Topic: Cant access my SME9 outside of my local network

[Orest]

Hello,

I used vmware workstation 10 on my HP pavilion dv6 6150sl to install SME 9 and every thing was OK, I installed configured and connected to internet, now I can access my virtual server remotely from my local network.
Virtual machine parameters are:

HDD: Raid 1 20G
CPU: 2 processors, 2 cores for each
Network adapter: bridge
RAM: 2G

I chose to use server-only mode and my SME is behind the the ISP firewall. I tried to port forward inside of my local router but no luck I still can not access server remotely.

It will be great if somebody can point me to the right direction.

Thanks in advance,
Orest

[Stefano]

this is not an SME's issue.. you need to work on your laptop's firewall and on vmware lan setup

[Stefano]

my 2c: your choice to run SME as a virtual machine in a laptop for 10 clients is not a good one

[guest22]

my 2c: your choice to run SME as a virtual machine in a laptop for 10 clients is not a good one

Neither is raid=1

@Orest, for best practices see: http://wiki.contribs.org/Virtual_SME_Server

[Stefano]

doh! you're right.. raid on virtual disks (on a laptop...) is a non sense

[CharlieBrady]

Neither is raid=1

I don't think there is any problem with running raid=1 on a virtual instance. I don't think there is any real benefit, but there is no problem either.

[guest22]

I don't think there is any problem with running raid=1 on a virtual instance. I don't think there is any real benefit, but there is no problem either.

From a technical point of view that may be true, but from a policy/vision point of view it may be different.

e.g. "Keep it simple, if it's not required don't us it."

[Stefano]

I would add that two big files (virtual disks)  on a laptop's hd will create a big bottleneck in I/O

[CharlieBrady]

I would add that two big files (virtual disks)  on a laptop's hd will create a big bottleneck in I/O

Sure, but I was only talking about RAID=1 with a single (virtual) hd. IOW, a  default SME install. Adding 'raid=none' at install time is pointless.

[Orest]

Hello,

Thank you all for replays,

First of all I reinstalled the SME server without RAID configuration and this time I used virtual box.

I took static IP from my ISP, I opened ports 22, 21, 80 and 443 inside my router and forwarded them to my server IP address, Now I can access my virtual server through ssh from outside of my LAN.
Also I can see my starter website when I search http://my-ip/ from everywhere.

The problem is that I can not open server-manager, through https://my-static-IP/server-manager.

What am I doing wrong?

Any replay is appreciated,

With Respect,
Orest
 

[guest22]

console -> remote access -> allow 0.0.0.0/0.0.0.0 server manager access or specific IP/mask

[guest22]

ps. good to see you try out stuff, but you really should read up to the administration manual.

although your server is in server only mode, you might want to consider server/gateway mode. Your external firewall would be fine, but your server is very itchy re security. Which is a good thing.

Most of the 'violations' and security issues come from inside the LAN...

[Orest]

Hi,

Thanks for the quick replay, I have read the manual many times because I have SME Server as degree project, but I totally forgot about the the IP restriction...

Until I finish my project I must keep this configuration, after that  I will be totally dedicated to SME and I definitely will try server&gateway mode, since I am planing to by a modest server-machine for my home network .

Thank you again,
Orest

[guest22]

Thanks for the quick replay, I have read the manual many times because I have SME Server as degree project...

We would be most interested in your challenging project and the results of your(s) project. Please let us know by putting it on a wiki page, or send us a PDF.

Good luck.

guest

[CharlieBrady]

console -> remote access -> allow 0.0.0.0/0.0.0.0 server manager access or specific IP/mask

That would be an unwise thing to do.

[guest22]

That would be an unwise thing to do.

0.0.0.0/0.0.0.0 would indeed be unwise for it would open up server manager access to the whole world. Hence the hint to read the admin manual, whilst get things going for now.

Any other reasons why it would be unwise to assign a specific IP/Mask, for it is a dedicated default feature?

[Orest]

@HF Nah it is not that challenging, and it is made in Albania language. Moslty it is based on sme server administration manual... but later maybe I can use it and some other work to make SME available in Albanian language.

@Charlie I know, I am just entering one specific IP not all 0.0.0.0/0.0.0.0.

Thank you both,

[CharlieBrady]

@Charlie I know, I am just entering one specific IP not all 0.0.0.0/0.0.0.0.

That's a much better idea.

[Orest]

Hello,

Where is the configuration file to modify the allowed networks for remote access through command line (ssh)?

[guest22]

ssh allowed networks is all or none

config show sshd

Or you can use this http://wiki.contribs.org/SSH_Public-Private_Keys

[Orest]

Maybe I was not clear RequestedDeletion. I want know if I can modify the remote management networks with putty(ssh) so I can allow a specific IP, and than I can access https://my-static-IP/server-manager/ with this IP.

Thanks

[Orest]

In other words I want to allow my work network to access web-based server manager but I can not since the IP is not allowed, but I can access my server with ssh.
 

[guest22]

If can ssh in, you can enter the 'console' command and select access server manager text based.

[Orest]

Thanks man ... Also I appreciate If you tell me the configuration file location for this part.
It is possible to allow the a specif IP without using the "console" command, right?

Respect,

[Orest]

I know it is pointless, but I am at learning phase 

[guest22]

config show httpd-admin

will show you all the options for server manager

server manager is a apache vhost and the config options for that are build by a signal-event based on templates and db variables. Direct changes httpd.conf will _not_ survive signal-events or updates.

[guest22]

config setprop httpd-admin ValidFrom 192.168.1.1/255.255.255.0,10.1.1.1/255.255.255.0

would grant access to server manager from 192.168.1.1 AND 10.1.1.1

then:
expand-template /etc/httpd/conf/httpd.conf
signal-event remoteaccess-update
service httpd-admin restart

Should do it

[Orest]

Ok I see,
I really appreciate the time you spent for me H.F, its clear I must go deeper with SME if I want some real understandings about this server.

I am going to make this post as [SOLVED]

See ya in my next post.

Thank you all,
Regards

[Orest]

Can I make my post [SOLVED]?

[guest22]

Yes, you can. Modify your very first post and change the title.

[Orest]

I have only quote, for my first post, maybe because it is posted with a different IP?

There is no modify, for the first post.

[janet]

Orest

There is no modify, for the first post.

You can modify a post within 7 days, after that it's fixed.

Also re server manager GUI access, you can securely create a ssh tunnel via port 443 (google it)
& then access server manager via
https://localhost/server-manager/
No need to open server manager remote access for a fixed IP address, so more secure with a ssh tunnel

[guest22]

Also re server manager GUI access, you can securely create a ssh tunnel via port 443 (google it)
& then access server manager via
https://localhost/server-manager/
No need to open server manager remote access for a fixed IP address, so more secure with a ssh tunnel

Indeed, I didn't think about that!

[CharlieBrady]

Also re server manager GUI access, you can securely create a ssh tunnel via port 443 (google it)

Use public key authentication rather than password authentication.

[Orest]

Hi,

Thanks for all the support, but I am leaving the server in this way for another week, until I finish my degree... than I'm going to buy a machine-server and I am going to apply all your suggestions there.

Until than I wish a great week for all of you!

With all the Respect,
Orest,

[guest22]

Orest,

to make matters more complicated If you are going to buy a physical server, you might want to consider to first install Proxmox on there as the base OS, and deploy many virtual test/production SME Servers (and other server OS's).

You might want to make sure that the hardware has at least 2 NIC's and is compatible with the RH compatibility list. I hear HP micro servers are doing just fine. But search the forums and wiki.

Good way to try and learn without doing any harm

[CharlieBrady]

to make matters more complicated If you are going to buy a physical server, you might want to consider to first install Proxmox on there as the base OS, and deploy many virtual test/production SME Servers (and other server OS's).

I wouldn't recommend that. I would recommend a dedicated physical server, and use other hardware for development/test/virtualization.

[Stefano]

I wouldn't recommend that. I would recommend a dedicated physical server, and use other hardware for development/test/virtualization.

Interesting, Charlie.. would you like to elaborate it? i.e. why?
TIA

[Stefano]

You might want to make sure that the hardware has at least 2 NIC's and is compatible with the RH compatibility list. I hear HP micro servers are doing just fine. But search the forums and wiki.

about microsever/proxmox/esx

http://forums.contribs.org/index.php/topic,50875.msg259191.html#msg259191

it's in italian, but I guess that google translator will help you
I'll ask my mate Nicola to translate it here..

[CharlieBrady]

Interesting, Charlie.. would you like to elaborate it? i.e. why?

KISS.

Running Proxmox and SME server and various other operating systems on a server is more complex and less reliable than running just SME server.  I want my server to be as reliable as possible. Being simpler to set up is also good.

[nicolatiana]

Keeping the discussion about physical-virtual apart from this comment:
1) Microserver N54L & older N36/N40L (the black and cheapest ones):
- very good for Sme stand alone, tried with 7-8-9, ahci supported for 8-9;
- the only chance to use it as Hypervisor is Proxmox, not the native CD but in this way: https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_Wheezy (to have software Raid);
2) Microserver Gen8 (Grey and silver, more expensive but not so more):
- very good for Sme stand alone, tried 8-9, ahci mode supported;
- Hypervisor with Vmware Esxi 5.5u1: possible with native Raid with B120i integrated controller (it's an Intel chipset less fake than its predecessor) supported with the Hp-customized Vmware CD;
- Hypervisor with Proxmox: you can surely install in the way suggested above (1); never tried with native B120i Raid;
In both situations for entry-level hypervisors, Raid 1 is suggested for decent performances in a production environment.
For your personal experience Esxi gives you experience on a more popular product with large support, knowledge and applications (free and not) and support for veteran OSs (sometimes very important).
Anymore Proxmox is very good too: I presently use for my lab and for a few weeks has worked fine with a SME+Affa vm to replace a failed server.

Nicola