Hi All,
I’m looking for insight into the pros and cons of opening my Asterisk boxes’ media ports for direct RTP traffic vs using a TURN server to relay the traffic so that Asterisk stays safe behind NAT.
Our current setup is having Asterisk on our network and requiring users to be within our own network to connect locally to Asterisk but we’re now looking to get users who work externally using our web phone without the need to connect to a VPN.
We’ve spent some time implementing a TURN server on our own network and utilising this as a relay into Asterisk for the added security of the TURN ephemeral credentials, having another hop for an attacker to jump through and also having no direct access into Asterisk.
We have one final problem, which is that when my TURN server sends traffic to Asterisk the source is its internal IP address, which isn’t a candidate in the SIP header, and so Asterisk drops the connection (only its external IP address is in the ICE candidate list).
Based on the above problem, which is proving very difficult to get past, we’re starting discussions around just opening the UDP ports required on the Asterisk box and scrapping the TURN server integration.
I’d like to glean some information from the community on best practices for this. We control everything from DNS, network, routing, etc., so can make any changes required, but I would like to try and find out what is the “done thing” in the industry.
Thanks in advance and if you need any more information please let me know.
Robert.