Corporate chat with domain authorization

Corporate communication in a domain

Task: run our own self-hosted messenger with domain authorization and encryption.

Nuances:

Nulla: cloud solutions such as Slack or Teams are not an option. Three reasons why: they are not secure, they are expensive, and they require a high-speed internet connection and modern hardware.

Unus: domain logins — some names are in Cyrillic, so Jabber applications such as Openfire won't work because they cannot handle Unicode logins.

Duo: several domains in the company are used simultaneously. Transparent authorization for users, so that nobody has to enter a login and password. Deploy the MSI via GPO and be ready to work.

Tres: users with Android devices must connect at the same time with domain logins over the internet, with encryption as a security measure. PUSH notifications should work too.

We will not say how much time was spent searching for such a messenger, because it is not an easy task. A real project with a long development history is required. We must understand that serious corporate software is mostly about support, fixes and solving users' problems, not about "cloud-based", "future development", "blockchain innovation" and the like.

For example, MyChat — a corporate messenger with a history, a big and active support forum and (attention!) a free version for 20 concurrent connections. No trial period. Yes, it really exists.

Total time for a launch is 15 minutes. Let's go.

  1. Downloading and installing the server
  2. Importing users from a domain
  3. Deploying MSI package
  4. Enabling transparent authorization
  5. Port mapping on the router for connecting people over the internet
  6. Domain login on Android smartphone
  7. Multilogin and phone binding

1. Downloading and installing the server


00:00 Download the distribution file from the official website; for now we need only the Windows server.

01:00 Launch the installer, everything goes smoothly. Install the server with the default settings; any OS from Windows 7 onwards is suitable, server or desktop, x86 or x64 — it does not matter. System requirements are low. MyChat works perfectly on ancient hardware.

When starting, the installer asks for UAC elevation, because the installation goes into Program Files. The distribution file has a digital signature, so we are good.

During the installation process, the program asks for an administrator's email and the company name where it will be used:

MyChat installation, filling data

Email is written to the server's admin profile, and the company name will be displayed in the chat later.

Do not check the box with Windows Autorun:

MyChat Autorun

Jumping ahead: this option is for running the server as a service. For now, let's practise working with the GUI application.

03:00 Run MyChat Server:

Installing MyChat, access permission in Windows Firewall

Permission granted. Two similar requests will appear for the built-in NodeJS web server and for the TURN server used for calls.

The server is working:

Installing MyChat, running MyChat Server

03:10 Press the button "Administration" and enter the Admin Panel:

MyChat Server Admin Panel

While doing this, remember the Openfire developers, who could have made this process easier and saved us from searching forums to find out the admin login and password :)

The system warns us to change the administrator's login/password and lets us into the Admin Panel:

MyChat Server Admin Panel, interface

The Admin Panel works fast and is responsive to management commands.

All navigation is via a tree-like menu that expands when you choose a root element. The many features are divided into sections, and there is a built-in help page that opens in a browser when you press F1. It contains a lot of useful information that is strongly recommended reading :)

MyChat Help page


2. Importing users from a domain


04:30 Enter the section for importing users from a domain:

Importing users from a domain to MyChat

It's simple. Specify the domain controller host and any user with a password and permission to connect to the domain. It does not have to be the admin.

The connection is made via LDAP; users, their photos and the company structure are loaded if everything is correct in the Organizational Units of the domain tree. If not, load users with the import filter and choose only those you need:

LDAP settings in MyChat

Press the button "Connect", then "Import". That's it: accounts with additional fields (emails, job titles, phones) are imported.


3. Deploying MSI package


06:00 Download the MSI from the website and install it via GPO. Everything is default. Here is the guide on how to do it for those who have never done it or have forgotten the details.

There is an interesting nuance regarding client application installation. Which is better: the MSI package or a regular EXE installer? Someone may argue that scripts are best for automatic application deployment, and that MSI is the "out of the box" solution approved by His Majesty Microsoft.

That's true. But when you install MyChat Client with the EXE installer, by default it offers to install the application into the Windows user's profile, whereas the MSI package installs only into Program Files.

This matters because when you push an update via GPO, users have to log off and log on again to apply the policy and finish updating the messenger. If instead the application is installed in C:\Users\%USERNAME%\AppData\Local\MyChat Client\, the update is performed directly from your server. It is very convenient and quick, and no UAC elevation is needed.

It's up to you which option is better. Here is the Help page about automatic installation (installer keys).


4. Enabling transparent authorization


08:00 "Two in one". First, the client application must know that it has to use transparent authorization. Authorization types can be "mixed" on the server.

Second, the application must know where to connect: the host name or IP address of MyChat Server.

To configure it, apply the following REG file via Group Policy:

    REGEDIT4

    [HKEY_CURRENT_USER\Software\MyChat Client]
    "Domain"="Domain_name"
    "IP"="IP_address_MyChat_Server"

These two values are enough. For more details, check the official Help page (option 3).
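As an added example (not MyChat's own tooling and not from the original article), here is a PowerShell check to run on a workstation after the GPO has applied the REG file above: it verifies that the two values are present, that the deployed "Domain" matches the domain the user actually logged on to, and that the server ports from the Help (TCP 2004, 443, 8888) are reachable from the client. The comparison against the logon domain and the port list are assumptions; Test-NetConnection needs Windows 8.1 or later.

```powershell
# Added example, not part of MyChat. Verifies the transparent-authorization prerequisites
# on a domain workstation. Registry path and value names are those from the REG file above.
function Test-MyChatClientSetup {
    param(
        [string]$RegPath    = 'HKCU:\Software\MyChat Client',
        [int[]]$ServerPorts = @(2004, 443, 8888)   # assumed: ports listed in the Help
    )
    $reg    = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
    $domain = [string]$reg.Domain   # empty string when the value is missing
    $ip     = [string]$reg.IP

    # The logged-on user's domain in NetBIOS and DNS form; either may be what was deployed.
    $logonDomains = @(@($env:USERDOMAIN, $env:USERDNSDOMAIN) | Where-Object { $_ })

    $ports = [ordered]@{}
    if ($ip) {
        foreach ($p in $ServerPorts) {
            # -InformationLevel Quiet returns only $true/$false for the TCP handshake.
            $ports[$p] = [bool](Test-NetConnection -ComputerName $ip -Port $p `
                                  -InformationLevel Quiet -WarningAction SilentlyContinue)
        }
    }

    [pscustomobject]@{
        Domain               = $domain
        IP                   = $ip
        RegistryConfigured   = ($domain -ne '') -and ($ip -ne '')
        DomainMatchesLogon   = $logonDomains -icontains $domain   # case-insensitive
        ServerPortsReachable = $ports
        AllPortsOpen         = ($ports.Count -gt 0) -and (-not ($ports.Values -contains $false))
    }
}

Test-MyChatClientSetup | Format-List
```

A result with RegistryConfigured or DomainMatchesLogon set to False means the policy did not apply to this user or points at the wrong domain, so the client will fall back to asking for credentials.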


5. Port mapping on the router for connecting users over the internet


12:00 This step is not strictly required. If your users work only in the local network or via VPN, you do not need to forward ports on the router.

If you connect people over the internet, configure port mapping on the router.

Here is the list of ports specified in the Help (highlighted in green).

For those reading this for the first time, here is the deal: there is an external ("white") IP address, reachable over the internet and assigned by your company's provider. This address belongs to the router that shares the internet in the office.

People connect to this address over the internet.

The router is configured so that all connections it receives on its address on the specified ports (TCP 2004, 443, 8888) are redirected into the local network to the IP address where MyChat Server runs (e.g. 192.168.10.100).

If this is completely new for you, ask a specialist to configure it. It takes a few minutes, no magic involved.

By the way, here is an important thing about Android. Google's policy requires that applications connecting from external networks use HTTPS only (the encrypted protocol). Fine, but then you need a certificate (purchased or generated via Let's Encrypt, it does not matter). And a certificate is issued for a domain name, not for an IP address. This means that besides the external IP you need a domain name linked to this IP.

After you have completed everything, check it in the Admin Panel.

Now you know everything :)


6. Domain login on Android smartphone


15:00 Nothing complicated here. Download the application from Google Play, launch it, add your server, and enter the user's domain login and password.

No transparent authorization, unfortunately. But this is logical: it is a smartphone, not a Windows computer authorized in a domain.

When connecting to the server, the Android application sends the user's login and password over an encrypted channel to MyChat Server, which checks via LDAP whether the login is allowed. If everything is fine, you enter the chat. After the first successful login, the user enters the chat automatically.

Important! To make PUSH notifications work, your MyChat Server must have an internet connection and access to mychat-server.com via TCP port 52020. If access is blocked, add an outgoing rule to the firewall.
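Two checks for the two requirements above, as an added example (not MyChat's own code): the first connects to the public name on TCP 443 and shows which DNS names the presented certificate actually covers, so you can confirm it was issued for the domain name and not the bare IP (the Android/HTTPS caveat from section 5); the second confirms that the server can reach the PUSH relay on TCP 52020. The host name chat.example.com is a placeholder, and the SAN parsing assumes the Windows "DNS Name=..." formatting; wildcard names are not matched.

```powershell
# Added example, not part of MyChat. Run on the server (or any host with the same egress rules).
function Get-MyChatTlsCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,   # placeholder: public DNS name of the router's IP
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake: we only want to read it and judge it below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)   # sends SNI = $HostName
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Subject Alternative Name (OID 2.5.29.17) lists the names the certificate is valid for.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $names = @()
        if ($sanExt) {
            $names = @($sanExt.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1].Trim() })
        }
        $cnMatch = $cert.Subject -match ('(^|, ?)CN=' + [regex]::Escape($HostName) + '(,|$)')

        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Names      = $names
            CoversHost = ($names -contains $HostName) -or $cnMatch   # exact match only, no wildcards
            Expired    = $cert.NotAfter -lt (Get-Date)
        }
    } finally {
        $client.Close()
    }
}

# Outbound path required for PUSH notifications (relay host and port as stated in the text).
function Test-MyChatPushEgress {
    param([string]$RelayHost = 'mychat-server.com', [int]$RelayPort = 52020)
    [bool](Test-NetConnection -ComputerName $RelayHost -Port $RelayPort `
                              -InformationLevel Quiet -WarningAction SilentlyContinue)
}

Get-MyChatTlsCertificate -HostName 'chat.example.com' | Format-List
Test-MyChatPushEgress
```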


7. Multilogin and phone binding


Almost all messengers require phone binding. In other words, a smartphone first, then a desktop or laptop. For example, you can run Telegram on a smartphone and a computer. Messages shown on both devices are synchronized automatically.

WhatsApp is a different case. First only a smartphone, then the desktop.

But if you have no spare smartphone, or you do not want to link your phone number, most messengers won't meet your expectations. Telegram, Viber, Line, Skype, WhatsApp: all of them require a phone number.

MyChat is different. If you do not want to use a phone number, use your nickname, email, domain login or UIN.

There are no limitations on concurrent connections from different devices, as long as the number of licenses is enough.

