How Connect uses STUN services
CyberHive Connect uses the STUN protocol for Endpoint-based network address discovery.
If STUN is not permitted, whether because of firewall restrictions or other network security measures, Connect will not function as expected.
Firewalls need to allow outbound requests to the STUN servers along with inbound replies to these requests.
If your firewall blocks outbound traffic, please open the ports shown in the table below.
What is STUN
STUN stands for "Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)" and was defined by RFC 3489.
The RFC describes STUN as:
a lightweight protocol that allows applications to discover the presence and types of NATs and firewalls between them and the public Internet. It also provides the ability for applications to determine the public Internet Protocol (IP) addresses allocated to them by the NAT.
STUN services used by Connect
By default, the following public STUN services are used:
| Host | Port | Weight |
|---|---|---|
| stun1.l.google.com | 19302 | 100 |
| stun2.l.google.com | 19302 | 100 |
| stun3.l.google.com | 19302 | 100 |
| stun4.l.google.com | 19302 | 100 |
| stun.stunprotocol.org | 3478 | 500 |
STUN service weighting
A weight is applied to each STUN service. A higher weight means it is less likely to be used.
Alternative STUN services
If your organisation has its own instance of the Connect Control Service, then it is possible to configure alternative STUN services.
Note that multiple STUN services are used to obtain consensus. It is necessary to have at least three STUN services configured.
Firewall requirements
Each Endpoint must be able to send UDP-based STUN requests to all of the STUN services in use, and to receive related responses.
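The exchange this page relies on, as an added example that is not part of CyberHive's documentation or of Connect's own code: an Endpoint sends a UDP STUN Binding Request to each configured service, validates that each reply is a Binding Success for its own transaction id, reads the reflexive (public) address out of the XOR-MAPPED-ADDRESS attribute (falling back to the older MAPPED-ADDRESS), and only accepts an address that at least three services agree on. The server list is copied from the table above; the consensus rule (strict majority of at least three answers), the two-second timeout and the function names are assumptions made for illustration, and the server-side response builder is included only so the client-side parser can be exercised offline against constructed packets.

```python
import os
import socket
import struct
from collections import Counter

MAGIC_COOKIE = 0x2112A442          # fixed value defined in RFC 5389
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001       # RFC 3489 style, address sent in the clear
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # RFC 5389 style, address XORed with the cookie

# The default services from the table on this page: (host, port, weight).
DEFAULT_STUN_SERVERS = [
    ("stun1.l.google.com", 19302, 100),
    ("stun2.l.google.com", 19302, 100),
    ("stun3.l.google.com", 19302, 100),
    ("stun4.l.google.com", 19302, 100),
    ("stun.stunprotocol.org", 3478, 500),
]


def build_binding_request(txid=None):
    """Client side: a 20-byte Binding Request with no attributes. Returns (txid, packet)."""
    txid = txid if txid is not None else os.urandom(12)
    return txid, struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid)


def build_binding_success(txid, ip, port, use_xor=True):
    """Server side (constructed here for offline testing): a Binding Success response
    carrying the client's reflexive address as XOR-MAPPED-ADDRESS or legacy MAPPED-ADDRESS."""
    addr = struct.unpack("!I", socket.inet_aton(ip))[0]
    if use_xor:
        attr_type, port, addr = ATTR_XOR_MAPPED_ADDRESS, port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE
    else:
        attr_type = ATTR_MAPPED_ADDRESS
    attr = struct.pack("!HHxBHI", attr_type, 8, 0x01, port, addr)  # family 0x01 = IPv4
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txid) + attr


def parse_binding_response(data, txid):
    """Return (ip, port) from a Binding Success response to our transaction.
    Raises ValueError for anything else, so a stray or spoofed UDP datagram
    arriving on the same socket cannot be mistaken for our answer."""
    if len(data) < 20:
        raise ValueError("short STUN packet")
    msg_type, msg_len, cookie, rx_txid = struct.unpack("!HHI12s", data[:20])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or rx_txid != txid:
        raise ValueError("not a Binding Success for our transaction id")
    body, pos, legacy = data[20:20 + msg_len], 0, None
    while pos + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        pos += 4 + (attr_len + 3) // 4 * 4          # attribute values are padded to 4 bytes
        if attr_type not in (ATTR_XOR_MAPPED_ADDRESS, ATTR_MAPPED_ADDRESS) or len(value) < 8:
            continue
        family, port = struct.unpack("!xBH", value[:4])
        addr = struct.unpack("!I", value[4:8])[0]
        if family != 0x01:                           # IPv4 only in this example
            continue
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:     # preferred: undo the XOR with the cookie
            return socket.inet_ntoa(struct.pack("!I", addr ^ MAGIC_COOKIE)), port ^ (MAGIC_COOKIE >> 16)
        legacy = (socket.inet_ntoa(struct.pack("!I", addr)), port)
    if legacy is None:
        raise ValueError("no mapped address in response")
    return legacy


def query_stun(host, port, timeout=2.0):
    """Send one Binding Request over UDP; None means the service was unreachable,
    timed out (the symptom of a firewall dropping the request or its reply),
    or answered with something that failed validation."""
    txid, packet = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (host, port))
            data, _ = sock.recvfrom(2048)
            return parse_binding_response(data, txid)
        except (OSError, ValueError):
            return None


def consensus_address(answers, minimum=3):
    """Accept a reflexive address only when at least `minimum` services answered
    and a strict majority of them report the same (ip, port); otherwise None."""
    good = [a for a in answers if a is not None]
    if len(good) < minimum:
        return None
    addr, votes = Counter(good).most_common(1)[0]
    return addr if votes * 2 > len(good) else None


if __name__ == "__main__":
    replies = [query_stun(host, port) for host, port, _ in DEFAULT_STUN_SERVERS]
    for (host, port, weight), reply in zip(DEFAULT_STUN_SERVERS, replies):
        print(f"{host}:{port} (weight {weight}) -> {reply}")
    print("consensus:", consensus_address(replies))
```

Run as a script, it needs exactly the firewall allowance described above: outbound UDP to each listed host and port, and the replies back to the Endpoint's ephemeral source port. A `None` from every service is what a blocked egress path looks like; answers that agree on the IP address but differ in port are what a port-randomising NAT produces, which is why the consensus is taken over the full (ip, port) pair rather than the address alone.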