Thread: Best Setup Behind a Firewall?

  1. #1
    redd77, Starter Member (joined Nov 2011, 2 posts)

    Best Setup Behind a Firewall?

    We are currently setting up a new ZCS installation (7.1.3). It will be located behind a firewall and I've found the articles about Split-DNS.

    What I would like to do is set up two separate network interfaces on the server. The first interface would get an IP address on our internal private network. The other interface would be in our DMZ and would be NAT'd to a public IP address for external web access and mobile devices.

    Is this possible? Would I be better off just placing the entire server in the DMZ or on the private network? We're moving from an older home-brewed system where one box in the DMZ handled web access and another box in the DMZ relayed external messages to and from the actual mail server that is on the private network. I'd like to move away from that and have everything on one box but still be secure.

    Thanks

    Shawn

  2. #2
    LHammonds, Special Member (joined Sep 2011, Texas, 150 posts)

    Quote Originally Posted by redd77:
    What I would like to do is set up two separate network interfaces on the server. The first interface would get an IP address on our internal private network. The other interface would be in our DMZ and would be NAT'd to a public IP address for external web access and mobile devices.

    Why would you use two interfaces? I have my (test) server set up on the internal network, but the hardware firewall controls what communication is allowed from the outside, such as blocking administrative access to the server or IMAP/POP3 and just allowing the web interface to pass through over SSL.

    LHammonds
    Type su - zimbra -c "zmcontrol -v" to get your version and copy that into your profile.

  3. #3
    redd77, Starter Member (joined Nov 2011, 2 posts)

    You know what? You're right. Our old mail system was overbuilt and I was over thinking the problem. Thanks!

  4. #4
    LMStone, Moderator (joined Sep 2006, 477 Congress Street | Portland, ME 04101, 1,374 posts)

    Quote Originally Posted by redd77:
    We are currently setting up a new ZCS installation (7.1.3). It will be located behind a firewall and I've found the articles about Split-DNS.

    What I would like to do is set up two separate network interfaces on the server. The first interface would get an IP address on our internal private network. The other interface would be in our DMZ and would be NAT'd to a public IP address for external web access and mobile devices.

    Is this possible? Would I be better off just placing the entire server in the DMZ or on the private network? We're moving from an older home-brewed system where one box in the DMZ handled web access and another box in the DMZ relayed external messages to and from the actual mail server that is on the private network. I'd like to move away from that and have everything on one box but still be secure.

    Thanks

    Shawn

    I would not multi-home a Zimbra server because most Zimbra components answer on all interfaces, but you can place the individual Zimbra servers of a multi-server installation in different firewall zones, so as to better secure both inter-server traffic and protect the system as a whole from the Internet.

    For example:

    Public DMZ:
    MTA/LDAP Replica/BIND Replica server(s)
    Mailbox Server(s)

    Private Network (No access from the Internet except by two-factor VPN or better):
    LDAP Master/BIND Master/Logger Host/Admin Console server/SSH access.

    If you are really paranoid you can put the public Mailbox Servers in their own firewall zone as well.

    In either case, the firewall allows only the inter-server traffic that is required, as well as public Internet access to the DMZ servers. It may be more complex than beneficial; you'll need to do things like have different UNIX accounts on each system and provision something like fail2ban on at least the LDAP master server.

    At some point, mitigating the extra risk adds enough complexity to create its own set of risks.

    Hope that helps,
    Mark
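An added example (not from the thread or from Zimbra) that models the default-deny zone policy described in posts #2 and #4: public web/SMTP reaches the DMZ, only required inter-server ports cross from DMZ to the private zone, and admin/SSH reaches DMZ hosts only from inside. Host names, zone membership and the port list are constructed assumptions (7071 is the ZCS admin console; 389/636 LDAP; 514 syslog to the logger host).

```python
"""Zone policy checker: default deny, explicit allows between firewall zones.

Constructed example. Hosts, zones and ports are assumptions for illustration,
not a real ZCS deployment.
"""
from dataclasses import dataclass

# Placement as laid out in post #4: public-facing roles in the DMZ,
# master/admin roles on the private network. Unknown hosts are "internet".
ZONES = {
    "internet": set(),
    "dmz": {"mta1", "mbox1"},
    "private": {"ldap-master", "logger", "admin-ws"},
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    ports: frozenset  # TCP ports permitted in this direction only


# Only the traffic the roles need; everything else (admin UI, IMAP/POP3,
# SSH from the Internet, any Internet -> private flow) is dropped.
ALLOW = [
    Rule("internet", "dmz", frozenset({25, 443})),       # mail in, web UI over SSL
    Rule("dmz", "private", frozenset({389, 636, 514})),  # LDAP replication, syslog
    Rule("private", "dmz", frozenset({22, 7071})),       # SSH and admin console
]


def zone_of(host: str) -> str:
    """Map a host to its zone; anything not placed is treated as untrusted."""
    for zone, members in ZONES.items():
        if host in members:
            return zone
    return "internet"


def is_allowed(src_host: str, dst_host: str, port: int) -> bool:
    """Default deny: a flow passes only if a rule matches its zone pair and port."""
    src, dst = zone_of(src_host), zone_of(dst_host)
    if src == dst:
        return True  # intra-zone traffic is not filtered by the perimeter firewall
    return any(r.src_zone == src and r.dst_zone == dst and port in r.ports for r in ALLOW)


def audit(flows):
    """Return the (src, dst, port) flows the policy would drop, for review."""
    return [f for f in flows if not is_allowed(*f)]
```

Running audit() over a list of flows observed in the firewall log shows which ones the zoning would have blocked, which is a quick way to check that a planned policy does not break LDAP replication or logging before it is enforced.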
