
How Connect uses STUN services

CyberHive Connect uses the STUN protocol for Endpoint-based network address discovery.

If STUN is blocked by firewall restrictions or other network security measures, Connect will not function as expected.

Firewalls need to allow outbound requests to the STUN servers along with inbound replies to these requests.

If your firewall blocks outbound traffic, please open the ports shown in the table below.

What is STUN

STUN stands for "Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)" and was defined by RFC 3489.

The RFC describes STUN as:

a lightweight protocol that allows applications to discover the presence and types of NATs and firewalls between them and the public Internet. It also provides the ability for applications to determine the public Internet Protocol (IP) addresses allocated to them by the NAT.

STUN services used by Connect

By default, the following public STUN services are used:

Host                     Port    Weight
stun1.l.google.com       19302   100
stun2.l.google.com       19302   100
stun3.l.google.com       19302   100
stun4.l.google.com       19302   100
stun.stunprotocol.org    3478    500

STUN service weighting

A weight is applied to each STUN service. The higher a service's weight, the less likely that service is to be used.

Alternative STUN services

If your organisation has its own instance of the Connect Control Service, then it is possible to configure alternative STUN services.

Note that multiple STUN services are used to obtain consensus. It is necessary to have at least three STUN services configured.

Firewall requirements

Each Endpoint must be able to send UDP-based STUN requests to all of the STUN services in use, and to receive related responses.
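
To check this requirement from an Endpoint's network, the following added example (not CyberHive's code) sends one STUN Binding Request to each default service and reports the public address each one returns. It assumes IPv4 and RFC 5389 framing (magic cookie, with either MAPPED-ADDRESS or XOR-MAPPED-ADDRESS in the reply); the agreement rule in consensus() is an assumption made for illustration, since this page does not describe how Connect computes consensus.

```python
import os, socket, struct
from collections import Counter

MAGIC = 0x2112A442  # RFC 5389 magic cookie
# Hosts and ports from the table on this page
SERVERS = [(f"stun{i}.l.google.com", 19302) for i in range(1, 5)] + [("stun.stunprotocol.org", 3478)]

def binding_request(txid):
    return struct.pack("!HHI", 0x0001, 0, MAGIC) + txid  # Binding Request, empty body

def mapped_address(resp, txid):
    """Return (ip, port) from a Binding Success Response, or None if it is not valid."""
    mtype, mlen = struct.unpack("!HH", resp[:4].ljust(4, b"\0"))
    if mtype != 0x0101 or len(resp) < 20 + mlen or resp[8:20] != txid:
        return None  # wrong type, truncated, or not a reply to our request
    pos, end = 20, 20 + mlen
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", resp[pos:pos + 4])
        val = resp[pos + 4:pos + 4 + alen]
        if atype in (0x0001, 0x0020) and len(val) >= 8 and val[1] == 0x01:  # IPv4
            port, addr = struct.unpack("!HI", val[2:8])
            if atype == 0x0020:  # XOR-MAPPED-ADDRESS is XORed with the cookie
                port, addr = port ^ (MAGIC >> 16), addr ^ MAGIC
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        pos += 4 + alen + (-alen % 4)  # attribute values are padded to 4 bytes
    return None

def probe(host, port, timeout=2.0):
    """One UDP round trip; None means the request or the reply did not get through."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(binding_request(txid), (host, port))
            return mapped_address(s.recv(2048), txid)
        except OSError:  # timeout, DNS failure, ICMP unreachable
            return None

def consensus(results, minimum=3):
    """Assumed rule: the public IP reported by at least `minimum` services."""
    votes = Counter(r[0] for r in results if r)
    ip, n = votes.most_common(1)[0] if votes else (None, 0)
    return ip if n >= minimum else None

if __name__ == "__main__":
    results = [probe(h, p) for h, p in SERVERS]
    for (h, p), r in zip(SERVERS, results):
        print(f"{h}:{p} -> {r or 'no response (check outbound UDP and return traffic)'}")
    print("public IP agreed by 3+ services:", consensus(results))
```

A service that shows no response here is either unreachable on its UDP port or its reply is being dropped on the way back.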