Koozali.org: home of the SME Server

Need solution suggestion smeserver outside world

ramasule
Need solution suggestion smeserver outside world
« on: February 07, 2009, 11:03:16 PM »
Ok here is the deal.

I have in front of me my main SME server, which is located behind another company's firewalls.
Originally they said it would be no problem to give me an outside-facing IP so I could use it for webhosting / mail / etc.
The IT guy was about to give me the IP/routing when the security guy said no because he was afraid of my box becoming a zombie or something.

Anyways, so now I have this big server which I needed to be able to access from outside their network.

So at home I set up another sme server which is working.

Using openvpn I can connect from work to the home server.

Is this what I want?  Or should I be putting the large server at my house and then have a small one at work to vpn to the large one?

I would like my webpage/ftp/files stored on the large server.

Right now this is how my network topology is:
[internet] ---- [home smeserver] ---- [openvpn] ------[company firewall/nat/nas/bullcrap] ---[work smeserver]---[wireless router]

Thanks for your time, I appreciate it,

Derek L

jester
Re: Need solution suggestion smeserver outside world
« Reply #1 on: February 08, 2009, 12:01:59 PM »
Can't they just forward the needed services/ports to your server?!

ramasule
Re: Need solution suggestion smeserver outside world
« Reply #2 on: February 08, 2009, 03:28:22 PM »
NOPE.

Like I said, the IT guy was ready to do it but the security guy doesn't know what he is doing.
They do this for other companies behind their firewall, but with a VPN box they set up.
When the security guy found out it was a "server" I wanted, he flipped out and said no.
So I find ways around it :P

I'd rather not go into more details because this has gone on for 5 months and I finally said screw it, I'm getting around your system.

cactus
Re: Need solution suggestion smeserver outside world
« Reply #3 on: February 08, 2009, 05:37:10 PM »
Quote from ramasule: "I'd rather not go into more details because this has gone on for 5 months and I finally said screw it, I'm getting around your system."
So much for control and security then... :-)
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

ramasule
Re: Need solution suggestion smeserver outside world
« Reply #4 on: February 08, 2009, 06:11:29 PM »
Exactly

uniqsys
Re: Need solution suggestion smeserver outside world
« Reply #5 on: February 09, 2009, 11:49:16 PM »
Quote from ramasule: "When the security guy found out it was a "server" I wanted, he flipped out and said no."

He must be only familiar with MS systems. I know the kind.  :wink:

If you have enough bandwidth, why not just put the large server on your home network and vpn in to do the work on it from the office.  That maintenance must be small, leaving most of your bandwidth for user access.

ramasule
Re: Need solution suggestion smeserver outside world
« Reply #6 on: February 11, 2009, 03:26:06 PM »
Yeah, that's what I was going to probably do.

The crappy thing is that I had my group set on using VMware and to load "programs" into their own OSes.
We have a lot of different hardware we talk to and they each need their own serial port settings, conflict with other programs, etc.
This would have also enabled us to keep master copies on the server and update them in only one place and have backups for when some of the people "wrecked" their install.
Problem is each of the images was 5 GB, so good luck serving those :/


arne
Re: Need solution suggestion smeserver outside world
« Reply #7 on: February 11, 2009, 08:15:41 PM »
I do something like that, even though I have the server(s) at home, and then I use my Windows laptop as client from anywhere.

The home server is not only one server but a number of virtual servers running as required under CentOS 64 / VMware.

I use a virtual Windows 2000 running Windows 2000 as "remote control unit" on the "virtual server farm" via logmein. The Windows 2000 desktop can be brought up from anywhere and allows all kinds of remote control.

Then I also use putty and winscp for logon to, and for file transfer to and from, virtual servers. For this I use tcp 443, which is usually open out on most networks. I also use some other alternate ports.

For remote logon to the virtual Asterisk server I use Zoiper using IAX2 via udp 53, which is also normally open in the outbound direction on most networks.

I also use putty for tunnelling to the "virtual network" as required.

With a few simple remote tools most things can be done as if one were there: logmein.com, putty and winscp, and eventually for IP telephony using Zoiper.

Except for some delay, almost anything can be done "as you were there" even though you were on the other side of the earth.

There should not be any big risk for the network you are doing the remote access from, and also no big risk for your home network that eventually has open tcp 443 and udp 53. Like the way I do it, I can also close all ports, and open them for one and one connection via logmein/Windows 2000/Smoothwall.

It might sound complicated, but it's not, and this arrangement has now run with zero errors for approx. one year.

I used a few hours to find out how to do these things, but it is quite easy, and quite stable, when it works. Could supply some more info if there is any interest.

ramasule
Re: Need solution suggestion smeserver outside world
« Reply #8 on: February 11, 2009, 09:52:59 PM »
Thanks, the issue of security is not mine to make. Hence why I have to sneak around and open a VPN to get our server serving. I have it all up and running right now; I'm just trying to make the SME box auto connect / log into the VPN at my house. So that should be done soon.
All that's holding me up is the new Dawn of War 2 beta on Steam :P

arne
Re: Need solution suggestion smeserver outside world
« Reply #9 on: February 12, 2009, 09:14:13 PM »
How does this work?

I understand that if you connect the office server to the home server via a VPN connection, the home server will be visible from the office server.

Will it also work the other way, so that the office server (behind a firewall or a NAT router) will be visible from the home server and the home LAN? (So that you can connect from the home server to the office server or from the home LAN to the office server.)

I have never tried or tested such an arrangement, and it could be interesting to know if it could work ..

ramasule
Re: Need solution suggestion smeserver outside world
« Reply #10 on: February 13, 2009, 05:55:35 AM »
My (work) is a large corporation that has one outside-facing IP. This IP serves lots of networks and thousands of computers.
I do not have access to the multiple levels of routers that lie between me and the final gateway.

So if I connect from work to my house, which has a definable IP, I do not need to forward ports, etc.

A good example is you have your home network, right, with a router or SME box. You can connect from a client computer to an FTP on the outside network, right? But what happens if an outside network tries to connect to you with your IP... they get your gateway box... Unless you have port forwarding, which I cannot have / access.

arne
Re: Need solution suggestion smeserver outside world
« Reply #11 on: February 13, 2009, 08:12:05 PM »
I know.

What I actually ask about is if you are also able to connect from the outside to the inside of the corporate firewall without any port forwarding.

Some commercial solutions with a "server in the middle" work more or less like this, like logmein.com (for remote control of PCs and file transfer).

I guess it should be possible to set up a "bidirectional vpn" the same way, so it will give access "from the outside and in", but I guess two "vpn connected" SME boxes will not work this way .. (Or will they?)

ramasule
Re: Need solution suggestion smeserver outside world
« Reply #12 on: February 16, 2009, 08:07:15 PM »
No, I cannot. No outside to inside access. This is why I want to go inside to out and establish a VPN tunnel.