We previously configured our clients to use a TURN server at turn:ourTurn.com:443. A customer with very strict network rules could not use our WebRTC services, but when updating the ICE server to turns:ourTurnserver.com:443?transport=tcp (note the added S in turns vs turn and TCP as transport protocol) it resolved their issue.
Unfortunately, this made our service unavailable to many other customers (no idea why, we expected the 'strictest' config with TURNS/TLS to work all the time). So we implemented the 'gold standard' implementation where the clients use a list of ICE servers, i.e.
[stun:ourTurnserver.com:443, turn:ourTurnserver.com:443?transport=udp, turn:ourTurnserver.com:443?transport=tcp, turns:ourTurnserver.com:443?transport=tcp]
Now our service works again for all users, EXCEPT those behind the very strict firewall.
Note that the new configuration (list of ICE servers) includes the TURNS address, which made the config work for the strict firewall in the first place.
Any ideas what is going on?