How Can I Connect users outside LAN to Wildfire Server using Spark?

Okay, even though I hate the word, I can say that I am a "newbie" to Wildfire and Spark. I can also say that I am not an IT pro, but being that I am the Operations Director of a small company, guess who gets to do it all? That's right. I can say though that I am a very fast learner and I have a fair to moderate understanding of IT, and am certainly intrigued by it. Anyway, I have successfully set up the Wildfire server on our local server at my office location (it is a server that only functions as an AD, DNS, and domain server). I have set up the users on the LAN with the Spark client and have not had a single issue connecting and using the client. Now, the challenge for me is that I have 2 other (even smaller) locations, and our CEO and other partners are usually always remote; however, I want to (and am pretty sure that I can) be able to have the remote users log onto the Wildfire server using Spark.

So, knowing that I have a LAN set up behind a router and then the server is on that LAN, what I think I need to do (from reading through all the posts first) is to set the router to forward all external 5222 requests to the server's local IP address (which is 192.168.1.13).

What I first need to know is that this is correct (or at least on the sometimes wavering path of correct). Secondly, I need to know, if this is correct, what do I get the users to set their server field to in the Spark login box? Am I correct in saying that if I have it set up in the way I described above, they would log onto the router's external IP, port 5222 (ex. 66.59.xxx.xxx:5222) and then it would forward it to the internal server?

I appreciate in advance any light that can be shed. Thanks.

So, knowing that I have a LAN set up behind a router and then the server is on that LAN. What I think I need to do (from reading through all the posts first) is to set the router to forward all external 5222 requests to the server's local IP address (which is 192.168.1.13).

As long as you are only talking about having clients connect from outside the network on the non-SSL (old style) port, you are right on.

What I first need to know is that this is correct (or at least on the sometimes wavering path of correct). Secondly, I need to know, if this is correct, what do I get the users to set their server field to in the Spark login box? Am I correct in saying that if I have it set up in the way I described above, they would log onto the router's external IP, port 5222 (ex. 66.59.xxx.xxx:5222) and then it would forward it to the internal server?

Just put in the external IP address (65.59.xx.xx) of the router in the server field.

This isn't the most elegant way to set this up. The most preferred method would be to have the server have an external IP address and DNS entry. That isn't always possible, so I would say the next best method is to use some VPN, then connect as you would on the LAN. The third choice is as I described above.

Thanks for that. Do you suggest that I use the SSL port instead?

Also, I am not going to set up the server with its own external IP and DNS; however, the VPN is not entirely out of the question. My only question is (and my inexperience is about to come out!): if I have, let's say, 6 clients out there (external from the LAN), I would only need to set up one VPN, right? And have all of those connect to that VPN the same way.

Also, I have Server 2003 installed. Would it be best to set up the VPN role on the server? I am pretty sure I can manage that. I will let you know how it works out. Thanks.

For complete compatibility, I would do both. Most modern clients should use port 5222 with TLS, but some older clients can only do SSL on port 5223. It shouldn't be too much extra overhead to support both, however.

You should only need one VPN (with 6 clients) but as to the implementation of that, you are on your own. I can only provide you info for Unix based solutions. Try Google for this one.

This may be a little out of the box here; however, I know that I need to open up port 5222 (I have a 3com 5012 router) and have all client requests for port 5222 on our external IP address forwarded to the server's LAN IP. The big question is: how exactly do I do that? Like I said, I am a student in progress here (learning as I need to). I telnet to the router, and then I am stuck. I am unsure of the correct syntax to complete what I am sure (am hoping, anyway) is a fairly simple task. I have all the info I need, I just have to put it all together. Thanks in advance for any light you may be able to shed.

You've got me. Never used a 3com router before. I'd check the documentation or get on 3com's website and search a bit.

That router has a web interface!

I haven't used one of that model myself, but with a web interface I think you'd be able to figure it out.

Don't forget that these things have "documentation".

Even though I always forget that myself. ;-D

I have checked the documentation, but have not really found much that helps me… I know that I have to use NAT to get this to work; my problem is that I have very limited knowledge about NAT.

As far as a web interface, I have not seen it. Are you sure that this model does? I will have to check, but I know that I have to telnet to it to do anything, basically. A web interface would be absolutely awesome. I have tried (as is usually standard) typing both the global and internal IP address of the router in a browser and gotten nothing. I will search the web for info about this, but I am expecting the worst. Anyhow, I appreciate the help, and if you come across anything else that can help me I would appreciate it. Thanks.

The syntax for adding a NAT translation looks like this:

nat server protocol tcp global

for instance:

nat server protocol tcp global XXX.XXX.XXX.XXX 5222 inside YYY.YYY.YYY.YYY 5222

I do not believe that there is a web interface on the 50xx series routers.

Good luck.

md

That router has a web interface!

I don't believe that to be true. Of course, I've been wrong many times before.

Don't forget that these things have "documentation".

I just downloaded the documentation (even though I don't have a 3com router) and didn't notice anything about a web interface in there. I only noticed console access from a wired port…

If there were a web interface, it would be easy, because you will normally find a page that shows a bunch of application/game start and end ports, and then which internal machine to route those to…

The command line, of course, will require some digging…

The syntax for adding a NAT translation looks like this:

nat server protocol tcp global

for instance:

nat server protocol tcp global XXX.XXX.XXX.XXX 5222 inside YYY.YYY.YYY.YYY 5222

I do not believe that there is a web interface on the 50xx series routers.

Good luck.

md

This is exactly what I thought! I am glad I have been reassured. Now, my question is this. I have entered the command line this way, checked the "show nat server" output, and I can see it.

My question now is, how do I get the outside clients to connect to it? I tried to test it myself from inside the LAN (which I suppose I can do, I hope) by typing in the server's public IP and port 5222 (ex. 208.46.xxx.xxx:5222). It still does not seem to work. Does anyone know where I am going wrong here? Thanks again. I really want to get this figured out, as the rest of the executive team just wants to use Messenger :P which I am set against, but if I can not fix this soon, looks like I am up the creek. Thanks.

That type of thing is usually discouraged by a line in the config file which disallows traffic with a source IP that matches your internal IP scheme. This is done to prevent spoofing. You will likely need to test from a machine that is outside of your local network. Test from home or another remote system to which you have access via, say, RDP/ICA, VNC, pcAnywhere, etc. You get the idea.

Gotta first say that I really appreciate your help on this. I did test it from an outside source, but still nothing, although I had a person doing it for me as I was walking her through it.

It did not work, however, and I am not sure why. I have two more quick questions. 1.) Even though I can check the NAT server (when I do, this is what I get: Server in private Network information: Interface: Serial 2/0, Protocol:6(tcp), 208.46.xxx.xx: 5222 192.168.1.13: 5222), is there any other way to verify that the router is in fact forwarding 5222 requests to the server? Or is that what this is telling me? Essentially, if it says this, then it is. I know that the server is definitely listening on 5222, as the internal clients work. I need to narrow down where the issue is here.

My next question is: say this is most certainly doing what I need it to be doing, then what do the outside users need to input into the fields in the client (we are using Spark)? User name: (locally, I am just putting in the user name and nothing else, no @…, etc.) Server: (locally, we just put in the name of the server and it works) do the outside users need to type in 208.46.xxx.xx:5222? Something else? I feel like I am missing something very simple here. I have tried a lot of other configurations through the aforementioned test with no success. Thanks again for all the help.

You're welcome. Hope that I can help you get it working.

Try this for the remote client config:

Open Spark and click on the ADVANCED item at the bottom of the client, and then under the GENERAL tab uncheck the "Automatically discover host and port" option. Once you clear that check box, the HOST and PORT boxes will become active and you will add these entries:

Host - XXX.XXX.XXX.XXX (the public IP on your router; an FQDN may work but I have not tested, so I can't comment)

Port - 5222

Leave everything else at default and then click on OK to save and exit that window.

At the main window in Spark you will need to enter the user name and password and put something into the Server box. It doesn't seem to matter what you put in there, since it is ignored when you have the manual configuration enabled in the Advanced config.

md
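The question above asks how to verify that the router really forwards port 5222 to the Wildfire box, beyond reading the "show nat server" output. As an added example (not from this thread, and not Wildfire or Spark code), here is a small Python probe that does what the Spark client does first: open a TCP connection, send an XMPP stream opener, and look at the server's reply. It distinguishes "nothing answers" (no forward, or a filter), "something answers but not XMPP" (wrong port forwarded), and "XMPP answers", and it also reports whether the server offers and requires STARTTLS, which is the difference between the TLS-on-5222 and SSL-on-5223 choices discussed earlier and matters once the port is reachable from the Internet. The domain example.local, the stream IDs, and the two canned replies are constructed for the example; the fake listener only exists so the probe can be exercised offline.

```python
import re
import socket
import sys
import threading

# Constructed sample replies (labelled as such): roughly what an XMPP server
# answers after a client opens a stream. Names and IDs are made up; a real
# Wildfire reply differs in detail.
FAKE_WITH_STARTTLS = (
    "<?xml version='1.0'?>"
    "<stream:stream xmlns='jabber:client' "
    "xmlns:stream='http://etherx.jabber.org/streams' "
    "from='example.local' id='abc123' version='1.0'>"
    "<stream:features>"
    "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>"
    "</stream:features>"
).encode()

FAKE_PLAINTEXT_ONLY = (
    "<?xml version='1.0'?>"
    "<stream:stream xmlns='jabber:client' "
    "xmlns:stream='http://etherx.jabber.org/streams' "
    "from='example.local' id='abc124' version='1.0'>"
    "<stream:features></stream:features>"
).encode()


def stream_opener(to_domain):
    """The stream header a client sends first; `to` is the server name."""
    return (
        "<?xml version='1.0'?>"
        "<stream:stream to='%s' xmlns='jabber:client' "
        "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
        % to_domain
    ).encode()


def probe_xmpp(host, port=5222, to_domain="example.local", timeout=5.0):
    """Connect, send a stream opener, classify the reply.

    tcp_connect: the forward reaches *something*; xmpp_stream: it speaks XMPP;
    server_name: the `from` the server announces; starttls/starttls_required:
    whether a plaintext login would be possible on this exposed port.
    """
    result = {"tcp_connect": False, "xmpp_stream": False, "server_name": None,
              "starttls": False, "starttls_required": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["tcp_connect"] = True
            s.settimeout(timeout)
            s.sendall(stream_opener(to_domain))
            data = b""
            # Read until the features element closes, the peer hangs up, or
            # the read times out (a silent listener is still a finding).
            while b"</stream:features>" not in data and len(data) < 8192:
                try:
                    chunk = s.recv(4096)
                except socket.timeout:
                    break
                if not chunk:
                    break
                data += chunk
    except OSError as exc:
        result["error"] = str(exc)
        return result
    text = data.decode("utf-8", errors="replace")
    if "<stream:stream" in text:
        result["xmpp_stream"] = True
        match = re.search(r"\bfrom=['\"]([^'\"]+)['\"]", text)
        if match:
            result["server_name"] = match.group(1)
    if "urn:ietf:params:xml:ns:xmpp-tls" in text:
        result["starttls"] = True
        result["starttls_required"] = "<required/>" in text
    return result


def start_fake_server(reply=FAKE_WITH_STARTTLS):
    """Stand-in for the forwarded Wildfire host: answers one connection on
    127.0.0.1 with `reply`. Returns (host, port) for the probe to target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(2.0)
            try:
                conn.recv(4096)  # swallow the client's stream opener
            except OSError:
                pass
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()


def closed_local_port():
    """A 127.0.0.1 port with nothing listening (bound, then released)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # `python probe.py <public-ip> [port]` tests a real forward from outside
    # the LAN; with no arguments it runs against the in-process stand-in.
    if len(sys.argv) > 1:
        target = (sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 5222)
    else:
        target = start_fake_server()
    for key, value in probe_xmpp(*target).items():
        print("%-18s %s" % (key, value))
```

Run it from a machine outside the LAN, as the earlier reply recommends, since the router's anti-spoofing rule will typically drop a test from inside. A connection error with "refused" points at the NAT entry or the server not listening; a timeout points at a filter somewhere on the path; tcp_connect true with xmpp_stream false means the port reaches a host, just not the XMPP service. If starttls comes back false, the exposed port accepts logins in the clear, which is the case where the SSL port (5223) or a VPN, both mentioned above, is the safer choice.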

YOU ARE DA MAN!! It works now. I can not believe it. And to think my "time limit" was going to be 12:00 Noon EST today, and then I was just going to have to give up and move on! I can not tell you how great that is! I appreciate it so much.

To everyone else, all of your information was extremely helpful to me. Thanks.

Hey, glad to hear that it's now working. Happy to help out. Good luck with the demo to the decision makers.

md