Re: [pntaw] TURN over websockets or just TURN.

"Tirumaleswar Reddy (tireddy)" <> Thu, 26 September 2013 03:26 UTC

From: "Tirumaleswar Reddy (tireddy)" <>
To: Sergio Garcia Murillo <>, "" <>
List-Id: "Discussion list for practices related to proxies, NATs, TURN, and WebRTC" <>

Hi Oleg,

Please see inline [TR]

From: [] On Behalf Of Sergio Garcia Murillo
Sent: Thursday, September 26, 2013 2:10 AM
Subject: Re: [pntaw] TURN over websockets or just TURN.

On 25/09/2013 21:18, Oleg Moskalenko wrote:
Andy, see below:

On Wed, Sep 25, 2013 at 12:03 PM, Hutton, Andrew <<>> wrote:

[AndyH] True, I was considering that as the simple case, and of course there is no HTTP CONNECT in that scenario. So are you saying that when there is no proxy then a websockets connection is more likely to work than a TURN/TCP or TURN/TLS connection? I would be interested in whether there is evidence of that. I am not sure whether it is true or not; certainly in the encrypted case I don't see how this can be, but I am not an expert on this.

I cannot say that I am exactly an expert in the IT firewall world, either. But I personally observed rather strict corporate environments where a strict firewall is used without an explicit HTTP proxy. Also, I heard from our TURN server users stories about similar cases. The usual story was that the firewall blocks the outgoing TURN TCP connection unless it is destined to port 80/443 and it has an HTTP handshake.

Exactly the same case here. I have (had) a "potential" customer that is using a cloud-based network filtering solution, and SIP over secure websockets works but TURN over TLS on port 443 doesn't. I have yet to double-check my TURN TLS settings to see if everything is correctly configured and working correctly with Chrome.

[TR] Various enterprises, in addition to firewalls, are also using a cloud connector which redirects HTTP/HTTPS traffic to a cloud-based "Security as a Service" (SecaaS) for DPI, reputation-based filtering, etc. SecaaS can also do HTTPS inspection by acting as an HTTPS proxy.


Best regards
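
Added example, not part of the original message or any participant's code: a small model of the filtering behaviour reported in this thread, classifying the first client bytes of a connection as STUN/TURN, TLS ClientHello, or HTTP (including a WebSocket upgrade) and applying a "ports 80/443 with HTTP handshake" policy. The function names, the policy logic, the sample bytes, and the assumption that an HTTPS-inspecting proxy judges the decrypted inner message are all hypothetical.

```python
import struct

STUN_MAGIC_COOKIE = 0x2112A442  # fixed value at bytes 4..7 of a STUN/TURN header (RFC 5389)
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"CONNECT ")

def classify_first_flight(data: bytes) -> str:
    """Label the first client bytes of a TCP connection, as a DPI device might."""
    if len(data) >= 20:
        msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
        # STUN: top two bits of the type are 0 and the length is a multiple of 4.
        if msg_type & 0xC000 == 0 and msg_len % 4 == 0 and cookie == STUN_MAGIC_COOKIE:
            return "stun-turn"
    # TLS handshake record (type 22, major version 3) carrying a ClientHello (type 1).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    if data.startswith(HTTP_METHODS):
        head = data.split(b"\r\n\r\n", 1)[0].lower()
        if b"\r\nupgrade: websocket" in head:
            return "http-websocket-upgrade"
        return "http"
    return "unknown"

def firewall_verdict(dst_port, first_flight, inspected_inner=None):
    """Hypothetical policy: ports 80/443 only, and an HTTP handshake must be visible.

    inspected_inner is the first decrypted client message when an HTTPS-inspecting
    proxy sits in the path; None means the TLS tunnel is not opened.
    """
    kind = classify_first_flight(first_flight)
    if dst_port == 80:
        return "allow" if kind.startswith("http") else "block"
    if dst_port == 443 and kind == "tls-client-hello":
        if inspected_inner is None:
            return "allow"  # tunnel contents are not visible to the filter
        inner = classify_first_flight(inspected_inner)
        return "allow" if inner.startswith("http") else "block"
    return "block"

# Constructed sample inputs (not captured traffic).
TURN_ALLOCATE = struct.pack("!HHI", 0x0003, 0, STUN_MAGIC_COOKIE) + bytes(12)
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])
WS_UPGRADE = (b"GET /relay HTTP/1.1\r\nHost: turn.example.invalid\r\n"
              b"Upgrade: websocket\r\nConnection: Upgrade\r\n\r\n")

if __name__ == "__main__":
    print("TURN/TCP to 443:", firewall_verdict(443, TURN_ALLOCATE))
    print("TURN/TLS to 443, inspected:", firewall_verdict(443, TLS_HELLO, TURN_ALLOCATE))
    print("WSS to 443, inspected:", firewall_verdict(443, TLS_HELLO, WS_UPGRADE))
```

Under this model, TURN over TLS and secure WebSockets look identical on port 443 until the tunnel is opened by an inspecting proxy, which matches the difference between the two reported in the thread.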