Openfire Admin console on separate interface?

I’m running Openfire on a multi-homed system that has one interface connected to the “user” LAN and a second to a “management” LAN. The interfaces are firewalled differently and I’d like to be able to have the Openfire admin console listen on the management interface rather than the user interface. I’ve found, and configured, the setting that has Openfire generically listen on a specific interface, but I can’t find anything that would allow me to split the admin(port 9091)/user(port 5222) listening across two interfaces.

Is there any way to do this? If not, how do I make a suggestion for a possible future enhancement?

be seeing you … Don

P.S.

I’m new to Openfire, but am very impressed by the professional quality of the system.

You should be able to access the admin console from any interface that has port 9090 or 9091 open. The important thing to remember if you are using Windows is to name the Openfire server the same name as the computer that it is being installed on. So if the computer has a domain name of server1.domain.com you should name your Openfire server the same thing during the setup.

Thanks for the quick reply, but I think I need to give you a bit more information so you understand what I’m trying to do …

The server that runs Openfire has two NICs (and two IP addresses) on two separate LAN subnets:

Subnet1: 10.10.3.0/24 used for client access to servers (Openfire IP=10.10.3.254)

Subnet2: 10.10.4.0/24 used for management access to servers (Openfire IP=10.10.4.254)

I’ve configured Openfire to only listen on 10.10.3.254 since client traffic should not be arriving over 10.10.4.254. I can connect to the admin console with no problem at the 10.10.3.254 address.

What I’d like to do is to completely segregate admin access from client access. I’d like the admin service accessible only on 10.10.4.254 address subnet and not on the 10.10.3.254 address. Conversely I want the client access to happen only over the 10.10.3.254 address but not the 10.10.4.254 address.

The rationale for this is two-fold. First, authentication and authorization rules are different for the 10.10.4.0/24 subnet (administrators) and the 10.10.3.0/24 subnet (users); and second, I don’t want to have administrative and user traffic (even if it’s encrypted) mixed on the same subnet. I could probably do this by allowing Openfire to listen on both interfaces/IP addresses and use port filtering in the firewalls to restrict where requests come from, but I’d prefer to have Openfire specifically listening on the right Interface/IP address.

BTW, you were correct in your assumption that it’s a Windows (for now) environment.

Any other hints or suggestions?

be seeing you … Don
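The segregation described in the post above can be checked against the host's actual listening sockets. The following is an added example, not part of the thread and not Openfire code: it parses Windows `netstat -an` output and reports any of the three ports bound to the wrong address or to all interfaces. The policy table is an assumption built from the addresses and ports in the post, and the netstat lines are a constructed sample.

```python
import re

# Assumed policy, built from the addresses and ports given in the post above.
POLICY = {
    5222: "10.10.3.254",  # client port -> user LAN address
    9090: "10.10.4.254",  # admin console -> management LAN address
    9091: "10.10.4.254",  # admin console -> management LAN address
}
WILDCARDS = {"0.0.0.0", "::"}  # socket bound to every interface

# Constructed sample of Windows `netstat -an` output, not from a real host.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.10.3.254:5222       0.0.0.0:0              LISTENING
  TCP    10.10.3.254:9090       0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9091           0.0.0.0:0              LISTENING
  TCP    [::]:9091              [::]:0                 LISTENING
  TCP    10.10.3.254:5222       10.10.3.17:50112       ESTABLISHED
"""

LISTEN = re.compile(r"^\s*TCP\s+(\[[^\]]*\]|[\d.]+):(\d+)\s+\S+\s+LISTENING\s*$")


def listeners(netstat_text):
    """Yield (address, port) for each TCP socket in the LISTENING state."""
    for line in netstat_text.splitlines():
        m = LISTEN.match(line)
        if m:
            yield m.group(1).strip("[]"), int(m.group(2))


def violations(netstat_text, policy=POLICY):
    """Return sorted (port, address, reason) for listeners that break the policy."""
    found = []
    for addr, port in listeners(netstat_text):
        if port not in policy:
            continue
        if addr in WILDCARDS:
            found.append((port, addr, "bound to all interfaces"))
        elif addr != policy[port]:
            found.append((port, addr, "expected " + policy[port]))
    return sorted(found)


if __name__ == "__main__":
    for port, addr, reason in violations(SAMPLE):
        print(f"port {port} listening on {addr}: {reason}")
```

A wildcard bind counts as a violation for both roles, because the service is then reachable on either subnet unless a firewall rule blocks it.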

I have my Openfire server running on a machine with 3 NICs. It is configured to run on the primary due to the restriction with Openfire needing to be named the same as the bind name in a Windows Active Directory setup. I can access the admin panel from any of the other NICs as long as I open the ports 9090 or 9091. The admin panel is just a web page running on a set of ports. You can even make those ports the 80 and 443 if you want. It does not matter as long as they are open in your firewall.

Sounds like I have a similar set-up except my server is running in a DMZ with no AD environment and no local DNS so I used LMHOSTS to set the appropriate host names for the interfaces. I’m using the local database to contain user IDs (less than 50 maximum).

I had a look at the source code and the admin console appears to check for a specified interface to listen on. The problem is that there is only one system property that specifies the “listening” interface and it applies to both admin and client connections. It looks (but I’m not a Java guru) as if it would be pretty simple to add a new system property to specify a unique IP address for the admin console to listen on and to use that if it was non-null.

be seeing you … Don

I did a bit more digging on the issues site and found JM-123 that appears to address my issue, and more besides.

So here is a new, hopefully simple, question: Can anyone tell me how to add my support to implementing JM-123 in an upcoming release?

be seeing you … Don

"Can anyone tell me how to add my support to implementing JM-123 (http://www.igniterealtime.org/issues/browse/JM-123) in an upcoming release?"

Yes. Sign up for an account on the issue management system, and ‘Vote’ for it by making a comment below the issue you’re linking to. More people leaving positive comments are a good thing, IMHO.

Regards.