Openfire behind Firewall

I’m new to openfire and I’ve spent some time trolling the forums looking for an answer to my question with no luck.

I have an openfire server inside of my company network that’s functioning fine. What I would like to do is set up a web based jabber client that can access the openfire server BUT I do not want the client running the web based jabber client to actually make a direct connection to the openfire server (there are no open ports for openfire in the firewall). I’m currently looking at JWChat as my web based option - is there a way to make the server hosting JWChat (or any web based jabber client) make the connection to the openfire server on behalf of the end user?

My goal is to NOT open a port in the firewall for jabber traffic and I do NOT want any installable jabber software to be able to access the openfire server - the only outside jabber client I want to be able to hit the openfire server is the one I’m hosting on my web server.

Thanks in advance for your assistance.

Sounds like you may want to look into an HTTP proxy server (a la squid, perhaps?) Even apache can do the basic proxy stuff. Just restrict your proxy stuff properly.

I’ve been continuing my research into this topic and I believe I’ve found what might be my solution.

HTTP Binding - correct me if I’m wrong, but I believe this is intended for just my purpose? I’m currently exploring JWChat + punjab, however at the moment we’re currently running wildfire 3.0.1 which does not support BOSH. Right now I’m polling the community to see if anyone has had any errors when upgrading from wildfire 3.0.1 to openfire 3.3.3.

My thinking is that the system would be set up as illustrated below:

Openfire (HTTP Binding) > Firewall > Proxy > JWChat/punjab(HTTP Binding)

Is this correct?

I’ll update this thread if I discover anything useful.
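The reverse-proxy suggestion above and the "Openfire (HTTP Binding) > Firewall > Proxy > JWChat" layout can be expressed as a single Apache httpd site configuration. This is an added example, not configuration from the thread or from the Openfire/JWChat projects. It assumes Openfire's HTTP Binding is listening on an internal address of 10.0.0.5, port 7070, with the BOSH path /http-bind/ (Openfire's default HTTP-bind port and path, adjust to your installation), that the web client is served from /var/www/jwchat on the same public web server, and Apache 2.4 `Require` syntax. The browser only ever talks to the web server; only the BOSH path is relayed inward, and the firewall between the web server and Openfire should then permit TCP 7070 from the web server's IP alone.

```apache
# Added example: Apache reverse proxy exposing only Openfire's BOSH endpoint.
# Assumptions (not from the thread): Openfire at 10.0.0.5:7070, BOSH path
# /http-bind/, JWChat static files under /var/www/jwchat, Apache 2.4.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module        modules/mod_ssl.so

<VirtualHost *:443>
    ServerName chat.example.com            # placeholder hostname

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/chat.example.com.crt   # placeholder paths
    SSLCertificateKeyFile /etc/ssl/private/chat.example.com.key

    # Never operate as an open forward proxy; only the explicit ProxyPass
    # mapping below is honoured.
    ProxyRequests Off
    ProxyPreserveHost On

    # The web client itself is plain static content on this host.
    DocumentRoot /var/www/jwchat
    <Directory /var/www/jwchat>
        Options -Indexes
        Require all granted
    </Directory>

    # Relay only the BOSH path to Openfire. Every other Openfire URL
    # (admin console, other plugins) stays unreachable from outside.
    ProxyPass        /http-bind/ http://10.0.0.5:7070/http-bind/
    ProxyPassReverse /http-bind/ http://10.0.0.5:7070/http-bind/

    <Location /http-bind/>
        # BOSH sessions are carried over POST; refuse anything else so the
        # relayed path cannot be used to browse the backend.
        <LimitExcept POST>
            Require all denied
        </LimitExcept>
        Require all granted
    </Location>

    ErrorLog  /var/log/apache2/chat-error.log
    CustomLog /var/log/apache2/chat-access.log combined
</VirtualHost>
```

With this in place the web client's HTTP-binding URL is set to https://chat.example.com/http-bind/ (the web server's own name), so an installable desktop client has nothing to connect to: port 5222 on Openfire is never exposed, and the only inbound path to 7070 is from the web server. The access log on the proxy also becomes the single place to watch for unexpected BOSH traffic.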

Technically this can all be done with a router or PIX box that you probably have in place. All routers and Cisco PIX allow for route tables to restrict access to addresses. Just configure a route table to allow the web server to access the openfire server, and restrict the access to the openfire server to the IP of the web server. We do the same thing with our mail server. It is inside the firewall and the web access to it is outside.

Of the web based clients I know of, they all make connections direct from the end user’s machine - who is loading up the app - to the IP address of the XMPP server they’re connecting to - they do not relay through the server that is hosting the web based client; is this not what BOSH is meant to do?