[JDEV] not s2s but s2p --- server to proxy

Peter Saint-Andre stpeter at jabber.org
Tue Jun 5 10:57:20 CDT 2001


This sounds similar to what Jer is talking about in his recent proposal 
for Proxy Accept Socket Service (PASS):

http://core.jabber.org/pass.html

Peter

Edward Geraghty wrote:

> Hello All,
> 
>      I brought up the problem with s2s communication with
> firewalls/NAT networks in April on the jdev group and didn't get
> any answers. I was chatting on jdev conference about a week
> ago and the answer I had was to talk to my firewall admin
> to allow the specific ports open to allow s2s comms. While
> this is a valid answer, many companies will not allow inbound
> connections. This even gets more complicated when a company's
> primary connection is through a NAT/SOCKS firewall where 2
> way comms is not allowed (pass-thru on a port could work if
> you were using NAT).
> 
>      I just wanted to start a mini discussion on methods
> to solve these sorts of problems. I realize that the s2s
> needs to be a bidirectional communication (connections initiated
> from either side of the firewall). With s2s you may never know
> who will try to contact you so you must be able to accept
> connections from anyone.
> 
> Here is my bad attempt at my server to proxy protocol (s2p) :)
> Hopefully the diagram works out.
> 
> INTRANET       FIREWALL       INTERNET(EXTERNAL)
> <IJAB-US> <--> <JABGATE> >--> <EJAB-US> <---><jabber.com>
>       =       -          >--> <EJAB-JP> <---> <jabber.org>
>       =       -                         <---> <any JABSRV>
> <IJAB-JP> <----
> 
>      A company on its intranet might have a Jabber server in
> each of its divisions/countries/etc.: us.company.com/jp.company.com.
> The jabber servers in Japan (IJAB-JP) and US (IJAB-US) would
> communicate across intranet using the normal s2s component with
> dialback. In order to facilitate communication with external jabber
> users on the internet or other companies, we need to have a bastion
> host on the internet (or DMZ) that would allow s2s with dialback
> (2 way comms). This bastion host, indicated by the tag <EJAB-US>,
> would have A and SRV DNS records for the EJAB for the jabber domains
> us.company.com/jp.company.com. The DNS would allow external
> jabber servers to connect to the bastion host and deliver
> messages.
> 
>      The part I left out was that there needed to be a way to
> allow the internal Jabber servers to deliver and receive
> messages to/from the internet. If the IJAB servers could send
> all messages destined to the internet to another component
> (jabber server?) that set up a tunnel to the bastion
> jabber server. The difference between what I'm saying and s2s
> is that the JABGATE would initiate the connections to the EJAB-XX
> servers. This would allow you to comply with allowing only
> outbound connections.
> 
>      I know this isn't currently available in the current Jabber
> protocol but just curious how others have dealt with this problem.
> Are there any nasty problems out there waiting for people who
> try to implement (e.g. security)? I am not worried if the answer
> is "it won't work", since there is nothing a bit of code can't
> fix :)
> 
> TIA,
> 
> EdGy
> 
> _______________________________________________
> jdev mailing list
> jdev at jabber.org
> http://mailman.jabber.org/listinfo/jdev
> 


-- 
Peter Saint-Andre
stpeter at jabber.org
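The outbound-only gateway that EdGy sketches above (JABGATE dials out to EJAB, and external servers only ever reach the bastion) can be shown end to end in a few dozen lines. The following is an added illustration, not code from this thread, from jabberd or from the PASS proposal; the class and function names (Bastion, gateway_connect, external_send, run_demo) are invented for the example, everything runs on localhost with ephemeral ports, and dialback and the real s2s stream framing are deliberately left out so that only the connection direction is demonstrated:

```python
import socket
import threading

HOST = "127.0.0.1"  # the whole demo runs on localhost; no DNS, no dialback


class Bastion:
    """Stand-in for EJAB-US: the only host reachable from the internet.
    It listens on two ports but never dials into the intranet; JABGATE must
    open the gateway connection itself, outbound through the corporate firewall."""

    def __init__(self):
        self.gate_listener = socket.socket()
        self.gate_listener.bind((HOST, 0))   # port JABGATE dials out to
        self.gate_listener.listen(1)
        self.ext_listener = socket.socket()
        self.ext_listener.bind((HOST, 0))    # port external Jabber servers dial
        self.ext_listener.listen(5)
        self.gate_conn = None

    @property
    def gate_port(self):
        return self.gate_listener.getsockname()[1]

    @property
    def ext_port(self):
        return self.ext_listener.getsockname()[1]

    def accept_gateway(self):
        """Wait for the intranet gateway's outbound connection to arrive."""
        self.gate_conn, _ = self.gate_listener.accept()

    def relay_external(self, count):
        """Accept `count` external connections and forward each line-delimited
        stanza down the already-open gateway connection. Nothing ever flows
        into the intranet except over the socket the intranet side opened."""
        for _ in range(count):
            conn, _ = self.ext_listener.accept()
            with conn, conn.makefile("rb") as rf:
                stanza = rf.readline()
            self.gate_conn.sendall(stanza)

    def close(self):
        for s in (self.gate_conn, self.gate_listener, self.ext_listener):
            if s is not None:
                s.close()


def gateway_connect(port):
    """JABGATE: initiate the tunnel outbound, the only direction the firewall permits."""
    return socket.create_connection((HOST, port))


def gateway_receive(sock):
    """JABGATE: read one stanza that the bastion relayed over the tunnel."""
    with sock.makefile("rb") as rf:
        return rf.readline().decode().rstrip("\n")


def external_send(port, stanza):
    """Any internet Jabber server: connect to the bastion (the host the
    proposal's A/SRV records would point at) and deliver one stanza."""
    with socket.create_connection((HOST, port)) as s:
        s.sendall((stanza + "\n").encode())


def run_demo(stanza):
    """End to end: external server -> bastion -> gateway, with no inbound
    connection to the intranet. Returns the stanza as the gateway received it."""
    bastion = Bastion()
    worker = threading.Thread(target=lambda: (bastion.accept_gateway(),
                                              bastion.relay_external(1)))
    worker.start()
    gate = gateway_connect(bastion.gate_port)   # outbound from INTRANET
    external_send(bastion.ext_port, stanza)     # inbound only to the bastion
    received = gateway_receive(gate)
    worker.join()
    gate.close()
    bastion.close()
    return received


if __name__ == "__main__":
    # constructed sample stanza; the demo prints it back as received by JABGATE
    print(run_demo("<message to='alice@us.company.com'>hello from jabber.org</message>"))
```

The point the demo makes is that the corporate firewall only ever sees one outbound TCP connection from JABGATE, while the bastion is the sole host with an open inbound port. What the demo omits is the security question EdGy raises: the bastion must still run dialback (or some equivalent authentication) on the external side, because every stanza it accepts is forwarded straight into the intranet over the tunnel, so an unauthenticated bastion turns the gateway into an open relay into the internal servers.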