Slashdot Mirror


Internal Instant Messaging Client / Server Combo?

strongmantim writes "I manage an internal help desk (25-30 people) for a medium-large company in the healthcare industry. We're looking for an internal, secure, FOSS (if possible) instant messaging / presence awareness client and server combo. Transmission of Protected Health Information is a sensitive issue, so the server has to be able to log any conversations that occur. It is preferred that the client not support outside protocols such as AIM, MSN, Yahoo, etc.; if it does, I will have to promulgate and enforce yet one more policy that my techs not connect to them. All of the computers that will connect run Windows XP. The system should be scalable up to ~100 people (in case we decide to include our entire office in the roll-out). Hardware and OS for the server are not an issue. Oh, and one more thing: It has to be free. Suggestions?"

360 comments

  1. Jabber is what you need by osssmkatz · · Score: 4, Insightful

    The question is which client and which server, and that I don't know. You should be able to lock it down by not allowing anyone to change its preferences.

    --Sam

    1. Re:Jabber is what you need by Anonymous Coward · · Score: 1, Insightful

      Openfire

    2. Re:Jabber is what you need by palegray.net · · Score: 3, Informative

      He could set up a Debian box (or virtual machine, whatever) running Jabber under his company's label in about an hour, including the OS install. Add a couple of hours to set up a backup/failover system synchronized via rsync and he's good to go. As for clients, there are a bunch of Java-based Jabber clients that integrate nicely with virtually any web app you've got deployed (with a bit of Perl or PHP glue, in some cases).

    3. Re:Jabber is what you need by craagz · · Score: 5, Informative

      Openfire.. so easy you will be surprised. I've just come off a successful implementation at our workplace.
      Hack out the Pidgin plugins. Pidgin Portable 2.5.5 is around 23MB and I removed all languages except English, plugins of everything except Jabber. Compressed it and 8MB.

    4. Re:Jabber is what you need by KTheorem · · Score: 1

      Psi is a good, multi-platform Jabber only IM client.

    5. Re:Jabber is what you need by flosofl · · Score: 2, Informative

      I second the Openfire/Spark combo (or other client of your choice). I set it up at work as a quick and dirty IM for our department (flung around the world). It's fantastic for quick questions or collabs that don't need or require email or phone. We've been using it for years (back when it used to be called Wildfire), and have not had one issue with it.

      --
      "This calls for a very special blend of psychology and extreme violence" - Vyvyan "The Young Ones"
    6. Re:Jabber is what you need by Creepy+Crawler · · Score: 2, Insightful

      If you go that route, you could instead install Xming on the clients and run the jabber client locally, on the jabber server. Kind of high overhead, but full and complete control.

      Each department could have their own eJabber server, so granularity would be rather fine.

    7. Re:Jabber is what you need by master5o1 · · Score: 1

      Pidgin client + Bonjour protocol.

      --
      signature is pants
    8. Re:Jabber is what you need by TuaAmin13 · · Score: 1

      That's what we run. Openfire + Pidgin, since it works on both Windows and Linux. Yes it supports other protocols and we don't care, because prior to this the entire site was using some weird combo of AIM/Y!/MSN (depending on department) which is more unsecure.

      Stripping out the other plugins and deploying it via GPO would probably be your best bet.

    9. Re:Jabber is what you need by Em+Emalb · · Score: 3, Insightful

      This looks like a good spot to reply. :-)

      At my work, we allow two IM programs, Pidgin and Trillian. Both are wide open, however all conversations are logged via Postini. My company (a financial firm) took the opposite route, rather than block a whole bunch of programs and port #s, we allow just about every form of internet communication and log it all.

      So far, it's worked out fairly well. Users respect that the company respects their ability to not be "Big Brothered" to death by allowing everything but making them aware that it's all logged.

      As far as IM clients go...what type of phone system do you have? If it's a Cisco system, you can look at Presence Server (CUPS) which has a built-in IM client and various other very nice to have options...just a thought.

      --
      Sent from your iPad.
    10. Re:Jabber is what you need by Tweezer · · Score: 4, Insightful

      What the hell are you smoking? I find answers like this to be way over simplified. Just set up a Debian box in an hour. Really? That is a bit naive. I have to ask you. Do you actually get your production servers set up in an hour? I don't know about you, but it takes me at least an hour or two to rack mount a new server, get it cabled, verify the redundant power is done correctly and get everything labeled properly. Then you have to get the OS loaded, app loaded etc. After all that, you need to be sure backups are set up and working properly, do some tests. After all this is HIPAA related and he needs to make sure it's working correctly, not to mention something like this will become a mission critical app in a short period of time, because other people will come to rely on it. I could easily see after the release of something like this, other departments putting the use of the IM system into policy and procedures, because it's all logged. For example some manager says he will approve purchase requisitions over the IM system as it's all logged. I assume you've tested the log recovery from a backup and are confident you will be able to restore yesterday's log 7 years from now. And then document the whole thing. You do document things I hope. Even if you are the only admin, you need to document in case you are unavailable during an emergency. If you don't you aren't doing the job properly. I find a proper server takes more like 16-24 man hours.

    11. Re:Jabber is what you need by johnkzin · · Score: 4, Insightful

      The problem with Jabber/XMPP is that ... it doesn't satisfy the "not used externally" part. Jabber is the basis of GoogleTalk, and several individual IM services.

      But, that's a questionable goal of the request anyway. Any one of his coworkers can connect to AIM/Yahoo/GoogleTalk right now. If he doesn't want that happening, he can't just say "we said 'no no bad coworker'" and expect that this makes things all good and happy. If he wants to ensure that coworkers aren't going to connect to external IM services, he needs to block those IM services at the border (firewalls and/or routers).

      In my opinion, he should block all IM traffic (Yahoo, AIM, MSN, IRC, ICB, ICQ, XMPP/Jabber, Simple, and the others (look at what pidgin supports, find out what ports those chat/IM services use, block all of them)) at the border, and then require legitimate external users to use a VPN to access the internal Jabber server. If there are remote offices, then either those workers would need to VPN in to the site that hosts the Jabber server ... or each site should have its own Jabber server, and then the Jabber servers would all talk to each other via VPN.

      That's how I'd set it up. Block every chat/IM protocol/port at the border (and at the border of each remote office). Set up a Jabber server at the central and at each remote office. Link the Jabber servers to each other via VPN/tunnel/etc.. Go from there.
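An added example, not part of the comment above: one way to check that a border policy like the one described is actually holding, by auditing firewall flow records for allowed outbound connections on common IM ports. The log format, the internal address ranges and the sample records are constructed for illustration, and the port table lists only well-known default ports.

```python
import ipaddress
import re

# Well-known default ports for the IM protocols named in the comment.
# Services can also listen elsewhere, so this is a floor, not a ceiling.
IM_PORTS = {
    5190: "AIM/ICQ (OSCAR)",
    1863: "MSN",
    5050: "Yahoo",
    6667: "IRC",
    5060: "SIP/SIMPLE",
    5222: "XMPP client",
    5223: "XMPP client (legacy SSL)",
    5269: "XMPP server-to-server",
}

# Assumed address plan: central office plus one remote office reached over VPN.
INTERNAL_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("10.30.0.0/16"),
]

# Constructed log format: "<timestamp> <ALLOW|DENY> tcp <src>:<sport> -> <dst>:<dport>"
FLOW_RE = re.compile(r"^(\S+) (ALLOW|DENY) tcp ([\d.]+):\d+ -> ([\d.]+):(\d+)$")

# Constructed sample records.
SAMPLE_LOG = [
    "2009-04-02T09:14:07 ALLOW tcp 10.20.1.15:49211 -> 10.20.0.5:5222",
    "2009-04-02T09:15:41 ALLOW tcp 10.20.1.22:50112 -> 198.51.100.7:5190",
    "2009-04-02T09:16:03 DENY tcp 10.20.1.22:50113 -> 198.51.100.8:1863",
    "2009-04-02T09:17:30 ALLOW tcp 10.20.0.5:41000 -> 10.30.0.5:5269",
    "2009-04-02T09:18:12 ALLOW tcp 10.20.1.40:50500 -> 203.0.113.20:5222",
    "2009-04-02T09:19:55 ALLOW tcp 10.20.1.40:50501 -> 203.0.113.20:443",
    "2009-04-02T09:20:10 ALLOW tcp 10.20.1.41:50502 -> 198.51.100.9:80",
]


def is_internal(addr):
    """True if the address belongs to one of the organisation's own networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def audit_border(lines):
    """Return (violations, opaque_443).

    violations: allowed flows from an internal host to an external host on an
                IM port, as (timestamp, src, dst, service) tuples.
    opaque_443: count of allowed internal-to-external flows on port 443, which
                a port-based rule cannot classify as web or chat traffic.
    """
    violations = []
    opaque_443 = 0
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip records that are not in the expected format
        ts, action, src, dst = m.group(1), m.group(2), m.group(3), m.group(4)
        port = int(m.group(5))
        if action != "ALLOW" or not is_internal(src) or is_internal(dst):
            continue  # blocked, inbound, or purely internal (incl. VPN-linked sites)
        if port in IM_PORTS:
            violations.append((ts, src, dst, IM_PORTS[port]))
        elif port == 443:
            opaque_443 += 1
    return violations, opaque_443


if __name__ == "__main__":
    found, opaque = audit_border(SAMPLE_LOG)
    for ts, src, dst, service in found:
        print(f"{ts} {src} -> {dst}: {service} allowed through the border")
    print(f"{opaque} allowed flow(s) on 443 that port rules cannot classify")
```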

    12. Re:Jabber is what you need by Anonymous Coward · · Score: 1, Informative

      I double and triple recommend Openfire. http://www.igniterealtime.org/projects/openfire/index.jsp/

      We have been running this with their Spark client http://www.igniterealtime.org/projects/spark/index.jsp/ for roughly 300 employees and this thing is great.

      - Free
      - Supports logging
      - Supports keyword blocking (important in a medical environment)
      - Has a web-based client, too
      - LDAP (Active Directory) integration supported

      You'd be hard-pressed to find another IM server that is as polished as Openfire, while still being free.

    13. Re:Jabber is what you need by ckaminski · · Score: 1

      Color me ignorant, but what do Pidgin and Trillian (IM) have to do with Postini (email)?

      Just wonderin' is all.

    14. Re:Jabber is what you need by Em+Emalb · · Score: 2, Informative

      We use postini to log all email and instant messenger communications. Postini acts as a proxy and stores each message for each user.

      It's one of the requirements we have as a financial firm. (actually, I don't believe it's required yet, but will be soon)

      --
      Sent from your iPad.
    15. Re:Jabber is what you need by bigstrat2003 · · Score: 2, Informative

      Yep, use that for your server. Do yourself a favor and use something other than Spark for the client, however. We use Openfire/Spark at my company, and while the server is solid and workable, the client is pure shit. It's slow and buggy as hell. Use Pidgin, Miranda, or whatever multi-protocol client you prefer, but not Spark.

      --
      "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
    16. Re:Jabber is what you need by ajs · · Score: 1

      Absolutely. Jabber is a great solution. You can do your own or you can use Google's. Google Apps (their business messaging package that comes with branded email for your domain, private IM, docs, etc) has instant messaging that you can lock down to just people in your company or you can allow them access to the Jabber network as a whole (including normal Google Talk users). If you do allow them external access, you can have a warning pop up whenever they talk to someone on an external connection so that they know it's not intra-company (e.g. a "don't share proprietary information" warning).

      Either way Jabber is really the only choice these days. Legacy proprietary IM solutions are really just that at this point.

    17. Re:Jabber is what you need by palegray.net · · Score: 2, Interesting

      Holy crap! Calm down, dude. My idea was for setting up a test system, with a test failover system using what I presume would be readily available test systems in an organization like his (if they're not using virtualization, they probably should be). Yes, the progression you described is totally accurate for putting together a production rig. Wow, documentation? You don't say, I never knew about documentation requirements for maintaining a network. Again, wow. The guy's looking for ideas for how to get started with solving his problem; I assume he knows how to do the rest of his job.

      Speaking of jobs, I've been doing this for close to fifteen years, including major work on Navy networks. How long have you been plugging away at it? Your technical skills sound great, but your interpersonal skills seem to indicate a penchant for running away with wild assumptions.

    18. Re:Jabber is what you need by Anonymous Coward · · Score: 0

      > The question is which client and which server, and that I don't know. You should be able to lock it down by not allowing anyone to change its preferences.
      >
      > --Sam

      This is slightly different. But isn't Google A supposed to be the answer for all such queries. At least I thought that was the idea Google had in their mind that all the IT staff would suddenly favour the cloud and opt for such web based solutions.

      But looks like not many favour web based ones. If that is the case, why is Google still investing like crazy for all such over-hyped web based ajaxified project?

    19. Re:Jabber is what you need by Tweezer · · Score: 2, Interesting

      I just reread my post. Sorry I came across as too harsh. I've been at this for about 15 years myself and I just get sick of people assuming something only takes a short period of time to set up, because you can knock out a proof of concept quickly. I've also run into plenty of situations over the years where the documentation wasn't done, because either the admin didn't do it or management didn't understand the importance and wanted something with a higher priority done. I've also seen proof of concept systems turn into production systems when a manager says it's good enough and not a critical system and not to worry. That's when you really need to worry.

    20. Re:Jabber is what you need by coryking · · Score: 1

      That said, what about remote access from your mobile? Dunno if it is a requirement, but pretty much every mobile on the planet can speak MSN and AIM but I've yet to see one that can VPN into the office.

      Course, both of those require the "server" to be AOL's or MSN's, not your own. Do any mobiles support Jabber?

    21. Re:Jabber is what you need by XSEnergy · · Score: 1

      IP Messenger http://www.ipmsg.org/index.html.en/ is a nice lightweight alternative.

    22. Re:Jabber is what you need by palegray.net · · Score: 2, Interesting

      Hey, no hard feelings :). I definitely feel your pain; I've seen a setup where a repurposed desktop system shoved in a closet was acting as a domain controller for 150 workstations, another office with 90% of the outbound bandwidth consumed 24 hours a day by bots spouting spam, and still other situations where companies got some guy from the community college to build several "proof of concept" systems and just kept using them in production (they only had a cell phone number for their "guy", and I wound up trying to deal with the ensuing nightmare when crap started failing left and right). Sorry about that run-on sentence there, I get a little worked up about these things :).

    23. Re:Jabber is what you need by ckaminski · · Score: 1

      Is this something supported in the IM client configuration? Or does postini use jabber/gtalk?

    24. Re:Jabber is what you need by Anonymous Coward · · Score: 0

      Network Solutions started with Pidgin for internal chat and a chatroom, then moved to Spark.

      Meets all your requirements: does not support outside protocols such as AIM, MSN, Yahoo, runs on XP, scalable and free.

      Best thing about it was that it saved the chatroom conversation for the last few hours, so you could login and see what was discussed earlier that day.

    25. Re:Jabber is what you need by jetole · · Score: 1

      Yeah I did openfire + pidgin at our work too some time ago. When I have the time I am looking to move away from openfire although granted it was easy to install but is not as feature rich for the free version and I haven't tried the commercial edition. Although openfire runs on a debian system, we use active directory for our roster. Right now I think logging is imperative for the work place and I forget the name but there is a popular gnu jabber/xmpp server that has logging as a plugin.

    26. Re:Jabber is what you need by Anonymous Coward · · Score: 1, Informative

      Here's another vote for Openfire. It is really easy to set up and maintain, can be used with external databases (we are using PostgreSQL), integrates w/ LDAP, has an external client gateway plugin, and has FastPath which allows you to do queue-based chat routing from a website. We have been using it for about 2 years now and have been really happy with it.

    27. Re:Jabber is what you need by Anonymous Coward · · Score: 1, Informative

      Second openfire. I'm not in some huge regulated industry (or company)--but Openfire was ridiculously easy for me to install even on our outdated SLES systems (and even easier on ubuntu). I'm not running SSO/LDAP yet (*sigh* I want to...don't start guys)--but I have centralized logging, absurdly easy web-based account mgmt, a client that I can install on any o/s, and it's so simple to use that I can get remote people on it safely without even requiring them to use the VPN. If I wanted to, I could (and have briefly) syndicated it with other jabber servers to expose "outside" chatting--we decided that wasn't worth it.

      The application has caught on enough that amongst the non-blackberry crowd, it's more popular than email for interoffice communications--and there's been some discussions about getting our field team on it too--it would be absurdly easy if we decided to--to the point where the real barrier is that our "business" DSL account just doesn't have the uplink capacity for these things.

      The Spark java client feels a bit slow and klugy -- most of the programmers prefer IRC or run pidgin to connect to it, but it's good enough to get the job done and anybody can figure out how to install it. I haven't tried any sort of A/V with it (we don't need that and don't have the outbound pipe anyway).

    28. Re:Jabber is what you need by MrDERP · · Score: 1

      internal only IRC or Jabber? Sametime?? or the messenger service that used to pop up spam in Windows, I don't miss those days

    29. Re:Jabber is what you need by loners · · Score: 3, Informative

      You might want to take another look at Openfire. They stopped creating a separate "Commercial" version and released a lot of the features into the open source version. There is now logging and some other features.

    30. Re:Jabber is what you need by jetole · · Score: 1

      Yeah it's honestly been a while since I looked at it. Still don't like Spark though. ;)

    31. Re:Jabber is what you need by Em+Emalb · · Score: 1

      As far as I know, it basically just logs it, does not use jabber/gtalk or any other IM protocol. It just captures the data and writes it to a file.

      --
      Sent from your iPad.
    32. Re:Jabber is what you need by ckaminski · · Score: 1

      Strange, from reading the web info on google's site, I can't figure out that it does chat logging at all.

      I know that GTalk will save your conversations as an email in gmail if you set it up right, but I can't figure out how postini grabs Jabber or AIM traffic if it's not a gateway appliance on your network.

      If you find out, lemme know.

    33. Re:Jabber is what you need by jtev · · Score: 1

      It's not rocket science to set up a server to NOT federate. Unless you federate, no connecting to the outside. Restricting users to only the settings you want them to have access to with group policies can make your life a little easier as an admin.

      --
      That which is done from love exists beyond good and evil
    34. Re:Jabber is what you need by uigrad_2000 · · Score: 1

      > The problem with Jabber/XMPP is that ... it doesn't satisfy the "not used externally" part. Jabber is the basis of GoogleTalk, and several individual IM services.
      >
      > But, that's a questionable goal of the request anyway. Any one of his coworkers can connect to AIM/Yahoo/GoogleTalk right now. If he doesn't want that happening, he can't just say "we said 'no no bad coworker'" and expect that this makes things all good and happy. If he wants to ensure that coworkers aren't going to connect to external IM services, he needs to block those IM services at the border (firewalls and/or routers).
      >
      > In my opinion, he should block all IM traffic (Yahoo, AIM, MSN, IRC, ICB, ICQ, XMPP/Jabber, Simple, and the others (look at what pidgin supports, find out what ports those chat/IM services use, block all of them)) at the border, and then require legitimate external users to use a VPN to access the internal Jabber server. If there are remote offices, then either those workers would need to VPN in to the site that hosts the Jabber server ... or each site should have its own Jabber server, and then the Jabber servers would all talk to each other via VPN.
      >
      > That's how I'd set it up. Block every chat/IM protocol/port at the border (and at the border of each remote office). Set up a Jabber server at the central and at each remote office. Link the Jabber servers to each other via VPN/tunnel/etc.. Go from there.

      How in the world did that get modded up? Are people really that ignorant about jabber?

      Here's all you need: http://en.wikipedia.org/wiki/List_of_Jabber_server_software

      --
      Free unix account: freeshell.org
    35. Re:Jabber is what you need by Em+Emalb · · Score: 1

      will do. I am not the "email" guy for our network, but I'll talk to him tomorrow at some point and let you know.

      --
      Sent from your iPad.
    36. Re:Jabber is what you need by pfleming · · Score: 1

      This is one of the reasons that compliance officers at some firms recommend against writing anything investment related. It's a verbal conversation so that it doesn't have to be written down and stuck in a folder for the next 7 years.

    37. Re:Jabber is what you need by DavidRawling · · Score: 1

      Ah, grasshopper, you missed the crucial component of the Google strategy (I'm watching it happening).

      1. Talk to the CxOs (CIO, COO, CEO) of the company and ignore the project team working on the new desktop apps project.
      2. Publicise how cheap it is and how wonderful it is that your entire company can do all of its work on the web with a standard browser.
      3. <Jedi>There are no problems with Google Apps.</Jedi>
      4. Take the CxO's on a trip to the local Googleplex with the kids chairs and the kindergarten walls, expressing how fun and easy everything is.
      5. <Jedi>There are no problems with Google Apps.</Jedi>
      6. Remind the CxOs that it's cheap and only a web browser is needed for everything
      7. <Jedi>There are no problems with Google Apps.</Jedi>
      8. Finally talk to the project team and explain how the CxOs have agreed to pilot 1000 users on Google Apps starting next month.
      9. <Jedi>There are no problems with Google Apps.</Jedi>
      10. Tell the CxOs that the project team is stalling and that they need to apply pressure.
      11. <Jedi>There are no problems with Google Apps.</Jedi>
      12. CxOs tell project team to migrate 1000 users to Google Apps as a "pilot".
      13. Profit!!

      See if you convince the CxOs, then the project teams, IT teams etc are dragged along whether the solution is appropriate or not. And that's why they're still pouring money into it.

    38. Re:Jabber is what you need by Deanalator · · Score: 2, Informative

      By the way, the hak5 episode that came out today features a really nice video tutorial on setting up an openfire server.

      hak5.org

    39. Re:Jabber is what you need by badkarmadayaccount · · Score: 1

      Anything with a decent browser can do GTalk... so...

      *ducks*

      --
      I know tobacco is bad for you, so I smoke weed with crack.
    40. Re:Jabber is what you need by Life2Death · · Score: 0

      Though I agree with this guy above, did you read that it's virtual?

      Though I agree, those of us out there with limited nix' under our belts would just be left in the dust when it comes to sync' and other crap. I'm sorry, but I don't have hours to compile drivers, every program that doesn't come in a package, and learn a whole new command line, hardware tools, a desktop (KDE 4 sucks hard in my opinion, back to 3!) etc etc.

  2. Pidgin by Shikaku · · Score: 4, Informative

    Use the encryption capabilities in Pidgin.

    http://pidgin.im/

    1. Re:Pidgin by compro01 · · Score: 2, Insightful

      I love Pidgin, but that doesn't fit the "does not support outside protocols" criteria.

      --
      upon the advice of my lawyer, i have no sig at this time
    2. Re:Pidgin by SpaceLifeForm · · Score: 0, Flamebait

      Pidgin is GPL, hack your own version so that
      it does not support the 'outside protocols'.

      It should be relatively straightforward.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    3. Re:Pidgin by erlehmann · · Score: 2, Informative

      While Pidgin may be a reasonable multi-protocol client as a Jabber client I would suggest Gajim, which also does PGP and esession encryption (Pidgin cannot do either, AFAIK).

      Disclaimer (possible conflict of interest): I contributed the :3 smilie to the Gajim icon set.

    4. Re:Pidgin by Anonymous Coward · · Score: 3, Insightful

      You don't even need to do this. All the protocols are dynamically loaded (AFAIK, this is the case on Windows as well).

      Just remove the files for the unsupported protocols & block all jabber communications with the outside through the firewall (gmail for instance uses jabber).

      BTW, suggesting he hack the source instead of providing him with a client that meets his criteria is only useful if there are no free Windows clients that meet his needs. Since there are, at best you are telling him to use closed-source free (as in beer) software. At worst, he'll resort to closed-source non-free software.

      If there are no open-source alternatives, offer to create him one by a fixed-cost contract, cause my guess would be that they are more concerned with recurring per-seat license costs than just paying $1000 one time up-front.

    5. Re:Pidgin by Cylix · · Score: 2, Informative

      Pidgin protocols are supported through plugins.

      Removing the respective plugin removes support for that protocol.

      There are other measures which can be taken to ensure it stays protocol broken, but it really depends on how far the requester is willing to go.

      --
      "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
    6. Re:Pidgin by Anonymous Coward · · Score: 0

      Not everyone is a coder damnit. and even among people who do have the skills necessary... how many do you think actually take a foss app and roll their own? "features" no one cares about aren't selling points. yes, it's great. No, it is not the solution to every god damn problem.

    7. Re:Pidgin by hannson · · Score: 1

      The latest version of Gajim is 0.12.1.
       
      Is it stable enough?

    8. Re:Pidgin by Korin43 · · Score: 2, Informative

      Pidgin has encryption plugins, but from what I've heard, they aren't entirely stable :(

    9. Re:Pidgin by erlehmann · · Score: 2, Informative

      considering that it's been around for 5 years, the answer may not surprise you - or anyone for that matter: yes it is. i know only of one reliable way to crash it and that was a problem with the xmpp specification and has since been fixed. even running svn - which i do - does not necessarily mean there will be any instabilities.

    10. Re:Pidgin by Anonymous Coward · · Score: 0

      I use encryption plugins with pidgin and haven't had any trouble. The name of the plugin is Off-the-Record Messaging. I don't know much about security but it says "Preserves the privacy of IM communications by providing encryption, authentication, deniability, and perfect forward secrecy."

      I think the fact that pidgin is GPL means that you should be able to get it to do exactly what you want. It also handles Jabber/XMPP by default (I think, maybe I installed a plugin for it). If you are lucky there might even be a plugin that restricts messaging to a whitelist of buddies or servers. I assume setting up the user privileges so that people can't change their settings or modify plugins is not going to be a problem.

    11. Re:Pidgin by Anonymous Coward · · Score: 0

      Then use Psi. Less eyecandy, but Jabber only (no workaround), and supports encryption (SSL and PGP).

      http://psi-im.org/

      Without a firewall, your employees will still be able to use a third-party Jabber server (like jabber.org) and use transports to reach MSN, Yahoo... Sure, it requires a bit more skill but it's not that hard and the one in your 30 people that will discover how to bypass your protections will explain it to the other ones. In short, don't try to restrict access based on the client: someone will outsmart you.

    12. Re:Pidgin by shutdown+-p+now · · Score: 1

      I believe Psi also supports PGP, and it's pretty good overall (and looks a tad better on Windows than Gajim, since the latter is Gtk, while Psi is Qt).

    13. Re:Pidgin by Anonymous Coward · · Score: 0

      Pidgin supports encryption via the OTR plugin http://www.cypherpunks.ca/otr/ which works nicely.

    14. Re:Pidgin by muckracer · · Score: 1

      > Use the encryption capabilities in Pidgin.

      Well, technically Pidgin does not have built-in encryption capabilities (unfortunately!!). You need a plugin like OTR: http://www.cypherpunks.ca/otr

    15. Re:Pidgin by Tarwn · · Score: 2, Interesting

      Unfortunately, while I personally like the XMPP protocol and think it would normally be an excellent solution, I think you have uncovered the biggest flaw. Preventing the clients from talking to the outside world is going to be nearly impossible unless you keep them on a network that doesn't route to the outside world.
      For instance, GTalk uses SSL over port 443 so if you want any type of secure web transactions with the outside world then you're also going to be allowing secure chatting. Even if you go through and block obvious XMPP hosts that are using non-standard ports (443, 80, etc) it will require ongoing attention as other sites start their own services.

      --
      Whee signature.
    16. Re:Pidgin by Anonymous Coward · · Score: 0

      Beer isn't free, you moron.

    17. Re:Pidgin by certain+death · · Score: 1, Interesting

      There is a nice layer 7 firewall out now called Palo Alto that has the ability to actually distinguish between regular https and other protocols trying to use its port. They of course are not cheap _or_ free, but they certainly work like a champ!

      --
      "My immediate reaction is "WTF? What kind of moron doesn't make things 64-bit safe to begin with?" Linus
    18. Re:Pidgin by hansamurai · · Score: 1

      We used to use Pidgin at work, and they allowed outside protocols like AIM. The only caveat was that you knew they were logging your conversations and when you started chatting with someone over AIM, your friend would get a message like "You are chatting with someone on X's server and your conversations are being logged."

      Just that warning was usually enough to deter people from messing around on it too much.

      Now we use a home grown solution... it seriously sucks, but I think they actually sell it to other companies so I'm not going to mention its name. At least the good thing about it is that everyone uses this protocol, so that you can essentially find and chat with anyone in the company.

    19. Re:Pidgin by Anonymous Coward · · Score: 0

      Logging is one of his requirements. He doesn't want things to be too secure; it has to be insecure enough that government will be ok with it. You can't have logging and also encryption, can you?

      Ooh, unless everything is being encrypted with both the recipient and logger's keys. I know PGP can do that, but can gajim?

    20. Re:Pidgin by skeeto · · Score: 1

      OTR is end-to-end encryption and wouldn't allow the server to keep logs, which is what is needed.

    21. Re:Pidgin by skeeto · · Score: 1

      Everyone under here is missing the point. These encryption schemes are all forms of end-to-end encryption, and, as such, wouldn't allow the server to keep logs, which is one of the requirements. He needs client/server encryption, which is already provided in XMPP by TLS and SASL.
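An added example, not part of the comment above: a server-side archive check that flags message stanzas whose content the server cannot read because the clients layered end-to-end encryption (OTR, or OpenPGP per XEP-0027) on top of the TLS link. The stanzas, JIDs and the `im.example.internal` domain are constructed; the markers checked are the `?OTR` body prefix used by OTR and the `jabber:x:encrypted` payload element from XEP-0027.

```python
import xml.etree.ElementTree as ET
from collections import Counter

PGP_ENCRYPTED_TAG = "{jabber:x:encrypted}x"  # XEP-0027 encrypted payload element
OTR_DATA_PREFIX = "?OTR:"                    # base64-encoded OTR data message
OTR_ANY_PREFIX = "?OTR"                      # queries and errors ("?OTRv2?", "?OTR Error:")

# Kinds of message a compliance logger cannot record in readable form.
UNLOGGABLE = ("pgp-encrypted", "otr-encrypted", "otr-negotiation")

# Constructed sample stanzas, as a server-side logger might see them after TLS
# has been terminated on the server.
SAMPLE_STANZAS = [
    "<message from='alice@im.example.internal/desk' to='bob@im.example.internal' "
    "type='chat'><body>Ticket 4411 is resolved, closing it now.</body></message>",
    "<message from='bob@im.example.internal/desk' to='carol@im.example.internal' "
    "type='chat'><body>?OTR:AAIDCONSTRUCTEDBASE64PAYLOAD.</body></message>",
    "<message from='carol@im.example.internal/desk' to='dave@im.example.internal' "
    "type='chat'><body>This message is encrypted.</body>"
    "<x xmlns='jabber:x:encrypted'>CONSTRUCTEDPGPPAYLOAD</x></message>",
    "<message from='dave@im.example.internal/laptop' to='alice@im.example.internal' "
    "type='chat'><body>?OTRv2? requesting an Off-the-Record conversation</body></message>",
    "<message xmlns='jabber:client' from='erin@im.example.internal/desk' "
    "to='bob@im.example.internal' type='chat'>"
    "<body>Can you reset the badge reader?</body></message>",
    "<presence from='dave@im.example.internal/laptop'/>",
]


def _local(tag):
    """Strip an XML namespace, so 'body' matches with or without jabber:client."""
    return tag.rsplit("}", 1)[-1]


def classify(stanza_xml):
    """Classify one stanza by whether the server can log its content."""
    root = ET.fromstring(stanza_xml)
    if _local(root.tag) != "message":
        return "not-message"
    # XEP-0027 carries the ciphertext in <x xmlns='jabber:x:encrypted'>; the
    # <body> next to it is only a placeholder, so check for the element first.
    if any(child.tag == PGP_ENCRYPTED_TAG for child in root):
        return "pgp-encrypted"
    body = next((c for c in root if _local(c.tag) == "body"), None)
    if body is None or not (body.text or "").strip():
        return "no-body"
    text = body.text.lstrip()
    if text.startswith(OTR_DATA_PREFIX):
        return "otr-encrypted"
    if text.startswith(OTR_ANY_PREFIX):
        return "otr-negotiation"
    return "plaintext"


def audit(stanzas):
    """Return (counts per kind, list of (from, to, kind) for unloggable messages)."""
    counts = Counter()
    findings = []
    for raw in stanzas:
        kind = classify(raw)
        counts[kind] += 1
        if kind in UNLOGGABLE:
            root = ET.fromstring(raw)
            findings.append((root.get("from"), root.get("to"), kind))
    return counts, findings


if __name__ == "__main__":
    totals, flagged = audit(SAMPLE_STANZAS)
    print(dict(totals))
    for sender, recipient, kind in flagged:
        print(f"{sender} -> {recipient}: {kind}, content not recoverable from the log")
```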

    22. Re:Pidgin by jdinkel · · Score: 1

      But some software IS free (as in beer).

  3. SILC by Zapotek · · Score: 5, Informative

    You can setup a SILC server.
    That's what we used to use in a company I worked for and it worked quite nice.

    1. Re:SILC by hgesser · · Score: 5, Informative

      This post was rather short, but I think it is one of the best suggestions. I played a bit with SILC some years ago: From a user's view it looks a lot like an IRC client, so users can talk to one another privately or join a channel to meet with several other users. What's most important is: It meets all the criteria,
      - it encrypts all communication
      - it is no multi-protocol thing, i.e. you cannot connect to other services.
      I can't remember whether you can run connections to several silc servers at the same time, but if so, that's at least better than having to restrict a program that can connect everywhere. Even though I haven't heard much of silc lately, the software is still actively developed. The last release is from March 19, 2009.

    2. Re:SILC by uhoreg · · Score: 2, Informative

      SILC, however, fails the "log everything" requirement, by design.

      --

      To get something done, a committee should consist of no more than three persons, two of them absent.

    3. Re:SILC by Anonymous Coward · · Score: 0

      We are currently using SILC at my work and it works great. You can't connect to multiple servers at the same time, though you can set up your internal server to link to external servers if necessary. Pidgin (pidgin.im)'s Windows installer comes with SILC support, so it's easy to configure. Also, SILC's default method of communication is through chat rooms, which are far more useful in a company setting than individual to individual chats.

  4. Jabber. by Mercury · · Score: 4, Informative

    You're looking for a jabber server and client.

    I work for a credit card company, and we use ejabberd on the server end of things.

    You probably have some jabber only client options, but those will still be able to connect to other jabber servers like Google Chat.

    Live with it, because any IM server worth using is going to have _some_ public servers.

    I'll leave the logging up to you, ejabberd can do it, but our company decided that the security issues involved with storing the logs were much worse than not having the logs.

    (Having stored, unencrypted, card data for any length of time is something that, on the very optimistic (good luck with the auditor) side requires a great deal of security. And just encrypting the drive it's sitting on doesn't really do away with more than half of that. Health data should be as much of a nightmare, but maybe not.)

    1. Re:Jabber. by fuzzyfuzzyfungus · · Score: 1

      Arguably, attempting to enforce protocol/connection restrictions on the client end, for any value of "enforce" beyond "make sure that the settings you want are the ones the drones receive automatically on login", is the wrong way to do it. Doesn't hurt to try; but it is really your firewall's job.

    2. Re:Jabber. by WindBourne · · Score: 3, Insightful

      Live with it, because any IM server worth using is going to have _some_ public servers.
      Actually, the whole point is that they CAN NOT. Hippa mandates that they do not do that. It would be possible for somebody to copy/paste into the wrong window. For that, it would certainly lead to a firing, and possible jailing. I have considered doing a talk for kopete with an enforced port (via code). It sounds like that is exactly what is needed, though a secured jabberd would cut it.

      --
      I prefer the "u" in honour as it seems to be missing these days.

    3. Re:Jabber. by teknosapien · · Score: 1

      umm no you don't have to ever go through a public server if your routing is set up correctly in your client/server setup -- if you are already stopping IM via - non-install/network protocol/routing restrictions then you're halfway there. Any FOSS package you decide to install you can apply those restrictions/rules.

      --
      no matter how good it is, it is human nature always wants to make things better

    4. Re:Jabber. by Sancho · · Score: 1

      The original request said that it shouldn't support outside protocols, not outside servers. Finding a pre-written IM protocol that doesn't support an outside server is simply not going to happen. What you'd really want is to be able to use policies or some other technological means to restrict people from connecting to anything but the company server. They're dealing with HIPAA already, so they should have a fairly strict firewall that would take care of this. If they don't, it seems like they should be looking at fixing their infrastructure before implementing IM.

    5. Re:Jabber. by Anonymous Coward · · Score: 0

      Hippa mandates that they do not do that.

      Maybe "hippa" mandates that, please cite where HIPAA mandates this.

    6. Re:Jabber. by Anonymous Coward · · Score: 0

      It's HIPAA, not Hippa. And you can't be jailed for releasing protected health information, but you can be sued.

    7. Re:Jabber. by Anonymous Coward · · Score: 0

      It is possible to configure a Jabber server so that accounts on that server cannot communicate with accounts on other servers; my company's IM server (which uses OpenFire) is configured this way.

      I'm not sure what features the original poster needs, but there are plenty of Jabber-only IM clients out there, (Psi, Spark, and Exodus immediately come to mind); you can find some basic feature comparisons on Wikipedia.

      http://en.wikipedia.org/wiki/Comparison_of_instant_messaging_clients
      and
      http://en.wikipedia.org/wiki/List_of_XMPP_client_software#Single-Protocol_Jabber_Clients
      should be useful.

    8. Re:Jabber. by Deanalator · · Score: 1

      Rumor has it that openfire server with spark is pretty fancy.

      http://www.igniterealtime.org/projects/index.jsp

    9. Re:Jabber. by Kadin2048 · · Score: 2, Informative

      Trying to enforce policy by trying to make the clients only connect to a specific server is stupid; a much better way (and the way I've actually seen implemented successfully) is to use a standard client program, a standard server running inside the LAN, and then enforce policy at the corporate firewall to prevent a user from connecting their client to a public server.

      This way you can use whatever client/server combo you want: Jabber, SILC, AIM-style, SameTime, etc.

      The way I'd enforce the gateway policy is simply to block ALL traffic from machines inside to machines outside. Machines inside the network, save specifically-designated servers working on specifically designated ports, don't get to talk to machines outside. Period. If they want to communicate with the outside world, they do it through a protocol-specific proxy. That would make it fairly easy to block connections out to IM servers; you just configure the HTTP proxy to never allow connections to the known public servers for that IM client, and to any server except on well-known HTTP ports. That will keep 99% of users from doing anything.

      It's not totally secure, of course -- a highly-motivated user could set up a relay or IM server of their own, running on their own server (which wouldn't be blacklisted), on a common HTTP port, and there'd be no way to detect it except via packet inspection. However most people who are likely to do that are going to be in IT already.

      I've worked in a number of healthcare and financial institutions that do the total-firewall plus filtering proxy thing; it actually allows them to be a lot less restrictive with their endpoint policies than they would otherwise have to be. You don't have to obsess quite so much about locking down every possible setting of every possible local program on the client machine when there's no way for the machines to pass traffic outside the network except through a small number of closely-monitored application proxies.

      The only downside to this approach is that it can be a real bitch to get working if you have any legacy (non-web) client/server apps that weren't set up to use a proxy; if you start punching whole-port holes in your firewall to accommodate stuff like that, you quickly end up with nothing but a false sense of security.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    10. Re:Jabber. by Anonymous Coward · · Score: 0

      I'm actually a QSA, and yeah, if I ever saw an unencrypted PAN in a chat log, I'd instantly drag your entire network into scope for your RoC, which you'd of course fail. Obviously, I'm not one of those stupid checklist rubber-stamp did the check clear monkeys over at TA or Symantec - we hold our customer's feet to the fire, and they thank us for it.

    11. Re:Jabber. by muckracer · · Score: 1

      > You're looking for a jabber server and client.

      Aside from the main question...on just a local home network with a couple people on it, do you really need a server to connect them via LAN or is there a way to do it directly client to client?

    12. Re:Jabber. by drinkypoo · · Score: 1

      I'd just use irc, then firewall all non-local irc traffic including via packet inspection. The only real alternative is to do it yourself. Just do it in a web browser window, it's not very complicated. There are numerous web-based chat systems already. Use one of those, then restrict access.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    13. Re:Jabber. by Himmy32 · · Score: 1

      Couldn't you also just block all non-internal jabber traffic then?

    14. Re:Jabber. by Anonymous Coward · · Score: 1, Informative

      i work in a HIPAA shop and i can assure you that you don't know what the fuck you are talking about. if you have a web browser you can accidentally paste something in a submit box just like this one. oh noes! you could accidentally fax a stack of docs to the wrong person. whoopsie! or how about email? reply all!

      all that is required is due diligence in training employees in what not to do and what to do if you fuck up. we had one idiot send hundreds of archival CDs to the wrong clients. never got sued. just called and sent them all letters & email requesting destruction of the information. HIPAA is not the over reaching umbrella restriction you imagine.

      on the off chance that you do have experience with it and that is your understanding i feel sorry for the company whose time and money you wasted securing things that don't need to be secured.

    15. Re:Jabber. by FictionPimp · · Score: 1

      Exactly, I was employed at a large medical software company. We always used public IM for getting help from other techs on clients' issues. This sometimes included sending a patients name or diag code. We all went through compliance training and I don't think it changed a damn thing in how we did business.

    16. Re:Jabber. by gnapster · · Score: 1

      I've never tried it, but I don't know of a way to do client-to-client jabber, and I can't name any IM systems that do this (though they probably exist). However, one should easily be able to run the server program on any of the existing computers. There is no reason that you need separate, dedicated server hardware to run a jabber server. OpenFire is written in Java, so it should run on most operating systems. Just choose a computer and install the server software, then aim each person's client at that computer.

    17. Re:Jabber. by jeffphil · · Score: 1

      >> Actually, the whole point is that they CAN NOT.
      >> Hippa [sic] mandates that they do not do that.

      Sorry, but, nowhere in the HIPAA regulations is there language about this.

      >> It would be possible for somebody to copy/paste
      >> into the wrong window.

      Believe it or not, happens just about every day in hospitals and other covered entities through email and other manners. This is by accident or not. Doesn't make it right, but it also doesn't mean that hospitals are going to be banning Outlook anytime soon.

      They are putting more and more controls to look for outgoing PHI network traffic, and block from leaving the building. Education is also very important to making sure workers understand secured connections.

      -jeffrey

  5. Openfire by Anonymous Coward · · Score: 5, Informative

    http://www.igniterealtime.org/projects/openfire/index.jsp

    Works very well. Meets all your requirements. Client supports Mac, Win and Linux but is a resource hog. It's jabber though so you can use many clients.

    1. Re:Openfire by drsmithy · · Score: 2, Informative

      http://www.igniterealtime.org/projects/openfire/index.jsp

      Works very well. Meets all your requirements. Client supports Mac, Win and Linux but is a resource hog. It's jabber though so you can use many clients.

      I second OpenFire. We have been (mostly) happily using it for a couple of years now. Trivially easy to setup, can back onto all the major DBs (or has one builtin) and has reasonable - if a bit clumsy and limited - capabilities to integrate with Active Directory.

    2. Re:Openfire by omnichad · · Score: 1

      I love Openfire. I've been using it for over a year. Great plugins for logging, and an overall easy to use web interface. I have to agree that the Spark client is a killer resource hog (java based).

    3. Re:Openfire by Chazmosis · · Score: 1

      Agreeing with the Above on this one. I've just rolled out Openfire with Spark to my 320 workstations and it just works

    4. Re:Openfire by x-cubed · · Score: 1

      Yep, OpenFire sounds like exactly what the OP is looking for.

    5. Re:Openfire by Anonymous Coward · · Score: 0

      I second this. OpenFire has support for logging, and I'm pretty sure encryption. It also integrates with Asterisk based PBX systems (very, very convenient), supports many different SQL back-ends, quick provisioning and is open source. It's a great project.

      The Spark IM client is a bit resource intensive, but it's quite full featured (and is a very, very powerful tool when combined with the Asterisk integration)

    6. Re:Openfire by Anonymous Coward · · Score: 0

      I agree, too. We run Openfire at work, with SSL encryption between client and server. Any jabber/xmpp client that fits your needs will work.

      As far as locking stuff down, can you not block all the chat protocols at the firewall? Better yet, why not set up white-list egress filtering?
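
The gateway policy described in Kadin2048's comment (block everything outbound except designated servers on designated ports) and the white-list egress filtering suggested in the comment just above can be checked against firewall logs. The following is an added example, not code from any commenter or product named in this thread; the address ranges, proxy and mail-relay hosts, and the log format are constructed assumptions.

```python
"""Audit firewall flow records against a default-deny egress policy.

All addresses, hosts and log lines below are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter
from typing import NamedTuple

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed LAN range
WEB_PROXY = ipaddress.ip_address("10.0.5.20")       # assumed filtering proxy
MAIL_RELAY = ipaddress.ip_address("10.0.5.30")      # assumed mail relay

# The only (source host, destination port) pairs allowed to leave the LAN.
EGRESS_ALLOWED = {(WEB_PROXY, 80), (WEB_PROXY, 443), (MAIL_RELAY, 25)}

# Well-known IM ports, used only to label what was attempted.
IM_PORTS = {
    5222: "XMPP client", 5223: "XMPP legacy TLS", 5269: "XMPP server-to-server",
    5190: "AIM/ICQ", 1863: "MSN", 5050: "Yahoo", 6667: "IRC", 6697: "IRC over TLS",
}

# Constructed log format: "<timestamp> <ACCEPT|DROP> tcp <src>:<port> -> <dst>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) tcp "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


class Flow(NamedTuple):
    ts: str
    action: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line):
    """Parse one flow record; raise ValueError on anything unexpected."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable flow record: {line!r}")
    return Flow(m["ts"], m["action"], ipaddress.ip_address(m["src"]),
                ipaddress.ip_address(m["dst"]), int(m["dport"]))


def policy_verdict(flow):
    """Return (expected_action, reason) for a flow that starts inside the LAN."""
    if flow.dst in INTERNAL_NET:
        return "ACCEPT", "internal-to-internal"
    if (flow.src, flow.dport) in EGRESS_ALLOWED:
        return "ACCEPT", "designated server on designated port"
    proto = IM_PORTS.get(flow.dport)
    if proto:
        return "DROP", f"direct {proto} connection to an outside server"
    return "DROP", "direct egress from a non-designated host"


def audit(lines):
    """Find flows the firewall accepted that the policy says it should drop,
    and count dropped outbound IM attempts per workstation."""
    holes = []
    blocked_im = Counter()
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow.src not in INTERNAL_NET:
            continue  # inbound traffic is out of scope for this audit
        expected, reason = policy_verdict(flow)
        if flow.action == "ACCEPT" and expected == "DROP":
            holes.append((flow, reason))
        elif (flow.action == "DROP" and flow.dport in IM_PORTS
              and flow.dst not in INTERNAL_NET):
            blocked_im[str(flow.src)] += 1
    return {"holes": holes, "blocked_im": dict(blocked_im)}


# Constructed sample: internal XMPP, proxy and mail traffic, two blocked
# IM attempts, and two flows that should never have been accepted.
SAMPLE_LOG = """\
2009-04-02T09:00:01 ACCEPT tcp 10.0.1.23:49152 -> 10.0.5.10:5222
2009-04-02T09:00:07 ACCEPT tcp 10.0.5.20:41000 -> 203.0.113.80:443
2009-04-02T09:01:15 DROP tcp 10.0.1.40:50211 -> 198.51.100.7:5222
2009-04-02T09:01:16 DROP tcp 10.0.1.40:50212 -> 198.51.100.7:5190
2009-04-02T09:02:30 ACCEPT tcp 10.0.1.77:51000 -> 198.51.100.9:6667
2009-04-02T09:03:02 ACCEPT tcp 10.0.1.23:49200 -> 203.0.113.80:443
2009-04-02T09:04:00 ACCEPT tcp 10.0.5.30:33000 -> 192.0.2.25:25
"""

if __name__ == "__main__":
    result = audit(SAMPLE_LOG.splitlines())
    for flow, reason in result["holes"]:
        print(f"HOLE {flow.ts} {flow.src} -> {flow.dst}:{flow.dport}: {reason}")
    for src, count in result["blocked_im"].items():
        print(f"{src}: {count} blocked outbound IM attempt(s)")
```

Traffic that reaches an outside relay through the proxy on port 443 looks like the second sample line and passes this audit; that is the case Kadin2048 notes can only be found by packet inspection.
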

    7. Re:Openfire by SigmaTao · · Score: 1

      Agree wholeheartedly.. works very well - have it running on a W2003 server with Windows and Linux clients - using Spark, Pidgin and Pandion clients. (Linux Spark client not particularly stable but Pidgin works very well). Setup very simple. Conversations are SSL encrypted. Lots of server side addons, and server based stats and monitoring are available.

    8. Re:Openfire by SigmaTao · · Score: 1

      Sorry forgot to mention it is Active Directory integrated. :-)

    9. Re:Openfire by firefarter · · Score: 1

      I second that opinion. Have it running on my vserver.

      It's ideal for company usage - dead simple install, LDAP integration, security, message filtering (psst - don't let the users know) etc... And stable - I only have to restart it for updates.

    10. Re:Openfire by Anonymous Coward · · Score: 0

      Definitely openfire is the way to go. Even has an integrated web help module. Great platform for extensions, supports SIP integration, and even flash/voip using red5.

    11. Re:Openfire by Anonymous Coward · · Score: 0

      I love OpenFire... Works Amazing and really does the job well for our office of 50 people. Plus it logs all conversations!

    12. Re:Openfire by Anonymous Coward · · Score: 0

      Yep, same here, Openfire works quite well. We have around 200-300 users online at time for a year or so.

    13. Re:Openfire by chazzf · · Score: 1

      Excellent suggestion. We've been using this for about two years now and haven't had any problems. The Active Directory integration made contact lists and authentication a snap.

      --
      No statement is true, not even this one.

    14. Re:Openfire by GrenDel+Fuego · · Score: 1

      I second Openfire. I set it up at work integrated into Active Directory for a user store, using Mysql replicating to a second box as a DR instance.

      My server currently averages about 370 users per day or so, but I fully expect it to eventually handle the 1000+ employees in the company.

      I don't use the chat logging functionality myself, but it is available in the product.

      If you're using the Spark client you can also configure the FastPath plugin in order to create a "Live Support" chat queue for your helpdesk people so that other employees can talk to the next available person via a web interface.

    15. Re:Openfire by nurb432 · · Score: 1

      The native client has a bit more 'enterprise' features, if you lock it down to ONLY their client.

      We tried it, worked great. Ended up with Microsoft due to politics.

      --
      ---- Booth was a patriot ----

    16. Re:Openfire by Anonymous Coward · · Score: 0

      I also recommend Openfire.

      I installed it about 3 years ago on a PC sitting under the desk (Celeron 2.4; 256 or 512 MB RAM) and I never had a problem with it. Usually there are about 50-70 users logged in but it never crashed (except power outages, about once every two months). Every time I check it the CPU is mostly idle and the memory usage is very light for a java app (less than 50 MB).
      It has an intuitive web interface from where you can set it up and administrate it. Also there are several plugins that extend the functionality.

      For encryption you can enforce use of SSL on the server side.

      I also saw in the options something about logging but I don't know for sure if it logs everything.

      For the client part there are a lot of options, but the most user friendly I think is Exodus; it's a jabber only client so it doesn't try to generalize options available for different protocols; it also has some branding available for the interface via an XML file; and it's light on resources.

      Ignite also provides a pretty nice Jabber client, Spark; but I found it to be a little heavy on memory usage (I consider 50MB for a chat client to be way too much).

  6. Look for LDAP / Active Directory Integration by Anonymous Coward · · Score: 0

    I would try to find one that integrates nicely with Active Directory. This way you can have:

    - True single sign on. The client should re-use current windows credentials for the person already logged into the workstation.

    - Automatic team awareness: a person wouldn't need to "add buddy". Everyone on their team would already be a buddy. Especially handy for new staff.

    I don't know of any product that supports these, though.

    1. Re:Look for LDAP / Active Directory Integration by Omniscientist · · Score: 1

      I'm not aware of any instant messaging client that integrates nicely with Active Directory other than Office Communicator (hell, it extends the schema), which definitely fails in the "FOSS" department.

      I believe Jabber has LDAP support, however I'm not sure if there is any sort of "corporate address book" functionality built in.

    2. Re:Look for LDAP / Active Directory Integration by fuzzyfuzzyfungus · · Score: 1

      If you really want heavy AD integration, you probably fall into the grasp of Microsoft Office Communications Server. You can absolutely forget free in that case, though.

      FOSS side, I'm fairly sure that at least some degree of LDAP integration is possible, though it has been a while since last I checked.

    3. Re:Look for LDAP / Active Directory Integration by galatian · · Score: 1

      Openfire (which has been suggested above) has AD integration. I run it at my school (with 900+ students/staff) and manage all the logins with the central AD server. Easy to set up and configure too.

    4. Re:Look for LDAP / Active Directory Integration by glitch23 · · Score: 1

      WiredRed makes an IM client/server called e/pop. It can integrate with ADS and settings are hardwired into the binary which is deployed to all clients. Therefore no worries that a user can change anything b/c only clients with the option enabled (again, in the binary) to change stuff can even see the available settings. It is not free though. If I recall correctly the price is about $15 per user. Because they make their own server it can work in private networks but the last I saw (4 years ago) they didn't use Jabber.

      --
      this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address

    5. Re:Look for LDAP / Active Directory Integration by Anonymous Coward · · Score: 0

      OpenFire has LDAP authentication. It is stable, integrates with our mail groups, and is pretty lightweight (it's running on one of our Scalix servers with no problems). We're using it right now, along with Spark with SSO. Works great.

      My only complaint about Spark is that it is a little bit of a memory hog, so I haven't deployed it to departments that are overdue for a machine refresh (256MB on 1.2GHz is not quite enough with the other, more important, memory hogging applications that are necessary for the departments in question). That being said, it runs great on machines that have at least 512MB. (It uses about 50MB for the first several hours it's running, then drops to 12MB or so...)

    6. Re:Look for LDAP / Active Directory Integration by ubrgeek · · Score: 1

      Doesn't it come as a component of the Exchange server?

      --
      Bark less. Wag more.

    7. Re:Look for LDAP / Active Directory Integration by fuzzyfuzzyfungus · · Score: 1

      I don't know. When my workplace demoed it, it certainly didn't, which was one of the reasons that we dropped it after the trial; but it certainly might in other cases, depending on exactly what sort of "Software Assurance" you have, what version of Office you are running on desktops (yes, Communications Server has CALs), what version of exchange, and so on.

  7. Company-Wide Instant Messaging with Jabberd by codefungus · · Score: 1

    Company-Wide Instant Messaging with Jabberd by Oktay Altunergil

    http://www.onlamp.com/pub/a/onlamp/2005/10/06/jabberd.html

    --
    -- A cat is no trade for integrity!

  8. Open Fire by TrippTDF · · Score: 1, Redundant

    Open Fire is a wonderful Open Source server for jabber. I used it in a similar situation a few years back. There are many jabber clients- I'm sure you can find one that meets your needs.

    1. Re:Open Fire by WhoCantTakeAJoke · · Score: 1

      I second. Openfire and Pidgin, Spark, etc.

      --
      I have no direct experience or knowledge, but I'd imagine...

    2. Re:Open Fire by d3matt · · Score: 1

      Third. I've got an openfire server running at my office. It's quite easy to administer (and upgrade). I've used Spark and it's also quite easy to use, but we're using pidgin because we have no restrictions about connecting to outside IM servers.

      --
      I am d3matt

    3. Re:Open Fire by Anonymous Coward · · Score: 0

      Seconded ... I'm using this for the IT department at our municipal government ... works wonderfully and so far has never tried to call home or anything beyond the firewall.

    4. Re:Open Fire by Anonymous Coward · · Score: 0

      One simple way to get lock down of the jabber client is to get a jabber client that is implemented as a Java applet.

      The Java environment will prevent the applet from connecting to any host other than the one it was downloaded from.

      It must also be noted that operating as a Java applet makes deployment very easy since there is no client code required at all.

      The only problem will be finding a sufficiently attractive applet (to operate on IE without upgrading its JRE, it will remain 'stuck' at JDK1.1).

    5. Re:Open Fire by tf23 · · Score: 1

      One business I'm with uses Open Fire. Another uses OSX Server on an XServe w/ its built-in Jabber server (attached to MS-AD for user accounts).

      Both work extremely well. Throw in Pidgin, iChat or Adium and it's all good.

  9. IRC? by Anonymous Coward · · Score: 0

    Why not IRC? It does everything you need it to, is easy to use, is fully open source.

    1. Re:IRC? by adriel · · Score: 1

      I would suggest to use IRC too, the setup is easy. There are a lot of guides and freeware available for download nowadays to even run the server on Windows.

    2. Re:IRC? by Anonymous Coward · · Score: 0

      An IRCd is easy to set-up, there are a couple for Windows based machines.

      IRC is great for groups communicating, but if your need is mostly one on one I would stick w/ IM.

    3. Re:IRC? by SCHecklerX · · Score: 1

      We used IRC for a corporate 'ask the ceo' thing. The nice thing with IRC is the ability to easily write your own bot code for moderation, information, whatever. The drawback is the lack of formal accounts. That's easily addressed though...

      You can do clientless access on a web site using CGI::IRC. Tie this into your own authentication (ldap with active directory, for example), and you have a solution that already leverages your existing infrastructure. That's exactly what we did above. Lock down the ircd to only allow connections from the CGI::IRC host if you don't want people using their own clients.

      Jabber can likely be used the same way, but I don't have any experience around that.

  10. IRC? by gaelfx · · Score: 2, Interesting

    I've always found that IRC is pretty handy as a help service, most Linux distros host live help chat on it. Many other FOSS solutions seem to use it as well, such as VLC, OpenOffice.org, etc. I'm not sure how exactly one would go about setting up a server, but I can't imagine it would cost much of anything and it shouldn't be too difficult to set up. There is a pretty good wiki about it, it should have all the relevant links you could need for finding out how to do it. Cheers.

  11. Run your own IRC Server by Anonymous Coward · · Score: 0

    Use IRC. It's easily logged, there's a ton of clients, usernames can be enforced, it doesn't need to connect to outside servers. You can have multiple servers to enhance uptime. You easily have rooms where multiple can see what's going on allowing for more free-form input to conversations. Yet you still have person to person communications. Also, you can have bots. Have them setup to answer frequent questions, see who's oncall, all kinds of stuff.

  12. I might suggest IRC by Useful+Wheat · · Score: 1

    If you don't expect many people to be using it, you could consider setting up an IRC. I would suggest this tutorial. http://www.howtoforge.com/linux_irc_server_anope_services

    This tutorial describes how to set up and run an UnrealIRCD server on OpenSuSE 10.2 and Fedora Core 6. It also shows how to install Anope IRC services. Anope is a set of Services for IRC networks that allows users to manage their nicks and channels in a secure and efficient way, and administrators to manage their network with powerful tools.

    It's FOSS, you can set up SSL, and it should be fairly easy to log/manage. With the tools available each person would be setting up their own chat room (just by naming it) and logging should be a snap.

  13. Jabber and one of the single protocol clients by jeffm2501 · · Score: 1

    At our work the IT guys wanted to set up an IM network for similar reasons. They went with Jabber, and one of the jabber only clients (Coccinella, I think). They have it run through SSL, and set to log. They let some of us (the smart ones) use pidgin if we want multi-protocol clients. It works well and is tied into our Active Directory for accounts via LDAP.

  14. We use soapbox by alta · · Score: 3, Insightful

    It's jabber based. Free as in beer for both the client and server.

    Lets us save logs of all chat sessions between employees, lets employees also save chat if they want to. Lets us do some filtering, overall a pretty good client/server.

    http://www.coversant.net/

    Oh, and I HAVE gotten Digsby to connect to the server, as well as trillian.

    --
    Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.

    1. Re:We use soapbox by Anonymous Coward · · Score: 0

      Lets us save logs of all chat sessions between employees...

      That's a good thing ?

    2. Re:We use soapbox by Anonymous Coward · · Score: 0

      RTFA. These drones are under horrific regulations that prohibit treating them like human beings.

      Transmission of Protected Health Information is a sensitive issue, so the server has to be able to log any conversations that occur.

  15. Jabber client and server? by DavidChristopher · · Score: 0

    Have you evaluated Jabber? We used to use it in our office before they switched for some reason to a microsoft product that's not free (well, we have a corporate thing going on). The jabber client was customizable, and the server was very stable and robust. Also because the server is GPL it meets your FOSS requirement. http://jabberd.org/

    --
    http://www.bistolas.net

  16. XMPP/Jabber by alanwj · · Score: 1

    It sounds like XMPP (also called jabber) is what you need. XMPP is an open standard for instant messaging, and there are free/open source implementations for both clients and servers. One option for servers is jabberd. One option for a client is Pidgin (which runs in Windows and Linux).

  17. IRC? by Anonymous Coward · · Score: 0

    I believe IRC would suit you well. UnrealIRCd is pretty easy to use.

  18. openfire / spark by Anonymous Coward · · Score: 1, Informative

    Spark + openfire.

    I implemented these with Active directory authentication.

    Highly recommended, sure a couple quirks here n there with the advanced functions of the client, but for the basic features of needing to chat, and log... it's the best I know of.

  19. You're doing it wrong by SoapBox17 · · Score: 5, Insightful

    It is preferred that the client not support outside protocols such as AIM, MSN, Yahoo, etc.; if it does, I will have to promulgate and enforce yet one more policy that my techs not connect to them.

    It sounds like your network, which contains confidential medical records, is connected to the internet.
    So I have just one question: Dear God, why?

    1. Re:You're doing it wrong by Artemis3 · · Score: 1

      Not to mention using Windows XP...

      --
      Artix
      Your Linux, your init.

    2. Re:You're doing it wrong by Anonymous Coward · · Score: 0

      How do you think they do it when you go to the doctor? He looks up your confidential records on one computer on a secure network, then if he needs information from the Internet he has another computer for that?

    3. Re:You're doing it wrong by Yvanhoe · · Score: 4, Informative

      Why not ? I worked in an army lab that does that. One screen, one keyboard, one mouse, two PCs, a KVM switch.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.

    4. Re:You're doing it wrong by Anonymous Coward · · Score: 0

      It could be far, far worse. I work in the healthcare industry, and I can't tell you how many hospitals out there move their real-time, life-or-death data that, say, runs a surgery robot or delivers patient telemetry data to where it needs to go on the very same network the unit clerks use to surf www.freesmileysifyouletmeinfectyourbox.com

      Just a couple days ago I remember working on a Philips Intellivue installation transmitting (for example) information on ventilators' status to a nurses' station, but which had somehow been infected with Conficker and thinking just how badly managed some important medical information is. . .

    5. Re:You're doing it wrong by WebCrapper · · Score: 1

      Um, most hospitals in the world are like this. This is exactly why the HIPAA rules apply (in the US). They're actually much more harsh than your standard military style security as well (you should see the HIPAA requirements on the MilNet (they're actually separated, but you get the point)).

      So - now that you're more informed than before, do you trust your doctor's network?

    6. Re:You're doing it wrong by Atzanteol · · Score: 1

      So your health claims can be processed in a reasonable amount of time without hiring an army of people to handle them. Amazingly computers are pretty good at 'data processing' type jobs...

      --
      "Ignorance more frequently begets confidence than does knowledge"

      - Charles Darwin
    7. Re:You're doing it wrong by Dyslexicon · · Score: 1

      A handful of reasons off the top of my head:

      EMR vendor support. (Or you could fly someone in every time you needed help...)
      Limited patient EMR access. (Web appointment scheduling, e-visits, medical record summaries, etc.)
      Cross-deployment communication.
      EMR internal messaging integration with external email accounts.
      The dream of sharing medical records between organizations would also require this, but, alas, that's just a dream.

    8. Re:You're doing it wrong by Anonymous Coward · · Score: 0

      Until certainly not very long ago, the new NHS backbone not only ran unencrypted, it ran unencrypted over the public intertubes.

      It was running over the public network because the old NHS backbone didn't have the bandwidth. It was unencrypted because after 5 years the stakeholders couldn't agree to *any* encryption standards, so they just went ahead without and assumed everything would be OK. As it is, they've *still* not specced enough bandwidth for digital imaging, and I honestly don't want to know what's going on on the crypto side of things. It's just scary.

      How that never became a national scandal I'll never know.

    9. Re:You're doing it wrong by furby076 · · Score: 1

      Also AIM can be set up in a manner where you cannot connect to the outside world. It can be set up for corporate infrastructure. It can be secure using this method.

      --

      I do not support "The Man". I also do not support your irrational stupidity
    10. Re:You're doing it wrong by msormune · · Score: 1

      Where did it read the actual servers containing the medical records are connected to the internet? The OP did not even specify the type of company: They might just do software development for health care needs, in which case they hold no actual patient data.

    11. Re:You're doing it wrong by gnapster · · Score: 1

      The users are at workstations, chatting, and apparently accessing medical records. OP writes:

      Transmission of Protected Health Information is a sensitive issue

      Thus, the people chatting must have access to medical records, otherwise, this wouldn't be a concern. So the workstations have access to the server with medical records. OP also writes:

      It is preferred that the client not support outside protocols such as AIM, MSN, Yahoo, etc.

      meaning that OP only wants users to chat using the service OP sets up, not with other services where they may have an account outside. This would only be a concern if the client workstations have access to the Internet.

      The clients are on the same network as the medical record servers, and the clients are on a network that has access to the Internet. The two networks could conceivably be partitioned somehow, but they have these workstations in common, so it is by no means certain.

    12. Re:You're doing it wrong by iso-cop · · Score: 1

      The original post is concerned about employees not being able to use instant messaging out to the rest of the world, which implies they are actually networked to the rest of the world. The setup you describe is not that situation. A KVM switch should not be an Internet Protocol connection between the isolated and non-isolated PCs you are describing [I know, it is possible to have an IP KVM switch, but if the switch is IP then you have left open an obvious attack vector should the (more directly) Internet connected PC become compromised]. The point in the army lab would be accessibility to outside information on the Internet connected PC without potential threat to sensitive data on the PC not connected to the Internet.

  20. pidgin, foss, encryption by Anonymous Coward · · Score: 0

    This sounds like a custom version of Pidgin. It runs well in Windows, but I'm not aware that the other clients can easily be disabled.

    I'm confused what you mean by policy, as blocking outgoing ports for that protocol should be able to stop them.

    If you have a developer familiar with GTK/mingw you can build a custom version of Pidgin without support for the undesired protocols. You may be obligated to re-release modified code, so study the developer's license carefully.

    Pidgin can work with your existing Novell, MSN, Sametime or Jabber server very well, but the plugins and customizations that Pidgin offers may need to be disabled for your needs as well.

    I am not aware of what Pidgin options exist (or which protocols support) for encryption, but there seems to be a site dedicated to it:
    http://pidgin-encrypt.sourceforge.net/

    I use the Sametime version at a workplace that is very lenient with its technicians and it works flawlessly with our IBM Domino servers. If you have the infrastructure to support an already existing client that may be a good avenue to investigate, as the Novell, Microsoft and IBM solutions may have the server side cut out for you.

    -Tres

  21. Openfire by gbobeck · · Score: 1

    I would recommend Openfire. It is a Jabber / XMPP implementation from Jive Software, and is open source (GPL).

    See http://www.igniterealtime.org/

    I can say from experience that it is fairly easy to administer, is multi-platform, and scales nicely. It has a rather nice size of plugins and should meet compliance standards.

    --
    Navicula hydraulica plena anguilarum est. Omnes castelli tuus nostri sunt. Ed elli avea del cul fatto trombetta.
  22. Use Openfire by uanimosity · · Score: 1

    I used a Program called openfire/spark. It's client/server based and completely Free. It's OSS and very powerful. It uses the jabber protocol and it worked well for our company of over 200+ people. http://www.igniterealtime.org/projects/spark/index.jsp

  23. Openfire by cleveland61 · · Score: 2, Interesting

    openfire is a jabber based FOSS server.
    we use it with AD integration. I haven't implemented it yet, but they have plugins supporting full message transcript.

    Spark is the client from the same company and it is jabber only.

    If I remember correctly, openfire also supports being a proxy for all other (most?) IM protocols so even if someone gets a copy of AIM or what have you on your network, the server can still log the transcript.

    Easy to set up, free and robust.

  24. wtf by dissy · · Score: 1, Insightful

    I literally pasted the article title (sans "Ask slashdot: ") into google, and the first 4 results are free client/server packages of which some have already suggested. There also appears to be someone else asking this same question to some other forum, with attached answer...

    I realized ask slashdot has been for years now less about questions for geeks than kids wanting someone else to do their homework, but when did ask slashdot replace google search?

    1. Re:wtf by Anonymous Coward · · Score: 0

      what needs to happen here.... we need to stop replying to these with any helpful info.. with a simple reply of google it. If they googled it then they wouldn't be using us all as their personal sales reps!!

    2. Re:wtf by complete+loony · · Score: 1

      Though now the top 3 are references to this page.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    3. Re:wtf by erlehmann · · Score: 3, Insightful

      IMO, an "educated" opinion from a technical crowd is in any way better than a simple Google query. I don't know, for example, how Google could possibly have a differentiated answer to the pros and cons of particular clients.

    4. Re:wtf by Anonymous Coward · · Score: 0

      I think that asking slashdot is more useful (even though at least half the posts suggest that you are an idiot) because experts that might just have solved the problem long ago read this stuff. They will be able to tell you in one or two sentences what you should or shouldn't do.

      Google on the other hand gives you gazillion results which 95% are useless. And what results belong to that useless group is hard to know beforehand if you have no idea what the answer to your questions should be like.

    5. Re:wtf by Anonymous Coward · · Score: 0

      Why is educated in quotes in your response? What are you implying? Is it that an opinion from a technical crowd will never be educated, or that an opinion from slashdot will never be educated? This is not an attack, I just want to understand the meaning of your message which to me seems rather ambiguous. Are you trying to establish that there is an educational spectrum? If so please elaborate on what constitutes this spectrum and how it applies to slashdot versus the general internet. Also could you provide a better example against using google for digging up comparisons between IM servers and clients? Your current argument is based on negative evidence, which is a logical fallacy. Please see Argument from Personal Incredulity (yes it's a wikipedia link).

    6. Re:wtf by dissy · · Score: 1

      IMO, an "educated" opinion from a technical crowd is in any way better than a simple Google query. I don't know, for example, how Google could possibly have a differentiated answer to the pros and cons of particular clients.

      Re-read the ask slashdot... He never once asked anyone to compare pros or cons, nor implied he was even interested in our opinions.
      He laid out a list of requirements (which towards the end sound more like demands) and his last 'sentence' is one word/question:

      Suggestions?

      How is a google result list anything other than a list of suggestions?

  25. SoapBox Server from Coversant by TheCodeFoundry · · Score: 1

    SoapBox Server from Coversant is probably your best bet. It's a stable platform, source is available.

    http://www.coversant.com/

  26. Re:FOSS? One Word: Bullshit. by Auroch · · Score: 2, Insightful

    *or* ...
    Number 3 ...

    The health care company isn't American and understands that being OPEN isn't a bad thing. Americans have a problem with that concept.

    --
    Quartz Extreme and Core Image. Are there any other real reasons to spend all that money on generic hardware?
  27. Jabber + Miranda IM by ScytheBlade1 · · Score: 3, Interesting

    I wrote about this some time ago, right here.

    The short and simple answer, that should fully meet your needs, is to install jabberd2, configure it as needed (should have a logging module/plugin somewhere), and then to use Miranda IM with only the XMPP components as the client. Miranda is very easy to customize; if you don't want a protocol you simply don't include the relevant DLL.

    Note: the links on that page are dead, namely the ones to the MSI installer package that I built. If you have a need for it, feel free to drop me an e-mail (the /. address should be fine).

    1. Re:Jabber + Miranda IM by Anonymous Coward · · Score: 1, Funny

      And nothing says, "lasting, active open source project" like a page with dead links :)

    2. Re:Jabber + Miranda IM by gnapster · · Score: 1

      I'm curious: it seems easy enough to exclude other protocols by only including the DLL for Jabber, but is there a straightforward way to ensure that the client (as installed) can only connect to a certain server? (That is, the server that the OP sets up on his LAN.) A number of people have mentioned a similar solution using Pidgin, but with the same shortcoming. With the solution you describe, I can't log in to AIM directly, but I could log in to Google Talk, or for that matter, I could log in to a Jabber server which has a transport for AIM.

      I know that the easy answer is the firewall; I'm asking about the Miranda client, specifically. :c)

    3. Re:Jabber + Miranda IM by ScytheBlade1 · · Score: 1

      mirandaboot.ini can be used to specify defaults and optionally prevent them from being changed. From there, it is just a matter of locking down said file to prevent users from changing it, which if your users don't run as admin, is trivial.

      I customized my version to specify a default server and username, along with a custom location for the profiles to be stored.

      So yes, you could configure it to have what amounts to a hard-coded server to use. You may wind up poking through the source code to find the proper keys to add to the file, but as long as you're not afraid of that, it should work just great.
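The network-side counterpart to the client lock-down discussed in this sub-thread, as an added example that is not part of any poster's comment: a check over allowed firewall flows for XMPP or public-IM connections that go anywhere other than the approved internal server. The log format, addresses and function name are constructed for illustration, and the port numbers are the commonly used defaults.

```python
import ipaddress
import re

# Commonly used default ports; treat these as assumptions and adjust to your own traffic.
XMPP_CLIENT_PORTS = {5222, 5223}      # XMPP client-to-server (5223 = legacy SSL)
XMPP_S2S_PORT = 5269                  # XMPP server-to-server federation
PUBLIC_IM_PORTS = {5190: "AIM", 1863: "MSN", 5050: "Yahoo"}

# Constructed log format for this example:
#   <timestamp> <ALLOW|DENY> TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample data: LAN 10.20.0.0/24, approved chat server 10.20.0.5,
# external hosts taken from the documentation address ranges.
SAMPLE_LOG = """\
2009-03-02T09:14:02 ALLOW TCP 10.20.0.31:49211 -> 10.20.0.5:5222
2009-03-02T09:15:40 ALLOW TCP 10.20.0.44:49388 -> 203.0.113.80:5222
2009-03-02T09:16:05 ALLOW TCP 10.20.0.5:51200 -> 198.51.100.7:5269
2009-03-02T09:17:11 DENY TCP 10.20.0.52:49555 -> 203.0.113.9:5190
2009-03-02T09:17:30 ALLOW TCP 10.20.0.52:49560 -> 203.0.113.9:1863
2009-03-02T09:18:02 ALLOW TCP 10.20.0.31:49300 -> 198.51.100.20:80
2009-03-02T09:19:45 ALLOW TCP 10.20.0.60:49777 -> 10.20.0.77:5222
"""


def audit_flows(lines, approved_server, internal_net):
    """Return (ts, src, dst, dport, reason) for allowed flows that bypass the approved server."""
    server = ipaddress.ip_address(approved_server)
    lan = ipaddress.ip_network(internal_net)
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "ALLOW":
            continue  # unparseable, or already blocked by the firewall
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dport"])
        if src not in lan:
            continue  # only flows originating inside the LAN matter here

        reason = None
        if dport in XMPP_CLIENT_PORTS and dst != server:
            # A Jabber-only client pointed at some other server (external or rogue internal).
            reason = "xmpp-client-to-unapproved-server"
        elif dport == XMPP_S2S_PORT and dst not in lan:
            # Federation is on: internal users can reach contacts on outside servers.
            reason = "xmpp-federation-to-outside"
        elif dport in PUBLIC_IM_PORTS and dst not in lan:
            reason = "public-im-" + PUBLIC_IM_PORTS[dport]

        if reason:
            findings.append((m["ts"], str(src), str(dst), dport, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_LOG.splitlines(), "10.20.0.5", "10.20.0.0/24"):
        print(finding)
```

The port-80 flow in the sample is deliberately not flagged: a port-based check cannot see IM carried over HTTP, which needs a proxy or application-layer filter.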

    4. Re:Jabber + Miranda IM by ScytheBlade1 · · Score: 1

      Which is why the dead links are on my blog, not the miranda webpage ;)

      (I moved the domain it was hosted on, and never cared to properly update that entry, despite it being one of the few I care about.)

  28. Sametime by Gates82 · · Score: 1

    I've used IBM/Lotus Sametime and thought it worked quite nice, and is very professional. Not sure what the fees are like, but it does support a myriad of platforms.

    --
    So who is hotter? Ali or Ali's Sister?

    1. Re:Sametime by Lingerance · · Score: 2, Informative

      Sametime? Run far far away. It is the most bloated client I've ever used for any chat protocol, it crashes frequently enough and when it does it will sometimes prevent the user from rejoining a group chat, requiring a new one be made and everyone move over. There isn't a way for people to join a group chat on their own accord and must be invited, nor is there a way to auto accept invites. Any time you need to copy/paste a chat log it must be manually edited so it becomes even remotely readable and some of the GUI settings work contradictory to what you'd expect (like disabling smileys, it just does not work).

    2. Re:Sametime by thebiss · · Score: 1

      Some clients are more stable than others. I am on ST 7.5.1, and it's rock solid even with voice chats. I can't say the same about previous versions, and I haven't tried Sametime 8.0x yet.

      I work with people that use Pidgin to connect to the same server, and it has crashed on them as well. I would rather have software I can get support for.

      An enterprise client can work with IBM to pare down the options to whatever is needed, making it a lighter image.

      --
      Beware: I believe all are created equal, and have the right to life, liberty, and the pursuit of happiness.
  29. We use Exodus and Zimbra by jkrise · · Score: 3, Insightful

    Exodus is fairly simple to setup and administer. Zimbra provides much more than just Instant Messaging; we use it mainly for Zimlets and Collaboration; but the IM feature of Zimbra with auto-logging is very useful and sophisticated as well.

    --
    If you keep throwing chairs, one day you'll break windows....
  30. intranet web application by Max_W · · Score: 1

    Do it as a web (intranet) server application in PHP&MySQL. Install WAMP and write it. It will be much easier to maintain. It will be available by the address, say, 192.168.15.10 . So what?

    Can you imagine installing a client on a 100 work stations? Upgrading? Been there. Thank you very much.

  31. Wait... by Anonymous Coward · · Score: 0

    It is sensitive, SO you _do_ want to log?
    Well that's... bright.

    Reason?

    1. Re:Wait... by Anonymous Coward · · Score: 0

      The SEC requires it for brokerages, HIIPPPPPPPPAAAAAA requires tons of crap like logging this type of crap for compliance, CreditCard crap requires tons of crap like this for compliance, etc, fucking, etc.

      blah, blah, blah - yeah we all hate logging, but in some cases it is required.

  32. Jabber by pgn674 · · Score: 1

    I imagine that, in the end, your solution will involve Jabber and XMPP in some way.

  33. OPENFIRE - FOSS Jabber (XMPP) server by waa · · Score: 2, Insightful

    It has an intuitive/simple web interface for administration, and meets your logging needs and more. It can also support many gateways such as AIM, MSN, GADU-GADU, Yahoo! etc - But you don't have to enable them if you don't want them. I use this with the PSI IM client http://psi-im.org/ - A cross-platform Jabber IM client for MAC OSX, Linux and Windows. Check it out at: http://www.igniterealtime.org/projects/openfire/index.jsp

    --
    Windows is not the answer.
    Windows is the question.
    The answer is "NO."
  34. Spark by Anonymous Coward · · Score: 0

    Spark is an Open Source, cross-platform IM client optimized for businesses and organizations. It features built-in support for group chat, telephony integration, and strong security. It also offers a great end-user experience with features like in-line spell checking, group chat room bookmarks, and tabbed conversations.

    http://www.igniterealtime.org/projects/spark/index.jsp

  35. openfire and spark by Anonymous Coward · · Score: 0

    openfire and spark work like a champ....jabber protocol, with some solid server side security preferences

  36. IRC over ssh by profaneone · · Score: 1

    +ssh for secure communications
    +Sessions logged on the server.
    +Each person can talk to other people in private - just like "IM"
    +IRC client lists who is logged in - presence awareness #1
    +IRC clients configured to auto idle after X minutes - presence awareness #2
    +Scalable past 100 users
    +Permanent channels can be created for each team.
    +DCC for file transfer.
    +Depending on the IRC client, ascii emoticons can probably be converted to gif animations.

    Maybe ?? http://www.unrealircd.com/

    Or is IRC not the protocol you are looking for?

    1. Re:IRC over ssh by Jedi+Alec · · Score: 1

      As a former IRC admin I have to say that the combination of the Unreal IRCD and Anope services were very nice to work with. Clients available for any platform one can think of, and dead easy to add extra functionality server-side for extra logging and so on.

      --

      People replying to my sig annoy me. That's why I change it all the time.
  37. HIPAA by WindBourne · · Score: 1

    Obviously, this, or something like it, is one of your main concerns (though you might not be American). I have thought some time ago that ktalkd was interesting because it was NOT designed to be large enterprise wide. It was a simple easy to use talk protocol, with a secured option. The client was ktalk, but it was for 1.0 and 2.0. It seems to me that something like this is really what you want, with an enforced port (code it in), combined with a firewall on that port. That approach would take care of the mistakes. Obviously, crackers could get by, but then again.....

    --
    I prefer the "u" in honour as it seems to be missing these days.
  38. Re:FOSS? One Word: Bullshit. by Urza9814 · · Score: 2, Insightful

    FOSS? Where did he say FOSS? He never said FOSS. He said 'free'. Most likely free as in beer. What company _isn't_ looking for free software? My guess would be they just don't consider this essential and don't want to waste a shitload of money on it.

  39. One Word, People... by russlar · · Score: 1

    TELEPHONES!

    --
    Anybody want my mod points?
    1. Re:One Word, People... by arndawg · · Score: 1

      The problem with telephones is that you can't "queue" messages. Both parties need to be available at the same time. With instant messaging you just send your message and the receiver takes a look when he is available. If it demands a lot of discussion back and forth you pick up your phone. If there is a message that's important, but not quite important enough to call to verify that the receiver gets it, you send an e-mail + an IM.

  40. Re:Not another one by neokushan · · Score: 3, Insightful

    You know, I had the exact same issue this guy is having and, guess what - google gave me that exact answer (Openfire).
    Of course, I used MirandaIM because I knew Miranda had Jabber support and it's a decent little client, but yeah, another vote for both Openfire and "just fucking google it next time".

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
  41. Re:Not another one by Anonymous Coward · · Score: 1, Funny

    Haven't had your coffee yet, dear?

  42. Jabber (a.k.a. XMPP) by Eythian · · Score: 1

    Did you even look first? Jabber has been around for years now, and sounds like it'd be ideal. Technologically it is similar to email in principle. It's an open standard, so there are many clients and servers to choose from (I'm a fan of ejabberd myself.)

    Any policies you like, such as connecting to other servers or protocols, logging, encryption, whatever can all be enforced from your server.

  43. Psi by actionbastard · · Score: 1

    Open source.
    Cross platform.
    Cool name.
    Teamed with Openfire, golden
    BTW -and don't take this wrong- if you really are at a HMO/HCP, you should have policies in place that prevent IM to the Internet already in place. There's this thing called HIPAA, don't you know?

    --
    Sig this!
  44. Re:Not another one by Kleen13 · · Score: 2, Insightful

    Hey look, another Ask Slashdot that should have been Ask Google! Wow! You never see those on here or anything. Maybe this could have been an Ask Freshmeat if they still want a solution from OSDN.

    Boooooo. It's not a rumour, you do suck. Perhaps you should stop pissing in your Cheerios every morning and realize that perhaps he wanted a professional or experienced opinion.

    --
    That sinking feeling deep in your gut when you KNOW you screwed up bad summed up with: {head desk} {head desk}
  45. Openfire/Jabber by racazip · · Score: 0

    I set up Openfire sync'd with LDAP, using Pidgin as the client, for my company. Very easy to set up and supports everything you asked for. :)

  46. What is the world coming to? by tracer-nz · · Score: 1

    Is it really too hard to go and see people in person?

    1. Re:What is the world coming to? by Forbman · · Score: 1

      Maybe. But, it can be a major pain in the ass to be interrupted in person for some. And most voice mail systems completely blow chunks, so that leaves out telephonic conversations. E-mail, it can be easy to lose messages due to inbox noise. IM? Well, I was a bit skeptical, but it works for some things far better than e-mail.

      I'm an old-school Luddite in some ways (oh, the days of burning out actually on Bitnet relay/chat, talk and write)...

    2. Re:What is the world coming to? by Anonymous Coward · · Score: 0

      No, but it is less efficient. OP said they work at a help desk, so I'm sure efficiency is important for them.

  47. AltME - not OSS, but free, secure, and easy by deadzaphod · · Score: 1

    This is a perfect use case for AltME, which is set up specifically for running your own private, secure server, that logs all messages. It is very easy to install, set up and to maintain (I've been running servers with no problems for a few years now).

  48. How about by Anonymous Coward · · Score: 0

    Tonic? Free, not FOSS, no server needed, client-side logging. From the product page: http://www.r2.com.au/software.php?page=2&show=tonic

    "You want the power and convenience of instant messaging, but don't need or want the clients to talk to the outside world. Be it a bunch of friends having a LAN party, or a large corporation - instant messaging makes working together easy. Unfortunately, existing instant messengers allow users to communicate with the entire planet, not just your local network."

    Also check out the latest betas, very stable: http://www.r2.com.au/publicbeta.php?page=12

  49. Citadel groupware server has all of the above by IGnatius+T+Foobar · · Score: 4, Informative

    You definitely want to try out the Citadel groupware server. Even if you don't need it for its mail system, address book, calendar, etc... it's got a built in XMPP (Jabber) service that integrates nicely across the entire environment. It also logs all of the instant messages sent through it. Each user can review their own logs too, which is nice. And you have the ability to journal everything that comes through the system, perhaps to an external archiving service (this feature was built with industries like yours in mind, where anything that gets read by anyone *must* be archived).

    And it's free software ... GPL 3, to be exact.

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
    1. Re:Citadel groupware server has all of the above by Anonymous Coward · · Score: 1, Interesting

      a groupware that doesn't support ldap? this is a joke :)

    2. Re:Citadel groupware server has all of the above by DNS-and-BIND · · Score: 0, Troll

      I'm actually in the market for similar software, and I almost clicked on your link. But as soon as you said "GPL Software", I immediately made the connection that it's not ready for prime time, installs out of a .ZIP file, requires registry tweaks, hand-editing of configuration files, etc. The usual crap. Yaknow, I'm sorry if I'm unfairly bashing Citadel, for all I know it doesn't have any of these issues. But that's definitely the thought process I just went through as current businessman and former Solaris "the command line is God" midlevel sysadmin.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    3. Re:Citadel groupware server has all of the above by Just+Some+Guy · · Score: 1

      But as soon as you said "GPL Software", I immediately made the connection that it's not ready for prime time, installs out of a .ZIP file, requires registry tweaks, hand-editing of configuration files, etc.

      Yeah, because Windows is the homeland of GPL software.

      But that's definitely the thought process I just went through as current businessman and former Solaris "the command line is God" midlevel sysadmin.

      Interestingly, I have the same thoughts about Solaris. Your "as a businessman" qualifier doesn't mean jack except that you want it to lend credence to your oddly out-of-touch viewpoint.

      --
      Dewey, what part of this looks like authorities should be involved?
  50. Get nailed by Anonymous Coward · · Score: 0

    I for one welcome our soon to be sued Overlords

    Personally, I anxiously await for the first company to get heavily sued so that some sort of understandable standard is documented.

    So many of us are over engineering our systems for the "Fear of HIPAA". Once we cross that evil bridge we can see what is "sueable" and what isn't.

    My favorite line from an early HIPAA session was "we should protect patient data like a bank protects bank data". What on god's green earth does that actually, describably mean?

  51. By Neruos by Anonymous Coward · · Score: 0

    Since when did /. become the "please help me with my job and solve this for me cause I can not do the research for myself, so I'll post on a NEWS site for help instead of a forum related medium." place.

    1. Re:By Neruos by Anonymous Coward · · Score: 0

      Probably about the time that people started being whiny little bitches, choosing to complain about people looking for professional opinions instead of just shutting the fuck up themselves and reducing the S/N ratio for everyone else, or just ignoring the article/responses totally instead of going looking for things to bitch about.

  52. Re:FOSS? One Word: Bullshit. by Sancho · · Score: 1

    We're looking for an internal, secure, FOSS (if possible) instant messaging / presence awareness client and server combo.

    (emphasis mine)

  53. Re:FOSS? One Word: Bullshit. by drawfour · · Score: 4, Informative

    FOSS? Where did he say FOSS? He never said FOSS.

    Nice job reading. I quote from the Ask Slashdot itself:

    We're looking for an internal, secure, FOSS (if possible) instant messaging / presence awareness client and server combo

    He didn't say it HAD to be FOSS, but if possible, he would like it.

  54. Not free, but cheap & good... by shewfig · · Score: 1

    There are a couple of commercial products which will handle the job. I'm most familiar with the Barracuda IM Firewall. For about $2k, you'll get everything you've listed - full logging of conversations and file xfers, plenty of capacity, integrated client, plus a few other nice features like keyword administrator notification & message blocking, LDAP integration, and reporting.

    The biggest feature you might appreciate is its ability to BLOCK the public IM protocols. The larger models also connect to the public IM networks, so you can log & apply policy to those conversations on a per-user basis. Some people _insist_ on bypassing IT policies, so allowing those folks to connect in a way you control might make both you and them happier.

    The factors I think need to be weighed are 1) the cost of your time 2) the cost of a HIPAA violation, and 3) your ability to set up something bulletproof (no offense intended - I wouldn't trust myself to do it right the first time!)

    Disclaimer: I used to work for Barracuda a couple of years ago. Some of their technology is crap, but the IM firewall is IMHO one of the best things they've ever released.

    1. Re:Not free, but cheap & good... by juanca · · Score: 1

      Agreed, we currently use the Barracuda IM at our main office with around 250 users and it works great, was very easy to set up and we can specifically configure who can use outside networks or not, and everything gets logged appropriately.

      JC

      --
      --Necesito una chela, bien fria...
  55. Re:Not another one by Kleen13 · · Score: 2, Insightful

    Your point is that he's wasting your time? You probably shouldn't have replied then. My boo stands.

    --
    That sinking feeling deep in your gut when you KNOW you screwed up bad summed up with: {head desk} {head desk}
  56. Bonjour may be what you need. by SignOfZeta · · Score: 0, Offtopic

    Bonjour (aka, Zeroconf) is a zero-configuration link-local protocol that you may find suitable. The protocol is built into Mac OS X and Linux (as Avahi); Windows XP just requires Apple's port of Bonjour to be installed. Once that's set up, you can tell Pidgin, iChat, Adium, Kopete, etc. to announce your presence. Just type in your name, and your Buddy List will instantly populate with all of the Bonjour chatters on your LAN.

    It's not as manageable as Jabber or SILC, but from a technical perspective, you can get the entire office chatting in minutes. In my opinion, it's definitely worth a look.

    Pluses:

    1. Practically zero configuration -- punch in your name and go.
    2. Totally decentralized -- no server needed. Much less to buy and maintain compared to Jabber.
    3. Buddy Lists are automatically populated -- no need to add anyone.
    4. Bonjour is not available outside of the LAN.
    5. Compatible with IPv4 and IPv6.

    Pitfalls:

    1. Pidgin, iChat, etc. all support other externally-available services. (Can the client's preferences be locked? Or use a firewall/proxy to block all outgoing IM services.)
    2. Anyone with Avahi/Bonjour, Pidgin/iChat/Adium/etc., and a LAN connection can just open up their laptop and join in the chatting fracas. (Secure your network -- WPA2 is fine, but since HIPAA's involved, try 802.1x, EAP, RADIUS, etc.)
    3. You can only chat with users on your subnet. (Do a site survey before deploying.)
    4. Chats are not encrypted in transit. (You may wish to encrypt with OTR or PGP.)
    5. Other applications can use Bonjour to advertise services -- some VNC clients, for example, will advertise that the computer is running VNC. (Security through obscurity shouldn't be your only line of defense.)
    1. Re:Bonjour may be what you need. by Phroggy · · Score: 2, Interesting

      Bonjour is great, but what you've suggested doesn't meet his needs at all. One of the stated requirements is that there MUST be centralized logging of all conversations, and what you've proposed is direct client-to-client chats with no centralized server.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    2. Re:Bonjour may be what you need. by Megatog615 · · Score: 1

      The problem with using a firewall to block AIM, for example, is that you can actually use AIM over port 80, which may or may not be a critical port for some users. Block port 80 and you lose all HTTP connections (except for HTTPS).

    3. Re:Bonjour may be what you need. by Sandy09 · · Score: 1

      Try BigAnt Instant Messenger for enterprise; its key features fulfill your requirements: 1. Uses a client/server architecture and works with intranet; 2. Centralized logging of all conversations; 3. Encrypted data transfer; 4. Does not support outside protocols such as AIM, MSN, Yahoo, etc. More features: broadcast message, voice and video chat, built-in document management which makes the daily work more efficient and convenient. http://bigantsoft.com/

  57. Re:Not another one by kolbe · · Score: 2, Informative

    I also recommend Ignite Realtime's Openfire. I have run it since Jive owned an Enterprise version of it (~2005) and all I can say is that it's rock solid.

    It can run the server under either Windows or *NIX, offers integrated or external database server options, can be deployed to your website via Fastpath to offer online chat services, and offers several client options.

    The best part of it is that it's easy to learn and deploy. A definite must to check out.

  58. Neos by Anonymous Coward · · Score: 0

    Neos sounds like the messenger you need. It's free and doesn't support the other major messengers unless you install that yourself.

  59. IRC is obsolete by erlehmann · · Score: 1

    Unless you are looking for massive scalability (as in: 500 users in a single chat room), Jabber / XMPP can handle everything better than IRC. There are things like automagic contact lists (have everyone in your department on the list, centrally administrated), working encryption, publish-subscribe ... and of course the XMPP standard is easy to extend, as it's XML based.

  60. Re:Not another one by Kleen13 · · Score: 2, Funny

    gotcha.

    --
    That sinking feeling deep in your gut when you KNOW you screwed up bad summed up with: {head desk} {head desk}
  61. Re:Not another one by harryk · · Score: 5, Informative

    I agree.

    The OpenFire Jabber server is rock solid and integrates with LDAP, has the ability to log conversations and generally speaking is very elegant and easy to maintain.

    We also use the Spark client, which is made available by the same group.

    Very solid setup if you ask me.

    --
    think before you write, it'll save me moderator points.
  62. AChat... by Ramsees · · Score: 0

    We use achat in our organization: http://sourceforge.net/projects/achat/ It covers all our needs.

  63. SLM Messenger by Anonymous Coward · · Score: 0

    http://code.google.com/p/slmmachine/
    SLM Messenger is well suited for your requirements since it is free, open source and specifically developed for in-company (intranet) use with encryption support and designed for low network traffic (no broadcast message flows).
    And it is based on a peer-to-peer architecture; there is no need for a server, clients can communicate directly with each other.

  64. RiseOp - Secure p2p coordination by swabby64 · · Score: 1

    I have a program called RiseOp (wwww.RiseOp.com) that fits your problem. It is a highly secure, private communication system supporting IM, Chat, VoIP and file transfer among other services. It is fully decentralized, and very safe in that all members use public key cryptography to personally encrypt and sign all communication. It scales very well, is user friendly and easy to manage - the organization structure of your company is mirrored in the program itself. IM me riseop@live.com on MSN if you have any questions.

  65. IRC by phlawed · · Score: 0, Redundant

    All IM protocols are, at one level, reimplementations of IRC. So why not use IRC?

    --
    Dag B
  66. We use Jabber for 300+ people by theantipode · · Score: 0

    ... and we've had very few problems (the Miranda client gave us a hard time, but we just stopped allowing people to use it).

    --
    When I am king, you will be first against the wall
    With your opinion which is of no consequence at all
  67. Silc by kauttapiste · · Score: 1

    Secure Internet Live Conferencing, or SILC is what you need (or might want to look at anyway:). Pidgin can be used as the client.

  68. We ran this. by Allnighterking · · Score: 4, Informative

    At a company I left recently I installed Openfire and our supported IM client was their Spark client (however, despite my ex-boss's rants, a lot of clients ended up being used by employees). Spark works really well. Openfire is rock solid. It runs on Linux or Windows (better on Linux, less server load) without a hitch. Live upgrades work, and if you use mysql as the DB backend you can have auto failover. SSL 3 and TLS are supported as well.

    --

    I'm sorry, I'm too tired to be witty at the moment so this message will have to do.

    1. Re:We ran this. by Anonymous Coward · · Score: 0

      As an aside, the Client Control plugin for Openfire lets you restrict which clients are permitted to connect to the server. It's an official plugin from Jive Software, available for download from the Openfire admin console.

  69. Re:Not another one by Gerzel · · Score: 4, Interesting

    Perhaps he also wanted some insights from people who have been in similar situations?

    There is a big difference between a website found on google and a testimonial from someone who's done it.

  70. OpenFire + SparkWeb by Hallow · · Score: 1

    OpenFire, as many others have noted, is an open source jabber server, that's highly extensible, and already has support for the logging you require (via the monitoring plugin).

    The same group also has a web based client, SparkWeb, that you can lock down to your OpenFire installation. You can also lock down OpenFire, so that it only supports your official client. One of the nice things about a web client is you don't have to deploy to 100 desktops. You just send out a link. :)

  71. Blocking outside services is a waste of time by fadir · · Score: 3, Insightful

    Set up a policy if you really have to but wanting to block services is just a waste of time and doesn't add anything to your security unless you have totally incompetent personnel or fully locked down computers. Otherwise they'll start using web clients or simply work around firewall blocks or the like - which at the end might cause more security issues than the usage of the service in the first place.

    It's much better to invest this time to educate your people and teach them why it's a bad idea to use MSN.

    Lots of companies set up ridiculous firewall rules and think that they are safe - not knowing that the overkill is causing exactly the opposite of what they want to achieve. People don't like to be locked down if they don't understand why.

    I had a similar problem to solve in the (small) company that I work for. We ended up with Openfire and Pidgin. This is not safe from the outside but better than what our big mother company did. They force everyone onto Sametime and have their system locked down like no tomorrow - which ends up in people using a multitude of services and wasting a lot of time to work their ways around the firewall to be able to use MSN, Facebook, Jabber & Co.
    While I know what I have to deal with, act accordingly, and teach people to please stay away from insecure services on their work PC, the mother company trusts in their rules and unintentionally provokes insecurity.

    Security never works against the people, only with the people.

    1. Re:Blocking outside services is a waste of time by fprintf · · Score: 1

      Set up a policy if you really have to but wanting to block services is just a waste of time and doesn't add anything to your security unless you have totally incompetent personnel or fully locked down computers. Otherwise they'll start using web clients or simply work around firewall blocks or the like - which at the end might cause more security issues than the usage of the service in the first place.

      Perhaps this is an indication of how smart the security guys are where I work, but we have an internal IM client/server (we are also subject to HIPAA) and there is no way to get around getting to an outside server or client. You mention fully locked down computers... ours are XP and no one has administrative rights, but that is as locked down as they get (apart from a regular software scan). The Web has most of java/javascript disabled.

      So I think your statement is either ignorance of smart but useable Internet policies or laziness in suggesting "it is a waste of time". There is a happy medium that exists between full blockage and wide open usage.

      --
      This post brought to you by your friendly neighborhood MBA.
    2. Re:Blocking outside services is a waste of time by fadir · · Score: 1

      Are you implying that what you have there is a happy medium? XP without admin rights and without Java and JavaScript is maybe working for you but it wouldn't work here. We are a software development company, developing for multiple platforms. There is no way to keep a capable programmer from accessing anything outside.

  72. What about FOSS Cyn.in by Anonymous Coward · · Score: 0

    Cyn.in is an Adobe Air app and may be just what you are looking for.

    http://www.cynapse.com/products/cynin

  73. Spark + eJabberd by darkpixel2k · · Score: 2, Interesting

    I support a 7-site network with ~80 PCs. I use the Spark client because it comes packaged as an MSI--easy to push out via Group Policy. I also have a batch file which creates an initial settings file for the users the first time they sign in.

    Initially we had an internal (old junker box) linux server which was only accessible from the internal network and everyone had Jabber IDs of user@customer.local. We recently switched to user@customer.tld so people could access it from their iPhones and Windows Mobile phones using the Palringo client.

    ejabberd on linux has nice LDAP integration with Active Directory on Windows. You could also use the OpenFire server which is made by the same people that make Spark. It has a free version and a commercial version IIRC.

    --
    There's no place like ::1 (I've completed my transition to IPv6)
  74. Another client to consider... by willyd357 · · Score: 1

    ...would be Pandion. It only supports XMPP/Jabber, so you wouldn't have to worry about outside clients quite as much (Gtalk could still be a problem, but IMOA an easily solvable one). The major benefit of using Pandion is that it "automatically encrypts your connection to XMPP servers." Considering the sensitive nature of the data that will be transferred via your IM system, this is a major benefit. It's also extensible through the use of plugins. Hope this helps.

    1. Re:Another client to consider... by willyd357 · · Score: 1

      Oh, and it is free. Both types of free.

  75. Why not IRC by Zerth · · Score: 1

    You can firewall it off from outside nets and there are tons of free clients that don't support other protocols. Logging is easy too.

  76. +1 for Jabber by shutdown+-p+now · · Score: 3, Informative

    If you want free, open, secure and cross-platform, then it's definitely XMPP/Jabber. No surprise there - open protocol, plenty of servers and clients to choose from - it really is good. From your description, you'll almost certainly want that.

    However, for all-Microsoft shops with AD and Exchange, a pretty decent option is Office Communicator (+ the corresponding Server). It doesn't really have many advantages as an IM, but it does integrate with Outlook, Exchange and SharePoint (from shared address book, to minor bits such as auto-setting your status to "Busy - in a meeting" when you have a meeting scheduled on your Outlook calendar, and storing conversation logs in Outlook mailboxes, which indexes them for search). It's also pretty good for conferences. Still, main feature there is that integration - on its own, it's hardly worth the bother. And, of course, it's not free (in any definition of the word), and the protocol, while SIP-based, is not without proprietary quirks.

    1. Re:+1 for Jabber by Anonymous Coward · · Score: 0

      Sure Office Communicator has its issues (complicated and expensive), but who doesn't have an Action Pack subscription? The 10 Office Pro licenses make it worthwhile, never mind the various internal server licenses you get with it. $300 and 10 min of your time to fill out the application.

      Yes it's meant for resellers and consultants, but in my last two jobs, I've applied for the Microsoft Partner Program and its action pack program with entirely accurate, non-reseller/consultant information/company description and been accepted.

      This option is not free (neither FOSS nor as in beer) so I apologize for not directly answering that part of the original post. Jabber/XMPP really is the best way to go, Office Communicator just gives you many fairly simple ways to control its connections, as well as some really powerful, if overly complicated features (video, phone/voicemail integration, desktop sharing, extensive logging) that are all controllable through group policies and server settings.

    2. Re:+1 for Jabber by Anonymous Coward · · Score: 1, Interesting

      OCS (Office Communications Server) works great at our company, and even completely replaced our PBX as well. The new R2 version has some nice new call center auto-routing capabilities you might find useful on the helpdesk.

    3. Re:+1 for Jabber by moofmonkey · · Score: 1

      Are you serious? Office Communicator on its own is pointless and when linked to Outlook is one of the worst software combinations ever. When either gets stuck, it takes the other out with it. Disconnect and reconnect to a VPN for example, and if you were using them together, Communicator will hang and you will have to restart Outlook and lose whatever you were writing because it's obviously not multithreaded at some key point where it interacts with Communicator. As a Linux fan, I can still admit that M$ are capable of writing good software (Excel isn't bad), but in Outlook and Communicator you have two dark minions of Hell. Avoid. Like the plague.

    4. Re:+1 for Jabber by shutdown+-p+now · · Score: 2, Informative

      Office Communicator on its own is pointless and when linked to Outlook is one of the worst software combinations ever. When either gets stuck, it takes the other out with it. Disconnect and reconnect to a VPN for example, and if you were using them together, Communicator will hang and you will have to restart Outlook and lose whatever you were writing because it's obviously not multithreaded at some key point where it interacts with Communicator.

      I've been using Outlook+Communicator at work for over a year, and I have never seen it do what you describe, even when the network went down entirely. I had Communicator crash otherwise two or three times, but Outlook kept working.

  77. Nothing easier than Citadel by flyingfsck · · Score: 1

    Citadel can do IM and whole lot more and it only takes about 20 minutes to set up using the Easy Install script. Once up, it will keep running with zero maintenance. It is definitely the lazy man's groupware system and it can handle tens of thousands of users per server.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  78. Pandion is a good windows jabber client by donkaveh · · Score: 1

    Openfire rocks, on windows I suggest you use Pandion as a stable client...

  79. asdf by Anonymous Coward · · Score: 0

    NIX talk ... simple, local, and somewhat idiot proof, well, you know

  80. Apple Bonjour for Windows + Pidgin by yopie · · Score: 1

    Install Bonjour for Windows; it is already installed on your system if you installed iTunes. Otherwise download for free at:
    http://www.apple.com/downloads/macosx/apple/windows/bonjourforwindows.html

    Then, use Pidgin for IM.
    Best part: it's serverless, no need for a dedicated server running on the network.

    1. Re:Apple Bonjour for Windows + Pidgin by Arimus · · Score: 2, Insightful

      And will not comply with the OP's logging requirements...

      --
      --- Users are like bacteria -> Each one causing a thousand tiny crises until the host finally gives up and dies.
  81. Go easy on the "should" will you? by golodh · · Score: 5, Insightful
    @Anonymous Coward

    As to where the parent post "should" have asked his question, the parent post asked an intelligent question on a forum that harbours a lot of people who can provide a good answer in under a minute. Slashdot.

    There are lots and lots of applications like Jabber, Openfire and whatnot about. And yes, if you want you can create a great big (useless) list of them by Googling for a few minutes. And then what? What are the pros and cons of each app? Where can you find comparative tests? Are those tests any good? Has anyone got practical experience with the app? Any show-stoppers that aren't immediately apparent?

    The point about most questions like this is that people who already know the answer consider them "easy". People who don't know the answer consider them hard, and will have to expend a lot of time finding out. Time that's wasted if you could simply have eliminated 90% of the options by asking. That's why you ask. At least if you'd rather get some useful work done instead of being the umpteenth person researching the same wheel.

    It's a compliment to Slashdot that people ask such questions, and they do that because they even tend to get useful answers. It shows that Slashdot has value apart from serving as a forum for inane bickering.

    1. Re:Go easy on the "should" will you? by nitro77 · · Score: 0, Offtopic

      Mod this post up. I am out of mod points at the moment.

    2. Re:Go easy on the "should" will you? by LoadWB · · Score: 0, Offtopic

      Seconded. I wish I had seen your post before I gave my tirade just above yours.

    3. Re:Go easy on the "should" will you? by damona · · Score: 5, Insightful

      ... And for those of us who already know the answer, this is a good opportunity to find out whether there's something new we should be looking at too.

    4. Re:Go easy on the "should" will you? by strongmantim · · Score: 2, Insightful

      Thanks for the support! According to many posters here, I should also likely Google programming languages, learn to program, write my own IM/chat application, etc. There are a lot of people on Slashdot who have already gone through all the research and have a ton of experience using a particular server or client. I didn't ask this question on other boards or sites because I knew I wouldn't get honest, helpful answers from the other sites... I chose Slashdot because the community is resourceful, intelligent, and knowledgeable. Thanks again for your post!

    5. Re:Go easy on the "should" will you? by jdinkel · · Score: 1

      As I read this particular post, I too was thinking "I wish I had mod points to mod this one up." Other posts are in support of this same position, but it is commendable to golodh that he put it so eloquently.

  82. Right product, debatable price by McBeer · · Score: 1

    If you already have office / exchange, Office Communicator is exactly the product you're looking for. (http://office.microsoft.com/en-us/communicator/FX101729051033.aspx) It's not free, but with volume licensing it's fairly inexpensive.

    --
    Hikery.net - The best hiking site ever. Made by yours truly.
    1. Re:Right product, debatable price by lukas84 · · Score: 1

      I can only recommend OCS / Office Communicator.

      We've had very good experiences with the product - integration into already used products like Microsoft Office (especially Outlook) and Microsoft Exchange makes it a breeze.

      Beware though that an external-user-aware deployment will need two servers (or unsupported hacks).

      We're currently in the process of replacing our PBX with OCS 2007 R2. So far, it's looking good.

  83. Re:FOSS? One Word: Bullshit. by CAIMLAS · · Score: 1

    Healthcare IT policy?

    HAH.

    Sorry buddy, that's just funny. Usually the only "policy" is "we want it cheap, we want it now, and the doctors get to decide", or something roughly approximating it in result.

    The only actual 'policy' in most small/medium hospitals is "we don't change anything, even if we have to, unless the regulators say so". Ergo, you've got 15-year-old Windows with an ugly 17-year-old application port running on a single disk.

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  84. Oooh, Barracuda! by NerveGas · · Score: 1

    Encrypted communications, logging, and as it is an IM firewall, you can also use it to prevent users from logging into external services.

    --
    Oh, you're not stuck, you're just unable to let go of the onion rings.
  85. Go with XMPP. by Arancaytar · · Score: 1

    It is preferred that the client not support outside protocols such as AIM, MSN, Yahoo, etc.; if it does, I will have to promulgate and enforce yet one more policy that my techs not connect to them.

    Honestly? Just block outgoing connections to oscar.aol.com and the other IM services. If you want to be really paranoid, you can even block outgoing XMPP to make sure that people will only connect with the internal server.

    However, as has been said, XMPP is the only reasonable way to go.

    If you want to avoid paying for licenses, you have the choice between XMPP, IRC, Bonjour (Apple).

    Bonjour is server-less and ad-hoc, which is great if you don't have the infrastructure in place for a central server. At an office building you do, so I think you get a worthless feature at not inconsiderable inconvenience. Bonjour is free as in beer (but I'm not sure whether that extends to business use, so check), but not FOSS.

    IRC excels at providing an open chat-room, but one-on-one conversations are less well supported. There's no persistent contact handle, no good presence announcement and even the identity check has to be run as a separate service (NickServ).

    XMPP allows you to sign up everyone with their own internal account (employee@xmpp.company.com), and if you need to you can tell the xmpp.company.com server not to forward any connections from or to outside servers.

    All conversation over the server can be logged. You may want to put a policy in place to forbid direct (peer-to-peer) connection as that is harder to log, or end-to-end encryption via OTR messaging.

    For a client, I'd recommend Pidgin (which you can recompile without the AOL/MSN/Yahoo libraries, or just leave it in and block the servers), though Psi (XMPP only) isn't half bad either.
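
The comment above notes that OTR end-to-end encryption and traffic to outside servers both leave gaps in a server-side log; this added example (not part of the original post, and not Openfire's or any other project's code) audits archived `<message/>` stanzas for both. The domain `xmpp.company.com` comes from the comment; the sample stanzas, the function names and the list-of-strings archive format are constructed assumptions.

```python
"""Audit archived XMPP <message/> stanzas for gaps in server-side logging."""
import xml.etree.ElementTree as ET

INTERNAL_DOMAIN = "xmpp.company.com"  # domain used in the comment above

# OTR appends this whitespace tag to plaintext to advertise OTR support.
OTR_WHITESPACE_TAG = (
    "\x20\x09\x20\x20\x09\x09\x09\x09\x20\x09\x20\x09\x20\x09\x20\x20"
)


def jid_domain(jid):
    """Return the lower-cased domain part of a JID, or None if absent."""
    if not jid:
        return None
    # The resource may itself contain '@' or '/', so cut it off first.
    bare = jid.split("/", 1)[0]
    return bare.rsplit("@", 1)[-1].lower()


def classify_body(text):
    """Label a message body that the server cannot meaningfully log."""
    start = text.lstrip()
    if start.startswith("?OTR:"):
        return "otr-encrypted"      # ciphertext: the log holds no content
    if start.startswith(("?OTR?", "?OTRv")):
        return "otr-negotiation"    # a client is asking to start OTR
    if start.startswith("?OTR Error:"):
        return "otr-error"
    if OTR_WHITESPACE_TAG in text:
        return "otr-offer"          # plaintext, but client has OTR enabled
    return None


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_stanza(raw):
    """Return a list of findings for one archived stanza (empty = clean)."""
    # XMPP forbids DTDs; refuse them instead of handing them to the parser.
    if "<!DOCTYPE" in raw:
        return ["prohibited-xml"]
    try:
        stanza = ET.fromstring(raw)
    except ET.ParseError:
        return ["unparseable"]
    if local_name(stanza.tag) != "message":
        return []
    findings = []
    for attr, label in (("from", "external-sender"),
                        ("to", "external-recipient")):
        domain = jid_domain(stanza.get(attr))
        # Exact match only: 'xmpp.company.com.example' is not internal.
        if domain is not None and domain != INTERNAL_DOMAIN:
            findings.append(label)
    for child in stanza:
        if local_name(child.tag) == "body":
            verdict = classify_body(child.text or "")
            if verdict and verdict not in findings:
                findings.append(verdict)
    return findings


def audit_archive(stanzas):
    """Map stanza index -> findings, listing only stanzas with findings."""
    report = {}
    for index, raw in enumerate(stanzas):
        findings = audit_stanza(raw)
        if findings:
            report[index] = findings
    return report


# Constructed sample archive (not real traffic).
NS = "xmlns='jabber:client'"
SAMPLE_ARCHIVE = [
    f"<message {NS} from='alice@xmpp.company.com/desk' "
    "to='bob@xmpp.company.com'><body>Ticket 12 is closed</body></message>",
    f"<message {NS} from='alice@xmpp.company.com/desk' "
    "to='bob@xmpp.company.com'><body>?OTR:AAMDconstructed.</body></message>",
    f"<message {NS} from='alice@xmpp.company.com/desk' "
    "to='friend@jabber.example'><body>call me</body></message>",
    f"<message {NS} from='mallory@xmpp.company.com.example/x' "
    "to='bob@xmpp.company.com'><body>hi</body></message>",
    f"<message {NS} from='bob@xmpp.company.com/pc' "
    "to='alice@xmpp.company.com'><body>?OTRv23?</body></message>",
    f"<message {NS} from='bob@xmpp.company.com/pc' to=",
    f"<message {NS} from='Carol@XMPP.COMPANY.COM/Laptop' "
    "to='bob@xmpp.company.com'><body>See you at 3"
    + OTR_WHITESPACE_TAG + "</body></message>",
]

if __name__ == "__main__":
    for index, findings in audit_archive(SAMPLE_ARCHIVE).items():
        print(index, ", ".join(findings))
```
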

  86. VOIP softphone + server by kiss7 · · Score: 2, Informative

    I can recommend the VoIP server and client from mizutech http://www.mizu-softphone.com./ It has built-in encryption and is capable of handling up to 10000 clients. Unfortunately it is not free.

  87. jabberd2/mysql/PSI by defsdoor · · Score: 1

    Install jabberd2 with a mysql backend and PSI for the client. Then ask me nicely for my roster scripts that ensure that all users see all users, grouped nicely, etc.

    Block 5269 to your jabber server and make sure your users do not have direct internet access and they can't use the server or the clients to talk to anyone outside your server then.

  88. IRC... by MadMorf · · Score: 1

    We use an in house IRC server with all IRC traffic blocked at the firewall...

  89. Thanks for the recommendation. by Anonymous Coward · · Score: 3, Insightful

    Thanks for the recommendation. I wish that people who don't like a story wouldn't visit it and clutter the story with negative comments.

  90. Re:Not another one by LoadWB · · Score: 5, Insightful

    This is the exact attitude that pushes people away from FOSS in the first place.

    It is almost impossible to get a real answer from people with experience when all you get in return is "RTFM n00b."

    R'ing TFM does not always give you practical information or experience. Especially since there are quite a lot of people out there who are great at writing software but cannot write a manual to save their life. Either it is too technical and boasts about all of the incredible feats of writing the program with very little usability information, or overly verbose about how the program works with very little usability information.

    Google does not have all of the answers. It has a wealth of information, but sometimes no answers.

  91. jabber works but more by Teunis · · Score: 1

    OpenFire is the tool we used at the last shop I worked at - for exactly this. (it's a java-based server and will run on many server types including but hardly restricted to most Linux distros and Windows) They've got some great commercial tools as well.

    For something requiring more technical workings of the software - jabber2 and ejabberd both are superior - but take more configuration.

    For clients - there's the Spark client also from IGN software - which works well enough. Otherwise a wide variety of open source clients support Jabber/XMPP. You can firewall out the ports externally to lock people into being able to only sign into the local net as well, easily enough.

    Note: I currently do not work for anyone so I do not speak for any agency.

  92. Re:Not another one by atraintocry · · Score: 4, Informative

    I don't know about plain LDAP but I had serious trouble getting OpenFire to work with Active Directory. It integrated fine on the server side but single sign-on for the clients never worked. It seemed like it works great for 95% of people but for certain setups it's just impossible to get right. It's highly dependent upon your DNS setup, although I can't think of anywhere our DNS would be different from the norm. I also got in a little trouble because my users aren't all in cn=users but based on testing I don't think that was where the issue was.

    I tried for a long time to get SSO working and eventually I had to just roll it out with separate user accounts. I suppose I could have paid for support but if I was going to do that I would have just bought one of the Windows-based enterprise IM packages that's out there.

    Other than that it's been great. I was using Psi for a client but I can't seem to get it to alert people consistently. I (and the users) want something that will pop up the message and take focus no matter what. But Psi seems to be erratic in this regard.

  93. We use Zimbra and the Jabber zimlet too by Anonymous Coward · · Score: 0

    We use Zimbra and the Jabber zimlet too. I can't say that I'd recommend installing Zimbra just for the IM tho. It does work and is a fairly simple addon. If you can get past the Zimbra high requirements for what it does.

    As far as worrying about connecting to outside services - fix your network so that can't happen. Kill off the default route to the external world and only allow the proxies to see the internet and DNS. Don't let your internal clients see anything except internal servers and the proxies, period.

  94. shameless plug - iwannachat.net by sydneyfong · · Score: 1

    I (together with some friends) hacked up a rather powerful chatroom at http://www.iwannachat.net/

    It seems to fit your criteria except that it is not "free" in either sense, but we don't have any concrete plans for commercialization of the thing, and I believe it should be possible for us to license the code to you for zero cost.

    It's not an IM per-se, but we have dozens of active users and it's working quite well as an inclusive chatroom for a relatively small group of people. It started as (and is still) a hobby project, so most advanced features are not properly documented, but I'll be happy to show you more on request.

    Leave a reply if interested. I can point you to a room of active users if you wish to see more than a rather "empty" demo room.

    --
    Don't quote me on this.
  95. eBox by Anonymous Coward · · Score: 0

    Here's another possible solution

    http://ebox-platform.com/

  96. Internal, Secure IM by DutchMa5t3r · · Score: 1

    You should try PinkNotes Plus (www.pnp4.com)

    1. Re:Internal, Secure IM by DutchMa5t3r · · Score: 1

      I missed the 'it has to be free' part. PinkNotes is only $24.95 per user (one time)

  97. Commercial Jabber (Which is still XMPP) by Ilgaz · · Score: 1

    As the guy has very specific needs with very strict requirements and exchange, perhaps Jabber.com products (now part of Cisco) are the way to go.

    http://www.jabber.com/CE/JabberHome2

    It is still XMPP, not a byte of non standard thing.

  98. Re:Not another one by Anonymous Coward · · Score: 0

    Another vote for OpenFire/Spark. We used it at a former employer and it worked very well.

  99. Pro Tip by Anonymous Coward · · Score: 0
  100. Re:Not another one by Skylinux · · Score: 5, Insightful

    You will find plenty of testimonials if you Google for them.

    So why not take it a step further and close down Slashdot.org?
    After all, the articles on Slashdot are not written by Slashdot staff but borrowed off the web, so anything on here can be found via Google. Most websites also have a comment section so the trollish comments can be found not only on Slashdot.org.

    So get over yourself, some people here may actually try to learn from the experience of others.

    Don't like a story? Don't fucking reply!

    --
    Everyone who buys Wild Hunt will receive 16 specially prepared DLCs absolutely for free, regardless of platform.
  101. what about a private IRC server? by Anonymous Coward · · Score: 0

    people keep suggesting jabber but what about IRC?

    1. Re:what about a private IRC server? by argent · · Score: 1

      IRC supports encrypted connections now?

    2. Re:what about a private IRC server? by Anonymous Coward · · Score: 0

      IRC over TLS/SSL
      http://en.wikipedia.org/wiki/Comparison_of_IRC_daemons
      Note the Client SSL column

  102. CUPS (not the printer kind) by Vrykoulakas · · Score: 1

    Cisco Unified Presence Server, aka Cisco Personal Communicator. It's an IM client / server, it's also for a VoIP phone system so it does much more, and it's probably way too expensive for what you want to do... or maybe not.

    --
    I'm like a superhero, but with no powers or motivation.
  103. Spark IM client/server by bscarano · · Score: 1

    I work for a Health Care company and we (IT) use Spark. You can find it here. I'm not sure of cost as my internal proxy won't let me access the site, but it works well. www.igniterealtime.org/projects/spark/index.jsp

    1. Re:Spark IM client/server by cgabbadon · · Score: 3, Interesting

      I agree, Openfire Server with Spark as the IM client will satisfy your requirements. It is a solid, extensible instant messaging server that should meet all your requirements.

      What is nice about Openfire is that it allows you to centralize the management and security a lot, which gives you a lot of control in information-sensitive situations like this. It has integration with an existing LDAP/AD server if you want to keep your authentication policy centralized on your LDAP server if you have one. Likewise, you can force all users to use SSL for secure messaging if you want.

      Likewise, I was working with the open source version over the last couple weeks (I set up a test environment for our company), and based on the menu options it appears that message auditing also is included (I didn't try it), so you can log all your conversations as you would like. I knew they had this feature before in their paid version, but it looks like they made it available in their open source version.

      Finally, if you ever grow and need support, you can get it from their list of service providers. And it's free :-). It has easy installs for both Windows and Linux - definitely give it a try.
      Good luck!

      Openfire Server
      Spark XMPP Client

  104. Re:FOSS? One Word: Bullshit. by Anonymous Coward · · Score: 1, Informative

    Speaking as someone who provides IT for clinical departments at an (American) teaching hospital: FOSS is not evil, or verboten. My employers, and the people I support, are more interested in results than methods; they just want to know that someone (even if it's us) will take responsibility for the system.

  105. Me too! by Anonymous Coward · · Score: 0

    I'm looking for health care. It has to be top quality, immediate, and available to my family and all my employees.

    Oh, and one more thing: It has to be free. Suggestions?

  106. college project by Anonymous Coward · · Score: 0

    Reading the summary/question sounds almost exactly like one of my college assignments. A free, open source internal only chat system that runs on Windows. Maybe I should dig my copy out and e-mail it to him...

  107. Re:Not another one by Atlantis-Rising · · Score: 1

    Do you generally make a point of walking into stores that sell things you don't like for the express purpose of complaining to the management that you don't like them?

    Nobody is forcing you to be exposed to his inadequacy. It's perfectly possible for you to just toodle on by without ever having to set foot in this thread.

    Your time was wasted not because of anything he did but because you chose to waste it.

    I think that says more about your own sense of inadequacy than it says about any displayed inadequacy on the part of the original topic.

    --
    "It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
  108. Barracuda Networks by Anonymous Coward · · Score: 0

    Disclaimer: I work for Barracuda.

    What you're looking for is the "Barracuda IM Firewall": conversations are encrypted between clients and the server, conversations can be logged, you can block external services, and it scales. We use it internally (~500 people).


    PS: It's based on XMPP and you can use any jabber client with it, including pidgin or trillian.

    1. Re:Barracuda Networks by Life2Death · · Score: 0

      My school uses your firewalls and it's total garbage. The mail spam component is more broken than blackboard.

  109. IPSWITCH IM by Anonymous Coward · · Score: 0

    IPSWITCH makes one that sounds like what you're looking for. We have used it for at least 5 years with great success. I do wish they had the message logging in a SQL DB.

  110. mIRC by ers81239 · · Score: 1

    I have seen mIRC used in situations even more secure than the one you describe.

    --
    there are 2 kinds of people. those who divide people into 2 kinds, and those who don't.
  111. OpenFire is pretty decent by Benanov · · Score: 1

    We've had stability issues but we're running an older version and haven't gotten around to upgrading yet.

    Logging is pretty easy.

  112. Re:Not another one by harryk · · Score: 1

    I don't know about SSO in its truest form; I assume you mean that after the user logs into the workstation, they don't have to also log in to the IM client. I never worked with that at all.

    As for using the same user account to log in to both the workstation (XP I assume?) as well as the IM client, I had that working in about 5 minutes.

    If it's not working, it's probably more to do with your ldap authentication than with either server.

    Are you able to perform lookups from the CLI on the Jabber server? I would check that. Assuming that you can, the OpenFire server has a couple of tests that it can perform to help troubleshoot.

    BTW - is this an OpenLDAP server or AD?

    --
    think before you write, it'll save me moderator points.
  113. WASTE by Anonymous Coward · · Score: 0

    WASTE can be a pain to set up initially, but it is the most secure messaging program available. Not sure if it will scale up to 100 people well and honestly it is more of a chat room thing than AIM although it can be used to chat with a certain person.

    http://en.wikipedia.org/wiki/WASTE

    1. Re:WASTE by shish · · Score: 1

      WASTE... has no central server.

      the server has to be able to log any conversations that occur

      (Aside from being the complete opposite of what's being asked for here, it is an acceptable chat system...)

      --
      I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
  114. Re:Not another one by Anonymous Coward · · Score: 0

    LDAP connectivity with AD works fine. We just set up a filter on a group in AD and put the users that need access to IM in that. Users just use their normal logon credentials. Haven't really worked on getting the SSO option to work, just tested it briefly.

  115. WASTE by bioborg · · Score: 2, Interesting

    http://en.wikipedia.org/wiki/WASTE might work, it was developed by Nullsoft for internal communications and file sharing, is encrypted, and has no central server.

  116. Waste is the way by scld · · Score: 1

    I thought I was going to be the savior, but bioborg beat me to it. Waste is great. Not the prettiest program, but definitely great.

    --
    'Those are my principles. If you don't like them, well. . .I have others.'

    twitter.com/scld

  117. +1 for OpenFire+Spark (FOSS) by Shouden · · Score: 2, Insightful

    I'm the Senior SysAdmin for a large datacenter in Florida. We currently employ over 50 people in our building. We recently migrated from Pidgin+OTR (Encryption) to OpenFire+Spark with ActiveDirectory Integration. I had the server installed and pulling down a list of accounts from the AD server in a matter of minutes. The server has worked flawlessly for us for months and has tons of options. It supports the ability to either allow or lock out 'other' clients (AIM, YIM, etc.). This coupled with ACL or Firewall restrictions will ensure that your users are ONLY using the Spark client. It also has chatrooms built into it which you can force your users into when they log on. It's pretty neat stuff.. oh.. it supports SSL connections, and will provide LiveChat for your website as well. It also supports logging of all chat conversations if you have a need for that. The only downside that I've run into.. there's a bug on the Linux client that has to be fixed manually (associated with the tray icon not showing up). The Windows client has a tendency to run slightly slow. While I read that it runs slow under Windows, in practicality I have not received even one complaint regarding the use of Spark. Oh.. while there is a history in the Spark client, it shows it all as one realllly long page so it's a little clunky having to hunt through your own personal chat history. Look no further. OpenFire+Spark is your answer.

  118. OCS by RogueProgrammer · · Score: 1

    We have OCS deployed at 7 locations worldwide... It works wonderfully for this sort of application, as well we can do Livemeetings /screen sharing if we need to collaborate with a tech in North America and Europe.

  119. This is what we did... by Mysticalfruit · · Score: 1

    Server: Jabber
    Client: Pidgin

    Jabber is mature, it doesn't crash and it works. Pidgin is multi-platform and looks consistent across those platforms. We did have a couple of users who are Trillian holdouts.

    It works great. We've just had to work on educating our users a bit in regards to what should be sent via internal IM and what's cool to be sent via AIM.

    --
    Yes Francis, the world has gone crazy.
  120. Re:Not another one by jwilson27 · · Score: 5, Informative

    Another vote for OpenFire. I am the IT manager at a healthcare facility and I have implemented this successfully. The latest version was very easy to setup and integrate with Active Directory. It has been working like a champ for almost 8 months now. I also enabled the web client and Red5 video plugin for video chat. This saved us quite a bit of cash in travel fees since we have numerous clinics spread out over the area. We did not eliminate traveling (nothing beats face-to-face time). Instead we do weekly video meetings and monthly travel.

  121. jive by bannerman · · Score: 1

    Jive server worked like a charm for my company for years. My users loved the Pandion client and were very disappointed when we migrated to GTalk.

    --
    I keep forgetting my place. Jesus is for losers. Why do I still play to the crowd?
  122. Re:Not another one by Anonymous Coward · · Score: 0

    We are using openfire with AD integration with no SSO and users are not in cn=users. There is some configuration to be done, but it all works. You have to tell it where to look for the users in AD. Sounds like you really didn't research or spend enough time getting it working. We created NT groups also to pre-populate the clients with all the names too.

    Spark is a great client and it can be locked down pretty easily through the openfire server.

  123. Don't Forget Congress by Anonymous Coward · · Score: 0

    The Sarbanes Oxley act makes it mandatory to keep backups of EVERY(!!!!) internal communication, including instant messaging. (Think Enron, "gonna screw those customers..", etc.) If your firm is big enough to be covered - publicly traded? - then you or your boss of IT could go to jail for not ensuring complete traceable logs are kept of every conversation...

  124. GW Messenger from Novell by FlyingGuy · · Score: 2, Informative

    You will need at least one Edir Server and they can be the same box ( I Think, it might work with ldap ) and from there you are off and running.

    It supports complete logging and log search ability (by user or full text), the client supports no other protocols, it supports SSL, and it has both Linux and Windows clients.

    It is VERY light weight on both the server and client side.

    --
    Hey KID! Yeah you, get the fuck off my lawn!
  125. OpenFire + Spark by mnslinky · · Score: 1

    Openfire is the server, Spark is the client. http://igniterealtime.org./ We use it in healthcare where I work and it's pretty solid. Archiving is an optional module and works well.

  126. LAN messengers by Anonymous Coward · · Score: 0

    http://en.wikipedia.org/wiki/Comparison_of_LAN_messengers

    Have you looked at this list? The good thing with LAN messengers is that the traffic never leaves your local network, you won't get spammed either. Maybe have a look at Softros LAN Messenger, Borgchat, Pichat. Many LAN messengers can do what you are looking for: Run on Windows (and Linux), users can exchange private messages, chat on public rooms, message logging... only a few are freeware.

    Alternatively I agree with other posters: it is not too hard to set up a local XMPP/Jabber server and use Pidgin/Miranda.

  127. We use Openfire and Spark by vicious0000 · · Score: 0, Redundant

    http://www.igniterealtime.org/ It's an excellent combo, and if you don't want it to connect with Yahoo and all, just don't turn the feature on for the server. We've had it up and running for about 3 years, and it's been flawless.

  128. Re:Not another one by mpapet · · Score: 1

    I had serious trouble getting OpenFire to work with Active Directory

    That would be the case for two reasons:

    1. SSO is not LDAP. You can, in theory, use an LDAP directory to provide the settings for SSO, but it's not SSO. Off the top of my head, you need a gina to do all of the SSO-stuff for you.

    2. Microsoft's implementation of LDAP is non-standard. It's very quirky outside of the very simplest LDAP operations. To which the legions of Microsoft domain admins will cry out "What?! He doesn't know what he's talking about!" To which I reply, you don't work with LDAP. You are an Active Directory admin. The two are not the same thing.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  129. Jabber or Openfire by hggs · · Score: 1

    Well, in my experience I have used Openfire and Jabber (via ebox). Both are easy to install and use. Ebox is a bit harder, but if you don't already have a server with SSO, it is the best option in my opinion. I have scaled both at companies with ~200 employees.

    Word of warning though, I only use communications internally, have not tried to connect either solution via Internet (only as corporate intranet), though it is possible.

    For the client, I find Pandion works best on XP clients, if you do not need other protocols as MSN, Yahoo, etc.

    --
    Did I just say that??
  130. Spark by ats-tech · · Score: 1

    http://www.igniterealtime.org/index.jsp We've had good luck with this combo.

  131. Fix your firewall by tbuskey · · Score: 1

    1st, fix your firewall to disallow *all* outgoing ports.

    2nd, open up the ports that are needed.

    I've seen one company disallow DNS to external addresses and force everyone to use the internal web proxy.

    Now, you don't care that they connect to external IM servers because you've blocked them.

    Set up an internal server recommended here with internal clients pointing at it.

    If you're worried about installing a client that might be able to connect externally and you haven't already blocked that possibility, you're doing it wrong.

    1. Re:Fix your firewall by ShaunC · · Score: 1

      One employee with a copy of PuTTY, and suddenly all the firewalling in the world is for naught...

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
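An added example, not part of any comment in this thread: a small first-match rule simulator that checks an egress rule set against the policy tbuskey describes (deny all outbound, then open only what is needed, with DNS and web forced through internal hosts) and against the outbound SSH exception ShaunC's reply points at. All addresses, rule sets and names are constructed, and first-match evaluation with an implicit "allow" when nothing matches is an assumed firewall model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Every address below is constructed for this example.
WORKSTATION = "10.1.20.15"      # a help-desk PC
EXTERNAL = "203.0.113.10"       # stands in for any Internet host
REQUIRED = [                    # flows the internal rollout needs
    ("10.0.5.10", "tcp", 5222, "internal XMPP server"),
    ("10.0.5.20", "tcp", 3128, "internal web proxy"),
    ("10.0.5.53", "udp", 53, "internal DNS resolver"),
]
PROBES = [                      # flows a workstation must NOT be able to open
    ("tcp", 5190, "AIM/ICQ"),
    ("tcp", 1863, "MSN"),
    ("tcp", 5050, "Yahoo"),
    ("tcp", 5222, "external XMPP"),
    ("tcp", 6667, "external IRC"),
    ("udp", 53, "DNS to an external resolver"),
    ("tcp", 80, "HTTP bypassing the proxy"),
    ("tcp", 443, "HTTPS bypassing the proxy"),
    ("tcp", 22, "outbound SSH"),
    ("tcp", 40000, "unlisted port (no default deny)"),
]


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches every port

    def matches(self, src_ip, dst_ip, proto, dport):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def decide(rules, src_ip, dst_ip, proto, dport, default="allow"):
    """First matching rule wins; `default` is the assumed implicit policy."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return default


def audit(rules):
    """Return forbidden flows that get out and required flows that do not."""
    leaks = [label for proto, port, label in PROBES
             if decide(rules, WORKSTATION, EXTERNAL, proto, port) == "allow"]
    blocked = [label for dst, proto, port, label in REQUIRED
               if decide(rules, WORKSTATION, dst, proto, port) != "allow"]
    return {"leaks": leaks, "blocked": blocked}


LAN, ANY = "10.0.0.0/8", "0.0.0.0/0"

# Constructed rule sets: wide open, locked down, locked down plus one exception.
LOOSE = [Rule("allow", LAN, ANY, "any", None)]
STRICT = [
    Rule("allow", LAN, "10.0.5.10/32", "tcp", 5222),   # clients -> internal IM
    Rule("allow", LAN, "10.0.5.20/32", "tcp", 3128),   # clients -> proxy
    Rule("allow", LAN, "10.0.5.53/32", "udp", 53),     # clients -> resolver
    Rule("allow", "10.0.5.53/32", ANY, "udp", 53),     # resolver -> Internet
    Rule("allow", "10.0.5.20/32", ANY, "tcp", 80),     # proxy -> Internet
    Rule("allow", "10.0.5.20/32", ANY, "tcp", 443),
    Rule("deny", ANY, ANY, "any", None),               # default deny, last
]
SSH_EXCEPTION = STRICT[:-1] + [Rule("allow", LAN, ANY, "tcp", 22), STRICT[-1]]

if __name__ == "__main__":
    for name, rules in [("LOOSE", LOOSE), ("STRICT", STRICT),
                        ("SSH_EXCEPTION", SSH_EXCEPTION)]:
        print(name, audit(rules))
```

Because the probes go through the same first-match logic as real traffic, an allow rule shadowed by an earlier deny is not reported, and a single broad exception placed above the final deny is.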
  132. SILC by ezelkow1 · · Score: 1

    Consider this another vote for SILC. We have many teams of devs here and one of the larger ones implemented their own SILC server and we use it all the time whenever we have to discuss issues related to their area. Works nice in conjunction with pidgin since I think for now that is the only cross platform client for it.

  133. Preventing connections to outside servers by brassmaster · · Score: 1

    Echoing what tbuskey said, it does seem as though you should already have something in place that blocks nonessential outgoing ports (firewall) and if you really do have as strict of requirements as you say, something like an 8e6 device that blocks outgoing access to undesirable servers running on ports 80 and 443. If this is the case, you should have no trouble keeping your users from connecting to external servers. If either of these aren't true and you choose an open source XMPP client that does only XMPP, you could modify the program by either hard coding in your server address or by having it ask a network service (DNS or similar) where the XMPP server is. No options = no problems.

  134. Re:Not another one by ReverendLoki · · Score: 1

    One additional oversight you are making is that the asker is the only one who might benefit from having this question asked and answered publicly. I happen to also be in a position where we are thinking about deploying an internal-only IM for a small business. I have already Googled the topic and have learned a bit about Jabber, but happen to have not put the time into it yet to go poring through each of the different implementations to find the one that best fits our needs.

    So, I open the article, and start reading the comments hoping for some knowledgeable colleagues who have already gone through this to share their experiences and wisdom. Unfortunately, I get people like you, wasting my time. You could have skipped this article as a topic you aren't interested in instead.

    Google is great for a search engine, but doesn't always provide the experienced advice one seeks.

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  135. Re:Not another one by Cormacus · · Score: 1

    You know, I enjoy reading both these questions and the answers. Sure, there are the occasional trollish responses that are unfriendly and uninformative, but usually there is at least one poster who adds something to the conversation that I genuinely didn't know/realize/have the background to appreciate. And that's why I keep reading /.

    --
    My dog has no nose. How does he smell? Very bad!
  136. OpenFire is the answer by ricosalomar · · Score: 1

    I set up OpenFire for a financial svc company (a bank). SSL, full AD integration with SSO, made a little widget to display who was available on the intranet.

    The AD bit took a while to set up, but once I got that sussed, it was really great.

  137. No MOC, but SameTime by NYIntensity · · Score: 1

    Microsoft Office Communicator is integrated with Exchange, but doesn't actively "log" chat sessions, you have to email the conversation to yourself. I'd say Lotus SameTime is probably the closest thing I know of that would achieve what you're trying to do.

  138. OSX server by Tibor+the+Hun · · Score: 1

    Get an Xserve with OS X server software, it has a built in Jabber based IM service. You can choose to federate it with other servers, such as gmail etc.
    Don't know what clients it requires on the windows side, but we are a Mac shop, and it gives us state-wide audio/video capabilities.
    Rock solid too.

    --
    If you don't know what AltaVista is (was), get off my lawn.
  139. Foss experience by Anonymous Coward · · Score: 0

    I was looking for a similar solution and after some research I decided to try OpenFire and Spark as they appeared to be the most mature solution for this. My experience went as follows: Server install was a piece of cake, took about 15 minutes from start to finish, including active directory integration. Installed on a Debian Etch box. Spark client install was easy enough, and it has an MSI package for AD deployment. Just check the "single sign on" box and it logs you in with your current Windows credentials. I did run into trouble, however, with the directory publishing. You're supposed to be able to publish an Active Directory group to buddy list of all users of the system. It worked kinda, but users were missing etc. So there you have it...free, easy, but quirky.

  140. IServerd by Anonymous Coward · · Score: 0

    I've been using IServerd with ICQ clients in an enterprise environment. It supports IM, online notifications, file transfer etc. After 7 years it still works fine with several hundred users , but we had to tune the machine (mbufs & comp) for intensive network I/O.

  141. Features of MS Office Communicator to consider.... by gosand · · Score: 1

    OK, this isn't really about which app to set up, but I work for a very large bank, and I work from home. The standard is Office Communicator. While there are things I really don't like about the setup (no tabs, I can't log conversations automatically), there are things I do really like. I'm not trying to sell you on it as a solution, but there are features you could look for in other solutions.

    a. Everyone has their standard login assigned to them... I don't have to chat with people's made-up logins. It's their full name, not some goofy nickname.

    b. Integration with calendars. If someone is in a meeting, it shows their status as such. Integrates with Out of Office reminders, and you can set notes on your account too. Very handy.

    c. The ability to add people to a conversation, having a virtual conference... couple that with...

    d. The ability to screen share via a communicator session. Invaluable. You don't have to start up a livemeeting (although, you can do that too from Communicator), you can just quickly share your app/desktop with one or more people.

    e. Although I can't log conversations, I can email them to myself. Good for referencing back to. However, being able to log everything would be much much better. I've lost conversations due to network glitches/closing the window accidentally.

    Communicator may not fit the bill, but it does have some nice features for use in the workplace. Consider some of them in whatever you do choose.

    --

    My beliefs do not require that you agree with them.

  142. unixbox: write joe by Anonymous Coward · · Score: 0

    I was going to say Jabber, but it's not a fully enclosed system.
    If you have an internal email server, you should be able to prop up a Jabber server.

    I see 'healthcare industry', and I think HIPAA and healthcare privacy concerns.

    How about Good, Old-fashioned 'write'?
    ----
    unixbox:/~ # write joe
    write: joe is logged in more than once; writing to pts/4
    hey there- what's new?
    -- 8 --
    Joe sees:
    Message from admin@unixbox (as root) on pts/0 at 10:04 ...
    hey there- what's new?
    EOF
    ----

    No external logging, no third-party server, etc.
    If we haven't progressed beyond this, I'm not surprised.

    On the complete other hand, this doesn't jibe with your request, but I can recommend MessageLabs corporate messaging system. Works like any other, except everything passes through /their/ system. All conversation, all files, etc.

    Double-edged sword..

  143. CommuniGate Pro is very good for this request by azdio · · Score: 1

    CommuniGate Pro is not FOSS and my opinion is biased as I have business interest in this platform. However I do believe it is the best solution to this problem and many others despite not being "Free". It is available on most any platform you would want to run it on, supports Linux (not just specific distros) and has implemented enough RFCs to be regarded as a comprehensive communications operating system. The Flash client "Pronto!" has IM auto-archive. There is a PKI built in permitting the actual storage of the archives to be automatically encrypted by the rules engine on the storage device.

    Full Documentation
    http://www.communigate.com/communigatepro/default.html

    Jabber Server
    http://www.communigate.com/communigatepro/XMPP.html

    Stored message encryption
    http://www.communigate.com/communigatepro/PKI.html#SMIMERules

    Pronto! Flash client
    http://www.communigate.com/communigatepro/Pronto.html

    Live Demo
    http://talktoip.com/ (use sign-up link to get a full running demo account)

  144. Re:Not another one by doti · · Score: 1

    MirandaIM is the only piece of software I miss from my distant Windows days.

    Pidgin is OK, but Miranda was awesome.

    --
    factor 966971: 966971
  145. Consider all options by sys_mast · · Score: 1

    Communicator.

    I know it won't be popular with this group, but don't mod down for that. A good IT person will consider all options.

    Why communicator?
    Given the industry, there are specific regulations that may apply. Possibly SOX/PCI/HIPAA. I know that Communicator does fine with SOX and PCI, if set up right.

    But I'll admit there may be FOSS that do meet those requirements, I just can't speak to those.

    --
    Those who can, do.
  146. I work at an eHealth place... by Anonymous Coward · · Score: 0

    We use GroupWise Instant Messenger.
    Though yes, you would have to be running Novell eDirectory I think.

    Internal, encrypted, logged, has stand-alone client.
    Not FOSS though :\

    But hey, if they already are running Novell stuff then this is right up their alley.

    1. Re:I work at an eHealth place... by FlyingGuy · · Score: 1

      It's not FOSS but it is pretty inexpensive and it is rock solid and scales very very well.

      And since E-Directory will install and run on windows,linux,unix and damn near every other OS out there, it is a great option.

      --
      Hey KID! Yeah you, get the fuck off my lawn!
  147. Re:Not another one by oatworm · · Score: 1

    Yep - I second this. I have an Openfire/Spark setup here at work integrating with a Windows 2003 AD environment. Straight-up SSO doesn't work, meaning the person has to enter their password, but it does notice when people change passwords and it does match AD passwords perfectly. Sure, it's mildly inconvenient, but not catastrophically so.

  148. Re:Not another one by jetole · · Score: 1

    ugh. Spark client sucks IMHO. Pidgin works much better.

  149. Jabber? by guruevi · · Score: 1

    You can set Jabber up so it doesn't federate with other servers and you can also set it up to not allow non-SSL connections. I have Apple's iChat Server solution which is basically a Jabber server with a nice management interface (although for your specifics you might have to delve a bit deeper), it integrates in my directory and if you want also Active Directory. There are clients for all platforms and as I said, you can set it up entirely how you want it.

    If you're looking for something else, look for HL7-enabled clients/servers which is a standard that can communicate with modalities even though some of those platforms don't have any interface for any type of chat client. It also integrates in workflow software etc. Apache's Camel and Mina projects are something to look for if you want to implement that, if you want to combine it with your DICOM-compatible PACS and/or RIS see DCM4CHEE

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  150. Looked at Tonic? by inio · · Score: 1

    Tonic is purely peer-to peer and discovers everyone on your broadcastable subnet.

    http://r2.com.au/software.php?page=2&show=tonic

  151. Re:Not another one by jdinkel · · Score: 1

    I do love a good self-fulfilling prophecy. Thank you, AC.

  152. Re:Not another one by trmatthe · · Score: 2, Informative

    Fancy pointing out these LDAP "issues"?

    I've migrated a metric crapload of LDAP apps from OpenLDAP, Sun LDAP and BT X.500 to Active Directory and AD/AM (aka AD-LDS) and haven't found a single issue with the LDAP interfacing apart from where apps were relying on non-RFC features in the original LDAP servers.

    Your anecdote != data.

    --
    Yeah right...
  153. Re:Not another one by againjj · · Score: 1

    Most data is not information.

    Most information is not knowledge.

    Most knowledge is not wisdom.

    From wisdom comes answers.

  154. RE: by Anonymous Coward by Anonymous Coward · · Score: 0

    And it's dumb fucks like you that ruin the intellectual collective of news forums, how about instead of replying. You first need to understand what a complaint is and why it was brought forth instead of spewing your brainless IQ on the internet for all to see.

  155. Re:Not another one by michaewlewis · · Score: 0

    You work for Google, don't you?

  156. It has to be free? by SectoidRandom · · Score: 1

    Ignoring for a moment that we are on /. :), when you consider the total cost of any such deployment over the long term, free is not possible. Your time costs money, one day you will leave and will require significant time to handover whatever solution you have implemented.

    Free is not an option in any such decision, stop undervaluing yourself by perpetrating the myth to your managers that your experience and hard work is at zero cost to them!

  157. Concentric.com offers secure, encrypted chat by Anonymous Coward · · Score: 0

    It's not a server combo, but if you bring your email to their hosted exchange service - you get the ssl encrypted instant messaging for free! Hosted exchange enables you to share calendars, to-do lists, and contact lists while having your email synced in realtime. It might make more sense to go with a hosted service due to the high TCO of buying, maintaining and managing your own service. The business instant messaging is available as an add on to their web hosting and email hosting services.

  158. Re:Not another one by tobiasly · · Score: 0, Flamebait

    This is the exact attitude that pushes people away from FOSS in the first place.

    It is almost impossible to get a real answer from people with experience when all you get in return is "RTFM n00b."

    Then good riddance. As the maintainer of several open source projects, I am constantly amazed by the number of people who ask a question on a mailing list that is answered in the top 5 questions of the FAQ.

    People who expect not only to have amazing software written for them for free but also to be spoon-fed every step of the way don't do anyone any favors, so why should FOSS authors worry if they leave?

    Google does not have all of the answers. It has a wealth of information, but sometimes no answers.

    If Google doesn't have the answer, then install the software yourself, try it out, and then blog about what you found out. That's at most a half-day proposition for most FOSS projects. Not only will you gain good experience, but others will benefit from your efforts and you'll add to the discussion.

    You don't have to be a developer to contribute to the FOSS community. Even if the only thing you contribute is your user experience or a simple "thanks", that's better than being a leech who expects someone else to do all the work. The OP didn't ask a single question that couldn't be answered by 30 minutes of Googling and another 4 hours of kicking the tires on some software.

  159. Re:Not another one by Anonymous Coward · · Score: 0

    Another network guy in favor of Openfire/Spark. While the Java-ness of the client slows it down, the end-users have found it intuitive and easy to learn.

    Secure communications, no outside world chatting, logged conversations (if you want), FREE.

    We looked at Wired Red's chat client solution but they wanted something well into the 4 digits. A few hundred bucks, maybe. But not just to chat in a business environment.

    Been using it on OpenSuse for a year and a half now, no problems. BIG "win" here...

  160. Communicator can log by ancientt · · Score: 1

    Communicator can be logged at the server level with the right configuration. It is a supported feature of the server.

    I'd love to replace Communicator with FOSS, but Communicator does SSO, file transfer, AD integration and Outlook integration so that it can update your status according to your calendar. It even does a Mobile and Web client, though I haven't tried those. So far I haven't found anything FOSS that can match that.

    Once a month or so I consider quitting my job and writing the code to do that.

    --
    B) Eliminate all the stupid users. This is frowned upon by society.
  161. Re:Not another one by LoadWB · · Score: 1

    Many environments do not lend themselves to "4 (sic) hours of kicking the tires on some software" and then blogging about it. And you are indeed right, there are a lot of people who refuse to read FAQs, but that does not make legitimate questions any less legitimate.

    The OP wanted a reliable answer from a reliable source, a community of fellow geeks, nerds, twerps, dweebies, grunts, krunks, dorks, and the like.

    And, hey, while I am at it, I think I will throw in another famous response in FOSS forums: "write your own patch and submit it." Yeah, I have seen that one plenty of times to feature recommendations or requests.

    A lot of FOSS developers forget that there are people using their software who are not programmers. FFS, you should be flattered. And while I understand you have to deal with a lot of dumb-asses who ask the same dumb-ass questions you have already put in your FAQ, that is part of dealing with the customer. You do not like that? Then hire Smykowski to act as the go-between for you and your customers, because it seems that dealing with them has depleted your people skills.

    And therefore, frankly, good riddance to you and your software until you learn how to address your audience.

  162. IRC by rcgreenw · · Score: 1

    You can set up an IRC server with Pidgin (or other) clients, then firewall access to any external servers. You then have the option of running customized bots, having common chat rooms, and person to person chats.

    We used this for internal communications in the networking group where I used to work. It had the added benefit of having a client that worked on a text Linux console in the server room. Of course the only bot we ran was one that interjected comments about local restaurants when we were deciding where to eat lunch. ;)

  163. You need to talk to Jive by geekoid · · Score: 1
    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  164. Anonymous Coward by Anonymous Coward · · Score: 0

    I don't know if my toy project fits in your case. Take a look anyway, it's developed in Java (1.6.x) and GPLv3'ed:

    http://ezim.sourceforge.net/

    The downside I've noticed so far is that it only works within a single network segment, i.e. no cross-router communication.

  165. Yafumato by Anonymous Coward · · Score: 0

    I am the author of FOSS web-based instant messenger software called Yafumato (http://sourceforge.net/projects/yafumato/) that I think can meet your needs. The web client uses HTTP streaming AJAX with JavaScript chat windows.

    The software was originally designed to support external messengers, but I have a non-public build that supports internal-only messaging. External messengers could be disabled with a code change. Chat rooms are also supported for internal messaging.

    The software uses a MySQL database to log all messages. This is an option when setting up your user, but could be made required via a code change.

    A demo version is available at https://randomtask.org/yafumato/. Please note that the demo is not the build with internal messaging; the internal messaging build includes all the features of the demo plus internal messaging, chat rooms, and user account maintenance.

  166. Jabber Private Server by Anonymous Coward · · Score: 0

    I heard somewhere you might be able to set up a private Jabber server using an Internal (private network address for all in company that can access) Private IP Address. Set up the server in its settings to not connect to global network or private only. There may be an encryption addon to add to Jabber on top of that. Make sure you are using a Jabber-only client.

    Build Your Own Jabber Server for Private Communication
    http://www.mutaku.com/geeklog/article.php?story=20071129154823176

  167. HIPAA by stanjam · · Score: 1

    Since you are talking health care, you also need to be in compliance. That requires not only logging, but encryption. While I cannot make specific recommendations (I believe there are some good ones here), I would make sure that you can make encryption an integral part of this system. That would help make sure you are in compliance without having to add extra steps later in the process. Just food for thought. Most of the open source alternatives you get should be able to work nicely with PGP. Since you want the system to be closed, I would recommend setting up and using your own key server.

    --
    Open Source: Eroding the Digital Divide
  168. Why use a server? by Anonymous Coward · · Score: 0

    Why not use a private P2P application?

    With this one you get secure chat, forums and file transfers:

    http://retroshare.sourceforge.net/

  169. Java Instant Messaging by Anonymous Coward · · Score: 0

    We use Java Instant Messaging. It works great. It's based on the Jabber protocol and comes with a Java client that runs on any OS with Java VM installed. You can also lock it down to where clients cannot connect to public IM servers (Yahoo, AIM, etc.).

  170. Re:Not another one by atraintocry · · Score: 1

    Yeah, I wanted to have the client get the authentication from Windows (XP + AD on 2003) and then auto-login. It seemed like everything was happening correctly...from what I remember I had to generate matching Kerberos keys on the Openfire server and the KDC and a special user account on the domain controller.

    There's tons of logs from Java, the server, and the client, and you can actually watch the packets as they go. But the problem was that everything looked good according to all of the forum threads. Getting official support and rebuilding the DC weren't options so I just used separate accounts with the same names. We don't have enough users that it's even an issue, though obviously doing it the right way would have been nice.

  171. Re:Not another one by atraintocry · · Score: 1

    I do remember being able to get it that far. In my particular case auto-login was more important than using the same accounts, because my users aren't too savvy and I wanted to make it painless for them to IM each other. In spite of all this they still barely use it :D

  172. Re:Not another one by atraintocry · · Score: 1

    Do you mean that the client software doesn't use a password at all? That's what I was trying to accomplish. And it seemed like it can be done but after a few days I stopped trying.

    What I probably should do is grab the accounts from AD but then just save the password in the client.

  173. Re:Not another one by atraintocry · · Score: 1

    It's very possible that I was mistaken and that SSO for Spark simply doesn't work with Active Directory. But I had done a bunch of reading and I was under the impression that not only was it possible but that a lot of people had it set up that way.

    There are many threads like this one:
    http://www.igniterealtime.org/community/thread/26839

  174. Use Jabber by rpwoodbu · · Score: 1

    Jabber should solve your needs. It is free and open. There are many client and server implementations. Almost every Jabber client and server supports SSL. There are servers that do server-side logging. You will want to prevent connection to external Jabber servers by use of a firewall rule. However, servers can exist on non-standard ports, and the only complete way to prevent access to that is to restrict the client's configuration (not sure which clients make that easy), and restrict your users from running software on their computers not installed by an administrator; you have to decide if it is worth being so Draconian.

    Visit www.jabber.org for a long list of servers and clients. Evaluate them to see which fit your needs. My recommendation for a client in Windows is Psi, as it is good, easy to use, flexible, and only talks to Jabber. I have experience with ejabberd and jabberd 1.x, and I've heard decent things about jabberd 2.x and Openfire; you'll need to evaluate them yourself to get the one that gives you the features you need.
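
An added example, not part of the comment above: a port-based firewall rule misses Jabber servers on non-standard ports, so this sketch checks the first payload bytes of outbound flows (as exported by a packet capture or IDS) for the clear-text XMPP stream opener. The internal server address 10.0.0.5, the function names and the sample flows are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption for this sketch: address of the internal Jabber server.
INTERNAL_SERVERS = {ipaddress.ip_address("10.0.0.5")}
STANDARD_PORTS = {5222, 5223}  # XMPP client port and legacy-SSL client port

# A Jabber client opens its TCP stream in clear text, before any STARTTLS,
# with a <stream:stream> element in the jabber:client namespace (RFC 6120).
STREAM_OPEN = re.compile(rb"<stream:stream\b[^>]*xmlns=['\"]jabber:client['\"]")
TO_ATTR = re.compile(rb"<stream:stream\b[^>]*?\bto=['\"]([^'\"]+)['\"]")

def classify_flow(dst_ip, dst_port, first_bytes):
    """Return (verdict, claimed_domain) for one outbound TCP flow."""
    if ipaddress.ip_address(dst_ip) in INTERNAL_SERVERS:
        return ("internal", None)
    head = first_bytes[:1024]
    if STREAM_OPEN.search(head):
        m = TO_ATTR.search(head)
        domain = m.group(1).decode("ascii", "replace") if m else None
        if dst_port in STANDARD_PORTS:
            return ("external-xmpp", domain)
        return ("external-xmpp-nonstandard-port", domain)
    if dst_port in STANDARD_PORTS:
        # Nothing readable (e.g. TLS from the first byte) but a Jabber port.
        return ("external-jabber-port-opaque", None)
    return ("other", None)

def audit(flows):
    """Return the flows that bypass the internal server, with their verdicts."""
    findings = []
    for src, dst_ip, dst_port, first_bytes in flows:
        verdict, domain = classify_flow(dst_ip, dst_port, first_bytes)
        if verdict not in ("internal", "other"):
            findings.append((src, dst_ip, dst_port, verdict, domain))
    return findings

# Constructed sample flows: (workstation, dst IP, dst port, first payload bytes).
OPEN = b"<?xml version='1.0'?><stream:stream to='%s' xmlns='jabber:client' " \
       b"xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
SAMPLE_FLOWS = [
    ("ws-01", "10.0.0.5", 5222, OPEN % b"im.corp.example"),
    ("ws-02", "203.0.113.10", 5222, OPEN % b"chat.example.org"),
    ("ws-03", "203.0.113.20", 8080, OPEN % b"im.example.net"),
    ("ws-04", "198.51.100.9", 5223, b"\x16\x03\x01\x02\x00"),
    ("ws-05", "198.51.100.7", 443, b"\x16\x03\x01\x02\x00"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

A client that wraps the whole connection in TLS on a non-standard port shows no readable stream opener, which is why the comment's point about restricting client configuration and installed software still applies.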

  175. Oh really? by mpapet · · Score: 1

    I've migrated a metric crapload of LDAP apps

    Yes, you've migrated them into ActiveDirectory, not another LDAP server.

    Here's a little taste of the LDAP-like problems.

    http://www.openldap.org/lists/openldap-software/200312/msg00240.html

    As my original post states, you are an Active Directory admin. You have made the classic mistake of thinking the *very* limited LDAP functions in AD are similar to running an LDAP server.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html