#1, 11-03-2011, 09:51 AM, Starter Member (Posts: 2)
Best Setup Behind a Firewall?

We are currently setting up a new ZCS installation. (7.1.3) It will be located behind a firewall and I've found the articles about Split-DNS.

What I would like to do is set up two separate network interfaces on the server. The first interface would get an IP address on our internal private network. The other interface would be in our DMZ and would be NAT'd to a public IP address for external web access and mobile devices.

Is this possible? Would I be better off just placing the entire server in the DMZ or on the private network? We're moving from an older home-brewed system where one box in the DMZ handled web access and another box in the DMZ relayed external messages to and from the actual mail server that is on the private network. I'd like to move away from that and have everything on one box but still be secure.

Thanks

Shawn
#2, 11-03-2011, 11:39 AM, Special Member (Posts: 138)

Quote (Originally Posted by redd77):
What I would like to do is set up two separate network interfaces on the server. The first interface would get an IP address on our internal private network. The other interface would be in our DMZ and would be NAT'd to a public IP address for external web access and mobile devices.
Why would you use two interfaces? I have my (test) server setup on the internal network but the hardware firewall controls what communication is allowed from the outside...such as blocking administrative access to the server or IMAP/POP3 and just allowing the web interface to pass through over SSL.

LHammonds
__________________
Type su - zimbra -c "zmcontrol -v" to get your version and copy that into your profile (more info here)
#3, 11-03-2011, 12:14 PM, Starter Member (Posts: 2)

You know what? You're right. Our old mail system was overbuilt and I was over thinking the problem. Thanks!
#4, 11-06-2011, 08:47 AM, Moderator (Posts: 1,209)

Quote (Originally Posted by redd77):
We are currently setting up a new ZCS installation. (7.1.3) It will be located behind a firewall and I've found the articles about Split-DNS.

What I would like to do is set up two separate network interfaces on the server. The first interface would get an IP address on our internal private network. The other interface would be in our DMZ and would be NAT'd to a public IP address for external web access and mobile devices.

Is this possible? Would I be better off just placing the entire server in the DMZ or on the private network? We're moving from an older home-brewed system where one box in the DMZ handled web access and another box in the DMZ relayed external messages to and from the actual mail server that is on the private network. I'd like to move away from that and have everything on one box but still be secure.

Thanks

Shawn
I would not multi-home a Zimbra server because most Zimbra components answer on all interfaces, but you can place the individual Zimbra servers of a multi-server installation in different firewall zones, so as to better secure both inter-server traffic and protect the system as a whole from the Internet.

For example:

Public DMZ:
MTA/LDAP Replica/BIND Replica server(s)
Mailbox Server(s)

Private Network (No access from the Internet except by two-factor VPN or better):
LDAP Master/BIND Master/Logger Host/Admin Console server/SSH access.

If you are really paranoid you can put the public Mailbox Servers in their own firewall zone as well.

In either case, the firewall allows only that inter-server traffic as required, as well as public Internet access to the DMZ servers. It may be more complex than beneficial; you'll need to do things like have different UNIX accounts on each system and provision something like fail2ban on at least the LDAP master server.

At some point, mitigating the extra risk adds enough complexity to create its own set of risks.

Hope that helps,
Mark
__________________
L. Mark Stone, CIO
"Uptime. All the time."
477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678
proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
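The two firewall designs in this thread (LHammonds' single server with only HTTPS passed through, and Mark's split of a multi-server ZCS into a public DMZ and a private zone) can be written down as a default-deny allow-list and checked before anyone touches the real firewall. The script below is an added example, not code from the thread or from Zimbra. Host names (mta1, mailbox1, ldap-master, admin-jump), the zone membership and the exact set of inter-server flows are assumptions for illustration; the service ports used are the standard ones (SMTP 25, HTTPS 443, LDAP 389, syslog 514) plus Zimbra's LMTP port 7025 and admin console port 7071. Which flows a real deployment needs has to be confirmed against that deployment.

```python
"""Model of the firewall zoning sketched in this thread, as an added example.

Host names, zone membership and the list of required flows are assumptions
for illustration; verify them against the deployment before building rules.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

INTERNET, DMZ, PRIVATE = "internet", "dmz", "private"

# Zone membership, following post #4 (assumed host names).
HOST_ZONE: Dict[str, str] = {
    "mta1": DMZ,             # MTA + LDAP replica + BIND replica
    "mailbox1": DMZ,         # mailbox server
    "ldap-master": PRIVATE,  # LDAP master + BIND master + logger host
    "admin-jump": PRIVATE,   # where admins land after the two-factor VPN
}


@dataclass(frozen=True)
class Rule:
    src: str            # a host name, or a zone name matching every host in it
    dst: str            # a host name
    ports: FrozenSet[int]


# Default-deny allow-list: only the public and inter-server flows this
# (assumed) deployment needs. Anything not listed here is dropped.
RULES: List[Rule] = [
    Rule(INTERNET, "mailbox1", frozenset({443})),            # web client / mobile sync over SSL
    Rule(INTERNET, "mta1", frozenset({25})),                 # inbound SMTP
    Rule("mta1", "mailbox1", frozenset({7025})),             # LMTP delivery into the mailbox store
    Rule("mailbox1", "mta1", frozenset({25, 389})),          # outbound mail, LDAP lookups on the replica
    Rule("mta1", "ldap-master", frozenset({389})),           # replica syncs from the master
    Rule("mailbox1", "ldap-master", frozenset({389})),       # writes that must reach the master
    Rule(DMZ, "ldap-master", frozenset({514})),              # syslog to the logger host
    Rule("admin-jump", "mailbox1", frozenset({22, 7071})),   # SSH and admin console only from inside
    Rule("admin-jump", "mta1", frozenset({22})),
    Rule("admin-jump", "ldap-master", frozenset({22})),
]


def _src_matches(rule: Rule, src: str) -> bool:
    """A rule's src matches either the exact host or the zone the host lives in."""
    return rule.src == src or rule.src == HOST_ZONE.get(src)


def is_allowed(src: str, dst: str, port: int) -> bool:
    """src is a host name or the zone name 'internet'; dst is a host name."""
    return any(_src_matches(r, src) and r.dst == dst and port in r.ports for r in RULES)


def reachable_from(src: str) -> Set[Tuple[str, int]]:
    """Every (host, port) the source can reach: the surface it sees."""
    return {(r.dst, p) for r in RULES if _src_matches(r, src) for p in r.ports}


def audit(flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
    """Return the proposed flows the policy would drop (useful for change review)."""
    return [f for f in flows if not is_allowed(*f)]


if __name__ == "__main__":
    # The Internet should see nothing but HTTPS on the mailbox server and SMTP on the MTA;
    # admin console, IMAP/POP3 and the private LDAP master must not be reachable.
    print("exposed to the Internet:", sorted(reachable_from(INTERNET)))
    print("dropped:", audit([
        (INTERNET, "mailbox1", 443),
        (INTERNET, "mailbox1", 7071),
        (INTERNET, "mailbox1", 143),
        (INTERNET, "ldap-master", 389),
        ("mailbox1", "ldap-master", 22),
    ]))
```

reachable_from(INTERNET) is the check LHammonds describes: whatever it returns beyond the web interface on 443 (and SMTP on the MTA) is something the hardware firewall should be blocking. The DMZ-wide syslog rule shows why Mark notes the extra complexity: every zone-level rule widens what a compromised DMZ host can talk to, so the private zone only ever accepts the few ports the replicas, mailbox stores and admin jump host genuinely need.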