I suggest you’ll need to ask your F5 team as to what details they need.
You may want port 5222 not 5223, depending on the clients you are using. 5223 is a legacy connection method.
If you are internet facing, you’ll probably want to ensure that STARTTLS is “Required” if you’re using a plain text connection, and check that the enabled encryption protocols and cipher suites suit your setup. Server Settings -> Client Connections -> Advanced configuration for your chosen port - plain text (5222) or legacy (5223)
But AFAIK, there are no known security issues with Openfire, but that doesn’t mean you’re not vulnerable to a DOS attack.
Thank you for replying,
Current planned architecture is:
Load balancer -> Openfire Nodes. In this, do we need to use the Punjab connection manager? What is the use of it? We have around 10000 users.
As of now, mobile clients are not using BOSH.
I’ve never heard of this Punjab connection manager, but http://bfy.tw/Iu18 suggests it is “a BOSH connection manager” - so as you’re not using BOSH, I’d guess it’s irrelevant.
One more doubt: so in our scenario, we need to open ports 5222 and 5223 only on the two nodes of the Openfire servers, right? Or do we need to open these ports on the load balancer also?
I’d generally prefer TCP over HTTP (7070/7443), but if you must use a client that uses HTTP (*) I’d prefer WebSocket over BOSH - but both use 7070/7443. But that’s just my preference.
(*) Necessary if there are firewalls in the way, or your client is browser based.
Our security team is not allowing port 5223, so we have to go with http-bind. I need to check whether http-bind is working internally first. I have installed the client Gajim; please help how to check.
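A BOSH endpoint can be checked without a full client: a session-creation request (XEP-0124) is a single HTTP POST carrying a `<body>` element with `rid`, `to` and `wait`/`hold` attributes, and a working endpoint answers with a `<body>` that carries a `sid`. The following is an added example (not from this thread or from the Openfire project) that builds that request, parses the reply, and can run the check against a live endpoint; the endpoint URL, domain, and both sample responses are constructed, and the URL assumes the default `/http-bind/` path on the 7070 port mentioned earlier in the thread.

```python
import random
import sys
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

NS_BOSH = "http://jabber.org/protocol/httpbind"

# Constructed sample replies (not captured from a real server).
SAMPLE_RESPONSE_OK = (
    b"<body xmlns='http://jabber.org/protocol/httpbind' sid='constructed-sid-123' "
    b"wait='60' inactivity='30' from='example.org'/>"
)
SAMPLE_RESPONSE_TERMINATE = (
    b"<body xmlns='http://jabber.org/protocol/httpbind' type='terminate' condition='host-unknown'/>"
)


def build_session_request(domain: str, rid: int) -> bytes:
    """Build the XEP-0124 session-creation body for the given XMPP domain and request id."""
    return (
        f"<body xmlns='{NS_BOSH}' rid='{rid}' to={quoteattr(domain)} "
        "wait='60' hold='1' ver='1.6' xml:lang='en' content='text/xml; charset=utf-8'/>"
    ).encode("utf-8")


def parse_session_response(xml_bytes: bytes) -> dict:
    """Extract the session parameters from a BOSH reply, raising on refusal or junk."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS_BOSH}}}body":
        raise ValueError(f"not a BOSH body: {root.tag}")   # e.g. an HTML error page
    if root.get("type") == "terminate":
        # The connection manager answered, but refused the session.
        raise RuntimeError(f"session refused: {root.get('condition', 'unknown')}")
    sid = root.get("sid")
    if not sid:
        raise RuntimeError("reply carries no sid")
    return {
        "sid": sid,
        "wait": int(root.get("wait", "0")),
        "inactivity": int(root.get("inactivity", "0")),
        "from": root.get("from"),
    }


def check_http_bind(url: str, domain: str, timeout: float = 10.0) -> dict:
    """POST a session-creation request to a live http-bind URL and return the parsed reply."""
    rid = random.randrange(1, 2**31)   # any positive value; the client increments it per request
    req = urllib.request.Request(
        url,
        data=build_session_request(domain, rid),
        headers={"Content-Type": "text/xml; charset=utf-8"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_session_response(resp.read())


if __name__ == "__main__":
    # Assumed URL and domain; replace with your own node and XMPP domain, e.g.
    #   python check_bosh.py http://openfire.internal.example:7070/http-bind/ example.org
    url = sys.argv[1] if len(sys.argv) > 1 else "http://openfire.internal.example:7070/http-bind/"
    domain = sys.argv[2] if len(sys.argv) > 2 else "example.org"
    print(check_http_bind(url, domain))
```

A `sid` in the reply means the connection manager accepted the session; a `type='terminate'` reply with a `condition` (for instance a wrong XMPP domain in `to`) means the endpoint is reachable but misconfigured, and an exception from `ET.fromstring` usually means something other than Openfire (a proxy error page, a redirect) answered on that URL.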