Install TURN Server

Prerequisites

Before configuring the TURN server, ensure the following:

• MDM Server is installed and configured.
• A server is available running:
  1. RHEL 7 / 8 / 9
  2. Container runtime: Docker or Podman
  3. Container compose support (Docker Compose or Podman Compose)

• The TURN (Coturn) service must be:

  1. Publicly reachable by both the browser (admin) and managed devices
  2. Accessible over configured ports (including media ports)

• Network/firewall configuration:

  1. Port 3478 (TCP) – TURN/STUN
  2. Port 5349 (TLS/TCP) – Secure TURN (TURNS)
  3. Media port range (UDP) – for relayed media traffic (e.g., 49152–49252)

• If using TLS:

  1. Valid TLS certificate signed by a trusted Certificate Authority (CA)

Install and Configure TURN Server

Step 1: Navigate to TURN Installation

1. Log in to the BigFix Console.
2. Navigate to:
   1. Apps → Modern Client Management → Admin
3. In the left panel, expand:
   1. Coturn Service
4. Click on:
   1. Install

Step 2: Select Target Devices

Field: Target Device

• Click on the Select button.
• Choose the device where the TURN server should be installed.

Notes:

• The TURN server can be installed only on supported environments:

  1. RHEL 7 / 8 / 9
  2. Docker or Podman installed
  3. Compose support available

Purpose:

• Defines the machine where the TURN service will be deployed.
• This machine should ideally have public network accessibility.

Step 3: Configure Server Details

Section: Server Configuration

Field: Server Address (Required)

• Enter the hostname or FQDN of the TURN server (e.g., turn.yourdomain.com).

Purpose:

• This address is used by devices and browsers to connect to the TURN server.
• Must be resolvable from both managed devices and admin browsers.

Field: External IP Address (Optional but Recommended)

• Enter the public IP address of the TURN server.

Purpose:

• Required when the configured Server Address does not resolve to the server’s public IP.
• Ensures correct routing of TURN traffic when NAT is involved.

Step 4: Configure Network and Ports

Section: Network & Ports

Field: Enable TCP/UDP Port

• Enable this option if TCP connectivity should be allowed.
• Default Port: 3478

Purpose:

• Enables TURN/STUN communication over TCP.
• Useful in restrictive networks where UDP may be blocked.

Field: Enable TLS (TURNS) Port (Optional but Recommended)

• Enable this option to allow secure TURN communication.
• Default Port: 5349

Purpose:

• Encrypts TURN traffic using TLS.
• Recommended for production environments.

Additional Fields (Visible when TLS is enabled):

Field: TLS Certificate (Required for TURNS)

• Upload a TLS certificate.

Purpose:

• Must be a certificate signed by a trusted Certificate Authority (CA).
• Used to establish secure communication.

Field: TLS Key (Required for TURNS)

• Upload the private key corresponding to the TLS certificate.

Purpose:

• Required for TLS handshake and encryption.

Field: Media Ports (Required)

• Specify a UDP port range:
  1. Min: 49152
  2. Max: 49252

Purpose:

• Used for relaying media/data between browser and device.
• Ensure this entire range is open in firewall settings.

Step 5: Configure Authentication

Section: Authentication

Field: Authentication Secret (Required)

• Enter a secure shared secret.

Purpose:

• Used to authenticate TURN clients (browser and device).
• Prevents unauthorized usage of the TURN server.

Step 6: Install TURN Server

1. Review all configurations.
2. Click Install.

Purpose:

• Deploys and configures the TURN (Coturn) server on selected devices.
• Enables relay-based connectivity required for Remote View sessions.

• Ensure the TURN server is publicly reachable on all configured ports.
• Prefer enabling TLS (TURNS) for secure environments.
• Use strong, non-guessable authentication secrets.
• Verify firewall rules for:
  1. 3478 (TCP)
  2. 5349 (TLS/TCP)
  3. Media port range (UDP)
• Deploy TURN server on infrastructure with:
  1. Stable public IP
  2. High bandwidth
  3. Low latency

Outcome