Spark, Openfire 2 Openfire firewall considerations

Hi All,

We are deploying 2 Openfire servers, one in the internal corporate network and one in the DMZ. The purpose is to make IM and voice available to mobile people on the Internet.

So far we have IM and file transfer working. The server on the intranet connects to the DMZ server via ports 5269 and 7777 (server-to-server and file transfer). From the Internet, 5222 and 5223 are allowed (plain and SSL traffic, I hope).

As peer-to-peer is not possible under our security policies, what ports are needed to allow the media proxy service to serve clients on both sides?

I saw a requirement for UDP ports 10000-15000 to be allowed on the firewall to both sides. Is this really necessary? Isn’t it a potential risk?

Thanks for any answer.

Viktor

It could be a possible risk, but this depends a lot on your network gear. If your firewall supports protection profiles and IPS, you could create a profile and assign it to the firewall policy that allows that traffic. That way all of that traffic could be scanned for intrusions and malicious activity.

This, combined with active network monitoring and good security practices, should offer enough protection. I personally have remote clients VPN into our network to get access to our Spark server rather than hosting it in a DMZ.

Hope this helps

-David
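As an added illustration of the port layout Viktor describes and of David's advice to scope and inspect the media traffic, here is an nftables ruleset for a Linux firewall sitting between the Internet, the DMZ and the LAN. It is not from the Openfire project or from either poster; the host addresses, the interface names (wan, dmz, lan) and the decision to run the media proxy on the DMZ Openfire host are assumptions, and the UDP range is simply the one the question mentions. The point it makes is that the wide UDP range does not have to be opened "to both sides" in general: it only needs to reach the one media proxy host, in one direction, with conntrack carrying the replies.

```nftables
# Added example (not Openfire project configuration). Addresses, interface
# names and the media proxy placement are assumptions for this illustration.

define dmz_openfire = 192.0.2.10   # assumed: DMZ Openfire server that also runs the media proxy
define lan_openfire = 10.0.1.10    # assumed: internal (intranet) Openfire server
define media_ports  = 10000-15000  # UDP range from the question; match it to the media proxy settings

table inet openfire_edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to anything accepted below, including the media proxy's UDP
        # responses, come back through conntrack; no return range is opened.
        ct state invalid drop
        ct state established,related accept

        # Internet -> DMZ Openfire: client ports only (5222 plain/STARTTLS, 5223 legacy SSL).
        iifname "wan" oifname "dmz" ip daddr $dmz_openfire tcp dport { 5222, 5223 } accept

        # LAN Openfire -> DMZ Openfire: server-to-server (5269) and file transfer proxy (7777),
        # pinned to the two server addresses rather than the whole subnets.
        iifname "lan" oifname "dmz" ip saddr $lan_openfire ip daddr $dmz_openfire tcp dport { 5269, 7777 } accept
        # Only needed if the DMZ server must also initiate s2s connections toward the internal one.
        iifname "dmz" oifname "lan" ip saddr $dmz_openfire ip daddr $lan_openfire tcp dport 5269 accept

        # Weak version (kept commented out for contrast): the whole UDP range open to
        # the whole DMZ from anywhere, which is what "allowed to both sides" tends to become.
        # iifname "wan" oifname "dmz" udp dport $media_ports accept

        # Scoped version: the range reaches only the media proxy host, is rate limited,
        # and is logged so the flows can be fed to the IDS/IPS or monitoring from the reply.
        iifname "wan" oifname "dmz" ip daddr $dmz_openfire udp dport $media_ports limit rate 2000/second log prefix "mediaproxy-in " accept
        iifname "lan" oifname "dmz" ip daddr $dmz_openfire udp dport $media_ports accept

        # Everything else crossing the boundary is logged and dropped (policy drop above).
        log prefix "openfire-edge-drop " drop
    }
}
```

Load it with `nft -f` and check the result with `nft list ruleset`. The rate limit value is a placeholder to tune against real call volume; the important part is that the only thing exposed to the Internet on the UDP range is the single media proxy process, and that the LAN side never has to accept inbound UDP at all.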