[jadmin] Jabber via a DMZ proxy - SOLVED

KWermann at misti.com
Thu Oct 20 08:24:01 CDT 2005

Hey Jeff,

Very cool. I love hearing how people set up their configurations. We do not 
link our systems into the AD for security reasons, that and we have remote 
users worldwide that are not AD or VPN users. Some are just contractors. 
We don't require the VPN for access as we allow direct connect. That is an 
interesting idea though to add the proxy for added security. Do you find 
you get any "lag" because of the proxy?


Ken Wermann

jadmin-bounces at jabber.org wrote on 10/19/2005 01:28:16 PM:

> Ken -- I built the proxy to keep the Jabber server out of the DMZ.
> Internal users go direct to the server using STARTTLS (5222) and an
> internal DNS zone. External users can use the HTTP proxy, allowing them
> to connect to Jabber without having to establish a VPN connection first.
> A big plus.
> We do have heterogeneous firewalls on the front and back ends of the DMZ
> segment. The proxy adds another "layer of security." And since we use
> Active Directory for Jabber authentication, it's much easier to keep the
> Jabber server on the same LAN segment with the DC.
> ------------------------------
> Message: 4
> Date: Wed, 19 Oct 2005 10:51:52 -0400
> From: KWermann at misti.com
> Subject: Re: [jadmin] Jabber via a DMZ proxy - SOLVED
> To: Jabber server administration list <jadmin at jabber.org>
> Cc: jadmin at jabber.org, jadmin-bounces at jabber.org
> Message-ID:
> <OFCA5F38A4.6CF60502-ON8525709F.004EE297-8525709F.00506352 at misti.com>
> Content-Type: text/plain; charset="us-ascii"
> Hi Jeff,
> I am curious why you used the proxy instead of just setting up firewall
> rules to allow redirection of traffic over port 5223/SSL or
> 5222/unsecured to the Jabber server within the DMZ? You then have the
> FQDN registered on both internal DNS and External DNS servers. You would
> then configure routing and firewall rules from your LAN and the Internet
> to the DMZ.
> It seems that adding the proxy server would require extra steps. Is this
> just so you are not showing port 5223 available on the net through the
> firewall? Are you having internal users access the server via 5223/5222
> without the proxy server?
> Now, everything I said may not be applicable if you are doing this
> because you do not have a DMZ or Firewall to begin with. If that is the
> case just let me know.
> I only write this because I find firewall/DMZ/proxy items very
> interesting.
> Instead of building a Linux firewall, does anyone know if SmoothWall's
> default install can do this easier?
> Best Regards,
> Ken Wermann
> jadmin-bounces at jabber.org wrote on 10/18/2005 05:32:18 PM:
> > For anyone interested in setting up a DMZ-based proxy server to enable
> > Jabber usage, I've posted instructions in my blog, located here:
> > http://openrent.blogspot.com/
> > 
> > In a nutshell, you build an Apache forward proxy that enables Jabber 
> > over HTTP. The benefit is the ability to securely use an internal 
> > Jabber server from anywhere in the world (assuming your Jabber client 
> > supports HTTP proxy, like Gaim does).
> > 
> > Jeff
> ------------------------------
> _______________________________________________
> jadmin mailing list
> jadmin at jabber.org
> http://mail.jabber.org/mailman/listinfo/jadmin
> FAQ: http://www.jabber.org/wiki/index.php/FAQ-JADMIN
> End of jadmin Digest, Vol 21, Issue 25
> **************************************
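The thread describes the DMZ design (an Apache forward proxy that carries Jabber over HTTP CONNECT, with the XMPP server itself staying on the internal LAN next to the domain controller) but the actual proxy configuration lives only on Jeff's blog. The fragment below is an added example, not Jeff's configuration and not from the jadmin list: it shows the one thing a practitioner would check first on such a proxy, namely that it is not an open relay. Names are assumptions: the DMZ host listens on 8080, the internal server is jabber.corp.example on TCP 5222 (STARTTLS), and the syntax is Apache 2.4 (mod_proxy plus mod_proxy_connect).

```apache
# Added example (Apache 2.4), not the configuration from Jeff's blog.
# Assumed names: DMZ proxy listens on 8080; internal XMPP server is
# jabber.corp.example, reachable from the DMZ only on TCP 5222 through
# the back-end firewall.
Listen 8080
LoadModule proxy_module         modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so

<VirtualHost *:8080>
    ServerName xmpp-proxy.example.com

    # Forward-proxy mode. On its own this is an open proxy: anyone on the
    # Internet could CONNECT through the DMZ host to arbitrary targets.
    ProxyRequests On

    # Restrict CONNECT to the XMPP port only. The weak form to avoid is
    # leaving the default (AllowCONNECT 443 563), which lets HTTPS to
    # anywhere tunnel through and turns the DMZ box into a generic relay.
    AllowCONNECT 5222

    # Default-deny every proxied target, then allow exactly one host:port.
    # For CONNECT requests the <Proxy> section is matched against the
    # "host:port" string the client sent, so the target is spelled out
    # literally. Plain GET/POST to absolute URLs also fall under "*".
    <Proxy "*">
        Require all denied
    </Proxy>
    <Proxy "jabber.corp.example:5222">
        Require all granted
    </Proxy>

    # Serve nothing else from the DMZ host.
    DocumentRoot /var/empty
    <Directory /var/empty>
        Require all denied
    </Directory>

    # Every CONNECT line (target host:port and status) lands in this log,
    # which is where relay abuse attempts show up.
    LogLevel warn proxy:info
    CustomLog logs/xmpp-proxy_log "%h %t \"%r\" %>s %b"
</VirtualHost>
```

To check the lock-down from outside, confirm that a STARTTLS handshake through the tunnel works (for example with `openssl s_client -proxy xmpp-proxy.example.com:8080 -connect jabber.corp.example:5222 -starttls xmpp -xmpphost jabber.corp.example`) and that a CONNECT to any other host or port is answered with 403 rather than a tunnel. Because the proxy only relays bytes, the AD credentials Jeff mentions never cross the DMZ in the clear provided the client refuses to authenticate before STARTTLS; the proxy does see the internal server name in the CONNECT request line. If legacy SSL-on-connect clients on 5223 must pass, add that port to AllowCONNECT and a matching `<Proxy "jabber.corp.example:5223">` section rather than widening the wildcard.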
