Openfire connection with load balancer F5

Hi Experts,

In our scenario, we are planning to do clustering with two nodes and connect to an F5 load balancer. I have a few queries, as below.

  1. After doing the clustering, what are the details we have to provide to the F5 load balancer team so as to connect to Openfire?

  2. We are using a custom mobile application; do we need to use http-bind, or will the xmpp connection work if we open port 5223?

  3. If we open port 5223, will there be any security problems?

Thank you

  1. I suggest you’ll need to ask your F5 team as to what details they need.

  2. You may want port 5222 not 5223, depending on the clients you are using. 5223 is a legacy connection method.

  3. If you are internet facing, you’ll probably want to ensure that STARTTLS is “Required” if you’re using a plain text connection, and check that the enabled encryption protocols and cipher suites suit your setup. Server Settings -> Client Connections -> Advanced configuration for your chosen port - plain text (5222) or legacy (5223).

But AFAIK, there are no known security issues with Openfire, but that doesn’t mean you’re not vulnerable to a DOS attack.

Greg

PS. If your clients are using BOSH and/or WebSocket then you may also need to enable port 7070 (http) and/or 7443 (https).

Thank you for replying.
The current planned architecture is
Load balancer -> Openfire Nodes. In this, do we need to use the Punjab connection manager? What is the use of it? We have around 10000 users.
As of now, the mobile clients are not using BOSH.

I’ve never heard of this Punjab connection manager, but http://bfy.tw/Iu18 suggests it is “a BOSH connection manager” - so as you’re not using BOSH, I’d guess it’s irrelevant.

Greg

One more doubt: so in our scenario, we need to open ports 5222/5223 only on the two Openfire server nodes, right? Or do we need to open these ports on the load balancer also?

You must expose port 522x to the LB, and the LB must expose 522x to your clients.

Greg

Thank you Greg

Hi Greg

Is TCP binding possible? If yes, what is the benefit of it compared with xmpp (5222) and http binding?

Thank you

5222 /is/ TCP binding.

I’d generally prefer TCP over HTTP (7070/7443), but if you must use a client that uses HTTP (*) I’d prefer WebSocket over BOSH - but both use 7070/7443. But that’s just my preference.

(*) Necessary if there are firewalls in the way, or your client is browser based.

Greg

Hi

Our security team is not allowing port 5223, so we have to go with http-bind. I need to check whether http-bind is working internally first. I have installed the client Gajim; please help how to check.

Regards
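As an added example (not Openfire's code and not from anyone in this thread), a Python pre-flight check for the two client paths discussed above: it opens a plain XMPP stream to 5222 and classifies the STARTTLS policy the server advertises (Greg's "Required" advice), and checks that the BOSH listener on 7070 answers (the http-bind question in the last post). The host, XMPP domain and Openfire's default /http-bind/ path are assumptions to adjust for your deployment.

```python
import socket
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.request import urlopen

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_STREAM = "http://etherx.jabber.org/streams"

def starttls_policy(features_xml: str) -> str:
    """Classify a <stream:features> element: 'required' (plaintext sessions are
    refused), 'optional' (TLS offered but plaintext allowed) or 'absent'."""
    root = ET.fromstring(features_xml)
    tls = root.find(f"{{{NS_TLS}}}starttls")
    if tls is None:
        return "absent"
    return "required" if tls.find(f"{{{NS_TLS}}}required") is not None else "optional"

def probe_5222(host: str, domain: str, port: int = 5222, timeout: float = 5.0) -> str:
    """Open a plain XMPP stream (header only, no credentials) and report the
    STARTTLS policy the server advertises. Run it against the LB VIP as well as
    each node, so a plaintext-permitting path cannot hide behind the balancer."""
    stream_open = ("<?xml version='1.0'?>"
                   f"<stream:stream to='{domain}' xmlns='jabber:client' "
                   f"xmlns:stream='{NS_STREAM}' version='1.0'>")
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(stream_open.encode())
        while b"</stream:features>" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("stream closed before <stream:features>")
            buf += chunk
        s.sendall(b"</stream:stream>")
    text = buf.decode(errors="replace")
    start, end = text.index("<stream:features"), text.index("</stream:features>")
    features = text[start:end + len("</stream:features>")]
    # The stream: prefix is declared on the outer <stream:stream>; re-declare it for the parser.
    features = features.replace("<stream:features", f"<stream:features xmlns:stream='{NS_STREAM}'", 1)
    return starttls_policy(features)

def probe_bosh(host: str, port: int = 7070, path: str = "/http-bind/", timeout: float = 5.0) -> int:
    """HTTP status of the BOSH endpoint (Openfire's default path is assumed). Any
    status means the listener answers; a connection error means it does not."""
    try:
        with urlopen(f"http://{host}:{port}{path}", timeout=timeout) as r:
            return r.status
    except HTTPError as e:
        return e.code
```

Anything other than 'required' from probe_5222 on an internet-facing listener means a client can still be talked into a plaintext session, which is the setting Greg's answer tells you to tighten in the admin console.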