Openfire behind proxy

Hi, I have read other discussion threads related to proxy issues with the IM Gateway plugin. I am still not sure if that functionality is supported yet or not.

I installed openfire behind a socks / http proxy (corporate firewall) and I have transport plugins (for yahoo, msn etc.) installed on the server. Do the transports support proxy settings to go outside the firewall?

Basically, I am looking for :

client (psi/spark) ->openfire (with transport plugins) -> FIREWALL -> XMPP server , Yahoo , MSN

Something like this would be useful in restricted corporate environments that would support for NTLM based HTTP proxies.

My question is: does anything like this exist currently?

The plugin doesn’t support proxy at all at this time: GATE-130

However, I think I’ve seen a couple of folk have some success with some other solution they’ve put together. I don’t know how much luck you’d have searching the threads some more as it looks like you already have. Perhaps someone who’s tried before might have something to say?

Hi,

See http://www.igniterealtime.org/community/thread/26697

I have clients (psi) <-> openfire server <-> proxy & FW <-> outside world

Sometimes I also have clients in the outside world too.

Whatever the situation, the IM plugin does not work.

Of course, please note that setting update.proxy.host and update.proxy.port in server properties will only let you be notified about updates of openfire (could be useful in your case but won’t fix that issue).

Correct, the plugin does not support proxies. I think someone worked out some “magic” to get Yahoo working once. Not sure.

I think yahoo gateway is working out of the box behind a proxy here … I’ll ask people using it and give back results

Thanks, really appreciate a reply on how to connect to yahoo through proxy.

I would suggest that you add an exception for your chat server to your proxy. It is (I assume) an approved server for a specific purpose. It would not need to be proxied. Deny all non-chat-related ports for the server so it can not be used for inappropriate surfing.

You are perfectly right!

Unfortunately, I think I already opened all the required ports, hence I don’t see what is missing in my configuration.

btw, the thread is nearly the same as http://www.igniterealtime.org/community/message/155163#155163

Regards,

cgravier

Make sure that the proxy server or firewall (i.e. pix box) is not inherently blocking the following ports and addresses:

AOL: 5190 login.oscar.aol.com

IRC: 7000 irc.freenode.net

MSN: 1863 messenger.hotmail.com

Yahoo: 5050 scs.msg.yahoo.com

Gtalk: 5222 talk.google.com

I used to block all the ports but since switching to spark there is no need, since I use the permissions to regulate who accesses what.

Thanks for the exhaustive list!

I can, however, telnet to all those servers through my corp firewall:

MSN:

telnet messenger.hotmail.com 1863

Trying 65.54.239.80…

Connected to dp.msnmessenger.akadns.net.

Escape character is ‘^]’.

IRC:

telnet irc.freenode.net 7000

Trying 209.177.146.34…

Connected to chat.freenode.net.

Escape character is ‘^]’.

NOTICE AUTH :*** Looking up your hostname…

NOTICE AUTH :*** Found your hostname, welcome back

NOTICE AUTH :*** Checking ident

AOL: not allowed (I don’t want it)

Yahoo:

telnet scs.msg.yahoo.com 5050

Trying 216.155.193.128…

Connected to scs-dcna.msg.yahoo.com.

Escape character is ‘^]’.

Gtalk:

telnet talk.google.com 5222

Trying 209.85.137.125…

Connected to talk.l.google.com.

Escape character is ‘^]’.

I am not that sure now that this is a network issue … but I am out of tests to perform. If you have any idea, let me know and I’ll give it a try.
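The telnet tests above only show whether the TCP handshake completes. As an added example (not code from the thread or from Openfire), here is a small Python probe that runs the same checks but distinguishes the failure modes that matter behind a corporate firewall: a name that does not resolve, an active reject (RST), a silent drop (connect timeout), a handshake that completes, and a handshake that completes but where the peer then sends nothing. The last case matters because some proxies accept the connection and swallow the stream. The endpoint list is the one posted above; the loopback "peer" is a constructed test fixture so the probe can be exercised offline.

```python
"""Added example (not from the thread): a TCP reachability probe that reproduces the
manual telnet tests but tells the firewall failure modes apart. Verdicts:
  dns-failure        name did not resolve
  refused            host answered with RST (port closed or blocked with reject)
  timeout            no reply to the SYN at all (silent drop, the classic firewall symptom)
  unreachable        ICMP unreachable or similar local error
  connected          TCP handshake completed (telnet's "Connected to" line)
  connected-no-data  handshake completed but the peer sent nothing within the timeout
  banner             handshake completed and the peer greeted us (IRC NOTICE AUTH, etc.)
"""
import socket
import socketserver
import threading

# Host/port pairs listed earlier in the thread for the gateway transports.
TRANSPORT_ENDPOINTS = [
    ("AOL", "login.oscar.aol.com", 5190),
    ("IRC", "irc.freenode.net", 7000),
    ("MSN", "messenger.hotmail.com", 1863),
    ("Yahoo", "scs.msg.yahoo.com", 5050),
    ("Gtalk", "talk.google.com", 5222),
]


def probe(host, port, timeout=3.0, expect_banner=False):
    """Return (verdict, detail) for one outbound TCP connection attempt."""
    try:
        family, socktype, proto, _, addr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror as exc:
        return "dns-failure", str(exc)
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
    except socket.timeout:
        sock.close()
        return "timeout", "no SYN/ACK from %s:%s within %.1fs" % (addr[0], addr[1], timeout)
    except ConnectionRefusedError as exc:
        sock.close()
        return "refused", str(exc)
    except OSError as exc:  # network/host unreachable and similar local errors
        sock.close()
        return "unreachable", str(exc)
    if not expect_banner:
        sock.close()
        return "connected", "%s:%s" % (addr[0], addr[1])
    # Some protocols (IRC, SMTP) greet first; MSN waits for the client's VER line instead.
    try:
        data = sock.recv(256)
    except socket.timeout:
        return "connected-no-data", "handshake ok but nothing read within %.1fs" % timeout
    finally:
        sock.close()
    if not data:
        return "connected-no-data", "peer closed the connection without sending anything"
    return "banner", data.decode("latin-1", "replace").strip()


# --- constructed loopback peer so the probe can be exercised without network access ---
class _PeerHandler(socketserver.BaseRequestHandler):
    def handle(self):
        try:
            if self.server.banner:
                self.request.sendall(self.server.banner)
            self.request.recv(1)  # hold the connection open until the client goes away
        except OSError:
            pass


def start_local_peer(banner=b""):
    """Start a loopback TCP peer; banner=b'' makes it a silent peer. Returns (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _PeerHandler)
    server.banner = banner
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def find_closed_port():
    """Pick a loopback port that nothing is listening on (to demonstrate 'refused')."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    for name, host, port in TRANSPORT_ENDPOINTS:
        verdict, detail = probe(host, port, expect_banner=(name == "IRC"))
        print("%-6s %s:%-5d %-17s %s" % (name, host, port, verdict, detail))
```

Run it on the gateway host itself, not on a workstation: the question in this thread is what the Openfire box can reach, and a proxy exception or firewall rule usually applies per source address. A "timeout" verdict on a port that works from elsewhere points at a drop rule for that host; "connected-no-data" where a banner was expected points at an intercepting proxy.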

Do you have any debug logs from Openfire and Spark we can see? I recommend you clear out the logs just before you attempt to connect to narrow the logs as much as possible.

Also, what is the flavor of your proxy/firewall?

I am using psi as client, but it is ok for me to test with spark if the following clues are not enough:

Here is the debug log when I connect to my jabber server:

2007.09.05 10:02:04 A new session has come online: me@jabber.mydomain.com/Psi

2007.09.05 10:02:04 Created msn session for me@jabber.mydomain.com/Psi as ‘-----@yahoo.fr

2007.09.05 10:02:04 Creating MSN session for xxxxxxxx@yahoo.fr

2007.09.05 10:02:04 Logging in to MSN session for xxxxxxxx@yahoo.fr

2007.09.05 10:02:04 Received presence packet: <presence type="probe" from="me@jabber.mydomain.com/Psi" to="msn.jabber.mydomain.com"/>

2007.09.05 10:02:04 session 13 established

2007.09.05 10:02:04 MSN: Session established for xxxxxxxx@yahoo.fr

2007.09.05 10:02:04 session 13 sent message VER 1 MSNP11 CVR0

2007.09.05 10:02:04 MSN: Session messageSent for xxxxxxxx@yahoo.fr : VER 1 MSNP11 CVR0

2007.09.05 10:02:04 session 13 sent message CVR 2 0x0409 winnt 5.1 i386 MSNMSGR 8.1.0178 MSMSGS xxxxxxxx@yahoo.fr

2007.09.05 10:02:04 MSN: Session messageSent for xxxxxxxx@yahoo.fr : CVR 2 0x0409 winnt 5.1 i386 MSNMSGR 8.1.0178 MSMSGS xxxxxxxx@yahoo.fr

2007.09.05 10:02:04 session 13 sent message USR 3 TWN I xxxxxxxx@yahoo.fr

2007.09.05 10:02:04 MSN: Session messageSent for xxxxxxxx@yahoo.fr : USR 3 TWN I xxxxxxxx@yahoo.fr

2007.09.05 10:02:04 session 13 received message VER 1 MSNP11 CVR0

2007.09.05 10:02:04 MSN: Session messageReceived for xxxxxxxx@yahoo.fr : VER 1 MSNP11 CVR0

2007.09.05 10:02:04 session 13 received message CVR 2 8.1.0178 8.1.0178 8.0.0787 http://msgr.dlservice.microsoft.com/download/1/A/4/1A4FEB1A-18E0-423A-B898-F697402E4F7F/Install_Messenger.exe http://get.live.com

2007.09.05 10:02:04 MSN: Session messageReceived for xxxxxxxx@yahoo.fr : CVR 2 8.1.0178 8.1.0178 8.0.0787 http://msgr.dlservice.microsoft.com/download/1/A/4/1A4FEB1A-18E0-423A-B898-F697402E4F7F/Install_Messenger.exe http://get.live.com

2007.09.05 10:02:04 session 13 received message XFR 3 NS 207.46.107.87:1863 0 207.46.96.153:1863

2007.09.05 10:02:04 session 13 closed

2007.09.05 10:02:04 MSN: Session closed for xxxxxxxx@yahoo.fr

2007.09.05 10:02:04 MSN: Session messageReceived for xxxxxxxx@yahoo.fr : XFR 3 NS 207.46.107.87:1863 0 207.46.96.153:1863

2007.09.05 10:02:04 session 14 established

2007.09.05 10:02:04 MSN: Session established for xxxxxxxx@yahoo.fr

2007.09.05 10:02:04 session 14 sent message VER 1 MSNP11 CVR0

2007.09.05 10:02:04 MSN: Session messageSent for xxxxxxxx@yahoo.fr : VER 1 MSNP11 CVR0

2007.09.05 10:02:04 session 14 sent message CVR 2 0x0409 winnt 5.1 i386 MSNMSGR 8.1.0178 MSMSGS xxxxxxxx@yahoo.fr

2007.09.05 10:02:04 MSN: Session messageSent for xxxxxxxx@yahoo.fr : CVR 2 0x0409 winnt 5.1 i386 MSNMSGR 8.1.0178 MSMSGS xxxxxxxx@yahoo.fr

2007.09.05 10:02:04 session 14 sent message USR 3 TWN I xxxxxxxx@yahoo.fr

2007.09.05 10:02:04 MSN: Session messageSent for xxxxxxxx@yahoo.fr : USR 3 TWN I xxxxxxxx@yahoo.fr

2007.09.05 10:02:04 session 14 received message VER 1 MSNP11 CVR0

2007.09.05 10:02:04 MSN: Session messageReceived for xxxxxxxx@yahoo.fr : VER 1 MSNP11 CVR0

2007.09.05 10:02:05 session 14 received message CVR 2 8.1.0178 8.1.0178 8.0.0787 http://msgr.dlservice.microsoft.com/download/1/A/4/1A4FEB1A-18E0-423A-B898-F697402E4F7F/Install_Messenger.exe http://get.live.com

2007.09.05 10:02:05 MSN: Session messageReceived for xxxxxxxx@yahoo.fr : CVR 2 8.1.0178 8.1.0178 8.0.0787 http://msgr.dlservice.microsoft.com/download/1/A/4/1A4FEB1A-18E0-423A-B898-F697402E4F7F/Install_Messenger.exe http://get.live.com

2007.09.05 10:02:05 session 14 received message USR 3 TWN S lc=1033,id=507,tw=40,ru=http%3A%2F%2Fmessenger%2Emsn%2Ecom,ct=1188978605,kpp=1,kv=9,ver=2.1.6000.1,rn=Rir4B3zT,tpf=091935cb39d27dbe68a3c66f9f49d984

2007.09.05 10:02:05 MSN: Session messageReceived for xxxxxxxx@yahoo.fr : USR 3 TWN S lc=1033,id=507,tw=40,ru=http%3A%2F%2Fmessenger%2Emsn%2Ecom,ct=1188978605,kpp=1,kv=9,ver=2.1.6000.1,rn=Rir4B3zT,tpf=091935cb39d27dbe68a3c66f9f49d984

2007.09.05 10:02:10 Received presence packet: <presence to="msn.jabber.istase.com" from="me@jabber.mydomain.com/Psi">

<priority>5</priority>

</presence>

2007.09.05 10:02:10 An existing resource has changed status: me@jabber.mydomain.com/Psi

2007.09.05 10:02:15 session 14 closed

2007.09.05 10:02:15 MSN: Session closed for xxxxxxxx@yahoo.fr

2007.09.05 10:02:43 EXCEPTION

java.net.SocketTimeoutException: Read timed out

at java.net.SocketInputStream.socketRead0(Native Method)

at java.net.SocketInputStream.read(SocketInputStream.java:129)

at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)

at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)

at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:722)

at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:679)

at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)

at org.mortbay.io.ByteArrayBuffer.readFrom(ByteArrayBuffer.java:168)

at org.mortbay.io.bio.StreamEndPoint.fill(StreamEndPoint.java:99)

at org.mortbay.jetty.bio.SocketConnector$Connection.fill(SocketConnector.java:190)

at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:277)

at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:203)

at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:357)

at org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:217)

at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:475)

2007.09.05 10:02:43 EOF

2007.09.05 10:02:44 EXCEPTION

(and the same SocketTimeoutConnection is raised over and over)

I think this points to the line in the code which tries to connect to “something”. I just need that something to be allowed.

The proxy used in my corp. is squid and I can only guess that we use shorewall (hence classical iptables) as FW. The FW allows outgoing traffic.

HTH !

Let me know if you know what the service is that my server cannot connect to, please.

Regards,

cgravier.

EDIT: replaced my contacts’ names in the logs in order to avoid robot indexing (spam) (you should have the full log with the email notice if you use that).

That exception is interesting, I don’t recall having seen it before! (might have just looked past it)

Ok, so what is happening at the point you are at in that log is… well, let’s back up.

First, you connect to the server and port listed in the admin interface options (typically messenger.hotmail.com port 1863).

Most of the time that server tells you “no no go here instead” (the XFR command). Your first session is immediately closed and JML connects you to the new location. That part is succeeding just fine.

Then you get down to “tweener” authentication. (the USR/TWN type command)

This involves connecting over HTTPS to a Nexus server, “https://nexus.passport.com/rdr/pprdr.asp”.

This nexus server points you at an auth server you -should- be connecting to. (typically something like https://loginnet.passport.com/login2.srf)

We then connect to that URL and complete the process of getting a login ticket.

Once we get that login ticket, we send it as a response to the USR/TWN command to authenticate with MSN itself.

Note that we’re not getting to that last step. I put the ******'s around the part that’s failing. We don’t know exactly what part of that is failing based off the logs though, but based off the error message it looks like an https connection is failing. Actually it looks like it’s establishing the connection and getting no data back, which is awfully strange.

I’d like to ask you to try, just to see if it works, gateway.messenger.hotmail.com port 80 in your admin console options. I found some documentation about it and I don’t know if it works “out of the box” or if JML would need to be coded to support it.

BTW, this site: http://www.hypothetic.org/docs/msn/ is extremely useful for figuring out what MSN is doing. One of the specific docs I looked at while investigating this is:

http://www.hypothetic.org/docs/msn/notification/authentication.php
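To make the sequence above concrete for whoever has to write the firewall exception, here is an added example (not code from the thread, the IM Gateway plugin or JML) that parses the three protocol artefacts involved and derives the list of outbound connections one MSN login needs: the XFR redirect and the `USR 3 TWN S` challenge are taken from the debug log posted earlier in this thread; the `PassportURLs` header value is a constructed sample shaped after the hypothetic.org authentication page linked above (the `DARealm`/`DALogin` field names come from those docs, not from this thread). The first-hop host and the Nexus URL are the ones named in the post above.

```python
"""Added example (not from the thread, the IM Gateway plugin or JML): parse the MSN
login artefacts and derive which outbound flows the gateway host must be allowed.
XFR / USR-TWN lines: from the debug log in this thread.
PassportURLs: constructed sample after the hypothetic.org docs (DALogin = login server)."""
from urllib.parse import unquote, urlsplit

# Constructed sample of the Nexus response header; only DALogin is used here.
SAMPLE_PASSPORT_URLS = ("DARealm=Passport.Net,"
                        "DALogin=loginnet.passport.com/login2.srf,"
                        "ConfigVersion=14")


def parse_xfr(line):
    """'XFR <trid> NS <host:port> 0 <host:port>' -> (host, port) to reconnect to."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "XFR" or parts[2] != "NS":
        raise ValueError("not an XFR NS redirect: %r" % line)
    host, _, port = parts[3].partition(":")
    return host, int(port)


def parse_twn_challenge(line):
    """'USR <trid> TWN S <challenge>' -> (trid, {lc:..., id:..., ru:..., ...}).
    The raw challenge string is what the gateway forwards to the Passport login server."""
    parts = line.strip().split(" ", 4)
    if len(parts) != 5 or parts[0] != "USR" or parts[2:4] != ["TWN", "S"]:
        raise ValueError("not a TWN challenge: %r" % line)
    fields = {}
    for item in parts[4].split(","):
        key, _, value = item.strip().partition("=")  # tolerate the "kpp=1, kv=9" wrap
        if key:
            fields[key] = value
    return int(parts[1]), fields


def challenge_return_url(fields):
    """The ru= field is URL-encoded; decode it for display."""
    return unquote(fields["ru"])


def parse_passport_urls(header_value):
    """Parse the comma-separated PassportURLs response header from the Nexus."""
    fields = {}
    for item in header_value.split(","):
        key, _, value = item.strip().partition("=")
        if key:
            fields[key] = value
    return fields


def login_server_url(passport_urls):
    """DALogin is given without a scheme; the login request must go over HTTPS."""
    target = passport_urls["DALogin"]
    return target if target.startswith("https://") else "https://" + target


def required_outbound_flows(xfr_line, passport_urls,
                            first_hop=("messenger.hotmail.com", 1863),
                            nexus="https://nexus.passport.com/rdr/pprdr.asp"):
    """Every (host, port, why) the gateway host must reach for one MSN login."""
    xfr_host, xfr_port = parse_xfr(xfr_line)
    login = urlsplit(login_server_url(passport_urls))
    return [
        (first_hop[0], first_hop[1], "initial notification server (admin console setting)"),
        (xfr_host, xfr_port, "notification server assigned by XFR"),
        (urlsplit(nexus).hostname, 443, "Nexus: returns the PassportURLs header"),
        (login.hostname, login.port or 443, "Passport login server (DALogin): issues the ticket"),
    ]


if __name__ == "__main__":
    xfr = "XFR 3 NS 207.46.107.66:1863 0 65.54.239.20:1863"
    twn = ("USR 3 TWN S lc=1033,id=507,tw=40,ru=http%3A%2F%2Fmessenger%2Emsn%2Ecom,"
           "ct=1188995279,kpp=1, kv=9,ver=2.1.6000.1,rn=CpwJYjou,"
           "tpf=6d155e552e03fe5d9232c5b19b25003a")
    trid, fields = parse_twn_challenge(twn)
    print("challenge trid=%d return url=%s" % (trid, challenge_return_url(fields)))
    for host, port, why in required_outbound_flows(xfr, parse_passport_urls(SAMPLE_PASSPORT_URLS)):
        print("%-28s %5d  %s" % (host, port, why))
```

The point of the last function is the one this thread keeps circling: two of the four flows are HTTPS to hosts that never appear in the admin console, so an exception written only for the 1863 notification servers leaves the login stuck exactly where the log stops. The XFR target changes between logins, which is why an allow rule for MSN has to be by port rather than by a fixed address.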

Hello,

Using gateway.messenger.hotmail.com port 80 is not working out of the box. The test failed in admin console and I have in debug log:

DWREngine._handleResponse(‘7513_1188993504565’, s0);

2007.09.05 14:10:16 Returning: id[4866_1188993504200] assign[s0] xhr[true]

2007.09.05 14:10:16 var s0=false;

DWREngine._handleResponse(‘4866_1188993504200’, s0);

2007.09.05 14:10:19 EOF

2007.09.05 14:10:19 Exec[0]: ConnectionTester.testConnection()

2007.09.05 14:10:19 –Object created, not stored. Call params (string:gateway.messenger.hotmail.com, string:80) id=6593_1188993527925. Using (XHR,POST)

2007.09.05 14:10:19 Returning: id[6593_1188993527925] assign[s0] xhr[true]

2007.09.05 14:10:19 var s0=false;

DWREngine._handleResponse(‘6593_1188993527925’, s0);

With a web browser behind the proxy/FW, I can point to https://nexus.passport.com/rdr/pprdr.asp

(the page is empty but I can see in the status bar that the loading is finished). The source code of the page is however empty too if I check the HTML source.

This tends to go in the same direction as the observation “Actually it looks like it’s establishing the connection and getting no data back”. What do you get if you point your browser to https://nexus.passport.com/rdr/pprdr.asp actually?

cgravier

Moreover, I re-re-restarted my openfire.

Example of the debug log when I connect:

2007.09.05 14:39:58 A new session has come online: my.login@jabber.mydomain.com/Psi

2007.09.05 14:39:58 Created msn session for my.login@jabber.mydomain.com/Psi as ‘xxxxxxxx@yahoo.fr’

2007.09.05 14:39:58 Creating MSN session for xxxxxxxx@yahoo.fr

2007.09.05 14:39:58 Logging in to MSN session for xxxxxxxx@yahoo.fr

2007.09.05 14:39:59 Received presence packet: <presence type="probe" from="my.login@jabber.mydomain.com/Psi" to="msn.jabber.mydomain.com"/>

2007.09.05 14:40:00 session 3 established

2007.09.05 14:40:00 MSN: Session established for xxxxxxxx@yahoo.fr

2007.09.05 14:40:00 session 3 sent message VER 1 MSNP11 CVR0

2007.09.05 14:40:00 MSN: Session messageSent for xxxxxxxx@yahoo.fr : VER 1 MSNP11 CVR0

2007.09.05 14:40:00 session 3 sent message CVR 2 0x0409 winnt 5.1 i386 MSNMSGR 8.1.0178 MSMSGS xxxxxxxx@yahoo.fr

2007.09.05 14:40:00 MSN: Session messageSent for xxxxxxxx@yahoo.fr : CVR 2 0x0409 winnt 5.1 i386 MSNMSGR 8.1.0178 MSMSGS xxxxxxxx@yahoo.fr

2007.09.05 14:40:00 session 3 sent message USR 3 TWN I xxxxxxxx@yahoo.fr

2007.09.05 14:40:00 MSN: Session messageSent for xxxxxxxx@yahoo.fr : USR 3 TWN I xxxxxxxx@yahoo.fr

2007.09.05 14:40:00 session 3 received message VER 1 MSNP11 CVR0

2007.09.05 14:40:00 MSN: Session messageReceived for xxxxxxxx@yahoo.fr : VER 1 MSNP11 CVR0

2007.09.05 14:40:00 session 3 received message CVR 2 8.1.0178 8.1.0178 8.0.0787 http://msgr.dlservice.microsoft.com/download/1/A/4/1A4FEB1A-18E0-423A-B898-F697402E4F7F/Install_Messenger.exe http://get.live.com

2007.09.05 14:40:00 MSN: Session messageReceived for xxxxxxxx@yahoo.fr : CVR 2 8.1.0178 8.1.0178 8.0.0787 http://msgr.dlservice.microsoft.com/download/1/A/4/1A4FEB1A-18E0-423A-B898-F697402E4F7F/Install_Messenger.exe http://get.live.com

2007.09.05 14:40:00 session 3 received message XFR 3 NS 207.46.107.66:1863 0 65.54.239.20:1863

2007.09.05 14:40:00 session 3 closed

2007.09.05 14:40:00 MSN: Session closed for xxxxxxxx@yahoo.fr

2007.09.05 14:40:00 MSN: Session messageReceived for xxxxxxxx@yahoo.fr : XFR 3 NS 207.46.107.66:1863 0 65.54.239.20:1863

2007.09.05 14:40:00 session 4 established

2007.09.05 14:40:00 MSN: Session established for xxxxxxxx@yahoo.fr

2007.09.05 14:40:00 session 4 sent message VER 1 MSNP11 CVR0

2007.09.05 14:40:00 MSN: Session messageSent for xxxxxxxx@yahoo.fr : VER 1 MSNP11 CVR0

2007.09.05 14:40:00 session 4 sent message CVR 2 0x0409 winnt 5.1 i386 MSNMSGR 8.1.0178 MSMSGS xxxxxxxx@yahoo.fr

2007.09.05 14:40:00 MSN: Session messageSent for xxxxxxxx@yahoo.fr : CVR 2 0x0409 winnt 5.1 i386 MSNMSGR 8.1.0178 MSMSGS xxxxxxxx@yahoo.fr

2007.09.05 14:40:00 session 4 sent message USR 3 TWN I xxxxxxxx@yahoo.fr

2007.09.05 14:40:00 MSN: Session messageSent for xxxxxxxx@yahoo.fr : USR 3 TWN I xxxxxxxx@yahoo.fr

2007.09.05 14:40:00 session 4 received message VER 1 MSNP11 CVR0

2007.09.05 14:40:00 MSN: Session messageReceived for xxxxxxxx@yahoo.fr : VER 1 MSNP11 CVR0

2007.09.05 14:40:00 session 4 received message CVR 2 8.1.0178 8.1.0178 8.0.0787 http://msgr.dlservice.microsoft.com/download/1/A/4/1A4FEB1A-18E0-423A-B898-F697402E4F7F/Install_Messenger.exe http://get.live.com

2007.09.05 14:40:00 MSN: Session messageReceived for xxxxxxxx@yahoo.fr : CVR 2 8.1.0178 8.1.0178 8.0.0787 http://msgr.dlservice.microsoft.com/download/1/A/4/1A4FEB1A-18E0-423A-B898-F697402E4F7F/Install_Messenger.exe http://get.live.com

2007.09.05 14:40:00 session 4 received message USR 3 TWN S lc=1033,id=507,tw=40,ru=http%3A%2F%2Fmessenger%2Emsn%2Ecom,ct=1188995279,kpp=1,kv=9,ver=2.1.6000.1,rn=CpwJYjou,tpf=6d155e552e03fe5d9232c5b19b25003a

2007.09.05 14:40:00 MSN: Session messageReceived for xxxxxxxx@yahoo.fr : USR 3 TWN S lc=1033,id=507,tw=40,ru=http%3A%2F%2Fmessenger%2Emsn%2Ecom,ct=1188995279,kpp=1,kv=9,ver=2.1.6000.1,rn=CpwJYjou,tpf=6d155e552e03fe5d9232c5b19b25003a

2007.09.05 14:40:02 Received presence packet: <presence to="msn.jabber.mydomain.com" from="my.login@jabber.mydomain.com/Psi">

<priority>5</priority>

</presence>

2007.09.05 14:40:02 An existing resource has changed status: my.login@jabber.mydomain.com/Psi

From your link (http://www.hypothetic.org/docs/msn/notification/authentication.php), I understand that I successfully pass “Subsequent USR response” with the line:

“2007.09.05 14:40:00 MSN: Session messageReceived for xxxxxxxx@yahoo.fr : USR 3 TWN S lc=1033,id=507,tw=40,ru=http%3A%2F%2Fmessenger%2Emsn%2Ecom,ct=1188995279,kpp=1,kv=9,ver=2.1.6000.1,rn=CpwJYjou,tpf=6d155e552e03fe5d9232c5b19b25003a”

But I don’t go through “TWN Authentication”.

But I don’t have the error about the socket exception I got earlier; I just received in the log after some time:

http://…

(2007.09.05 14:40:02 An existing resource has changed status: my.login@jabber.mydomain.com/Psi)

2007.09.05 14:41:04 session 4 closed

2007.09.05 14:41:04 MSN: Session closed for xxxxxxxx@yahoo.fr

Nothing more in error.log or warning.log or info.log
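The log above answers the "which service can't my server connect to" question if it is read per session rather than line by line: session 3 ends on an XFR (a normal redirect), session 4 receives the TWN challenge and then sits for a minute without ever sending a ticket back, which is the HTTPS Nexus/login step described earlier in the thread. As an added example (not code from the thread or from Openfire), here is a small analyser that does that grouping over the `session N ...` lines and reports where each session stopped. The sample log is constructed from the lines in the post above, abridged to the messages that matter.

```python
"""Added example (not from the thread or Openfire): analyse IM Gateway debug-log
'session N ...' lines per notification-server session and say where each one stopped.
SAMPLE_LOG is constructed from the posted log (abridged)."""
import re
from collections import OrderedDict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d) session (?P<sid>\d+) "
    r"(?P<event>established|closed|sent message|received message)(?: (?P<msg>.*))?$"
)

SAMPLE_LOG = """\
2007.09.05 14:40:00 session 3 established
2007.09.05 14:40:00 session 3 sent message VER 1 MSNP11 CVR0
2007.09.05 14:40:00 session 3 sent message USR 3 TWN I xxxxxxxx@yahoo.fr
2007.09.05 14:40:00 session 3 received message VER 1 MSNP11 CVR0
2007.09.05 14:40:00 session 3 received message XFR 3 NS 207.46.107.66:1863 0 65.54.239.20:1863
2007.09.05 14:40:00 session 3 closed
2007.09.05 14:40:00 MSN: Session closed for xxxxxxxx@yahoo.fr
2007.09.05 14:40:00 session 4 established
2007.09.05 14:40:00 session 4 sent message VER 1 MSNP11 CVR0
2007.09.05 14:40:00 session 4 sent message USR 3 TWN I xxxxxxxx@yahoo.fr
2007.09.05 14:40:00 session 4 received message VER 1 MSNP11 CVR0
2007.09.05 14:40:00 session 4 received message USR 3 TWN S lc=1033,id=507,tw=40,ru=http%3A%2F%2Fmessenger%2Emsn%2Ecom,ct=1188995279,kpp=1,kv=9,ver=2.1.6000.1,rn=CpwJYjou,tpf=6d155e552e03fe5d9232c5b19b25003a
2007.09.05 14:40:02 An existing resource has changed status: my.login@jabber.mydomain.com/Psi
2007.09.05 14:41:04 session 4 closed
"""


def _ts(text):
    return datetime.strptime(text, "%Y.%m.%d %H:%M:%S")


def parse_sessions(lines):
    """Group 'session N <event>' lines by session id, keeping open/close timestamps."""
    sessions = OrderedDict()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # presence packets, 'MSN: ...' mirrors and exceptions are not session events
        sess = sessions.setdefault(int(m.group("sid")),
                                   {"events": [], "opened": None, "closed": None})
        sess["events"].append((m.group("ts"), m.group("event"), m.group("msg") or ""))
        if m.group("event") == "established":
            sess["opened"] = m.group("ts")
        elif m.group("event") == "closed":
            sess["closed"] = m.group("ts")
    return sessions


def seconds_open(session):
    """Lifetime of a session in whole seconds, or None if it never closed."""
    if not (session["opened"] and session["closed"]):
        return None
    return int((_ts(session["closed"]) - _ts(session["opened"])).total_seconds())


def diagnose(session):
    """One-line verdict on where this notification-server session got to."""
    received = [msg for _, ev, msg in session["events"] if ev == "received message"]
    sent = [msg for _, ev, msg in session["events"] if ev == "sent message"]
    last_in = received[-1] if received else ""
    if last_in.startswith("XFR "):
        return "redirected by XFR (normal; the next session continues the login)"
    if last_in.startswith("USR ") and " TWN S " in last_in:
        # A completed login answers the challenge with 'USR <trid> TWN S <ticket>'.
        if any(m.startswith("USR ") and " TWN S " in m for m in sent):
            return "TWN ticket sent; authentication continued"
        return ("stalled at the TWN challenge: no ticket was ever sent back, so the HTTPS "
                "Nexus/login step never completed (closed after %ss)" % seconds_open(session))
    if session["closed"] is None:
        return "still open"
    return "closed; last received: %s" % (last_in or "<nothing>")


def diagnose_all(lines):
    return {sid: diagnose(sess) for sid, sess in parse_sessions(lines).items()}


if __name__ == "__main__":
    for sid, verdict in diagnose_all(SAMPLE_LOG.splitlines()).items():
        print("session %d: %s" % (sid, verdict))
```

Feed it the real debug.log after clearing the logs and reconnecting once, as suggested earlier in the thread; a session that stalls at the challenge with no exception logged (this post) and one that stalls with the `SocketTimeoutException` in an SSL read (the previous post) are the same symptom, an HTTPS request from the gateway host that never gets an answer.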

This seems to be an error with the firewall/proxy for sure. The communication channel is sending out the request but does not appear to get a response. I can not help but question the holes you have punched for the server. The ports you open in the firewall need to be both directions (in/out). The minimum ports you need opened are:

3478

3479

5222

5223

7777

As for your proxy server, squid has the ability to add IP addresses of machines to not filter at all. Has that been done for the chat server?

Thanks for listing those ports.

On my server box, here are the ports regarding openfire that I opened:

9090 & 9091: web admin console and web ssl admin console

5222 & 5223: client to server, client to server using ssl

5269: server to server

7777: file transfer over jabber

In your config, I assume that you put 3478 & 3478 for the admin console without and with ssl for security purposes.

On the corp. firewall, only the ports 5223, 5269, 8010 are opened.

(file transfer is not working which is understandable).

You think that port 5222 is needed by the MSN gateway? (as msn is not encrypted, this could explain the whole thing, but the log seems to report a timeout on an ssl connection, not a plain text one …) I didn’t want it open because I only wanted SSL traffic for conversations … opening 5222 will allow jabber conversations in plain text :confused: Maybe there’s a configuration attribute to forbid jabber clients from not using ssl?

Anyway, I will ask for the 5222 port to be opened on the corp. FW and see how things turn out.

I will keep you informed as soon as the port is opened.

cgravier.

5222 should not be required for MSN =) Only XMPP

“In theory”, the only ports you’ll need specifically for MSN are 1863 and 443. On top of that, all communications are started from the client side so you should really only need outgoing, so long as once the connection is established, the firewall doesn’t get in the way. It’s very perplexing. Most likely that error you were seeing then was not actually related to MSN itself. (might have been a spurious message from another transport or openfire process … could have even been a failed SSL’d XMPP connection) So what does that leave us with … unclear. One thing I will do real quick is put some -crazy- debugging in JML right around the place that seems to be failing and we’ll see if we can see what’s going on. I’ll attach a patched gateway.jar here in a moment. Fair warning, I’ve got some “code in process” with the patched gateway.jar, but it should be stable.

Oh and, all of the useful info from the nexus url is actually in the headers. =) PassportURLs:

I don’t have 1863 and 443 opened now (I asked for closing 443).

But aren’t 1863 and 443 only needed as outgoing traffic? (I am the initiator of the msn connection, MSN won’t connect to my jabber, will it?)