LinuxQuestions.org

Linux - Server: Replacing MS Servers with Linux boxes - Multiple services (https://www.linuxquestions.org/questions/linux-server-73/replacing-ms-servers-with-linux-boxes-multiple-services-630875/)

kengoods 03-26-2008 06:35 PM

Replacing MS Servers with Linux boxes - Multiple services
 
Finally got the ok to replace our ageing NT 4.0 servers with Linux boxes. I have slowly been adding Linux boxes into the mix for the last couple years and now would like to replace MS Sexchange with Zimbra, Proxy 2.0 with Squid, MS DNS with Bind, and migrate our existing Centos-based OpenVPN server to one of the new ones. I have picked up two IBM 335's Dual 2.4GHZ 2GB Ram w/dual 73GB HDs. Planning on running Centos 5 on them.

We only have about 150 mailboxes and about 30 VPN users.

My question is... which services should/can be combined onto each box. I was thinking of running Zimbra and Bind on one box and Squid and OpenVPN on the other. Will I run into any problems with a setup like this?

Also, I will probably need to migrate our firewall to one of these boxes in the future, right now it's a bridge/iptables box with dual nics and no ipaddresses. Which box would be the best candidate for iptables inclusion? They will both be dual-homed with an internet facing and lan facing ip address.

TIA!
Ken

datopdog 03-27-2008 09:22 AM

If I were you I would pair zimbra with bind and openvpn with squid.

Given the fact that your mail server may be the highest dns client of the others.

I would then put the firewall on the squid/openvpn box because they are logically related, and it would then be easy to run a transparent proxy.

msound 03-27-2008 11:38 AM

For your Firewall/Proxy/VPN box I'd consider a distribution like IPCop: http://ipcop.org/index.php

It requires minimal resources so you could use an older server that you have lying around to fill these functions. It also has a lot of very useful addons like VPN Support, Squid, Squidguard, ClamAV, etc. etc.

I've heard that Smoothwall and Smoothwall express are also pretty good.

Cheers!

kengoods 03-27-2008 11:56 AM

Thanks for the tips guys. Sounds like I was on the right track just had never had to run multiple services on a single box before and wasn't sure how they interacted.

Servers are coming in today and would like to get started this afternoon.

I'll take a look at ipcop and smoothwall although I'm more than comfortable with commandline iptables. I have no GUIs on any of my Linux boxes and manage everything via putty (except for the firewall which has to be logged on locally since it doesn't have any addresses;)). Right now that box is a P100 with 64MB and just hums along so I know what you mean by minimal resources!

Thanks again, as long as I know it will work, I can get it to work. I just didn't want to waste time on trying to put a couple services on the same machine that shouldn't be combined like that.

Much appreciated!

msound 03-27-2008 12:26 PM

I hope you have fun setting all of this ish up! I would KILL to be able to migrate this WAMP/MS SQL shop over to LAMP/MySQL. Who the heck uses WAMP anyway? oh yeah... the company I work for... :(

ledow 03-28-2008 04:06 AM

It very much depends on your setup and personal preference.

Personally, I prefer separate firewall machines - I believe in the "one way in, one way out" method. So I'd have a single machine that does all the firewalling, network access and pretty much nothing else. Simple to audit, simple to check, simple to secure. Plus it needs next-to-nothing in terms of software, which makes it much more secure.

Depending on your confidence with iptables, I'd have OpenVPN on that same machine, or I'd port-forward the one port necessary to a separate box running OpenVPN. That way you have one single entrance to the network and you know exactly where people are entering the network, where connection problems are, one place to monitor everything in and out no matter where it comes from etc. Wherever I work, I try to get all external network access to a single machine or bank of machines - wireless, VPN, Internet, they all have to go through the same box before they are allowed in, rather than having five or six different entry points which all have to be secured in the same way. On small networks, I usually have one interface per "network" on a single firewall box, one for each VPN, one for wireless, one for internal LAN, one for external Internet etc.

Squid is often run with things like Apache, DansGuardian, scripts, third-party patches and all sorts of other things, so that's much better off on a secured machine on its own. I tend to favour the transparent bridge/proxy approach in between my network and the firewall machine. This stops people being able to circumvent your filtering or cache, but allows you to bypass it quickly in the event of a filtering problem. I usually tie a Cat5e coupler to the Ethernet leads and then if there's a problem, you can literally "bridge" the "in" and "out" cables together and bypass the proxy altogether without having to change client settings - but my needs for filtering and uptime are a bit more intense than most people's, (so all this is behind an upstream filter too) and needing only a few seconds of downtime to bypass the main internal proxy while I fix it is worth its weight in gold.

Squid does a lot of DNS too, if you're on a busy network, but also a LOT of traffic on the LAN side, so I tend to site it upstream of the main internal DNS servers for the network and let it do its own DNS caching, using the upstream DNS for external DNS and passing on internal DNS results directly.


Internet / Wireless / VPN clients
| | |
Firewall / VPN server
|
Squid transparent proxy/bridge and (possibly) DNS cache
| | |
Main internal network with all its DNS etc. servers


If you look, it also means that at each level, the amount of stuff that NEEDS to go outbound is reduced. The main network does all its own DNS and local HTTP access. If that needs anything external (web updates, web pages, external DNS), it goes to the Squid cache which can answer most of those queries itself, filter them for suitability (i.e. block Microsoft updates etc.) and then only pass on what's left (non HTTP-traffic, uncached external HTTP/DNS) to the firewall. The firewall strips out anything that shouldn't be leaving (wrong ports, stray packets, etc.) and then lets it out.

For those clients coming in on the externalities, it's a similar setup. They have to pass through firewalling rules first, which also includes authenticated VPN clients, so stray network packets from their end are secured - if someone isn't supposed to be able to access network file shares over the VPN, then you can filter them on the same machine that's running all the other iptables rules - quite often you find yourself filtering the incoming Internet connection for everything but VPN, and then the VPN for everything but allowed traffic and this way it all happens on the one machine.

If you're denying direct Internet access through the VPN (quite a sensible idea) then they hit the proxy which can filter and cache websites and also cache local content for them if you set it up correctly, which means that the traffic that hits the local network is lessened at each stage until it's down to the minimum.

And in an emergency, ripping out the proxy server and replacing it with a straight cable affects nothing but your network speeds - no client changes, no settings.
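As an added example (not ledow's own configuration), here is a dry-run iptables rule set for the single firewall/VPN box the post describes: OpenVPN is the only thing the Internet can reach, VPN clients are filtered on the same box (no direct Internet through the VPN, no Windows file shares, only web and DNS into the LAN), and the LAN goes out masqueraded. Interface names, networks and the OpenVPN port are assumptions; the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not ledow's own configuration) of the "one way in, one way
# out" firewall/VPN box. Interface names, networks and the OpenVPN port below
# are assumptions for illustration; adjust them before applying.
WAN_IF=eth0               # assumed Internet-facing interface
LAN_IF=eth1               # assumed LAN-facing interface
VPN_IF=tun0               # assumed OpenVPN tunnel interface
LAN_NET=192.168.10.0/24   # assumed internal network
VPN_NET=10.8.0.0/24       # assumed OpenVPN client address pool
OPENVPN_PORT=1194         # assumed OpenVPN listening port (UDP)

# fw_rules prints the iptables commands instead of running them, so the policy
# can be read and checked before it is applied with:  fw_rules | sh
fw_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# The single entrance from the Internet: OpenVPN, nothing else
iptables -A INPUT -i $WAN_IF -p udp --dport $OPENVPN_PORT -j ACCEPT
# Management (SSH) only from the LAN side
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# VPN clients get no direct Internet; their web traffic goes into the LAN and
# passes through the transparent proxy on the way
iptables -A FORWARD -i $VPN_IF -o $WAN_IF -j DROP
# VPN clients may not reach Windows file sharing on the LAN
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -p tcp -m multiport --dports 135,139,445 -j DROP
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -p udp -m multiport --dports 137,138 -j DROP
# ... and are otherwise limited to web and DNS inside the LAN
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -p udp --dport 53 -j ACCEPT
# LAN to Internet: allowed outbound, masqueraded behind the WAN address
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Review helpers: how many INPUT rules open the WAN interface (the design
# wants exactly one), and whether any rule forwards VPN clients to the WAN.
wan_input_accepts() {
    fw_rules | grep -c -- "-A INPUT -i $WAN_IF .*-j ACCEPT"
}
vpn_to_wan_accepts() {
    fw_rules | grep -c -- "-A FORWARD -i $VPN_IF -o $WAN_IF .*-j ACCEPT"
}

# Usage: sh fw.sh            (print the rules for review)
#        sh fw.sh apply      (apply them)
if [ "${1:-}" = apply ]; then
    fw_rules | sh
else
    fw_rules
fi
```

The default-DROP policies on INPUT and FORWARD are what make the "one entrance" property hold: anything not listed (a new service someone starts on the box, a VPN client probing another LAN port) is dropped without a further rule. The two review helpers are the checks to rerun whenever the rule set is edited.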

jlinkels 03-28-2008 08:17 PM

Your question typically comes from the Windows domain. For example, our HQ runs about 90 servers which are loaded only a few percent in terms of processor load, but at least 60 are required because of compatibility issues.

Everything you mention runs on one Linux box without interaction problems. The only thing you should worry about is performance, but not more than that.

From a manageability point of view however, I recommend like most others in this thread that you run the firewall on one box, combined with OpenVPN server. All the other services go on the other box, given you have sufficient processor capacity and sufficiently fast disk access.

In my office I run the firewall, OpenVPN, DNS and DHCP on one server. This is the main server which has a fully configured and up-to-date backup server to make sure that downtime is limited to 10 minutes when it happens. Everything else like mail, MySQL and web server run on another machine. Sometimes I split tasks between machines because I prefer to start from scratch when doing a major system upgrade. Like from Debian Sarge to Etch, MySql 4 -> 5 and Apache 1.3 -> 2.

But never because there are incompatibilities.

jlinkels
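The thread's consensus is that the services coexist on one Linux box and the only real collision risk is two daemons wanting the same port. As an added example (not from any poster), the script below checks a planned service's ports against what already listens on the box, using a constructed sample of `netstat -lntup` output; on a live machine the sample is replaced by the real command.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-flight check before adding a service
# to a box that already runs others: does anything already hold the ports the
# new service will bind? SAMPLE_NETSTAT is constructed output in the format of
# `netstat -lntup` (a Bind/OpenVPN box); on a live system use the real command.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1201/named
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1201/named
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1201/named
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           1450/openvpn'

# listening_ports prints "proto port program" for every listening socket.
# The port is the last colon-separated field of the local address, and the
# program name is what follows the PID in the final column.
listening_ports() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk '
        $1 == "tcp" || $1 == "udp" {
            n = split($4, a, ":"); port = a[n]
            prog = $NF; sub(/^[0-9]+\//, "", prog)
            print $1, port, prog
        }'
}

# port_conflicts SERVICE PROTO PORT [PORT...]
# Prints one line per requested port that another program already holds and
# returns 1 if there was any conflict, 0 if the service can be added.
port_conflicts() {
    svc=$1; proto=$2; shift 2
    rc=0
    for p in "$@"; do
        owner=$(listening_ports | awk -v pr="$proto" -v po="$p" \
            '$1 == pr && $2 == po { print $3; exit }')
        if [ -n "$owner" ]; then
            echo "$svc needs $proto/$p but $owner already listens there"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh portcheck.sh check SERVICE PROTO PORT...
# e.g.   sh portcheck.sh check squid tcp 3128
#        sh portcheck.sh check dnscache udp 53     (reports the clash with named)
if [ "${1:-}" = check ]; then
    shift
    port_conflicts "$@"
fi
```

The port lists to feed it come from each product's documentation (mail, LDAP and admin ports for Zimbra, 53 for Bind, 3128 for Squid, the configured port for OpenVPN); the script deliberately carries none of them, so the check reflects what is actually planned for the box.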

