DMZ Server?

Hi Folks,

I have a fairly nice Openfire setup on our internal network. It's integrated with AD and we use groups for auto-roster population; at the moment it's working very well and I am happy with it.

I would like to expand the installation to allow users to connect from their iPhones and home PCs, but I don’t want to set up any VPNs or allow access direct to the internal network. I am hoping that there is some way I can install a second server in the DMZ that users from outside the network can connect to, and this then passes everything between the external client and the internal server. The server in the DMZ would do no authentication, no roster storage or database connections; it would simply act as a proxy between the external clients and the internal server.

Can I install a server in the DMZ that just passes through connections to the internal server for everything? Almost like an Openfire-proxy-only server?

Thanks!

Andy.

Hi Andy,

Did you take a look at the connection managers? They work like simple proxies, see http://www.igniterealtime.org/projects/openfire/connection_manager.jsp

LG

The connection manager looks like what I am looking for, but one thing confuses me about the configuration. I am pretty sure I understand the domain, hostname and port settings, but I don’t get the password option:

xxxxxx.xxx.xx

openfire

5262

Can someone explain what password this should be?

I have not tried it myself, but maybe it is the shared secret between the connection manager and the OF server, the one defined at Server -> Server Settings -> Connection Manager?

Excellent, I think this is exactly what I want.

I am just waiting for the firewall rules to be changed so I can test.

Thanks for the help, I will mark both replies as correct answer when I have it working.

This works; however, the console is showing Trillian on the iPhone as logged in without any encryption. Do I have to open any other ports or configure anything else to allow encrypted clients? I haven’t managed to test Trillian on an external desktop PC yet.

I think I have also found a bug in Openfire:

If the iPhone client IM+ connects, the Sessions list of users has a Java stack exception. The client works; it's just listing the sessions that doesn’t. Trillian connects and you can see the client listed, but IM+ causes the exception. You can repeat the issue very easy.

Thanks for the help so far.

OF-143 will likely not be fixed soon. So the locked lock will not be displayed even if the connection is encrypted.

“You can repeat the issue very easy.” - Looks like I finally found an iPhone sponsor (;

I tested with the full Spark client last night from a PC rather than an iPhone, and it connects with no issues and the admin console shows the connection is encrypted.

So, I think I stumbled on two bugs - the encryption icon not showing, and IM+ causing a Java stack exception when listing the connected sessions in the admin console.

Other than that it's all great!

Thanks for the help all.

Oh - what does ““You can repeat the issue very easy.” - Looks like I finally found an iPhone sponsor (;” mean?
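
Since the thread notes (OF-143) that the console's lock icon may not appear even for an encrypted session, one independent check is to read what the client-facing port advertises in its stream features: STARTTLS required, optional, or absent, as defined in RFC 6120. This is an added example, not part of the thread or of Openfire; the probe's host and domain arguments, the default port 5222 and the sample greetings are assumptions constructed for illustration.

```python
import socket
from xml.etree.ElementTree import XMLPullParser
from xml.sax.saxutils import quoteattr

NS_STREAM = "{http://etherx.jabber.org/streams}"
NS_TLS = "{urn:ietf:params:xml:ns:xmpp-tls}"

def starttls_policy(stream_bytes):
    """Classify a server's opening stream data: required/optional/absent/unknown."""
    parser = XMLPullParser(events=("end",))  # tolerates the never-closed <stream:stream>
    parser.feed(stream_bytes)
    for _event, elem in parser.read_events():
        if elem.tag == NS_STREAM + "features":
            tls = elem.find(NS_TLS + "starttls")
            if tls is None:
                return "absent"      # plaintext only on this port
            if tls.find(NS_TLS + "required") is not None:
                return "required"    # server will not continue without TLS
            return "optional"        # a client may stay unencrypted
    return "unknown"                 # no complete <stream:features> received

def probe(host, domain, port=5222, timeout=5.0):
    """Open a client stream to host:port (assumed values) and classify the reply."""
    header = ("<?xml version='1.0'?><stream:stream to=%s version='1.0' "
              "xmlns='jabber:client' "
              "xmlns:stream='http://etherx.jabber.org/streams'>" % quoteattr(domain))
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(header.encode("utf-8"))
        try:
            while b"</stream:features>" not in data and len(data) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass  # classify whatever arrived before the timeout
    return starttls_policy(data)

def _greeting(features):
    """Build a constructed server greeting (not captured from a real server)."""
    return ("<?xml version='1.0'?><stream:stream from='example.org' version='1.0' "
            "xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>"
            "<stream:features>%s</stream:features>" % features).encode()

SASL = "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism></mechanisms>"
TLS_OPTIONAL = "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>" + SASL
TLS_REQUIRED = "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>"

if __name__ == "__main__":
    for name, feats in (("optional", TLS_OPTIONAL), ("required", TLS_REQUIRED), ("none", SASL)):
        print(name, "->", starttls_policy(_greeting(feats)))
```

A result of "optional" means a client can still log in without encryption on that port, so the server-side security policy decides whether unencrypted sessions are possible.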