Stun services, About stun, About ice – TANDBERG D14049.04 User Manual
Page 162: Stun binding discovery, How it works, Stun relay, About stun about ice stun binding discovery, Ice firewall traversal, Protocol, Configuring the vcs as a traversal server

162
D14049.04 
JULY 2008
Grey Headline (continued)
TANDBERG
VIDEO COMMUNICATIONS SERVER
ADMINISTRATOR GUIDE
Configuring the VCS as a Traversal Server
About STUN
STUN is a network protocol that enables a SIP or H.323 client to 
communicate via UDP or TCP from behind a NAT firewall. 
The VCS Expressway can be configured to provide two types of 
STUN services to traversal clients. These services are STUN 
Binding Discovery and STUN Relay. Currently the VCS supports 
STUN over UDP only.
STUN Services
STUN Relay
The STUN Relay service (formerly known as TURN) allows a client 
to ask for data to be relayed to it from specific remote peers via 
the relay server and through a single connection between the 
client and the relay server.
How it works
A client behind a NAT firewall sends a STUN Allocate request to 
the VCS Expressway which is acting as the STUN relay server. 
The sending of this request opens a binding on the firewall. Upon 
receipt of the request, the VCS Expressway opens a public IP 
port on behalf of the client, and reports back to the client this IP 
address and port, as well as details of the firewall binding. The 
client can then provide this IP address and port to other systems 
which may want to reach it. 
The client can restrict the remote address and ports from which 
the relay should forward on media. Any incoming calls to this IP 
address and port on the VCS server are relayed via the allocated 
binding on the NAT to the client.
STUN Binding Discovery
The STUN Binding Discovery service provides information back 
to the client about the binding allocated by the NAT firewall being 
traversed. 
How it works
A client behind a NAT firewall sends a STUN discovery request 
via the firewall to the VCS Expressway, which has been 
configured as a STUN discovery server. Upon receipt of the 
message, the VCS Expressway responds to the client with 
information about the allocated NAT binding, i.e. the public IP 
address and the ports being used.
The client can then provide this information to other systems 
which may want to reach it, allowing it to be found even though it 
is not directly available on the public internet.
The endpoint will only be reachable if the firewall has the 
Endpoint-Independent Mapping behavior as described in 
.
About ICE
Currently, the most likely users of STUN services are ICE 
endpoints. 
ICE (Interactive Connectivity Establishment) is a collaborative 
algorithm that works together with STUN services (and other 
NAT traversal techniques) to allow clients to achieve firewall 
traversal. The individual techniques on their own may allow 
traversal in certain network topologies but not others. Also some 
techniques maybe less efficient than others, involving extra 
hops (e.g. STUN Relay). 
ICE involves the collecting of potential (candidate) points of 
contact (IP address and port combination) via each of the 
traversal techniques, the verification of peer-to-peer connectivity 
via each of these points of contact and then the selection of the 
“best” successful candidate point of contact to use.
For detailed information on the base STUN protocol and 
the Binding Discovery service, refer to 
Utilities for (NAT) (STUN) [11]
.
For detailed information on the STUN Relay service, refer to
Obtaining Relay Addresses from Simple Traversal Underneath 
NAT (STUN) [12]
.
STUN Relays consume traversal call licences (three 
relays take one licence) but they do not actually pass 
through the traversal subzone.
