Frequently Asked Questions (FAQ)

A.   About the AnyFirewall Developers Community

1. What is AnyFirewall Developers Community?
2. Who should become member?
3. What are the benefits of becoming a member?
4. How can I get commercial license for AnyFirewall Engine and/or AnyFirewall Server?

B.   NAT Traversal Problem and Applications

5. What is NAT and firewall?
6. What is the NAT/firewall traversal problem?
7. What applications can benefit from Eyeball NAT traversal solutions?
8. What types of features and capabilities is the VoIP industry looking for in a NAT traversal solution?

C.   Eyeball Products and Features

9. What products does Eyeball provide for NAT traversal?
10. What are the features and benefits of Eyeball AnyFirewall Engine?
11. What does Eyeball AnyFirewall Engine product contain?
12. What are the features and benefits of Eyeball AnyFirewall Server?
13. How does AnyFirewall solutions compare with Session Border Controllers (SBCs)?

D.   Standards

14. What are STUN, TURN and ICE?
15. Which standards and drafts do you support?
16. How do you differentiate your products from IETF STUN, TURN and ICE?
17. Do you support HTTP tunneling?

E.   Eyeball AnyFirewall Engine Technical Details

18. What platforms and operating systems does AFE support?
19. Which programming languages do you support?
20. What NAT and firewall devices or solutions do AnyFirewall solutions traverse?
21. What kind of sample programs does AFE come with?
22. How big is the AFE library?
23. Do you support nested NATs and multi-level NATs?
24. Does AFE traverse symmetric NATs?
25. I only want to use STUN, TURN and ICE, but do not want to use HTTP tunneling and UPnP traversal.  How can I do this?
26. Can I use AFE for XMPP, JINGLE and/or RTSP?
27. What is peer-to-peer media delivery and why should I care?
28. What is your peer-to-peer call completion rate?
29. Is AFE library thread-safe?
30. Can multiple SIP user-agents in the same computer share the same library?
31. What is AFE channel and how is it is related to socket programming?
32. What is the difference between AF_CHANNEL_RTP and AF_CHANNEL_UDP?
33. How can AFE be used to implement SIP outbound?
34. Can you also relay signaling messages (such as SIP messages)?
35. How do you test your NAT traversal solutions and what kind of interoperability tests have you done?
36. Which SIP stacks do you support?
37. Do you provide source code?

F.   NAT Traversal Problem and Applications

38. What is the purpose of AFE Demo?
39. What does the AFE demonstrations shows?

A.   About the AnyFirewall Developers Community

1. What is AnyFirewall Developers Community?

The AnyFirewall Developers Community is designed to enable software developers to incorporate the world's leading firewall and NAT traversal solution into their IP communication applications (such as VoIP phone, video streaming, content sharing, networked games etc.). The membership to this community is free and it enables rapid integration of STUN, TURN and ICE features into their applications, services and devices.

2. Who should become members?

Anyone using internet communication may face NAT traversal problem. If you are an application developer, solution integrator or device maker having problems with NAT, firewall or http-proxy traversal for IP communications, then you should become member of AnyFirewall Developers Community. Here are sample applications whose developers will find this program helpful:

• VoIP softphone or service
• Audio/video streaming
• Video conferencing
• Web conferencing
• Peer-to-peer content sharing
• Networked games

3. What are the benefits of becoming a member?

NATs and firewalls break IP communications if you do not have the right tools and technologies to handle them.  A member of the AnyFirewall Community gets access to software and support to rapidly integrate NAT, firewall and web-proxy traversal features into their applications free of charge thus reducing risk exposure, cost and time-to-market. 

Here are some of the membership benefits:

• FREE download of Eyeball AnyFirewall Engine – a software library for NAT and firewall traversal along with documentation and sample programs.
• Access to the AnyFirewall Demo for trying Eyeball NAT and firewall traversal solutions before implementing into your applications.
• Development support for enabling STUN, TURN and ICE features into your applications and devices.
• Test developed application(s) with FREE access to online Eyeball AnyFirewall Server.
• Access to whitepapers, tutorials and other technical materials.
• Community support for discussion and interoperability testing.

4. How can I get commercial license for AnyFirewall Engine and/or AnyFirewall Server?

In order to get the commercial license for AnyFirewall Engine and/or AnyFirewall Server, please fill theSales Request Form. A sales consultant will contact you soon.

B.   NAT Traversal Problem and Applications

5. What is NAT and firewall?

Network Address Translation (NAT) refers to mechanism or device doing translation of IP addresses from one realm to another.  Firewall refers to a packet filtering mechanism usually implemented at the border of a network in order to protect the internal computers from unwanted traffic or users. Many broadband home users install home routers from various vendors, such as Belkin, D-Link, LinkSys and NetGear.  A home router like this serves two purposes: it works as a NAT and allows sharing of a public IP among multiple computers, and protects local computers by working as a packet-filtering firewall that blocks un-invited traffic from public Internet.  Business users also use NAT and firewall features using (a) Internet routers allow them to share a few public IP addresses among many computers, and (b) Internet firewall products such as Cisco PIX, Juniper NetScreen, and CheckPoint FW1 to shield internal computers and data from outside access and rogue traffic.

The above figure shows a LinkSys router device working as a NAT and firewall.  Here 3 devices using private IP addresses 192.168.20.2, 192.168.20.3 and 192.168.20.4 share the public IP address 61.22.34.54 through the NAT.  Here the router allows these internal hosts to access the public Internet by modifying each IP packet to and from these computers by using a two-way mapping between private IP addresses and transport ports to the router’s public IP address and transport ports. The rewriting of addresses by the NAT is usually performed using a lookup table, where mappings between internal address/port pairs and external address/port pairs are stored.

6. What is the NAT/firewall traversal problem?

While NATs and firewall serve important purposes by allowing multiple computers to share few public IP address and protecting local computers from unwanted traffic and access, they also pose major challenges for IP communications through the Internet. 

The above figure illustrates the NAT /firewall traversal problem for IP communications using SIP (Session Initiation Protocol) - a widely adopted standard for VoIP.  In SIP, two user-agents needs to exchange IP addresses and media transport port in the SIP INVITE message to establish media exchange between them.  The figure shows the following problems:

• When Carol wants to make a call to Elisha, Carol needs to share the IP address and a UDP transport port where she will receive voice data. However when Carol uses the private IP address and local UDP port to receive voice for the SIP call, voice packets from the remote party connected to public Internet will never reach Carol because private IP addresses are not routable in the public Internet.
• If Carol is in a call with Elisha and for a while only Elisha talks (i.e. Carol does not send any packets to Elisha), then Carol’s NAT may close the binding, which effectively terminates the call.
• If David wants to call Alice, David needs to sends a SIP INVITE to Alice. Firstly David cannot send the INVITE message to Alice’s private IP address.  Even if David knows the public IP address of Alice’s NAT, the INVITE message will not reach Alice because the firewall will block it.

7. What applications can benefit from Eyeball NAT traversal solutions?

Any application using IP communications or data transfer may benefit from Eyeball NAT traversal solutions.  Here is a list of sample applications:

• VoIP softphone
• Audio/video streaming
• Video conferencing
• Web conferencing
• Peer-to-peer content sharing
• Networked games

8. What types of features and capabilities is the VoIP industry looking for in a NAT traversal solution?

Some key features that are expected from a NAT traversal solution include:

• Call completion guarantee: The solution must ensure 100% call completion rate between users, regardless of the NAT/firewall types used.
• Standard compliance and interoperability: The solution must interoperate with equipment from different vendors. Therefore, the solution must be based on some standards to ensure successful communication between devices with different settings.
• Maximize peer-to-peer calls: The solution needs to maximize peer-to-peer (P2P) calls in order to reduce load on relay servers, and to provide low end-to-end delay, low jitter and reduced packet loss. Having high P2P calls makes a service scalable, and reduced operating cost due to reduced bandwidth requirement.
• Security: The NAT traversal solution must not compromise the security settings of the NAT/firewall.
• Ease of integration with existing products or services: It is vital for the NAT traversal solution to be easily integrated with existing VoIP products or services, with minimal amount of work and time.
• Service scalability: The solution needs to be scalable so that it can be used independent of the number of participants.
• Optimized call completion time: The solution needs to make sure that the calls are established quickly.

C.   Eyeball Products and Features

9. What products does Eyeball provide for NAT traversal?

Eyeball provides a complete solution to ensure seamless traversal of media across different NATs, firewalls, UPnP gateways, & web proxies. This comprises two products:

• Eyeball AnyFirewall Engine (AFE) – the industry's leading firewall and NAT traversal SDK offering the most comprehensive implementation of STUN, TURN and ICE along with UPnP and web-tunneling, and
• Eyeball AnyFirewall Server (AFS) - a carrier-grade STUN and TURN server ready for licensing and mass deployment.


The above figure illustrates Eyeball NAT traversal solutions.  Here are a few highlights about Eyeball’s NAT traversal solutions:

• 100% call completion: 100% call completion through NATs, firewalls, UPnP gateways and web proxies.
• Comprehensive implementation of industry standard protocols: UPnP and IETF standards of STUN, TURN, ICE, and nat-behaviour-discovery-01.
• High peer-to-peer call completion rate: More than 95% of calls are completed without the use of a relay server.
• Multiple platforms: AFE is available on Windows, Linux, Mac OS, Windows Mobile and iPhone with other platform support available upon request.
• Easy to integrate: The AFE socket API is based on the standard Berkeley socket API, which is used in most operating systems. This allows AFE to be integrated quickly into existing products.
• Complete solution: The AnyFirewall™ Server (a standards-based STUN/TURN relay server) and the AnyFirewall™ Engine (a standards-based ICE client) provide a complete solution for NAT traversal.
• Service scalability: A single AnyFirewall™ Server supports more than 10,000 concurrent calls at one time, with more calls supported by simply adding another server.
• Product maturity: Eyeball Networks Inc. has been a leader in NAT traversal solutions for over 5 years. Our products are field tested by millions of end-users all over the world.

10. What are the features and benefits of Eyeball AnyFirewall Engine?

The Eyeball AnyFirewall Engine™ provides a feature-rich NAT traversal SDK for application developers and device makers. Here are a few technical highlights:

• Most comprehensive implementation of STUN, TURN, and ICE, plus optional features such as UPnP gateways and HTTP tunneling through web-proxies.
• Automatic selection of transport modes (UDP or TCP), and transparent translation of UDP to TCP when using TCP relaying.
• Supports symmetric RTP and smart keep-alives for signaling and media connections.
• Multiparty calls with hybrid UDP, TCP and HTTP streams.
• Traversal for voice, video, instant-messages and file-transfer.
• Minimized call completion time by pre-fetching and caching candidates.
• Simple C/C++ API familiar to TCP/IP socket programmers.
• Works with 3rd party SIP/XMPP stacks & voice/video engines.
• PC and embedded system support including Microsoft Windows, Linux, and Windows Mobile.

The rich set of APIs offered by AFE enable developers to write IP communication applications without the concern of NAT and firewall traversal problems. The following figure shows the diverse kinds of applications that can be built using AFE. It supports rapid integration with third party signaling protocol stacks (such as SIP, XMPP, JINGLE and RTSP) and media engines.

11. What does Eyeball AnyFirewall Engine product contain?

AnyFirewall Engine provides a rich and flexible application programming interface (API) to enable seamless NAT and firewall traversal for your applications. The product includes everything you need for rapid integration of NAT traversal features into your application:

• C/C++ library providing flexible API
• Sample client application in source code illustrating how to use the Engine for VoIP applications using third-party SIP stack and RTP library
• Developer reference documentation
• Technical support for integration and customization
• Development and test access to Eyeball AnyFirewall Server - a carrier-grade STUN and TURN server

12. What are the features and benefits of Eyeball AnyFirewall Server?

The Eyeball AnyFirewall™ Server is a carrier-grade server for NAT/firewall discovery, and signaling and media relay based on STUN standard (RFC 5389) and TURN IETF draft. Here are some of the feature highlights of Eyeball AnyFirewall Server:

• First standards-based NAT and firewall traversal server for VoIP -- incorporates STUN and TURN and supports HTTP tunneling as a fallback. Supports traversal of media and signaling including voice, video, IM and file-transfer.
• Scalable firewall traversal for large deployments -- most calls use peer-to-peer media transport, load balancing based on DNS SRV lookup, more than 10,000 concurrent calls per CPU.
• Interoperability with 3rd party products -- works with 3rd party clients and end-points, and SIP servers from Cisco, Huawei, Nortel, Tekelec and Ubiquity.
• Support wiretapping of calls by forcing relay usage for certain users (for CALEA requirements).
• Ready for deployment in IMS infrastructure (stand-alone server or integrated into CSCF).
• Runs on standard Linux systems (standard PC or carrier-grade servers).
• Easy to setup using either text-based configuration; interactive command line interface; or web-based provisioning, monitoring, and usage statistics.

13. How does AnyFirewall solutions compare with Session Border Controllers (SBCs)?

Session Border Controllers (SBCs) is another solution of NAT traversal problem. A brief comparison is provided here between AnyFirewall Solutions and SBCs:

D.   Standards

14. What are STUN, TURN and ICE?

The IETF (Internet Engineering Task Force) has devised a suite of standards and protocols, namely STUN (Session Traversal Utilities for NAT), TURN (Traversal Using Relay NAT), and ICE (Interactive Connectivity Establishment), to address the NAT traversal problem.

STUN solves the NAT traversal problem partly by enabling clients to know the public IP address of the NAT. With STUN, a client generates a STUN request to a STUN server on the public Internet. This request causes the NAT to allocate a binding to the client. The STUN server sends a response to the client and, within its body, returns the source IP address and port of the request as seen by the STUN server.  STUN is simple and lightweight, and allows extensions such as adding new types of request to the server. This works in establishing peer-to-peer (P2P) media delivery through many NATs.  However there are some NATs, where STUN is not enough, and a relay server is needed to deliver media data between peers.

To allow media delivery through a relay server, IETF devised TURN as an extension of STUN.  In TURN, a client sends a request to a TURN server prior to making a call. The TURN server returns to the client an IP address and port that it can use as the destination for media.

ICE is a framework that defines how to use the STUN and TURN protocols to solve the NAT traversal problem, by choosing the best possible interconnection method between two users. Since ICE incorporates STUN and TURN methods, sometimes ICE is also used to refer to the complete STUN, TURN, and ICE solution.

Although ICE is still an Internet draft, and not yet standardized, it has already received widespread support and adoption. Leading vendors including Microsoft, Cisco, Nortel, Lucent Alcatel, Huawei, Avaya, Juniper, Tandberg, Tekelec, Nokia, and Sony Ericsson have adopted ICE for NAT traversal. CableLabs, the technology consortium of cable system operators who are also the largest VoIP operators in USA, has also incorporated ICE support into the CableLabs IMS specification for next-generation communications architecture.

15. Which standards and drafts do you support?

Eyeball AnyFirewall solutions support STUN, TURN and ICE standards/drafts.  It also supports Universal Plug-and-play (UPnP) Internet Gateway standard and traversal of HTTP web-proxies.  Eyeball supports latest IETF standards and drafts on STUN, TURN and ICE, and is committed to provide timely support for future draft updates until they become standards.

16. How do you differentiate your products from IETF STUN, TURN and ICE?

Eyeball provides complete STUN, TURN and ICE solutions comprising two products: (a) AnyFirewall Engine – a client-side software library and (b) AnyFirewall Server - a carrier-grade STUN and TURN server.

It should be noted that IETF describes the protocols and details for STUN, TURN and ICE.  However there are still a lot of details left for software developers implementing them.  Eyeball provides the most comprehensive implementation of STUN, TURN and ICE in AnyFirewall Engine. 

Here are some of the key features of Eyeball AnyFirewall Engine that is above and beyond the IETF standards:

• More than 95% P2P call completion in UDP-enabled networks using advanced AnyFirewall technology (which leads to high scalability)
• Traversal for voice, video, instant-messages and file-transfer
• Automatic selection of transport modes (UDP or TCP), and transparent translation of UDP to TCP when using TCP relaying
• Multiparty calls with hybrid UDP, TCP and HTTP streams.
• Supports symmetric RTP and smart keep-alives for signaling and media connections
• Load-balancing using DNS SRV
• Traversal of UPnP gateways and web-proxies
• Wire-tapping specific users for law enforcement purposes
• More than 5 years of experience with millions of end-points through many service provider customers around the world

17. Do you support HTTP tunneling?

Yes, AFE supports HTTP tunneling for networks that does not allow any traffic other than web traffic.  AFE has been tested with popular web-proxy servers such as Microsoft ISA, Squid and Webproxy.  It also supports basic/NTLM authentication if required.

E.   Eyeball AnyFirewall Engine Technical Details

18. What platforms and operating systems does AFE support?

Eyeball AnyFirewall Engine has been ported for many platforms including Windows XP, Vista, Linux, Mac OS X, Windows Mobile and iPhone.  AFE has been designed with multi-platform support in mind with a platform abstraction layer (PAL) to separately handle platform specific issues.  This enables rapid porting of AFE to new PC and embedded platforms.

19. Which programming languages do you support?

AFE may be used in any system programming language such as C, C++, Pascal/Delphi, C# and Objective C.  Eyeball uses C/C++ as their platform for AnyFirewall Engine software development.

20. What NAT and firewall devices or solutions do AnyFirewall solutions traverse?

Eyeball AnyFirewall solutions guarantee traversal of IP communications through all NATs, firewalls and web-proxies. Our solutions have been field-tested with numerous NATs and firewalls around the world through more than 19 million end-points and more than hundred service providers.

A sample list of NATs/firewalls and web-proxies that Eyeball AnyFirewall solution is tested:

21. What kind of sample programs does AFE come with?

AFE comes with two sample programs. The VoipPhone project comes with full source and executables and SimpleVoipPhone project with only source. VoipPhone shows how to use the Engine for VoIP applications using “reSIProcate” SIP stack and RTP library. SimpleVoipPhone uses a simpler SIP stack and provieds easier understanding of AFE. In Windows platform, these are MFC applications developed using Microsoft Visual Studio 2005 or 2008.

22. How big is the AFE library?

The standard footprint of AnyFirewall for PC including optional UPnP and web-tunneling features is about 350kB.  Smaller footprints are available for embedded devices and other environments where available memory is limited.

23. Do you support nested NATs and multi-level NATs?

Yes, Eyeball AnyFirewall solution supports nested NATs and multi-level NATs.

24. Does AFE traverse symmetric NATs?

Yes, AFE traverses symmetric NAT traversal. Moreover, thanks to its advanced technology, it completes most calls using P2P media delivery even for symmetric NATs.  Of course, if P2P call completion is not possible for certain combination of NATs, calls are completed using TURN server.

25. I only want to use STUN, TURN and ICE, but do not want to use HTTP tunneling and UPnP traversal.  How can I do this?

The simplest way to disable HTTP tunneling and UPnP traversal is to use AFE in “Standard” mode instead of the default “Auto” mode.  Another way to do this is to use AFE in ``Manual`` mode, and then disable HTTP tunneling and UPnP traversal using SetChannelOption().

26. Can I use AFE for XMPP, JINGLE and/or RTSP?

Yes, you can.  AFE is designed in a way so that it can work independent of any particular application level protocol. Therefore, AFE can be used for XMPP, JINGLE, and/or RTSP.

27. What is peer-to-peer media delivery and why should I care?

In a peer-to-peer media delivery, the endpoints exchange media data directly without using any centralized resource. As each peer shares its processing capabilities and bandwidth with the other peers, peer-to-peer networks are highly scalable and robust in case of failures.  It also provides better quality of service in terms of lower delay, jitter and loss rate as compared to relayed media delivery.

28. What is your peer-to-peer call completion rate?

Peer-to-peer call completion rate depends on a few factors such as whether the NAT/firewall allows UDP, port mapping type of NAT and whether the client is behind strict firewall only allowing web-traffic.  AFE provides peer-to-peer call completion rate is more than 95% between end-points behind UDP-enabled NATs and firewalls.  For UDP-enabled NATs, AFE establishes P2P calls even through most symmetric NATs.  For cases when P2P media delivery is not possible, AFE establishes the calls through the relay server.

29. Is AFE library thread-safe?

Yes, AFE is thread-safe. There are no restrictions with respect to the number of threads that access the API.

30. Can multiple SIP user-agents in the same computer share the same library?

Yes, multiple SIP user-agents in the same computer can share the same library.

31. What is AFE channel and how is it is related to socket programming?

Eyeball AnyFirewall Engine uses the concept of channels to simplify application programming. Each channel is accessed via a set of functions similar to the socket API. Like sockets, each channel represents an endpoint for sending and receiving data. However, channels hide the underlying complexity required for the NAT/firewall traversal process, such as the STUN, TURN, and ICE functionality.  To make adding the functionality of AFE to an existing application easy, calls to the socket API are replaced with similar AFE API calls. For example, to send and receive data using AFE, an application calls the Send() or Recv() on a channel, instead of using the send() and recv() functions of the socket.  Furthermore, AFE provides the Select() function for channels, which models the behavior of the socket API function, select().

32. What is the difference between AF_CHANNEL_RTP and AF_CHANNEL_UDP?

They are very similar. For AF_CHANNEL_RTP, the timeout is ignored in the Send and Recv calls, forcing them to be non-blocking. Packets will be sent using peer-to-peer UDP, UDP-UDP relay, or make a TCP connection to the relay server and allocate a UDP port, so that UDP traffic is sent to the remote user agent. For RTP Channels, we send Binding Indication messages for keeping NAT bindings alive, while for UDP channels we send STUN packet with invalid attribute.

33. How can AFE be used to implement SIP outbound?

Eyeball AnyFirewall Engine can be used to implement sip-outbound draft.  For each SIP flow, one needs to use one SIP channel.

34. Can you also relay signaling messages (such as SIP messages)?

Yes, we can.  By default we try to establish a connection with the SIP server directly whenever possible. However, there are certain cases where direct connection is not possible to establish (e.g., if the client is behind a NAT with UDP blocked). In those cases we use TURN server to establish the connection and relay SIP messages. TURN server is also used to relay SIP messages for clients behind web-proxies.

35. How do you test your NAT traversal solutions and what kind of interoperability tests have you done?

Eyeball has developed extensive test tools, scripts and test-bed to test AnyFirewall features under different test scenarios.  Our test-bed contains many kinds of NATs, firewalls and web-proxies, and we have developed automated test tools to test the features.  Eyeball software has also been field-tested with millions of end-points through many service providers around the world.

Eyeball also participates and encourages multivendor interoperability tests.  We supplied the reference STUN-TURN server for 22nd SIP interoperability test event arranged by SIP forum. Eyeball AnyFirewall Engine also participated in the event as one of the most comprehensive implementation of latest IETF drafts on STUN, TURN and ICE for seamless traversal VoIP calls through NATs, firewalls and web-proxies.

Eyeball AnyFirewall Server and Engine have also been serving as a reference implementations at CableLabs PacketCable Application Lab -- the premiere lab for cable-operators in the USA who represent the dominant VoIP operators in the world.  This lab facilitates interoperability and performance testing for applications and servers from many vendors such as Cisco, Ericsson, Nokia, Nortel and Siemens.

36. Which SIP stacks do you support?

AFE is designed to work with any SIP stacks (or other application stacks such as XMPP/JINGLE or RTSP for that matter).  Eyeball has developed applications integrating AFE with multiple open-sources SIP stacks such as oSIP and RESIPROCATE.

37. Do you provide source code?

Yes, we provide the source code of a sample program which illustrates how to implement a VoIP application integrating AFE with a SIP stack and voice engine.  Source-code for AnyFirewall Engine (or Server) is also available for licensing.

F.   NAT Traversal Problem and Applications

38. What is the purpose of AFE Demo?

AFE demo is a simple NAT and firewall traversal demonstration using Internet Explorer that demonstrates traversal of SIP, XMPP and media data through NATs, firewalls, UPnP gateways and web-proxies. It allows anyone using IE to login to our demo service and call one of the online demo users, a phone number or any other user online with the demo service. Since any two users may call each other using any combination of NATs or firewalls, this demonstration is very general.

39. What does the AFE demonstrations shows?

AnyFirewall Engine Demo shows the following:

• SIP and XMPP login independent of NATs, firewalls and web-proxies.
• Show whether you connected directly or via the relay server.
• Make calls to 3 end-points at Eyeball NAT traversal lab.
1. End-point using public IP.
2. End-point behind a common LinkSys NAT/router.
3. End-point behind Microsoft ISA HTTP-proxy where all traffic other than HTTP is blocked.
• Make calls to any SIP end-point or voice gateway. If your friend is connected to the same demo or other publicly accessible SIP servers, you can call him/her.

The following figure shows the demo setup at Eyeball.