#1
09-07-2008, 10:45 PM
Advanced Member
Posts: 193
External Users of Zimbra to only use VPN

Hi All,

We are looking into making all our users, whenever they are on the road, access their e-mail only using VPN.

I have been looking around the forum for posts on a similar item but have not found anything (or maybe I missed it).

What do we need to do so that users will not be able to access https://mymail.domain.com from any internet connection? And in order for them to access it, they have to do VPN.

I would really appreciate any feedback, or if you can point me somewhere in the forum that has the same requirements.

Thanks in advance.

#2
09-11-2008, 04:23 AM
Advanced Member
Posts: 193

Any idea on this one please? Any kind soul out there?

#3
09-11-2008, 04:26 AM
Moderator
Posts: 7,911

Do you not have a firewall in front of your ZCS installation? If you do, then why not just allow the VPN IP block access to port 443 on your server?

#4
09-11-2008, 05:11 AM
Advanced Member
Posts: 193

Thanks Uxbod. But can you help me understand your suggestion further?

And yeah, really thanks!

#5
09-11-2008, 05:19 AM
Intermediate Member
Posts: 21
or do it with DNS

... Firewall restricting/preventing access from outside to your Zimbra box's IP port 443 is (probably) best, but you could probably use DNS, and simply not make the Zimbra's IP resolvable via public DNS servers; keep its record only in your company's internal DNS.

Bottom line though: you should have your mailserver in a DMZ (DeMilitarized Zone) behind a firewall.

Please post more details of how your servers access the net / how the net accesses your servers so that we can provide better suggestions.

Ciao
__________________
Current specs:
Updated 7 NE on Ubuntu 10.04 KVM virtual machine.
on Dell server hardware.

6.08_GA on Ubuntu 10.04

Previously:
Release 5.0.2_GA UBUNTU FOSS edition
on ubuntu 7.10 (gutsy) 1Gig RAM
inside VirtualBox virtual machine host
intel P dual-core. 3Gig Ram

Release 4.5.0_GA_612.UBUNTU6 UBUNTU6 FOSS edition
AMD Athlon XP 2100+ 1.7Ghz, Ram 512MB, HDD: 40Gig

Release 3.1.4_GA_518.FC4_20060626144747 FC4 FOSS edition
Pentium 4, 3.0Ghz, Ram:1Gig, HDD: 40Gig

#6
09-11-2008, 07:32 AM
Outstanding Member
Posts: 684

Accessing your mail server across an SSL connection will give you the same security as through your VPN.

However, I add my private LAN IP of my mail server to the HOSTS file of my branch offices and laptops. The VPN clients on the laptops are set to auto connect when the PC tries to access any IPs that exist on my private home office LAN. So when they access the mail server it gets the IP from the hosts file, which in turn automatically makes a VPN connection to the home office. You could set the VPN client to manually connect and make the VPN connection first, but that seemed to confuse some users.

#7
09-12-2008, 09:36 PM
Advanced Member
Posts: 193

Thanks for the reply guys. :-) Really appreciate your inputs.

To answer apatosaur.9, my zcs server is behind a UTM and not in DMZ. It's part of the private LAN.

Somehow it looks like this:

Internet--->UTM---->ZCS---->Users

And with this setup, users can access their mails from anywhere with internet connection via https.

We somehow want to make it like this:

External Users-->VPN--->Internet--->UTM--->ZCS--->Internal Users

What we want to happen is for the users to make use of VPN in order to get their mails. Not just ordinarily from any Internet connection.

The reason behind this is to discourage the users from using Internet shops/cafes to access their mails, since a lot of these internet shops have keyloggers in their workstations. Several of our user accounts have already been compromised by this type of access from Internet shops/cafes.

If there will be a better suggestion rather than just using VPN, it would be highly appreciated.

Thanks in advance.
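
To check that the firewall restriction suggested in post #3 is actually holding, the sketch below audits web access-log lines for HTTPS requests whose source address lies outside the VPN and LAN ranges. It is an added example, not part of the original thread. The address ranges, the common-log-format layout and the sample lines are constructed assumptions, and it presumes the mail server logs the real client address rather than the UTM's.

```python
import ipaddress
import re

ALLOWED_NETS = {  # assumed address plan: placeholders, not taken from the thread
    "vpn": ipaddress.ip_network("10.8.0.0/24"),     # VPN client pool
    "lan": ipaddress.ip_network("192.168.1.0/24"),  # internal users
}

# Constructed sample lines in common log format (not real server output).
SAMPLE_LOG = """\
10.8.0.14 - - [12/Sep/2008:09:01:11 +0000] "GET / HTTP/1.1" 200 5120
192.168.1.50 - - [12/Sep/2008:09:02:40 +0000] "POST / HTTP/1.1" 200 812
203.0.113.77 - - [12/Sep/2008:09:05:03 +0000] "POST / HTTP/1.1" 200 812
198.51.100.9 - - [12/Sep/2008:09:07:19 +0000] "GET / HTTP/1.1" 200 5120
not a log line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')

def classify(addr):
    """Return the name of the allowed network containing addr, or None."""
    ip = ipaddress.ip_address(addr)  # raises ValueError if not an IP address
    for name, net in ALLOWED_NETS.items():
        if ip in net:
            return name
    return None

def audit(log_text):
    """Return (violations, unparsed) for the given access-log text."""
    violations, unparsed = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        src, when, request, status = m.groups()
        try:
            zone = classify(src)
        except ValueError:  # first field is a hostname or garbage
            unparsed.append(line)
            continue
        if zone is None:  # reached the server without coming via VPN or LAN
            violations.append((src, when, request, int(status)))
    return violations, unparsed

if __name__ == "__main__":
    bad, skipped = audit(SAMPLE_LOG)
    print(f"{len(bad)} request(s) from outside VPN/LAN, {len(skipped)} unparsed")
    for hit in bad:
        print(hit)
```

Any violation with a 2xx status means the port-443 restriction is not in effect for that source; unparsed lines are returned rather than dropped so a log-format change does not silently hide traffic.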