[jdev] Federation server placement

Robert Quattlebaum darco at deepdarc.com
Wed Feb 17 17:39:39 CST 2010


Hello Matt!

On Feb 17, 2010, at 10:34 AM, Mason, Matt wrote:

> I am trying to understand best practices for server placement from a firewall perspective:
>  
> There are two layers of firewalls, the Web tier which is facing the public.  The App tier is behind the firewall.  The App Tier cannot instantiate a connection to the web tier for security reasons. 
>  
> Is the best practice to have a federation of servers such that the Web tier XMPP server is facing outward and automatically connects to an XMPP server sitting on the App tier so messaging can occur with all clients inside and outside the firewall?
>  
> I don’t think I have seen standard docs on how to place Federation servers with respect to firewalls, etc.  Any comments would be greatly appreciated.


I don't think I am quite understanding your setup. How many servers are you intending to deploy? Are they all servicing one domain? Do you intend to allow automatic federation with other domains (like google talk), or are you only federating internally? XMPP Servers cannot forward traffic, in case that is what you were thinking, so simply having one server in your "Web tier" and one server in your "App tier" won't get you very far. 

I'll cover a few basics just in case there is a misunderstanding. Generally, a single XMPP server will be authoritative for one or more domains(Think "gmail.com" or "livejournal.com"). For security reasons, XMPP servers can't forward traffic, so if someone on your server wants to send a message to someone in a different domain then your XMPP server will need to be able to directly connect to the server that is authoritative for that domain (and vise-versa!). Unless you are using a jabber server which will allow you to run the S2S component on a separate machine, you will not be able to deploy as you described.

Jabberd2 does allow you to separate the S2S component from the rest of the server, but I do not recommend using Jabberd2 for various reasons. There may be a way to do what you describe using an XMPP server which supports clustering (Like Openfire or ejabberd), but that is outside of my scope of expertise. This is not a standard feature as far as I know.

There are two types of connections that an XMPP server can have: C2S (Client-to-Server) and S2S (Server-to-Server). For a client to connect to your server, it simply needs to be able to connect to the C2S port. If you are worried about someone compromising your XMPP server and using that as a point of entry to attack the rest of your network, you could simply disallow all connections to or from your "App tier" except for C2S connections. For automatic federation to work, you need to allow the S2S port to be open to connections from the internet as well as allow your sever to connect to make outbound connections to any port.

I hope this helps. 

__________________
Robert Quattlebaum
Jabber: darco at deepdarc.com
eMail:  darco at deepdarc.com
www:    http://www.deepdarc.com/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20100217/e169ea4b/attachment.htm>


More information about the JDev mailing list