Explanation: Connecting to your internal server from the internet

One of the most popular questions on the forums and in the group chat is “How can I make my internal server available from the internet?”. This is a rather complex topic and I don’t have all the information and no real experience with this. But I have a few suggestions. Feel free to correct me in the comments if I made a mistake!

For a service to be reachable from the internet it has to have a proper domain name, the same as with your email provider: you go to gmail.com or outlook.com, not just to “gmail”. If your XMPP server (Openfire or other) is named just chatserver, it will be harder to make it reachable from the internet, though probably still possible. Having a proper domain name is also key to avoiding problems later with contact search, service discovery and server-to-server connections (if you plan to use them).

So, if your company owns the domain domain.com (your website is at www.domain.com and email addresses look like *@domain.com), then your chat server could use the XMPP domain domain.com (or chat.domain.com, if you prefer). Your users then enter domain.com (or chat.domain.com) as the server in their clients (Spark or any other XMPP client). This should already work the same way internally before you make the server available on the internet.

When the same domain name is used for several services (www, mail and XMPP), a client needs a way to find the host that actually provides its service: the plain A record of domain.com typically points at the web server, not the chat server. This is solved (not just in XMPP) with DNS SRV records. So, in both your internal and external DNS you should have a record like this:

_xmpp-client._tcp.domain.com. 18000 IN SRV 0 5 5222 server.domain.com.

Here domain.com is your XMPP domain and server.domain.com is the FQDN of the host running Openfire. That host also needs an A (or AAAA) record: in the internal DNS pointing to the server’s private IP, and in the external DNS pointing to the public IP at which it is reachable. This way a client connecting to domain.com finds the host providing the XMPP service. TCP port 5222 is the client-to-server port, so your firewall has to forward TCP 5222 arriving at the company’s public IP to the internal IP of the Openfire host (port forwarding, also called destination NAT); just “opening” the port in a filter rule is not enough when the server has a private address.

If you named your XMPP domain chat.domain.com, then this record should look like

_xmpp-client._tcp.chat.domain.com. 18000 IN SRV 0 5 5222 server.domain.com. (not sure about this part yet)

So, when an external user enters username, password and domain.com as the server in Spark and presses Login, the client first asks DNS for the SRV record _xmpp-client._tcp.domain.com. Your domain’s DNS answers that the XMPP service for domain.com is provided by server.domain.com on port 5222. The client then does an A (or AAAA) lookup for server.domain.com, gets the company’s public IP and opens a TCP connection to port 5222 there. The firewall forwards that connection from the public IP to the local IP of the host running Openfire. The same thing happens inside the network, except that the internal DNS returns the server’s local IP, so the connection goes directly to it. If no SRV record exists at all, the client falls back to connecting to domain.com itself on port 5222, which would hit whatever host the A record of domain.com points at (usually your web server), so the SRV record is not optional here.
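The lookup sequence described above, and the SRV record shown earlier, as an added example (not code from Spark, Openfire or the original post): the client-side logic that turns an XMPP domain into the list of (IP, port) pairs to try, run against constructed zone data instead of live DNS. It parses SRV lines in the zone-file form used on this page, orders them the way RFC 2782 prescribes (lowest priority first, weighted random within a priority), resolves each target to its address, and shows the RFC 6120 fallback to the bare domain on 5222 when the SRV record is missing. The names domain.com, server.domain.com and backup.domain.com and all IP addresses are placeholders; the two zone views illustrate split-horizon DNS, where internal and external clients get the same SRV answer but different A records.

```python
"""How an XMPP client locates the server for an XMPP domain: SRV lookup,
RFC 2782 ordering, A/AAAA lookup of the target, RFC 6120 fallback.

Added example for this post, not code from Spark or Openfire. The zone data,
the names domain.com / server.domain.com / backup.domain.com and every IP
address below are placeholders constructed for illustration."""
from __future__ import annotations

import random
from dataclasses import dataclass

XMPP_CLIENT_PORT = 5222  # used when no SRV record exists (RFC 6120 fallback)


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(line: str) -> tuple[str, SRV]:
    """Parse one zone-file line such as
    '_xmpp-client._tcp.domain.com. 18000 IN SRV 0 5 5222 server.domain.com.'
    and return (owner name, SRV record), both without the trailing dot."""
    parts = line.split()
    if len(parts) != 8 or parts[2:4] != ["IN", "SRV"]:
        raise ValueError(f"not an SRV record: {line!r}")
    priority, weight, port = (int(x) for x in parts[4:7])
    return parts[0].rstrip("."), SRV(priority, weight, port, parts[7].rstrip("."))


def order_srv(records: list[SRV], rng: random.Random) -> list[SRV]:
    """RFC 2782 client ordering: lowest priority first; within one priority,
    pick targets at random with probability proportional to weight, and
    weight-0 targets only after all weighted ones have been chosen."""
    ordered: list[SRV] = []
    for priority in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == priority]
        while group:
            total = sum(r.weight for r in group)
            pick = group[0]  # only weight-0 records left: take them in order
            if total > 0:
                n = rng.randrange(total)
                acc = 0
                for r in group:
                    acc += r.weight
                    if n < acc:
                        pick = r
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def resolve_xmpp(xmpp_domain: str, zone: dict[str, list[str]],
                 rng: random.Random | None = None) -> list[tuple[str, int]]:
    """Return (hostname, port) pairs in the order a client should try them.
    `zone` stands in for the DNS server: owner name -> list of record strings
    (zone-file lines for SRV records, plain addresses for A records)."""
    rng = rng or random.Random()
    srv_lines = zone.get(f"_xmpp-client._tcp.{xmpp_domain}", [])
    if not srv_lines:
        # No SRV record: the client connects to the XMPP domain itself on 5222,
        # i.e. to whatever the A record of domain.com points at (the web host).
        return [(xmpp_domain, XMPP_CLIENT_PORT)]
    records = [parse_srv(line)[1] for line in srv_lines]
    return [(r.target, r.port) for r in order_srv(records, rng)]


def connection_plan(xmpp_domain: str, zone: dict[str, list[str]],
                    rng: random.Random | None = None) -> list[tuple[str, int]]:
    """SRV lookup followed by the A lookup of each target: the (ip, port)
    list the client actually opens TCP connections to, in order."""
    return [(ip, port)
            for host, port in resolve_xmpp(xmpp_domain, zone, rng)
            for ip in zone.get(host, [])]


# Constructed split-horizon zone data: identical SRV records in both views,
# only the A records differ. 203.0.113.0/24 is a documentation range and
# 192.168.0.0/24 a private one; neither points at a real host.
SRV_RECORDS = [
    "_xmpp-client._tcp.domain.com. 18000 IN SRV 0 5 5222 server.domain.com.",
    "_xmpp-client._tcp.domain.com. 18000 IN SRV 10 0 5222 backup.domain.com.",
]
EXTERNAL_ZONE = {  # what clients on the internet see
    "_xmpp-client._tcp.domain.com": SRV_RECORDS,
    "domain.com": ["203.0.113.80"],         # the web server, not the XMPP host
    "server.domain.com": ["203.0.113.10"],  # public IP; firewall forwards tcp/5222
    "backup.domain.com": ["203.0.113.11"],
}
INTERNAL_ZONE = {  # what clients on the LAN see
    "_xmpp-client._tcp.domain.com": SRV_RECORDS,
    "domain.com": ["192.168.0.80"],
    "server.domain.com": ["192.168.0.10"],  # private IP of the Openfire host
    "backup.domain.com": ["192.168.0.11"],
}

if __name__ == "__main__":
    print("external:", connection_plan("domain.com", EXTERNAL_ZONE))
    print("internal:", connection_plan("domain.com", INTERNAL_ZONE))
    no_srv = {k: v for k, v in EXTERNAL_ZONE.items() if not k.startswith("_xmpp-client")}
    print("no SRV record:", connection_plan("domain.com", no_srv))
```

On a real deployment the same two steps can be checked by hand: `dig +short SRV _xmpp-client._tcp.domain.com` run from inside and from outside the network should return the same target and port, while `dig +short server.domain.com` should return the private address inside and the public address outside. `openssl s_client -connect server.domain.com:5222 -starttls xmpp -xmpphost domain.com` (OpenSSL 1.1.0 or newer) then shows whether the port is actually forwarded and which certificate the server presents for that XMPP domain.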

If you had an internal server with a simple name like “chatserver”, or even worse an IP address, instead of a proper XMPP domain name, then this gets REALLY complicated. You would have to change your server’s XMPP domain, which breaks contacts already added in clients (their JIDs still contain the old domain name). Then you would have to change the login information in every client to the new name. Setting up DNS records is also not trivial if you have never done it before. So when someone asks “how do I make my server available on the internet”, you just can’t say “do this and that”. This is not easy if you are not familiar with networking and DNS.

I have skipped the certificates part, which can be worked around by changing Spark settings, but it is best to set it up properly. Quoting @guus from another post: “Obtain a CA-signed certificate for your domain. Ensure that the certificate covers at the least the XMPP domain name as well as the FQDN of the host that’s running Openfire (again, if these are the same, things are easier). You can use Let’s Encrypt for this, which is free, but more complex to set up. Best results are obtained with a wildcard certificate for all subdomains of your domain.”
