Note: This article is for the updated High Performance Relay (v2.0), released in October 2024. For the article on the legacy relay server (v1.0) prerequisites, please reference the documentation here.
The Parsec Relay Server is an on-premises high-performance relay (HPR) server that is part of the Parsec for Teams Enterprise license. It's a solution for when you need more control over your network infrastructure and want to ensure the success of P2P connections.
This lightweight server program relays many concurrent Parsec sessions through a single IP address / port configuration. It can be used to assist with NAT traversal as either an on-premises relay for large LAN deployments of Parsec, or as a general-purpose WAN relay server.
If you'd prefer to avoid the Parsec Relay Server, look into Parsec's networking requirements.
Advantages
Reliability
The HPR server is a lightweight server program that efficiently relays many simultaneous Parsec connections through a single IP address/port configuration, providing availability within strict firewall/NAT environments. Leveraging HPR to overcome dependence on UPnP for the Parsec app NAT traversal is crucial to ensure the success of connections in corporate environments.
Visibility
The HPR now sends heartbeat and connection data to the Parsec API. This enhances visibility into your Parsec infrastructure and provides insights into infrastructure health, connection information, and connection count. Improved logging capabilities help simplify ongoing maintenance and support operations.
Simplification and security
By relaying packets between clients and hosts, the HPR server removes reliance on UPnP or complex firewall rules that would otherwise be required for P2P connections to be successful. The HPR server is hosted by the customer, always remaining under their control in the location of their choice, whether that be on a physical machine in the office or running as a VM in a public cloud.
Architecture
Customer managed infrastructure
The HPR service runs on a Linux server that can be bare-metal, a virtual machine (VM), or a cloud instance. In general, we recommend running 2 HPR servers per site for high availability. The HPR servers should be located on your corporate network and should be as close as possible to the hosts and clients using it for connections. With respect to leading security practices, we recommend placing the HPR in a Demilitarized Zone (DMZ). Please refer to the technical reference for full guidance on where to place the relay.
Prerequisites
Server machine specs
Component | Minimum spec |
CPU | 2 cores |
RAM | 4 GB |
NIC | 1 Gbps |
Server & OS recommendations
Distro | Version |
Rocky Linux | 9.3 |
Ubuntu | 24.04 LTS |
We have tested the Linux distributions listed above and know they work. The Parsec HPR service setup on Linux requires systemd v250 or greater, which allows the use of systemd-creds for secure key storage. Please ensure your intended distribution supports this. All distributions tested by Parsec have a supported version of systemd by default. Where available, we recommend using TPM 2.0 enabled machines for encryption and decryption of the private key.
You are responsible for ensuring that any additional security hardening on the host machine is appropriate to your organization's desired security posture and for any ongoing maintenance required. We provide some general recommendations here. However, full instructions on installing and hardening Linux are outside the scope of this article.
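A preflight check for the server prerequisites above, as an added example that is not part of Parsec's documentation or tooling: it tests the systemd v250 minimum, the presence of systemd-creds, the minimum CPU and RAM spec, and whether the kernel exposes a TPM 2.0 device. The function names, the `--run` switch and the 3.5 GiB RAM threshold (slack for kernel-reserved memory on a 4 GB machine) are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: preflight check for the HPR prerequisites on this page.
# Function names, the --run switch and the RAM slack are this example's assumptions.

MIN_SYSTEMD=250        # page: systemd v250 or greater (needed for systemd-creds)
MIN_CORES=2            # page: minimum 2 cores
MIN_RAM_KB=3670016     # assumption: 3.5 GiB, since a 4 GB machine reports less in MemTotal

# Major version from the first line of `systemctl --version`,
# e.g. "systemd 252 (252-18.el9)" -> 252. Prints nothing if unparsable.
systemd_major() {
    printf '%s\n' "$1" | awk 'NR == 1 && $1 == "systemd" && $2 ~ /^[0-9]/ {
        sub(/[^0-9].*$/, "", $2); print $2 }'
}

# Succeeds when the given `systemctl --version` output meets the minimum.
systemd_ok() {
    local v
    v=$(systemd_major "$1")
    [ -n "$v" ] && [ "$v" -ge "$MIN_SYSTEMD" ]
}

# Succeeds when MemTotal in the given /proc/meminfo text meets the minimum.
ram_ok() {
    local kb
    kb=$(printf '%s\n' "$1" | awk '$1 == "MemTotal:" { print $2 }')
    [ -n "$kb" ] && [ "$kb" -ge "$MIN_RAM_KB" ]
}

# Succeeds when the kernel reports a TPM whose major version is 2.
tpm2_present() {
    [ "$(cat "${1:-/sys/class/tpm/tpm0/tpm_version_major}" 2>/dev/null)" = "2" ]
}

preflight() {
    local rc=0
    systemd_ok "$(systemctl --version 2>/dev/null)" || { echo "FAIL: systemd < $MIN_SYSTEMD"; rc=1; }
    command -v systemd-creds >/dev/null 2>&1 || { echo "FAIL: systemd-creds not found"; rc=1; }
    [ "$(nproc 2>/dev/null || echo 0)" -ge "$MIN_CORES" ] || { echo "FAIL: fewer than $MIN_CORES cores"; rc=1; }
    ram_ok "$(cat /proc/meminfo 2>/dev/null)" || { echo "FAIL: less than 4 GB RAM"; rc=1; }
    tpm2_present || echo "WARN: no TPM 2.0 device (recommended, not required)"
    [ "$rc" -eq 0 ] && echo "OK: minimum prerequisites met"
    return "$rc"
}

# Run the checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run the script with `--run` on the intended relay host; a non-zero exit status means at least one required prerequisite is missing, while the TPM line is only a warning.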
Network and firewalls
- Allocate public IP for HPR server(s)
  - A single public IP can be used for multiple HPRs, listening on different ports
- Assign local IP address to HPR server(s)
  - We recommend configuring a static IP address
- NAT public IP and public listener port -> private IP and public listener port
Source IP | Source port | Destination IP | Destination port | Protocol |
Relay private IP | * | kessel-api.parsec.app | 443 | TCP/HTTPS |
Parsec host machine | Parsec host start port (Default: Random) | Relay private IP | Relay private listener port (Default: 4900) | UDP/STUN |
Parsec client machine/Any | Client start port (Default: Random) | Relay public IP | Relay public listener port (Default: 5000) | UDP/BUD |
Relay private IP | Relay public listener port (Default: 5000) | Parsec host machine | Parsec host start port (Default: Random) | UDP/BUD |
Next steps
Before moving on to configuration, ensure you have appropriate access and make note of the following as you will need these things later:
- HPR local IP address
- The public IP address assigned to your HPR
- The port used for relay communication (Relay public listener port - default 5000)
- The port used for STUN (Relay private listener port - default 4900)
- Console or remote (SSH) access to the server
- Access to the Parsec admin dashboard, with permission to add and modify relays
- Your Team ID, located in the admin dashboard
- Your Firewall configuration should be completed per the HPR network requirements in the table above