How does Auvik’s Remote Support for servers and workstations work?

Note: The following article describes the connectivity for Auvik’s Remote Support capabilities, used on Windows workstations and servers and macOS workstations. For information on how the Remote Terminal, Remote Tunnel, or Remote Browser connect to a target device, please see this article.

Auvik’s Remote Support feature uses the industry standard WebRTC (Web Real-Time Communication) to connect an endpoint machine to a technician's browser.

All media streams sent over WebRTC are securely encrypted. The encryption protocol used depends on the channel type; data streams are encrypted using Datagram Transport Layer Security (DTLS) and media streams are encrypted using Secure Real-time Transport Protocol (SRTP).

To create this connection, we use a combination of HTTPS and secure web-socket (WSS) requests.

WebRTC leverages a number of downstream systems to function properly. These include ICE, STUN, and TURN; all are necessary to establish and maintain a peer-to-peer connection over UDP. Auvik’s remote support capabilities leverage Twilio within our product as our ICE, STUN, and TURN provider.

  • ICE (Interactive Connectivity Establishment) is a standard that describes how to coordinate STUN and TURN to make a connection between hosts.
  • STUN (Session Traversal Utilities for NAT): Helps the client discover its public IP address and port when it's behind a NAT (like in most home or office networks).
  • TURN (Traversal Using Relays around NAT): Relays media through a third-party server if a direct peer-to-peer connection can’t be established — which is crucial in scenarios with strict firewalls or symmetric NATs.

Remote Support Connection Flow

Phase 1: Technician’s web browser starts the signaling process

The first phase of establishing a WebRTC connection is signaling.

The first step in this process is for the technician’s browser to start an HTTPS connection with the Auvik WebRTC Signaling Server. This server is within the Auvik infrastructure. That connection gets upgraded to a secure websocket (WSS).

The Auvik Signaling Server communicates with Twilio APIs to do a STUN lookup to determine how the machines will connect.

After this process has been started, the Auvik web browser then sends a message over HTTPS to the Auvik cloud to request starting a remote connection to the machine.

Phase 2: Remote device connects to the signaling service

The second phase of connectivity is a similar process from the end device running the Auvik services that the technician will connect to. The Auvik cloud will send a request to the end device over a secure web socket. 

That request is processed by the Auvik services running on the end device, which then connect to the Auvik WebRTC Signaling Service over HTTPS; that connection then gets upgraded to a secure web socket.

Similar to the process between the technician’s browser and the Auvik cloud in Phase 1, the Auvik WebRTC Signaling Service uses Twilio to determine how the remote device can connect to the technician’s machine. 

Phase 3: Technician and remote device connected over a WebRTC Tunnel

After each device establishes a connection with the Auvik WebRTC Signaling Service, the devices are able to negotiate which ICE connection to use. This is handled behind the scenes and invisible to the remote user and the technician. 

If devices are able to contact each other directly, they will then do so. If devices are not able to connect to each other directly due to symmetric NAT or other issues, the WebRTC process negotiates use of a relay server, referred to as the TURN media relay, so that the two devices will relay their session through the geographically nearest relay point.

We now have an encrypted WebRTC connection between the endpoint and the technician’s browser for the remote session to begin!
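To check which of the two Phase 3 paths a session took, the ICE candidates each side gathered can be inspected. The following is an added example, not Auvik's code: it parses candidate lines in the RFC 8839 format and reports whether a candidate pair is direct or TURN-relayed. The function names and the sample candidate lines are constructed for illustration.

```javascript
// Added example: candidate lines below are constructed samples that use
// documentation address ranges, not values from a real session.
const SAMPLE_FULL = [
  "a=candidate:1 1 udp 2122260223 192.0.2.10 54321 typ host",
  "a=candidate:2 1 udp 1686052607 203.0.113.7 61002 typ srflx raddr 192.0.2.10 rport 54321",
  "a=candidate:3 1 udp 41885439 198.51.100.20 20044 typ relay raddr 203.0.113.7 rport 61002",
];
const SAMPLE_HOST_ONLY = ["a=candidate:1 1 udp 2122260223 192.0.2.10 54321 typ host"];

// Parse one ICE candidate attribute; returns null for anything else.
function parseCandidate(line) {
  const text = line.trim().replace(/^a=/, "");
  const m = /^candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(.*)$/.exec(text);
  if (!m) return null;
  const cand = {
    foundation: m[1],
    component: Number(m[2]),
    transport: m[3].toLowerCase(),
    priority: Number(m[4]),
    address: m[5],
    port: Number(m[6]),
    type: m[7].toLowerCase(), // host | srflx | prflx | relay
    ext: {},
  };
  // Remaining tokens are "name value" pairs such as raddr and rport.
  const tokens = m[8].trim().split(/\s+/).filter(Boolean);
  for (let i = 0; i + 1 < tokens.length; i += 2) cand.ext[tokens[i]] = tokens[i + 1];
  return cand;
}

// A pair is relayed when either side's candidate was allocated on a TURN
// server; every other combination is a direct peer-to-peer path.
function classifyPair(local, remote) {
  if (!local || !remote) throw new Error("unparseable candidate");
  return local.type === "relay" || remote.type === "relay" ? "relayed" : "direct";
}

// Summarise what one side gathered. Behind NAT, a missing srflx candidate
// suggests the STUN request went unanswered, and a missing relay candidate
// suggests no TURN allocation succeeded, so only a direct path is possible.
function gatherReport(lines) {
  const types = new Set(lines.map(parseCandidate).filter(Boolean).map((c) => c.type));
  return {
    sawServerReflexive: types.has("srflx"),
    sawRelay: types.has("relay"),
    types: [...types].sort(),
  };
}
```

In a browser, the same candidate strings are available from the `icecandidate` event of `RTCPeerConnection`, so the parser can be fed live data when troubleshooting a session that fails to connect.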

Networking considerations

In order to establish a remote session, both the technician’s machine and the endpoint machine will need to be able to reach your Auvik tenant at <domainprefix>.<cluster>.my.auvik.com.

Additionally, the machines must allow outbound connections to http://twilio.com on the following ports:

| Protocol | Port Range |
|---|---|
| STUN and UDP/TLS/RTP/SAVPF | 10000 - 60000 |
| STUN, TURN-UDP | 3478 |
| TURN-TLS | 443 |