[jadmin] Answer to 'firewall question'

kadokev at msg.net kadokev at msg.net
Thu Mar 15 20:29:56 CST 2001


It is very much feasible to tunnel outbound connections from jabberd.

>This would actually be an https: proxy server.  This is a large corporate
>environment, and it's very unlikely that they'll let me punch holes in it
>and make a machine in our network visible to the outside.  If there was a
>client that would use https proxy instead of socks 4 or 5 then I could put
>the server outside of the firewall and the clients could get to
>it...however...I'm not a programmer and since everyone that writes this
>server and its clients are doing it with their own blood sweat and
>tears...I'm not gonna push my luck.

I could probably code up proxy support for outbound connections in Jabberd
in a couple of hours, but it wouldn't be cost-effective at my standard rate.


It is trivial to tunnel outbound connections through an HTTPS proxy server
on a firewall. This does not require any changes to the firewall. Currently
none of the Jabber clients support this.

If you look at AOL's Instant Messenger client, they support SOCKS 4, SOCKS 5,
and a third type of proxy, "HTTPS". This third proxy option uses a very
simple protocol required by the HTTPS proxy standard, the 'CONNECT'
request type.

This feature (in all HTTP 1.1 compliant HTTPS proxies) is documented here:

	http://www.netsys.com/firewalls/firewalls-9604/0492.html

In summary, in HTTP/1.1, an additional method in addition to the normal
GET, POST, HEAD, etc. was added. If the client connects to the proxy server
and sends a string of "CONNECT jabber.org:5222 HTTP/1.0\r\n\r\n", then
after reading the response headers and a blank line, the client will have a
transparent connection to the jabber service.


>> I'm running a jabber server behind a firewall/proxy server.  Is anyone
>> aware of a way to make the transports go out of the firewall?  Someway
>> to put the proxy server settings into the <service> section of the
>> transports?  If I can get AIM and ICQ to go out from here, then I can
>> eliminate two of the chat programs people here use.  If not, is there
>> any intention of adding this in the future?

This same 'CONNECT' syntax for HTTPS proxies will work just as well for
outbound connections for AIM and ICQ from a jabber server as it does for
AIM clients behind a firewall.

Download the official AIM client and give it a try.


Kevin Kadow
MSG.Net, Inc.
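
The client side of the CONNECT exchange described in the message above, as an added example that is not part of the original post or of jabberd. The function names and the canned proxy replies are constructed for illustration; a socketpair stands in for the proxy so the code runs offline.

```python
import socket

def build_connect(host, port):
    """The request string from the post, terminated by a blank line."""
    return f"CONNECT {host}:{port} HTTP/1.0\r\n\r\n".encode("ascii")

def read_proxy_reply(sock, limit=8192):
    """Read response headers up to the blank line.

    Returns (status, reason, leftover); leftover is any tunnelled data
    that arrived in the same read as the headers and must not be dropped.
    """
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(1024)
        if not chunk:
            raise ConnectionError("proxy closed before end of headers")
        buf += chunk
        if len(buf) > limit:
            raise ValueError("proxy response headers too large")
    head, _, leftover = buf.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) > 2 else ""), leftover

def open_tunnel(sock, host, port):
    """Send CONNECT on a socket already connected to the proxy."""
    sock.sendall(build_connect(host, port))
    status, reason, leftover = read_proxy_reply(sock)
    if not 200 <= status < 300:
        # The proxy answered with an ordinary HTTP error: no tunnel exists.
        raise PermissionError(f"proxy refused CONNECT: {status} {reason}")
    return leftover  # from here on the socket is a transparent byte stream

def demo(reply):
    """Constructed stand-in proxy: the other end of a socketpair sends `reply`."""
    client, proxy = socket.socketpair()
    try:
        proxy.sendall(reply)
        leftover = open_tunnel(client, "jabber.org", 5222)
        return proxy.recv(1024), leftover  # (request the proxy saw, early data)
    finally:
        client.close()
        proxy.close()
```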



