Topic: SME Server Behind Router w/ Assigned Static IP

[Hodge]

Hey all.  I've been fooling around with sme server for the past week and reading through the forums in order to prepare for helping my friend set up a file server for his small 3-man business.  I'm not a total newbie re: networking but my skills are still fairly basic.  I've looked through the forums but haven't found anything with this particular setup. 

His ISP has assigned a block of 8 static IPs to be used for his workstations and VOIP phones and I'd like to give sme one of those IPs behind the router so it can be remotely accessed by vpn and ssh.  It will strictly be a file server.  Email, webserver and gateway functions are not required.

What is the best way to set this up?  My instinct is server-only since I don't need gateway or routing functions, but if its IP is exposed maybe the server-gateway setup be more appropriate?

Unfortunately, I won't know the network specifics and topology until I get to his office this saturday.  Hopefully, you can be me some tips and ideas on how to approach this without knowing too much about his specific setup.

thanks,
Hodge

[purvis]

Hodge, You better pack your lunch for a couple of days from what I am seeing.
There are plenty of setups on this forum. I am not sure there is a one best way.
It depends on what they are doing.
With today's computers not being expensive and may be more expensive to keep running.
I would think of having two computers. Basically only because if they want a mail server and maybe having the mail server do some virtual machines for accessing the internet.
We do not let our workstations go to very many places on the internet that is not already approved. They are locked down.
We, I, am scared of viruses. I am here to stay, if i was not, well then who cares much.
We have databases worth millions. That is not to take lightly. When computers are down. You are down.

We have our lans double natted(two routers one behind the other).  The main file server is behind the second router along with workstations.
We have computers for accessing the internet behind the first router. The second router is hooked up behind the first router. DMZ from the first router is pointing to the second router.
If you forward ports on the first router, then they will to any machine hooked behind the first router.
On the second router, you can forward only those ports to what machines you want. The firewall on the second router will provide protection to the workstations and the file server.
If you do not want to have computers setup behind the first router(between the first router and the second). You can even set up those virtual machines I was telling you about.
You can use SME with Virtual software or you can use PROXMOX and put your mail server(being sme) into a virtual machine and a couple of other operating systems on the first computer immediately behind the first router. Your backups for the first sme operating system should be light. You can access the first sme operating system  between the routers.

You can use remote control software to access any computers or virtual computers from behind the second router.
You can setup the remote computers where you cannot transfer the files to the second sme server behind the second router.
IF you do not allow mail accessed by the workstations to the second server. You should be ok.
We do all this because i do not want to worry much about viruses on any workstation or server.

Have a good time during the St PATS weekend fellow.

[steve288]

The above message may be helpful but also here is a simple aproach.

Set up the SME in server mode via the normal install process.
Give it an internal ip address eg 192.168.1.10
Stick it in a warm spot behind the protecting outside router
Open the user interface in a local browser.
\\192.168.1.10\server-manager
go to users and add some employees

Now have your employees go to  \\192.168.1.10 in FILE MANAGER
Each employee will be prompted for a password. After this they will be taken to the place where there files are and a general place called primary where people can share files.

As far as accessing from outside. The filer does not need an outside IP address, and indeed should not have one in server mode, as some protections are not activated. However you can portforward the vpn port (or any port) from your outside router to the SME server. I suggest using vpn port 1773. Then you can access it with the .10 ip from anywhere in the world.
But do the first part to get comfortable with the server. I'm sure the wiki and newsgroups can move you further along when you need it.

Easy Peasy
Regards 

[CharlieBrady]

His ISP has assigned a block of 8 static IPs to be used for his workstations and VOIP phones ...

I'd seriously question the necessity and wisdom of connecting the workstations directly to the Internet. IMO SME server should be used in server-gateway mode with workstations behind it on a private LAN.

[Hodge]

Thanks for the replies, folks.  I got a bit more info from my friend.  His workstations are behind a Cisco 877 router and Sonicwall TZ100.  Configuration of these devices is looking a bit complicated so I think I have some homework to do.  I've found out that the static IPs have been assigned to his VOIP phones and not the workstations.

The main priority is to get it running on the local network.  As I stated, this will only be a file and print server.  Email and web servers aren't required (at least not for the near future).  VPN access can wait until I get more comfortable with the cisco and sonicwall.  At least I was able to confirm that they both can pass through protocol 47, so I can stick with the default PPTP install.

So, for the time being, it will be server-only behind the firewall.  I'm confident I can get that up and running.

Thanks again.  If anybody knows any good learning resources for Cisco and Sonicwall devices, I'd certainly appreciate a few links.

Hodge

[Boris]

That sounds like more reasonable setup with workstations and the server behind the firewall on the private IPs.
Server-only mode is appropriate choice for this. In addition, later on, if external access to the server required, port forward SSH, VPN and other services you going to provide by this SME server on your firewall to the internal SME server address.