Jabber behind a DMZ forward proxy

I have been searching for a way to use our internal Jabber server without having to be connected via VPN. The solution-a forward proxy in the DMZ that can securely talk back to the Jabber server. Here’s how you build it:

1) Build a stripped-down Linux server using your favorite distribution. This server will live in a DMZ environment, so the usual security warnings apply: install only needed packages, minimize running services, run an iptables firewall, harden the server using Bastille and/or manual methods, and regularly apply patches.

2) Install Apache 2.x from source. Be certain to include in your configure statement the “–enable-proxy” and “–enable-proxy-http” arguments, as they will provide the needed proxy functionality. The same security warnings also apply to the Apache build: compile only the modules you absolutely need, set appropriate file and directory permissions, and use restrictive directives to limit server functionality.

3) In the Apache httpd.conf file, add the following directives (adapt to your IP addressing scheme):

ServerName im.somedomain.com
ServerAdmin [email protected]
ErrorLog /httpd/logs/im_somedomain_com/error.log

# Proxy Section
ProxyRequests on
AllowCONNECT 5222

<proxy *>
Options None
AllowOverride None
Order Deny,Allow
Deny from all
Allow from all

4) Once configured, start Apache, place the server in the DMZ, and make the following firewall changes:
a) Allow inbound HTTP traffic to the Apache server over port 80.
b) Allow the Apache proxy server to talk over port 5222 (TCP) to the internal Jabber server.

5) Setup your external DNS server to resolve im.somedomain.com to the IP address of the proxy server.

6) Open your GAIM client and configure it to use the proxy. Choose Tools/Accounts to open the Accounts screen, then click on your Jabber account, and click the “Modify” button. In the “Modify Account” window, expand the “Show more options” section. In the Proxy Type drop-down list, select HTTP. Next, enter your external domain name for the proxy server, such as im.mydomain.com in the Host field with a port of 80 in the Port field. Click Save to store your settings, and then connect normally.

This will allow you to connect to the Apache proxy via HTTP, then have your session tunnelled over port 5222 (TLS) to the backend Jabber server.

No additional configuration is necessary on the origin Jabber server.