Starting with Jump Desktop Connect 6.7.42 you can now run on-premise, high availability relay servers.
On Premise relay servers let you control how Jump Desktop traffic is routed through your infrastructure. All relay traffic uses a fixed set of UDP ports, so you can control exactly what goes in and out and apply QoS if needed. You can also run a relay server behind a NAT using port forwarding.
On Premise Relay Servers can replace complex and potentially slow VPN infrastructure for Jump Desktop traffic. Because that traffic is already encrypted end-to-end, a VPN tunnel only adds a second layer of encapsulation and encryption; the relay avoids that networking and CPU overhead. On Premise Relay Servers are also easier to deploy than a VPN: there is no per-client key distribution or client-side configuration, because the relay configuration is pushed centrally through Jump Desktop's Connect Settings.
Encryption: All Jump Desktop Connect traffic is encrypted end-to-end. The on premise relay server cannot decrypt the underlying protocol data; it forwards opaque, encrypted packets between computers. What the relay does see is connection metadata (the peers' addresses, timing and traffic volume). The relay username and password decide who may allocate relay capacity, and they are shared by every machine you assign the settings to, so treat them as a shared secret: keep them out of shell history and tickets, and rotate them if they leak.
[Diagram: relay server configuration where the relay is hosted externally]
[Diagram: alternate configuration where the relay server is hosted internally]
Requirements:
- Jump Desktop for Teams Enterprise subscription.
- A Linux machine that will act as a relay server inside or outside your network. The relay has been tested on CentOS, AlmaLinux, RockyLinux and Ubuntu, however you can use any flavour of Linux.
- Quad core or better processor.
- 4GB or more RAM.
1. Setup Relay Server
We'll set up an open-source TURN server called coturn, deployed with Docker from the official coturn image.
- Make sure you have Docker installed on your server machine: How To Install Docker.
- Select a port (RELAY_PORT), username (RELAY_USERNAME) and password (RELAY_PASSWORD) for the relay server. In the example below we've used relay port 3478, username MyUserName, password MyPassword and external IP 1.2.3.4. The external IP is the public IP address of your WAN interface.
- Select a connection port range to use (RELAY_CONNECTION_MIN_PORT, RELAY_CONNECTION_MAX_PORT). Each simultaneous connection requires one UDP port on the server, so the number of ports in the range determines how many simultaneous connections the server can serve. In the example below the range is 401 ports, so the server can handle about 400 connections.
To start coturn on your relay machine run the following command (these steps are for Linux). Two things to be aware of: the password appears in the process list and in your shell history, and Docker creates one mapping per published port, so for a range of several hundred UDP ports the coturn image documentation recommends running the container with --network=host instead of -p.
# Relay settings: STUN/TURN listening port, the shared credentials every team
# machine will present, the public WAN address, and the relay port range
RELAY_PORT=3478
RELAY_USERNAME=MyUserName
RELAY_PASSWORD=MyPassword
RELAY_EXTERNAL_IP=1.2.3.4
RELAY_CONNECTION_MIN_PORT=49152
RELAY_CONNECTION_MAX_PORT=49552
# Publish UDP only (listening port plus relay range), restart with the host,
# and run turnserver with long-term credentials and no TCP relaying or CLI
sudo docker run \
-d \
-p $RELAY_PORT:$RELAY_PORT/udp \
-p $RELAY_CONNECTION_MIN_PORT-$RELAY_CONNECTION_MAX_PORT:$RELAY_CONNECTION_MIN_PORT-$RELAY_CONNECTION_MAX_PORT/udp \
--restart=always \
docker.io/coturn/coturn \
--listening-port $RELAY_PORT \
--min-port $RELAY_CONNECTION_MIN_PORT \
--max-port $RELAY_CONNECTION_MAX_PORT \
--external-ip=$RELAY_EXTERNAL_IP \
--no-tcp-relay \
--no-cli \
--user "$RELAY_USERNAME:$RELAY_PASSWORD" \
--realm jumpdesktop.com \
--lt-cred-mech \
--pidfile /tmp/turnserver.pid
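As an added example (not the article's own command, and not a script shipped by coturn or Jump Desktop), the same deployment written as a start script. It renders a turnserver.conf so the password never goes on a command line, and adds coturn's peer ACL so a TURN client can only ask the relay to forward to the Jump machines, never to loopback, link-local (cloud metadata), multicast or the rest of the private address space. It assumes a secret file at /etc/coturn/relay.secret, a Jump machine subnet of 192.168.2.0/24 and host networking for the container; those are this example's choices, not the article's.

```shell
#!/bin/sh
# Added example: start coturn from a rendered turnserver.conf with a peer ACL.
# Assumptions (not from the article): password in SECRET_FILE (mode 0600),
# Jump machines in JUMP_PEER_RANGE, container started with --network=host.
set -eu

RELAY_PORT="${RELAY_PORT:-3478}"
RELAY_USERNAME="${RELAY_USERNAME:-MyUserName}"
RELAY_EXTERNAL_IP="${RELAY_EXTERNAL_IP:-1.2.3.4}"
RELAY_CONNECTION_MIN_PORT="${RELAY_CONNECTION_MIN_PORT:-49152}"
RELAY_CONNECTION_MAX_PORT="${RELAY_CONNECTION_MAX_PORT:-49552}"
JUMP_PEER_RANGE="${JUMP_PEER_RANGE:-192.168.2.0-192.168.2.255}"  # assumed
SECRET_FILE="${SECRET_FILE:-/etc/coturn/relay.secret}"           # assumed
CONF_FILE="${CONF_FILE:-/etc/coturn/turnserver.conf}"            # assumed

# Simultaneous connections the relay range can carry: one UDP port each.
relay_capacity() {
  echo $(( $2 - $1 + 1 ))
}

# Reject an inverted or out-of-range port range, and a listening port that
# sits inside the relay range (it would collide with an allocation).
check_port_range() {
  listen=$1; min=$2; max=$3
  [ "$min" -ge 1 ] && [ "$max" -le 65535 ] && [ "$min" -le "$max" ] || return 1
  if [ "$listen" -ge "$min" ] && [ "$listen" -le "$max" ]; then return 1; fi
  return 0
}

# Render turnserver.conf. Every key is a standard coturn option; the values
# are the article's variables plus the hardening below.
render_turnserver_conf() {
  password=$1
  cat <<EOF
listening-port=$RELAY_PORT
min-port=$RELAY_CONNECTION_MIN_PORT
max-port=$RELAY_CONNECTION_MAX_PORT
external-ip=$RELAY_EXTERNAL_IP
# Jump Desktop only needs UDP: switch off every other listener and transport.
no-tcp
no-tls
no-dtls
no-tcp-relay
no-cli
# Long-term credentials as in the article: one shared user for the team, so
# rotate it by re-rendering this file and restarting the container.
lt-cred-mech
realm=jumpdesktop.com
user=$RELAY_USERNAME:$password
# Peer ACL. coturn treats an address that is both denied and allowed as
# allowed, which is how the Jump subnet is carved out of the private ranges.
# Public addresses (NATed peers, the relay's own external IP) are untouched.
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
allowed-peer-ip=$JUMP_PEER_RANGE
log-file=stdout
pidfile=/tmp/turnserver.pid
EOF
}

start_relay() {
  check_port_range "$RELAY_PORT" "$RELAY_CONNECTION_MIN_PORT" "$RELAY_CONNECTION_MAX_PORT" \
    || { echo "bad port layout" >&2; return 1; }
  password=$(cat "$SECRET_FILE")   # read from a 0600 file, never from argv
  umask 077                          # the rendered file holds the password
  render_turnserver_conf "$password" > "$CONF_FILE"
  echo "relay capacity: $(relay_capacity "$RELAY_CONNECTION_MIN_PORT" "$RELAY_CONNECTION_MAX_PORT") connections"
  docker run -d --restart=always --network=host \
    -v "$CONF_FILE":/etc/coturn/turnserver.conf:ro \
    docker.io/coturn/coturn -c /etc/coturn/turnserver.conf
}

# Only act when invoked as: sudo ./relay-start.sh start
if [ "${1:-}" = start ]; then start_relay; fi
```

Run it as `sudo ./relay-start.sh start` after placing the password in the secret file. The container must be able to read the rendered file as the user turnserver runs as, so if your image drops privileges, chown the file to match. Public addresses are not in the deny list, so Jump machines reached through a NAT or through the relay's own external address keep working; only LAN host addresses outside the allowed range are refused, which is the point.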
2. Setup Connect Settings
Once the relay server is running we will use Connect Settings to configure Jump Desktop Connect on your team machines with the relay server configuration.
- Create a new Connect Setting configuration or edit your existing configuration.
- In the Networking section click the Edit button next to the On Premise Relay Servers option.
- In the Edit Relays dialog, click the Add button to add a new relay server configuration.
- In the Add New Relay dialog enter the following:
- In the Username field enter the username you selected when setting up the relay server (RELAY_USERNAME).
- In the Password field enter the password you used when setting up the relay server (RELAY_PASSWORD).
- In the Host field enter the relay server's IP address (RELAY_EXTERNAL_IP) followed by a ':' and then the port (RELAY_PORT).
- Tip: For the Host field you can also use your relay's internal LAN IP address instead of its external IP address. Using the internal IP address may be necessary if your internal machines can only reach the relay server by its internal IP address.
- Click Save
- Optional: Turn on Relay Connections Only. Normally Jump Desktop Connect tries its best to create a direct peer-to-peer connection between machines using NAT traversal and falls back to your custom relay server only if that fails. Turning this option on forces Jump Desktop Connect to always use your relay server. This is useful in high security environments where you want all traffic to flow through infrastructure you control. Note that the option is enforced by the Connect Settings on each machine, not by the network, so the firewall rules further down are what guarantee it at the network level.
- Click Save to save the configuration.
- Make sure you Assign the Connect Settings to the computers you want to use the relay server with.
Testing Connections to make sure they're going through your relay server
To test whether connections are using your custom relay server, apply the settings to a computer and then use Jump Desktop to connect to that computer. Once you're connected:
- Click Help -> Diagnostic Logs
- Open the latest Viewer log file and search backwards for the string "Got candidate". There may be multiple hits, but at least one of them should contain your relay server's address. If you see your relay server's address, things are working.
- To check that Relay Connections Only is in effect, also search backwards for the string "Using Cand" and make sure the candidate that line reports is your relay server's IP address rather than a direct peer address.
High Availability Relay Servers
Jump Desktop Connect supports specifying multiple relay servers for high availability. Given multiple relay servers, Jump Desktop Connect automatically skips servers that are down and chooses the reachable relay server with the lowest latency.
For high availability we recommend at least two relay servers.
You can add multiple relay servers in the On Premise Relay Servers dialog (Edit Relays) by clicking the Add button for each one.
Firewall settings
Your relay server's host firewall must allow inbound UDP traffic on the RELAY_PORT and on the port range RELAY_CONNECTION_MIN_PORT - RELAY_CONNECTION_MAX_PORT, and the outbound replies to those flows.
Running a Relay Service Behind a NAT
It's possible to run the relay service behind a NAT using port forwarding. Please make sure you read the Firewall Rules for Relay Service Behind NAT below.
Make sure the NAT is configured to forward UDP traffic on the listening port and on the connection ports to your relay server's internal IP address. For example, if your relay server is running on internal IP 192.168.2.10 with listening port 3478 and port range 49152-49552, create the following port forwarding rules on your router or NAT:
Port forwarding rule #1
External Port range: 49152 - 49552 (RELAY_CONNECTION_MIN_PORT - RELAY_CONNECTION_MAX_PORT)
External Protocol: UDP
Internal IP: 192.168.2.10
Internal Port: 49152 - 49552 (RELAY_CONNECTION_MIN_PORT - RELAY_CONNECTION_MAX_PORT)
Port forwarding rule #2 (needed for clients that reach the relay by its external address)
External Port: 3478 (RELAY_PORT)
External Protocol: UDP
Internal IP: 192.168.2.10
Internal Port: 3478 (RELAY_PORT)
Because the relay's own interface has a private address in this setup, give coturn both addresses as --external-ip=1.2.3.4/192.168.2.10 (public/private) so it advertises the public address for relayed candidates while still binding the internal one.
Critical: Firewall Rules for Relay Service Behind a NAT
When the relay sits inside your network, it is crucial to tightly control communication between the relay server and other internal machines with firewall rules. The relay should only interact with the machines that require its service, not with your entire internal network.
1. Restrict Internal Communications: Limit traffic between the relay and internal machines to UDP on ports 3478 (RELAY_PORT) and 49152-49552 (RELAY_CONNECTION_MIN_PORT - RELAY_CONNECTION_MAX_PORT), and ensure that it is always initiated by the internal machines, never by the relay server.
2. Block TCP Connections: Allow no TCP connections from the relay server to any machine on the internal network.
3. Block Outgoing UDP Connections from the Relay Server (Recommended): Prevent the relay server from initiating outgoing UDP connections to the internet. Ideally, all connections from the wider internet are inbound only, to ports in the external port range 49152-49552 (RELAY_CONNECTION_MIN_PORT - RELAY_CONNECTION_MAX_PORT). There may, however, be scenarios where the relay server attempts to connect to external hosts on behalf of internal machines, so test connections after applying this rule.
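The three rules above as an nftables ruleset, added here as an example rather than taken from the article. It assumes the relay host runs coturn with --network=host, so the relay's UDP flows hit the host's input hook (with Docker's bridged -p mappings the published ports are DNATed and traverse the forward hook and Docker's own chains instead, where these rules would not see them). It also assumes an IPv4 LAN of 192.168.0.0/16, one admin host 192.168.2.5 and a resolver at 192.168.2.1; all of those are this example's assumptions, not the article's.

```shell
#!/bin/sh
# Added example: nftables ruleset implementing the article's three firewall
# rules for a relay host running coturn with --network=host.
# Assumed addresses (not from the article): LAN_CIDR, ADMIN_HOST, DNS_RESOLVER.
set -eu

RELAY_PORT="${RELAY_PORT:-3478}"
RELAY_CONNECTION_MIN_PORT="${RELAY_CONNECTION_MIN_PORT:-49152}"
RELAY_CONNECTION_MAX_PORT="${RELAY_CONNECTION_MAX_PORT:-49552}"
LAN_CIDR="${LAN_CIDR:-192.168.0.0/16}"      # assumed
ADMIN_HOST="${ADMIN_HOST:-192.168.2.5}"     # assumed
DNS_RESOLVER="${DNS_RESOLVER:-192.168.2.1}" # assumed

# Print the ruleset. Both chains default to drop; everything the relay needs
# is listed explicitly, with the article's rule numbers in the comments.
relay_nft_ruleset() {
  cat <<EOF
flush ruleset

table inet relay {
  chain input {
    type filter hook input priority 0; policy drop;

    iif lo accept
    ct state established,related accept
    ct state invalid drop
    icmp type echo-request accept
    icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept

    # Rule 1: relay flows are opened towards the relay, never by it, and only
    # on the TURN listening port and the relay port range.
    udp dport $RELAY_PORT accept
    udp dport $RELAY_CONNECTION_MIN_PORT-$RELAY_CONNECTION_MAX_PORT accept

    # SSH administration from one host only (assumed address).
    ip saddr $ADMIN_HOST tcp dport 22 accept
  }

  chain output {
    type filter hook output priority 0; policy drop;

    oif lo accept
    ct state established,related accept
    meta l4proto { icmp, icmpv6 } accept

    # Rule 2: no TCP from the relay into the internal network.
    ip daddr $LAN_CIDR meta l4proto tcp drop

    # DNS for package updates: the one deliberate exception to rules 1 and 3
    # (assumed resolver); remove it if the host is updated another way.
    ip daddr $DNS_RESOLVER udp dport 53 accept

    # Rule 3: the relay never opens new UDP flows, to the LAN or the internet.
    # If connections fail with Relay Connections Only enabled, the relaxation
    # the article allows for is to let relay ports talk to non-LAN peers:
    #   udp sport $RELAY_CONNECTION_MIN_PORT-$RELAY_CONNECTION_MAX_PORT ip daddr != $LAN_CIDR accept
    meta l4proto udp drop

    # Outbound TCP to the internet (docker pull, OS updates) stays open.
    meta l4proto tcp accept
  }
}
EOF
}

# Parse the ruleset without touching the kernel (nft -c), then load it.
relay_nft_apply() {
  relay_nft_ruleset | nft -c -f - && relay_nft_ruleset | nft -f -
}

# Only load rules when invoked as: sudo ./relay-fw.sh apply
if [ "${1:-}" = apply ]; then relay_nft_apply; fi
```

Run `./relay-fw.sh` with no argument to review the generated ruleset, then `sudo ./relay-fw.sh apply` from a console session rather than over SSH, since a mistake in ADMIN_HOST locks you out. Relayed packets between two Jump clients' allocations on the same server are delivered locally and pass under the lo rules, so they are unaffected by the UDP drop.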