SOGo can't be accessed from another subnet

NethServer Version: NethServer 7.9.2009 final
Module: SOGo

Hi,
I ran into a problem.

There are two locations, A and B. The routers at the two locations are connected by VPN, and the devices of both locations are accessible from both locations. The IP address range of site A is 192.168.1.x, and that of site B is 192.168.0.x.

The Nethserver is on site A and SOGo is accessible from this network. When I want to connect to SOGo from location B (IP address range), I get an error message:
“You don’t have permission to access SOGo dir”.

Access to SOGo from the Internet (Red) is not allowed, access is only allowed from the internal (Green) network.

Can someone tell me the reason for this and how to solve it?

Hi @steve

The issue you are experiencing here is probably a classic DNS / Routing issue…

I assume you have set both LAN IPs under the other side in “Trusted Networks”.
I also assume that you are using LE validated DNS names to connect (allowing https access).
My third assumption is that you don’t have any DNS entries on internal DNS that will force your clients to use the VPN (overriding the IPs received from external DNS…).

→ This means, your client is attempting to use an external connection to SiteA, via Internet and not via VPN…

To solve this, create on the site B NethServer DNS an entry, the same as your clients are using (eg sogo.domain.tld), but pointing to the internal IP of your SOGo server at site A.

Hope this is somewhat understandable…

My 2 cents
Andy

@Andy_Wismer
Sorry, but I didn’t write that this is what I thought at first, too: I set a fixed DNS entry pointing to the IP address of the NethServer in the router at site B, but it didn’t solve the problem.

On site A, I access the Nethserver’s SOGo via its IP address and when connecting, Firefox says that the Nethserver’s LE certificate is for the domain name, but allows it to be accepted for connection. This is not a problem in the local network.

When connecting from site B with the IP address to the NethServer’s SOGo on site A, Firefox also says that the certificate is for the domain name, but after acceptance, the above error message appears.

If I want to connect to the Nethserver’s SOGo with the domain name and the fixed DNS is set in the site B router to the IP address of the Nethserver on site A, then Firefox does not connect and returns a time out.

In the site A router, I previously set the fixed DNS entry to the Nethserver’s IP address, so I can also connect to the Nethserver’s SOGo by entering the domain name from site A.

However, I cannot connect to Nethserver’s SOGo from site B in any way.

It is interesting that I can connect to the Nethserver’s Cockpit from both site A and site B by specifying an IP address or domain name.

That’s why I don’t understand the “You don’t have permission to access SOGo dir” error message.

I hope I wrote it clearly…

Is this wise? I would never use 192.168.0.x instead of 192.168.2.x

Maybe I am wrong…?

@LayLow
I’m sorry, but I don’t understand what you mean.
These are legacy IP address ranges.

@steve

User @LayLow is implying that one should NEVER use 192.168.0.x on a private or home network, even though it is legitimate.

Too many devices (WLAN access points, routers etc.) use 192.168.0.1 out of the box. A user or family member just has to buy one in a shop and hook it up to your network - your network would be dead, no internet access, no working DHCP (IP conflict!)…

Troubleshooting would be made difficult due to the IP conflict and a non-working network.

Then again, this may be all too complicated…
Ignorance is bliss…

My 2 cents
Andy

1 Like

You could try to enable access from public in the SOGo advanced settings. If it works, there may be a missing trusted network.


Okay, I get it now. I inherited this IP address range due to old devices.
In my opinion, the network is adequately protected against such attempts.

I’ll do something about it when I have time…

@mrmarkuz
Thanks, that’s a good idea and I’m working on it, but it’s not time yet.

I have already set up secure passwords for users, but I would like to increase security before making SOGo available over the Internet.

I saw in the SOGo user account setting that it uses port 143 without encryption on localhost. I wanted to change it to 993 and SSL, but it doesn’t work for me, it doesn’t read the user’s imap directories. This was set up in Thunderbird.

Can it be fixed?

@steve

Most D-Link, Netgear, etc. routers on the market have a factory-set IP address of 192.168.0.1.

And they have an active DHCP server running. Most other DHCP server implementations, including Microsoft’s, will stop running if they detect a second DHCP server on the network…

If any such box is plugged in your network, you won’t have a running network, no Internet, etc. Big headaches…

At the moment, your network is NOT protected at all against this.
If earlier bad planning defines your network, I’d place less value on your own opinion.

Then again, as said, ignorance can be bliss…

As to SSL: you need a valid ssl cert (eg LetsEncrypt) for this to work correctly, and you need to use valid host names, no IP numbers. LetsEncrypt only works for valid DNS names…

Don’t “assume”, if you don’t know or “think” you know…

NO other client can connect via localhost, as localhost (127.0.0.1) is not available using the normal network, only the host itself can use localhost… More indication of not quite understanding - or bad communication here to the forum…

My 2 cents
Andy

@Andy_Wismer
You are absolutely right, I agree with you.

This is a closed network, no one can access and connect to the network either wired or via WiFi without permission. The router has a different IP address anyway. :) Soon I will have to reorganize the office network due to the home office, and then a different IP address range will be set for other reasons.

Thanks for the good advice, they always come in handy.

2 Likes