XMPP related firewall question

We are planning to redesign our chat front-end client & have some questions related to XMPP & possible firewall issues:

OpenFire accepts connections to the server on port 5222 & if we use the XMPP API for the connection to OpenFire - would this mean our client will have to communicate with OpenFire on port 5222? If yes - wouldn't this lead to blocked firewall issues when people use our chat client in the browser?

-Bhaskara

The clients will connect to Openfire on port 5222 (in this case the browser will do that). If you have a firewall on that server, you would have to open port 5222. On the client side it depends on the firewall software they use or not. If the browser is allowed to go to the network it will work. Though in my case (Jetico Personal Firewall) I'm letting my browser work only as a Web Browser. So to be able to connect to, say, SparkWeb (Openfire's official web front-end) I have to add another rule letting my Firefox connect to port 5222. Windows firewall won't ask you any question, I think.

Hey Bhaskara,

If users outside of your internal network will need to connect to your server then you will need to open port 5222 in your firewall. If you are going to federate with other servers (i.e. exchange messages with other XMPP servers) then you will also need to open port 5269 in your firewall.

Clients that are not using a firewall do not need to configure anything on their side. If they have their own firewall they will need to configure it so that their application can open outgoing traffic to your server. Usually that is not needed but some places with high security like to block outgoing traffic. Clients will use a temporary port to connect to port 5222 on the server. That temporary port (aka ephemeral port) will change each time they connect, but as I said firewalls do not care about them unless they are too restrictive.

Regards,

– Gato

Ephemeral? Hm… Was 5229 an ephemeral port when I was connecting to SparkWeb? Or is it specific to SparkWeb? Maybe this question should be addressed to David.

P.S. It seems that SparkWeb is using only 5229 and 5222 to connect.

Hey Wroot,

In TCP, clients also need to use a local port to connect to the server. The port to use is a temporary one (i.e. the number is valid for that session only) and it is obtained from a valid range. Your OS may run out of ephemeral ports when you are opening too many connections from the same machine. Moreover, firewalls on the client may also block connectivity from the client to remote machines (e.g. an XMPP server). That’s why I was saying that he might need to configure his firewall to allow a socket to connect to his XMPP server.

Regards,

– Gato
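The two points Gato makes above (the server's fixed listening ports 5222/5269 versus the client's per-connection ephemeral local port, and the outgoing connectivity check a locked-down client needs) can be seen directly with plain TCP sockets. The script below is an added example written for this thread, not code from Openfire or SparkWeb. It assumes nothing is listening on 5222 locally: a stand-in listener on an OS-chosen loopback port plays the role of Openfire, several client connections are held open at once so the OS is forced to hand each a different local port, and `check_reachable` is the probe an administrator would run from a client network against the real server's 5222 or 5269 to distinguish a firewall block from a working path.

```python
import socket
from contextlib import closing

# Ports named in the thread: XMPP client-to-server and server-to-server.
XMPP_C2S_PORT = 5222  # open inbound on the server firewall for clients
XMPP_S2S_PORT = 5269  # open inbound only if you federate with other servers


def start_listener(host="127.0.0.1", port=0):
    """Start a throwaway TCP listener standing in for Openfire.

    port=0 asks the OS for any free port, so this runs without a real
    Openfire on 5222.  Returns the listening socket.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(8)  # backlog lets several handshakes complete before accept()
    return srv


def demo_ephemeral_ports(n=3):
    """Open n client connections at once and report each socket's ports.

    Returns (server_port, [(local_port, remote_port), ...]).  The connections
    are held open simultaneously, so the OS must assign each a distinct local
    (ephemeral) port, while the remote port is always the server's fixed one.
    """
    srv = start_listener()
    server_port = srv.getsockname()[1]
    clients = [socket.create_connection(("127.0.0.1", server_port), timeout=2)
               for _ in range(n)]
    pairs = [(c.getsockname()[1], c.getpeername()[1]) for c in clients]
    for c in clients:
        c.close()
    srv.close()
    return server_port, pairs


def ephemeral_range():
    """Return (low, high) of the local ephemeral port range on Linux, else None."""
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            low, high = f.read().split()
            return int(low), int(high)
    except OSError:
        return None


def check_reachable(host, port, timeout=2.0):
    """True if a TCP connect to host:port succeeds within the timeout.

    Run this from a client's network against the server's 5222 (and 5269 for
    federation): a refusal or timeout points at a firewall or a closed port.
    """
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    port, pairs = demo_ephemeral_ports()
    print("stand-in server port:", port, "ephemeral range:", ephemeral_range())
    for local, remote in pairs:
        print(f"client local port {local} -> server port {remote}")
    # Only True if a real XMPP server is listening on this machine.
    print("5222 reachable locally:", check_reachable("127.0.0.1", XMPP_C2S_PORT))
```

Each run prints a different set of client-side ports while the server-side port stays the same, which is why a server firewall only needs rules for 5222 and 5269 and a client-side firewall, if it filters outbound traffic at all, needs a rule for the destination port rather than the source port.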