Kerio User Forums » Kerio Connect » To DMZ or not to DMZ? (Where should our KMS sit on our network...)
heimi

Messages: 17
Karma: 0
Morning all

We're running KMS 6.7.2 (on Linux, for what it's worth). Having some challenges thinking about where it should sit on the network...

It's fully integrated with our AD for user auth, but needs to be web facing for webmail and iPhone ActiveSync. We have a properly configured DMZ that it can go in if appropriate.

It's currently set up with 2 NICs, one on the LAN and one in the DMZ, but I recognise that this sucks security-wise and needs to be fixed.

I'd be really grateful if any of you could share your experiences/recommendations about how you handle this sort of set up.

Thanks in advance.
campodoro74

Messages: 119
Karma: 0
Since Kerio doesn't have a front-back server setup, putting the server in a DMZ is not very useful AFAIK, especially when you use 2 network interfaces to connect your separated networks.

My Kerio server is running on an ESX server on the local LAN and the firewall is forwarding the usual ports to the server. That's it. The LAN has got unlimited access to the server, and communicating from the Kerio to the AD controller is therefore no problem at all.

I would love to have the web part in the DMZ and use the mailserver part on the LAN; so my firewall can protect my LAN from attacks to the front part of Kerio. Too bad it's not supported.
ssampier

Messages: 5
Karma: 0
I have considered this problem, too.

If you are using an SMTP gateway you just limit the IP range on the firewall of the filtering box. That reduces your attack surface.

Of course, web mail traffic is still vulnerable. You can potentially get around that with a web proxy.

But then you have 3 servers/appliances to maintain instead of 2.
heimi

Messages: 17
Karma: 0
I have been told that using a web proxy will break the push functionality to iPhone. Does anyone know if this is the case?
marook

Messages: 520
Karma: 3
I have several setups where KMS runs on OS X Server with one interface in the public and one on the LAN. Enable the firewall, have good passwords and all seems fine.
Turn off SSH, at least on the outside, as there are a lot of SSH attack attempts (just in case).

If you then have the public interface in a DMZ with a firewall controlling it, you have an even better setup - at least with some filter on it.

Regards,

Jakob Peterhänsel
Consultant - Humac A/S

Apple Certified Support Professional (ACSP)
Apple Certified Technical Coordinator (ACTC)
AppleSeed/CQF member since 1998
Kerio Messaging Partner
ssampier

Messages: 5
Karma: 0
I am having a difficult time understanding how the 2 NICs provide more security. Can you explain it to me?

I am familiar with networking and I have set up several Juniper and PIX firewalls, etc.

Thanks!
pcunix

Messages: 594
Karma: 33
It's the machines inside the LAN that are made safer by putting only necessary machines in a DMZ.

Tony Lawrence
Kerio Preferred Partner and Reseller
Certified for Connect, Control
http://aplawrence.com
heimi

Messages: 17
Karma: 0
ssampier wrote on Mon, 02 November 2009 23:28
I am having a difficult time understanding how the 2 NICs provide more security. Can you explain it to me?


Having 2 NICs does NOT provide more security - quite the opposite. If you have one NIC in the DMZ and one NIC on your LAN, you are risking your whole LAN being compromised if someone manages to break down your internet-facing DMZ port.

It basically makes your DMZ redundant as it's not doing the job it was designed to do.

Does anyone else have any input they can offer regarding my original question, please?

Thanks
Toby
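The single-homed layout that ssampier's "limit the IP range on the firewall" point and heimi's dual-NIC warning both lead to, written out as an added example (not from the thread, not Kerio's own configuration): a perimeter-firewall FORWARD policy that admits SMTP only from the filtering gateway, HTTPS from anywhere for webmail and ActiveSync, and lets the DMZ host reach only the domain controller on the ports AD authentication needs. All addresses and the AD port list are assumptions.

```shell
#!/bin/sh
# Added example, not Kerio's own configuration. Placeholder addresses (assumed):
MAIL_DMZ="${MAIL_DMZ:-192.0.2.10}"        # single-homed Kerio host in the DMZ
DC_LAN="${DC_LAN:-10.0.0.5}"              # AD domain controller on the LAN
LAN_NET="${LAN_NET:-10.0.0.0/8}"          # the whole internal network
SMTP_GW="${SMTP_GW:-198.51.100.0/24}"     # the SMTP filtering gateway's range

# Emit the FORWARD chain for the perimeter firewall. Call with "echo" to
# dry-run (prints the rules) or with "iptables" to apply them as root.
dmz_mail_rules() {
    ipt="$1"
    # Replies to connections that were already allowed.
    $ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Internet -> DMZ: SMTP only from the filtering gateway (the IP-range
    # limit from the thread); HTTPS from anywhere for webmail and ActiveSync.
    $ipt -A FORWARD -d "$MAIL_DMZ" -p tcp --dport 25 -s "$SMTP_GW" -j ACCEPT
    $ipt -A FORWARD -d "$MAIL_DMZ" -p tcp --dport 443 -j ACCEPT
    # DMZ -> LAN: only the AD authentication ports, only to the DC
    # (DNS 53, Kerberos 88, LDAP 389, LDAPS 636; assumed to be what KMS needs).
    for port in 53 88 389 636; do
        $ipt -A FORWARD -s "$MAIL_DMZ" -d "$DC_LAN" -p tcp --dport "$port" -j ACCEPT
    done
    for port in 53 88 389; do
        $ipt -A FORWARD -s "$MAIL_DMZ" -d "$DC_LAN" -p udp --dport "$port" -j ACCEPT
    done
    # Everything else from the DMZ host into the LAN is dropped. A second NIC
    # on the LAN would bypass this rule entirely, which is the thread's point.
    $ipt -A FORWARD -s "$MAIL_DMZ" -d "$LAN_NET" -j DROP
}

# Dry-run helpers used to sanity-check the policy before applying it.
rule_count() { dmz_mail_rules echo | wc -l | tr -d ' '; }
last_rule()  { dmz_mail_rules echo | tail -n 1; }
```

Run `dmz_mail_rules echo` first to review the emitted rules; the final DROP is the line that a dual-homed host never sees.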
sjourney

Messages: 132
Karma: 0
We use a reverse proxy with no issues. Have around 80 phones attached.
heimi

Messages: 17
Karma: 0
sjourney wrote on Thu, 05 November 2009 22:52
We use a reverse proxy with no issues. Have around 80 phones attached.


Is that just using something like Squid? And it all works OK? Doesn't break the push functionality of KMS to your phones?

Many thanks in advance for your advice...

Toby