Hi,
Having had numerous problems getting file transfer proxying to work, I thought I’d share some tips and tricks I’ve learned along the way.
1) Multi-homed / Multiple IP addresses
If your openfire server has multiple IP addresses for running different services, I’d strongly recommend you do this:
- Stop openfire
- cd /opt/openfire-x.y.z/conf/
- vi openfire.xml
- Uncomment the section, and put the openfire server’s IP in there
- e.g. 192.168.10.66
- start openfire back up, and check http://192.168.10.66:9090/ for the admin console.
I had some strange problems which turned out to be down to the server having multiple IPs. The firewall was NATing an external IP, port 7777 through to 10.66, but the replies appeared to be coming from a different IP, so the firewall was NATing them out to a DIFFERENT external IP!
2) NAT / Port Translation and routing
Let’s say your external IP is 12.34.56.78
Let’s say your internal IP is 192.168.10.66
Either add a static NAT, or add “port forwarding” rules to allow traffic hitting 12.34.56.78 on ports 5222 (XMPP), 5223 (XMPPS), 5269 (optional: server2server), and importantly, 7777 (FileTransfer).
Now, click on Server > Server Manager > System Properties in the Openfire admin console, or assuming your IP is as above, click here: http://192.168.10.66:9090/server-properties.jsp.
Under the “Add new property” section at the bottom of the page, add one with Property Name: xmpp.proxy.externalip and Property Value: 12.34.56.78
If you have setup DNS entries correctly, you can put the hostname instead, but the IP removes one level of complication during testing!
3) DNS Entries
Let’s say your openfire server is running on example.com. I’m going to call the server “xmpp.example.com”, but openfire is configured with server name “example.com”
Firstly, add an A record pointing xmpp.example.com to the external IP 12.34.56.78. In BIND9 format this would be:
xmpp.example.com IN A 12.34.56.78
Now add XMPP SRV Records as follows:
I have put these in BIND9 format as it’s the easiest way to express them.
_xmpp-server._tcp 3600 IN SRV 10 0 5269 xmpp.example.com.
_xmpp-server._udp 3600 IN SRV 10 0 5269 xmpp.example.com.
_xmpp-client._tcp 3600 IN SRV 10 0 5222 xmpp.example.com.
_xmpp-client._udp 3600 IN SRV 10 0 5222 xmpp.example.com.
_jabber._tcp 3600 IN SRV 10 0 5269 xmpp.example.com.
_jabber._udp 3600 IN SRV 10 0 5269 xmpp.example.com.
_jabber-client._tcp 3600 IN SRV 10 0 5222 xmpp.example.com.
_jabber-client._udp 3600 IN SRV 10 0 5222 xmpp.example.com.
Some posts have recommended adding proxy.xmpp.example.com pointing to the server too. I personally didn’t do this, and have succeeded in getting everything working, including file transfer proxies, without it. If someone wants to post an update or advice here feel free.
4) Outbound firewall rules!?
By default most home / ADSL firewall routers allow all outbound traffic. Some corporate LANs are a bit more restrictive. If someone can’t connect to your openfire server, or file transfers are failing, ensure that they have “outbound access to the external IP (12.34.56.78) on TCP ports 5222, 5223 and 7777”.
That pretty much covers all the gotchas we experienced settings things up. We were hosting an openfire server on one LAN, with users connecting in from 2 other external sources, all behind at least one firewall and router. It took a little time to get everything working perfectly, including the file transfer proxy, but if you follow the instructions above, hopefully it will ease the setup process for you.
Hope this helps.
Mark