My customer ICBC asked us to expose just one IP address on the internet for all REMBs installed in the DMZ zone.
The REM solution uses a reverse proxy to hide the REAS topology.
But it exposes the external interface IPs of all REMBs to the internet.
The customer wants to hide the REMB IP addresses as well.
Internal REMB#1: 192.168.1.1 (port range 16000~16500)
Internal REMB#2: 192.168.9.1.2 (port range 16000~16500)
Public internet: 18.104.22.168 (port range 16000~17000)
Has any other customer raised the same requirement?
Do we have any workaround?
Typically, on the public-facing side of the Media Broker in the DMZ, only 5 ports per Media Broker are exposed, and these are generally NATed via a firewall. This is because the WebRTC calls use port offloading, and the sRTP and sRTCP streams on each of the 5 MediaBrokers are multiplexed on the single port.
You could use one IP on the firewall to NAT to all your Media brokers:
- External FW IP (ports 16000 - 16004) -> REMB1 External facing IP (ports 16000 - 16004)
- External FW IP (ports 16005 - 16009) -> REMB2 External facing IP (ports 16000 - 16004)
FYI: on the internal (SIP) side, larger numbers of ports are needed, as there is no multiplexing and each call needs 2 ports.
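
The port-block mapping from this answer, generalized to any number of Media Brokers as an added example (not code from the original post or from the product). The broker addresses are constructed placeholders, the function and class names are hypothetical, and the allowed external range 16000~17000 is taken from the question.

```python
import ipaddress
from dataclasses import dataclass

PORTS_PER_BROKER = 5       # from the answer: 5 exposed ports per Media Broker
BROKER_BASE_PORT = 16000   # from the answer: each REMB listens on 16000-16004


@dataclass(frozen=True)
class NatRule:
    ext_first: int      # first port on the single external firewall IP
    ext_last: int       # last port on the single external firewall IP
    broker_ip: str      # REMB external-facing IP in the DMZ
    broker_first: int
    broker_last: int


def build_nat_plan(broker_ips, ext_first=16000, ext_last=17000):
    """Give each broker its own consecutive 5-port block on one external IP."""
    if len(set(broker_ips)) != len(broker_ips):
        raise ValueError("duplicate broker IP in plan")
    rules = []
    for i, ip in enumerate(broker_ips):
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        first = ext_first + i * PORTS_PER_BROKER
        last = first + PORTS_PER_BROKER - 1
        if last > ext_last:
            raise ValueError(f"{ip} needs {first}-{last}, beyond port {ext_last}")
        rules.append(NatRule(first, last, ip, BROKER_BASE_PORT,
                             BROKER_BASE_PORT + PORTS_PER_BROKER - 1))
    return rules


def resolve(rules, ext_port):
    """Map an external port to (broker_ip, broker_port); None means keep it closed."""
    for r in rules:
        if r.ext_first <= ext_port <= r.ext_last:
            return r.broker_ip, r.broker_first + (ext_port - r.ext_first)
    return None


if __name__ == "__main__":
    # Constructed placeholder addresses for REMB1 and REMB2.
    plan = build_nat_plan(["10.0.0.11", "10.0.0.12"])
    for r in plan:
        print(f"FW:{r.ext_first}-{r.ext_last} -> "
              f"{r.broker_ip}:{r.broker_first}-{r.broker_last}")
    print("16007 ->", resolve(plan, 16007))
    print("16010 ->", resolve(plan, 16010))
```

Any external port for which `resolve` returns `None` has no broker behind it and can stay closed on the firewall.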