STUN (Session Traversal Utilities for NAT) enables an end host operating behind a NAT device to discover the NAT IP address and NAT port that the NAT device allocated to it. Interactive communication applications (for example real-time voice, video, and messaging) running on these hosts use the STUN protocol to discover this NAT IP address and port information, and then use it to connect to their peer applications in the Internet. The STUN protocol includes servers, known as STUN servers, residing in the Internet. Using the STUN protocol, an application on an end host sends a request to a known STUN server, which embeds the NAT IP address and port it observed in the payload of its response packet.
In an LSN deployment of a Citrix ADC appliance for an ISP, interactive communication applications (for example real-time voice, video, and messaging) running on a subscriber's device can use the STUN protocol to discover whether the device is behind a NAT device (the Citrix ADC appliance). These applications send a request to a known STUN server. On receiving the request, the Citrix ADC appliance allocates a NAT IP address and a port for this request, creates an LSN session and an LSN mapping entry, translates the packet with the allocated NAT IP address and port, and then forwards the packet to the STUN server. The STUN server embeds the allocated NAT IP address and port in the payload of its response packet. When the subscriber receives the response, it learns from the payload that it is behind a NAT device, and it learns the NAT IP address and port allocated for the session.
The application then notifies the peer applications that it is reachable at the NAT IP address and port of the LSN mapping entry created for the STUN session, by embedding the NAT IP address and port in the payload of the packets it sends to the peer applications. To make the application reachable at the same LSN mapping entry for any external application, full cone NAT (endpoint-independent mapping and endpoint-independent filtering) is enabled for the LSN configuration on the Citrix ADC appliance.
The Citrix ADC appliance detects an LSN session of type STUN if the request packets are destined to TCP or UDP port 3478, and then marks the created mapping entry as type STUN. The Citrix ADC appliance applies a timeout, called the STUN timeout, to the created STUN LSN mapping entry. The STUN timeout is the maximum time that the Citrix ADC appliance maintains an idle STUN LSN mapping entry since it was last used by any LSN session. If the STUN LSN mapping entry is unused for a time that exceeds the STUN timeout, the Citrix ADC appliance removes the mapping entry.
For an application on a subscriber that uses a STUN LSN mapping entry to stay reachable by peer applications on the Internet, the application periodically sends keep-alive messages through the Citrix ADC appliance so that the STUN LSN mapping entry does not time out. A higher frequency of keep-alive messages can affect the performance of a subscriber, especially if the subscriber is a mobile device. A higher STUN timeout value reduces the frequency of keep-alive messages that a subscriber must send.
ALGs on the Citrix ADC appliance do not apply to an LSN session that uses a STUN LSN mapping entry, because the NAT IP address and NAT port are communicated in the payload of the packets related to the session.
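The exchange described above, as an added example that is not from the Citrix documentation: a minimal Python builder and parser for the STUN Binding Response that carries the NAT IP address and port back to the subscriber. The XOR-MAPPED-ADDRESS encoding (RFC 5389) is the reason the address is visible only to the application that decodes the payload; the NAT IP 203.0.113.3, port 40000 and the function names are constructed sample values, not part of the original page.

```python
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # fixed RFC 5389 cookie, also used as the XOR key
STUN_PORT = 3478                   # port on which the LSN appliance classifies STUN
BINDING_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001       # legacy RFC 3489 attribute, address in the clear
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # RFC 5389 attribute, address XORed with the cookie


def build_binding_response(nat_ip, nat_port, txn_id):
    """Build what a STUN server sends back: a Binding Success Response whose
    XOR-MAPPED-ADDRESS attribute carries the NAT IP address and port it saw."""
    x_port = nat_port ^ (MAGIC_COOKIE >> 16)
    x_addr = struct.unpack("!I", socket.inet_aton(nat_ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, x_port, x_addr)   # reserved, IPv4 family
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    header = struct.pack("!HHI", BINDING_RESPONSE, len(attr), MAGIC_COOKIE) + txn_id
    return header + attr


def parse_mapped_address(msg):
    """Decode the (ip, port) a subscriber learns from the response payload,
    handling both the XORed and the legacy clear-text attribute."""
    if len(msg) < 20:
        raise ValueError("short STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or msg_type != BINDING_RESPONSE:
        raise ValueError("not a STUN Binding Response")
    body = msg[20:20 + length]
    pos = 0
    while pos + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        pos += 4 + ((attr_len + 3) & ~3)       # attribute values are padded to 4 bytes
        if attr_type not in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) or value[1] != 0x01:
            continue
        port, addr = struct.unpack("!HI", value[2:8])
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            port ^= MAGIC_COOKIE >> 16
            addr ^= MAGIC_COOKIE
        return socket.inet_ntoa(struct.pack("!I", addr)), port
    raise ValueError("no mapped address attribute")


if __name__ == "__main__":
    # Constructed sample: the LSN pool address 203.0.113.3 with an allocated port.
    response = build_binding_response("203.0.113.3", 40000, b"\x01" * 12)
    print(parse_mapped_address(response))   # ('203.0.113.3', 40000)
```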
For subscribers' applications that use the STUN protocol, the LSN configuration must have the following settings:
- STUN timeout. In an LSN configuration, the LSN group includes the STUN timeout setting.
- Endpoint-independent mapping and endpoint-independent filtering for STUN protocol ports.
For instructions on creating an LSN configuration, see Configuration Steps for LSN.
The following sample LSN configuration applies to applications that use the STUN protocol over TCP or UDP. The STUN timeout is set to 10 minutes. Endpoint-independent mapping and endpoint-independent filtering are set for the STUN TCP port (3478) and the STUN UDP port (3478).
```
add lsn client LSN-CLIENT-1
Done
bind lsn client LSN-CLIENT-1 -network 192.0.2.0 -netmask 255.255.255.0
Done
add lsn pool LSN-POOL-1
Done
bind lsn pool LSN-POOL-1 203.0.113.3
Done
add lsn group LSN-GROUP-1 -clientname LSN-CLIENT-1 -stuntimeout 10
Done
bind lsn group LSN-GROUP-1 -poolname LSN-POOL-1
Done
add lsn appsprofile LSNAPPSPROFILE-TCP-STUN-1 TCP -mapping ENDPOINT-INDEPENDENT -filtering ENDPOINT-INDEPENDENT
Done
bind lsn appsprofile LSNAPPSPROFILE-TCP-STUN-1 3478
Done
bind lsn group LSN-GROUP-1 -applicationprofilename LSNAPPSPROFILE-TCP-STUN-1
Done
add lsn appsprofile LSNAPPSPROFILE-UDP-STUN-1 UDP -mapping ENDPOINT-INDEPENDENT -filtering ENDPOINT-INDEPENDENT
Done
bind lsn appsprofile LSNAPPSPROFILE-UDP-STUN-1 3478
Done
bind lsn group LSN-GROUP-1 -applicationprofilename LSNAPPSPROFILE-UDP-STUN-1
Done
```