I have an internal Openfire server, which talks to our AD environment. There is a need for users to be able to connect externally, however I’d rather avoid them having to go through an HTTP proxy or otherwise change their configuration to do so. Obviously the simplest solution would be to put Openfire in the DMZ and have internal/external users connect to it directly, however AD in the DMZ is a no-no.
The options I have so far are:
Another Openfire system in the DMZ which does server-server connections, or clustering, to the internal system. I think authentication might trip me up here, since I don’t believe Openfire will forward through authentication requests.
A DMZ system using something like stunnel to forward DMZ requests into the internal network. I don’t need the SSL piece of stunnel, since Openfire is configured to require SSL over 5222 anyway.
Just dumping AD and installing Openfire in the DMZ with static accounts. This has lots of headaches related to password expiration and user management I’d rather avoid.
Some other proxy system which can handle XMPP requests transparently.
My worst case config is Apache w/ mod_proxy that users have to enable/disable as necessary - I’d rather avoid this, since there are some clients which don’t support HTTP Proxies (Jivetalk on my Blackberry for example).
Any other ideas?