Secure OpenFire for Enterprise Usage: Extended Features w/ Plugins
Now we are going to add a bunch of plugins!
Download the following plugins from here: http://www.igniterealtime.org/projects/openfire/plugins.jsp
- Client Control
- Content Filter
- Kraken IM Gateway (If you are killing ALL other IM use in your enterprise but still want to allow users to access other IM networks from their work PC, you can use Kraken to do this. Kraken will allow them to connect Yahoo Messenger, for instance, to the Spark IM client (the one we are going to use). At that point, we can audit (i.e. LOG) ALL conversations on the outside network that occur from their work PC.)
- Monitoring Service (very important, this is what will record all IM chats)
Go to the plugins tab on your server.
At the bottom, choose each file you downloaded and upload it to install it. Once you are done, continue on…
First, we need to disable OTR. OTR is direct client-to-client encryption. This is bad because it also encrypts the chat from the server, so your audit logs don’t record what is typed. To turn this off, we use a simple text filter against the command used to enable it (every OTR message starts with “?OTR”). To do so, go to:
server –> server settings –> Content Filter –> Filter –> Tick “enabled” –> in the patterns box delete anything in there and enter “\?OTR” (without the quotes) on the first line –> under Rejection Notification tick enabled –> under Content Match Notification you do not need to enable this, but you do need to enter a legitimate user account; use your own username –> save settings
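As an added example (not part of the original tutorial and not the Content Filter plugin’s own code), this Python snippet replays the “\?OTR” pattern against a few constructed chat stanzas to show what the filter will and will not reject; the JIDs, bodies and the simplified reject-or-allow logic are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Patterns as entered in the Content Filter "patterns" box, one per line.
# The tutorial's pattern is \?OTR: the backslash makes '?' a literal
# character instead of the regex "optional" quantifier.
PATTERN_LINES = [r"\?OTR"]
PATTERNS = [re.compile(p) for p in PATTERN_LINES]

def message_body(stanza_xml):
    """Extract the <body> text of a <message> stanza (namespace omitted
    in the constructed samples; a real stream uses jabber:client)."""
    root = ET.fromstring(stanza_xml)
    return root.findtext("body") or ""

def filter_message(stanza_xml, patterns=PATTERNS):
    """Mimic the plugin's decision: reject the stanza if any pattern
    matches the body. Returns (rejected, matched_pattern_or_None).
    Assumed behaviour for illustration, not the plugin's source."""
    body = message_body(stanza_xml)
    for pat in patterns:
        if pat.search(body):
            return True, pat.pattern
    return False, None

def stanza(body):
    """Build a constructed one-to-one chat stanza with the given body."""
    return ('<message from="alice@example.test/Spark" '
            'to="bob@example.test" type="chat"><body>'
            + body + '</body></message>')

# Constructed samples (not captured traffic).
SAMPLES = {
    # OTR version query a client sends to start a session.
    "otr_query": stanza("?OTRv23?"),
    # Every later OTR protocol message is "?OTR:" + base64, so the
    # handshake itself is blocked even if a query slipped through.
    "otr_data": stanza("?OTR:AAMCAAAAAQ==."),   # made-up base64, not real
    # Ordinary chat that must pass and be archived.
    "plain": stanza("Lunch at noon?"),
    # Mentions OTR without the leading '?' so the pattern must NOT match.
    "mention": stanza("Is the OTR plugin disabled now?"),
}

def run_filter(samples=SAMPLES):
    """Apply the filter to every sample; returns {name: rejected}."""
    return {name: filter_message(xml)[0] for name, xml in samples.items()}

if __name__ == "__main__":
    for name, rejected in run_filter().items():
        print(f"{name:10s} -> {'REJECTED' if rejected else 'allowed'}")
```

Only bodies containing the literal text “?OTR” are rejected, so ordinary chat that merely mentions OTR still flows through to the archive.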
Next we need to turn on auditing/monitoring of all chat. Go to:
server –> archiving –> archiving settings –> under “Message Archiving” tick “Archive One to One chats” and “Archive group Chats” –> the rest of the default settings will archive messages for all time; if you don’t need this, you can change the max message age to whatever your requirements are, 2 years is usually a pretty safe bet… 730 days… –> Update Settings
You may need to turn off file transfers between clients so your office LAN doesn’t turn into a peer-to-peer network for sharing Britney Spears’ latest comeback album. To do that, go to:
server –> Client Management –> Client Features –> File Transfer –> set to disabled –> save settings
You may want to lock down users so they can only connect to your IM server using Spark or another regulated client. You do that here:
server –> Client Management –> Permitted Clients
Finally, you may want to enable other IM networks. This will allow users to, for example, use Facebook chat from Spark or use AIM from Spark. Because you will be auditing conversations on these other networks, you may be able to allow it, but your employees need to know that while they are at work you are unfortunately in the role of having to play big brother. You can enable these other services via Kraken from here:
server –> Gateways –> Transports –> Tick the services you want to enable.
Okay, now you are pretty much all set up. If you are going to use your server from the internet, you need to forward TCP port 5222 to the public IP address you linked to the DNS record you set up before all of this began, and you need to allow traffic for this connection on your firewalls.
The last bit of this tutorial is a recommendation of which clients to use for all major platforms. I have found the following to work okay thus far in my testing:
Windows / Mac / Linux : Use SPARK – it is pretty awesome! – get it from here: http://www.igniterealtime.org/downloads/index.jsp#openfire
Android – I have been testing with a free app called “Xabber” – search for it on the market – it works pretty well…
iOS – I have been testing with “Monal” – I tested with a few others but Monal has worked best so far.
All of the above clients are free… as in FREE. So you can use that if you are pitching this solution to the higher-ups 🙂
I hope all goes well, feel free to ask questions!