
Zentyal for Network Administrators
VERSION 3.2 SP2
VERSION 3.2 SP1

Preparation for the certification exam

Zentyal Certified Associate (ZeCA)

All benefits of this book will be used to support Openchange Project
PRODUCED BY

Zentyal S.L.
BSSC Building
C/ Eduardo Ibarra N 6
50009 Zaragoza, Spain
www.zentyal.com

COPYRIGHT NOTICE
Copyright 2014 Zentyal S.L. All rights reserved. No part of this manual shall be reproduced,
stored in a retrieval system, transmitted by any means, electronic, mechanical, photocopy,
recording or otherwise, or translated to any language without the written permission of Zentyal
S.L. No patent liability is assumed with respect to the use of the information contained herein.
Although every precaution has been taken in the preparation of this training guide, Zentyal S.L.
assumes no responsibility for errors or omissions. Nor is any liability assumed for damages
resulting from the use of the information contained herein. The information provided is on an
"as is" basis and no warranty or fitness is implied.
The copyright of this manual is owned by Zentyal S.L. Zentyal and the Zentyal logo are
registered trademarks of Zentyal S.L. Other trademarks and registered trademarks referred to in
this manual are the property of their respective owners, and are used for identification
purposes only.
Index
1. I Z
1.1. P
1.1.1. SMBs and ITC
1.1.2. Zentyal: Linux server for SMBs
1.1.3. About this manual
1.2. I
1.2.1. Zentyal installer
1.2.2. Initial configuration
1.2.3. Hardware requirements
1.3. F Z
1.3.1. Zentyal webadmin interface
1.3.2. Network configuration with Zentyal
1.3.3. Practical examples
1.4. S
1.4.1. Management of Zentyal components
1.4.2. System Updates
1.4.3. Automatic updates
1.4.4. Proposed exercises
1.5. S-

2. Zentyal Infrastructure
2.1. Z I
2.2. H- Z
2.2.1. Network objects
2.2.2. Network services
2.2.3. Practical examples
2.2.4. Proposed exercises
2.3. D N S DNS
2.3.1. Introduction to DNS
2.3.2. DNS cache server configuration with Zentyal
2.3.3. Transparent DNS Proxy
2.3.4. DNS Forwarders
2.3.5. Configuration of an authoritative DNS server with Zentyal
2.3.6. Practical examples
2.3.7. Proposed exercises
2.4. T NTP
2.4.1. Introduction to NTP
2.4.2. Configuring an NTP server with Zentyal
2.4.3. Practical examples
2.5. N DHCP
2.5.1. Introduction to DHCP
2.5.2. DHCP server configuration with Zentyal
2.5.3. Practical examples
2.5.4. Proposed exercises
2.6. C CA
2.6.1. Public Key Infrastructure (PKI)
2.6.2. Importing certificates in clients
2.6.3. Certification Authority configuration with Zentyal
2.6.4. Practical examples
2.7. V VPN OVPN
2.7.1. Introduction to the virtual private networks (VPN)
2.7.2. Configuration of an OpenVPN client
2.7.3. Configuration of an OpenVPN server with Zentyal
2.7.4. Configuration of a VPN server for interconnecting networks
2.7.5. Practical examples
2.7.6. Proposed exercises
2.8. VPN S IP LTPIPSEC
2.8.1. Introduction to IPsec and L2TP
2.8.2. Configuring an IPsec tunnel in Zentyal
2.8.3. Configuring an L2TP/IPsec tunnel in Zentyal
2.9. S-

3. Z G
3.1. Z G
3.2. F
3.2.1. Introduction to the Firewall System
3.2.2. Firewall configuration with Zentyal
3.2.3. Port forwarding with Zentyal
3.2.4. Source rewriting rules (SNAT) with Zentyal
3.2.5. Practical examples
3.2.6. Proposed exercises
3.3. R
3.3.1. Introduction to network routing
3.3.2. Configuring routing with Zentyal
3.3.3. Configuring traffic balancing with Zentyal
3.3.4. Configuring wan-failover in Zentyal
3.3.5. Practical examples
3.3.6. Proposed Exercises
3.4. Q S QS
3.4.1. Introduction to Quality of Service
3.4.2. Quality of service configuration in Zentyal
3.4.3. Practical examples
3.4.4. Proposed exercises
3.5. N RADIUS
3.5.1. Introduction to RADIUS
3.5.2. Configuring an access point with RADIUS
3.5.3. Configuration of the RADIUS client
3.5.4. Configuring a RADIUS server with Zentyal
3.5.5. Practical examples
3.6. HTTP P S
3.6.1. Introduction to HTTP Proxy Service
3.6.2. Configuring the web browser to use the HTTP Proxy
3.6.3. HTTP Proxy configuration in Zentyal
3.6.4. Access Rules
3.6.5. Filter profiles
3.6.6. Bandwidth Throttling
3.6.7. Practical examples
3.6.8. Proposed exercises
3.7. C P
3.7.1. Introduction
3.7.2. Configuring a captive portal with Zentyal
3.7.3. Exceptions
3.7.4. List of Users
3.7.5. Using the captive portal
3.8. I P S IDSIPS
3.8.1. Introduction to Intrusion Detection/Prevention System
3.8.2. Configuring an IDS/IPS with Zentyal
3.8.3. IDS/IPS Alerts
3.8.4. Practical examples
3.8.5. Proposed exercises
3.9. S-

4. Z O
4.1. Z O
4.2. U C
4.2.1. Introduction to Directory Services
4.2.2. Configuration of an OpenLDAP server with Zentyal
4.2.3. Configuring external Microsoft Active Directory
4.2.4. Deploying master/slave Zentyal configurations
4.2.5. Users corner
4.2.6. Practical examples
4.2.7. Proposed exercises
4.3. F D S
4.3.1. Introduction to file sharing and Domains
4.3.2. Samba 4: the implementation of Active Directory and SMB/CIFS in Linux
4.3.3. Configuring Zentyal as a Standalone Domain server
4.3.4. Configuring a file server with Zentyal
4.3.5. Joining a Windows client to the domain
4.3.6. Kerberos Authentication System
4.3.7. Group Policy Objects
4.3.8. Joining Zentyal server to an existing domain
4.3.9. Total Migration
4.3.10. Known Limitations
4.3.11. Proposed exercises
4.4. F T P FTP
4.4.1. Introduction to FTP
4.4.2. Configuration of an FTP client
4.4.3. FTP server configuration with Zentyal
4.4.4. Practical examples
4.5. W HTTP
4.5.1. Introduction to HTTP
4.5.2. HTTP server configuration with Zentyal
4.5.3. Practical examples
4.5.4. Proposed exercises
4.6. P
4.6.1. About the printers sharing service
4.6.2. Printer server configuration with Zentyal
4.7. B
4.7.1. Design of a backup system
4.7.2. Zentyal configuration Backup
4.8. S-

5. Z U C
5.1. Z U C
5.2. E M S SMTPPOP-IMAP
5.2.1. Introduction to the e-mail service
5.2.2. SMTP/POP3-IMAP4 server configuration with Zentyal
5.2.3. E-mail client configuration
5.2.4. Practical examples
5.2.5. Proposed exercises
5.3. M
5.3.1. Introduction to the mail filter
5.3.2. Mail filter schema in Zentyal
5.3.3. External connection control lists
5.3.4. Practical examples
5.3.5. Proposed exercises
5.4. OC M E
5.4.1. Introduction to OpenChange Technology
5.4.2. Configuring a stand-alone OpenChange server
5.4.3. Configuring the OpenChange Server as an additional exchange server
5.4.4. Configuring the Microsoft Outlook Client
5.4.5. Configuring Out Of Office notifications from the Microsoft Outlook client
5.4.6. ActiveSync support
5.4.7. OpenChange Webmail
5.4.8. Known Limitations
5.5. W
5.5.1. Introduction to Webmail service
5.5.2. Configuring a webmail in Zentyal
5.6. G
5.6.1. Introduction to the groupware service
5.6.2. Configuration of a groupware server (Zarafa) with Zentyal
5.6.3. Zarafa basic use cases
5.7. I M S JXMPP
5.7.1. Introduction to instant messaging service
5.7.2. Configuring a Jabber/XMPP server with Zentyal
5.7.3. Setting up a Jabber client
5.7.4. Setting up Jabber MUC (Multi User Chat) rooms
5.7.5. Practical examples
5.7.6. Proposed exercises
5.8. S-

6. Z M
6.1. Z M
6.2. L
6.2.1. Zentyal log queries
6.2.2. Configuration of Zentyal logs
6.2.3. Log Audit for Zentyal administrators
6.2.4. Practical examples
6.2.5. Proposed exercises
6.3. E
6.3.1. Events and alerts configuration in Zentyal
6.3.2. Practical examples
6.3.3. Proposed exercises
6.4. U
6.4.1. Introduction to Uninterruptible power supply systems
6.4.2. UPS Configuration with Zentyal
6.5. M
6.5.1. Monitoring in Zentyal
6.5.2. Metrics
6.5.3. Memory usage
6.5.4. File system usage
6.5.5. Temperature
6.5.6. Bandwidth Monitoring
6.5.7. Alerts
6.6. A M Z R
6.6.1. Zentyal Remote
6.6.2. Registering your Zentyal Server to Zentyal Remote
6.6.3. Alerts
6.6.4. Troubleshooting
6.6.5. Summarized reports and group task management
6.6.6. Remote management and inventory
6.6.7. Free trials

7. A
7.1. A A: T VB
7.1.1. About virtualization
7.1.2. VirtualBox
7.2. A B: A
7.2.1. Scenario 1: Base scenario, Internet access, internal networks and host network
7.2.2. Scenario 2: Multiple internal networks
7.2.3. Scenario 3: Multiple gateways
7.2.4. Scenario 4: Base scenario + external client
7.2.5. Scenario 5: Multi tenancy
7.3. A C: D
7.3.1. Importing configuration data
7.3.2. Advanced Service Customization
7.3.3. Development environment of new modules
7.3.4. Commercial Editions Release Policy
7.3.5. Community Edition Release Cycle
7.3.6. Bug management policy
7.3.7. Community support
7.4. A D: A -
7.4.1. Answer to self-assessment questions

CHAPTER 2
ZENTYAL INFRASTRUCTURE

.. I VPN
Virtual private networks were designed to allow secure access for remote users
connected via the Internet to the corporate network, as well as to securely connect
different subnets via the Internet.
Your users might need to access network resources when they are outside the
company premises, for example sales people or teleworkers. The solution is to allow
these users to connect to your system via the Internet, although this might mean
risking the confidentiality, availability and integrity of the communication. To avoid
these problems, the connection is not made directly, but through virtual private
networks.
Using VPN, you can create a secure communications tunnel over the Internet that will
only accept connections from authorized users. Traffic is encapsulated and can only
be read at the other end. Apart from the security advantages, VPN connections are
seen by the Firewall as another local network connection, thus having access to local
resources and simplifying the infrastructure needed to offer remote services.
The usefulness of the VPN is not limited to remote access by users; an organization
may wish to interconnect networks located in different places, such as offices in
different cities.
Similarly, Zentyal can operate in two modes, as a server for remote users and also as
a VPN client of a VPN hub server.
Zentyal integrates OpenVPN and IPsec/L2TP to configure and manage virtual private
networks. In this section you will see how to configure OpenVPN, the default
VPN protocol in Zentyal. In the following section you will find out how to configure
IPsec/L2TP.
OpenVPN has the following advantages:
Authentication using public key infrastructure.
SSL-based encryption technology.
Clients available for Windows, Mac OS and Linux.
Easier to install, configure and maintain than IPsec, another open source VPN alternative.
Allows network applications to be used transparently.

.. C OVPN
In order to configure a VPN client on Windows, first your system administrator must
give you the bundle for your client.

Figure 2.57: The system administrator gives you the bundle for your client

http://en.wikipedia.org/wiki/Virtual_private_network
http://openvpn.net/

You must unzip it (click on the file with the right button and select Extract all). You will
find all the VPN installation files and related certificates.

Figure 2.58: Extracted bundle files

Right click on the installer and click on Run as administrator; OpenVPN needs to create
the virtual network interface and install the drivers.

Figure 2.59: Accept the OpenVPN license

It is recommended you install all the modules.

Figure 2.60: List of modules that will be installed

The network adapter software is not certified for Windows, but it is totally safe to
install.

Figure 2.61: Despite the warning you can install the driver

TIP: You must copy all the files included in the bundle, except for the OpenVPN
installer, to the folder C:\Program Files (x86)\OpenVPN\config to guarantee the
daemon will automatically find them.

Once installed, a double click on the shortcut that has appeared on your desktop
allows you to connect to the VPN.

Figure 2.62: Shortcut to connect to the VPN

.. C OVPN Z
Zentyal can be configured to support remote clients (sometimes known as road
warriors). This means a Zentyal server acting as a gateway and VPN server, with multiple
local area networks (LAN) behind it, allows external clients (the road warriors) to
connect to the local network via the VPN service.

Figure 2.63: Zentyal and remote VPN clients

The goal is to connect the data server with other 2 remote clients (sales person and
CEO) and also the remote clients to each other.

First, you need to create a Certification Authority and individual certificates for the
two remote clients. You need to explicitly create a unique certificate for each user
that will connect to the VPN through Certification Authority → General.
Note that you also need a certificate for the VPN server. However, Zentyal will create
this certificate automatically.
In this scenario, Zentyal acts as a Certification Authority.

Figure 2.64: Server certificate (blue underline) and client certificate (black underline)

Once you have the certificates, configure the Zentyal VPN server by selecting
Create a new server. The only value you need to enter to create a new server is the
name. Zentyal ensures the task of creating a VPN server is easy and sets the
configuration values automatically.

Figure 2.65: New VPN server created

The following configuration parameters are added automatically and can be changed
if necessary: port/protocol, certificate (Zentyal will create one automatically using
the VPN server name) and network address. The VPN network addresses are assigned
both to the server and the clients. If you need to change the network address you
must make sure that there is no conflict with a local network. In addition, you will
automatically be notified of local network details, i.e. the networks connected directly
to the network interfaces of the host, through the private network.
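
The conflict check described above can be scripted before changing the VPN address. This is an added example, not part of the Zentyal manual or Zentyal's own code; the networks in KNOWN are constructed sample values, and 192.168.160.1/24 is the default VPN address the manual gives.

```python
import ipaddress
from itertools import islice

# Constructed sample: networks the server already knows about.
KNOWN = {
    "eth1 internal LAN": "192.168.1.0/24",
    "eth2 internal LAN": "10.0.0.0/16",
    "advertised branch": "172.16.8.0/22",
}

def find_conflicts(vpn_address, other_networks):
    """Return the (label, network) pairs that overlap the VPN subnet."""
    vpn_net = ipaddress.ip_interface(vpn_address).network
    conflicts = []
    for label, cidr in other_networks.items():
        net = ipaddress.ip_network(cidr, strict=False)
        # Networks of different IP versions can never collide.
        if net.version == vpn_net.version and vpn_net.overlaps(net):
            conflicts.append((label, str(net)))
    return conflicts

def first_client_addresses(vpn_address, count):
    """Host addresses that follow the server's own address in the VPN subnet."""
    iface = ipaddress.ip_interface(vpn_address)
    after_server = (h for h in iface.network.hosts() if h > iface.ip)
    return [str(h) for h in islice(after_server, count)]

if __name__ == "__main__":
    # The default, a subnet inside an existing LAN, and a supernet of a branch.
    for candidate in ("192.168.160.1/24", "10.0.5.1/24", "172.16.0.1/12"):
        clashes = find_conflicts(candidate, KNOWN)
        if clashes:
            print(f"{candidate}: CONFLICT with {clashes}")
        else:
            clients = first_client_addresses(candidate, 2)
            print(f"{candidate}: ok, first clients {clients}")
```

A candidate can clash by being contained in an existing network or by containing one, so both directions are covered by the overlap test.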

TIP: Zentyal allows the configuration of VPN with UDP or TCP protocols. UDP
is faster and more efficient, as less control information is transmitted, therefore
there is more room for data. TCP, on the other hand, is more reliable and can
cope better with unstable connections and Internet providers that kill
long-lasting connections.

As you can see, the VPN server will be listening on all external interfaces. Therefore,
you must set at least one of your interfaces as external at Network → Interfaces. In
this scenario only two interfaces are required, one internal for LAN and one external
for Internet.
If you want the VPN clients to connect between themselves by using their VPN
addresses, you must enable the option Allow connections among clients.
In most cases you can leave the rest of the configuration options with their
default values.

Figure 2.66: VPN server configuration

In case more advanced configuration is necessary:

VPN ADDRESS: Indicates the virtual subnet where the VPN server and its clients
will be located. You must take care that this network does not overlap with
any other; for the purposes of the firewall, it is an internal network. The default is
192.168.160.1/24, and the clients will get addresses .2, .3, etc.
SERVER CERTIFICATE: Certificate that the server will show to its clients. By default
the Zentyal CA issues a certificate for the server, with the name
vpn-<yourvpnname>. Unless you want to import an external certificate, you usually
keep this configuration.
AUTHORIZE THE CLIENT BY THE COMMON NAME: Requires the common name of
the client certificate to start with the selected string of characters to authorize
the connection.
TUN INTERFACE: By default a TAP type interface is used, which is more similar to a
Layer 2 bridge. You can also use a TUN type interface, which is more similar to a
Layer 3 IP node.
NETWORK ADDRESS TRANSLATION (NAT): It is recommended to enable this translation
if the Zentyal server that accepts the VPN connections is not the default gateway
of the internal networks that you can access from the VPN. This way the clients
of these internal networks respond to Zentyal's VPN instead of to the gateway. If
the Zentyal server is both the VPN server and the gateway (the most common case),
this option makes no difference.

Figure 2.67: VPN server using NAT to become the gateway for the VPN connection

REDIRECT GATEWAY: If this option is not checked, the external client will access
the established networks through the VPN, but will use his/her local connection
to access the Internet and/or the rest of the reachable networks. By checking this
option, all the traffic of the client will go through the VPN.
The VPN can also indicate name servers, search domain and WINS servers to
overwrite those of the client. This is especially useful if you have redirected the
gateway.
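
The effect of Redirect gateway on a client, modelled as a longest-prefix routing lookup. This is an added example, not Zentyal's code; all addresses are constructed, and the two /1 routes are an assumption based on how OpenVPN's redirect-gateway def1 option overrides the default route.

```python
import ipaddress

def build_routes(client_lan, server_ip, advertised, redirect_gateway):
    """Simplified routing table of a road-warrior client: (network, exit) pairs."""
    net = ipaddress.ip_network
    routes = [
        (net("0.0.0.0/0"), "local"),        # client's own default gateway
        (net(client_lan), "local"),         # directly connected network
        (net(f"{server_ip}/32"), "local"),  # the tunnel packets themselves
    ]
    # Networks advertised by the VPN server are always reached through the tunnel.
    routes += [(net(a), "vpn") for a in advertised]
    if redirect_gateway:
        # Assumption: def1 style, two /1 routes that outrank 0.0.0.0/0.
        routes += [(net("0.0.0.0/1"), "vpn"), (net("128.0.0.0/1"), "vpn")]
    return routes

def exit_for(routes, destination):
    """Longest-prefix match: the most specific route containing the address wins."""
    addr = ipaddress.ip_address(destination)
    candidates = [(n, via) for n, via in routes if addr in n]
    return max(candidates, key=lambda r: r[0].prefixlen)[1]

# Constructed sample values (private and documentation ranges).
CLIENT_LAN = "192.168.0.0/24"
SERVER_IP = "203.0.113.10"
ADVERTISED = ["192.168.1.0/24", "10.0.0.0/16"]
DESTINATIONS = ["192.168.1.20", "10.0.3.4", "198.51.100.7", "192.168.0.1", SERVER_IP]

def compare():
    """Return {destination: (exit with option off, exit with option on)}."""
    split = build_routes(CLIENT_LAN, SERVER_IP, ADVERTISED, False)
    full = build_routes(CLIENT_LAN, SERVER_IP, ADVERTISED, True)
    return {d: (exit_for(split, d), exit_for(full, d)) for d in DESTINATIONS}

if __name__ == "__main__":
    for dest, (off, on) in compare().items():
        print(f"{dest:15} redirect off -> {off:5}  redirect on -> {on}")
```

With the option off, only the advertised networks pass through the server's firewall; with it on, Internet-bound traffic does too, which is why pushing the name servers matters in that case.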
After having created the VPN server, you must enable the service and save the
changes. Later you must check in Dashboard that the VPN server is running.

Figure 2.68: Widget of the VPN server

After this, you must advertise networks, i.e. routes between the VPN networks and
between other networks known by your server. These networks will be accessible by
authorised VPN clients. To do this, you have to enable the objects you have defined
(see High-level Zentyal abstractions); in the most common case, all internal networks.
You can configure the advertised networks for this VPN server through the interface
of Advertised networks.

Figure 2.69: Advertised networks of your VPN server

Once you have done this, it is time to configure the clients. The easiest way to
configure a VPN client is by using the Zentyal bundles - installation packages that include
the VPN configuration file specific to each user and, optionally, an installation
program. These are available in the table at VPN → Servers, by clicking the icon in the
column Download client bundle. You can create bundles for Windows, Mac OS and
Linux clients. When you create a bundle, select those certificates that will be used by
the clients and set the external IP addresses to which the VPN clients must connect.
As you can see in the image below, you have one main VPN server and up to two
secondary servers; depending on the Connection strategy, the client will try to
establish the connection in order or will try a random one.
Moreover, if the selected system is Windows, you can also add an OpenVPN installer.
The Zentyal administrator will download the configuration bundles and pass them to
the clients using the most appropriate method.

Figure 2.70: Download client bundle

A bundle includes the configuration file and the necessary files to start a VPN
connection.
You now have access to the data server from both remote clients. If you want to use
the local Zentyal DNS service through the private network, you need to configure
these clients to use Zentyal as name server. Otherwise, it will not be possible to
access services on the hosts in the LAN by name, but only by IP address. Also, to browse
shared files from the VPN you must explicitly allow the broadcast of traffic from
the Samba server.
For additional information about file sharing go to section File sharing and Domain Services

You can see the users currently connected to the VPN service in the Zentyal
Dashboard. You need to add this widget from Configure widgets, located in the upper part
of the Dashboard.

Figure 2.71: Widget with connected clients

.. C VPN
In this scenario two offices in different networks need to be connected via a private
network. To do this, you will use Zentyal as a gateway in both networks. One will act
as a VPN client and the other as a server. The following image clarifies the scenario:

Figure 2.72: Office interconnection with Zentyal through VPN tunnel

The goal is to connect multiple offices, their Zentyal servers and their internal
networks so that one single network infrastructure can be created in a secure way
through the Internet. To do this you need to configure a VPN server similarly to what
was explained previously.
However, you need to make two small changes. First, enable Allow Zentyal-to-Zentyal
tunnels to exchange routes between Zentyal servers. Then, introduce a
Password for Zentyal-to-Zentyal tunnels to establish the connection between the two
offices in a safer environment.
Another important difference is the routing information exchange. In the roadwarrior
to server scenario described above, the server pushes network routes to the client. In
the server to server scenario, routes are exchanged in both directions and propagated
to other clients using the RIP protocol. Therefore you can, as a client, configure the
Advertised Networks that will be propagated to the other nodes.
http://www.ietf.org/rfc/rfc1058


Figure 2.73: Zentyal as VPN client

You can configure Zentyal as a VPN client at VPN → Clients. You must give a name to
the client and enable the service. You can configure the client manually or
automatically by using the bundle provided by the VPN server. If you do not use the bundle,
you must introduce the IP address and protocol-port of the server accepting requests.
The tunnel password and certificates used by the client will also be required. These
certificates must have been created by the same certification authority the server
uses.

Figure 2.74: Automatic client configuration using VPN bundle

When you Save changes, you can see in the Dashboard a new OpenVPN daemon running
as a client, with the target connection directed towards another Zentyal server
configured as a server.

Figure 2.75: Dashboard of a Zentyal server configured as a VPN client

.. P
P A

In this example you will configure a VPN server and a client on a computer located
on an external network; you will connect to the VPN, through which you can access
the host located in a local network, which only the server can access through
an internal interface.
Therefore:
