Forwarding XMPP through DMZ to Internal Openfire server

I have an internal Openfire server, which talks to our AD environment. There is a need for users to be able to connect externally, however I’d rather avoid them having to go through an HTTP proxy or otherwise change their configuration to do so. Obviously the simplest solution would be to put Openfire in the DMZ and have internal/external users connect to it directly, however AD in the DMZ is a no-no.

The options I have so far are:

  • Another Openfire system in the DMZ which does server-server connections, or clustering, to the internal system. I think authentication might trip me up here, since I don’t believe Openfire will forward through authentication requests.

  • A DMZ system using something like stunnel to forward DMZ requests into the internal network. I don’t need the SSL piece of stunnel, since Openfire is configured to require SSL over 5222 anyway.

  • Just dumping AD and installing Openfire in the DMZ with static accounts. This has lots of headaches related to password expiration and user management I’d rather avoid.

  • Some other proxy system which can handle XMPP requests transparently.

My worst case config is Apache w/ mod_proxy that users have to enable/disable as necessary - I’d rather avoid this, since there are some clients which don’t support HTTP Proxies (Jivetalk on my Blackberry for example).

Any other ideas?

David

Hi David,

did you consider using a connection manager? There are some issues with the order of messages when a lot of messages are delivered (offline messages or entering a MUC); besides that it works fine as a proxy for clients (not for s2s connections). It does terminate the client sessions and creates a connection manager session to Openfire. Openfire does the authentication, so you need only to open port 5262 from DMZ to Openfire.

LG

I didn’t realize the ‘Connection Manager’ existed, however it sounds like it does exactly what I need. I’ll have to try it and see how well it works! I take it I will have to install Openfire in my DMZ, along with the Connection Manager plugin, and point it to my internal Openfire environment? I couldn’t find any good (or even, any) documentation on the Connection Manager. Is there a webpage I am missing?

Thanks!

Hi David,

a CM is a standalone product. So there’s no need to install Openfire in the DMZ.

http://www.igniterealtime.org/projects/openfire/connection_manager.jsp is probably the page you’ve seen, and there’s little more to say about CMs. They have a configuration file where one needs to specify the openfire server and some more things. It does not include a GUI as far as I know.

LG

After I downloaded the tgz and read the documentation it made much more sense :) At some point I saw tcp/5262 mentioned, however that port isn’t open on my Openfire install - is there something I need to enable for that, or was it a typo?

David

There is no need to use a connection manager.

This is all you need:

  • Openfire needs a DNS name that can be resolved from the internet
    • Server name
    • xmpp.domain
    • certificates (selfsigned is fine)
    • DNS A record
  • Ports forwarded from external IP to internal NAT address

Port forwarding from the external network through to the internal environment is not permitted by our security policies, hence we have a DMZ.

Hi David,

visit https://your-openfire.example.com:9091/connection-managers-settings.jsp and enable the port it there.

LG
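As an added example (not code from the thread or from the Openfire project), the following Python script performs the two checks a DMZ deployment of a connection manager calls for: that the connection-manager port (5262, once enabled in the admin console) is reachable on the internal Openfire from the DMZ host, and that the client port 5222 really advertises STARTTLS as required, as David says his server is configured to. The host names, the constructed server greetings and the `probe_starttls` helper are assumptions for illustration; the stream-header exchange itself is the standard XMPP 1.0 opening.

```python
import re
import socket
import sys
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample greetings (not captured from a real server) for offline use.
SAMPLE_REQUIRED = (
    "<?xml version='1.0' encoding='UTF-8'?>"
    "<stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' "
    "from='example.com' id='abc123' xml:lang='en' version='1.0'>"
    "<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>"
)
SAMPLE_OPTIONAL = SAMPLE_REQUIRED.replace("<required/>", "")
SAMPLE_ABSENT = SAMPLE_REQUIRED.replace(
    "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>", "")


def port_open(host, port, timeout=3.0):
    """True if a plain TCP connect to host:port succeeds within timeout (e.g. DMZ -> Openfire:5262)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def features_from_stream(raw):
    """Return the <stream:features> element from a server greeting that is still an open stream.

    The server's <stream:stream> is never closed while the session lives, so the buffer is
    truncated after </stream:features> and an artificial </stream:stream> is appended to make
    it a well-formed document.
    """
    end_tag = "</stream:features>"
    end = raw.find(end_tag)
    if end < 0:
        raise ValueError("no complete <stream:features> in buffer")
    doc = raw[: end + len(end_tag)] + "</stream:stream>"
    doc = re.sub(r"^\s*<\?xml[^>]*\?>", "", doc)  # drop the XML declaration before parsing a str
    root = ET.fromstring(doc)
    feats = root.find("{%s}features" % STREAM_NS)
    if feats is None:
        raise ValueError("stream:features not found under stream:stream")
    return feats


def starttls_policy(features):
    """Classify the STARTTLS advertisement: 'required', 'optional' or 'absent'."""
    starttls = features.find("{%s}starttls" % TLS_NS)
    if starttls is None:
        return "absent"
    if starttls.find("{%s}required" % TLS_NS) is not None:
        return "required"
    return "optional"


def probe_starttls(host, port, domain, timeout=5.0):
    """Open an XMPP stream to host:port for 'domain' and report the server's STARTTLS policy."""
    header = ("<?xml version='1.0'?><stream:stream to='%s' xmlns='jabber:client' "
              "xmlns:stream='%s' version='1.0'>" % (domain, STREAM_NS))
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(header.encode("utf-8"))
        buf = b""
        while b"</stream:features>" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
        try:
            s.sendall(b"</stream:stream>")  # close politely; the server will do the same
        except OSError:
            pass
    return starttls_policy(features_from_stream(buf.decode("utf-8", "replace")))


if __name__ == "__main__":
    # Hypothetical hosts: run this from the DMZ box where the connection manager lives.
    internal = sys.argv[1] if len(sys.argv) > 1 else "openfire.internal.example"
    domain = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    print("CM port 5262 reachable on %s: %s" % (internal, port_open(internal, 5262)))
    print("STARTTLS policy on %s:5222: %s" % (internal, probe_starttls(internal, 5222, domain)))
```

If the first line prints `False`, port 5262 has not been enabled on the connection-managers settings page or a firewall between the DMZ and the internal network is blocking it; if the second line prints anything other than `required`, clients could still negotiate a cleartext session on 5222 and the assumption in the thread that SSL is already enforced does not hold.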