Other questions
Various generic questions

Adding multiple hosts to the TIMP Server
A TIMP Installation allows you to host multiple domains; this allows you to host on the same server something like:
- mycompany1.com
- mycompany2.com
- mycompany3.com
From the user's perspective these are 3 separate XMPP/Jabber servers.
In order to add the two additional hosts alongside the host already present (created during the configuration of the TIMP server), follow these steps:
- Open the "TIMP Management Console"
- Create a new plug-in
- Give it a "Plug-In Name", e.g. jsm-2, or any name that reminds you of the new host
- Choose a domain name and enter it in the "Host" box
- Empty the JID Substr string
- As COM Object ID, type: WIN32_JABBERLib.JSMPlugin
- As Start-Up Type, be sure to set it to "Automatic"
- Be sure that everything else is "unchecked" in the "General PlugIn Settings"
- Press OK and Confirm you want to update the configuration
- Now open the configuration for the "JSM" plugin (the original Host plug-in)
- Switch to "Custom PlugIn Settings"
- Copy the whole text to the clipboard (e.g. selecting the whole text and pressing CTRL+C)
- Click on Cancel, so that you do NOT update the configuration of the original plug-in
- Reopen the configuration of the newly created plugin (e.g. jsm-2)
- Switch to "Custom PlugIn Settings"
- Overwrite the custom part, pasting the content of the clipboard (e.g. selecting the whole text and pressing CTRL+V)
- If needed, change the custom part to meet the requirements of the newly created plugin (e.g. database integration, message logging, type of authentication, etc.)
- Press OK and confirm the settings changes
- Start the new plug-in
- Repeat the previous steps for all the new hosts that you would like to add.
What you just did was add one or more JSM plug-ins to the TIMP server and tell TIMP to route messages addressed to a specific domain to the corresponding JSM plug-in.
Installing TIMP securely within the corporate firewall
1) If we use Active Directory that resides in the secure zone, where should we install TIMP server?
It depends.
If the Jabber server is only intended to be used from the internal LAN, the best option is to put it in the safe zone and allow users from outside to connect to the TIMP server only after a VPN/dial-in connection into the safe zone.
Otherwise, if you are planning to make TIMP interoperable with other Jabber servers, you should put it (or at least the s2s component) in the DMZ.
If, finally, you want to allow users to connect from the outside without a previously established VPN/dial-up connection, you also need to put the c2s/wireless proxy in the DMZ.
Depending on the level of interoperability you want, you have to (or can) open different ports on the two firewalls.
The most important thing to keep in mind is: *in NO way* enable non-SSL connections from outside your LAN.
2) If TIMP is in the DMZ, are there any concerns?
It is the same as placing an email server or a web server in the DMZ. Search for "Exchange in DMZ" for lots of opinions about whether this is good or evil, or read this article
http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=23653 and the MS links it points to.
3) If TIMP is in the DMZ, which ports on the second firewall need to be opened to allow AD authentication?
The answer depends on how your AD is configured, so the best choice is to read the documents above (TIMP has fewer requirements than Exchange, but whatever lets Exchange in the DMZ communicate with the AD also works for TIMP), log the traffic (with www.ethereal.org) while all the ports described in those documents are open, and then close those that you are sure you are not using for your particular AD setup.
4) If TIMP is in the DMZ, what other security measures do we need to take to secure TIMP and the Jabber protocol? Any statistics and counter-measures for Jabber server hack attempts?
There are no known server hacks for jabberd 1.4.2-based servers. The only precaution I suggest is not to allow plain authentication, at least from the outside (this can be prevented by filtering port 5222).
5) If we are to harden the TIMP W2K server platform, which services are not safe to remove? Do you have a typical hardening guide for TIMP servers?
TIMP only needs the DCOM and Workstation services to be installed.
Everything else (IIS, alerting, etc.) is useless for TIMP. Please refer to the MS guides at http://www.microsoft.com/security on how to lock down a Windows machine.
We also suggest enabling packet filtering on the machine (native in W2K, or through an application firewall or other third-party software) and blocking all *inbound* connections except to port 5222 (plain client connections), 5223 (SSL-protected client connections) and 5269 (server-to-server connections).
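The two rules from answers 4 and 5 (inbound only on 5222/5223/5269, and no plain client port 5222 from outside the LAN) written out as a policy check and run over a few constructed connection records. This is an added example, not TIMP's code and not a real W2K packet-filter configuration; the LAN range, the record format and the sample lines are assumptions made for the illustration.

```python
"""Inbound connection policy for a TIMP host reachable from outside.

Added illustration, not TIMP's code: encodes the published-port rule and the
"no non-SSL client connections from outside the LAN" rule, and applies them
to constructed connection records.
"""
import ipaddress
import re

# Assumption: the corporate LAN is 10.0.0.0/8; adjust to your own ranges.
LAN_RANGES = [ipaddress.ip_network("10.0.0.0/8")]

# The only ports the answer above allows inbound; everything else is dropped.
SERVICE_PORTS = {5222: "c2s plain", 5223: "c2s SSL", 5269: "s2s"}

# Constructed record format (not any real firewall's): "<src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"(\S+):(\d+) -> (\S+):(\d+)")


def is_internal(ip: str) -> bool:
    """True when the source address belongs to one of the LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_RANGES)


def decide(src_ip: str, dst_port: int) -> str:
    """Return 'allow' or a short denial reason for one inbound connection."""
    if dst_port not in SERVICE_PORTS:
        return "deny: port not published"
    # Plain (non-SSL) client connections are accepted from the LAN only.
    if dst_port == 5222 and not is_internal(src_ip):
        return "deny: plain c2s from outside the LAN"
    return "allow"


def audit(log_text: str):
    """Apply the policy to each record; returns (src_ip, dst_port, decision)."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a connection record
        src_ip, _sport, _dst_ip, dport = m.groups()
        results.append((src_ip, int(dport), decide(src_ip, int(dport))))
    return results


# Constructed sample records: 192.0.2.10 stands for the TIMP host.
SAMPLE_LOG = """\
10.1.2.3:4411 -> 192.0.2.10:5222
203.0.113.7:51002 -> 192.0.2.10:5222
203.0.113.7:51003 -> 192.0.2.10:5223
198.51.100.9:40000 -> 192.0.2.10:5269
203.0.113.7:51004 -> 192.0.2.10:80
"""

if __name__ == "__main__":
    for src, port, verdict in audit(SAMPLE_LOG):
        label = SERVICE_PORTS.get(port, "other")
        print(f"{src:>15} -> {port:<5} {label:<10} {verdict}")
```

Run it as a script to see one verdict per record; only the LAN client on 5222, the outside client on 5223 and the remote server on 5269 are allowed.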
6) If TIMP is in the DMZ and we have a number of server components and clients that sit on the server offering Jabber services, where is the best zone to place these applications: safe zone or DMZ?
It depends on the component, but in general it is safe to have client IM programs in the safe zone, as well as services. TIMP takes care not to deliver big messages (>1MB), which makes it very unlikely that a buffer overflow
could happen in a component/client. Of course, this does not protect against programming errors.
Is there a way we can pre-populate the user listings?
I was wondering if there is a way we can pre-populate the user listings for new employees here at our company. We are growing very fast and to have to teach people how to add contacts and also have to have each person accept each request is time consuming and not really necessary.
Here you can find some scripts that you can modify for that purpose:
http://jru.jabberstudio.org/
http://jabbertools.jabberstudio.org/
http://scriptrepo.jabberstudio.org/
(TIMP is compatible with jabberd 1.4.2 user format)
How can the karma be increased so that avatars can be loaded without clients being disconnected by the server?
TIMP implements a leaky bucket algorithm. For each bucket you can fine-tune two parameters: the duration and the size. Two buckets allow you to define a short-period limit and a long-period limit. By default:
- Peak bucket size is 10KB (10240 bytes) and peak duration is 10 seconds
- Mean bucket size is 20KB (20240 bytes) and mean duration is 60 seconds
Start the TIMP console, double-click the TGService plugin, go to the custom part, and look for a line containing jpolld.exe. Add the following
parameters:
-pbs 1048576 -ps 60 -mbs 1048676 -ms 60
to set the limits, e.g., to 1MB of traffic every 60 seconds (for both peak and mean traffic).
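To show why a large avatar trips the default limits and the raised ones do not, here is the two-bucket leaky bucket modelled in Python. This is an added example, not TIMP's or jpolld's code; the exact accounting TIMP performs is not on the page, so the model is an assumption: each bucket holds `size` bytes, leaks at `size/duration` bytes per second, and a stanza that would overflow either bucket is rejected (the point at which TIMP would disconnect the client). The sample traffic is constructed, and the raised limits use 1MB for both buckets as the text describes.

```python
"""Peak + mean leaky bucket traffic policer (added illustration, not TIMP's code).

Model assumed here: a bucket of `size` bytes drains at size/duration bytes per
second; a stanza that would overflow the peak or the mean bucket is rejected.
"""
from dataclasses import dataclass


@dataclass
class LeakyBucket:
    size: int        # capacity in bytes (-pbs / -mbs)
    duration: float  # seconds needed to drain a full bucket (-ps / -ms)
    level: float = 0.0
    last: float = 0.0

    def drain(self, now: float) -> None:
        """Leak at the constant rate size/duration since the last update."""
        elapsed = max(0.0, now - self.last)
        self.level = max(0.0, self.level - elapsed * self.size / self.duration)
        self.last = now

    def fits(self, nbytes: int, now: float) -> bool:
        self.drain(now)
        return self.level + nbytes <= self.size

    def add(self, nbytes: int) -> None:
        self.level += nbytes


class TrafficPolicer:
    """Short-period (peak) and long-period (mean) buckets; defaults from the text."""

    def __init__(self, pbs=10240, ps=10.0, mbs=20240, ms=60.0):
        self.peak = LeakyBucket(pbs, ps)
        self.mean = LeakyBucket(mbs, ms)

    def accept(self, nbytes: int, now: float) -> bool:
        # Check both buckets first, then charge both, so a rejected stanza
        # does not partially consume the other bucket's allowance.
        ok = self.peak.fits(nbytes, now) and self.mean.fits(nbytes, now)
        if ok:
            self.peak.add(nbytes)
            self.mean.add(nbytes)
        return ok


def first_rejected(stanzas, **limits):
    """Feed (timestamp_seconds, size_in_bytes) pairs through a fresh policer.

    Returns the index of the first stanza that trips a bucket, or None.
    """
    policer = TrafficPolicer(**limits)
    for i, (t, n) in enumerate(stanzas):
        if not policer.accept(n, t):
            return i
    return None


# Constructed sample traffic (not captured from a real server).
# Two small presence stanzas, then a vCard carrying a 64KB avatar.
AVATAR_BURST = [(0.0, 200), (0.5, 200), (1.0, 65536)]
# An 800-byte stanza every second: under the peak rate (10240 B / 10 s =
# 1024 B/s) but above the mean rate (20240 B / 60 s ~= 337 B/s), so only the
# long-period bucket eventually fills up.
STEADY_CHATTER = [(float(t), 800) for t in range(120)]

# Raised limits: 1MB per bucket over 60 seconds (assumed for both, as the text says).
RAISED = dict(pbs=1048576, ps=60.0, mbs=1048576, ms=60.0)

if __name__ == "__main__":
    print("avatar burst, defaults:", first_rejected(AVATAR_BURST))
    print("avatar burst, raised:  ", first_rejected(AVATAR_BURST, **RAISED))
    print("steady chatter, defaults:", first_rejected(STEADY_CHATTER))
    print("steady chatter, raised:  ", first_rejected(STEADY_CHATTER, **RAISED))
```

With the defaults the avatar stanza is rejected on its own, since 64KB exceeds the 10KB peak bucket regardless of timing, while the steady 800 B/s stream passes the peak bucket and is stopped by the mean bucket after roughly 40 seconds; with the raised limits both streams pass.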
Scaling TIMP
Can you tell me about some possible scalability/redundancy architectures with TIMP? We have about 1200 employees worldwide, and IM is a critical service for them. How would you recommend deploying TIMP?
There are 3 ways to achieve redundancy/scalability and it all depends on the way you want to configure your network.
1 - use a domain name for each section/department of your company; you would have IM addresses like:
xxx@NYC.mycompany
yyy@LA.mycompany
Install a server for each department and link them through s2s connections.
Benefits: distributed architecture; even if the connection drops between some departments, users can still chat within their own department.
2 - use one domain name; all 1200 users on one server.
For redundancy: use DB user integration; have a backup server with data replication and a script to switch from one server to the other.
Depending on the way your users chat, one server might not be enough (this can only be checked while using the system).
3 - use one domain and decouple front end and back end to scale. This solution allows you to scale nicely up to as many users as you want, but it requires a custom installation of TIMP.