Best Setup Behind a Firewall?

[redd77]

We are currently setting up a new ZCS installation. (7.1.3) It will be located behind a firewall and I've found the articles about Split-DNS.

What I would like to do is setup two seperate network interfaces on the server. The first interface would get an IP address on our internal private network. The other interface would be in our DMZ and would be NAT'd to a public IP address for external web access and mobile devices.

Is this possible? Would I be better off just placing the entire server in the DMZ or on the private network? We're moving from an older home-brewed system where one box in the DMZ handled web access and another box in the DMZ relayed external messages to and from the actual mail server that is on the private network. I'd like to move away from that and have everything on one box but still be secure.

Thanks

Shawn

[LHammonds]

What I would like to do is setup two seperate network interfaces on the server. The first interface would get an IP address on our internal private network. The other interface would be in our DMZ and would be NAT'd to a public IP address for external web access and mobile devices.

Why would you use two interfaces? I have my (test) server setup on the internal network but the hardware firewall controls what communication is allowed from the outside...such as blocking administrative access to the server or IMAP/POP3 and just allowing the web interface to pass through over SSL.

LHammonds

[redd77]

You know what? You're right. Our old mail system was overbuilt and I was over thinking the problem. Thanks!

[LMStone]

We are currently setting up a new ZCS installation. (7.1.3) It will be located behind a firewall and I've found the articles about Split-DNS.

What I would like to do is setup two seperate network interfaces on the server. The first interface would get an IP address on our internal private network. The other interface would be in our DMZ and would be NAT'd to a public IP address for external web access and mobile devices.

Is this possible? Would I be better off just placing the entire server in the DMZ or on the private network? We're moving from an older home-brewed system where one box in the DMZ handled web access and another box in the DMZ relayed external messages to and from the actual mail server that is on the private network. I'd like to move away from that and have everything on one box but still be secure.

Thanks

Shawn

I would not multi-home a Zimbra server because most Zimbra components answer on all interfaces, but you can place the individual Zimbra servers of a multi-server installation in different firewall zones, so as to better secure both inter-server traffic and protect the system as a whole from the Internet.

For example:

Public DMZ:
MTA/LDAP Replica/BIND Replica server(s)
Mailbox Server(s)

Private Network (No access from the Internet except by two-factor VPN or better):
LDAP Master/BIND Master/Logger Host/Admin Console server/SSH access.

If you are really paranoid you can put the public Mailbox Servers in their own firewall zone as well.

In either case, the firewall allows only that inter-server traffic as required required, as well as public Internet access to the DMZ servers. It may be more complex than beneficial; you'll need to do things like have different UNIX accounts on each system and provision something like fail2ban on at least the LDAP master server.

At some point, mitigating the extra risk adds enough complexity to create its own set of risks.

Hope that helps,
Mark