Koozali.org: home of the SME Server

DNS settings

cactus
Re: DNS settings
« Reply #15 on: August 20, 2008, 08:19:54 AM »
Suggested Setup...

                            +------ ADSL connection
                |           |
                            +------ router DMZ ( 1to1 Nat) ----- corporate DNS servers - >> (No office PCs)
                |           |
                            +------ router DMZ ( 1to1 Nat) ----- SME Server in (server gateway mode) SME Lan side used for SME Admin ONLY.
                |           |
                            +------ router Lan ( 1 to many Nat) ----- office PCs (No SERVERS -- Security Issues & maybe Double Nat Issues)
What is the reason for running SME Server in gateway mode when there are no clients connected to its subnet? Wouldn't server-only do in this case?
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

electroman00
Re: DNS settings
« Reply #16 on: August 20, 2008, 04:14:49 PM »
Quote
What is the reason for running SME Server in gateway mode when there are no clients connected to its subnet? Wouldn't server-only do in this case?

Well that's an excellent question.

I guess the best answer is, it offers many options as to what you can do, while still maintaining a secure system.

For example...

All server administration clients would use the SME's internal interface, and that would free up the external interface bandwidth.
With gigabit NICs on the internal SME interface, backups/transfers/rsync would take less time and allow full bandwidth on the external interface.

With a VLAN switch you only VLAN-tag to the server you want to administrate, thus limiting the admin clients' exposure.

You may have a development department that needs to test/evaluate new systems, i.e. embedded web controllers; the SME's internal interface is an ideal approach: subnet isolation.

Let's say you have a primary firewall hardware failure: you connect the office PC LAN to the SME's internal interface, the SME's external to the modem, and reconfig the SME external interface. Everyone is happy in 2-3 minutes. Plug and play... fixed!!

Keep in mind all SME servers on the DMZ have their firewall enabled (server gateway mode) = better server control.

You could put all SME internal interfaces on the same subnet (security risk) and backup/transfer/rsync on a cron job between them.
Each server would enable/disable the internal interface only during the backup/transfer/rsync cron job, thus reducing the (security risk).

enable > transfer > disable - via cron

Besides all of the options it offers (too many to list), it's (one of many) required/prudent setups for a commercial system.

SME's Server Gateway mode is the trick and the treat.

Couple SME with a good Firewall and you just might see how sweet the treat is.

If that's not sweet enough, then add vlan switches. (Layered Switches)

Ease of Administration/Control  &  Damage Control (software & hardware subnet isolation)

Hackers - Hack
Spammers - Spam
Hardware - Fails
Users - Abuse

Damage Control isn't a matter of IF....it's a matter of WHEN.

BTW.... Notice I didn't use the word WIRELESS above.

Why...because that's an entire set of options that are available with this type of setup.

i.e. You could easily add a purple interface to Smoothwall and solve that security problem.

Just like a house, you want to build on a solid foundation; this type of setup is a solid foundation for a network system to build on.

Be it commercial / non-commercial.

HTH

Have a good day....
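The "enable > transfer > disable - via cron" idea from Reply #16, written out as an added example (not code from the thread or from the SME Server project). The interface name, peer address, paths, and the use of ifconfig and rsync over ssh are assumptions; the point is that the internal interface is only up for the length of the transfer and always comes back down, even when rsync fails or the job is killed.

```shell
#!/bin/sh
# Added example: bring the SME internal interface up only for a cron-driven
# transfer, then take it down again. All names below are placeholders.
IFACE="${IFACE:-eth0}"                 # assumed: SME internal (LAN) interface
PEER="${PEER:-192.168.0.2}"            # assumed: other SME server's internal address
SRC="${SRC:-/home/e-smith/files/}"     # assumed: directory to pull from the peer
DEST="${DEST:-/var/backup/peer/}"      # assumed: local destination
RUN="${RUN:-}"                         # RUN=echo prints the commands instead of running them
LOCK="${TMPDIR:-/tmp}/isolated-sync.lock"

iface_up()   { $RUN ifconfig "$IFACE" up; }
iface_down() { $RUN ifconfig "$IFACE" down; }
transfer()   { $RUN rsync -a --delete -e ssh "root@$PEER:$SRC" "$DEST"; }

# enable > transfer > disable, with the disable step guaranteed.
sync_isolated() {
    # A lock (mkdir is atomic) stops an overlapping cron run from leaving
    # the interface up while another run thinks it already closed it.
    if ! mkdir "$LOCK" 2>/dev/null; then
        echo "sync already running, refusing to start" >&2
        return 2
    fi
    # If cron or an admin kills the job mid-transfer, still close the window.
    trap 'iface_down; rmdir "$LOCK"; exit 130' INT TERM
    if ! iface_up; then
        rmdir "$LOCK"
        trap - INT TERM
        return 3
    fi
    if transfer; then rc=0; else rc=$?; fi   # remember rsync's result, but...
    iface_down                               # ...drop the interface regardless
    rmdir "$LOCK"
    trap - INT TERM
    return $rc                               # so cron mail shows a failed copy
}

# cron entry would call:  /usr/local/sbin/isolated-sync.sh run
case "${1:-}" in
    run) sync_isolated; exit $? ;;
esac
```

Run it once with `RUN=echo ... run` to see the exact up/rsync/down sequence before letting cron use it.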

electroman00
Re: DNS settings
« Reply #17 on: August 20, 2008, 04:50:43 PM »
Sorry....forgot to address....

Quote
Wouldn't server-only do in this case?

Sure would, whatever floats your boat.

Be aware....there are row boats and speed boats.

Here's a speed boat....

Primary Firewall PC LAN is 192.168.0.1
SME's internal lan is 192.168.0.1

Primary Firewall fails....ouch.!!

Connect PC lan to SME's lan interface and SME's external interface to the modem.

Reconfig SME's external for the modem and you're done.

Redundant firewall backup ready to go.

Just need a failure to make it happen.

VLAN speed boat... two VLAN tag changes and an SME external config change & reboot, and you're done.

When something fails...the race begins.!!

And the winner is "Gateway Mode"..!!

HTH