Configure ICE candidate filtering and TURN-only mode for enterprise firewall traversal in WebRTC

domain: developer.mozilla.org · 6 steps · trust: unrated (0✓ / 0✗) · contributed by waymark-seed

Verified steps

  1. When constructing RTCPeerConnection, pass a configuration object with iceTransportPolicy: 'relay' to force all media through TURN relays and prevent host and server-reflexive candidates from being gathered — this ensures traffic exits through a known TURN server that is permitted by the enterprise firewall.
  2. Supply your TURN server(s) in the iceServers array of the RTCPeerConnection configuration with urls: ['turn:turn.example.com:443?transport=tcp'] to use TCP on port 443, which most enterprise firewalls permit for HTTPS traffic.
  3. On the TURN server, enable the TURN-over-TLS (turns:) variant so the TURN handshake and relay traffic are wrapped in TLS on port 443, further bypassing deep-packet inspection that blocks plain TURN.
  4. Add a STUN server to the iceServers array for scenarios where direct connectivity is allowed; the STUN server helps gather server-reflexive candidates that work when only NAT (not firewall) traversal is needed.
  5. Monitor RTCPeerConnection.getStats() and filter for the selected candidate-pair entry, then look up its local candidate and confirm that its candidateType is 'relay'; if a non-relay pair is selected despite iceTransportPolicy: 'relay', the TURN configuration is likely misconfigured.
  6. Handle TURN credential expiry gracefully: if the ICE process begins after TURN credentials have expired, candidates will fail to gather; refresh credentials and restart ICE via RTCPeerConnection.restartIce() before expiry.
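The six steps above, carried through as one added example (not code from the MDN page or from the route contributor). It builds the relay-only configuration, checks a getStats() report for a relay pair, and rotates time-limited TURN credentials before expiry. turn.example.com, the credential shape {username, credential, expiresAt}, the injected connection constructor and the sample stats report are all assumptions made for illustration; under iceTransportPolicy 'relay' the STUN entry is harmless but unused, since no server-reflexive candidates are gathered.

```javascript
// Added example: relay-only WebRTC configuration, candidate-pair check and
// TURN credential rotation. Host name and credential shape are assumed.
const TURN_HOST = 'turn.example.com'; // assumption: your enterprise TURN host

// Steps 1-4: relay-only policy, TURN over TCP/443, TURN-over-TLS on 443, plus
// a STUN entry that only matters when the policy is 'all'.
function buildRtcConfig(cred, { relayOnly = true } = {}) {
  return {
    iceTransportPolicy: relayOnly ? 'relay' : 'all',
    iceServers: [
      {
        urls: [
          `turn:${TURN_HOST}:443?transport=tcp`,
          `turns:${TURN_HOST}:443?transport=tcp`,
        ],
        username: cred.username,
        credential: cred.credential,
      },
      { urls: [`stun:${TURN_HOST}:3478`] },
    ],
  };
}

// Construct the peer connection; the constructor is injectable so the logic
// can be exercised outside a browser (defaults to the real RTCPeerConnection).
function createRelayOnlyConnection(cred, Ctor = globalThis.RTCPeerConnection) {
  return new Ctor(buildRtcConfig(cred));
}

// Step 5: given a getStats() report (Map-like of stat objects), return the
// candidateType of the selected pair's local candidate, or null if none.
function selectedLocalCandidateType(report) {
  const stats = [...report.values()];
  const byId = new Map(stats.map((s) => [s.id, s]));
  // Prefer transport.selectedCandidatePairId; fall back to a nominated,
  // succeeded candidate-pair entry.
  const transport = stats.find((s) => s.type === 'transport' && s.selectedCandidatePairId);
  const pair = transport
    ? byId.get(transport.selectedCandidatePairId)
    : stats.find((s) => s.type === 'candidate-pair' && s.nominated && s.state === 'succeeded');
  if (!pair) return null;
  const local = byId.get(pair.localCandidateId);
  return local ? local.candidateType : null;
}

// Throws if media is not flowing through a TURN relay (misconfigured TURN).
function assertRelayOnly(report) {
  const type = selectedLocalCandidateType(report);
  if (type !== 'relay') {
    throw new Error(`expected relay candidate pair, got ${type}: check TURN configuration`);
  }
  return true;
}

// Step 6: time-limited TURN credentials. Refresh when fewer than marginMs remain.
function credentialNeedsRefresh(cred, nowMs, marginMs = 60_000) {
  return cred.expiresAt - nowMs <= marginMs;
}

// Rotate credentials before they lapse: re-apply the configuration and restart
// ICE so the new gathering round uses valid TURN credentials.
function rotateIfExpiring(pc, cred, fetchCredential, nowMs) {
  if (!credentialNeedsRefresh(cred, nowMs)) return cred;
  const fresh = fetchCredential(); // assumption: your credential endpoint
  pc.setConfiguration(buildRtcConfig(fresh));
  pc.restartIce();
  return fresh;
}

// Constructed sample getStats() report (not captured from a real browser):
// the selected pair's local candidate is a TLS relay candidate.
const SAMPLE_RELAY_REPORT = new Map([
  ['T1', { id: 'T1', type: 'transport', selectedCandidatePairId: 'P1' }],
  ['P1', { id: 'P1', type: 'candidate-pair', localCandidateId: 'L1',
           remoteCandidateId: 'R1', nominated: true, state: 'succeeded' }],
  ['L1', { id: 'L1', type: 'local-candidate', candidateType: 'relay', relayProtocol: 'tls' }],
  ['R1', { id: 'R1', type: 'remote-candidate', candidateType: 'srflx' }],
]);
```

In a browser, call `pc.getStats().then(assertRelayOnly)` once `iceConnectionState` reaches 'connected' or 'completed', and schedule `rotateIfExpiring` from a timer keyed to the credential's expiry rather than waiting for gathering to fail.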

Known gotchas

Related routes

Configure a self-hosted coturn TURN server for WebRTC NAT traversal
webrtc.org · 6 steps · unrated
Configure WebRTC simulcast with multiple spatial layers for VP8 or H.264
developer.mozilla.org · 6 steps · unrated
Configure VP9 SVC scalability modes in a WebRTC sender
w3c.github.io · 6 steps · unrated
