Configure a Juniper Firewall¶

This guide explains how to configure a Juniper firewall to allow Reemo to use an optimal connection (direct/udp) and avoid unnecessary fallback to relays.  
A correct configuration reduces latency and improves the audio/video quality of sessions.  
Without this configuration, Reemo can still work, but connections will fall back to relays (relay/tcp, relay/udp, websocket) with reduced performance.

Before starting, make sure your Juniper firewall (SRX Series, Junos OS) is properly installed and accessible via its web administration interface.

Then log in to the interface with your administrator credentials.

Note

This configuration is provided as an example.  
Screens and labels may vary slightly depending on the version of your device (e.g. Junos OS SRX).  
The proposed names for objects (Reemo_TURN1, Reemo_Protocol_in, etc.) are indicative: you may use your own naming conventions.

Step 1: Add the Reemo servers¶

In Security > Policy Elements > Zone Address Book, add the following addresses in the Internet zone:

Reemo_TURN1 :
- Type : FQDN
- Domain Name : turn1.reemo.io

Add TURN1 address in the Zone Address Book.¶

Reemo_TURN2 :
- Type : FQDN
- Domain Name : turn2.reemo.io

Add TURN2 address in the Zone Address Book.¶

Reemo_Signal :
- Type : FQDN
- Domain Name : signal.reemo.io

Add Signal address in the Zone Address Book.¶

Overview of addresses

Overview of Reemo addresses — Summary of configured addresses.¶

Step 2: Create Reemo applications (services)¶

In Security > Policy Elements > Applications, create the following custom applications:

Reemo_TURN_UDP443 :
- Protocol : udp
- Destination Port : 443

UDP 443 application for TURN — Custom application: TURN over UDP/443.¶

Reemo_Protocol_out :
- Protocol : udp
- Source Port : 58200-58400

Reemo Protocol Out application — Custom application: outgoing flows from the Reemo Agent.¶

Reemo_Protocol_in :
- Protocol : udp
- Destination Port : 58200-58400

Reemo Protocol In application — Custom application: incoming flows for the browser.¶

Overview of applications

Overview of Reemo applications — Summary of configured applications.¶

Step 3: Create security rules¶

In Security > Security Policy, create the following rules:

Global rules¶

Reemo_TURN :
- From Zone : internal
- To Zone : Internet
- Destination Address : Reemo_TURN1, Reemo_TURN2
- Applications : Reemo_TURN_UDP443, junos-https
- Action : permit

Juniper rule to TURN (UDP/443) — Allow TURN (UDP/443) and HTTPS to the TURN servers.¶

Reemo_Signal :
- From Zone : internal
- To Zone : Internet
- Destination Address : Reemo_Signal
- Applications : junos-https
- Action : permit

Juniper rule to the signaling server — Allow HTTPS to the signaling server.¶

Rules for the remote computer (“Reemo Side”)¶

These rules concern the outgoing traffic generated by the remote computer running the Reemo Agent. They allow the machine to correctly communicate with the client browser via the UDP 58200–58400 range.

ReemoAgent_out :
- From Zone : internal
- To Zone : Internet
- Source Address : LAN (remote computer)
- Destination Address : any
- Applications : Reemo_Protocol_out
- Action : permit

Reemo Protocol Out rule — Allow outgoing flows from the Reemo Agent.¶

Rules for the browser (“Browser Side”)¶

These rules concern the incoming traffic on the browser side (the user’s workstation). They ensure that UDP 58200–58400 flows sent by the Reemo Agent properly reach the browser.

ReemoAgent_in :
- From Zone : internal
- To Zone : Internet
- Applications : Reemo_Protocol_in
- Action : permit

Reemo Protocol In rule — Allow incoming UDP flows on the browser side.¶

Overview of policies

Overview of security policies — Summary of configured policies.¶

Step 4: NAT configuration (recommended)¶

To preserve performance in direct/udp, it is recommended to:

Disable source port overloading,
Enable persistent NAT behavior.

Open NAT > Source, then Global Settings.
Disable the Interface Port-Overloading option.
Add specific rules in the main Source Rule Set.

Overview of NAT rules — Example of NAT configuration.¶

NAT rule examples¶

Reemo_NAT_TestPage_rule (Test to UDP/443) :
- Source : your internal subnet
- Protocol : udp
- Port : 443
- Action : Do Source NAT With Egress Interface Address + Persistent
ReemoAgent_out (Agent outgoing flows) :
- Source : your internal subnet
- Protocol : udp
- Ports : 58200-58400
- Action : Do Source NAT With Egress Interface Address + Persistent
ReemoAgent_in (browser-side incoming flows) :
- Source : your internal subnet
- Protocol : udp
- Ports : 58200-58400
- Action : Do Source NAT With Egress Interface Address + Persistent

Summary: Ports and addresses to open¶

For quick reference, here is a summary table of the required flows for Reemo to work properly in direct/udp mode:

Usage	Protocol	Ports	Destination
Signal server	TCP/UDP	443	`signal.reemo.io`
TURN servers	UDP	443	`turn1.reemo.io`, `turn2.reemo.io`
Reemo Protocol In	UDP	58200–58400	Browser (client workstation)
Reemo Protocol Out	UDP	58200–58400 (src → dynamic dst)	Remote computer (Reemo Agent)