
Presence Federation with Googletalk - Security Risk

hamed1900
Level 1

Hi,

We want to federate Jabber with Googletalk for a customer. All the VoIP servers are in the corporate network and not in the DMZ.

Based on the document we need to open a port for XMPP federation, which we cannot open from outside to inside as it would be a security risk.

My question is: can I install a Presence server for a cluster in the DMZ and let just that one node in the cluster talk to Googletalk, while users still get their Jabber clients registered to the other Presence servers in the corporate network?

HM

Accepted Solution

Jonathan Schulenberg
Hall of Fame

It's possible but not a good idea. For one, you would end up having to open many more ports to get the cluster database replication, XMPP server-to-server, etc. to work across the firewall. For another, the node in the DMZ has a full IPsec tunnel to the other nodes as well as CUCM; if the DMZ node was compromised your entire cluster would be in trouble, except now you gave the attacker a protected tunnel instead of confining them to only the XMPP port/process. For SIP federation Cisco used a TLS proxy feature of the ASA, but that has never been developed for the XCP side of things. For XMPP you either need to rely on SELinux and iptables embedded in the appliance, or look at third-party XMPP proxies, which are not supported by Cisco. IMO, you're more likely to introduce security risks than close them by using a third-party proxy.

Please remember to rate helpful responses and identify helpful or correct answers.

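To make the trade-off in the accepted answer concrete, here is an added example that is not from the thread and not Cisco's code: a small Python model of the firewall rules each design needs. It counts the rules that cross a zone boundary, flags the ones that are wildcard-port tunnels, and computes what the Internet-facing node can reach if it is compromised. The host names, zones, the tunnel list and the modelling rule that a wildcard-port tunnel gives full reach to its peer are all assumptions; only the XMPP server-to-server port 5269 is a standard value.

```python
"""Toy firewall-rule model for the two federation designs discussed above.
Constructed example: hosts, zones and rule sets are assumptions, not Cisco
documentation. Each rule is (source host, destination host, allowed port)."""

ANY = "*"              # wildcard port: an IPsec tunnel carries any traffic between peers
XMPP_S2S = "5269/tcp"  # standard XMPP server-to-server port (RFC 6120)

# Which side of which firewall each (assumed) host sits on.
ZONES = {
    "internet": "internet",
    "imp-dmz": "dmz",
    "imp-internal-1": "corp",
    "imp-internal-2": "corp",
    "cucm": "corp",
}

# Tunnels the cluster needs among its own members and to CUCM (assumed list).
CLUSTER_TUNNELS = [
    ("imp-internal-1", "imp-internal-2", ANY),
    ("imp-internal-1", "cucm", ANY),
    ("imp-internal-2", "cucm", ANY),
]

# Design 1: open the s2s port from the Internet straight to an internal node.
DESIGN_OPEN_PORT = [("internet", "imp-internal-1", XMPP_S2S)] + CLUSTER_TUNNELS

# Design 2: put one cluster node in the DMZ; it still needs its tunnels inward.
DESIGN_DMZ_NODE = [
    ("internet", "imp-dmz", XMPP_S2S),
    ("imp-dmz", "imp-internal-1", ANY),
    ("imp-dmz", "imp-internal-2", ANY),
    ("imp-dmz", "cucm", ANY),
] + CLUSTER_TUNNELS


def firewall_crossings(rules):
    """Rules whose endpoints sit in different zones, i.e. holes in a firewall."""
    return [r for r in rules if ZONES[r[0]] != ZONES[r[1]]]


def wildcard_crossings(rules):
    """Crossings that allow any port: whoever holds the source host gets a
    protected path to the destination rather than one application port."""
    return [r for r in firewall_crossings(rules) if r[2] == ANY]


def reach_after_compromise(rules, foothold):
    """Hosts fully reachable once `foothold` is owned.  Model assumption: a
    wildcard rule makes the peer fully reachable and that peer's own outbound
    rules become usable too; a single-port rule exposes only one service and
    is not followed transitively."""
    owned, todo = {foothold}, [foothold]
    while todo:
        host = todo.pop()
        for src, dst, port in rules:
            if src == host and port == ANY and dst not in owned:
                owned.add(dst)
                todo.append(dst)
    return owned


def compare(designs):
    """Summarise each design: rules crossing a firewall, how many of those are
    wildcard tunnels, and what the Internet-facing node reaches if owned."""
    summary = {}
    for name, rules in designs.items():
        edge = next(dst for src, dst, _ in rules if src == "internet")
        summary[name] = {
            "crossings": len(firewall_crossings(rules)),
            "wildcard_crossings": len(wildcard_crossings(rules)),
            "reach_if_edge_owned": sorted(reach_after_compromise(rules, edge)),
        }
    return summary


if __name__ == "__main__":
    designs = {"open-port": DESIGN_OPEN_PORT, "dmz-node": DESIGN_DMZ_NODE}
    for name, result in compare(designs).items():
        print(name, result)
```

Running it shows the point the answer makes: the DMZ design turns one single-port hole in the perimeter into one single-port hole plus three wildcard tunnels through the inner firewall, and the Internet-facing node ends up with full reach to every cluster node either way, so moving it to the DMZ buys no confinement.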

2 Replies


Thanks Jon,

Gtalk decided not to use XMPP and wants to use its own protocol anyway, which is a shame.
