ipcop support

community support forum

All times are UTC [ DST ]


Forum rules


1. This is not a forum about VM's, it is about running IPCop in a VM.
2. Please be prepared to provide FULL virtual network diagrams.
3. Running an EDGE firewall in a VM is considered stupid.



Posted: Fri Nov 06, 2009 9:09 am
New User

Joined: Mon Nov 26, 2007 10:43 pm
Posts: 45
Hi,

I am having a few minor issues with SBS2008 IPCOP and VMware...

I have configured VMware on my new SBS 2008 server, with IPcop running virtually within the sbs 2008 box.
I just followed this guide http://www.dslreports.com/forum/r19782334-IPCop-in-VMWare-A-Howto :idea:

SBS 2008 (192.168.1.2)----(192.168.1.1) IPCOP (RED)----Router (bridged PPPoe)----Internet
..............................|
XP Clients(192.168.1.x)--|


I can connect to web-proxy and browse the internet no problems.
I can connect to web interface from SBS 2008 and XP Clients.
So the connectivity is there.

The problem I am facing is in the SBS 2008 Console, when I try and find the internet connection SBS fails to find IPcop as my router.
SBS 2008 console gives me an option to manually setup the router and Server settings,
so I enter Router as 192.168.1.1
and server as 192.168.1.2
But it still fails to connect, and then cannot complete the wizard.

So I cannot get exchange 2007 working via the console...

One option looks like I should remove IPcop and setup the open router to SBS2008 (so SBS 2008 can find my router and configure for me), but I would prefer to have IPcop sitting on my perimeter (secured)...

Can someone please provide some suggestions/tips/walkthru on how I can complete this configuration...

Cheers and regards,
the silly one...

PS I have put IPcop into VMware so I may make use of SnapShots when I am installing the IPcop addons to secure my internet connection.
FYI, I will be using copfilter, advproxy, URL filter (if HAVP fails), update accelerator and BOT.


Last edited by sillybilly on Fri Nov 06, 2009 10:09 am, edited 1 time in total.

Posted: Fri Nov 06, 2009 9:23 am
New User

Joined: Mon Nov 26, 2007 10:43 pm
Posts: 45
also:

I have setup port forwarding for:
• Port 25: SMTP e-mail
• Port 80: HTTP Web traffic
• Port 443: HTTPS Web traffic
• Port 987: HTTPS Web traffic for Windows SharePoint® Services through Remote Web Workplace
• Port 1723: VPN if you plan to enable VPN on the Destination Server. You may also need to enable the point-to-point tunneling protocol (PPTP) pass-through on your router


Posted: Fri Nov 06, 2009 9:53 am
Site Moderator

Joined: Sun Jun 06, 2004 3:38 am
Posts: 3740
Location: Colorado, USA
Why would you want (or trust) your edge firewall to run in a VM on your main app/file/email server?

_________________
For the 2.5^15th time :: Better Details = Better Answers


Posted: Fri Nov 06, 2009 10:06 am
New User

Joined: Mon Nov 26, 2007 10:43 pm
Posts: 45
Hi VonSkippy Thanks for response,

I assumed it was safe as all NIC components are unticked (ie tcp/ip, filesharing etc) except for VMware...(ie the Host cannot access the NIC assigned to the VM)
I was just trying to make use of the second NIC on the SBS box...

Would this setup only be good for a test environment?

Ok, what I could do is at least set it up and ensure it works (ie IPcop with addons), then perhaps if you feel it's not trustworthy I could always rebuild the IPcop box on a physical PC...


Posted: Fri Nov 06, 2009 1:47 pm
Pro User

Joined: Thu May 08, 2003 4:24 am
Posts: 3799
Location: London, UK
Is this vmware ESX running SBS2003 in a VM and ipcop in a VM? Or are you running SBS2003 with vmware workstation and ipcop in a VM under SBS2003?


Posted: Fri Nov 06, 2009 2:06 pm
New User

Joined: Mon Nov 26, 2007 10:43 pm
Posts: 45
Hi up4fun
up4fun wrote:
Is this vmware ESX running SBS2003 in a VM and ipcop in a VM? Or are you running SBS2003 with vmware workstation and ipcop in a VM under SBS2003?


I have it setup as the latter, running SBS2003 with vmware workstation and ipcop in a VM under SBS2003

I am setting up on a Dell PowerEdge 295 Rack Server, I have 2 of these but was only setting up one first, then was going to replicate them...One server in main office, the other on a leased line (fibre optics) in another location.

I do not have funds to purchase ESX...

I am discontinuing our old NT4 server, exchange 5.5 with IPcop firewall, and creating a new server from scratch.
(will just recreate users and shares) here we come AD and server 2008 :) and build a whole new IPcop
(I wanted one in VMware for ADDON installations as they always seem to break on me in a physical PC so I'm sick of restarting the whole process over and over, I would rather revert to a snapshot)
one for test environment)

Should I setup differently....any suggestions?


Posted: Fri Nov 06, 2009 2:24 pm
Pro User

Joined: Thu May 08, 2003 4:24 am
Posts: 3799
Location: London, UK
The former is considerably more secure.

On these servers, I would run XenServer5.5 (free!) or ESX (expensive!) with SBS2003 in one VM and ipcop in another. The XenServer will have 2 physical and one virtual nics, one phys will be called RED and will be connected to your upstream, the other phys will be called GREEN and will be connected to your LAN. The ipcop VM will see both RED and GREEN. The ipcop will also see the virtual NIC, called ORANGE.

The SBS 2003 will see only ORANGE. Then, setup ipcop in the normal way, port-forward, etc. I think that you need exchange 2008 or beyond to be able to run exchange edge services in Orange, forgotten the details, sorry.

Of course, if you do not need to present any services from your SBS to RED, then you can simplify by cutting out the virtual NIC and letting the SBS server see only GREEN.

In either case, the ipcop VM (and the XenServer host, of course) are the only services that can possibly see the RED nic.

This should be fairly easy to setup and test, though you will need to install SBS again.


Posted: Fri Nov 06, 2009 2:29 pm
New User

Joined: Mon Nov 26, 2007 10:43 pm
Posts: 45
Hey Thanks Up4fun,

Sorry i've been up too late...
I have SBS 2008...I believe it is an Edge server...(go figure, i don't know why M$ have done it this way..)

I was also editing my last message, when your 2nd reply came thru

Okay, that xenServer5.5 sounds like it's the go, I'll try and do some research on it first thing tomorrow...
Yeah i think exchange 2007 has Edge server role... But yeah, i'll need to do a bit of research on that too
( i think in SBS 2008, Exchange 2007 is installed on the same server...but i could be wrong...)

Thanks for your recommendations...

I would prefer the most secure setup possible...so will look into Xenserver5.5 and what options I have with SBS 2008 and Exchange 2007. I am pretty sure SBS2008 did away with ISA....I like IPCOP and would prefer that over any M$ gateway/firewall


Posted: Fri Nov 13, 2009 1:23 pm
New User

Joined: Mon Nov 26, 2007 10:43 pm
Posts: 45
OK all seems ok now :D

I have installed xenserver 5.5

My Dell PowerEdge 2950's only came with 4GB each (which is bare-minimum for SBS2008) so I have removed RAM from 1 Physical Server and placed all into the other.

So I have XenServer 5.5 with 8GB RAM (I am ordering another 8GB RAM for the other physical Server; and will also install XenServer 5.5 onto that) and 1TB storage.


I configured my IPCOP appliance with 80GB Hdd and 1GB RAM: Is this enough RAM and Storage space (or too much?)
I plan to use Copfilter(privoxy disabled), AdvProxy, Update accel, URL filter, and BOT...(but have not installed any Addons yet, will do that tomorrow..)

I have configured SBS 2008 4GB and 500GB

How much RAM does XenServer need to run the Host (itself) OS smoothly? Should I assign more RAM to SBS2008?

Also I have set up SBS2008 with only Green network access (1 NIC Physical)
IPcop green and red access (2 NIC both physical)
No Orange - I plan to use BOT to close off ports etc... and will only open up my exchange server to my ISP's SMTP servers (ie will not open to rest of world)

Or do you think I should configure Orange, and setup my second SBS2008 to host Exchange and be placed in Orange network??



My SBS2008 server managed to find my router first go :D so this has answered my original thread...

Up4FUN thanks for your suggestion...I like VM's but have only used MS Virtual PC and then VMware player...
Xenserver looks a lot better and should perform better than a VM device running inside a Windows OS...

:mrgreen:


Posted: Fri Nov 13, 2009 1:57 pm
Pro User

Joined: Thu May 08, 2003 4:24 am
Posts: 3799
Location: London, UK
sillybilly wrote:
I configured my IPCOP appliance with 80GB Hdd and 1GB RAM: Is this enough RAM and Storage space (or too much?)

That's probably too much. I run ipcops on xen with 256Mb Ram, 1 cpu, 4Gb HD. Since you are using advproxy and update accell, you will need some space for cache, so 8Gb HD and 512Mb Ram should do it.
sillybilly wrote:
How much RAM does XenServer need to run the Host (itself) OS smoothly? Should I assign more RAM to SBS2008?

Not much. Since this box is mainly for SBS, I would allocate 512M for ipcop and 6GB to the SBS (presuming you are running 64-bit). That leaves you 1Gb free for any other small services that you might need to run in the future (or in case you need to do HA, which requires a little more memory).

sillybilly wrote:
Also I have set up SBS2008 with only Green network access (1 NIC Physical)
IPcop green and red access (2 NIC both physical)
No Orange - I plan to use BOT to close off ports etc... and will only open up my exchange server to my ISP's SMTP servers (ie will not open to rest of world)

Or do you think I should configure Orange, and setup my second SBS2008 to host Exchange and be placed in Orange network??

I think you should think through the approach very carefully. You have two servers, both running XenServer that can be used to provide a good working failover to each other. If you keep average CPU utilisation below 40% on each one, you could build a system that takes advantage of both servers at the same time and allows for automatic transparent failover in the event of any server being unavailable or if maintenance is needed. To achieve this you need off-server disk, but otherwise you probably have it. This is probably getting quite off-topic for this forum.

In terms of the use of Orange, it is a balance between security and simplicity. Even tied to your ISP's IP addresses, you are still presenting an attack vector to RED. I would install an incoming SMTP agent (in a vm) and have that see only Orange, with a pinhole from there to your exchange server for incoming mail. This way you have NO ports forwarded from RED to GREEN. That's pretty safe.
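
The two layouts compared in the reply above can be checked mechanically. The following is an added example, not part of the original post and not IPCop code: it audits a constructed list of forwarding rules for paths from RED into GREEN. The rule format, the ORANGE range, the relay address and the ISP range are assumptions for illustration; the port numbers and the 192.168.1.x LAN come from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing: GREEN is the 192.168.1.x LAN from the thread;
# the ORANGE range and the relay address are assumptions for illustration.
ZONES = {"GREEN": ip_network("192.168.1.0/24"),
         "ORANGE": ip_network("192.168.2.0/24")}

@dataclass(frozen=True)
class Forward:
    src_zone: str            # zone the connection arrives on
    dst_ip: str              # internal host it is forwarded to
    port: int
    src_limit: str = "any"   # optional source restriction (CIDR)

def zone_of(ip):
    """Map an address to its zone; anything not internal counts as RED."""
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "RED")

def red_to_green(rules):
    """Forwards that let RED reach a GREEN host directly.
    A source restriction narrows who can connect but does not remove the path."""
    return [(r.port, r.src_limit) for r in rules
            if r.src_zone == "RED" and zone_of(r.dst_ip) == "GREEN"]

def pinholes(rules):
    """ORANGE -> GREEN openings: the residual exposure of the DMZ design."""
    return [(r.dst_ip, r.port) for r in rules
            if r.src_zone == "ORANGE" and zone_of(r.dst_ip) == "GREEN"]

ISP_SMTP = "203.0.113.0/24"   # placeholder (documentation range), not a real ISP

# Design 1: everything forwarded from RED to the SBS box on GREEN
# (ports as listed earlier in the thread, SMTP tied to the ISP's servers).
FLAT = [Forward("RED", "192.168.1.2", 25, ISP_SMTP)] + \
       [Forward("RED", "192.168.1.2", p) for p in (80, 443, 987, 1723)]

# Design 2: SMTP terminates on a relay in ORANGE; one pinhole to Exchange.
DMZ = [Forward("RED", "192.168.2.10", 25, ISP_SMTP),
       Forward("ORANGE", "192.168.1.2", 25)]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("dmz", DMZ)):
        print(name, "RED->GREEN:", red_to_green(rules), "pinholes:", pinholes(rules))
```

In the flat layout every listed port is a direct RED-to-GREEN path, including the source-restricted SMTP forward; in the Orange layout the only opening into GREEN is the single pinhole from the relay.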


Posted: Fri Nov 13, 2009 11:29 pm
New User

Joined: Mon Nov 26, 2007 10:43 pm
Posts: 45
Cool,

I'll look into your suggestions, maybe I should look into Orange network then - and it would be good just in case we get a web-server running sometime in the future etc...

I'll chop back the Resource on my IPcop and look into setup of Orange on a virtual network (internal Xen). But require more work in setting up port forwards, but it should be beneficial...and worth the effort.

awesome,

yeah, I realised I was going off topic for this forum - my apologies if I have been...but hopefully this can help someone else in a similar situation.
again thanks for the guidance, now time to configure my IPCOP
:mrgreen:

