External Users of Zimbra to only use VPN

Postby 530randall » Sun Sep 07, 2008 11:45 pm

Hi All,
We are looking into making all our users, whenever they are on the road, access their e-mail only using VPN.
I have been looking around the forum for a post on a similar item but have not found anything (or maybe I missed it).
What do we need to do so that users will not be able to access https://mymail.domain.com from any internet connection? And in order for them to access it, they have to use VPN.
I would really appreciate any feedback, or if you can point me somewhere in the forum that has the same requirements.
Thanks in advance. :)


Postby 530randall » Thu Sep 11, 2008 5:23 am

Any idea on this one please? Any kind soul out there? :rolleyes:

Postby uxbod » Thu Sep 11, 2008 5:26 am

Do you not have a firewall in front of your ZCS installation? If you do, then why not just allow the VPN IP block access to port 443 on your server?
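
The rule suggested above, written out for a host firewall on the ZCS server, as an added example that is not part of the original thread. It assumes iptables and that client source addresses reach the server unchanged; the chain name `ZCS_WEBMAIL` and the networks in the usage line (10.8.0.0/24 as VPN pool, 192.168.1.0/24 as internal LAN) are hypothetical.

```shell
#!/bin/sh
# Added example: print iptables commands that limit webmail (tcp/443) on the
# ZCS host to the listed source networks. Nothing is applied; review the
# output, then run it as root. Chain name and sample CIDRs are assumptions.
CHAIN=ZCS_WEBMAIL

# True only for a.b.c.d/len with octets 0-255 and len 1-32, so a typo such as
# 0.0.0.0/0 cannot silently reopen the port to the whole Internet.
valid_cidr() {
    case $1 in
        *[!0-9./]*|*/*/*|/*|*/|*./*) return 1 ;;
        */*) ;;
        *) return 1 ;;
    esac
    addr=${1%/*} len=${1#*/}
    case $len in *[!0-9]*|???*) return 1 ;; esac
    [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rule set for the allowed networks (VPN pool, internal LAN).
# Usage: webmail_rules 10.8.0.0/24 192.168.1.0/24
webmail_rules() {
    [ $# -ge 1 ] || { echo "usage: webmail_rules CIDR..." >&2; return 2; }
    for net in "$@"; do
        valid_cidr "$net" || { echo "rejected: $net" >&2; return 1; }
    done
    echo "iptables -N $CHAIN"
    for net in "$@"; do
        echo "iptables -A $CHAIN -s $net -j ACCEPT"
    done
    echo "iptables -A $CHAIN -m limit --limit 6/min -j LOG --log-prefix 'zcs-443-denied: '"
    echo "iptables -A $CHAIN -j DROP"
    # Hook the chain in last, so port 443 is never filtered by a half-built chain.
    echo "iptables -I INPUT -p tcp --dport 443 -j $CHAIN"
}
```

iptables covers IPv4 only; if the server is also reachable over IPv6, the same policy has to be expressed with ip6tables.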

Postby 530randall » Thu Sep 11, 2008 6:11 am

Thanks Uxbod. But can you help me understand your suggestion further?
And yeah, really thanks! :)

Postby apatosaur.9 » Thu Sep 11, 2008 6:19 am

... Firewall restricting/preventing access from outside to your Zimbra box's IP port 443 is (probably) best, but you could probably use DNS, and simply not make the Zimbra's IP resolvable via public DNS servers; keep its record only in your company's internal DNS.
Bottom line though: you should have your mailserver in a DMZ (DeMilitarized Zone) behind a firewall.
Please post more details of how your servers access the net / how the net accesses your servers so that we can provide better suggestions.
Ciao :)

Postby Bill Brock » Thu Sep 11, 2008 8:32 am

Accessing your mail server across an SSL connection will give you the same security as through your VPN.
However, I add my private LAN IP of my mail server to the HOSTS file of my branch offices and laptops. The VPN clients on the laptops are set to auto connect when the PC tries to access any IPs that exist on my private home office LAN. So when they access the mail server, it gets the IP from the hosts file, which in turn automatically makes a VPN connection to the home office. You could set the VPN client to manually connect and make the VPN connection first, but that seemed to confuse some users.

Postby 530randall » Fri Sep 12, 2008 10:36 pm

Thanks for the reply guys. :-) Really appreciate your inputs.
To answer apatosaur.9, my ZCS server is behind a UTM and not in a DMZ. It's part of the private LAN.
Somehow it looks like this:
Internet--->UTM---->ZCS---->Users
And with this setup, users can access their mails from anywhere with an internet connection via https.
We somehow want to make it like this:
External Users-->VPN--->Internet--->UTM--->ZCS--->Internal Users
What we want to happen is for the users to make use of VPN in order to get their mails. Not just ordinarily from any Internet connection.
The reason behind this is to discourage the users from using Internet shops/cafes to access their mails, since a lot of these internet shops have keyloggers on their workstations. Several of our user accounts have already been compromised by this type of access from Internet shops/cafes.
If there is a better suggestion than just using VPN, it would be highly appreciated.
Thanks in advance.
