NethServer Version: 7.6
I am currently running a NethServer VM on a Proxmox host and am using it primarily for email/SOGo, which is accessed mostly from the internet.
I have been prompted to deploy a separate dedicated firewall instance of NethServer, which has prompted me to look at deploying further dedicated instances of NethServer - for example an AD domain controller (we don't currently use AD but the time has come, I think); a Nextcloud server; an email server; a web server.
Does anyone have a good high-level view of such a deployment they could share? I also have a few specific questions as follows:
A NethServer running just email/SOGo can presumably be sat in the DMZ behind the NethServer firewall. What NethServer modules should this server be running? Is SOGo OK to sit in the DMZ (I've seen references to groupware being sat on the green network)? How should the email server communicate with the AD server (which should presumably be sat on the green network)?
This feels like a can of worms being opened! An interesting one, but one which may benefit from some guidance, even if it is “put the lid back on” and just run a single NethServer instance 'til you grow up a bit!
Thanks in advance for any assistance.
On the NethServer firewall you should configure a NIC interface with the DMZ type, and then you can set particular rules if you need some customization. On the NethServer email server you need to install the Email module and SOGo. Check also reverse DNS (PTR), the A record and blacklists to allow the mail server to work properly.
I have never installed a mail server in a DMZ, but I think it can work, because traffic from GREEN -> DMZ should be permitted, and also traffic from DMZ -> RED.
The firewall and mail server should communicate automatically (no particular rules should need to be set), but you have to set remote AD on the mail server (if the AD is on the firewall), or you have to set remote AD on the firewall if the AD is on the mail server. Keep in mind that if the connection between the two servers goes down, remote AD doesn't work.
Yes, you can also install everything on one server: NethServer is modular and you can do what you prefer, but remember that the server should be more powerful, and if you have a problem on this server you're blocked on both mail and firewall, and if you want to reinstall you have to restore all the files of the mail server and not only the firewall config.
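The PTR / A record / blacklist check mentioned in the reply above, as an added example that is not part of this thread or of NethServer itself: a small standard-library Python script that verifies forward-confirmed reverse DNS for the mail host and builds the DNSBL query names before looking them up. The IP, hostname and the single DNSBL zone are placeholder assumptions; substitute your own mail host and the zones you actually consult.

```python
# Added example, not from the thread: sanity-check a mail host's DNS (FCrDNS + DNSBL).
# Standard library only. The host/IP used at the bottom are constructed placeholders.
import ipaddress
import socket


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name queried at a DNSBL: reversed IPv4 octets (or IPv6 nibbles) under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.strip(".") + "."


def forward_confirmed(ip: str, hostname: str, ptr_names, a_records) -> bool:
    """FCrDNS: the PTR of ip must name hostname, and hostname must resolve back to ip.

    Lookup results are passed in so the decision logic can be exercised offline."""
    want = hostname.strip(".").lower()
    ptr_ok = want in {n.strip(".").lower() for n in ptr_names}
    addr = ipaddress.ip_address(ip)
    a_ok = addr in {ipaddress.ip_address(a) for a in a_records}
    return ptr_ok and a_ok


def check_mail_host(ip: str, hostname: str, zones=("zen.spamhaus.org",)) -> dict:
    """Live check with the system resolver; zones is a tuple of DNSBL zone names (assumed)."""
    try:
        ptr_names = [socket.gethostbyaddr(ip)[0]]
    except (socket.herror, socket.gaierror):
        ptr_names = []                  # no PTR at all: FCrDNS will fail
    try:
        a_records = [r[4][0] for r in socket.getaddrinfo(hostname, None)]
    except socket.gaierror:
        a_records = []
    listed = {}
    for zone in zones:
        try:
            socket.gethostbyname(dnsbl_query_name(ip, zone))
            listed[zone] = True         # any A answer means the address is listed
        except socket.gaierror:
            listed[zone] = False        # NXDOMAIN: not listed in this zone
    return {"fcrdns": forward_confirmed(ip, hostname, ptr_names, a_records), "listed": listed}


if __name__ == "__main__":
    # Placeholder values (documentation range / reserved TLD); replace with your mail host.
    print(check_mail_host("192.0.2.10", "mail.example.invalid"))
```

Run it on the mail server itself (or any host with the same resolver view) and fix a failing PTR or A record before going live; a listing in any zone explains rejected outbound mail.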
A lot of options are available when you're not depending on license costs. But the environment and the goals are necessary to help you design something that can be a good option.
How many users are going to be served from this infrastructure?
Which services are requested from firewall setup?
Are there Windows clients that need Group Policies and ACLs for SMB shares?
Which services and devices need centralized password control?
What is the goal for Nextcloud? A few examples: share data with the internet/customers/suppliers, primary document repository of the organization, file archive.
Consider backup and throughput if the mail server/application server is on the DMZ. If there's no plan to add an out-of-band network to allow backups to be delivered to their destination, the bandwidth between segments offered by the firewall could become a bottleneck for backup performance.
I know, in virtual environments upgrades on a VM are a bit faster than buying new hardware. But sometimes a careful and scalable network structure design can save time and issues when the volume of data grows.
Last words about putting application servers (email + groupware, web server, cloud, remote applications) on the DMZ/Orange.
If the application is designed to be used also via the internet (like webmail, POP3S/IMAPS/SMTPS, Mattermost, Collabora Online) and it's not necessary for it to be accessed via LAN-oriented protocols like SMB or NFS, using the DMZ is a mind exercise to know what the application server needs in order to work. It helps you to design tailored (and more restrictive) rules to allow traffic between DMZ and Green, which can be applied also to RED except for backup. A bit more time consuming for the setup, especially if you follow the best practice of using hostnames/aliases instead of IP addresses to reach hosts, but far more viable if the setup changes in network segment or installation/server.
Putting a firewall between the application server and the GREEN network can allow you to gain statistics about traffic and use of your application server: time, bandwidth, key users, data volume. If the application server lies on the LAN, you probably won't be able to gather the same amount of data for analysis.
Thanks for the input chaps, appreciated. Still plenty to think about here!