Re: [pntaw] TURN over websockets or just TURN.

"Tirumaleswar Reddy (tireddy)" <> Thu, 26 September 2013 10:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CB8EF11E8189 for <>; Thu, 26 Sep 2013 03:49:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.204
X-Spam-Status: No, score=-10.204 tagged_above=-999 required=5 tests=[AWL=-0.206, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_16=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ftoRyELU3tkc for <>; Thu, 26 Sep 2013 03:49:19 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id A326111E80AD for <>; Thu, 26 Sep 2013 03:49:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=20418; q=dns/txt; s=iport; t=1380192559; x=1381402159; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=7EWQq0wa8Cwwg5w3iXJluusZdxTsaCIXG+GSmaypGOM=; b=mH4sSmLl0EamI8VvyqRDc4iPksq2KiQlmMXH9PADPTh33waljvaneoRY c/fzzP5muJfIx2Ss/r9TKB7ye7MVB1T/Hs0txV6VREp4shinHrkOwF4G4 2Y/QktBHw9dJarw6sYpntW8P2ZRSZR7AOhTWr5BplHwP0fITONngJX4nv I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos; i="4.90,984,1371081600"; d="scan'208,217"; a="264728259"
Received: from ([]) by with ESMTP; 26 Sep 2013 10:49:18 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id r8QAnItP023274 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 26 Sep 2013 10:49:18 GMT
Received: from ([]) by ([]) with mapi id 14.02.0318.004; Thu, 26 Sep 2013 05:49:18 -0500
From: "Tirumaleswar Reddy (tireddy)" <>
To: Oleg Moskalenko <>
Thread-Topic: [pntaw] TURN over websockets or just TURN.
Date: Thu, 26 Sep 2013 10:49:17 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_913383AAA69FF945B8F946018B75898A1907FACFxmbrcdx10ciscoc_"
MIME-Version: 1.0
Cc: "" <>, Sergio Garcia Murillo <>
Subject: Re: [pntaw] TURN over websockets or just TURN.
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion list for practices related to proxies, NATs, TURN, and WebRTC" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 26 Sep 2013 10:49:24 -0000

Hi Oleg,

My opinion is that in such scenarios where Firewall + SecaaS is used, the Enterprise Security policies would like to do the following

1)Permit UDP pinholes through the firewalls only for WebRTC sessions originated by certain domains that Enterprise has business tie-up with.
2)Block UDP pinholes through the firewall for the rest of the domains.  In this case "TURN over web-sockets" would be of help since the traffic would go through SecaaS and it can make a decision whether to permit or block the traffic based on various information like Black-listed/White-listed TURN servers, TURN over web-sockets is permitted/denied etc. For example media session initiated using Skype (which has no business tie-up with the Enterprise) could be permitted over "TURN over web-sockets" because SecaaS can identify the traffic and also enforce granular policies for example

a)permit the "TURN over web-sockets" session only during non-business hours
b)permit the "TURN over web-sockets" session only for guests.

From: Oleg Moskalenko []
Sent: Thursday, September 26, 2013 12:11 PM
To: Tirumaleswar Reddy (tireddy)
Cc: Sergio Garcia Murillo;
Subject: Re: [pntaw] TURN over websockets or just TURN.

Hi Tiru
thanks for the info !
What is your opinion, do we have to add something to the draft to improve our interoperability with  Secaas systems ?
We are pretty much concentrating on two major aspects:
1) Connectivity
2) Ability for the network managers to set the access policies.

On Wed, Sep 25, 2013 at 8:26 PM, Tirumaleswar Reddy (tireddy) <<>> wrote:
Hi Oleg,

Please see inline [TR]

From:<> [<>] On Behalf Of Sergio Garcia Murillo
Sent: Thursday, September 26, 2013 2:10 AM

Subject: Re: [pntaw] TURN over websockets or just TURN.

El 25/09/2013 21:18, Oleg Moskalenko escribió:
Andy, see below:

On Wed, Sep 25, 2013 at 12:03 PM, Hutton, Andrew <<>> wrote:

[AndyH] True I was considering that as the simple case and of course there is no HTTP CONNECT in that scenario. So are you saying that when there is no proxy then a websockets connection is more likely to work than a TURN/TCP or TURN/TLS connection. I would be interested in whether there is evidence of that I am not sure whether it is true or not certainly in the encrypted case I don't see how this can be but I am not an expert on this.

I cannot say that I am exactly an expert in IT firewall world, too. But I personally observed a rather strict corporate environments where a strict firewall is used without explicit HTTP proxy. Also, I heard from our TURN server users the stories about similar cases. The usual story was that the firewall blocks the outgoing TURN TCP connection unless it is destined to 80/443 port and it has an HTTP handshake.

Exactly the same case here. I have (had) a "potential" customer that is using a cloud based network filtering solution, and SIP over secure websockets works but TURN over TLS on port 443 doesn't. I yet have to double check my TURN TLS settings to see if everything is correctly configured and working correctly with chrome.

[TR] Various Enterprises in addition to firewalls are also using cloud connector which re-directs HTTP/HTTPS traffic to cloud based "Security As A Service" (SecaaS) for DPI, reputation based filtering etc;st=sb. SecaaS can also do HTTPS inspection by acting as HTTPS proxy.


Best regards

pntaw mailing list<>