Secure Instant Messaging

In many business environments, instant messaging has replaced email (and even the telephone) as the tool of choice for brief and casual contact. While most users have embraced easy, real-time chat, it still poses a number of challenges for network administrators. Most message services use no encryption by default, run your private conversations through their own servers, and offer no means to retain a permanent record of what could be important business communications. Running your own iChat Server can solve those problems.

Server Admin: iChat

In Server Admin, select your server from the left column, then click "Settings" from the toolbar. In the "Services" pane, check "iChat", and save your changes at the bottom of the window. Now choose the iChat service on the left, then hit "Settings" once again and begin with the "General" configuration pane. The current hostname of your server will already be listed under "Host Domains". If you'd prefer to use a service-specific name, such as ichat.makemacwork.com, you'll need that set up in your DNS listings.

Next, select the SSL certificate you'd like to encrypt message traffic with. You can use the unsigned "Default" certificate that's created by OS X Server, but many Jabber clients (including Apple's own iChat) will complain that they can't verify the server's identity. If your company doesn't already act as its own certificate authority, it's easiest to use a third-party vendor such as Digicert, Thawte, or Go Daddy.

For "Authentication", Kerberos is the most secure option, but becomes unwieldy for users outside of your domain. The "Any Method" option will use Kerberos when possible, and otherwise default to a username and password. If you're required by law or policy to archive chat transcripts, move to the "Logging" pane, and check "Automatically save chat messages". When you're finished, click "Save".

Now everyone with a user account on your server can log in using any "Jabber-compatible" client. This includes iChat and Adium for Macintosh, as well as Trillian and Pidgin for Windows, among others. If you're planning to offer instant messaging from outside your office (for traveling employees, clients, or vendors) you'll also need to forward ports 5060, 5190, 5222, and 5223 through your firewall for this configuration.

Finally, there's one feature in Leopard's "Standard" server setup that somehow missed inclusion in the more flexible and configurable "Advanced" option. To automatically add every iChat user to every other user's Buddy List, you'll currently need to run the following on the command line after each user logs in initially:

sudo /usr/bin/jabber_autobuddy -m

Keep in mind that "Auto-Buddy" is a neat idea for small workgroups, but can quickly become unwieldy as your user base grows. If the feature appeals to you, it makes the most sense to automate the process by adding a launchd script that runs the command on a scheduled basis.
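The launchd job suggested above, as an added example rather than anything shipped with OS X Server or shown in the original article. It runs the same /usr/bin/jabber_autobuddy -m command from the article once a night. The job label (com.example.jabber-autobuddy), the 02:15 schedule, and the log path under /var/log are assumptions chosen for this example; only the command itself comes from the page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Label is a placeholder name chosen for this example; pick your own reverse-DNS name -->
    <key>Label</key>
    <string>com.example.jabber-autobuddy</string>

    <!-- The exact command the article has you run by hand after each new user's first login -->
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/jabber_autobuddy</string>
        <string>-m</string>
    </array>

    <!-- Assumed schedule: once a day at 02:15, when chat traffic is lowest -->
    <key>StartCalendarInterval</key>
    <dict>
        <key>Hour</key>
        <integer>2</integer>
        <key>Minute</key>
        <integer>15</integer>
    </dict>

    <!-- Assumed log location, so you can confirm the job actually ran and see any errors -->
    <key>StandardOutPath</key>
    <string>/var/log/jabber_autobuddy.log</string>
    <key>StandardErrorPath</key>
    <string>/var/log/jabber_autobuddy.log</string>
</dict>
</plist>
```

Save this as /Library/LaunchDaemons/com.example.jabber-autobuddy.plist, make sure it is owned by root:wheel with mode 644 (launchd refuses jobs with looser permissions), then load it with sudo launchctl load -w /Library/LaunchDaemons/com.example.jabber-autobuddy.plist. Because it lives in /Library/LaunchDaemons it runs as root, which is the same privilege the sudo invocation in the article grants; keep the plist itself unwritable by ordinary users, since anything it names gets executed with that privilege.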

With these steps in place, anyone involved with your organization can send and receive secure instant messages through your OS X Server.

Recommended Reading: To learn more about the Jabber protocol (on which iChat Server is based), check out the information at Jabber.org.