powered by Jive Software

Openfire connection with load balancer F5


#1

Hi Experts,

In our scenario, we are planning to do clustering with two nodes and connect to F5 load balancer. I have few queries as below.

  1. After doing the clustering, what are the details we have to provide to F5 load balancer team so as to connect to openfire.

  2. We are using custom mobile application, do we need to use http-bind or xmpp connection will work if we open port 5223.

  3. If we open port 5223, will there be any security problems?

Thank you


Access from internet
#2
  1. I suggest you’ll need to ask your F5 team as to what details they need.

  2. You may want port 5222 not 5223, depending on the clients you are using. 5223 is a legacy connection method.

  3. If you are internet facing, you’ll probably want to ensure that STARTTLS is “Required” if you’re using a plain text connection, and check that the enabled encryption protocols and cipher suites suite your setup. Server Settings -> Client Connections -> Advanced configuration for you chosen port - plain text (5222) or legacy (5223)

But AFAIK, there are no known security issues with Openfire, but that doesn’t mean you’re no vulnerable to a DOS attack.

Greg


#3

PS. If your clients are using BOSH and/or WebSocket then you may also need to enable port 7070 (http) and//or 7443 (https).


#4

Thank you for replying,
current planned architecture is
Load balancer -> Openfire Nodes, in this do we need to use punjab connection manager? what is use of it?, we have around 10000 users.
As of now mobile client are not using bosh


#5

I’ve never head of this Punjab connection manager, but http://bfy.tw/Iu18 suggests it is “a BOSH connection manager” - so as you’re not using BOSH, I’d guess it’s irrelevant.

Greg


#6

one more doubt, so in our scenario, we need to open port 5222 5223 only in two nodes of openfire servers right? or Do we need to open these ports in load balancer also?


#7

You must expose port 522x to the LB, and the LB must expose 522x to your clients.

Greg


#8

Thank you Greg


#9

HI Greg

Is TCP binding possible, if yes what is benefit of it with comparing xmpp(5222) and http binding.

Thank you


#10

5222 /is/ TCP binding.

I’d generally prefer TCP over HTTP (7070/7443), but if you must use a client that uses HTTP (*) I’d prefer WebSocket over BOSH - but both use 7070/7443. But that’s just my preference.

(*) Necessary if there are firewalls in the way, or you client is browser based.

Greg


#11

Hi

Our security team is not allowing port 5223, so we have to go with http-bind . I need to check whether http-bind working internally first, I have installed client Gajim, please help how to check.

Regards