate to Configuration > Authentication > Devices > Local database
4. Click New
5. Enter turnuser in the Name field
6. In the Password field enter c1sco123 - If pasting this value, use Control-V
7. Click Create credential

To avoid potential external firewalls blocking access to our TURN server, we would like the service to run on port 443, which happens to be the port we use to administer the Expressway-E. Therefore we will change this first.

1. Navigate to System > Administration on Expressway-E at https://expe1a.pod8.cms.lab
2. Near the bottom, find the Web administrator port setting and change it to 445
3. Click Save
4. You should see a message near the top of the screen that indicates System settings have been saved, however a restart is required for them to take effect. Don't bother with this now. You'll restart the server later on. Just keep in mind, the next time the system is restarted, you'll need to point the browser to port 445.

Now you can configure the Expressway-E TURN server.

1. Navigate to Configuration > Traversal > TURN
2. For TURN services, select On
3. For TCP 443 TURN service select On.
   This is an Expressway X8.11 feature that allows the external clients to use port 443 to access the TURN server. This helps avoid issues where external clients are on networks where traffic to the default TURN port, 3478, is being blocked.
4. In the Authentication realm line, enter turnuser
5. Click Save Notice in the TURN server status for the 10.0.132.X external addresses that it is now listening on port 3478 and port 443.
6. The system warns you that this change requires a restart, click on the restart text (or navigate to Maintenance > Restart options and click Restart
7. Click OK to confirm the restart.

While the Expressway-E is restarting, we can focus on CMS again. Now that the TURN server is enabled, Cisco Meeting Server needs to be made aware of it. The only way to configure it is via the API. Start by looking at the API reference to see how to set up and modify a TURN server.

Follow these steps to configure the TURN server on CMS:

1. Launch or switch to the Postman app
2. Switch to the POST verb.
3. Put in the following URL: https://cms1a.pod8.cms.lab:8443/api/v1/turnServers
4. From the Body tab, make sure the x-www-form-urlencoded radio button is selected.
5. This is another excellent place to use the Bulk Edit mode, so click on the Bulk Edit text in the row under the x-www-form-urlencoded button.
6. Enter each Key / Value pair as noted in the table below. The table outlines the decisions that were made in choosing these values.
   
   

   Parameter / Key	Value
   serverAddress	10.0.108.71 Description: The IP address that CMS should expect to get traffic from when invoking this TURN server.
   clientAddress	10.0.132.108 Description: The address that clients should send traffic to in order to reach this TURN server. This is the external address of the TURN server.
   username	turnuser Description: The TURN server username configured on the Expressway-E
   password	c1sco123 Description: The password associated with the TURN server user on the Expressway-E
   type	expressway

   The following is the same data in the format that can be pasted into the Bulk Edit window.
   
   
   serverAddress:10.0.108.71 clientAddress:10.0.132.108 username:turnuser password:c1sco123 type:expressway
7. Click Send in Postman.

Assuming you received a 200 OK response, use the GET method to examine the configuration.

1. In Postman switch to the GET verb. Leave the URL unchanged from the POST request you just sent.
2. Press Send
   




3. The results gives you some basic information about the TURN server and also includes the turnServer ID.
4. Copy the turnServer ID value from the result above and append it to the existing URL to query the object. The resulting URL should look something like https://cms1a.pod8.cms.lab:8443/api/v1/turnServers/abb5ecf5-e2b6-48f4-a60b-0ef3eaa99ec2
5. Press Send again.






6. Now you can see all the settings you just configured. If you want to get some runtime status information for the TURN server, append /status to the end of the URL. The URL should look something like https://cms1a.pod8.cms.lab:8443/api/v1/turnServers/abb5ecf5-e2b6-48f4-a60b-0ef3eaa99ec2/status
7. Press Send again.








8. This API call provides some useful information. Note that reachable is true, along with the roundTripTimeMs. If your Expressway-E/TURN server is not yet up, then this command will likely show different results, indicating that it is not reachable.

By default, every CMS server maintains its own connection to each TURN server.