Installing and Configuring the TURN Server

The Remote Access feature in BigFix Modern Client Management (MCM) requires a TURN server to establish reliable WebRTC sessions between administrator browsers and managed devices.

TURN (Traversal Using Relays around NAT) relays session traffic through the server, which keeps connectivity reliable when devices are behind NAT or on restricted networks. As of MCM v3.6.0, this supports the Remote View capability.

Quick Reference: Production-Ready Configuration

Table 1. System Sizing for 100 Concurrent Sessions

| Category | Recommended Value | Technical Specifications |
|---|---|---|
| Production Baseline | 100 Concurrent Sessions | 12 vCPU, 32 GB RAM, 1 Gbps NIC |
| Standard Ports | 3478 (TCP), 5349 (TLS) | Required for TURN/STUN and Secure TURNS communication. |
| Media Port Range | 49152–49352 (UDP) | Allocates 2 ports per session (~300 ports recommended for 100 sessions). |
| Storage | 20–40 GB | Dedicated for container images and connectivity debugging logs. |
| OS & Runtime | RHEL 7 / 8 / 9 | Requires Docker or Podman with Compose support. |
| Security | CA-Signed Certificate | Enables TLS; anticipate 10–20% CPU overhead for encryption. |

Installation and Configuration Steps

  1. Navigate to TURN Installation: Log in to the BigFix Console and go to Apps > Modern Client Management > Admin > Coturn Service > Install.
  2. Select Target Device: Click Select and choose a machine running a supported RHEL version with a container runtime installed.
  3. Configure Server Details: Enter the Server Address (FQDN). If the FQDN does not resolve directly to the public IP, provide the External IP Address.
  4. Network and Ports:
    • Enable Port 3478 (TCP) for standard connectivity.
    • Enable Port 5349 (TLS) and upload your CA-signed certificate and private key.
    • Define the Media Port Range (Default: 49152–49252). Ensure the firewall allows this UDP range.
  5. Authentication: Enter a secure Authentication Secret to prevent unauthorized relay usage.
  6. Finalize: Review settings and click Install to deploy the containerized service.

Best Practices and Troubleshooting

Best Practices:

  • Always prefer Secure TURN (TURNS) via port 5349 for production.
  • Ensure the server is publicly reachable with a stable public IP and low latency.
  • Monitor scaling: add 4 vCPU and 8 GB RAM for every additional 100 sessions.

Troubleshooting:

| Common Issue | Recommended Action |
|---|---|
| Connection Timeouts | Verify port 3478 (TCP) and the UDP Media Range are open in the OS firewall and Network Security Groups. |
| TLS Handshake Errors | Ensure the certificate is CA-signed and the FQDN matches the certificate's Common Name (CN). |
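
For the Connection Timeouts case, the following added example (not part of the product documentation or of BigFix) sends a STUN Binding request to port 3478 over TCP and decodes the reply, which separates a filtered port from a service that is not running. It assumes the deployed service answers unauthenticated Binding requests on that port; all function names are hypothetical.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442      # fixed STUN magic cookie (RFC 5389)
XOR_MAPPED_ADDRESS = 0x0020

def build_binding_request(txn_id=None):
    """Return (message, txn_id) for a STUN Binding request with no attributes."""
    txn_id = txn_id or os.urandom(12)
    return struct.pack("!HHI", 0x0001, 0, MAGIC_COOKIE) + txn_id, txn_id

def parse_binding_response(data, txn_id):
    """Return the (ip, port) the server saw us as, or raise ValueError."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or data[8:20] != txn_id:
        raise ValueError("not a STUN reply to this request")
    if msg_type != 0x0101:     # 0x0101 = Binding success response
        raise ValueError(f"unexpected STUN message type 0x{msg_type:04x}")
    pos, end = 20, min(20 + length, len(data))
    while pos + 4 <= end:
        attr, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if attr == XOR_MAPPED_ADDRESS and len(value) >= 8 and value[1] == 0x01:
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        pos += 4 + alen + (-alen % 4)   # attributes are padded to 4 bytes
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS in response")

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed before a full STUN message")
        buf += chunk
    return buf

def probe(host, port=3478, timeout=5.0):
    """Binding request over TCP. A timeout points at a filtered port;
    ConnectionRefusedError means the host answered but nothing accepts there."""
    request, txn_id = build_binding_request()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        header = _recv_exact(sock, 20)
        body = _recv_exact(sock, struct.unpack("!H", header[2:4])[0])
    return parse_binding_response(header + body, txn_id)
```

Call `probe()` with the Server Address entered in step 3, from a network where managed devices sit; the returned address is the public IP and port the server saw for your connection.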

Results

Upon successful installation, the TURN server status will show as Active in the BigFix Console. Devices in restricted networks will now be able to establish Remote View sessions via the relay.