zentyal for network administrators · chapter2 zentyal infrastructure creating the ca will be...

Index

. I Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.. P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

1.1.1. SMBs and ITC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71.1.2. Zentyal: Linux server for SMBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71.1.3. About this manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

.. I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91.2.1. Zentyal installer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101.2.2. Initial configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191.2.3. Hardware requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

.. F Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251.3.1. Zentyal webadmin interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251.3.2. Network configuration with Zentyal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331.3.3. Practical examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

.. S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421.4.1. Software updates in Zentyal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421.4.2. Management of Zentyal components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421.4.3. System Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441.4.4. Automatic updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451.4.5. Proposed exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

.. L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461.5.1. Zentyal log queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461.5.2. Configuration of Zentyal logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481.5.3. Log Audit for Zentyal administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491.5.4. Practical examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501.5.5. Proposed exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

.. B. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511.6.1. Design of a backup system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511.6.2. Zentyal configuration Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

.. S- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

. Z I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55.. I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

.. H- Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552.2.1. Network objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562.2.2. Network services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582.2.3. Practical examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592.2.4. Proposed exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

.. D N S DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642.3.1. Introduction to DNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642.3.2. DNS cache server configuration with Zentyal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682.3.3. Transparent DNS Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702.3.4. DNS Forwarders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

3

2.3.5. Configuration of an authoritative DNS server with Zentyal. . . . . . . . . . . . . . 712.3.6. Practical examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 762.3.7. Proposed exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

.. T NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 822.4.1. Introduction to NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 832.4.2. Configuring an NTP server with Zentyal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 832.4.3. Practical examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

.. N DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 852.5.1. Introduction to DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 852.5.2. DHCP server configuration with Zentyal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 862.5.3. Practical examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 902.5.4. Proposed exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

.. C CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 912.6.1. Public Key Infrastructure (PKI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 912.6.2. Importing certificates in clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 932.6.3. Certification Authority configuration with Zentyal . . . . . . . . . . . . . . . . . . . . . . . .1012.6.4. Practical examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105

.. V VPN OVPN. . . . . . . . . . . . . . . . . . . .1062.7.1. Introduction to the virtual private networks (VPN) . . . . . . . . . . . . . . . . . . . . . . . .1062.7.2. Configuration of a OpenVPN server with Zentyal . . . . . . . . . . . . . . . . . . . . . . . . . .1062.7.3. Configuration of a VPN server for interconnecting networks . . . . . . . . . . .1132.7.4. Configuration of an OpenVPN client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1152.7.5. Practical examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1172.7.6. Proposed exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120

.. VPN S IP LTPIPSEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1202.8.1. Introduction to IPsec and L2TP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1202.8.2. Configuring an IPsec tunnel in Zentyal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1202.8.3. Configuring an L2TP/IPsec tunnel in Zentyal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122

.. F T P FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1242.9.1. Introduction to FTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1242.9.2. Configuration of a FTP client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1252.9.3. FTP server configuration with Zentyal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1282.9.4. Practical examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129

..S- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131

. Z G . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133.. I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133

.. F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1333.2.1. Introduction to the Firewall System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1333.2.2. Firewall configuration with Zentyal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1343.2.3. Port forwarding with Zentyal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1383.2.4. Source rewriting rules (SNAT) with Zentyal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1393.2.5. Practical examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1403.2.6. Proposed exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141

.. R . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1423.3.1. Introduction to network routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1423.3.2. Configuring routing with Zentyal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1433.3.3. Configuring traffic balancing with Zentyal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1453.3.4. Configuring wan-failover in Zentyal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1473.3.5. Practical examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1493.3.6. Proposed Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152

4

.. HTTP P S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1523.4.1. Introduction to HTTP Proxy Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1523.4.2. Configuring the web browser to use the HTTP Proxy . . . . . . . . . . . . . . . . . . . . .1533.4.3. HTTP Proxy configuration in Zentyal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1573.4.4. Access Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1583.4.5. Filter profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1603.4.6. Bandwidth Throttling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1643.4.7. HTTPS block by domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1653.4.8. Practical examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1653.4.9. Proposed exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166

.. I P S IDSIPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1673.5.1. Introduction to Intrusion Detection/Prevention System . . . . . . . . . . . . . . . . .1673.5.2. Configuring an IDS/IPS with Zentyal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1673.5.3. IDS/IPS Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1693.5.4. Practical examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1693.5.5. Proposed exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170

.. S- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171

. Z D D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173.. I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173

.. U, C F S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1734.2.1. Introduction to Directory and Domain Services. . . . . . . . . . . . . . . . . . . . . . . . . . . .1734.2.2. Samba: the implementationof ActiveDirectory andSMB/CIFS in Linux1744.2.3. Configuring a Domain Server with Zentyal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1754.2.4. Configuring Zentyal as a Standalone Domain server. . . . . . . . . . . . . . . . . . . . . .1814.2.5. Joining a Windows client to the domain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1834.2.6. Kerberos Authentication System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1874.2.7. Changing the user password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1884.2.8. Group Policy Objects (GPO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1884.2.9. Joining Zentyal Server to an existing domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1894.2.10.Total Migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1934.2.11.Know Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1944.2.12.Configuring a file server with Zentyal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1944.2.13.Practical examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1994.2.14.Proposed exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199

.. S- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .201

. Z C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .203.. I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .203

.. E M S SMTPPOP-IMAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2035.2.1. Introduction to the e-mail service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2035.2.2. SMTP/POP3-IMAP4 server configuration with Zentyal . . . . . . . . . . . . . . . . . . . .2065.2.3. E-mail client configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2125.2.4. Webmail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2195.2.5. ActiveSync® support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2215.2.6. Practical examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2225.2.7. Proposed exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .223

.. M . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2235.3.1. Introduction to the mail filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2235.3.2. Mail filter schema in Zentyal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2245.3.3. External connection control lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2305.3.4. Practical examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2305.3.5. Proposed exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231

5

.. I M S JXMPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2315.4.1. Introduction to instant messaging service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2315.4.2. Configuring a Jabber/XMPP server with Zentyal . . . . . . . . . . . . . . . . . . . . . . . . . . .2325.4.3. Setting up a Jabber client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2345.4.4. Setting up Jabber MUC (Multi User Chat) rooms . . . . . . . . . . . . . . . . . . . . . . . . . . .2405.4.5. Practical examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2455.4.6. Proposed exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245

.. S- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247

. A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .249.. A A: T VB . . . . . . . . . . . . . . . . . . . . . . . . . . . . .249

6.1.1. About virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2496.1.2. VirtualBox. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .250

.. A B: A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2626.2.1. Scenario 1: Base scenario, Internet access, internal networks and

host network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2626.2.2. Scenario 2: Multiple internal networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2646.2.3. Scenario 3: Multiple gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2656.2.4. Scenario 4: Base scenario + external client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2676.2.5. Scenario 5: Multi tenancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .268

.. A C: D . . . . . . . . . . . . . . . . . .2696.3.1. Importing configuration data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2696.3.2. Advanced Service Customization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2706.3.3. Development environment of new modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2726.3.4. Commercial Edition Release Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2726.3.5. Development Edition Release Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2736.3.6. Bug management policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2736.3.7. Community support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273

.. A D: A - . . . . . . . . . . . . . . . . . . . . . . .2746.4.1. Answers to self-assessment questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .274

6

CHAPTER 2ZENTYAL INFRASTRUCTURE

2. ACTION From the certificate list, you will download the one of the CA, a file with aname such as CA-key-and-cert.tar.gz containing the public key ca-public-key.pemand the certificate ca-cert.pem. Following the previously described procedure,import the certificate file ca-cert.pem on the Windows clients.

EFFECT: The new certificates will appear in the certificate list, and any certificateissued by this CA will be accepted by the Windows clients.

V VPN OVPN

I VPN

The virtual private networks were designed to allow secure access for remote usersconnected via the Internet to the corporate network - as well as securely connectdifferent subnets via the Internet.

Your users might need to access to the network resources when they are outside thecompany premises, for example sales people or teleworkers. The solution is to al-low these users to connect to your system via the Internet, although this might meanrisking the confidentiality, availability and integrity of the communication. To avoidthese problems, the connection is not made directly, but through virtual private net-works.

Using VPN, you can create a secure communications tunnel over the Internet that willonly accept connections from authorized users. Traffic is encapsulated and can onlybe read at the other end. Apart from the security advantages, VPN connections areseen like another local network connection by the Firewall, thus having access to localresources and simplifying the infrastructure needed to offer remote services.

The usefulness of the VPN is not limited to remote access by users; an organizationmay wish to interconnect networks located in different places, such as offices in dif-ferent cities.

Similarly, Zentyal can operate in two modes, as a server for remote users and also asa VPN Client of a VPN hub server.

Zentyal integrates OpenVPN to configure and manage virtual private networks. Inthis section you will see how to configure OpenVPN, who has the following advan-tages:

Authentication using public key infrastructure.

SSL-based encryption technology.

Clients available for Windows, Mac OS and Linux.

Easier to install, configure andmaintain than IPSec, another open source VPN alter-native.

Allows to use network applications transparently.

C OVPN Z

Zentyal can be configured to support remote clients (sometimes known as road war-riors). This means a Zentyal server acting as a gateway and VPN server, with multiplelocal area networks (LAN) behind it, allows external clients (the road warriors) to con-nect to the local network via the VPN service.

http://en.wikipedia.org/wiki/Virtual_private_network http://openvpn.net/

106

Fig. 2.68: Zentyal and remote VPN clients

The goal is to connect the data server with other 2 remote clients (Business managerand Client) and also the remote clients to each other.

First, you need to create a Certification Authority and individual certificates for thetwo remote clients. You need to explicitly create an unique certificate for each userthat will connect to the VPN through Certification Authority→ General.

Note that you also need a certificate for the VPN server. However, Zentyal will issuethis certificate automatically when new VPN server is created.

In this scenario, Zentyal acts as a Certification Authority.

Fig. 2.69: Server certificate (blue underline) and client certificate (black underline)

Once you have the certificates, then configure the Zentyal VPN server by selectingCreate a new server. The only value you need to enter to create a new server is thename. Zentyal ensures the task of creating a VPN server is easy and it sets the con-figuration values automatically.

Fig. 2.70: New VPN server created

The following configuration parameters are added automatically and can be changedif necessary: port/protocol, certificate (Zentyal will create one automatically using

107


the VPN server name) and network address. The VPN network addresses are assignedboth to the server and the clients. If you need to change the network address youmust make sure that there is no conflict with a local network. In addition, you will au-tomatically be notified of local network detail, i.e. the networks connected directlyto the network interfaces of the host, through the private network.

TIP: Zentyal allows the configuration of VPN with UPD or TCP protocols. UDPis faster and more efficient, as less control information is transmitted, thereforethere is more room for data. TCP, on the other hand, is more reliable and cancope better with unstable connections and Internet providers that kill long last-ing connections.

As you can see, the VPN server will be listening on all external interfaces. Therefore,you must set at least one of your interfaces as external at Network → Interfaces. Inthis scenario only two interfaces are required, one internal for LAN and one externalfor Internet.

If you want the VPN clients to connect between themselves by using their VPN ad-dresses, you must enable the option Allow connections among clients.

In most of the cases you can leave the rest of the configuration options with theirdefault values.

108

Fig. 2.71: VPN server configuration

In case more advanced configuration is necessary:

VPN ADDRESS: Indicates the virtual subnet where the VPN server will be locatedand the clients it has. You must take care that this network does not overlap withany other and for the purposes of firewall, it is an internal network. By default192.168.160.1/24, the clients will get addresses .2,*.3*, etc.

SERVER CERTIFICATE: Certificate that will show the server to its clients. TheZentyal CA issues by default a certificate for the server, with the name vpn-<yourvpnname>. Unless you want to import an external certificate, usually youmaintain this configuration.

CLIENT AUTHORIZATION BY COMMON NAME: Requires that the common name of theclient certificate will start with the selected string of characters to authorize theconnection.

109


TUN INTERFACE: By default a TAP type interface is used, more similar to a bridge ofLayer 2. You can also use a TUN type interface more similar to a IP node of Layer3.

NETWORK ADDRESS TRANSLATION: (NAT) It is recommended to enable this transla-tion if the Zentyal server that accepts theVPN connections is not a default gatewayof the internal networks towhich you can access from the VPN. Like this the clientsof these internal networks respond to Zentyal’s VPN instead of the gateway. IfZentyal server is both the VPN server and the gateway (most common case), thisoption is indifferent.

Fig. 2.72: VPN server using NAT to become the gateway for the VPN connection

REDIRECT GATEWAY : If this option is not checked, the external client will accessthrough the VPN to the established networks, but will use his/her local connectionto access to Internet and/or rest of the reachable networks. By checking this optionyou can achieve that all the traffic of the client will go through the VPN.

The VPN can also indicate name servers, search domain and WINS servers to over-write those of the client. This is specially useful in the case you have redirected thegateway.

After having created the VPN server, you must enable the service and save thechanges. Later you must check in Dashboard that the VPN server is running.

110

Fig. 2.73: Widget of the VPN server

After this, you must advertise networks, i.e. routes between the VPN networks andbetween other networks known by your server. These networks will be accessible byauthorised VPN clients. To do this, you have to enable the objects you have defined,see High-level Zentyal abstractions, in the most common case, all internal networks.You can configure the advertised networks for this VPN server through the interfaceof Advertised networks.

Fig. 2.74: Advertised networks of your VPN server

Once you have done this, it is time to configure the clients. The easiest way to config-ure a VPN client is by using the Zentyal bundles - installation packages that includethe VPN configuration file specific to each user and optionally, an installation pro-gram. These are available in the table at VPN → Servers, by clicking the icon in thecolumn Download client bundle. You can create bundles for Windows, Mac OS andLinux clients. When you create a bundle, select those certificates that will be used bythe clients and set the external IP addresses to which the VPN clients must connect.

As you can see the image below, you can have onemain VPN server and up to two sec-ondary servers depending on the Connection strategy when defining the connectionorder, or you can also try a random order.

Moreover, if the selected system is Windows, you can also add an OpenVPN installer.The Zentyal administrator will download the configuration bundles to the clients us-ing the most appropriate method.

111


Fig. 2.75: Download client bundle

A bundle includes the configuration file and the necessary files to start a VPN connec-tion.

You now have access to the data server from both remote clients. If you want to usethe local Zentyal DNS service through the private network, you need to configurethese clients to use Zentyal as name server. Otherwise, it will not be possible to ac-cess services by the hosts in the LAN by name, but only by IP address. Also, to browseshared files from the VPN you must explicitly allow the broadcast of traffic from theSamba server.

You can see the users currently connected to the VPN service in the Zentyal Dash-board. You need to add this widget from Configure widgets, located in the upper partof the Dashboard.

For additional information about file sharing go to section Users, Computers and File Sharing

112

Fig. 2.76: Widget with connected clients

C VPN

In this scenario two offices in different networks need to be connected via privatenetwork. To do this, you will use Zentyal as a gateway in both networks. One will actas a VPN client and the other as a server. The following image clarifies the scenario:

Fig. 2.77: Office interconnection with Zentyal through VPN tunnel

The goal is to connect multiple offices, their Zentyal servers and their internal net-works so that one, single network infrastructure can be created in a secure way andthrough Internet. To do this you need to configure a VPN server similarly as explainedpreviously.

However, you need to make two small changes. First, enable the Allow Zentyal-to-Zentyal tunnels to exchange routes between Zentyal servers. And then, introduce aPassword for Zentyal-to-Zentyal tunnels to establish the connection between the twooffices in a safer environment. Take into account that you need to advertise the LANnetworks in Advertised Networks.

Another important difference is the routing information exchange, in the roadwar-rior to server scenario described previously, the server pushes network routes to theclient. In the server to server scenario, routes are exchanged in both directions, andpropagated to other clients using the RIP protocol. Therefore, you can, as a client,configure the Advertised Networks that will be propagated to the other nodes.

http://www.ietf.org/rfc/rfc1058

113


Fig. 2.78: Zentyal as VPN client

You can configure Zentyal as a VPN client at VPN→ Clients. You must give a name tothe client and enable the service. You can configure the client manually or automat-ically by using the bundle provided by the VPN server. If you do not use the bundle,youmust introduce the IP address and protocol-port for the server accepting requests.The tunnel password and certificates used by the client will also be required. Thesecertificates must have been created by the same certification authority the serveruses.

Fig. 2.79: Automatic client configuration using VPN bundle

When you Save changes in the Dashboard, you can see a new OpenVPN™ daemonrunning as a client and the objective connection directed towards another Zentyalserver configured as a server.

Fig. 2.80: Dashboard of a Zentyal server configured as a VPN client

The propagation of routes can take a few minutes.

114

C OVPN

In order to configure a VPN client on Windows, first your system administrator mustgive you the bundle for your client.

Fig. 2.81: The system administrator gives you the bundle for your client

You must unzip it (click on the file with right button and select Extract all). You willfind all the VPN installation files and related certificates.

Fig. 2.82: Extracted bundle files

Right click on the installer and click on Run as administrator, OpenVPN™ needs tocreate the virtual network interface and install the drivers.

115


Fig. 2.83: Accept the OpenVPN license

It is recommended you install all the modules.

Fig. 2.84: List of modules that will be installed

The network Adapter software is not certified for Windows, but it is totally safe toinstall.

116

Fig. 2.85: Despite the warning you can install the driver

TIP: You must copy all the files included in the bundle, expect for the OpenVPNinstaller, to the folder C:\Program Files (x86)\OpenVPN\config to guarantee thedaemon will automatically find them.

Once installed, a double click on the shortcut that has appeared in your desktop al-lows you to connect to the VPN.

Fig. 2.86: Shortcut to connect to the VPN

P

P A

In this example you will configure a VPN server and a client on a computer locatedon an external network; you will connect to the VPN, through which you can access tothe host located in a local network - and to which only the server can access throughan internal interface.

Therefore:

1. ACTION Access Zentyal, go to Module status and enable OpenVPN module, to dothis click on the corresponding box in the Status column.

EFFECT: Zentyal requests permission to perform certain actions.

2. ACTION Study the actions that will be performed and grant Zentyal permissioncarry them out.

EFFECT: The Save Changes button is now enabled.

3. ACTION Access Zentyal interface, go to the section VPN → Servers, click on Addnew, a form with the fields Enabled and Name will appear. Enter a name for theserver.

117


EFFECT: The new server will appear on the list of servers.

4. ACTION Click on Save changes and accept all changes.

EFFECT: The server is active and you can verify its status in theDashboard section.

5. ACTION To make the configuration of the client easier, download the configura-tion bundle. Click the icon in the Download client bundle column and fill in theconfiguration form with the following options:

Client type: select Linux, as it is the client OS.

Client certificate: select client1. If this certificate is not created, create it follow-ing the instructions of the previous example.

Server address: enter here the address that the client has to use to connect tothe VPN server. In this scenario, this address will be the same as the address ofthe external interface connected to the same network as the client computer.

EFFECT: Once the form is completed, you candownload afilebundle for the client.It will be a compressed file in .tar.gz format.

6. ACTION Configure the client computer. Unzip the bundle in a directory and con-tinue with the previously mentioned steps, depending on the operating system.Note that the bundle contains thefileswith the necessary certificates and the con-figuration file with the .conf extension.

If you have not experienced any problems in the earlier steps, the configurationis now ready and you only need to establish the connection.

EFFECT: The client host is connected to the VPN.

7. ACTION Before checking that there is a connection between the client and thecomputer in the private network, you need to be sure that the latter uses Zentyalas default gateway. Otherwise, there is no return route to the VPN client - so youwill need to add it.

Finally, check that you can access some of your client services within the privatenetwork.

EFFECT: You have proved that the VPN works by creating a virtual network withhosts from different networks.

P B

The goal of this exercise is to connect two networks that use Zentyal servers as agateway towards the external network, allowing the members of both networks toconnect to each other.

1. ACTION Access the Zentyal web interface that will take the role of the tunnelserver. Make sure that the VPN module is enabled and enable it if necessary. Atthe VPN → Servers section create a new server using the following configurationparameters:

Port: choose a port that is not in use, such as 7766.

VPN address: enter a private network address that is not in use anywhere elsein your infrastructure, for example 192.168.20.0/24.

Enable the Allow Zentyal-to-Zentyal tunnels. This is the option that enforces atunnel server.

Enter a Password for Zentyal-to-Zentyal tunnels.

Finally, at Interfaces where the server is listening, choose an external interface toconnect to the Zentyal client.

118

To complete the server configuration, you must advertise networks, following thesame steps as in the previous examples. Advertise the private network to whichthe client needs access. It is convenient to remember that this step is not neces-sary on the client. The client will provide all its routes automatically to the server.All you have to do is to enable the service and save the changes.

EFFECT: Once you have carried out all the previous steps, you have a VPN serverrunning and its status can be checked using the Dashboard.

2. ACTION

To make the configuration process of the client easier, get a client configurationbundle by downloading it from the server. To download it go to the Zentyal Webinterface and in the VPN → Servers, click on the Download client configurationbundle. Before you can download the bundle you must establish few parametersin the download form:

Type of client: choose Zentyal-to-Zentyal tunnel.

Client certificate: choose a certificate that isn’t the certificate of the server nor isused by any other client. If you don’t have enough certificates, follow the stepsof the earlier exercises to create a certificate the client can use.

Server address: enter an address the client can use to connect to the server, inthis scenario the correct address is the address of the external interface con-nected to the visible network - both by the server and the client.

Once you have entered all the data, click on the Download button.

EFFECT: You will download a tar.gz file with the configuration data necessary forthe client.

3. ACTION Access the Web interface of the Zentyal server that will take the role ofclient. Check that the VPN module is enabled Go to the VPN → Clients section.Here you can see a empty list of clients and the option to create one. Click on Addclient and enter a name for it. As it is not yet configured, you will not be able toenable it and therefore youmust return to the list of clients. Click on the configu-ration section that corresponds to your client. As youhave the client configurationbundle, you do not need to fill in the sections manually. Use the Upload the clientconfiguration bundle option, select the file obtained in the previous step and clickon Change. Once you have loaded the configuration, you can go back to the list ofclients and enable your client. To enable it, click on the Edit icon, in the Actionscolumn. A form opens where you can check the Enabled option. Now you have afully configured client and you just need to save the changes.

EFFECT: After saving the changes, you have an enabled client. You can see thisclient by viewing the Dashboard. If both the server configuration and the clientare correct, the client will start the connection and the tunnel will be ready in-stantly.

4. ACTION Now verify that the computers on the internal network and the clientsare visible to each other. Besides the tunnel, the following requirements must befulfilled:

The computers must know the path back to the other private network. If, as inthis scenario, Zentyal is being used as a gateway, there will not be any need foradditional routes.

The firewall must allow connections between routes for required services.

Once these requirements are verified, you can check the connection. To do this,go to one of the computers in the private network of the VPN server and try toaccess a service hosted by the other network.

119


Once these checks are completed, youmust repeat them from a computer locatedon the network of a VPN client, choosing a computer located in the VPN servernetwork as a target.

P

E A

Configure a VPN server using NAT. Follow the same steps as in Practical example B, butenable the NAT option. Connect a client to the server and check that it is carrying outNAT services correctly.

VPN S IP LTPIPSEC

I IP LTP

The IPsec protocol (Internet Protocol security) is a set of protocols that aim to im-plement security over the TCP/IP network communications. It provides both authen-tication and encryption of the session. Unlike another solutions like SSL or TLS, IPsecdoes not work in the application layer but in the network layer. This allows you toprovide security to any communication without having to modify the application youare using.

Like OpenVPN™, IPsec is used to deploy virtual private networks (VPN). It can operatein several modes, host to host, network to host and network to network, being the lastone the more frequent: you have subnetworks that you want to link in a secure wayover an untrusted network, like the Internet.

IPsec is an optional annex of the IPv4 protocol, but it is integrated in IPv6. The mainadvantage of IPsec against other VPN protocols included in Zentyal like OpenVPN™is that IPsec is an standard defined by the Internet Engineering Task Force (IETF) thatmany manufacturers have implemented in their devices, so it is the ideal option toconnect Zentyal with third party UTM devices (Cisco, Fortinet, CheckPoint, etc).

L2TP operates in layer 2 of the TCP/IP model , thus allowing your clients to operateinside the internal network just like anyother host of the LAN, insteadof behaving as aPoint-to-point type connection. L2TP performs the tunneling and user authenticationtasks but Zentyal’s implementation relies on IPsec for traffic encryption.

Zentyal integrates Libreswan as its IPsec and L2TP/IPsec solution. This service usesthe ports 500, 1701 and 4500 of UDP and the ESP protocol.

C IP Z

To configure IPsec in Zentyal go to VPN → IPsec. Here you can define all the tunnelsand IPsec connections you need. You can enable or disable each one of them and addan explanatory text.

Fig. 2.87: IPsec connections

http://en.wikipedia.org/wiki/IPsec http://www.ietf.org/rfc/rfc2661.txt http://libreswan.org/

120

zentyal for network administrators · chapter2 zentyal infrastructure creating the ca will be...

Documents