Koozali.org: home of the SME Server

Dumb Setup Question - Remote Administration

oldphart

Dumb Setup Question - Remote Administration
« on: December 20, 2006, 01:23:55 AM »
What is the correct address/subnet mask to use for Remote Administration ?


My homegrown router is set up like so:

eth0 (Internal LAN)
Addr: 192.168.1.1  Mask: 255.255.255.0

eth1 (My DMZ's NIC)
Addr: 10.0.0.1  Mask: 255.255.255.0

eth2 (My connection to the outside world)
Addr: xxx.xxx.xxx.xxx  Mask:255.255.252.0

I've set up the server on
Addr: 10.0.0.11  Mask: 255.255.255.0  GW: 10.0.0.1 (The DMZ's NIC)


Just happy hacking "https://your-sme-server-ip-address/server-manager" gets me nowhere.


So.....What is the correct address/subnet mask to use for Remote Administration ?

One of my Class C machines ?

Do I need to park a dedicated box in the DMZ ?

 :D

raem
Re: Dumb Setup Question - Remote Administration
« Reply #1 on: December 20, 2006, 01:16:59 PM »
oldphart

> "https://your-sme-server-ip-address/server-manager" gets me nowhere.

That will not work by default from remote locations, it will only work from the local network (LAN) or when using a VPN connection.

See Remote Access panel, under Remote Management you need to enter the (static) IP of your remote host.
...

oldphart

Dumb Setup Question - Remote Administration
« Reply #2 on: December 20, 2006, 03:10:50 PM »
Wow.  
Quick response......thanx a huge bunch !

>See Remote Access panel, under Remote Management you need to enter the (static) IP of your remote host.


Um...That's the point.  By default, I can't get to Remote Management & the Remote Access Panel.......

According to the (still in write & re-write) v7.0 Manual, I need to access the text-based browser - at the console - in order to set/allow Remote Access.

I can successfully fire up the text-based browser.  I can get to the correct menu area to set my prefs.....

......What address(es) do I enter here ?

I suppose I could enter one of my Class C addresses here, but the whole point is:  Is this correct ?   If not, what would be correct ?

Thanx again.
- Charlie

mercyh
Dumb Setup Question - Remote Administration
« Reply #3 on: December 20, 2006, 03:44:04 PM »
What do you mean by remote administration?

If you mean another computer on the same subnet as the SME, you should be able to hit the server manager panels by entering http://your-server-ip/server-manager.

If you mean a computer that is connected to the internet outside of your SME subnet you will need to enter the static INTERNET IP address of the machine from which you are trying to access the server manager in the page mentioned below.

(this allows that IP address and that IP address only to connect from the WWW through SME's firewall to the server manager pages)

oldphart

Dumb Setup Question - Remote Administration
« Reply #4 on: December 20, 2006, 03:59:10 PM »
I think I've got it.........PLEASE - - SOMEBODY CHECK ME TO MAKE SURE.


1. I access the text-based browser - at the console - in order to set/allow Remote Access.

2. I set a static IP of 192.168.1.xxx/255.255.255.255 as the only IP address that's allowed Remote Administration.
.....This is a workstation on my local (inside) LAN.

3. Save changes & re-boot as necessary.


Because this box is sitting in its own little DMZ......
AND it's set as "Server Only"
...It's not running Server and gateway mode.
...It's not running Private server and gateway mode

bpivk
Dumb Setup Question - Remote Administration
« Reply #5 on: December 20, 2006, 10:01:13 PM »
You don't have to set access permissions for LAN. You only have to enter an IP for remote administration if you're accessing your server from another computer (on the internet, not LAN).
"It should just work" if it doesn't report it. Thanks!

oldphart

Dumb Setup Question - Remote Administration
« Reply #6 on: December 20, 2006, 11:41:26 PM »
I guess we're saying the same thing, then.


1. My SME Server is sitting in a DMZ
2. My workstation that I desire to Administer it from is on a different LAN.


I suppose somebody who has editing privileges for the User's Manual
should expand a bit upon this.....something like:


When Installing - If you need to administer the box from a machine that's not on the same LAN segment as the Server is sitting on, you'll need to:

a. Log in directly to the box
b. Fire up the text-based web browser
c. Enter appropriate IP Address & Subnet of the machine you want to Administer FROM.
d. Save Changes
e. Reboot the Server
f.  Enter "https://your-sme-server-ip-address/server-manager" from your Workstation identified in step C above.
g. Proceed to Administer/configure to your heart's content
h. Don't forget to go to Remote Access panel, under Remote Management, and verify the information that's there.

pfloor
Dumb Setup Question - Remote Administration
« Reply #7 on: December 21, 2006, 02:06:24 AM »
SME is not really designed to be set up the way you have it.  It is designed to be used in place of your "home grown" router as SME is a router/firewall itself.

Putting the server in "Server-Only" mode in a DMZ in most cases is NOT SECURE.  Server-Only is designed to run behind a closed firewall.  If you insist on configuring your lan the way you have it, you need to install a second NIC and put the server in S/G mode and only connect the external NIC to the DMZ.  It will be secure that way.

The easiest (and best) way is to remove your firewall and install SME in S/G mode and put your LAN behind the SME server.

P.S. If every possible LAN setup scenario was put into the manual it would be unmanageable.
In life, you must either "Push, Pull or Get out of the way!"

oldphart

Dumb Setup Question - Remote Administration
« Reply #8 on: December 21, 2006, 04:06:20 PM »
> Putting the server in "Server-Only" mode in a DMZ in most cases is NOT SECURE. Server-Only is designed to run behind a closed firewall.

> If you insist on configuring your lan the way you have it, you need to install a second NIC and put the server in S/G mode and only connect the external NIC to the DMZ. It will be secure that way.

You're gonna have to explain this one to me - small words, Please <G>


According to TFM (Chapter Two):
"If you prefer, you can also run your SME Server in “server-only” mode. In “server-only” mode, your server provides your network with services, but not the routing and security functions associated with the role of “gateway”. The server-only mode is typically used for networks already behind a firewall. In that configuration, the firewall fulfills the role of gateway, providing routing and network security."


Reminder.....I have three NICs in place
1 of 'em is external facing
1 of 'em is internal facing
1 of 'em is DMZ - - - physically (and logically) separated from anything else - - this is where I parked the server

mercyh
Dumb Setup Question - Remote Administration
« Reply #9 on: December 21, 2006, 04:49:44 PM »
I am not sure I am fully following your architecture. Is it as follows?

WEB>>>>Router (Eth2)
                    v
                Router (Eth1 DMZ)>>SME server (IP 10.0.0.11)
                    v
                Router (Eth0 LAN)>>>>>LAN connection (192.168.1.X subnet)

If this is what you are doing I think what pfloor is trying to say is this.

The SME is directly connected to the internet. SME is open to hacking in this scenario if it is run in server only mode with one nic. The server basically sees all traffic on the single nic in server only mode as trusted. I suppose you have a very good reason for setting things up this way but I would agree with pfloor that in this situation for simplicity and security I would set it up as follows.

WEB>>>>>SME>>>>>>LAN
                (server-gateway)

or

WEB>>>>>Router
                   (Eth0)    
                      v
                      v>>>SME in server only mode (IP 192.168.1.XXX) with
                      v       ports forwarded from the router
                      v
                      v
                      v
                    LAN (IPs 192.168.1.XXX)

Or

add another nic to the SME, run in server-gateway mode and connect the router DMZ nic with the WAN nic on the SME. (this nic is the untrusted port on SME)

oldphart

Dumb Setup Question - Remote Administration
« Reply #10 on: December 21, 2006, 05:17:53 PM »
Close
WEB>>>>Router (Eth2)
                    v
                Router (Eth1 DMZ 10.0.0.1)>>SME server (IP 10.0.0.11) - - Note added IP of my DMZ NIC
                    v
                Router (Eth0 LAN)>>>>>LAN connection (192.168.1.X subnet)

I suppose you could say the SME is directly connected to the internet.
You'd be wrong, but I can see where you'd think so.

Again, from TFM, in my configuration, the firewall fulfills the role of gateway, providing routing and network security.



As an experiment, somebody (else) try this:

1. Find a spare box
2. Connect it to the DMZ
3. Give it a DMZ IP Address (they ARE separate, yes ?)
4. Perform a base install of SME Server - in Server Only Mode, please
5. Launch a browser (Mozilla, Internet Exploder, etc.) from your workstation - - the workstation is "inside" of course

6. Browse to "https://your-sme-server-ip-address/server-manager"

By default, YOU...WON'T...GET...THERE

mercyh
Dumb Setup Question - Remote Administration
« Reply #11 on: December 21, 2006, 05:33:13 PM »
I have not used a router that has a DMZ port. I have used DMZ at times for testing, but the way all the routers I have used work, you set a single internal IP address in the DMZ. This forwards all ports to that IP and that IP essentially becomes the external IP of the router. This makes that machine directly connected to the internet as far as a hacker is concerned. If you can add the IP address of the 192.168.1.x machine for remote access in the server-manager and connect by typing the server IP in a browser, your router is obviously NATing between the LAN interface and the DMZ; however, SME is seeing this come in as not from the local network and therefore will not allow it to connect.

> By default, YOU...WON'T...GET...THERE


I should hope not. If you could I would be able to connect to your server manager panel from the internet. All I have to know is the WAN address of your router which is simple to get if you are hosting web pages.
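To make the allow/deny behaviour discussed in replies #4, #10 and #11 concrete, here is an added Python model (written for this page, not SME Server's own code; the thread does not show the server's firewall implementation) of how a client reaching server-manager is judged: traffic from the SME's own subnet passes, anything else must match an address/netmask entry from the Remote Management panel. The client addresses and the assumption that the panel's mask is applied as a plain network match are constructed for the example.

```python
# Added example, not SME Server's own code.  Assumption: traffic from the
# SME's own subnet counts as "local network"; anything else must match an
# address/netmask entry from the Remote Management panel.
import ipaddress

# The SME's single NIC sits in the DMZ (10.0.0.11/255.255.255.0 in the thread).
SME_LOCAL_NETWORK = ipaddress.ip_network("10.0.0.0/255.255.255.0")


def remote_entry(address, netmask):
    """Turn an 'IP address + subnet mask' pair, as typed into the Remote
    Management panel, into a network.  255.255.255.255 admits one host;
    255.255.255.0 admits the whole /24 (strict=False masks off host bits)."""
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False)


def server_manager_access(client_ip, local_network, remote_entries):
    """Return (allowed, reason) for a client trying to reach
    https://<sme>/server-manager."""
    ip = ipaddress.ip_address(client_ip)
    if ip in local_network:
        return True, f"local network {local_network.with_netmask}"
    for net in remote_entries:
        if ip in net:
            return True, f"remote management entry {net.with_netmask}"
    return False, "not local and no remote management entry matches"


def thread_scenarios():
    """Replay the situations from the thread; all client IPs are constructed."""
    lan_workstation = "192.168.1.50"  # a host on the 192.168.1.x inside LAN
    dmz_neighbour = "10.0.0.20"       # a box jacked into the DMZ segment
    internet_host = "203.0.113.7"     # some random Internet address

    no_entries = []
    one_host = [remote_entry("192.168.1.50", "255.255.255.255")]
    whole_lan = [remote_entry("192.168.1.50", "255.255.255.0")]

    return {
        # Reply #10: by default the inside workstation is refused, because its
        # source address is not on the SME's own 10.0.0.0/24.
        "lan_default": server_manager_access(lan_workstation, SME_LOCAL_NETWORK, no_entries),
        # Reply #4: a host-mask entry for that workstation is the narrowest fix.
        "lan_host_entry": server_manager_access(lan_workstation, SME_LOCAL_NETWORK, one_host),
        # A /24 entry opens server-manager to every address on that LAN.
        "lan_subnet_entry": server_manager_access(lan_workstation, SME_LOCAL_NETWORK, whole_lan),
        # Reply #12 option B: a workstation on the DMZ segment counts as local.
        "dmz_neighbour": server_manager_access(dmz_neighbour, SME_LOCAL_NETWORK, no_entries),
        # An Internet host does not match the host-mask LAN entry.
        "internet_host": server_manager_access(internet_host, SME_LOCAL_NETWORK, one_host),
    }


if __name__ == "__main__":
    for name, (ok, why) in thread_scenarios().items():
        print(f"{name:18} {'ALLOW' if ok else 'DENY':5} {why}")
```

The host-mask entry is the least exposure: the /24 variant admits every address on that LAN, which is the trade-off the panel's subnet field asks you to make.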

oldphart

Dumb Setup Question - Remote Administration
« Reply #12 on: December 21, 2006, 05:44:29 PM »
Okay.
I see three basic scenarios here - with one constant.

The constant being: I WILL NOT remove my Firewall/Router

A. Put the box in S/G Mode and attempt to negotiate two gateways.  (this outta be fun)
B. Periodically reconfigure & jack a workstation (Laptop?) in the DMZ - for the sole purpose of administering the server.
C. Park the server on the "inside" - - which defeats the purpose of having a DMZ.

Thanx for your help, guys !

bpivk
Dumb Setup Question - Remote Administration
« Reply #13 on: December 21, 2006, 06:04:22 PM »
One more...

4. Use your server in server and gateway and connect your firewall/router to it.

This is the way i use it (for wlan connection).  :)

mercyh
Dumb Setup Question - Remote Administration
« Reply #14 on: December 21, 2006, 06:05:05 PM »
Here is what I do.

Park a server on the inside and only forward the ports that I need to that server's IP address.

pfloor
Dumb Setup Question - Remote Administration
« Reply #15 on: December 21, 2006, 06:27:29 PM »
> Okay.
> I see three basic scenarios here - with one constant.
>
> The constant being: I WILL NOT remove my Firewall/Router

I used to think this way myself...You too will come around some day.

> A. Put the box in S/G Mode and attempt to negotiate two gateways. (this outta be fun)

You don't need to negotiate 2 gateways.  Just don't hook anything to the internal interface.  You need the server in S/G mode because it is not safe in S/O mode behind a DMZ.  You have to have 2 NICs installed to get the server in S/G mode.

Maybe you don't understand what a DMZ is.  It stands for De-Militarized Zone.  The DMZ is NOT firewalled and it may allow traffic to the SME box that it can't properly handle if it is in S/O mode.  Putting a computer on the DMZ is just like hooking it directly to the internet and we all know how well that works.

> B. Periodically reconfigure & jack a workstation (Laptop?) in the DMZ - for the sole purpose of administering the server.

This would be a waste of time.  The workstation in the DMZ would become infected within minutes of being hooked up.  Again, there is no firewall there.

After you put SME in S/G mode, hook a workstation to the internal interface and administer the server from there.  This would protect the workstation.

> C. Park the server on the "inside" - - which defeats the purpose of having a DMZ.

Like I said earlier, you will see the benefit of just hooking the server directly to the web.  It will replace your router and make life much easier.  You don't need the router or the DMZ, SME will do all of it for you.

Whatever you do just remember one thing.  SME in S/O mode is not properly protected and needs to be behind a proper firewall.  A DMZ is not a proper firewall.

bpivk
Dumb Setup Question - Remote Administration
« Reply #16 on: December 21, 2006, 06:56:49 PM »
I agree with pfloor.

I use it like that:

Modem ====> Server =====> Hub (for LAN network)
                                 |
                                 |
                                   =====> (Router for Wlan)

psoren
Dumb Setup Question - Remote Administration
« Reply #17 on: December 21, 2006, 08:01:27 PM »
Quote from: "oldphart"
> - - which defeats the purpose of having a DMZ.


The purpose of a DMZ is not having a server with Samba file sharing and stuff like that, but a server running just a mail server or web server and NO other unnecessary services which could be used to break in with.

The SME server is a very good and secure router/firewall option. But in server mode it is like an open book. So you need another good router/firewall before it.

Many people run their server this way:

Internet-----router/firewall------SME server in server/gateway mode-----LAN.

I believe that is a good and safe way to do it. Double firewall (If the router is a good one).

Per

bpivk
Dumb Setup Question - Remote Administration
« Reply #18 on: December 21, 2006, 08:08:36 PM »
Quote from: "psoren"
> Double firewall (If the router is a good one).


And if your router gives a s**t when you set him to do something. :)

My (Belkin wlan) router was set to forward port 80 to my SME box and he didn't do it. When you typed your IP he would open his setup panel (even after I checked the option to disable this panel for WAN).

So some of us are forced to use double firewall because of dumb routers.  :D

psoren
Dumb Setup Question - Remote Administration
« Reply #19 on: December 21, 2006, 11:36:52 PM »
Quote from: "bpivk"
> Quote from: "psoren"
> > Double firewall (If the router is a good one).
>
> And if your router gives a s**t when you set him to do something. :)
>
> My (Belkin wlan) router was set to forward port 80 to my SME box and he didn't do it. When you typed your IP he would open his setup panel (even after I checked the option to disable this panel for WAN).
>
> So some of us are forced to use double firewall because of dumb routers.  :D


Hmm.. Can you not tell your router to use a different port than 80 for the setup page? Maybe that would do the trick.

per

bpivk
Dumb Setup Question - Remote Administration
« Reply #20 on: December 21, 2006, 11:57:42 PM »
I can't. I have an option to disable it but it doesn't matter if it's off or on. It works in both cases. :D

But I have resolved my issue. I don't use Belkin products and I use this router for wlan access point only. SME helped me with that  :)

mercyh
Dumb Setup Question - Remote Administration
« Reply #21 on: December 27, 2006, 06:02:13 PM »
oldphart,

Is there some reason this wouldn't work??

WEB>>>>Router (Eth2)
                    v
                Router (Eth1 DMZ 10.0.0.1)>>SME server ( WAN IP 10.0.0.11)--LAN IP (192.168.1.XX)
                    v                                                                    v
                Router (Eth0 LAN)>>>>>>>>>>>>>>LAN connection (192.168.1.X subnet)

connect as above with SME in server-gateway mode (two nics). Assign an IP to the LAN nic of 192.168.1.x and connect to your internal LAN. You can then do administration from any machine on the LAN. You would need to be sure that DHCP server was turned off for the inside as that function is already taken care of by your current setup.

This creates two gateways to your network but I don't really think that is a problem as you would not have SME set as the gateway on your clients.

bpivk
Dumb Setup Question - Remote Administration
« Reply #22 on: December 27, 2006, 08:14:35 PM »
This could be a problem if both gateways assign IPs from the same pool.

I had this problem when I forgot to switch off the DHCP function of my router when I connected my SME to it.

mercyh
Dumb Setup Question - Remote Administration
« Reply #23 on: December 27, 2006, 08:16:49 PM »
> You would need to be sure that DHCP server was turned off for the inside as that function is already taken care of by your current setup.


The DHCP server MUST be turned off for the LAN on the SME server.

meanpenguin
Dumb Setup Question - Remote Administration
« Reply #24 on: December 27, 2006, 08:29:01 PM »
oldphart,

Maybe it would help if you
  1.  explain why you want the SME in a DMZ
  2.  along with a description of other servers / functions
  3.  what router you are using - one with the DMZ port

and the community can give you a better architecture.
The way we are progressing here doesn't make sense.
I have NOT found too many cases where you would really need a server in the DMZ.

ed

oldphart

Dumb Setup Question - Remote Administration
« Reply #25 on: December 28, 2006, 12:51:40 AM »
Found the solution.....A different firewall/router product.

The new/current (working just fine) architecture:

eth0 (Internal LAN)
Addr: 192.168.1.1 Mask: 255.255.255.0

eth1 (My DMZ's NIC)
Addr: 10.0.0.1 Mask: 255.255.255.0

eth2 (My connection to the outside world)
Addr: xxx.xxx.xxx.xxx Mask:255.255.252.0


Or, if you prefer a (shamelessly plagiarized) graphic


WEB--->Router (Eth2)
          v
Router (Eth1 DMZ)--->SME server (IP 10.0.0.11)
          v
Router (Eth0 LAN)--->LAN connection (192.168.1.X subnet)


I've set up the server on
Addr: 10.0.0.11 Mask: 255.255.255.0 GW: 10.0.0.1 (The DMZ's NIC)


The issue(s):
1. (Almost) Everybody who responded loudly protested that my DMZ is exposed, and that the SME Server should be in Server/Gateway Mode.

2. Cable Internet Service provider blocking inbound ports 80 & 25.
(not blocking outbound 25 for some weird reason)

3. I've always been taught that Good Network Design(tm) means that
you place boxes that are (even minimally) public-facing behind the public IP and into a DMZ.  I see no reason to violate that.

 
The requirements:
Just a private mail server......w/moderately easy configuration.
No added bells/whistles needed, thanks.



The firewall/router solution:
Smoothwall (smoothwall.org)

I've run every penetration and open relay test I can find over the past three days.

No Open Relay (didn't really expect it, but.....)

No penetration.  
NOTHING that is un-invited gets past the outside NIC.

SUCCESS !