Thread: External Users of Zimbra to only use VPN

  1. #1
    randall (Advanced Member)

    External Users of Zimbra to only use VPN

    Hi All,

    We are looking into making all our users, whenever they are on the road, access their e-mail only using VPN.

    I have been looking around the forum for a post on a similar item but have not found anything (or maybe I missed it).

    What do we need to do so that users will not be able to access https://mymail.domain.com from any internet connection? And in order for them to access it, they have to use VPN.

    I would really appreciate any feedback, or if you can point me somewhere in the forum that has the same requirements.

    Thanks in advance.

  2. #2
    randall (Advanced Member)

    Any idea on this one please? Any kind soul out there?

  3. #3
    uxbod (Moderator)

    Do you not have a firewall in front of your ZCS installation? If you do, then why not just allow the VPN IP block access to port 443 on your server?

  4. #4
    randall (Advanced Member)

    Thanks Uxbod. But can you help me understand your suggestion further?

    And yeah, really thanks!

  5. #5
    apatosaur.9 (Active Member)

    or do it with DNS

    ... Firewall restricting/preventing access from outside to your Zimbra box's IP port 443 is (probably) best, but you could probably use DNS, and simply not make the Zimbra's IP resolvable via public DNS servers; keep its record only in your company's internal DNS.

    Bottom line though: you should have your mail server in a DMZ (DeMilitarized Zone) behind a firewall.

    Please post more details of how your servers access the net / how the net accesses your servers so that we can provide better suggestions.

    Ciao
    Current specs:
    8.x NE + OSS KVM guests and Physical servers Ubuntu 12.04, RHEL 5 + 6 .
    on Dell server hardware.

    Previously: ZCS OSS and NE 7, 6, 5, 4, 3 variously on physical and virtual
    Twitter: @mciverza

  6. #6
    Bill Brock (Outstanding Member)

    Accessing your mail server across an SSL connection will give you the same security as through your VPN.

    However, I add the private LAN IP of my mail server to the HOSTS file of my branch offices and laptops. The VPN clients on the laptops are set to auto-connect when the PC tries to access any IPs that exist on my private home office LAN. So when they access the mail server it gets the IP from the hosts file, which in turn automatically makes a VPN connection to the home office. You could set the VPN client to manually connect and make the VPN connection first, but that seemed to confuse some users.

  7. #7
    randall (Advanced Member)

    Thanks for the reply guys. :-) Really appreciate your inputs.

    To answer apatosaur.9, my zcs server is behind a UTM and not in DMZ. It's part of the private LAN.

    Somehow it looks like this:

    Internet--->UTM---->ZCS---->Users

    And with this setup, users can access their mails from anywhere with internet connection via https.

    We somehow want to make it like this:

    External Users-->VPN--->Internet--->UTM--->ZCS--->Internal Users

    What we want to happen is for the users to make use of VPN in order to get their mails. Not just ordinarily from any Internet connection.

    The reason behind this is to discourage the users from using Internet shops/cafes to access their mails, since a lot of these internet shops have keyloggers in their workstations. Several of our user accounts have already been compromised by this type of access from Internet shops/cafes.

    If there is a better suggestion rather than just using VPN, it would be highly appreciated.

    Thanks in advance.
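
The firewall restriction suggested in post #3, written out as an added example (not part of any post in this thread): a shell function that prints an `iptables-restore` ruleset admitting new connections to port 443 only from named networks. It assumes a Linux host firewall on the ZCS server; the function names and the two address pools (10.8.0.0/24 for VPN clients, 192.168.1.0/24 for internal users) are placeholders.

```sh
#!/bin/sh
# Added example: print an iptables-restore ruleset that admits new TCP
# connections to the webmail port only from the listed source networks.
# Assumed placeholders: 10.8.0.0/24 = VPN pool, 192.168.1.0/24 = office LAN.

# valid_cidr A.B.C.D/N: succeeds for dotted-quad IPv4 with N in 8..32.
# Shorter prefixes (0.0.0.0/0 above all) are refused because they would
# reopen the port to the whole Internet.
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; len=${1#*/}
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -ge 8 ] && [ "$len" -le 32 ] || return 1
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# zcs_vpn_only_rules PORT CIDR...: one ACCEPT per allowed network, then DROP.
# iptables stops at the first match, so the DROP must come last.
zcs_vpn_only_rules() {
    [ $# -ge 2 ] || { echo "usage: zcs_vpn_only_rules PORT CIDR..." >&2; return 1; }
    port=$1; shift
    case $port in *[!0-9]*) echo "bad port '$port'" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port '$port'" >&2; return 1; }
    for c in "$@"; do
        valid_cidr "$c" || { echo "refusing source '$c'" >&2; return 1; }
    done
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for c in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -s $c --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -p tcp --dport $port -j DROP" 'COMMIT'
}

zcs_vpn_only_rules 443 10.8.0.0/24 192.168.1.0/24
```

Pipe the output into `iptables-restore --test` to syntax-check it before loading; loading it without `--noflush` replaces the existing filter table.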
