[jadmin] Jabber via a DMZ proxy - SOLVED

Costa, Jeff jcosta at lendlease.com
Wed Oct 19 12:28:16 CDT 2005


Ken -- I built the proxy to keep the Jabber server out of the DMZ.
Internal users go direct to the server using STARTTLS (5222) and an
internal DNS zone. External users can use the HTTP proxy, allowing them
to connect to Jabber without having to establish a VPN connection first.
A big plus.

We do have heterogeneous firewalls on the front and back ends of the DMZ
segment. The proxy adds another "layer of security." And since we use
Active Directory for Jabber authentication, it's much easier to keep the
Jabber server on the same LAN segment with the DC.
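As an added illustration (not the configuration from Jeff's blog, and not part of the original thread), the following Apache httpd 2.4 fragment shows the one check a DMZ forward proxy for Jabber needs: CONNECT tunnels are permitted only to the internal Jabber host and its XMPP ports, so the proxy cannot be abused as an open relay. Hostnames, the listen port and the module paths are placeholders; that a `<Proxy "host:port">` section matches the CONNECT target is assumed from mod_proxy's handling of CONNECT requests and should be confirmed with a test CONNECT to an unrelated host after `apachectl configtest`.

```apache
# Added example: restricted forward proxy in the DMZ for Jabber-over-HTTP clients.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so

# Placeholder listener; the port external clients point their HTTP proxy setting at.
Listen 8080
<VirtualHost *:8080>
    ServerName proxy.example.com    # placeholder

    # Forward proxying on. With ProxyRequests On and no <Proxy> restrictions
    # below, this host would be an open proxy reachable from the Internet.
    ProxyRequests On
    ProxyVia On

    # Only these target ports may be tunnelled with CONNECT
    # (5222 STARTTLS, 5223 legacy SSL); 80/443 are deliberately excluded.
    AllowCONNECT 5222 5223

    # Default deny for every proxied destination ...
    <Proxy "*">
        Require all denied
    </Proxy>

    # ... then allow only the internal Jabber server (placeholder name),
    # which is reachable from the DMZ through the back-end firewall.
    <Proxy "jabber.internal.example.com:5222">
        Require all granted
    </Proxy>
    <Proxy "jabber.internal.example.com:5223">
        Require all granted
    </Proxy>
</VirtualHost>
```

The `<Proxy "*">` deny block is what makes the difference between a Jabber gateway and an open proxy; add proxy authentication inside the allowed sections if you want to limit the tunnel to known users as well.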

------------------------------

Message: 4
Date: Wed, 19 Oct 2005 10:51:52 -0400
From: KWermann at misti.com
Subject: Re: [jadmin] Jabber via a DMZ proxy - SOLVED
To: Jabber server administration list <jadmin at jabber.org>
Cc: jadmin at jabber.org, jadmin-bounces at jabber.org
Message-ID: <OFCA5F38A4.6CF60502-ON8525709F.004EE297-8525709F.00506352 at misti.com>
Content-Type: text/plain; charset="us-ascii"

Hi Jeff,

I am curious why you used the proxy instead of just setting up firewall
rules to allow redirection of traffic over port 5223/SSL or
5222/Unsecure to the Jabber server within the DMZ? You then have the
FQDN registered on both internal DNS and External DNS servers. You would
then configure routing and firewall rules from your LAN and the Internet
to the DMZ.

It seems that adding the proxy server would require extra steps. Is this
just so you are not showing port 5223 available on the net through the
firewall? Are you having internal users access the server via 5223/5222
without the proxy server?

Now, everything I said may not be applicable if you are doing this
because you do not have a DMZ or Firewall to begin with. If that is the
case just let me know.

I only write this because I find firewall/DMZ/proxy items very
interesting.

Instead of building a Linux firewall, does anyone know if SmoothWall's
default install can do this easier?

Best Regards,

Ken Wermann

jadmin-bounces at jabber.org wrote on 10/18/2005 05:32:18 PM:

> For anyone interested in setting up a DMZ-based proxy server to enable
> Jabber usage, I've posted instructions in my blog, located here:
> http://openrent.blogspot.com/
> 
> In a nutshell, you build an Apache forward proxy that enables Jabber 
> over HTTP. The benefit is the ability to securely use an internal 
> Jabber server from anywhere in the world (assuming your Jabber client 
> supports HTTP proxy, like Gaim does).
> 
> Jeff
