Zentyal Forum, Linux Small Business Server
Zentyal Server => Installation and Upgrades => Topic started by: 0oOo0 on May 12, 2013, 09:47:53 am
-
Hi
I work as a systems integrator and my boss is considering using Zentyal to replace Windows SBS in our corporate clients' networks. He has recently asked me to configure a Zentyal server on my home network as a Proxy Server as if it were for one of our already established corporate networks.
No problems installing it and getting internet access, but connected devices cannot get out to the internet when connected to the proxy server. I can't even ping the server successfully now that I have configured it as a proxy. I have done a search and tried following this guide: http://doc.zentyal.org/en/proxy.html
Set up is as follows:
DGN2200 Modem router connected to an ADSL line: DHCP disabled.
Firewall rules
Outbound Services: allow all
Inbound Services: Block always
Unmanaged Ethernet Switch connected to the DGN2200
Zentyal Server (core version 2.2.9) connected to the Switch: upgraded with apt-get update && apt-get upgrade
Module Status:
Network Running
Firewall Running
Antivirus Disabled
Apache Running
Certification Authority Not created
Zentyal Cloud Professional Package Installed
DHCP Running
DNS Running
Backup Running
Events Running
Logs Running
Monitoring Running
VPN Running unmanaged
Zentyal Cloud Client Subscribed
HTTP Proxy Running
Traffic Shaping Disabled
Users and Groups Running
HTTP Proxy General Settings
Transparent Proxy: yes
Ad Blocking: no
Remove advertisements from all HTTP traffic: no
Port: 3128
Cache files size (MB): 40960
Default policy: Always Allow
Packet Filter > Internal Networks
Decision: allow any source, destination and service
Traffic Filter > Traffic coming out from Zentyal
Decision: Allow any destination or service.
Packet Filter > Rules added by Zentyal services (Advanced)
Enabled | Type   | Module     | Condition                               | Decision | Action
        | Output | HTTP Proxy | -m state --state NEW -p tcp --dport 443 | ACCEPT   |
        | Output | HTTP Proxy | -m state --state NEW -p tcp --dport 80  | ACCEPT   |
        | Output | VPN        | --protocol tcp --destination-port 80    | ACCEPT   |
DHCP
Default gateway: Zentyal
Search domain: None
Primary nameserver: local Zentyal DNS
Secondary nameserver: 8.8.8.8
NTP server: None
WINS server: None
DNS
Enable Transparent DNS Cache: Yes
Forwarders: none
Domains: none
Domain Name Server Resolution:
127.0.0.1
8.8.8.8
Anything I've missed? Ask me to list it.
-_-
-
Nice clear post still you may even improve it a little bit by telling us:
- what is your network design behind Zentyal
- how did you configure Zentyal interfaces.
What I mean is that you describe with a lot of detail the part of your infrastructure between Zentyal and the internet, and this one works, as Zentyal can access the internet, but you do not (unless I misunderstood) describe the part between Zentyal and the clients; unfortunately, this is the one failing :-\
If goal is HTTP proxy test only, then you can also have much lighter deployment.
Some modules are not involved like Cloud related modules or even users & groups
BTW, does it work when you disable the HTTP proxy module?
-
Network design behind Zentyal
I'm sorry, I'm not sure what you are asking about. You want to know what servers are running or the network size and media type etc... ?
Zentyal interface configuration
n.b. I originally had two ethernet ports on the server, an on-board and a plug in. My boss has asked me to set it up using only one ethernet port as this is what will be required of us when we deploy.
Interfaces
Name: eth0
Method: Static
External (WAN): yes
IP address: 192.168.0.2
Netmask: 255.255.255.0
Virtual Interfaces: none
Gateways Configuration:
Enabled | Name | IP address  | Interface | Weight | Default
yes     | ISR  | 192.168.0.1 | eth0      | 1      | yes
Proxy
Username: <left blank>
Password: <left blank>
Proxy server: <left blank>
Proxy port: 8080
Domain Name Server Resolution
127.0.0.1
8.8.8.8
Objects
None
Services
Service name Description
HTTP HTTP
adsync --
any any protocol and port
any TCP any TCP port
any UDP any UDP port
dhcp --
dns Domain Name Service
eBox administration Zentyal Administration Web Server
ldap --
ssh SSH
Static Routes
None
DDNS
Enable Dynamic DNS: yes
Service: Zentyal Cloud
Username: <blank>
Password: <blank>
Hostname: <blank>
Does it work when I disable the HTTP proxy module? No. I think that's because the clients are receiving a DHCP configuration from Zentyal which tells them to set its interface IP address as the default gateway. If I set them statically to point to the router/modem (DGN 2200) at 192.168.0.1 I can get out to the internet.
End
-
I think Christian is trying to get at what your network topology is. It looks like you are set up using just one NIC behind a router that opens all ports. All devices (including the router) are plugged into the same switch?
-
Much clearer now.
As half_life explains, it looks like your network is flat behind your router. All devices including Zentyal have direct access to internet.
Transparent proxy with such topology is quite complex and requires, at least, that Zentyal is your default gateway.
What do you expect from Zentyal with such design?
- There is no firewall
- proxy may work as explicit proxy but not (well, not easily) as transparent one
I strongly suggest that:
- you set up your Zentyal server with at least 2 NICs
- you read a bit of the Zentyal documentation, which shows some examples.
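To make Christian's point concrete, here is an added check script (not from the thread or from Zentyal itself) for the single-NIC layout described above, where clients use the box as default gateway while it transparently proxies HTTP. It assumes the usual Linux/netfilter mechanism for transparent Squid (kernel forwarding plus a nat PREROUTING REDIRECT of tcp/80 to the proxy port, 3128 on this page) and reads captured text so it runs offline; the two nat dumps are constructed samples.

```shell
#!/bin/sh
# Added example: grade captured output of `sysctl -n net.ipv4.ip_forward`
# and `iptables-save -t nat` against the transparent-gateway prerequisites.

# Kernel forwarding: without it, clients whose gateway is this box go nowhere.
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# nat PREROUTING rule sending tcp/80 to the proxy port ($2).
has_redirect_rule() {
    printf '%s\n' "$1" | grep -E -- \
        "^-A PREROUTING .*-p tcp .*--dport 80 .*-j REDIRECT --to-ports? $2\$" >/dev/null
}

# MASQUERADE on the way out; optional on a flat subnet, but worth knowing.
has_masquerade_rule() {
    printf '%s\n' "$1" | grep -E -- "^-A POSTROUTING .*-j MASQUERADE" >/dev/null
}

# Runs all checks, prints one line each, returns 0 only if the required ones pass.
check_transparent_gateway() {
    fwd=$1; nat=$2; port=$3; rc=0
    if forwarding_enabled "$fwd"; then echo "ok   ip_forward=1"
    else echo "FAIL ip_forward=0: clients using this box as gateway cannot reach the router"; rc=1; fi
    if has_redirect_rule "$nat" "$port"; then echo "ok   tcp/80 redirected to port $port"
    else echo "FAIL no PREROUTING REDIRECT of tcp/80 to $port: proxy is not transparent"; rc=1; fi
    if has_masquerade_rule "$nat"; then echo "ok   POSTROUTING MASQUERADE present"
    else echo "WARN no MASQUERADE: the router sees client addresses and replies to them directly"; fi
    return $rc
}

# Constructed sample dumps (not captured from the poster's server).
NAT_BROKEN='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'
NAT_OK='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

check_transparent_gateway "0" "$NAT_BROKEN" 3128 || true   # two FAIL lines, one WARN
check_transparent_gateway "1" "$NAT_OK" 3128               # three ok lines
```

On a live box, feed it `"$(sysctl -n net.ipv4.ip_forward)"` and `"$(iptables-save -t nat)"` instead of the samples.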
-
He can still achieve a full firewall if the switch handles VLANs. If the router has decent firewall capabilities he can set it up to only speak to the Zentyal machine and one other "secret" IP for safety purposes.
-
Sure, from a pure technical standpoint this can be done; however, let's be honest, such a design is much more complex and can't be safely handled without significant technical knowledge and background.
At least from my standpoint 8)
-
He said up front that he is a systems integrator. I agree that it is much easier to set up a gateway with two NICs, but it isn't necessary.
-
Sure, from a pure technical standpoint this can be done; however, let's be honest, such a design is much more complex and can't be safely handled without significant technical knowledge and background.
At least from my standpoint 8)
All in a day's work. Right, Christian?