Best practice: Publish UCServer configuration for external access
December 2020
Best Practice
The procedure described in "Best practice" requires detailed IT expertise in configuration and administration.
Setting up the WebServices for connections from clients to the UCServer from outside the UCServer network requires detailed knowledge of STUN/TURN, network architecture and security settings.
With UCConnect, a service from estos, it is easy to set up connections from clients to the UCServer as an external connection.
What is the UCServer WebService?
A WebService is always installed together with the UCServer, which is permanently connected to the UCServer. The UCServer WebService is required to connect ProCall Mobile, ProCall for macOS and the ProCall web applications to the UCServer. The publication of the UCServer WebService enables the use of these applications not only in the local network, but also via the internet or from the home office.
What options are there for publishing?
Depending on the structure of the network infrastructure of the user company and the technical and organizational requirements, we distinguish between different scenarios.
Publication without DMZ (medium complexity)
Publication with DMZ (high complexity)
Publication using the estos complementary online services or UCConnect (low complexity)
UCConnect
Further information on the supplementary online services is available on our website (https://www.estos.com or https://portal.ucconnect.com)
Depending on the network infrastructure, we recommend different procedures.
DMZ | Location UCServer | Procedure |
---|---|---|
No | LAN | |
Yes | DMZ | |
Yes | LAN |
Port forwarding – configure the NAT router with port forwarding, the encryption (TLS) of the communication is done by the UCServer WebService. These settings can be found in the UCServer administration in the menu Tools >> Network interfaces.
HTTP reverse proxy – An HTTP reverse proxy is a server that receives HTTP(S) requests and forwards them to a server in the private network. This http reverse proxy requires the SSL certificate, the communication is forwarded to the UCServer via HTTP (to the network interface of the "WebService http") or HTTPS (to the network interface of the "WebService https"). For example, you can use nginx (proxy_pass), Apache (mod_proxy, ProxyPass) or Microsoft® IIS (Application Request Routing) as the server.
Requirements for the reverse proxy
The HTTP reverse proxy must allow web socket connections (RFC 6455) in addition to HTTP GET and POST.
What requirements must be met?
Public IP address – Your internet access must have a public IP address.
DNS entry – The public IP address must be resolvable via a DNS entry. Add a DNS A record to your domain (e.g. ucws.domain.com), use your public IP address.
SSL certificate – The certificate should be issued by a public certificate authority (CA) that is trusted by all major browsers and operating systems. If you work with a self-signed certificate ('Self Signed Certificate'), the connection is encrypted, but not secure against interception. This does not allow the use of browser applications.
Caution when choosing the certificate
A trustworthy certificate is absolutely necessary for the use of browser applications.
How to proceed further?
Please decide on the basis of the concrete network infrastructure whether you want to use Port Forwarding or http Reverse-Proxy.
Further information