TIMP 1.x FAQs
Frequently Asked Questions about TIMP
Common problems
Some common problems faced using TIMP
Console does not start on XP SP2
SP2 tightened the DCOM security settings, so when you start the console it fails with a message like "Error in ATE connection"*.
This is a DCOM permission issue that can be fixed with the Component Services administrative tool.
Do the following:
- Windows Start
- Run: dcomcnfg
- Console Root/Component Services/Computers/My Computer/DCOM Config/ATE.SimpleScriptPlugin
- right click, choose Properties and go to the Security tab
- under "Launch and Activation Permissions" select "Customize" and press "Edit"
- add the local user TW32JS_USER and grant it Local Activation permission, then OK, OK, OK...
Grant the permission to that account only; there is no need to loosen the machine-wide DCOM defaults.
After that the console works.
----------------------------------------
* The System event log shows this error:
"The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {1D5B286A-475A-4C24-84F4-6BB4743F97E1} to the user KMLPC4\TW32JS_USER SID (S-1-5-21-57989841-436374069-1343024091-1013)."
(KMLPC4 is the machine name of the installation the message was taken from.)
TIMP is installed but I cannot connect to it with a client
I have installed the latest copy of the TIPIC server environment. I am able to use the clients to connect to the tipic.com server but cannot connect to a local server (my machine name). All of the appropriate processes are running (according to your troubleshooting guide). When I run ATEConsole and select GUI console, it hangs with the message 'Wait while connecting...'
There could be several reasons why you cannot connect to your newly installed TIMP server:
1) The machine is not reachable by IP: even though you have specified the correct name of the machine as your Jabber server, the name may not resolve, or the machine may not be reachable at that address.
2) A firewall on the machine where the server is installed is blocking the ports (check whether you have ZoneAlarm or a similar application).
3) Another application on the server machine is interfering, for example one that is already listening on the ports TIMP uses.
4) You have to specify the name of your server when connecting to TIMP; the IP address is not valid. TIMP refuses connections addressed to the IP because it considers them addressed to another server: in Jabber, xxx@myserver is a different address from xxx@xxx.xxx.xxx.xxx, even when the latter is the IP address of the same machine.
Switching from Integrated to Standalone: users can't authenticate
If you switch from Integrated Users to Plain XML Users without re-installing, any user names created in Integrated mode cannot be used to create an account, because the system says the name is not available.
In both modes users' profiles are stored as XML files in a directory on your PC; in Integrated mode the XML file does not contain the real password (just a dummy one):
C:\Documents and Settings\TW32JS_USER\Application Data\Tipic\spool\your_Jabber_server
If you switch from Integrated mode to Standalone, the XML files of the users created in Integrated mode are still there, but their profiles cannot be used because of the dummy password.
To avoid this, delete those XML files when you switch.
The search for a user function does not seem to work
The contact 'Search' does not appear to work, at least nothing that we tried could bring up any users into the list grid.
Search actually works; you just have to fill in vCards for the users on your server. The search function does not look at JIDs but only at first and last name.
Cannot connect 2 TIMP servers (S2S) or cannot connect to jabber.org (for example)
Does the evaluation server allow server to server connections? I was attempting to send messages to a user on my eval server from another server within my organization (it is a jabber2d server). I do not seem to be seeing any traffic between the 2 servers.
----------------
Check the following:
- make sure you enabled S2S connections during the configuration (Wizard) of both servers
- make sure the firewall does not block port 5269 on either machine
- make sure the TIMP server name of each installation is registered in DNS (or in the hosts file of both machines where you installed the server).
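To check points 1 to 4 and the S2S items above from a workstation, here is an added example in Python (not part of the original FAQ and not TIMP's own code): it resolves the server name, probes the TIMP ports named on this page (5222, 5223, 5269) and applies the JID rule of point 4. The port table and the check_server() function are this example's own; the loopback demo opens a listener on a constructed local socket so the block runs without a TIMP server.

```python
import socket

# Ports the FAQ names: 5222 (plain client), 5223 (SSL client), 5269 (server-to-server).
TIMP_PORTS = {"c2s": 5222, "c2s-ssl": 5223, "s2s": 5269}


def resolves(name):
    """IP addresses `name` resolves to (via DNS or the hosts file); [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds; a firewall dropping the port shows up as a timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def jid_domain_matches(jid, server_name):
    """Point 4 above: the domain part of the JID must be the configured server name.
    An IP address in the JID never matches, even when it is the address of that very server."""
    domain = jid.split("@", 1)[-1].split("/", 1)[0]
    return domain.lower() == server_name.lower()


def check_server(server_name, ports=TIMP_PORTS, timeout=3.0):
    """Run the checks from the two answers above against a real server name; returns a dict."""
    addrs = resolves(server_name)
    report = {"resolves": bool(addrs), "addresses": addrs}
    for role, port in ports.items():
        report[role] = port_open(server_name, port, timeout) if addrs else False
    return report


def loopback_demo():
    """Constructed check: listen on a loopback port, probe it, close it, probe again."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    before = port_open("127.0.0.1", port, timeout=1.0)
    srv.close()
    after = port_open("127.0.0.1", port, timeout=1.0)
    return before, after


if __name__ == "__main__":
    import sys
    print(check_server(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

Run it with the server name you typed into the client; a name that resolves but whose 5222 probe times out points at a firewall (point 2), while a refused connection points at a process that is not running or another application holding the port (point 3).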
How to get Support on TIMP
If you need assistance from Tipic about installing or running TIMP, please send us the following files, which are generated during the installation:
- Installation Log
- Server Log
- PlugIn.xml
To find the Installation Log, go to: Windows Start -> Programs -> Tipic Instant Messaging Platform -> Current Configuration, and cut and paste it into a text document.
The Server Log file is: c:\Documents and Settings\TW32JS_USER\Application Data\Tipic\Main\ATE.log
Do the following:
- stop the server
- delete the existing log files
- restart the server, then...
- perform the action that did not work for you, such as:
--- creating a new user
--- authenticating through an IM client
--- browsing a chatroom
- wait 10 seconds between one try and the next
- wait a minute before stopping the server, to make sure the log has been written to the file
- stop the server
- find the new log and save it into a text document
The PlugIn.xml file is: c:\Documents and Settings\TW32JS_USER\Application Data\Tipic\ATEConf\plugIn.xml
Attach the files to an e-mail and send it to support@tipic.com. Note that plugIn.xml holds your license codes and the custom settings of every plug-in, and the server log contains your users' JIDs: review both before sending them.
The XMPP protocol
Some questions about the XMPP protocol
Is there a Time Stamp in the Message?
Do you know whether the message protocol provides a date stamp in its message XML format?
I can't seem to find it specified in the Jabber doc; does that mean that for a message send there will be no way to trace the sent date of the message?
Offline messages are stored (in the XML files on the HD) with a time stamp; showing it is then up to the client. Online messages (obviously) carry no time stamp.
Priority tag for routing messages with the highest priority?
I notice in the Presence packet there is a priority attribute for routing messages to the highest priority (does TIMP implement this?). I wonder why this is not included in the Message packet as well?
The priority attribute in the presence packet is a Jabber feature.
Jabber allows you to connect several times with the same username and password.
Each session of a single user is identified by a resource and a priority:
a "buddy" can address a message to a particular resource by specifying to="user@server/resource".
If the message is addressed to the bare "user@server", the server delivers it to the resource (== user session) with the highest priority.
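Added example, not from the page and not TIMP's code, of the routing rule just described: sessions carry a resource and a priority, a full JID selects one resource and a bare JID selects the highest priority. How TIMP breaks a priority tie is not stated on the page; this toy router assumes the most recently connected session wins, and treats a full JID whose resource is not connected as undeliverable.

```python
from dataclasses import dataclass


@dataclass
class Session:
    """One connection of a user: the resource it logged in with and the priority from its <presence>."""
    resource: str
    priority: int


def split_jid(jid):
    """'user@server/resource' -> (user, server, resource); resource is None for a bare JID."""
    user, _, rest = jid.partition("@")
    server, _, resource = rest.partition("/")
    return user, server, resource or None


def route(to, sessions):
    """The session that receives a message addressed to `to`, or None.

    full JID (user@server/resource): exactly that resource, None if it is not connected
    bare JID (user@server): the connected resource with the highest priority
    no sessions at all: None, i.e. the server has to store the message offline
    Ties: the most recently connected session wins (an assumption of this example).
    """
    _, _, resource = split_jid(to)
    if resource is not None:
        return next((s for s in sessions if s.resource == resource), None)
    if not sessions:
        return None
    return max(reversed(sessions), key=lambda s: s.priority)


def example():
    """Constructed scenario: the same user logged in three times with different priorities."""
    sessions = [Session("Office", 5), Session("Home", 10), Session("Mobile", 10)]
    return {
        "bare": route("user@server", sessions).resource,
        "full": route("user@server/Office", sessions).resource,
        "missing": route("user@server/Tablet", sessions),
        "offline": route("user@server", []),
    }
```

A client that wants every message, regardless of where else the user is logged in, must therefore send a high priority in its own presence; a client that should only receive what is addressed to it explicitly sends a low one.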
General Questions about TIMP
Is TIMP compatible with other XMPP Servers and Clients?
Tipic Instant Messaging Server and ATEClient (the client SW component) are XMPP compatible.
(TIMP is based on the Open Source JSM - Jabber Session Management)
You can use any XMPP client with Tipic Instant Messaging Server.
How does TIMP compare with Jabber Inc.'s commercial server?
No comparisons have been made between the j.o server and Tipic's; the reality is that it would be like comparing apples and oranges because of the underlying OS. The two servers may well coexist because of the two OSs.
Do I buy one server or different servers for different branches?
XMPP is just like e-mail. You can have different "branches" with different domain names chatting; as an example:
branch1 is one location with one server; users can chat between each other
user1@branch1.com
user2@branch1.com
user3@branch1.com
user4@branch1.com
.....
branch2 is another location with one server; users can chat between each other
user1@branch2.com
user2@branch2.com
user3@branch2.com
user4@branch2.com
.....
when user1@branch1.com chats with user2@branch1.com their chat is Client-Server-Client
when user1@branch1.com chats with user1@branch2.com their chat is Client-Server-Server-Client
Now with Jabber, as with e-mail, you can decide to have a server for each "branch"; the advantages are scalability and the fact that if an Internet connection goes down, the users of one server can still chat among themselves.
What is ATE?
ATE is the XML Router, the core of Tipic Instant Messaging Server. Plug-Ins are linked to ATE through ATEConsole and receive, process and reply to XML messages. The Instant Messaging functions themselves are carried out by a Plug-In called JSM, which implements the Instant Messaging logic and is the Open Source component.
How does TIMP scale?
There are two possible ways to scale a Jabber server (and thus TIMP):
-- e-mail-like, appropriate for corporations (Enterprise): if your company is divided into departments or countries, you can have a Jabber server for each of them (like e-mail: xxx@yyy.zzz.com, aaa@mmmm.zzz.com); the users of these servers see each other through s2s connections.
-- ISP-like environment: you have one domain and want to scale the number of users on that domain.
The approach here is server farming, which TIMP supports: each server can handle around 1,000 or more concurrent users (because of a Windows limitation on sockets), and you can farm the servers together. From our experience, in an ISP environment the ratio of concurrent to registered users is below 1/10, which means that each server can manage 10,000 or more registered users.
How heavy is TIMP in terms of CPU load?
The CPU load does not depend on the number of clients but on the number of messages routed.
Roster size also affects performance. At tipic.com we run TIMP with a mean of many hundreds of concurrent users in busy hours, so the problem is DEFINITELY not the number of connected clients.
TIMP uses a kind of "traffic shaping" to limit the number of messages per second a client can send; a client that exceeds the limit gets "karmed" in the Open Source version of jabber (which leads to lost messages) or is simply disconnected in TIMP.
If you have developed a server-side plug-in, check whether it is sending too many messages: in that case the client gets disconnected and immediately reconnects, in a never-ending loop that can drive CPU usage to 100%.
You can easily check the number of messages circulating in the system either from the TIMP console / Server log (remember to press the "Update Log" button) or by looking in the text file C:\Documents and Settings\TW32JS_USER\Application Data\Tipic\Main\Ate.log, where you will find rows like "Router: xxx messages successiful routed". The server writes such a line about every 30 seconds, so the difference between the values in the last two entries is the number of messages routed in 30 seconds, i.e. half the number of messages per minute TIMP is routing.
Another cause of 100% CPU is a misconfiguration in which TIMP sends a message to the s2s component and s2s sends it back to TIMP, in a never-ending loop.
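Added example (not Tipic's code) that turns the router counter lines into a rate and flags the burst pattern of a plug-in that sends too much. The sample log text is constructed; the only format assumptions are the quoted "Router: xxx messages successiful routed" line and the 30-second interval from the answer above.

```python
import re

# Constructed sample of the counter lines ATE.log writes about every 30 seconds.
# The spelling "successiful" is the one quoted in the FAQ, so it is the one to grep for.
SAMPLE_LOG = """\
Router: 1000 messages successiful routed
jpolld: client connected
Router: 1300 messages successiful routed
Router: 1900 messages successiful routed
Router: 4900 messages successiful routed
"""

COUNTER_RE = re.compile(r"Router:\s+(\d+)\s+messages successiful routed")
INTERVAL_SECONDS = 30  # how often the server writes the line, per the FAQ


def counters(log_text):
    """All router counter values, in file order."""
    return [int(m.group(1)) for m in COUNTER_RE.finditer(log_text)]


def routing_rate(log_text, interval=INTERVAL_SECONDS):
    """(messages per minute over the last interval, list of per-interval deltas).

    The counter is cumulative, so consecutive differences are the per-interval traffic.
    A value lower than its predecessor means the counter was reset (server restart); that
    step is reported as None and no rate is derived from it.
    """
    vals = counters(log_text)
    deltas = [cur - prev if cur >= prev else None for prev, cur in zip(vals, vals[1:])]
    if not deltas or deltas[-1] is None:
        return None, deltas
    return deltas[-1] * (60 // interval), deltas


def spikes(deltas, factor=3):
    """Indexes of intervals whose traffic is at least `factor` times the median interval:
    a sudden jump like this is what a plug-in flooding the router looks like in the counter."""
    good = sorted(d for d in deltas if d is not None)
    if len(good) < 2:
        return []
    median = good[len(good) // 2]
    return [i for i, d in enumerate(deltas) if d is not None and median > 0 and d >= factor * median]


if __name__ == "__main__":
    per_minute, deltas = routing_rate(SAMPLE_LOG)
    print(f"{per_minute} messages/minute; bursts at intervals {spikes(deltas)}")
```

Point it at the real Ate.log (read with errors="replace": the file is written while you read it) and compare the per-minute figure with what your plug-ins are expected to produce.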
Managing TIMP
Frequently Asked Questions about how to manage TIMP
How can I administer TIMP from another machine?
Even though I have the server mapped on my workstation, I cannot run the TIMP Management Console executable. It appears that I have to actually run the console on the server otherwise it never comes back from collecting info on the server.
Correct: the TIMP Management Console runs only on the machine where the TIMP server is installed.
From other machines you can manage the TIMP server with a Jabber client (CLI interface) if you are an administrator of the TIMP server: just add the JID admin@ate.yourserver to the roster of the administrator (which should be administrator@yourserver, the first user created).
To add other administrators, add them to the custom part of the admin plug-in (using the TIMP Management Console), as in the following example:
administrator@Console
user1@yourserver
user2@yourserver
Only administrators can "talk" to the admin plug-in!
Preventing users from creating accounts on TIMP
There are 2 ways to prevent users from creating accounts on your TIMP Jabber server:
- if you choose integrated NT authentication, only users that already exist on your NT machine will be able to log in to Jabber
- if you do not use NT authentication, edit the custom configuration of the JSM plug-in and delete or comment out the tag that enables account registration.
How do I know how many users are logged into TIMP?
Server administrators can:
- see how many users are online
- broadcast messages to online users
- set the message of the day (you receive it when you log in)
All of the above can be done either through Winjab or TipicIM (clients, from anywhere, but you must be an administrator) or with the Tipic Management Console on the server.
Creating 50 users in advance
I noticed that when a new user is created, he/she needs to log in the first time to create the user account. Is there a batch process available to do that if I want to create 50 user accounts?
For each user created with TIMP there is a corresponding XML file in the following directory:
C:\Documents and Settings\TW32JS_USER\Application Data\Tipic\spool\your_Jabber_server
Depending on the type of authentication (integrated with NT or Standalone) the file contains either a dummy password or the real one; the file also contains all the other information about the user and the offline messages received by the user.
IF you decide to edit the XML files, be VERY careful about character encoding and XML well-formedness, otherwise your JSM will stop working.
You can create the files for 50 users in advance, either by hand or with a simple batch program (of course naming each file after its user).
If you pre-create these files, you can take the opportunity to pre-add contacts to the users' rosters, if that is useful for your application.
--------------
If I create the 50 users in advance, does that mean they are automatically registered as new users and there is no need to log in the first time to verify the account? (for integrated with NT)
YES
--------------
I presume I also need to create a similar account in Active Directory or in the Win2K user accounts if the type of authentication is integrated with NT.
YES. The request to create a new account the first time you connect is about creating the XML file. With integrated authentication the Win2k user must exist as well, otherwise the client will not auth.
--------------
Does it mean that the user XML file is constantly updated, both when the user is online and offline (storing offline messages)? What is updated in the XML file when the user is online?
YES, it is constantly updated. It stores offline messages and the password (a dummy one in the case of integrated authentication).
It also stores subscription information, i.e. which users the contact exchanges presence information with; if that changes while the user is online (for example a new subscription) the new information is written to the XML file.
Is there any way to detect if the XMPP server is alive?
Is there a defined keep-alive packet in TIMP, e.g. the client just sends a pre-defined packet and expects the server to echo/send some packet back to show that it is still alive?
This is for the client to detect an abnormal break of the connection.
To check whether the connection is still alive you can send a single space character every 30 seconds (for example). If the socket goes into an error state it means you have been disconnected. You should also tune socket options like KEEP ALIVE.
You can also send a jabber browse request (for example) from time to time, but this is discouraged since it loads the server.
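Added example, not from the page, of the keepalive the answer describes, in Python: a single space is written to the stream and the socket is then checked for an error or end-of-file. The demo uses a local socket pair as a stand-in for the server, so the block runs without TIMP; on a real TCP socket enable_tcp_keepalive() also turns on the OS keep-alive mentioned above.

```python
import select
import socket


def whitespace_ping(sock, timeout=1.0):
    """Send the single-space keepalive from the answer above and report whether the link is up.

    True: the space was accepted and the peer has not closed the stream (any data the server
    did send is left in the buffer). False: the send failed, or the socket reports end-of-file.
    """
    try:
        sock.sendall(b" ")
    except OSError:
        return False
    readable, _, _ = select.select([sock], [], [], timeout)
    if sock in readable:
        try:
            if sock.recv(1, socket.MSG_PEEK) == b"":
                return False
        except OSError:
            return False
    return True


def enable_tcp_keepalive(sock):
    """The OS-level KEEP ALIVE the answer also recommends; only meaningful for TCP sockets."""
    if sock.family in (socket.AF_INET, socket.AF_INET6) and sock.type == socket.SOCK_STREAM:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
        return True
    return False


def demo():
    """Constructed stand-in for the server: a local socket pair, one end playing TIMP."""
    client, server = socket.socketpair()
    alive_before = whitespace_ping(client)
    server.close()  # the "server" goes away without closing the XML stream
    alive_after = whitespace_ping(client)
    client.close()
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    keepalive_set = enable_tcp_keepalive(tcp) and tcp.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) == 1
    tcp.close()
    return alive_before, alive_after, keepalive_set
```

In a client the loop is simply: sleep 30 seconds, call whitespace_ping() on the stream socket, and reconnect when it returns False. A space between stanzas is ignored by the XML parser on the server side, which is why it is the cheapest possible probe.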
Changing the port for open connections from 5222 to xxxx
TIMP, like any Jabber server, accepts open connections on port 5222 and SSL connections on port 5223.
To change the open-connection port to, say, 5224 do the following:
- start the TIMP Management Console
- go to GUI Console
- double click on the "tgservice" plugin
- click on the Custom Plug-in tab
- in the jpolld configuration add (or change) '-p 5224'
- in the stunnel configuration change 5222 to 5224 (stunnel forwards the decrypted traffic to the jpolld port, so the two must match)
something like:
jpolld.exe -p 5224 -d 8000 ..........
stunnel.exe -d 5223 -r 5224 .........
Set the configuration and then restart the TIMP Service (from the Windows Start menu)
How does TIMP use port 8000 (and other ports)?
TIMP is composed of several applications that interact through COM and TCP/IP.
Port 8000, by default, is used to connect jpolld (the application that deals with client connections) to the main router.
Port 8001 is likewise needed to connect s2s (the application that deals with server-to-server connections) to the main router. The Installation Wizard checks whether port 8000 is available and, if not, tries a higher port number. Be aware that ports 8000/8001 must be open only for loopback connections (so they must not be opened in the corporate firewall, and a personal firewall installed on the machine should only allow them from the machine itself).
Ports 5222/5223 must be open in the corporate firewall to allow open/secure connections.
Port 5269 must be open in the corporate firewall to allow your server to interoperate with other public Jabber servers (a FQDN is also needed). If it is opened only in the personal firewall and not in the corporate one, port 5269 still allows several TIMP servers on different machines inside your network to interoperate.
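A check for the port rules above, as an added example (not part of the FAQ and not TIMP's code): it reads the output of `netstat -an` taken on the server, reports router ports 8000/8001 that are bound to an address other than the loopback, and reports expected external ports that are not listening. The sample netstat text is constructed in the Windows layout; whether a port bound on all interfaces is actually reachable also depends on the personal firewall, which this check cannot see.

```python
import re

# Ports that must only be reachable from the machine itself, and the externally reachable
# ones with the process the FAQ says serves each of them.
LOOPBACK_ONLY = {8000, 8001}
EXTERNAL = {5222: "jpolld", 5223: "stunnel", 5269: "s2s"}

# Constructed sample in the layout of `netstat -an` on Windows; a real capture is the input.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:5222           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5223           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8001         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8000         127.0.0.1:1034         ESTABLISHED
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.MULTILINE)


def listeners(netstat_text):
    """{port: set of local addresses} for every TCP socket in LISTENING state."""
    found = {}
    for addr, port in LISTEN_RE.findall(netstat_text):
        found.setdefault(int(port), set()).add(addr)
    return found


def audit(netstat_text):
    """Findings as a list of strings: router ports exposed beyond the loopback, external ports missing."""
    found = listeners(netstat_text)
    findings = []
    for port in sorted(LOOPBACK_ONLY):
        for addr in sorted(found.get(port, ())):
            if addr not in ("127.0.0.1", "::1"):
                findings.append(f"port {port} is bound to {addr}: it should accept loopback connections only, "
                                f"so the personal firewall must block it from other hosts")
    for port, process in sorted(EXTERNAL.items()):
        if port not in found:
            findings.append(f"port {port} ({process}) is not listening")
    return findings


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    print("\n".join(audit(text)) or "no findings")
```

Pipe the real output into it (netstat -an | python audit_ports.py); a missing 5269 is normal if you never enabled S2S, and 5223 shown as missing matches the "Fixing SSL" entry further down, where stunnel is not running.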
Deleting users from the directory after they left the company
A few users have left our company, but they are still showing up in Tipic when we search for their user names, whether we delete or disable their accounts in Active Directory. Please can you let me know how to remove them.
In the spool directory of your Jabber host, for example:
C:\Documents and Settings\TW32JS_USER\Application Data\Tipic\spool\Prova_JSM\
(Prova_JSM being the host name of the installation the example was taken from), you should find the file:
global.xdb
Edit this file with an XML editor and delete the entries of the users that left your company. Stop the JSM plug-in while you do it, since the spool files are rewritten while users are online, and remove the users' own XML files from the same directory as well, since those files are their accounts.
How does the License work and how soon do we receive it?
When we purchase the license, how soon can we get the license installed?
As soon as you purchase the license, we send you a license code that you enter into the evaluation copy of TIMP, turning it into a fully functional version of TIMP.
The e-mail with the license code explains how to do it (a straightforward operation through the "TIMP Configuration Wizard").
How to use the TIMP License Code when you buy one
When you buy a license code we send you the license by e-mail.
When you receive the code you do not have to reinstall the 5-concurrent-user evaluation version of TIMP; just:
- start the TIMP Installation Wizard (from Start/Program Files/Tipic Instant Messaging Platform/Installation Wizard) if you have already installed the server; otherwise follow the first-installation instructions up to the point where you are asked for the license code.
- enter the following XML, which is the registration code, by cutting and pasting it:
xx-xxx-xxx@xxx.xx
xxxxxx
- read the installation log: it should now say that TIMP is registered
NOTE:
Regarding licensing, as an example, a 10-user license means a maximum of 10 concurrent users. The server counts the logged-on users at the end of every "timeslot" (one minute): if, at the end of a timeslot, the number of concurrent users exceeds the license, during the next timeslot no further client can log in, even if all the previously logged-on clients have logged off. If at the end of the timeslot the number of logged-on users is within the maximum, new users are allowed to log on during the next timeslot.
Adding a new license
If you want to add a new license to an already running TIMP, do the following:
From the Windows Start button: All Programs -> Tipic Instant Messaging Platform -> TIMP Management Console
From the Tipic Management Console: GUI Console -> double click on "jsm"
From the "jsm" Plug-in Settings: click on Custom Plug-in Settings -> some XML will appear in that window.
Below the <custom> tag you will see the existing license you entered previously. Add the new license that you receive via e-mail below the existing one.
Following is an example:
<custom>
<license>
.....
</license>
<license>
....
</license>
After pasting the new license, click on "Set Configuration", click "OK" to restart the plug-in, "OK" to exit the "jsm" configuration, and you are done.
Can we programmatically enter add-on licensing for the TIPIC server?
We want to implement the interface to allow the user to add licensing via our web-based admin interface, so we need to know the specifications of the XML file where license codes are maintained.
There is an XML file in:
C:\Documents and Settings\TW32JS_USER\Application Data\Tipic\ATEConf\PlugIns.xml
You should add the license to the custom part of 2 plug-ins:
- JSM
- Admin
The best approach is to inspect the XML file you have today and look for the right fields to add to.
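An added example, not Tipic's code, of doing that programmatically with the standard XML library rather than string concatenation. The layout of PlugIns.xml is not shown on the page, so the sample below is an assumed skeleton (plug-in elements carrying a name attribute and a <custom> section with <license> children); adapt find_custom() after inspecting the real file. Restart the two plug-ins after writing the file back, as the previous entry describes for the console.

```python
import xml.etree.ElementTree as ET

# Assumed skeleton of PlugIns.xml (the page only shows <custom><license>...</license> inside a
# plug-in's custom settings); the plug-in names come from the answer above.
SAMPLE_PLUGINS_XML = """\
<plugins>
  <plugin name="jsm">
    <custom>
      <license>existing-jsm-license</license>
    </custom>
  </plugin>
  <plugin name="admin">
    <custom>
      <license>existing-admin-license</license>
    </custom>
  </plugin>
  <plugin name="tgservice">
    <custom/>
  </plugin>
</plugins>
"""

LICENSED_PLUGINS = ("jsm", "admin")  # the FAQ says the code goes into both


def find_custom(root, plugin_name):
    """The <custom> element of one plug-in; adapt this XPath to the real file."""
    node = root.find(f"./plugin[@name='{plugin_name}']/custom")
    if node is None:
        raise ValueError(f"no <custom> section for plug-in {plugin_name!r}")
    return node


def licenses_in(xml_text, plugin_name):
    """License codes currently stored for one plug-in."""
    root = ET.fromstring(xml_text)
    return [el.text for el in find_custom(root, plugin_name).findall("license")]


def add_license(xml_text, code):
    """Append <license>code</license> below the existing ones in both licensed plug-ins.

    The existing codes are kept, a code already present is refused, and ElementTree escapes
    the text, so a pasted value containing '<' or '&' cannot leave the file malformed.
    Returns the new document as a string (without XML declaration: add one when writing the file).
    """
    root = ET.fromstring(xml_text)
    for name in LICENSED_PLUGINS:
        custom = find_custom(root, name)
        if any(el.text == code for el in custom.findall("license")):
            raise ValueError(f"license already present in plug-in {name!r}")
        ET.SubElement(custom, "license").text = code
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(add_license(SAMPLE_PLUGINS_XML, "new-license-code"))
```

Because a web form is the source of the code, the escaping done by ElementTree is the important part: a hand-built string template would let a stray "<" or "&" in the submitted value break PlugIns.xml and with it every plug-in of the server.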
SSL (Secure Socket Layer) Support
TIMP supports SSL connections between the clients and the server. This means that when you are out of the office you can still connect securely to your TIMP server using SSL.
How do I enable SSL support in TIMP?
SSL is enabled by default (like open connections, of course). You can connect to TIMP over SSL using any SSL-enabled XMPP client.
Use port 5223 for SSL connections, as opposed to 5222 for open connections.
I want to change the SSL Certificate, where is it located?
The certificate (foo-cert.pem) is located in the TIPIC install directory.
foo-cert.pem contains the X.509 certificate, the private key and the DH parameters.
What is the DH parameter, how do we let TIMP know about the file foo-cert.pem and, say, the passphrase for the private key? Do we just replace this file with our preferred certificate and key?
Regarding the certificate, you just need to overwrite the sample X.509 certificate with your own, but pay attention to the following:
- the file must be in the OpenSSL ".pem" format. Ask your Certificate Authority administrator how to obtain such a certificate from a commercial CA platform.
- the private key must not have a passphrase, since we use stunnel to implement the SSL stack.
Since ATE starts stunnel automatically, and since the service can start "automatically" at boot, a passphrase would have to be stored in the ATE config file (where it would be "easily" readable by an Administrator), so it would add no real protection.
The best way to make sure nobody can steal the certificate (and the private key kept in the same file) is to move the file under the "TW32JS_USER" profile, so that only administrators (and TW32JS_USER == ATE) can read it.
For this purpose, run the console, locate and double click on the "TGService" plugin, then switch to the "Custom" tab and find the row that starts with "stunnel .....".
Replace the "foo-cert.pem" string with the full file name (including the path) where you stored the certificate.
To remove the passphrase please refer to: http://www.octaldream.com/~scottm/talks/ssl/stunnel.html (with the OpenSSL command line it is openssl rsa -in protected-key.pem -out key.pem; then concatenate the certificate, the unprotected key and the DH parameters into the new .pem file).
How do I get a valid SSL Certificate
The supplied certificate is out of date and brings up some errors on the client.
The certificate must be in .pem format and must not be passphrase-protected; copy it over the supplied file (or point the stunnel entry at its path, as described above). You should refer to the relevant Microsoft Docs.
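Added example (not from the page and not part of stunnel) of a pre-flight check for the file you drop in place of foo-cert.pem: it verifies that the PEM contains a certificate, a private key without passphrase protection and the DH parameters block. The PEM samples are constructed placeholders (fake base64 bodies) so the block runs offline; expiry, which this check does not cover, can be read with `openssl x509 -in foo-cert.pem -noout -dates`.

```python
import re

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
KEY_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# Constructed stand-ins for foo-cert.pem: the base64 bodies are placeholders; only the block
# labels and headers matter to this check.
GOOD_PEM = """\
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIC...placeholder...
-----END RSA PRIVATE KEY-----
-----BEGIN DH PARAMETERS-----
MIGH...placeholder...
-----END DH PARAMETERS-----
"""

ENCRYPTED_PEM = """\
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MIIC...placeholder...
-----END RSA PRIVATE KEY-----
"""


def pem_blocks(text):
    """[(label, body)] for each -----BEGIN/END----- pair in the file, in order."""
    return [(m.group(1), m.group(2)) for m in BLOCK_RE.finditer(text)]


def key_is_encrypted(label, body):
    """A passphrase-protected key is either a PKCS#8 'ENCRYPTED PRIVATE KEY' block or a
    legacy block whose body starts with a 'Proc-Type: 4,ENCRYPTED' header line."""
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body


def check_stunnel_pem(text):
    """Problems that would stop stunnel from starting unattended, as a list of strings."""
    blocks = pem_blocks(text)
    labels = [label for label, _ in blocks]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    keys = [(label, body) for label, body in blocks if label in KEY_LABELS]
    if not keys:
        problems.append("no private key block")
    for label, body in keys:
        if key_is_encrypted(label, body):
            problems.append("private key is passphrase protected; stunnel cannot start as a service with it")
    if "DH PARAMETERS" not in labels:
        problems.append("no DH PARAMETERS block (the shipped foo-cert.pem carries one)")
    return problems


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "foo-cert.pem"
    with open(path, encoding="ascii") as f:
        print("\n".join(check_stunnel_pem(f.read())) or "ok")
```

Run it against the new file before replacing the shipped one; a passphrase-protected key is the failure that only shows up at the next reboot, when tgservice starts stunnel with nobody there to type the passphrase.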
Problems using Microsoft winsock API
I am presently testing the SSL feature. I created a secure socket using the Microsoft Winsock API and set the SSL protocol to v3. But somehow when I connect to the TIMP server I always get an MS error which says "This function is not supported on this system".
There should be no problem using the MS API. It is probably just a matter of using the same key length: TIMP uses 128 bits. TIMP uses OpenSSL (www.openssl.org) and stunnel (www.stunnel.org).
Using the MS API on the server side was not an option, because MS changes the specs frequently and TIMP must comply with the XMPP specs.
Fixing SSL: SSL-enabled client fails to connect.
TIMP is organised in several processes which are monitored by a PlugIn called tgservice. The SSL connections are handled by the stunnel process.
If you have sporadic problems when connecting over SSL but have been able to connect at least once, try killing the stunnel.exe process (using Task Manager, or by restarting TIMP); tgservice automatically restarts stunnel.exe.
If you are still unable to connect, or the stunnel process does not exist at all, do the following:
in the custom part of the tgservice PlugIn you find 3 processes:
jpolld - it handles NON-SSL user connections
stunnel - it handles SSL connections
s2s - implements the server-to-server protocol
change the stunnel entry from:
...
stunnel.exe -d 5223 -r 5222 -p foo-cert.pem
...
to:
...
c:\TIMP_Installation_path\stunnel.exe -d 5223 -r 5222 -p "c:\TIMP_Installation_path\foo-cert.pem"
...
(the only changes are the full paths of the executable and of the certificate, the latter quoted because the path may contain spaces; keep the ports as they were)
save the configuration and restart the plug-in.
Setting the SSL listening port to a port other than 5223
TIMP is organised in several processes which are monitored by a PlugIn called tgservice. In the custom part of this PlugIn you will find 3 processes:
jpolld - it handles NON-SSL user connections
stunnel - it handles SSL connections
s2s - implements the server-to-server protocol
Just find the port number you want to substitute (in your case the -d port of the stunnel process) and change it. E.g. you can change from:
...
stunnel.exe -d 5223 -r 5222 -p foo-cert.pem
...
to:
...
stunnel.exe -d 7000 -r 5222 -p foo-cert.pem
...
to accept SSL connections on port 7000 instead of 5223. The -r port stays 5222: that is where stunnel forwards the decrypted traffic, i.e. the jpolld port. Remember to open the new port in the firewall instead of 5223.
If you have other processes that need to be monitored, you can add up to 20 such process tags in the custom part of the tgservice PlugIn.
Please be aware that NO carriage return or line feed may exist between the opening and closing tags of a process entry.
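Added example, not from TIMP, serving both the "Changing port" entry above and the two stunnel entries here: it parses the jpolld and stunnel command lines, rewrites the ports so that stunnel's -r always follows jpolld's -p, and checks the invariants a manual edit must keep. Only the flags quoted on the page are modelled (the rest of each real line is elided there), and the s2s line is left out because the page does not show it.

```python
import ntpath
import shlex

# Command lines from the tgservice custom part as quoted in the FAQ. Note that -p means
# "listening port" for jpolld but "PEM file" for stunnel.
DEFAULT_ENTRIES = [
    "jpolld.exe -p 5222 -d 8000",
    "stunnel.exe -d 5223 -r 5222 -p foo-cert.pem",
]


def parse_entry(line):
    """('stunnel.exe', {'-d': '5223', '-r': '5222', '-p': 'foo-cert.pem'}) for one entry.
    Assumes every flag takes a value, which holds for the flags the FAQ shows."""
    parts = shlex.split(line, posix=False)  # non-POSIX: backslashes and quoted Windows paths survive
    exe, args = parts[0], parts[1:]
    return exe, {flag: value.strip('"') for flag, value in zip(args[::2], args[1::2])}


def format_entry(exe, opts):
    """Inverse of parse_entry; re-quotes values containing spaces."""
    quoted = [f'"{v}"' if " " in v else v for v in opts.values()]
    return " ".join([exe] + [f"{k} {v}" for k, v in zip(opts, quoted)])


def is_absolute_windows_path(p):
    return len(p) > 2 and p[1] == ":" and p[2] in "\\/"


def check_entries(entries):
    """Invariants a port change must preserve, returned as a list of problems (empty = fine)."""
    by_exe = {}
    for line in entries:
        exe, opts = parse_entry(line)
        by_exe[ntpath.basename(exe).lower()] = opts
    jp, st = by_exe.get("jpolld.exe"), by_exe.get("stunnel.exe")
    if jp is None or st is None:
        return ["jpolld or stunnel entry missing"]
    problems = []
    if st.get("-r") != jp.get("-p"):
        problems.append(f"stunnel -r {st.get('-r')} does not match jpolld -p {jp.get('-p')}")
    if st.get("-d") == jp.get("-p"):
        problems.append("stunnel -d and jpolld -p use the same port")
    cert = st.get("-p", "")
    if not is_absolute_windows_path(cert):
        problems.append(f"stunnel cert path {cert!r} is relative; use the full path")
    return problems


def move_client_port(entries, new_port):
    """Change the plain client port: jpolld -p and stunnel -r must move together."""
    out = []
    for line in entries:
        exe, opts = parse_entry(line)
        base = ntpath.basename(exe).lower()
        if base == "jpolld.exe":
            opts["-p"] = str(new_port)
        elif base == "stunnel.exe":
            opts["-r"] = str(new_port)
        out.append(format_entry(exe, opts))
    return out


def move_ssl_port(entries, new_port):
    """Change the SSL listening port: only stunnel -d changes."""
    out = []
    for line in entries:
        exe, opts = parse_entry(line)
        if ntpath.basename(exe).lower() == "stunnel.exe":
            opts["-d"] = str(new_port)
        out.append(format_entry(exe, opts))
    return out


if __name__ == "__main__":
    for entry in move_client_port(DEFAULT_ENTRIES, 5224):
        print(entry)
    print(check_entries(DEFAULT_ENTRIES))
```

The check flags the shipped relative certificate path as well: that is exactly the case the "Fixing SSL" entry resolves by switching to full paths, and the same relative path is what breaks when tgservice starts stunnel from a different working directory.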
How can I verify that the data is encrypted when sent?
Just download Ethereal from:
http://www.ethereal.org
or pcaptrace from:
http://www.pocketsoap.com/pcaptrace/.
Follow the instructions provided on their respective sites to capture the traffic on port 5223; compare it with a capture on port 5222, where the XML stanzas are readable in clear.
What are the cipher suites supported by TIMP?
All ciphers supported by OpenSSL.
Please refer here:
http://www.mkssoftware.com/docs/man1/openssl_ciphers.1.asp
for the full list of ciphers.
VOIP integration with TIMP
I installed the demo version of TIMP and everything works except VOIP (Voice over IP) calls between TipicIM clients; I keep getting the following error message: "Timeout trying to contact Tipic Server Voip Plugin, please check your firewall rules (state 1)". I manage the LAN here and I have opened all ports.
--------------------------------------------------
In order for VOIP calls to work you need to do the following:
- enable s2s communication (when running the configuration Wizard)
- make sure that the name of the server (i.e. the name of the machine where TIMP is installed, from which TIMP takes its name) is a FQDN (Fully Qualified Domain Name).
Transports / Gateways
Transports to legacy protocols such as MSN, ICQ etc. are created and maintained by the Open Source community; the transports are currently available for the Linux operating system.
You can integrate the transports with TIMP; to do so you need to set up a Linux box, install the transports there and then configure TIMP.
Configuring the transports on a Linux box
Suppose you installed TIMP 1.2 on a domain such as mycompany.com and you want your users to have access to the transports to MSN and ICQ. These are the steps to follow:
- install a Linux box with your favourite distribution
- download and install the transports on the Linux box, associating the following domain names:
-- icq.mycompany.com
-- msn.mycompany.com
- check on your company DNS that the domain names icq.mycompany.com and msn.mycompany.com point to the Linux box and that the domain name mycompany.com points to the machine running TIMP 1.2
- double check that you installed TIMP 1.2 with S2S support enabled (refer to the TIMP 1.2 installation log)
- open the TIMP Console
- locate the jsm | mycompany.com line in the plug-in list and double click on it
- switch to the custom configuration and locate the browse tag
- insert just after <browse> the following text (the jid attributes must be the transport names you registered in DNS, here msn.mycompany.com and icq.mycompany.com):
<service type="msn" jid="msn.mycompany.com" name="MSN">
<ns>jabber:iq:gateway</ns>
<ns>jabber:iq:register</ns>
</service>
<service type="icq" jid="icq.mycompany.com" name="ICQ">
<ns>jabber:iq:gateway</ns>
<ns>jabber:iq:register</ns>
<ns>jabber:iq:search</ns>
</service>
- save the updated configuration and restart the jsm plug-in
Authentication
TIMP 1.2 supports different authentication schemes:
- Active Directory Integration
- Stand Alone
During the set-up wizard you can define the authentication scheme.
Other questions
Various generic questions
Adding multiple hosts to the TIMP Server
A TIMP installation can host multiple domains; this lets you host on the same server something like:
- mycompany1.com
- mycompany2.com
- mycompany3.com
From the users' perspective these are 3 separate XMPP/Jabber servers.
In order to add the 2 hosts to the one already present (created during the configuration of the TIMP server), follow these steps:
- Open the "TIMP Management Console"
- Create a new plug-in
- Give it a "Plug-In Name", e.g. jsm-2 or whatever reminds you of the new host
- choose a domain name and put it in the "Host" box
- Empty the JID Substr string
- As COM Object ID, type: WIN32_JABBERLib.JSMPlugin
- As Start-Up Type, be sure to set "Automatic"
- Be sure that everything else is "unchecked" in the "General PlugIn Settings"
- Press OK and confirm that you want to update the configuration
- Now open the configuration of the "JSM" plugin (the original host plug-in)
- Switch to "Custom PlugIn Settings"
- Copy the whole text to the clipboard (e.g. selecting the whole text and pressing CTRL+C)
- Click on Cancel, because you do NOT want to update the configuration of the original plug-in
- Reopen the configuration of the newly created plugin (e.g. jsm-2)
- Switch to "Custom PlugIn Settings"
- Overwrite the custom part by pasting the content of the clipboard (e.g. selecting the whole text and pressing CTRL+V)
- If needed, change the custom part to meet the requirements of the new plugin (e.g. database integration, message logging, type of authentication etc.)
- Press OK and confirm the settings changes
- Start the new plug-in
- Repeat the previous steps for every other host you would like to add.
What you just did was add one or more JSM plug-ins to the TIMP server and tell TIMP to route messages addressed to a specific domain to the specific JSM plug-in.
Installing TIMP securely within the corporate firewall
1) If we use Active Directory that resides in the secure zone, where should we install TIMP server?
It depends.
If the jabber server is only intended to be used by the internal lan, the best is to put it in the safe zone and leave users from outside be allowed to connect to the TIMP server only after a VPN/dialin call into the safe zone.
Otherwise, if you are planning to make TIMP interoperable with other jabber servers you should put it (or at least the s2s component) in the DMZ.
If you, at last, want to allow users to connect from the outside, without previously established VPN/dialup call, you need to put also the c2s/wireless proxy in the DMZ zone.
Depending on what is the level of interoperability you like most, you have/can open different ports on the two firewalls.
The most important thing to keep in mind, is *in NO way* enable NOT-SSL-ed connection from outside you LAN.
2) If TIMP is in the DMZ, is there any concerns?
If is the same as placing an EMAIL server or a Webserver in the DMZ. Search for "Exchange in DMZ" for lots of opinions about if this is good/evil. Or read this article
http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=23653 and the pointed MS links.
3) If TIMP is in DMZ, what are the ports on the second firewall that needs to be opened to allow AD authentication?
The answer depends on how is configured your AD, so the best choice is to read the documents above (TIMP has less requirements then exchange, but making exchange in the DMZ communicate with the AD allows TIMP also), log the traffic (with www.ethereal.org) opening with all the ports described in those document and then close those that you are sure not using for your particular AD setup.
4) If TIMP is in the DMZ, what other security measures do we need to take to secure TIMP and the Jabber protocol? Are there any statistics and counter-measures for Jabber server hack attempts?
There are no known server hacks for jabberd-1.4.2-based servers. The only care I suggest is not to allow plain authentication, at least from the outside (this can be prevented by filtering port 5222).
5) If we are to harden TIMP's W2K server platform, which services are not safe to remove? Do you have a typical hardening guide for TIMP servers?
TIMP only needs the DCOM and Workstation services to be running.
Everything else (IIS, Alerter, etc.) is useless for TIMP. Please refer to the MS guides at http://www.microsoft.com/security to lock down a Windows machine.
We also suggest enabling packet filtering on the machine (native in W2K, or through an application firewall or other third-party software) and blocking all *inbound* connections except to port 5222 (plain client connections), 5223 (SSL-protected client connections) and 5269 (server-to-server connections).
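A check for the filter just described, as an added example that is not code from the original FAQ or from TIMP: scan the TIMP host from each side of the firewall and compare what is reachable against the allowlist that should apply from that side, following the earlier answers that plain 5222 must not be reachable from outside the LAN. The two vantage points and the port labels are this example's own assumptions.

```python
import socket
import sys

# Inbound TCP ports the answer above says a TIMP host should accept.
TIMP_INBOUND = {5222: "c2s plain", 5223: "c2s SSL", 5269: "s2s"}

# Assumption of this example: two vantage points. From the LAN all three ports
# are fine; from the Internet side plain 5222 must not be reachable (see the
# DMZ answers above), so only the SSL client port and s2s are allowed.
ALLOWED = {
    "lan": set(TIMP_INBOUND),
    "internet": {5223, 5269},
}


def tcp_open(host, port, timeout=0.5):
    """True if a TCP connection to host:port completes within the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan(host, ports, timeout=0.5):
    """Set of ports on `host` that accepted a TCP connection."""
    return {p for p in ports if tcp_open(host, p, timeout)}


def verdict(open_ports, vantage):
    """Compare reachable ports with the allowlist for this vantage point.
    'unexpected' should be empty; 'missing' lists expected services that
    were not reachable (filter too tight, or the service is down)."""
    allowed = ALLOWED[vantage]
    open_ports = set(open_ports)
    return {"unexpected": open_ports - allowed, "missing": allowed - open_ports}


def describe(port):
    return TIMP_INBOUND.get(port, "not a TIMP port")


if __name__ == "__main__":
    # usage: script.py <timp-host> <lan|internet>
    if len(sys.argv) != 3 or sys.argv[2] not in ALLOWED:
        sys.exit("usage: script.py <timp-host> <lan|internet>")
    host, vantage = sys.argv[1], sys.argv[2]
    # well-known range plus the TIMP ports; widen as you see fit
    probe = set(range(1, 1025)) | set(TIMP_INBOUND)
    result = verdict(scan(host, probe), vantage)
    for port in sorted(result["unexpected"]):
        print(f"UNEXPECTED {port} ({describe(port)}) reachable from {vantage}")
    for port in sorted(result["missing"]):
        print(f"MISSING    {port} ({describe(port)}) not reachable from {vantage}")
```

One thing to decide for yourself: the answer above keeps the DCOM service running, and if you administer the server remotely its DCOM traffic (TCP 135 plus dynamically assigned RPC ports) will show up as "unexpected" in a LAN-side scan; restrict it to the administrative hosts rather than opening it to the whole LAN.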
6) If TIMP is in the DMZ and we have a number of server components and clients that sit on the server offering Jabber services, where is the best zone to place these applications: the safe zone or the DMZ?
It depends on the component, but in general it is safe to have client IM programs in the safe zone, as well as services. TIMP takes care not to deliver big messages (> 1MB), which makes it very unlikely that a buffer overflow could be triggered in a component/client. Of course this limit does not protect against other programming errors in those components.
Is there a way we can pre-populate the user listings?
I was wondering if there is a way we can pre-populate the user listings for new employees here at our company. We are growing very fast, and having to teach people how to add contacts and also having each person accept each request is time-consuming and not really necessary.
Here you can find some scripts that you can modify for that purpose:
http://jru.jabberstudio.org/
http://jabbertools.jabberstudio.org/
http://scriptrepo.jabberstudio.org/
(TIMP is compatible with the jabberd 1.4.2 user format)
How can they increase the karma so that avatars can be loaded without being disconnected by the server?
TIMP implements a leaky bucket algorithm. You can fine-tune two parameters per bucket: the size and the duration. Two buckets allow you to define a short-period limit and a long-period limit. By default:
- peak bucket size is 10KB (10240) and peak duration is 10 seconds
- mean bucket size is 20KB (20240) and mean duration is 60 seconds
Start the TIMP console, double-click on the TGService plug-in, go to the custom part, and look for the line containing jpolld.exe. Add the following parameters:
-pbs 1048576 -ps 60 -mbs 1048576 -ms 60
to raise the limits, in this example to 1MB of traffic every 60 seconds (for both peak and mean traffic).
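The two-bucket scheme described above, as an added simulation that is not TIMP's own code: the exact accounting TIMP uses is not documented here, so this is a textbook leaky bucket driven by the page's parameters. Each bucket holds `size` bytes and drains to empty in `duration` seconds; a stanza is accepted only if both buckets are still within their size after its bytes are added, otherwise the client would be disconnected. The script also parses the jpolld.exe switches exactly as they are typed into the console, and estimates the size of a vCard avatar stanza (base64 grows the image by 4/3; the 300-byte XML overhead is an assumption) to show why even a small avatar trips the default peak bucket.

```python
import math
import shlex
from fractions import Fraction


class LeakyBucket:
    """Holds up to `size` bytes and drains to empty in `duration` seconds.
    Exact arithmetic (Fraction) so that a bucket drained for exactly
    `duration` seconds is empty, not off by a floating-point hair."""

    def __init__(self, size, duration):
        self.size = size
        self.rate = Fraction(size, duration)   # bytes drained per second
        self.level = Fraction(0)
        self.last = Fraction(0)

    def offer(self, now, nbytes):
        """Account `nbytes` arriving at time `now`; True if still within size."""
        now = Fraction(now)
        drained = max(Fraction(0), now - self.last) * self.rate
        self.level = max(Fraction(0), self.level - drained) + nbytes
        self.last = max(self.last, now)
        return self.level <= self.size


class Karma:
    """Two buckets: peak (short period) and mean (long period). Defaults are
    the ones quoted above. A stanza is accepted only if both buckets accept."""

    def __init__(self, pbs=10240, ps=10, mbs=20240, ms=60):
        self.peak = LeakyBucket(pbs, ps)
        self.mean = LeakyBucket(mbs, ms)

    def accept(self, now, nbytes):
        ok_peak = self.peak.offer(now, nbytes)
        ok_mean = self.mean.offer(now, nbytes)   # evaluate both, no short-circuit
        return ok_peak and ok_mean


SWITCHES = {"-pbs": "pbs", "-ps": "ps", "-mbs": "mbs", "-ms": "ms"}


def karma_from_args(arg_string):
    """Build a Karma from the jpolld.exe switches as written in the console,
    e.g. '-pbs 1048576 -ps 60 -mbs 1048576 -ms 60'. Unknown switches raise."""
    tokens = shlex.split(arg_string)
    if len(tokens) % 2:
        raise ValueError("switches must come in name/value pairs")
    kwargs = {}
    for name, value in zip(tokens[::2], tokens[1::2]):
        if name not in SWITCHES:
            raise ValueError(f"unknown switch {name}")
        kwargs[SWITCHES[name]] = int(value)
    return Karma(**kwargs)


def avatar_stanza_bytes(image_bytes, overhead=300):
    """Rough size of a vCard <PHOTO> stanza carrying an image of `image_bytes`:
    base64 grows the payload by 4/3; the XML around it is assumed at ~300 bytes."""
    return math.ceil(image_bytes / 3) * 4 + overhead


if __name__ == "__main__":
    avatar = avatar_stanza_bytes(10 * 1024)            # a small 10KB avatar
    print("default karma accepts a 10KB avatar:", Karma().accept(0, avatar))
    k = karma_from_args("-pbs 1048576 -ps 60 -mbs 1048576 -ms 60")
    print("1MB/60s karma accepts 1MB at t=0:", k.accept(0, 1 << 20))
    print("... and another 1MB one second later:", k.accept(1, 1 << 20))
```

Two observations fall out of the model. With the page's example values the peak and mean buckets are identical, so the mean bucket adds no extra constraint; giving the mean bucket a larger size over a much longer duration (say 2MB over 600 seconds) is what actually catches a client that sends one big avatar every minute. And a 10KB image already becomes roughly 14KB of stanza once base64-encoded, which is why the default 10KB peak bucket disconnects clients on avatar load.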
Scaling TIMP
Can you tell me about some possible scalability/redundancy architectures with TIMP? We have about 1200 employees worldwide, and IM is a critical service for them. How would you recommend deploying TIMP?
There are three ways to achieve redundancy/scalability, and which one is right depends on the way you want to configure your network.
1 - use a domain name for each section/department of your company; you would have IM addresses like:
xxx@NYC.mycompany
yyy@LA.mycompany
Install a server for each department and link them through s2s connections.
Benefits: distributed architecture; even if the connection between some departments drops, users can still chat within their own department.
2 - use one domain name; all 1200 users on one server.
For redundancy: use DB user integration; have a backup server with data replication and a script to switch from one server to the other.
Depending on the way your users chat, it is possible that one server will not be enough (this can only be checked while the system is in use).
3 - use one domain and decouple the front end from the back end to scale. This solution allows you to scale nicely up to as many users as you want, but it requires a custom installation of TIMP.