How to handle the token endpoint when doing WebRTC streaming from a client in DMZ where XProtect is not accessible from DMZ.

Hi! We have a use case where we will have a client application that will stream video via WebRTC.

In order to handle this without directly exposing the Milestone server in the DMZ, we will set up TURN and STUN for handling the WebRTC part, but we will also need to get an access token from the Milestone XProtect IdP (via the Milestone API GW).

Should we have an additional API GW for “protecting” the token endpoint and maybe also use mTLS for extra protection?

Does anyone have any “best practice” to share regarding our use case?

Best regards Hans

There is an API Gateway Administrator’s Manual here.

It does not seem to mention the DMZ scenario that you are asking about, and it might fall short of a ‘best practice’ description.

Installing the API Gateway in a DMZ is possible.

The ports that need to be opened towards the XProtect servers are not mentioned in the manual for the API Gateway, but you can find them in the general Administrator’s Manual here.

Note that you can use basic authentication users but not Windows AD users because of the way the IDP works.

Ok, thanks.

/Hans