This repository has been archived by the owner on Feb 12, 2019. It is now read-only.

InstallGuide CorporateConfiguration

Tomasz Sterna edited this page Feb 12, 2012 · 2 revisions


A.7. Jabberd for Corporate Use

This appendix provides some tips for installing Jabberd for use by a corporation or other private organization. These tips were originally posted by Ken Wermann on the Jadmin Mailing List:

  • Install from Source
  • Install to Unix
  • Locate Server in DMZ or on LAN
  • Enable Only SSL Communication
  • Apply OpenSSL Patches
  • Disable User Registration
  • Use Strong Server Passwords
  • Avoid Transports and Additional Services
  • Log Conversations
  • Use JAJC or Exodus Jabber Client

These tips are not meant as an exhaustive guide to installing Jabberd for corporate use.

A.7.1. Install from Source

Install the latest stable Jabberd server from source. Although there are many packages (RPMs, etc.) available for Jabberd, users report various problems with some of these. At the time of writing, Jabberd 2.0s1 is the latest stable release, and it is available from Jabber Studio.

A.7.2. Install to Unix

Jabberd is native to Unix. Although libraries exist for installing Jabberd to Windows, you should make your corporate installation only to a flavor of Unix.

A.7.3. Locate Server in DMZ or on LAN

Administrators should give careful consideration to whether users may need to connect from outside the corporate firewall. If users will never need to connect from outside the firewall, then locate the Jabberd server on the corporate LAN. For the Jabberd host name, you can use any name that clients can resolve. In this configuration, your Jabberd server will not be able to communicate with other Jabber servers.

If you have users that need to connect from outside the firewall — even if only occasionally — you should locate your Jabberd server in a DMZ. Open port 5223 on both the DMZ and firewall to permit SSL encrypted Jabber communication. For your Jabberd host name, you can use a host on your domain, such as jabber.mycompany.com.

A.7.4. Enable Only SSL Communication

Even if your server is located on the corporate LAN, you should enable only SSL communications. Instant messaging traffic is easy to sniff on a network. See Section 5.2 for information about how to configure Jabberd 2 for SSL.

A.7.5. Apply OpenSSL Patches

Keep your OpenSSL installation up to date and apply the latest patches as they become available. You may wish to subscribe to the OpenSSL Mailing Lists.

A.7.6. Disable User Registration

Public user registration should be disabled. See Section 5.5 for information about how to disable public registration for Jabberd 2. Enabling user password change (Section 5.6) would be a good idea.

With public registration disabled, administrators will need to create user accounts. See the JabberStudio: Script Repository for user creation scripts that can be used with Jabberd 1.4. See Section 6.3 for information about how to create accounts with Jabberd 2.

A.7.7. Use Strong Server Passwords

Change all default server passwords and secrets, and use strong passwords in their place. These include the password for your database connection and the password for your router connections.
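A configuration audit covering the SSL-only, registration and password tips (A.7.4, A.7.6 and A.7.7), added here as an example and not taken from the Jabberd documentation or project. The XML element names, the meaning of port 0, the weak-password list and the 16-character minimum are assumptions, and the sample file is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a file shipped with Jabberd. Element and attribute
# names (router/pass, local/id register-enable, local/port, local/ssl-port)
# are assumptions modelled on a jabberd2-style c2s.xml; verify them against
# the configuration installed with your version.
SAMPLE_C2S = """
<c2s>
  <router>
    <user>jabberd</user>
    <pass>secret</pass>
  </router>
  <local>
    <id register-enable='true'>jabber.mycompany.com</id>
    <port>5222</port>
    <ssl-port>5223</ssl-port>
  </local>
</c2s>
"""

# Assumed list of default or guessable secrets; extend for your site.
WEAK = {"", "secret", "password", "jabberd", "changeme"}
MIN_SECRET_LEN = 16  # assumed site policy, not a Jabberd requirement


def audit_c2s(xml_text):
    """Return findings for tips A.7.4, A.7.6 and A.7.7, in that order."""
    root = ET.fromstring(xml_text)
    findings = []
    # A.7.4: assume port 0 disables a listener; only SSL should be open.
    if root.findtext("local/port", default="0").strip() != "0":
        findings.append("plaintext client port is enabled")
    if root.findtext("local/ssl-port", default="0").strip() == "0":
        findings.append("no SSL client port is configured")
    # A.7.6: treat any register-enable attribute as enabling registration,
    # whatever its value, so a stray register-enable='false' is also flagged.
    for host in root.findall("local/id"):
        if host.get("register-enable") is not None:
            name = (host.text or "").strip()
            findings.append(f"public registration enabled for {name}")
    # A.7.7: the router connection password must not be a default.
    secret = root.findtext("router/pass", default="").strip()
    if secret.lower() in WEAK or len(secret) < MIN_SECRET_LEN:
        findings.append("router password is default or too short")
    return findings


if __name__ == "__main__":
    for finding in audit_c2s(SAMPLE_C2S):
        print("FINDING:", finding)
```

An empty result means none of the three checks fired; it does not cover the database password, which lives in a different configuration file.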

A.7.8. Avoid Transports

Although Jabber transports (for foreign IM systems) can provide desirable features, administrators should avoid providing these services because they may create additional security vulnerabilities as well as HR risks. On the other hand, JUD and Conferencing are recommended services for corporate installations. Note that at the time of writing JUD does not function properly with Jabberd 2.

A.7.9. Log Conversations

Check with your legal department to determine the requirements for message logging. Laws about message logging vary by country, state, province, etc., and these laws often prescribe how long message logs must be preserved. This is especially true for certain industries, such as financial and healthcare.

Log IM messages if this is permitted or required. Inform your users that their conversations are being logged because this is good practice and because this will discourage inappropriate use of IM. See JabberStudio for utilities for monitoring Jabber traffic. Currently, there are no available utilities for logging messages on Jabberd 2.

A.7.10. Use JAJC or Exodus Jabber Client

JAJC is a good choice of a client for deployments running Jabberd 1.4 on Windows 2000 or higher because it is a mature, full-featured Jabber client that supports SSL.

Exodus is a good choice of a client for deployments running Jabberd 2. Like JAJC, Exodus is a stable client with many Jabber features. Additionally, Exodus supports SASL for authentication and TLS for channel encryption. Exodus is also a good choice for clients running on older Windows systems.


© 2003 Will Kamishlian and Robert Norris

This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
