Openfire in DMZ - firewalls, ports & external access

I’ve had a request to allow Spark / SparkWeb access from the internet (without VPN). We use Openfire 3.5.2 with IM Gateway and Red5 - and we want to use SIP phone and a client for mobile devices. So not much… :wink:

My question - is there a “best practice” method for achieving this? I’m very wary of putting my Openfire server on the DMZ and opening a load of ports for Spark to connect directly, is there another way? Some sort of proxy? My SparkWeb install is on a different server to Openfire, so that can just be moved to the DMZ with TCP 443 open to the internet, but for Spark connections…?

Any pointers to a document, or any real world experience from anyone out there would be appreciated…

Cheers, Nick