- Title: The perfect Zentyal Gateway setup
- Author(s): Carlos Pérez-Aradros Herce (cperez@…)
- Date: 12 Jul 2011
- Version(s): 2.0
- Zentyal profiles: Gateway
The perfect Zentyal Gateway setup
Zentyal is the Linux Small Business Server: it lets you manage all your network services through one single platform. It's a Network Gateway, as well as an Infrastructure, UTM (Unified Threat Manager), Office and Communications Server. All these features are fully integrated and easy to configure, which really helps to save system administrators' time.
In this tutorial you will see how to set up a Zentyal Server to act as a gateway in a very common scenario. Zentyal will provide basic network infrastructure, load balancing between two Internet providers, a firewall, and HTTP proxy caching and content filtering. All these steps are well explained in the Zentyal Documentation, which is highly recommended reading. The following example network layout is used:
Zentyal runs on top of Ubuntu Server so it will work on the same hardware. You can take a look at the Ubuntu-certified hardware page for more information. There are two ways to install Zentyal:
- Using the Zentyal installer, which you can download from the project website. This is the recommended choice: it includes all package dependencies for an offline install and also applies some custom configuration.
- Installing on top of a working Ubuntu Server. You can find detailed information and the URL of the repository in the Zentyal Installation Guide.
If you install Zentyal using the installer you will see this screen when booting from CD-ROM and a couple of wizards will guide you through the process. You can choose default settings in all of them.
Zentyal provides a web administration interface. After the installation a Firefox browser will show up giving you access to it (you can also reach Zentyal from any client browser by typing https://zentyal_server_ip). The user and password are the same ones you entered during installation.
Now you can select the desired packages to install, for this tutorial you should install the Gateway package. Later DHCP and DNS modules will also be installed by using the Software Management module.
After this step all the necessary packages are installed, and setup will now guide you through the configuration wizards for the installed modules, in this case Network and Users. We can skip the network configuration for now, so if you start this tutorial from an already installed Zentyal you can still follow it.
Zentyal Server is now installed. By following the next steps you will configure each module.
As shown in the scenario, you have to configure three network interfaces: two connected to the external routers and one for the internal network. Zentyal will balance traffic between the two Internet connections.
Go to Network -> Interfaces and configure each interface by entering its IP address and netmask. Don't forget to mark the external interfaces as such, because Zentyal uses this information in its firewall rules. In the next image you can see the configuration for one of the external interfaces and for the internal one.
3.2. Gateways and load balancing
Now you have to set up both gateways in the gateways table (Network -> Gateways):
Go to Network -> Balance Traffic to enable load balancing between the gateways.
Zentyal Server can do failover between gateways. If one of the gateways fails it will be detected and traffic will go through the other one. This keeps the Internet connection available (unless both links fail at the same time).
In order to configure failover, the Events module must be enabled (in Module Status). You also need to enable WAN Failover in the Events section. Finally, you should add connectivity check rules; the failover event will use them to detect a broken link (Network -> WAN Failover):
Ping to gateway checks whether the gateway itself is up, not the Internet connection behind it. Ping to an external host also tests connectivity, and is fast. The DNS resolution test is a little slower, but it also checks that name resolution works. Finally, the HTTP request test performs a complete request to a web page; it is the most complete check but also the slowest.
With this configuration Zentyal will ping 188.8.131.52 every 30 seconds. If two or more pings fail for a gateway, it will be deactivated; if the gateway recovers, it will be enabled again. None of these events affect end users' connectivity. It's important to choose a correct interval between tests by taking the maximum test duration into account: in this case we have six pings x two gateways, which must complete in less than 30 seconds.
3.4. Basic infrastructure
In order to provide a basic infrastructure for the internal network you need to install DNS and DHCP modules using Software Management -> Zentyal Components section.
Now you have to enable these components in Module Status. DNS will act as a caching server, so you can set Network -> DNS to 127.0.0.1 to make Zentyal itself use it (if you set up more than one DNS server, 127.0.0.1 should be the first one):
DHCP can also be configured to serve the internal network: it will automatically configure clients to use Zentyal as their gateway and DNS server. You only have to add a default range of IP addresses for the clients, 10.0.0.20-10.0.0.100 in this case:
At this point you have a working network, with all the necessary basic networking infrastructure. Now, let's take a look at Zentyal's Firewall and how to configure it.
Zentyal is secure by default: the firewall applies strict rules on the external interfaces and allows outgoing traffic from the internal LAN. You can find the configured rules in Firewall -> Packet Filter:
- Filtering rules from internal networks to Zentyal
- Filtering rules for internal networks
- Filtering rules for traffic coming out from Zentyal
- Filtering rules from external networks to Zentyal
- Filtering rules from external networks to internal networks
- Rules added by Zentyal services (Advanced)
All these tables forbid connections by default; if you want to allow some kind of connection you need to create a new rule for it (rules are applied in order, so the first matching rule decides). Here are some common examples:
Allow internal clients to use some services except LDAP:
Allow all traffic from clients to the Internet:
5. HTTP Proxy
The last step of this tutorial is the HTTP Proxy setup. Zentyal's HTTP Proxy will cache users' web browsing, noticeably decreasing bandwidth usage, and it will also filter content, disallowing banned sites or content types.
From HTTP Proxy -> General you can configure the HTTP Proxy as transparent, so client browsers don't need to be reconfigured: HTTP requests (port 80) will automatically be redirected through the proxy. You can also increase the cache size depending on your hardware and usage.
Finally, you can add a URL to cache exceptions, so the proxy will never cache it. This is useful if you need to access the webpage always in its latest version.
Setting Filter as the default policy forces every request to go through the content filter. Now you can configure it to allow and disallow the pages you want. In the HTTP Proxy -> Filter Profiles menu you will find the defined filtering profiles. You can configure the default one, which applies to all users.
In addition, here you can configure the content filter threshold and add banned domain lists. Also, if you install the antivirus module, the proxy will use it to filter virus downloads.
As you can see, facebook.com has been blocked (just as an example), but keep in mind that the HTTP Proxy only filters HTTP on port 80. In this case users can still reach the HTTPS version of the page, so we also create a firewall rule blocking that traffic. You will need an object (Objects menu) containing the facebook.com address pool:
If it doesn't already exist, create a new service to match the desired traffic, in this case HTTPS (TCP with destination port 443):
Finally you can add the firewall rule for internal networks blocking traffic matching your new object and service as destination:
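To make the rule-ordering point from the Packet Filter section concrete, and to show why the HTTPS rule against the facebook.com object is needed next to the proxy filter, here is an added first-match model of two of the tables described above. It is example code, not Zentyal's packet filter: the object name `facebook_pool`, the addresses in it (TEST-NET ranges), the Zentyal address 10.0.0.1, the internal network 10.0.0.0/24 and the rule set are constructed for the example, and "except LDAP" is modelled as a deny on TCP port 389.

```python
"""Added example, not Zentyal's own code: a first-match model of the
'internal networks' and 'internal networks to Zentyal' packet-filter tables.
All objects, addresses and rules below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # source network or object name
    dst: str = "0.0.0.0/0"        # destination network or object name
    proto: Optional[str] = None   # "tcp", "udp" or None for any protocol
    dport: Optional[int] = None   # destination port, None for any port
    description: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


# Zentyal-style objects: a name mapped to the networks it contains (constructed).
OBJECTS: Dict[str, List[str]] = {
    "facebook_pool": ["203.0.113.0/24", "198.51.100.0/24"],
    "zentyal": ["10.0.0.1/32"],
    "internal": ["10.0.0.0/24"],
}


def _networks(spec: str):
    """Resolve an object name to its networks, or parse a literal CIDR."""
    return [ipaddress.ip_network(n) for n in OBJECTS.get(spec, [spec])]


def matches(rule: Rule, pkt: Packet) -> bool:
    ip_src = ipaddress.ip_address(pkt.src)
    ip_dst = ipaddress.ip_address(pkt.dst)
    if not any(ip_src in n for n in _networks(rule.src)):
        return False
    if not any(ip_dst in n for n in _networks(rule.dst)):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(table: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """The first matching rule decides; every table denies by default."""
    for rule in table:
        if matches(rule, pkt):
            return rule.action
    return default


# "Allow internal clients to use some services except LDAP": the LDAP deny
# must come first, or a broader allow placed above it would win.
INTERNAL_TO_ZENTYAL = [
    Rule("deny", "internal", "zentyal", "tcp", 389, "block LDAP"),
    Rule("allow", "internal", "zentyal", "udp", 53, "DNS"),
    Rule("allow", "internal", "zentyal", "tcp", 443, "web administration"),
]

# The proxy only sees port 80, so HTTPS to the facebook object is blocked
# here, before the catch-all "allow all traffic from clients to the Internet".
INTERNAL_NETWORKS = [
    Rule("deny", "internal", "facebook_pool", "tcp", 443, "HTTPS to facebook object"),
    Rule("allow", "internal", "0.0.0.0/0", None, None, "all traffic to the Internet"),
]

if __name__ == "__main__":
    for pkt in (Packet("10.0.0.50", "10.0.0.1", "tcp", 389),
                Packet("10.0.0.50", "203.0.113.10", "tcp", 443),
                Packet("10.0.0.50", "203.0.113.10", "tcp", 80)):
        table = INTERNAL_TO_ZENTYAL if pkt.dst == "10.0.0.1" else INTERNAL_NETWORKS
        print(pkt, "->", evaluate(table, pkt))
```

Port 80 to the same address pool is still allowed by the firewall: that traffic is redirected into the transparent proxy, where the content filter handles it. Reversing the order of `INTERNAL_NETWORKS` makes the catch-all allow match first and silently defeats the HTTPS block, which is the reason the tutorial stresses that rules are applied in order.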
We have fully configured Zentyal Server as a gateway with load balancing, failover and an HTTP proxy cache. Zentyal will also be in charge of the basic infrastructure, serving DHCP and DNS.
Zentyal, the Linux Small Business Server, offers small and medium businesses an enterprise-level, affordable and easy-to-use network infrastructure. By using Zentyal server, SMBs are able to improve the reliability and security of their computer network and to reduce their IT investments and operational costs. Zentyal server development was started in early 2004 and currently it is the open source alternative to Windows Small Business Server. Zentyal is an all-in-one server that can act as a Network Gateway, Unified Threat Manager (UTM), Office Server, Infrastructure Manager, Unified Communications Server or a combination of them. Zentyal server is widely used in small and medium businesses regardless of sector, industry or location, as well as in public administrations and in the education sector. It is estimated that there are over 50,000 active Zentyal installations all over the globe.
The author, Carlos Pérez-Aradros Herce (aka exekias), works as Zentyal Server and Cloud developer.