Restrictions on Users and Groups based around a call center model

Hello everyone,

I am setting up Openfire in conjunction with the Psi client. We will be running about 100 clients, 85 or so will be tier 0, 15 will be tier 1. We are trying to lock things down really tight, and I have a few questions for the experts.

Openfire is configured to look into Active Directory for Users and Groups, but I want to set it so that only people from the tier 0 and tier 1 groups can even connect to the server in the first place. Essentially I want two groups to run the show; if you’re not in either one of the groups, you can’t do anything. If a tier 0 agent logs in they should only be able to see the one group chat in their contacts, as well as all 15 of the tier 1 people. When a tier 1 agent logs in, they should see the one group chat, all of the tier 0 people and the tier 1 people in a separate category.

I have set things up pretty well thus far, but my tier 1 agents can’t see anything in their contacts. I went to Users/Groups > Groups > and then searched for my tier 1 group. I then set the radio button to **enable** and put in the contact list group name of the tier 0 group, then checked the box “Share group with additional users” and selected the tier 1 group as well.

To have everyone see the one chat room I set up, I went to Server > Client Management > Group Chat Bookmarks > and then created a new bookmark. The group chat address format is my.chat.name@conference.computername. Then I checked “All Users”. Agents can still go to “Join Groupchat” to connect to it, but I want the chat to appear in the contact list on first login.

Lastly, I’m concerned with the client in general. Once I install this software on an agent’s PC, what’s stopping them from connecting to a chat server outside of our network? Would I have to block connections to and from all of the servers in the drop down list?

I know this is a lot, but since we are a call center we absolutely have to tighten security as much as possible. Maybe I should try a different client? Any insight would be much appreciated.

Thank you for reading my post,

-Otis

otis.oredson wrote:

I went to Users/Groups > Groups > and then searched for my tier 1 group. I then set the radio button to **enable** and put in the contact list group name of the tier 0 group, then checked the box “Share group with additional users” and selected the tier 1 group as well.

You should put a sharing name for the tier 1 group (how you want it to appear in the client), not the tier 0 group’s name, into that field. And in “Share group with additional users” you should select all groups that you want this group to be visible to (tier 1 group’s users should be able to see each other already).

Bookmark appearance depends on the client. Some can show bookmarks in the contacts list (e.g. Exodus, but it is a very outdated client), some show them in special menu/window. Unless you modify a client, you can’t change that.

Your users will be able to connect to other jabber servers unless, again, you modify the client (jabber clients are designed with openness in mind) or, as you said, you block outside connections with a firewall. E.g. in Spark one can set an unmodifiable server value via the default.properties file, so users won’t be able to login to another server. Not sure if Psi has something similar. http://community.igniterealtime.org/docs/DOC-2163

Thank you for the reply.

I was able to get the contacts to show up correctly, thank you.

I guess my primary concern now is not being able to lock down the client. I’ve looked for several other clients that would disable connections outside of our intranet, but like you said, jabber clients are designed to be open.

Still, it makes me think that someone must have gotten over this problem before. We don’t want to use Spark because we have some computers that have very low available resources. We need a very simple lightweight client.

I can’t seem to find any other discussions about XMPP/Jabber clients on a secure intranet. Are people just blocking things in the firewall? How would I go about doing this?

I guess nobody cares. Maybe it would be sufficient to block all connections outside with the destination port being 5222 (standard xmpp port on which the jabber server listens for clients; you may also add 5223, though it is obsolete now).
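As an added illustration of the firewall approach suggested above (not from the thread or any poster), here is a pair of Windows Firewall rules that allow XMPP client ports only to the internal Openfire server and block them everywhere else; it can be applied through a GPO startup script. The server address 10.0.0.25 is a placeholder assumption, and the rule names are made up for the example.

```powershell
# Added example: confine XMPP client traffic (TCP 5222, legacy 5223) to the
# internal Openfire server. Assumptions: server is 10.0.0.25 (placeholder),
# run with administrative rights on the agent PCs, IPv4 only.
$OpenfireHost = '10.0.0.25'
$XmppPorts    = @('5222', '5223')

# 1. Allow the XMPP ports to the internal Openfire server only.
New-NetFirewallRule -DisplayName 'XMPP allow internal Openfire' `
    -Direction Outbound -Protocol TCP -RemotePort $XmppPorts `
    -RemoteAddress $OpenfireHost -Action Allow -Profile Any

# 2. Block the XMPP ports to every other destination. Windows Firewall
#    evaluates Block rules before Allow rules, so the block rule must itself
#    exclude the server; the two ranges below cover all routable IPv4
#    addresses except 10.0.0.25.
$Everywhere = @('1.0.0.0-10.0.0.24', '10.0.0.26-255.255.255.255')
New-NetFirewallRule -DisplayName 'XMPP block external servers' `
    -Direction Outbound -Protocol TCP -RemotePort $XmppPorts `
    -RemoteAddress $Everywhere -Action Block -Profile Any

# 3. Confirm both rules exist and are enabled.
Get-NetFirewallRule -DisplayName 'XMPP *' |
    Format-Table DisplayName, Direction, Action, Enabled
```

These rules only cover the standard ports named in the thread, so they complement rather than replace a client-side server restriction.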

Looks like we just needed a different client. I recently discovered that Pandion has a .msi for mass deployment via GPO, and can be locked down via .xml files that get written to the computer on install. I’m having a lot of fun messing with it!

And those xml files are written into the user’s AppData? Which means they can modify and unblock your restrictions. I’m deploying Spark via GPO too (not with the msi, but a batch script, as its installer supports silent install (-q key)).