External XMPP ports 5222, 5223 disabled by default in Hipchat Server 2.0.7

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

This is for an outdated version of Hipchat Server

 This article applies to a version of Hipchat Server which will be deprecated soon. After that period the version will no longer be supported.

When will my version be deprecated?

The following versions have been deprecated:

  • Hipchat Server 1.3 (EOL Date: Aug 17, 2017)
  • Hipchat Server 2.0 (EOL Date: Jun 17, 2018)
  • Hipchat Server 2.1 (EOL Date: Dec 8, 2018)

The following version will be deprecated soon:

  • Hipchat Server 2.2 (EOL Date: May 30, 2019)

You can read more about Atlassian's End of Life policy here.

You should upgrade to a more recent version of Hipchat Server as soon as you can to take advantage of new features, and security and bug fixes.

As part of the Hipchat Server 2.0.7 release, we disabled external XMPP ports by default.

  • This affects ports 5222 and 5223 which are now closed by default.
  • XMPP via BOSH is not disabled, to maintain legacy support for bots and third party clients.
    • Our BOSH URL is https://yourservername.domain/http-bind
    • We recommend configuring XMPP bots and third party clients to use the BOSH endpoint.
  • In this release, the external XMPP ports can be re-enabled with the command:
    • hipchat network --enable-xmpp-ports
    • Future releases may not support direct XMPP access.
  • Mobile and Windows clients with version >= 2.0 and Mac clients with version >= 4.0 are required to connect to Hipchat Server 2.0.7.
    • If you have updated your clients in 2016, they are >= 2.0.

Why are we doing this?

  • Our current information indicates this feature is not commonly used, with the exception of the legacy Hipchat clients (<2.0 clients, > 1 year old) and some bots. The most frequent request we receive regarding XMPP ports is a way to disable them.
  • The current experience using third-party clients is not up to par with the experience we wish to deliver to our customers.
  • Some customers have asked for a way to disable this, in order to retain greater control over the way in which Hipchat Server is used.

How are we doing this?

Ports 5222 & 5223 are serviced by iptables, while the XMPP service (tetra-proxy-*) is always running and is plumbed into the PREROUTING and OUTPUT chains of the nat table as follows:

# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:xmpp-client state NEW statistic mode nth every 2 /* tetra-proxy-0-chat-port */ to::5232
DNAT       tcp  --  anywhere             anywhere             tcp dpt:5223 state NEW statistic mode nth every 2 /* tetra-proxy-0-chat-port-ssl */ to::5233
DNAT       tcp  --  anywhere             anywhere             tcp dpt:xmpp-client state NEW statistic mode nth every 1 /* tetra-proxy-1-chat-port */ to::5242
DNAT       tcp  --  anywhere             anywhere             tcp dpt:5223 state NEW statistic mode nth every 1 /* tetra-proxy-1-chat-port-ssl */ to::5243

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:xmpp-client state NEW statistic mode nth every 2 /* tetra-proxy-0-chat-port */ to::5232
DNAT       tcp  --  anywhere             anywhere             tcp dpt:5223 state NEW statistic mode nth every 2 /* tetra-proxy-0-chat-port-ssl */ to::5233
DNAT       tcp  --  anywhere             anywhere             tcp dpt:xmpp-client state NEW statistic mode nth every 1 /* tetra-proxy-1-chat-port */ to::5242
DNAT       tcp  --  anywhere             anywhere             tcp dpt:5223 state NEW statistic mode nth every 1 /* tetra-proxy-1-chat-port-ssl */ to::5243

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination 

Therefore, running netstat after enabling the XMPP ports will not show any processes listening on ports 5222 and 5223. 

Here's the difference of the output of iptables -S when XMPP ports are enabled vs disabled:

XMPP ports enabled:

-A INPUT -p tcp -m tcp --dport 5232 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5233 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5242 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5243 -m state --state NEW -j ACCEPT

XMPP ports disabled:

-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5232 -m state --state NEW -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5233 -m state --state NEW -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5242 -m state --state NEW -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5243 -m state --state NEW -j ACCEPT

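
Because 5222 and 5223 exist only as DNAT rules, a listener check cannot tell you whether XMPP is exposed; the INPUT rules for the backend ports are what to audit. The script below is an added example, not Atlassian tooling: it classifies iptables -S output using the two rule shapes shown on this page. The names xmpp_exposure and sample_rules are hypothetical, and the sample rules are constructed from the page's listing.

```shell
#!/bin/sh
# Added example: classify XMPP exposure from `iptables -S` output on stdin.
# Backend ports are the DNAT targets listed on this page.
XMPP_BACKEND_PORTS="5232 5233 5242 5243"

# Prints "enabled" if any backend port is accepted from a non-loopback
# source, "disabled" if every ACCEPT rule for those ports is limited to
# 127.0.0.1/32, and "unknown" if no ACCEPT rule for them is present.
xmpp_exposure() {   # hypothetical helper name
    awk -v ports="$XMPP_BACKEND_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "-A" && $2 == "INPUT" {
            dport = ""; src = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "--dport") dport  = $(i + 1)
                # A negated match ("! -s 127.0.0.1/32") is not loopback-only.
                if ($i == "-s")      src    = (($(i - 1) == "!") ? "!" : "") $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (!(dport in want) || target != "ACCEPT") next
            seen = 1
            if (src != "127.0.0.1/32") exposed = 1
        }
        END {
            if (!seen)        print "unknown"
            else if (exposed) print "enabled"
            else              print "disabled"
        }'
}

# Constructed samples, generated in the two rule shapes the page shows.
sample_rules() {   # $1 = extra match inserted after "INPUT" (may be empty)
    for port in $XMPP_BACKEND_PORTS; do
        echo "-A INPUT $1 -p tcp -m tcp --dport $port -m state --state NEW -j ACCEPT"
    done
}
sample_enabled()  { sample_rules ""; }
sample_disabled() { sample_rules "-s 127.0.0.1/32"; }

# On a live host (as root): iptables -S | xmpp_exposure
echo "enabled sample:  $(sample_enabled | xmpp_exposure)"
echo "disabled sample: $(sample_disabled | xmpp_exposure)"
```

The check looks at rule shape only: an earlier DROP or REJECT rule, or a firewall in front of the server, can still block the ports even when the result is "enabled".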
Last modified on Jan 19, 2018