Build a DMZ with SMEserver
- Separating local services from public services for increased security
- One (physical) box for cost-efficiency
- Benefit from SMEserver built-in capabilitys
- Keep SMEserver security and design policys with minimal modification
- Build a multi-purpouse environment for flexibility
- End(?) this old discussion about three nic in SME
Virtual layout, inside host computer.
There have been much written about adding more than two nic's to an SMEserver in the community. The dev team have argued against it (on good grounds) as it would break design and security policys.
But if one would have two SME servers, one in server-gateway mode, serving internet with public services like web apps, FTP and mail. The other in private server-gateway mode, serving local network with increased security, file sharing and intranet. Between those two there would be a DMZ network to hook up wireless devices, VoIP and your Microsoft server.
And if we go virtual we can have most of this in one box. Wouldn't that be great?
I would much appreciate your input and corrections about this HowTo as my experience are limited, don't hesitate to send me a mail.
Build the physical machine who is going to be our private server and LAN firewall:
Install VMware Server, look at this HowTo.
When running vmware-config.pl, use defaults but:
- Make a bridge between vmnet2 and eth1 (DMZ).
- Make a bridge between vmnet3 and eth2 (WAN).
- Enable NAT is optional
- Enable Host-only networking is optional
- If you didn't install GCC, answer no to question about gcc path.
Do not enable/configure optionals if not needed.
Host external connection, final settings.
Log in as admin in console, go to "Configure this server":
Configure external IP to "Static"
Set external IP to 192.168.1.16 (in this example).
It must be on another subnet than the local IP.
Change gateway IP to DMZ_FW VM local IP (192.168.1.23)
Add DNS IP to DMZ_FW VM local IP (192.168.1.23)
Connect to VMware server from a VMware console on a client machine.
Build the virtual machine who is going to be our public server and DMZ firewall (DMZ_FW):
- Make new VM, based on RHEL 4.
- Use bridged networking.
Edit virtual machine settings.
Use custom settings for ethernet adapters:
- Connect eternet adapter to vmnet2 (DMZ).
- Add ethernet adapter(2) and connect to vmnet3 (WAN).
Install and configure DMZ firewall.
- Install SMEserver
- Mode: Server-gateway
- Local connection: vmnet2
- Local (DMZ) IP: 192.168.1.23
- Connect WAN NIC to WAN.
Connect a physical switch to DMZ NIC.
From VMware console, log in as admin and test internet access.
Connect a client machine to DMZ NIC (via a switch) and:
- Test internet access.
- Configure and update DMZ firewall from the Server-Manager web panel.
Test everything else, then your done!
- Make sure that DMZ and LAN have the same domain or workgroup names.
- Allow access by VPN in DMZ firewall server.
- Create a VPN connection on a LAN client to publicIP.of.your.server or www.your.server.
- Enjoy surfing/filesharing in both, and between, DMZ and LAN. All at LAN speeds.
This may be a security risk, I don't know what the potential are if something in your DMZ have been hacked. Could this evil exploit the VPN connection to crawl into your LAN?
My current opinion is this: Don't use it permanently, only temporary.
It doesn't make sense to have a DMZ at all if DMZ are connected to LAN all the time.
One can have a client machine that is connected both to LAN and DMZ, bypassing the LAN server, and access both LAN and DMZ resources. Obviously this would be a serious security weakpoint and should not be used other than for troubleshooting.
Non (currently), it just seems to work...
Tested software version
This is tested on SME server 7.x and VMware Server 1.x.