Topic: Using SME when your website is ISP hosted

[Ed Form]

Howto gain access to your ISP hosted domains from behind an SME server using virtual-domain aliases

For those who cannot obtain connections of sufficient bandwidth to host their own website or mail server, and are forced to use an outside ISP for these services, SME should still be an attractive way to supply file, print, centralised-email, and fire-walled web-browsing services to small networks. In this role, however, the software has a drawback which can make it unacceptable to many users - in order to use company email addresses for network users, the SME server must have the company domain name. This means that an ISP-hosted company website cannot be seen by machines connected to the in-house server. All requests for the company domain result in connections to the corresponding service of the SME server.

I've worked out a method to solve this problem in which you configure your in-house server with a different domain name to that used by the company and fool the mail system into treating internal and external email, addressed to the company domain, as though it was addressed to the new in-house server domain.

Since I've needed something to do this for the longest time, I figured others might find it useful, so I've made it available on my webpage at...

http://www.gopaperless.co.uk

...until the Mitel folks get round to adding it to the contributed Howto lists.

Ed Form

[Kelvin]

Hi Ed,

I'm not certain of the need.

If you configure your SME server to have your actual domain name, you can go to hostnames and addresses under server manager and point the www entry back to your ISP hosted website, which solves the problem of local users not being able to access the company website.

And depending on your ISP / domain host, you could either :-

1. Have the ISP / domain host list your SME as the primary MX (even on dial-up and even if you use Dynamic DNS services)

2. Use multidrop as you have done in your How-to (although I much prefer Vincent's multidrop addin over the dugong's one).

I do this on many, many servers.

Kelvin

[Ray Mitchell]

Dear Ed & Kelvin

You can also quite simply put a one line entry in an index page in /primary/html which points to your outside hosted web site ie www.outsidehostdomainname.com.

That way you can have the majority of your web site on an external host site, but still have pages on your sme server like www.yourdomain.com/otherstuff, and host your own domain based email as well.

No need to set up anything else on your sme server, your external MX records of course point to your sme server which is setup with your actual domain name.
Of course if your server is down, then your whole web site is down, external and internally hosted, but then again whenever does your sme server go down !!??

I look after a site where it is done this way and it works quite nicely.

Regards
Ray Mitchell

[Cyrus Bharda]

I have a SME 5.5U3 using a 56k dial-up connection to the net, because that's all that is available, and we host our own email @langs.net.au BUT we have our website hosted by a private company.

Its easy as basically add in the Host Names and Addresses the External IP for www.langs.net.au (you dmain of course) and bob's your uncle! When people from the inside LAN access www.langs.net.au it loads from our hosts not our SME and all the mail is sent to our SME not host, this is done via a cname in our MX records.


[root@esmith root]# dig @ozemail.com.au langs.net.au

; <<>> DiG 9.1.3 <<>> @ozemail.com.au langs.net.au
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58257
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;langs.net.au.                  IN      A

;; ANSWER SECTION:
langs.net.au.           86400   IN      A       203.63.219.194

;; AUTHORITY SECTION:
langs.net.au.           2181    IN      NS      spook.cia.com.au.
langs.net.au.           2181    IN      NS      snoop.cia.com.au.

;; ADDITIONAL SECTION:
spook.cia.com.au.       10250   IN      A       203.17.36.1
snoop.cia.com.au.       10250   IN      A       203.17.36.2

;; Query time: 593 msec
;; SERVER: 203.2.194.3#53(ozemail.com.au)
;; WHEN: Tue Feb 18 14:27:03 2003
;; MSG SIZE  rcvd: 138

[root@esmith root]# dig mx @ozemail.com.au langs.net.au

; <<>> DiG 9.1.3 <<>> mx @ozemail.com.au langs.net.au
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37359
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 5

;; QUESTION SECTION:
;langs.net.au.                  IN      MX

;; ANSWER SECTION:
langs.net.au.           86400   IN      MX      10 mail.langs.net.au.
langs.net.au.           86400   IN      MX      20 smtp.bne.server-mail.com.
langs.net.au.           86400   IN      MX      30 smtp3.bne.server-mail.com.

;; AUTHORITY SECTION:
langs.net.au.           2155    IN      NS      spook.cia.com.au.
langs.net.au.           2155    IN      NS      snoop.cia.com.au.

;; ADDITIONAL SECTION:
mail.langs.net.au.      86400   IN      A       203.22.141.171
smtp.bne.server-mail.com. 19    IN      A       203.147.151.186
smtp3.bne.server-mail.com. 18   IN      A       203.147.151.183
spook.cia.com.au.       10224   IN      A       203.17.36.1
snoop.cia.com.au.       10224   IN      A       203.17.36.2

;; Query time: 677 msec
;; SERVER: 203.2.194.3#53(ozemail.com.au)
;; WHEN: Tue Feb 18 14:27:28 2003
;; MSG SIZE  rcvd: 253

[root@esmith root]#

This way all http traffic goes to host and all mail to SME. The only thing is that SME still provides http to mail.langs.net.au, but I have put in a little forwarder index.htm to forward anyone looking at that to www.langs.net.au, but still I would love o be able to turn all external http off so that I could develop an internal intranet, anyone know how?

Cyrus Bharda

[Kelvin]

Hi Cyrus,

I'm not certain of your intranet requirements but,

For my various installations, I get my clients to access their "intranet" via their SME server name (ie. called "smeserver" for example), instead of their domain name. That way, when they want to get to the ISP hosted web page, they enter :-

www.mydomain.com

into their web browser and when they want to access their "intranet", just type in

smeserver

into their web browser. And this won't break any of the add-ins you might want like twiggi, etc.

ie.

https://smeserver/twiggi

A whole lot shorter to type too !

Kelvin

[Cyrus Bharda]

The only problem is that if you want to put info on your intranet that you dont want anyone but company employees to look at here http://smeserver it is also available at http://mail.yourdomain.com which isnt really good if you are putting financial info on the intranet

I thought it would probably be easier just to setup another sme box just for serving the intranet and then it is not conected to the outside at all

Cyrus Bharda

[Ray Mitchell]

Cyrus
I think my post answers your requirements, but to expand a little.

Treat your sme server as the primary web site server and have all MX records set accordingly.
Do not put any entries in the hostnames and addresses panel.
Therefore all external traffic to www.yourdomain.com comes to your /primary/html folder and reads the index.htm file. This file has one line in it which redirects requests for your web sites primary web page to the externally hosted location, which of course is NOT using your domain name, but say www.ozemail.com.au/cyrus (or whatever).

All other requests for www.yourdomain.com/otherstuff or www.yourdomain.com/ibayname will go directly to your server, including requests for your own intranet hosted on your sme server. Local users requests for www.yourdomain.com are also forwarded to the external site to get the primary web site page.

You can create pages in subfolders in the /primary/html folder and access them via www.yourdomain.com/subfoldername OR you can create pages in ibays and access them by www.yourdomain.com/ibayname.

Mail and everything else is hosted locally by default.

Regards
Ray Mitchell

[Kelvin]

Hi Cyrus,

Simple, this is how it's done on a few sites :-

http://smeserver/intranet

where intranet is a password protected ibay.

If you don't advertise the fact that "intranet" exists, then someone must know the name to look for it.

Additionally, even if they found the name, they still need a valid username and password to get to it.


Kelvin

[Cyrus Bharda]

Yes but arent all the i-bays/subdirs under /primary/html accessable from the outside, and another thing, we also use our piddly little modem for net access, I dont know how our link would go if we subjected it to redirecting web traffic all day .

See if I make a sub dir under /primary/html/test without the entry in the hostnames, when someone internally types in http://smeserver/test it will load, but it will also load if someone internally/externally types in http://www.domain.com/test , meaning that if someone externally guesses a name of the subdirectory then it will load to them. Is that correct?

Internal: (without hostnames)

http://smeserver = /primary/html
http://www.domain.com = /primary/html
http://smeserver/test = /primary/html/test
http://www.domain.com/test = /primary/html/test

Internal: (with hostnames)

http://smeserver = /primary/html
http://www.domain.com = http://hostname_entry
http://smeserver/test = /primary/html/test
http://www.domain.com/test = http://hostname_entry/test

External: (DNS Records pointed to SME)

http://www.domain.com = /primary/html/index.htm (forwarder to ISP site)
http://www.domain.com/test = /primary/test

External: (DNS Records pointed to ISP and MX pointed to SME)

http://www.domain.com = http://isp_site.com/
http://www.domain.com/test = http://isp_site.com/test
http://mail.domain.com = /primary/html/index.htm (forwarder to ISP site)
http://mail.domain.com/test = /primary/test


meaning that if I do put information that is private and someone guesses the subdir then they get access to it, wether I like it or not

Am I wrong/right? Am I confused, Yupp!



Cyrus Bharda

[Cyrus Bharda]

So basically as long as you make an i-bay with password protection then its all good? Is it possible for someone to "break" into an i-bay from an external source, eg someone hacks in ?

Cyrus Bharda

[Cyrus Bharda]

Ok

_BONK SELF IN HEAD_

I just went and had a look at creating an i-bay for the first time and found out that I can set it to:

Local network (no password required)
Local network (password required)

Which means that it wont be accessable from the outside right?

(winding up for another bonk if it is correct)



Cyrus Bharda

[Kelvin]

>Is it possible for someone to "break" into an i-bay from an external source, eg
> someone hacks in ?

Of course ! No system in the world is 100% unbreakable. The question is how easy it is (are your passwords secure ????), is it worth it, and do you know how.

I personally don't know how to break into a password protected i-bay. That's not to say someone else doesn't. If I did, I would have sent a report to mitel quick smart as I have people set up this way !

Kelvin

[Kelvin]

OOhhhh,

>(winding up for another bonk if it is correct)

>

Think you're gonna need that ice pack. Now where did you last put it ????



Kelvin

[Ray Mitchell]

Cyrus
As I understand it. Kelvin is correct to say that anything you want to be private, you should put in an ibay which is password protected set to say Entire internet (password required outside local network). This would allow your local users to access it via www.yourdomain.com/ibayname without needing a password whereas external users would need to enter a password.

I don't think the web requests are that big but a lot of them could slow your modem to a crawl. I don't believe the actual web traffic is passed through your modem, only the requests for the site which are redirected.

It really depends on the number of hits to your site.
Perhaps you may want to upgrade to a ADSL service (if available).
I priced them recently and it turned out that a basic ADSL from TPG ended up being cheaper that a dial up service when the cost of the phone calls and line rental were included (and that was a permanent dial up connection by the way). Unfortunately one phone call connection only lasts a few days before it drops out.

Hope this helps
Regards
Ray Mitchell

[Kelvin]

Ok, to be fair, I must apologise to Ed who started this thread. This discussion has deviated slightly from his original posting.

Next time, we'll start a new thread.

Kelvin