Best way connecting 2 companies?

Hi everyone,

We're running WF3.0.1 on Windows using Active Directory LDAP integration. We set up shared groups on the server to pre-populate everyone's rosters. We use Spark for the client. We have an AD group called IM and any member of this group is allowed to log in to WF.

We now have a requirement to communicate with a separate office that is not part of our AD domain or local network.

What I'd like to be able to achieve is to have my local staff able to communicate with the remote staff using Wildfire. I'd also like to be able to manage the groups centrally on the server so that my local staff see all the remote users and vice versa.

So having said that, what's the best way of achieving this?

  1. Can I create non AD logons to my current WF server and get them to log in remotely? or

  2. Should I create a separate WF server for them at their office and get the 2 WF servers to talk to each other? If I do that can I share groups between them?

What's the best way forward?

thanks

Steve

stevekdavis wrote:

We now have a requirement to communicate with a separate office that is not part of our AD domain or local network.

What I'd like to be able to achieve is to have my local staff able to communicate with the remote staff using Wildfire. I'd also like to be able to manage the groups centrally on the server so that my local staff see all the remote users and vice versa.

So having said that, what's the best way of achieving this?

  1. Can I create non AD logons to my current WF server and get them to log in remotely? or
  2. Should I create a separate WF server for them at their office and get the 2 WF servers to talk to each other? If I do that can I share groups between them?

I'd say that having a separate WF server would be the best way, using s2s for communication (using the whitelist if s2s is usually turned off). You can add foreign addresses to a group, so you can simply add the separate office into the group of the main WF server.

@Steve,

I'm not sure what's best for you, but the first option also seems viable to me via HybridAuthProvider.

Both look like good options. The secondary auth option looks interesting and may be an easy one for me to implement in the short term.

I think the other office is going to grow so they may need to have their own server at some point. I never knew you could add remote users to shared groups, I just thought they had to be local users.

Not sure if it's important but our server is here in the UK and the remote server is in Chicago so I'd like to reduce unnecessary traffic as well.

I've made a bit of progress.

I've installed a second copy of WF 3.0.1 on their server (Win2003, embedded DB). I've set up the DNS SRV records for them and us. These are all active.

jabber.tcp.domain1.co.uk 5 0 5269 imserver.domain1.co.uk

xmpp-client.tcp.domain1.co.uk 5 0 5222 imserver.domain1.co.uk

xmpp-server.tcp.domain1.co.uk 5 0 5269 imserver.domain1.co.uk

Ports 5222, 5223 and 5269 are open on each server and the opposite domain is added to the white list of each server for S2S comms.

On my existing server I've added a test group with a couple of the users from the remote server. This is added to my roster automatically with the users showing as offline.

On the remote server I've done the same, added a shared group with a few of our users listed.

As a test, I've installed Spark on the remote server and logged in as one of the remote users. As expected my shared group appears on their roster with all the users showing online as they should.

However I'm not receiving the fact that the remote user is online, the remote user still shows as offline on my roster. On the remote client, I can dbl click my ID and start a chat and sure enough that chat window pops up on my PC and we (me!) can chat happily. I can do this for them as well even though they are showing as offline.

If I change my status to away/busy etc it's reflected on the remote roster straight away. Do the opposite and nothing happens.

As a test, I've just installed v3.1 b3 on the remote server but this has made no difference. I can't really do that on my local server as this is live and I'm also wary of beta versions of most things.

I've done a little digging to see how well the 2 servers work apart from the lack of online notification and found that the conference and search doesn't work between servers. Is this to be expected? Or is there a way of getting at least the conference to work?

Local server uses conference.server1.com, remote server uses conference.server2.com, each server cannot see the other conference server. Does this need to be set up in DNS or extra SRV records?

On the remote server if I invite a local user to a conference on the remote server the local user never gets the invite.

So to summarise:

  1. the servers are talking to each other to a fashion. I get presence updates one way but not the other. How can I fix this?

  2. Can I search or conference across servers?

thanks again

Steve

Just a bit more info on this. While I'm testing, I have both servers set up within the same LAN. I have now set both client and server secure connections to be optional on both servers. We still have the self signed certs that are installed by default.

I have created an xmpp-server.tcp.conference.domain1.co.uk srv record for both domains but I still can't see the opposite conference service.

I still only get presence info sent from the US to the UK server. Both have been restarted.

I have turned on debug logging on both servers.

This is a snip from the UK server:

2006.10.04 09:04:21 Connect Socket[addr=/10.0.0.59,port=4861,localport=5222]

I can attach other log files if needed.

thanks

Steve

OK, I've made a small amount of progress. I've taken the shared groups off of both servers and manually added the user from the UK onto a US user's roster and presence is passed backwards and forwards from both servers as expected.

Does this give any clues? (apart from it's to do with shared groups)

You probably have some issues with subscriptions (it's not set to “both”). However, I don't know how to fix that other than sending it manually from the other server's clients.

You have two separate conferencing servers, but connecting to conference.server1.co.uk from server2.co.uk should work fine for collaborative chatting.

Hi Steven,

I think you should try to set up a shared group on one server at a time because this could make tracking down the presence error easier. In fact, a shared group can be set up independently, and so you don't have to set up similar shared groups in both servers. Also, creating a group does not automatically make it shareable. Remember to enable sharing.

As for services in a server like conference, search etc, I think (again) you will have to make them resolvable for remote servers in addition to the main xmpp.domain. That means all of xmpp.domain, conference.xmpp.domain, search.xmpp.domain etc have to be explicitly defined as resolvable. Also, because you set up the s2s with the white list, I think (again) all of the services should be included in the white list as well.
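An added example (not part of any post in this thread) of the check described above: every service subdomain must both resolve and appear in the peer's s2s whitelist. The `.example` domains, record set and whitelist are constructed sample data, and the whitelist is assumed to match on the exact domain name.

```python
# Constructed sample data: SRV records as "name priority weight port target",
# the address records that exist, and the peer's s2s whitelist (domain, port).
SRV_ZONE = """
_xmpp-server._tcp.server1.example 5 0 5269 imserver.server1.example
_xmpp-client._tcp.server1.example 5 0 5222 imserver.server1.example
"""
A_RECORDS = {"imserver.server1.example", "conference.server1.example"}
WHITELIST = {("server1.example", 5269)}
SERVICES = ["server1.example", "conference.server1.example",
            "search.server1.example"]


def parse_srv(zone):
    """Return {service domain: (target, port)} for _xmpp-server._tcp records."""
    prefix, out = "_xmpp-server._tcp.", {}
    for line in zone.strip().splitlines():
        name, _prio, _weight, port, target = line.split()
        if name.startswith(prefix):
            out[name[len(prefix):]] = (target, int(port))
    return out


def resolve(domain, srv, a_records):
    """SRV first; otherwise fall back to the domain's own address on port 5269."""
    if domain in srv:
        target, port = srv[domain]
        return (target, port) if target in a_records else None
    return (domain, 5269) if domain in a_records else None


def audit(services, zone, a_records, whitelist):
    """Classify each service domain as the remote server would experience it."""
    srv, report = parse_srv(zone), {}
    for domain in services:
        endpoint = resolve(domain, srv, a_records)
        if endpoint is None:
            report[domain] = "unresolvable"
        elif (domain, endpoint[1]) not in whitelist:  # assumed exact-domain match
            report[domain] = "resolves, not whitelisted"
        else:
            report[domain] = "ok"
    return report


if __name__ == "__main__":
    for domain, status in audit(SERVICES, SRV_ZONE, A_RECORDS, WHITELIST).items():
        print(f"{domain}: {status}")
```

With the sample data the parent domain passes, the conference subdomain resolves but is refused by the whitelist, and the search subdomain does not resolve at all.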

Well, that fixed the conferencing: adding conference.server1.co.uk to the white list of the other server worked. Strangely it won't let me add search.server1.co.uk to the white list as it complains that I need a valid port number. It will only let me add 2 servers using port 5269.

Back to shared groups and presence:

On my UK server I added a shared group with a few users from the US server. I then made this visible in the roster of a particular group in the UK.

That had the effect of asking the US user to allow all the UK users who viewed the shared group to allow them to add him to their list. I did that and bi-directional presence is working fully still. (this was the direction it wasn't working before)

I'll check it the other way and feedback my findings shortly.

Steve

stevekdavis wrote:

That had the effect of asking the US user to allow all the UK users who viewed the shared group to allow them to add him to their list. I did that and bi-directional presence is working fully still. (this was the direction it wasn't working before)

Yes, that's inherent in the XMPP specification. The server only controls its own presence subscriptions, it can't control the other server's. Setting the client to automatically accept presence subscriptions might be the easiest solution.
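An added example (not from any participant in this thread) that models the point above with the XMPP subscription states none/to/from/both: each server records only its own users' side, so presence stays one-way until the remote user approves. The JIDs are placeholders, and it is assumed that listing a remote user in a shared group results in a subscription request to that user.

```python
# Toy model of RFC 6121 subscription states; each server stores only its own users' rosters.
ADD_TO = {"none": "to", "from": "both", "to": "to", "both": "both"}
ADD_FROM = {"none": "from", "to": "both", "from": "from", "both": "both"}


class Federation:
    def __init__(self):
        self.rosters = {}     # domain -> {(owner, contact): subscription state}
        self.pending = set()  # (requester, target) requests awaiting approval

    def _roster(self, owner):
        return self.rosters.setdefault(owner.split("@", 1)[1], {})

    def state(self, owner, contact):
        return self._roster(owner).get((owner, contact), "none")

    def subscribe(self, requester, target):
        # <presence type='subscribe'/>: only a request, no state changes yet.
        if self.state(requester, target) not in ("to", "both"):
            self.pending.add((requester, target))

    def approve(self, target, requester):
        # <presence type='subscribed'/>: each server then updates its own side.
        if (requester, target) not in self.pending:
            return False
        self.pending.discard((requester, target))
        self._roster(target)[(target, requester)] = ADD_FROM[self.state(target, requester)]
        self._roster(requester)[(requester, target)] = ADD_TO[self.state(requester, target)]
        return True

    def sees_presence(self, watcher, contact):
        # Presence flows only when both servers agree the subscription exists.
        return (self.state(watcher, contact) in ("to", "both")
                and self.state(contact, watcher) in ("from", "both"))


def shared_group_rollout(us_side_accepts):
    """Constructed scenario: each office lists the other office's user in a shared group."""
    fed = Federation()
    uk, us = "steve@uk.example", "remote@us.example"  # placeholder JIDs
    fed.subscribe(uk, us)  # UK shared group -> request sent to the US user
    fed.subscribe(us, uk)  # US shared group -> request sent to the UK user
    fed.approve(uk, us)    # the UK user accepts
    if us_side_accepts:    # the US user (or an auto-accept policy) accepts too
        fed.approve(us, uk)
    return {"us_sees_uk": fed.sees_presence(us, uk),
            "uk_sees_us": fed.sees_presence(uk, us),
            "pending": sorted(fed.pending)}
```

Calling `shared_group_rollout(False)` leaves the UK roster showing the US user offline while the US side sees the UK user; `shared_group_rollout(True)` clears the pending request and presence flows both ways.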

That's the conclusion I've come to as well after a lot of shared group testing. Adding a group one side forces an auth request the other side. If you don't accept these properly then the groups get all screwed up.

It's a real game of chance trying to get them in sync.

How can I set WF or Spark to auto accept requests?

How can I set WF or Spark to auto accept requests?

On Spark, you'll have to develop an extension/plugin to auto accept subscriptions. On Wildfire, you can download the Subscription plugin from the admin console, details of which can be found in http://www.jivesoftware.org/wildfire/plugins/subscription/readme.html. Cool, ain't it? Though you might however be wary about spIM

aznidin wrote:

though you might however be wary about spIM

That shouldn't be an issue when there's a whitelist for s2s.