powered by Jive Software

Openfire as internal and external Service - Firewall

Hi there

we’re in the middle of the process of implementing Openfire in our company. With the help of the people here, I was able to fix most of the problems and got nearly all of my questions answered. THANKS A LOT!

Our Openfireserver is for internal and external use, i.e. Users from ouside (customers, partners) can chat with us using our jabber ID.

OF itself sits inside the company LAn, having an IP Address of e.g. and has a static NAT Mapping on the firewall, so it’s external IP Address is e.g.

I added as xmpp.proxy.externalip into the system properties. Is there anything else I need to do on the OF Server site?

On the firewall, I’m a bit stucked …

I opened:


tcp/7000 for the irc gateway,

tcp/1863 for the msn gateway, tcp/443 for the msn authentication (I’ve read this somewhere here on the forum).

tcp 7777 fo file transfer


tcp and udp Port 53 for Nameservices


tcp/5222 and tcp 5223


tcp/7777 for file transfer

Is there anything else I need to do? Right now, we only want jabber and the irc + msn gateway, no sip, voice, etc.

Furthermore, is there anything else I need to do in order to get msn work? It seems that there are some problems with authentication, as the msn gateway doesn’t log in …

thanks a lot in advance


I do not know what you mean by this: “I added as xmpp.proxy.externalip into the system properties. Is there anything else I need to do on the OF Server site?”

You do not need to do anything special to openfire to make it work externally. No special settings on the server etc.

Here are the general requirements for external/internal access especially with fastpath enabled:

  • The Server Name, xmpp.domain, and server certificates need to have an external Fully Qualified Domain Name (e.x. chatserver.domain.com)
  • You need to add a A record to your external DNS for this domain name
  • You need to port forward 5222, 5223, 7777, 5269, 9090 or 9091 (if fastpath is hosted on openfire), 7070, 7443, 3478, 3479, 5229 (see the main page of the Openfire admin website for details on these ports)
  • Point all clients to the external FQDN

Hi Todd

I read the xmpp.proxy.externalip thing somewhere her on the server, that it’s needed when the server itself has an internal (not official) IP Address.

The server is called jabber.company com, but the domain itself is company.com, as I want the Jabber iD’s to be 1stname.lastname@company.com which works fine from inside and outside.

I agree, the certificate could become a problem. How is the “general guideline”? Will other jabber servers (e.g. other openfire or even googltalk) connect is the certificate is not valid in any case (no official root certificate, wrong name, etc.)?

Apart from that, it seems, that lke I did it, evenrything is working now …