Messages - Abby

1
Installation and Upgrades / Re: HTTP Enable but DNS disable
« on: October 25, 2013, 03:42:26 pm »
That wouldn't be feasible, I'm afraid.

My staff use dozens (if not hundreds) of made-up domain names, and it would interrupt their workflow to constantly request that I add/remove domain names on demand, then update and restart Zentyal services every time a change is made.

If I could add wildcards, e.g. *.made-up-domain-name.com, that would help greatly, but Zentyal does not allow wildcards for that.

2
I have set both NICs to INTERNAL.

I do not need to set a NIC as EXTERNAL, because my third-party Firewall protects us, not Zentyal firewall.

My problem is that I need Application Control to view and block protocol usage, and to do this I need to assign one NIC as external.

But when I do this, all inbound traffic to the EXTERNAL NIC is blocked, even from my DMZ!

3
Installation and Upgrades / Re: HTTP Enable but DNS disable
« on: October 25, 2013, 01:02:20 pm »
We are having this problem as well, because we cannot turn Zentyal DNS off and leave Zentyal Proxy on.

Some of our client computers have entries in their hosts file so that made-up-domain-name.com points to x.x.x.x external IP address.

Now when the client computer accesses made-up-domain-name.com, the Zentyal proxy passes this to Zentyal DNS, and Zentyal proxy returns an error page to the affected client computer, instead of allowing the connection to go through.

Can we turn off DNS and leave proxy on?

Thank you

4
It was not difficult to bridge two NICs into one interface using the same IP.
Follow these steps in order, and save the changes after each step:

1) I deleted the default gateway first and saved the changes (otherwise Zentyal will not let you make the necessary network interface changes)
2) I changed eth0 to bridged, created a new bridge called br1, and saved the changes
3) Set bridge br1 to Static IP, with the same IP address you previously assigned to eth0, and save the changes again
4) Change eth1 to bridged, using bridge br1, and save the changes again
5) Add the default gateway back in, and save the changes

Now Firewall internal IP -> Zentyal br1 -> Core switch are all on the same VLAN.
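A post-change sanity check for the bridge built in the steps above, as an added example that is not part of the original post: it confirms from sysfs that eth0 and eth1 are enslaved to br1, that br1 carries the static address (192.168.1.5 is taken from the later post in this thread), and that the default gateway was restored in step 5. SYSFS_ROOT is an assumed override so the membership check can run against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not Zentyal's own tooling. Assumes a Linux host with sysfs
# and iproute2. SYSFS_ROOT can be pointed at a constructed tree for testing.
SYSFS_ROOT="${SYSFS_ROOT:-/sys/class/net}"

# Print the ports enslaved to a bridge, one per line, sorted.
bridge_ports() {
    # $1 = bridge name; fails when the bridge does not exist
    [ -d "$SYSFS_ROOT/$1/brif" ] || return 1
    ls "$SYSFS_ROOT/$1/brif" | sort
}

# Succeed only when every expected port is a member of the bridge.
bridge_has_ports() {
    # $1 = bridge, remaining arguments = expected member ports
    br="$1"; shift
    members=$(bridge_ports "$br") || return 1
    for p in "$@"; do
        echo "$members" | grep -qx "$p" || return 1
    done
    return 0
}

# Succeed when the bridge carries the given IPv4 address (live system only).
bridge_has_addr() {
    ip -4 -o addr show dev "$1" 2>/dev/null | grep -q " inet $2/"
}

# Succeed when a default route exists again (step 5 of the post).
has_default_route() {
    ip route show default 2>/dev/null | grep -q '^default'
}

# Run the three checks for the topology described in the post.
check_bridge() {
    bridge_has_ports br1 eth0 eth1 || { echo "br1 is missing eth0/eth1"; return 1; }
    bridge_has_addr br1 192.168.1.5 || { echo "br1 lacks 192.168.1.5"; return 1; }
    has_default_route || { echo "no default gateway configured"; return 1; }
    echo "br1 bridge looks correct"
}

# Usage on the Zentyal box: sh check_bridge.sh --check
case "${1:-}" in --check) check_bridge ;; esac
```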

5
Clearer.
What I understand now, reading your last post and again the first one, is that your Zentyal server has one single interface (even if made of 2 NICs for some reason; if bridged, there is only "one" interface).

Yes, this is correct.

This means that:
- from core switch, you can reach directly your firewall

We can reach the Firewall from the Core Switch through the proxy. Zentyal sits physically (and logically) between the core switch and firewall, with one NIC connected to each device.

- no one is obliged to use Zentyal as proxy unless you have rules at FW level preventing access except from proxy

Really? Even though http traffic HAS to pass through Zentyal to get to the Firewall?
If so, then I can always add a Firewall rule that blocks the internal VLANs from accessing the internet directly.

- you can't set rules at Zentyal level that are based on the fact that communication is going "through" Zentyal. Only proxy-based control is available because the client session will stop at proxy level and a new session will start from proxy (Zentyal) to server.

Yes, I noticed this yesterday, when I put Zentyal between the core switch and Firewall. Some of our DMZ websites have allow/deny IP entries in the config files, and we had to update these to allow traffic from the Zentyal VLAN (192.168.1.x) as well as the internal 192.18.x.x VLANs!

- On a platform like Zentyal, the DMZ concept is more an internal dedicated network to which you apply specific FW rules, but this can't be on the unique external (or even internal) subnet.

Does that mean I CANNOT allow rules from the EXTERNAL to the INTERNAL interface? The information that Zentyal published must have confused me. I would still like to have a look at the EXTERNAL to INTERNAL rules to see what is available. Where can I find this setting? I have installed a test Zentyal server with ALL available options but still cannot find it.

Thank you very much for your help Christian :)

6
Our DMZ is on a 172.20.x.x subnet coming off the firewall.

Zentyal can see the DMZ, and can pass traffic between the DMZ and the internal VLAN in its role as a bridge.

7
Hello people

I've installed Zentyal Community Edition 3.2 as a transparent proxy, inline with a bridged interface between my Firewall and my core switch, like this:

Internet -> FW (192.168.1.10) -> Zentyal (192.168.1.5 on br1) -> Core Switch (192.168.1.1) -> internal VLANS 192.168.x.x

and so far, so good! It is all working and I can monitor http traffic :)

My Zentyal box has TWO NICs, that are bridged together.
Also, we have a DMZ and a site-to-site tunnel to a remote location coming off our firewall.

Now, I need to add application control to block peer-to-peer traffic, but to do that, Zentyal tells me I must enable one interface as EXTERNAL.

When I do this, Zentyal blocks ALL inbound traffic on whichever interface I select as external, meaning either (1) we cannot access our DMZ or the remote site or (2) they cannot access us!

I've looked in the firewall settings, and there is NO option to allow EXTERNAL traffic to INTERNAL subnets, despite some forum posts referring to this option. Where has it gone?

I'm thinking that if I can open up external access from our DMZ and site-to-site tunnel ONLY, then I can still enable the EXTERNAL interface and have my application control :)

Please advise :)

Thank you
