External XMPP ports 5222, 5223 disabled by default in HipChat Server 2.0.7

This Knowledge Base article was written specifically for the Atlassian Server platform. Due to the restricted functions in Atlassian Cloud apps, the contents of this article cannot be applied to Atlassian Cloud applications.

As part of the HipChat Server 2.0.7 release, we disabled external XMPP ports by default.

  • This affects ports 5222 and 5223, which are now closed by default.
  • XMPP over BOSH remains enabled, to maintain legacy support for bots and third-party clients.
    • Our BOSH URL is https://yourservername.domain/http-bind
    • We recommend configuring XMPP bots and third-party clients to use the BOSH endpoint.
  • In this release, the external XMPP ports can be re-enabled with the command:
    • hipchat network --enable-xmpp-ports
    • Future releases may not support direct XMPP access.
  • Mobile and Windows clients with version >= 2.0 and Mac clients with version >= 4.0 are required to connect to HipChat Server 2.0.7.
    • If you have updated your clients in 2016, they are >= 2.0.

Why are we doing this?

  • Our current information indicates this feature is not commonly used, with the exception of the legacy HipChat clients (<2.0 clients, > 1 year old) and some bots. The most frequent request we receive regarding XMPP ports is a way to disable them.
  • The current experience using third-party clients is not on par with the experience we wish to deliver to our customers.
  • Some customers have asked for a way to disable this, in order to retain greater control over the way in which HipChat Server is used.

How are we doing this?

Ports 5222 and 5223 are handled by iptables rather than by a listener of their own: the XMPP service (tetra-proxy-*) is always running on its backend ports, and the PREROUTING and OUTPUT chains of the nat table DNAT traffic for 5222 and 5223 to it as follows:

# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:xmpp-client state NEW statistic mode nth every 2 /* tetra-proxy-0-chat-port */ to::5232
DNAT       tcp  --  anywhere             anywhere             tcp dpt:5223 state NEW statistic mode nth every 2 /* tetra-proxy-0-chat-port-ssl */ to::5233
DNAT       tcp  --  anywhere             anywhere             tcp dpt:xmpp-client state NEW statistic mode nth every 1 /* tetra-proxy-1-chat-port */ to::5242
DNAT       tcp  --  anywhere             anywhere             tcp dpt:5223 state NEW statistic mode nth every 1 /* tetra-proxy-1-chat-port-ssl */ to::5243

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:xmpp-client state NEW statistic mode nth every 2 /* tetra-proxy-0-chat-port */ to::5232
DNAT       tcp  --  anywhere             anywhere             tcp dpt:5223 state NEW statistic mode nth every 2 /* tetra-proxy-0-chat-port-ssl */ to::5233
DNAT       tcp  --  anywhere             anywhere             tcp dpt:xmpp-client state NEW statistic mode nth every 1 /* tetra-proxy-1-chat-port */ to::5242
DNAT       tcp  --  anywhere             anywhere             tcp dpt:5223 state NEW statistic mode nth every 1 /* tetra-proxy-1-chat-port-ssl */ to::5243

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Therefore, running netstat after enabling the XMPP ports will not show any process listening on ports 5222 or 5223; the tetra-proxy listeners appear on the DNAT target ports (5232, 5233, 5242 and 5243) instead.

Here is how the output of iptables -S differs when the XMPP ports are enabled versus disabled. What changes is the source restriction on the INPUT rules for the tetra-proxy backend ports: they accept new connections from any source when the ports are enabled, and only from 127.0.0.1/32 when they are disabled.

XMPP ports enabled:

-A INPUT -p tcp -m tcp --dport 5232 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5233 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5242 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5243 -m state --state NEW -j ACCEPT

XMPP ports disabled:

-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5232 -m state --state NEW -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5233 -m state --state NEW -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5242 -m state --state NEW -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5243 -m state --state NEW -j ACCEPT
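As an added check (example code, not Atlassian's own tooling), the following script classifies a server's XMPP exposure from iptables -S output using the rule shapes shown above. The sample rule sets are constructed from the two listings, and the -P INPUT DROP policy line is an assumption, since the page does not show the filter table's default policy.

```shell
#!/bin/sh
# Added example, not Atlassian's tooling: classify HipChat Server's external XMPP
# exposure from `iptables -S` output. tetra-proxy listens on 5232/5233/5242/5243 and
# the nat DNAT rules map 5222/5223 onto them, so `hipchat network --enable-xmpp-ports`
# toggles the source restriction on the filter INPUT ACCEPT rules for those ports.

XMPP_BACKEND_PORTS="5232 5233 5242 5243"

# xmpp_port_state "<iptables -S output>" prints enabled (every backend port accepted
# from any source), disabled (every backend port accepted from 127.0.0.1/32 only)
# or other (partial or missing rules; inspect by hand).
xmpp_port_state() {
    rules=$1 open=0 local_only=0
    for port in $XMPP_BACKEND_PORTS; do
        # Only filter-table INPUT ACCEPT rules for this backend port matter here.
        matches=$(printf '%s\n' "$rules" | grep -E -- "^-A INPUT .*--dport $port .*-j ACCEPT" || true)
        if printf '%s\n' "$matches" | grep -q -E -- '^-A INPUT -s 127\.0\.0\.1/32 '; then
            local_only=$((local_only + 1))
        fi
        if printf '%s\n' "$matches" | grep -v -E -- '-s 127\.0\.0\.1/32' | grep -q -- '-j ACCEPT'; then
            open=$((open + 1))
        fi
    done
    if [ "$open" -eq 4 ] && [ "$local_only" -eq 0 ]; then echo enabled
    elif [ "$open" -eq 0 ] && [ "$local_only" -eq 4 ]; then echo disabled
    else echo other
    fi
}

# The loopback-only rules restrict nothing unless non-matching INPUT traffic is
# dropped by the chain policy or a terminal rule; the page does not show that part,
# so check it rather than assume it.
input_drops_by_default() {
    printf '%s\n' "$1" | grep -q -E -- '^-P INPUT DROP$|^-A INPUT -j (DROP|REJECT)'
}

# Constructed sample rule sets, built from the two listings above plus an assumed
# '-P INPUT DROP' policy line (the page does not show the filter table's policy).
ENABLED_RULES='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 5232 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5233 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5242 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5243 -m state --state NEW -j ACCEPT'
DISABLED_RULES='-P INPUT DROP
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5232 -m state --state NEW -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5233 -m state --state NEW -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5242 -m state --state NEW -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5243 -m state --state NEW -j ACCEPT'
printf 'enabled set: %s, disabled set: %s\n' \
    "$(xmpp_port_state "$ENABLED_RULES")" "$(xmpp_port_state "$DISABLED_RULES")"
```

On a live server, feed it the real output with xmpp_port_state "$(iptables -S)" and confirm input_drops_by_default succeeds as well, otherwise the loopback-only rules do not actually close the backend ports.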
