deploying dmz secure xmpp proxy server - lotus

Sametime GatewayVersion 9

Deploying DMZ XMPP Proxy Server

November 2013

Edition Notice

Note: Before using this information and the product it supports, read the information in "Notices."

This edition applies to versions 8.5.2 IFR1 and 9.0 of IBM Sametime (program number 5724–J23).

© Copyright IBM Corporation 2013.US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

ContentsIntroduction..............................................................................................................................................................2

The dual DMZ approach.....................................................................................................................................2DMZ XMPP proxy server...................................................................................................................................3

Installing and configuring Sametime Gateway........................................................................................................3Setting up DMZ XMPP proxy server......................................................................................................................4

Installing WebSphere 7.0.0.15 Network Deployment........................................................................................4Downloading files..........................................................................................................................................4Installing Network Deployment 7.0.0.15.......................................................................................................4

Installing the XMPPProxy application..............................................................................................................14Defining an internal port for listening to servers..............................................................................................16Creating and defining the shared_lib shared library.........................................................................................17Defining the class loader...................................................................................................................................21Enabling the startup bean..................................................................................................................................22

Creating custom properties in Sametime Gateway................................................................................................23Configuring firewalls.............................................................................................................................................24

Setting inner firewall rules................................................................................................................................24Setting middle firewall rules.............................................................................................................................25Setting outer firewall rules................................................................................................................................26

IBM Sametime Gateway Deploying DMZ XMPP proxy server 1

IntroductionThis guide explains how to enhance security by deploying an XMPP proxy server as a separate cell that resides in a DMZ between IBM® Sametime® Gateway servers and the Internet.

The dual DMZ approachThe Sametime Gateway connects an organization's Sametime Community Server to the outside world through the Internet. This outside connectivity poses risks and requires firewall protection. Normally, an organization would meet this requirement by deploying the Sametime Gateway in a DMZ (demilitarized zone) situated between the company's own intranet and the Internet. Clients using XMPP to access Sametime Gateway from the Internet tunnel through an outer firewall to an XMPP proxy server, which then routes client requests through an inner firewall to the corporate intranet where Sametime servers are deployed.When you deploy Sametime Gateway using a single DMZ, the deployment looks like this, where each of the colored blocks represents a different zone with different firewall settings:

For some organizations, a single DMZ does not provide a sufficient level of security, and an additional DMZ is required to further isolate Internet-facing servers. This "dual DMZ" approach increases security by inserting an additional "middle" firewall between the Internet and the corporate intranet, creating another network zone called an Application DMZ:

In this type of deployment, the Sametime Gateway servers are moved outside the inner firewall but are separated from the original (Web) DMZ by a new middle firewall, creating an Application DMZ. The XMPP proxy server is deployed in the Web DMZ to isolate it from the Sametime Gateway server in the Application DMZ.


DMZ XMPP proxy serverThe DMZ XMPP proxy server is the same J2EE application that Sametime Gateway uses for the conventional XMPP server. The difference is how you deploy it: you deploy the DMZ XMPP server in a different cell from Sametime Gateway, and you set up a firewall between the Sametime Gateway servers and the DMZ XMPP proxy server. The use of a separate cell and an additional firewall provide added security to your Sametime deployment.To deploy the DMZ XMPP proxy server, you will set up a dual DMZ deployment where the Sametime Gateway servers reside in the Application DMZ and the DMZ XMPP proxy server resides in the Web DMZ. External XMPP users can access only the DMZ XMPP proxy server, which passes requests for data to the Sametime Gateway servers, which in turn connect to the Sametime Community Servers on the corporate intranet before routing data back to the users. Note that the DMZ XMPP proxy server is not secured like the WebSphere DMZ Secure Proxy Server, because the XMPP application is installed on a WebSphere Application Server. However, deploying the DMZ XMPP in an dual-DMZ configuration does provide more security than installing it within the base DMZ.

Installing and configuring Sametime GatewayInstall and configure either a stand-alone Sametime Gateway server, or a cluster of Sametime Gateway servers, as described in the Sametime wiki.Deployment notes: • Do not deploy an XMPP proxy server as instructed in the product documentation, because XMPP

communications from external clients will be routed through the DMZ XMPP proxy server instead. You will install the DMZ XMPP server as a separate task after Sametime Gateway is running.

• Configure the inner firewall (between the Sametime Community Servers in the Intranet zone and the Sametime Gateway servers in the Application DMZ) as explained in the Sametime wiki topic, Opening ports in the firewall.

• You will create one Sametime Gateway cell, containing either a single, stand-alone server, or a cluster of servers.


http://www-10.lotus.com/ldd/stwiki.nsf/dx/Opening_ports_in_the_firewalls_st852ifr1


http://www-10.lotus.com/ldd/stwiki.nsf/dx/Installing_a_Sametime_Gateway_server_st852ifr1

Setting up DMZ XMPP proxy serverInstall and configure a DMZ XMPP proxy server by first installing WebSphere Application Server Network Deployment.Note: These instructions use WebSphere 7.0.0.15 in the examples. If you have updated the WebSphere servers in your deployment to a later fix pack level, then you should update the server that will host DMZ XMPP proxy server to match. For best results, all of the WebSphere servers in your deployment should be at the same fix pack level.

Installing WebSphere 7.0.0.15 Network Deployment Install WebSphere Network Deployment on the computer that will function as the DMZ XMPP proxy server. You will install with no profile and then use the Profile Management Tool to create a custom cell profile.

Downloading files

You can download files from CD/DVD or Passport Advantage.

1. Log in to the computer as the system administrator (Microsoft® Windows®) or as root (IBM AIX®, Linux, Solaris).

2. Navigate to a temporary location where you want to store downloaded files.

3. Download the following package:

WASND V7.0.0.15 Customized Installation Package operating_system for Sametime V8.5.2 Multilingual

4. Extract the package into the temporary location.

Installing Network Deployment 7.0.0.15

1. Navigate to the ifpackage/WAS directory below the temporary location where you extracted the Network Deployment V7.0.0.15 package.

2. Start the installation wizard by running the following command: installThis command is available on all operating systems.

3. Use the wizard to install the Network Deployment:a. On the "Welcome to the IBM WebSphere Application Server Network Deployment installation wizard"

screen, click Next.


b. On the "Software License Agreement" screen, click I accept both the IBM and the non-IBM terms and then click Next.

c. On the "System Prerequisites Check" screen, verify that your computer satisfies the prerequisites and then click Next.

If your computer does not meet the prerequisites, you must exit the wizard, modify the computer until prerequisites are met, and then begin again from step 2.

d. On the "Optional Features Installation" screen, do not select any optional features -- just click Next.


e. On the "Installation Directory" screen, accept or change the Product Installation location and then click Next.

f. On the "WebSphere Application Server Environments" screen, select None and then click Next.

g. Click Yes when the warning message prompts you to choose whether to continue without creating a profile:


h. On the "Repository for Centralized Installation Managers" screen, do not select the option to create the repository -- just click Next.

i. On the "Installation Summary" screen, review the summary and if it is correct, click Next to begin the installation.

If the summary is not correct, click Previous as needed to back up and correct any settings as needed before clicking Next to return to the summary and begin the installation.


j. On the "Installation Results" screen, do the following:

i. Verify that the server was successfully installed.ii. Click Create a new WebSphere Application Server profile using the Profile Management tool.iii. Click Finish.

The installation wizard opens the Profile Management Tool. Proceed to the next section to configure a profile for the XMPP server.

Configuring the server profileAfter WebSphere Network Deployment has been installed, you can configure the server's profile.1. When the Profile Management Tool opens, click the Launch Profile Management Tool button.

2. In the “Profiles” list, click the Create button:


3. On the “Environment Selection” screen, click Application Server, and then click Next:

4. On the “Profile Creation Options” screen, click Advanced profile creation and then click Next:


5. On the “Option Application Deployment” screen, clear the Deploy the default application option, and then click Next:

6. On the “Profile Name and Location” screen, do the following before clicking Next:a. Change the Profile name to RTCGW_Profile1b. Change the Profile directory to match by replacing the last folder name “AppSvr02”

with RTCGW_Profile1


7. On the “Node and Host Names” screen, change the Server name to XMPPProxyServer, and then click Next:

8. On the “Administrative Security” screen, click Enable administrative security, create an administrator user name and password, and then click Next:

9. In the “Security Certificate (Part 1)” screen, click Next without changing any settings.10. In the “Security Certificate (Part 2)” screen, click Next without changing any settings.11. In the “Port Values Assignment” screen, click Next without changing any settings.


12. (Windows only) In the "Windows Service Definition" screen, clear the Run the application server process as a windows service option, and then click Next:

13. On the “Web Server Definition” screen, click Next without changing any settings.14. On the “Profile Creation Summary” screen, verify the settings and then click Create.15. On the “Profile Creation Complete” screen, click Launch the first steps console, and then click Finish:


16. Use the “First steps” console to start the XMPP server and open the administrative console:

a. On the “First steps” console, click Start the server.Wait for the following message to confirm that the server has started:Server XMPPProxyServer open for e-business.

b. Return to the “First steps” console and click Administrative console.The server's administrative console (the Integrated Solutions Console) opens in a browser.

Proceed to the next section, where you will use the administrative console to install the XMPP proxy server application.


Installing the XMPPProxy applicationUse the administrative console to install the XMPP proxy server application that is included in the Sametime Gateway package. 1. Log in to the administrative console using the user name and password you created during installation.2. Copy the rtc.xmppproxy.ear file from the fix package to temporary folder on the computer where you

will install it (the server where you just configured the profile).3. In the console, navigate to Applications Application types WebSphere enterprise applications.4. In the Enterprise Applications table, click the Install button:

5. On the “Path to the new application” screen, browse to the location where you placed the rtc.xmppproxy.ear file, and then click Next:

6. On the “How do you want to install the application?” screen, click Fast Path – Prompt only when additional information is required, and then click Next.


7. Click Next on each of the remaining installation pages without changing any settings; at the “Summary” page, click Finish.

8. Review the installation messages and verify that the application installed successfully:

9. Save the installed application by clicking Save directly to the master configuration:

Leave the administrative console open for the next task.


Defining a port for communications from Sametime Gateway serversOn the new XMPP proxy server, define a port for listening for communications from Sametime Gateway servers.1. Back in the administrative console's navigation tree, click Servers Server types WebSphere

applications servers.2. In the list of application servers, select XMPPProxyServer.3. On the “Configuration” tab, look under “Communications” and click Ports.4. In the Ports table, click the New button:

5. In the “Port Name” section, click User-defined Port and type XMPP_INTERNAL_PORT in the Specify Port name field..

6. In the Host field, type the IP address of the computer on which XMPPProxyServer is installed.7. In the Port field, type 5272.8. Click OK.9. Click the Save link in the “Messages” box at the top of the page:


Creating and defining the shared_lib shared libraryCreate a shared library of Sametime Gateway files that are also used by the XMPP proxy server.1. On the XMPP proxy server, create a directory named STgatewayProxy below the WebSphere installation

root, so that the new directory is at the same level as the AppServer directory.For example, on Windows you would create the new directory with the following path:C:\Program Files\IBM\WebSphere\STgatewayProxy

2. Within the new STgatewayProxy directory, create a subdirectory called rtc_gw_lib; this will serve as the shared library.

3. Copy the following files from the fix package: dbpersist.jarjdom.jarrtc.gatewayAPI.jarrtc.gatewayConfig.jar

4. Place the files into the new STgatewayProxy/rtc_gw_lib directory.5. (Windows only) Determine the Windows 8.3 format (the “short path”) of the shared library's path:

You will supply the path in the Shared Libraries setting in the WebSphere administrative console. In Windows, the default installation path for WebSphere ND includes spaces (C:\Program Files\IBM\WebSphere); however, WebSphere does not accept paths with spaces in the name. If your installation path includes spaces, work around this issue by determining the 8.3 version of the path, which does not use spaces.a. In Windows Explorer, navigate to the directory, highlight the full path in the address bar, and copy the

path by right-clicking and selecting Edit → Copy.

b. Open a command prompt by doing one of the following:- Clicking Start → All Programs → Accessories → Command prompt.- Clicking Start → Run, typing cmd.exe, and then clicking OK.


c. In the command prompt, type cd followed by a space, and then paste the path you copied by right-clicking and selecting Edit → Paste.

d. Press Enter to change to the directory.e. Now run the command command:

The path is displayed in Windows 8.3 format; for example: C:\PROGRA~1\IBM\WEBSPH~1\STGATE~2\RTC_GW~1


f. Write down the path for use later in this task.Tip: If you are concerned about typing errors, you can run the dir command and save the output to a file:

And then copy the path from the file when you need it:

6. Define the shared library for the XMPP Proxy server:a. In the WebSphere administrative console, click Environment -> Shared libraries.b. In the Shared Libraries page, verify that Show scopes selection drop-down list with all the scopes

options is selected.


c. Select your XMPP server from the list (look for the server listing your server's node name with server1 as the server name).

d. In the scopes table for your XMPP server, click the New button.e. Set the scope to use the following values, and then click Apply:

Name: GatewayLibClasspath: Type the path to the rtc_gw_lib folder that you created in step 2 (this path cannot contain spaces).Attention: In Windows, type the 8.3 formatted short path that you determined earlier, and use forward slashes (/) as delimiters; for example: C:/PROGRA~1/IBM/WEBSPH~1/STGATE~2/RTC_GW~1If you copy and paste the path from the saved directory listing, be sure to correct the slashes now.

f. Click OK.g. Click the Save link in the “Messages” box at the top of the page:


Defining the class loaderCreate a class loader for the XMPP proxy server and assign the new shared library to it.1. Create the class loader:

a. In the WebSphere administrative console, click Servers → Server Types → WebSphere application servers.

b. In the servers list, click XMPPProxyServer.c. On the Configuration page, look under “Server infrastructure” and click Java and Process

Management → Class loader.d. In the class loaders table, click the New button.e. In the Class loader order list, click Classes loaded with parent class loader first.f. Click OK.g. Click the Save link in the “Messages” box at the top of the page:

2. Associate the new shared library with the XMPP proxy class loader you created. a. Return the the class loaders table and click the new class loader ID that you just created.b. Click Shared library.c. In the Shared libraries table, click the Add button.d. Select the GatewayLib shared library from the list.e. Click OK.f. Click the Save link in the “Messages” box at the top of the page.


Enabling the startup beanEnable the startup bean so that the XMPP proxy server can start whenever the WebSphere server hosting it is started.1. In the WebSphere administrative console, click Servers → Server Types → WebSphere application

servers.2. In the servers table, click XMPPProxyServer.3. On the Configuration page, look under “Container Settings” and click Container Services → Startup

beans service.4. Look under “General Properties” and click Enable service at server startup.

5. Click OK.6. Click the Save link in the “Messages” box at the top of the page:

7. Restart the XMPP proxy server.


Creating custom properties in Sametime Gateway Enable the Sametime Gateway server or cluster to use the DMZ XMPP server by creating two custom properties on every Sametime Gateway server in the cluster. These properties supply the host name and port of the DMZ XMPP server.1. In the administrative console, click System administration → Cell.2. On the Configuration page, look under "Additional Properties" and click Custom Properties.

3. Add the first custom property:a. In the custom properties table, click New.b. Type xmpp.dmz.proxy.hostname in the Name field.c. In the Value field, type the host name of the XMPP proxy server.d. Click OK.

4. Add the second custom property:a. In the custom properties table, click New.b. Type xmpp.dmz.proxy.port in the Name field.c. In the Value field, type the port used by the XMPP proxy server.d. Click OK.

5. Click the Save link in the "Messages" box at the top of the page.

6. Restart the Sametime Gateway server or cluster. 7. Synchronize and restart nodes in the Sametime Gateway cluster as follows:

a. In the navigation tree, click System Administration → Nodes.b. Select all nodes in the cluster, and then click the Full Resynchronize button at the top of the table.c. Back in the navigation tree, click System Administration → Node Agents.d. Select all nodes in the cluster, and then click the Restart button at the top of the table.


Configuring firewallsThe dual DMZ deployment requires that you create an additional demilitarized zone (a Web DMZ) by deploying another firewall between the DMZ XMPP proxy server cell and the Internet, and then configure the firewall settings between the Web DMZ and the Application DMZ where the Sametime Gateway cluster resides.

Setting inner firewall rulesThe inner firewall separates the corporate intranet (where the Sametime Community Servers are hosted) from the Application DMZ (where the Sametime Gateway servers are hosted) and should be configured as explained in the Sametime wiki topic, Opening ports in the firewall.



Setting middle firewall rulesThe middle firewall separates the Application DMZ (where Sametime Gateway is hosted) from the Web DMZ (where the DMZ XMPP proxy servers are hosted) and should be configured according to the following rules:

Middle firewall rules

From IP From Port To IP To Port Protocol Direction Comments

Sametime Gateway servers

Ephemeral port range of the operating system

DMZ XMPP proxy server

Defined DMZ XMPP proxy port (see page 16).

TCP/TLS Inbound Incoming internal XMPP traffic in the cluster


Ephemeral port range of the operating system

Sametime Gateway servers

Server-defined XMPP port, or by default, 5269

TCP/TLS Outbound Outgoing internal XMPP traffic in the cluster

*Any Any DMZ XMPP proxy server

§ 9060 TCP Inbound Admin Console

*Any Any DMZ XMPP proxy server

§ 9043 TLS Inbound Admin Console

Block all unused DMZ ports

* Administrative console ports are optional. The administrative console can be accessed locally by opening the web browser on the DMZ XMPP proxy host, without defining rules in firewall. If you choose to access the console from an external host, that external host should be defined in your firewall rules.

§ Verify that ports 9060 and 9043 are not already in use by another service by checking the "Administrative console secure port" and "Administrative console port" values in the AboutThisProfile.txt file.


Setting outer firewall rulesThe outer firewall separates the Web DMZ (where the DMZ XMPP proxy servers are hosted) from the Internet, and should be configured according to the following rules:

Outer firewall rules

From IP From Port To IP To Port Protocol Direction Comments

Any IP of external XMPP server

Any IP of DMZ XMPP proxy server

5269 TCP/TLS Inbound Incoming XMPP traffic


Ephemeral port range of operating system

External XMPP servers

5271 TCP/TLS Outbound Outgoing XMPP traffic

Block all unused DMZ ports


NoticesThis information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:IBM Director of LicensingIBM CorporationNorth Castle DriveArmonk, NY 10504-1785U.S.A.For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:Intellectual Property LicensingLegal and Intellectual Property LawIBM Japan Ltd.1623-14, Shimotsuruma, Yamato-shiKanagawa 242-8502 JapanThe following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:IBM Corporation5 Technology Park DriveWestford Technology ParkWestford, MA 01886

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.This information is for planning purposes only. The information herein is subject to change before the products described become available.This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

TrademarksThese terms are trademarks of International Business Machines Corporation in the United States, other countries, or both:IBMAIXSametimeWebSphereJava and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States, other countries, or both.Linux is a trademark of Linus Torvalds in the United States, other countries, or both.Other company, product, or service names may be trademarks or service marks of others.

deploying dmz secure xmpp proxy server - lotus

Documents