[JDEV] not s2s but s2p --- server to proxy

Edward Geraghty edgy at us.ibm.com
Mon Jun 4 13:05:11 CDT 2001


Hello All,

     I brought up the problem with s2s communication with
firewalls/NAT networks in April on the jdev group and didn't get
any answers. I was chatting on jdev conference about a week
ago and the answer I had was to talk to my firewall admin
to allow the specific ports open to allow s2s comms. While
this is a valid answer, many companies will not allow inbound
connections. This gets even more complicated when a company's
primary connection is through a NAT/SOCKS firewall where 2
way comms is not allowed (pass-thru on a port could work if
you were using NAT).

     I just wanted to start a mini discussion on methods
to solve these sorts of problems. I realize that the s2s
needs to be a bidirectional communication (connections initiated
from either side of the firewall). With s2s you may never know
who will try to contact you, so you must be able to accept
connections from anyone.

Here is my bad attempt at my server-to-proxy protocol (s2p) :)
Hopefully the diagram works out.

INTRANET       FIREWALL       INTERNET(EXTERNAL)
<IJAB-US> <--> <JABGATE> >--> <EJAB-US> <---><jabber.com>
      =       -          >--> <EJAB-JP> <---> <jabber.org>
      =       -                         <---> <any JABSRV>
<IJAB-JP> <----

     A company on its intranet might have a Jabber server in
each of its divisions/countries/etc.: us.company.com/jp.company.com.
The Jabber servers in Japan (IJAB-JP) and the US (IJAB-US) would
communicate across the intranet using the normal s2s component with
dialback. In order to facilitate communication with external Jabber
users on the internet or other companies, we need to have a bastion
host on the internet (or DMZ) that would allow s2s with dialback
(2 way comms). This bastion host, indicated by the tag <EJAB-US>,
would have A and SRV DNS records for the EJAB for the Jabber domains
us.company.com/jp.company.com. The DNS would allow external
Jabber servers to connect to the bastion host and deliver
messages.

     The part I left out was that there needed to be a way to
allow the internal Jabber servers to deliver and receive
messages to/from the internet. The IJAB servers could send
all messages destined for the internet to another component
(Jabber server?) that sets up a tunnel to the bastion
Jabber server. The difference between what I'm saying and s2s
is that the JABGATE would initiate the connections to the EJAB-XX
servers. This would allow you to comply with allowing only
outbound connections.

      I know this isn't available in the current Jabber
protocol, but I'm just curious how others have dealt with this problem.
Are there any nasty problems out there waiting for people who
try to implement it (e.g. security)? I am not worried if the answer
is "it won't work", since there is nothing a bit of code can't
fix :)

TIA,

EdGy
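As an added illustration (not part of the original post, and not Jabber's s2s or dialback code): a toy Python model of the s2p arrangement in the diagram above. A stand-in for EJAB listens on two ports, one for internet peers and one for the gateway tunnel, and never opens a connection inward; a stand-in for JABGATE only ever dials out; a stand-in external server then sends one message for us.company.com, which the bastion relays down the tunnel, and one for a domain the bastion is not authoritative for, which it drops. The newline-delimited key=value framing, the class names and the INTRANET_DOMAINS set are assumptions of this example only.

```python
"""Toy model of the s2p idea: a bastion (EJAB) on the internet accepts
inbound connections, while the intranet gateway (JABGATE) reaches it only
with an outbound connection. Messages for intranet domains are relayed
down that tunnel, so the firewall never needs an inbound rule.
Hypothetical framing (newline-delimited key=value lines), not Jabber s2s."""
import socket
import threading

HOST = "127.0.0.1"
# Domains behind the firewall that the bastion publishes DNS for (assumed).
INTRANET_DOMAINS = {"us.company.com", "jp.company.com"}


def parse(line: bytes) -> dict:
    """'from=a to=b body=c' -> {'from': 'a', 'to': 'b', 'body': 'c'}."""
    return dict(tok.split("=", 1) for tok in line.decode().strip().split(" "))


def domain_of(jid: str) -> str:
    return jid.rsplit("@", 1)[-1]


def listener() -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, 0))  # ephemeral port; fine for a self-contained demo
    s.listen()
    return s


class Bastion:
    """EJAB: reachable from the internet; never opens a connection inward."""

    def __init__(self):
        self.public = listener()  # where external Jabber servers connect
        self.tunnel = listener()  # where JABGATE connects, outbound from the intranet
        self.gate = None
        self.gate_ready = threading.Event()
        self.dropped = []  # messages for domains this bastion does not serve
        self.dropped_seen = threading.Event()
        threading.Thread(target=self._accept_gate, daemon=True).start()
        threading.Thread(target=self._accept_public, daemon=True).start()

    def _accept_gate(self):
        # Toy: the first tunnel connection is taken as the gateway, unauthenticated.
        self.gate, _ = self.tunnel.accept()
        self.gate_ready.set()

    def _accept_public(self):
        while True:
            conn, _ = self.public.accept()
            threading.Thread(target=self._relay, args=(conn,), daemon=True).start()

    def _relay(self, conn: socket.socket):
        for line in conn.makefile("rb"):
            msg = parse(line)
            # Relay only for domains the bastion is authoritative for, and only
            # once the gateway has dialed out; anything else is dropped.
            if domain_of(msg["to"]) in INTRANET_DOMAINS and self.gate_ready.wait(timeout=2):
                self.gate.sendall(line)
            else:
                self.dropped.append(msg)
                self.dropped_seen.set()


class Gateway:
    """JABGATE: dials *out* to the bastion and hands messages to internal servers."""

    def __init__(self, bastion_tunnel_port: int):
        # Per-domain inboxes stand in for IJAB-US and IJAB-JP.
        self.delivered = {d: [] for d in INTRANET_DOMAINS}
        self.got = threading.Event()
        self.sock = socket.create_connection((HOST, bastion_tunnel_port))
        threading.Thread(target=self._pump, daemon=True).start()

    def _pump(self):
        for line in self.sock.makefile("rb"):
            msg = parse(line)
            self.delivered[domain_of(msg["to"])].append(msg)
            self.got.set()


def external_server_sends(public_port: int, payload: str):
    """Plays e.g. jabber.org connecting to the bastion's public port."""
    with socket.create_connection((HOST, public_port)) as s:
        s.sendall(payload.encode())


def demo() -> dict:
    bastion = Bastion()
    gate = Gateway(bastion.tunnel.getsockname()[1])  # outbound from the intranet
    bastion.gate_ready.wait(timeout=2)
    external_server_sends(
        bastion.public.getsockname()[1],
        "from=alice@jabber.org to=bob@us.company.com body=hello\n"
        "from=alice@jabber.org to=carol@example.net body=misrouted\n",
    )
    gate.got.wait(timeout=2)
    bastion.dropped_seen.wait(timeout=2)
    return {"delivered": gate.delivered, "dropped": bastion.dropped}


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete is the one the post is after: the intranet side never accepts a connection, yet internet peers can still reach it because the bastion holds the outbound tunnel open and relays on it. It also shows where the "nasty problems" sit: the toy bastion takes the first tunnel connection as the gateway without authenticating it, and relays anything addressed to its domains, so a real deployment would need to authenticate the gateway (mutual TLS or a shared secret) and keep the domain whitelist, or the bastion becomes a relay into the intranet for whoever connects first.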