Securing access to EGW

kjurkic 2012-06-05 17:51:37 UTC #1

Hi all

My request is for some “EGW admin for idiots” guide to setting up secure, external access to my EGW host.

I presently have off-site access by a redirect through my firewall (www.myfirewallserver.ca/egroupware --> http://10.0.0.x/egroupware)
On site, they direct access via IP (http://10.0.0.x/egroupware)

The above works well for the most part, but sometimes users are forced to re-login when accessing the wiki or knowledge-base.
This setup also causes confusion for some that have bookmarked one or the other site, and forget the alternate when travelling.

I would like to enable access via https://www.my_egw_server.ca and truncate the /egroupware.

I am concerned about what other security concerns I might have with this approach, ie ensuring secure groupdav access for calendars, preventing exposure of MySQL, etc, while ensuring I still have my administrator access to EGW and the underlying linux host.

enable better forwarding through my firewall, so that https://www.my_egw_server redirects to my internal EGW host. I tried this with various settings on my firewall and apache configs, but was never successful.
I have control of FQDN assignments, and was able to get https://www.my_egw_server to point to my firewall, but only ever got 404 or 500 errors, or at best the default apache index page on my firewall.

thanks
Ken

el_es 2012-06-06 08:22:24 UTC #2

Hi all

My request is for some “EGW admin for idiots” guide to setting up
secure, external access to my EGW host.

I presently have off-site access by a redirect through my firewall
(www.myfirewallserver.ca/egroupware --> http://10.0.0.x/egroupware)
On site, they direct access via IP (http://10.0.0.x/egroupware)

or

enable better forwarding through my firewall, so that
https://www.my_egw_server redirects to my internal EGW host. I tried
this with various settings on my firewall and apache configs, but was
never successful. I have control of FQDN assignments, and was able to
get https://www.my_egw_server to point to my firewall, but only ever
got 404 or 500 errors, or at best the default apache index page on my
firewall.

thanks Ken

Does your firewall/gateway do NAT/routing loopback ?

As mine does, I map the server to external IP of my office network,
(also use https not http) but also users on the inside of the network
can type/bookmark

https://[external_IP]:[external_port]/egroupware

and it works from inside as well as from outside, because my gateway
NAT’s it to

https://[server_ip]]:[server_port_if_different_than_443]/egroupware

(so NAT from [external_ip]:[external_port] to [server_ip]:[server_port] is in place
with NAT loopback enabled)

Hope this helps.
Lukasz

Live Security Virtual Conference
Exclusive live event will cover all the ways today’s security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

el_es 2012-06-06 09:15:49 UTC #3

Hi all

My request is for some “EGW admin for idiots” guide to setting up
secure, external access to my EGW host.

I presently have off-site access by a redirect through my firewall
(www.myfirewallserver.ca/egroupware --> http://10.0.0.x/egroupware)
On site, they direct access via IP (http://10.0.0.x/egroupware)

or

enable better forwarding through my firewall, so that
https://www.my_egw_server redirects to my internal EGW host. I tried
this with various settings on my firewall and apache configs, but was
never successful. I have control of FQDN assignments, and was able to
get https://www.my_egw_server to point to my firewall, but only ever
got 404 or 500 errors, or at best the default apache index page on my
firewall.

thanks Ken

Does your firewall/gateway do NAT/routing loopback ?

As mine does, I map the server to external IP of my office network,
(also use https not http) but also users on the inside of the network
can type/bookmark

https://[external_IP]:[external_port]/egroupware

and it works from inside as well as from outside, because my gateway
NAT’s it to

https://[server_ip]]:[server_port_if_different_than_443]/egroupware

(so NAT from [external_ip]:[external_port] to [server_ip]:[server_port] is in place
with NAT loopback enabled)

Hope this helps.
Lukasz

Having said that, the more secure access would involve IPSec tunneling -
if your gateway supports it - that’s what I’d recommend rather than simple port forward/NAT.

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

kjurkic 2012-06-06 16:24:19 UTC #4

Hi Lukasz

I have already played with tunnelling, and there are a few issues ( I assume VPN is what we are discussing here?):

I have a mix of devices to support, and most users here are not very technically literate.
Users want to access using own PC’s/Macs
Users accessing via friend or loaner device
User tend to forget they are using VPN and start doing general surfing and video streaming, which begins to eat up bandwidth (we are in a remote location on a congested link)

My firewall/router works very well with OpenVPN, in terms of easily generating keys, emailing to user, and even providing a windows installer, but the VPN behaviour has been ‘inconsistent’ across the various OSX versions, Android, and linux boxen.

My ideal is to provide “https://my_egw_server” and have everything else invisible to the end user; whether I expose my actual EGW server, or relay through my NAT/firewall is what I am trying to decide.

My EGW server is live, and staff here work 7AM to 11PM, removing my ability to “tinker” with the system after hours, at least the hours I wish to work…If I break access during the work day, my phone starts to ring far too much.

I am hoping for the “Dummies” guide: ie Edit apache.conf with the proper line, add some line(s) to httpd.conf ( or htaccess or whatever) go to my_egw_server/admin and set name to: https:/whatever_goes_here.
Also does EGW need multiple ports open or is access all strictly via port 443 (or whichever port I set)?

thanks
Ken

Hi all

My request is for some “EGW admin for idiots” guide to setting up
secure, external access to my EGW host.

I presently have off-site access by a redirect through my firewall
(www.myfirewallserver.ca/egroupware --> http://10.0.0.x/egroupware)
On site, they direct access via IP (http://10.0.0.x/egroupware)

or

enable better forwarding through my firewall, so that
https://www.my_egw_server redirects to my internal EGW host. I tried
this with various settings on my firewall and apache configs, but was
never successful. I have control of FQDN assignments, and was able to
get https://www.my_egw_server to point to my firewall, but only ever
got 404 or 500 errors, or at best the default apache index page on my
firewall.

thanks Ken

Does your firewall/gateway do NAT/routing loopback ?

As mine does, I map the server to external IP of my office network,
(also use https not http) but also users on the inside of the network
can type/bookmark

https://[external_IP]:[external_port]/egroupware

and it works from inside as well as from outside, because my gateway
NAT’s it to

https://[server_ip]]:[server_port_if_different_than_443]/egroupware

(so NAT from [external_ip]:[external_port] to [server_ip]:[server_port] is in place
with NAT loopback enabled)

Hope this helps.
Lukasz

Having said that, the more secure access would involve IPSec tunneling -
if your gateway supports it - that’s what I’d recommend rather than simple port forward/NAT.

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

ingoratsdorf 2012-06-07 00:10:06 UTC #5

Hi,

I am really trying to understand what you want to achieve with your setup.

VPN is I guess a no-go - as you said all traffic would go via VPN and
why would that be required. And you cannot expect users to switch on and
off their VPN on their mobile device. In addition, syncs happen in the
background without anybody knowing.
Lukasz was refering to NAT, not VPN. NAT is what your router does to map
internal IP’s and ports to external IP"s and ports and vice versa.
That’s why it’s called NAT (Network Address Translation)

Why do you need to make your setup more secure? In what terms?
eGroupware is made to be available via the internet. That’s one of it’s
main purposes I guess.

Are you rather trying to save Internet Bandwidth with your setup or gain
speed by circumventing the routing?
Your router(having two IP’s) should route any internal traffic back to
your egroupware server anyway without sending the packets through the
internet once people are connected to the office intranet…

I guess in your very early post (that I don’t have at the moment), you
were referring to not exposing your mysql server.
Well, your MySQL server should gbe setup that it only accepts
connections from your intranet or only from localhost when running on
the same machine as apache.
To get access to the database, someone first would have to gain access
to your local server, either via PHP or SSH. So SSH should either be
deactivated, locked to localhost access only or setup for SSH2 key access.
I guess your PHP can be considered secure, there’s a number of patches
and things that you can install like SUHOSIN, SAFE_MODE etc.

Leaves only your trust in egroupware itself, that comes pretty secure
with password attempt blocking etc., all things that can be setup in the
site admin.

You can also block access to site admin to be only allowed from certain
IP ranges only.

So what else would you require to make it more secure?

Cheers,
Ingo

Hi Lukasz

I have already played with tunnelling, and there are a few issues ( I
assume VPN is what we are discussing here?):

I have a mix of devices to support, and most users here are not
very technically literate.

Users want to access using own PC’s/Macs

Users accessing via friend or loaner device

User tend to forget they are using VPN and start doing general
surfing and video streaming, which begins to eat up bandwidth (we are
in a remote location on a congested link)

My firewall/router works very well with OpenVPN, in terms of easily
generating keys, emailing to user, and even providing a windows
installer, but the VPN behaviour has been ‘inconsistent’ across the
various OSX versions, Android, and linux boxen.

My ideal is to provide “https://my_egw_server” and have everything
else invisible to the end user; whether I expose my actual EGW server,
or relay through my NAT/firewall is what I am trying to decide.

My EGW server is live, and staff here work 7AM to 11PM, removing my
ability to “tinker” with the system after hours, at least the hours I
wish to work…If I break access during the work day, my phone
starts to ring far too much.

I am hoping for the “Dummies” guide: ie Edit apache.conf with the
proper line, add some line(s) to httpd.conf ( or htaccess or whatever)
go to my_egw_server/admin and set name to: https:/whatever_goes_here.

Also does EGW need multiple ports open or is access all strictly via
port 443 (or whichever port I set)?

thanks
Ken

From: Lukasz Sokol el.es.cr@gmail.com
To: egroupware-users@lists.sourceforge.net
Sent: Wednesday, June 6, 2012 2:15:49 AM
Subject: Re: [eGroupWare-users] securing access to EGW

Hi all

My request is for some “EGW admin for idiots” guide to setting up
secure, external access to my EGW host.

I presently have off-site access by a redirect through my firewall
(www.myfirewallserver.ca/egroupware --> http://10.0.0.x/egroupware)
On site, they direct access via IP (http://10.0.0.x/egroupware)

or

enable better forwarding through my firewall, so that
https://www.my_egw_server redirects to my internal EGW host. I tried
this with various settings on my firewall and apache configs, but was
never successful. I have control of FQDN assignments, and was able to
get https://www.my_egw_server to point to my firewall, but only ever
got 404 or 500 errors, or at best the default apache index page on my
firewall.

thanks Ken

Does your firewall/gateway do NAT/routing loopback ?

As mine does, I map the server to external IP of my office network,
(also use https not http) but also users on the inside of the network
can type/bookmark

https://[external_IP]:[external_port]/egroupware

and it works from inside as well as from outside, because my gateway
NAT’s it to

https://[server_ip]]:[server_port_if_different_than_443]/egroupware

(so NAT from [external_ip]:[external_port] to
[server_ip]:[server_port] is in place
with NAT loopback enabled)

Hope this helps.
Lukasz

Having said that, the more secure access would involve IPSec tunneling -
if your gateway supports it - that’s what I’d recommend rather than
simple port forward/NAT.

L.

Live Security Virtual Conference
Exclusive live event will cover all the ways today’s security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
mailto:eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

Live Security Virtual Conference
Exclusive live event will cover all the ways today’s security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

–
envirology Ltd*

45 Arthur Street | Riverhead | Auckland 0820
p&f +64 9 412 2241 call:+64%209%20412%202241 | skype ingoratsdorf
skype:ingoratsdorf | jabber ingo.ratsdorf@chat.facebook.com
ingo@envirology.co.nz mailto:ingo@envirology.co.nz |
www.envirology.co.nz http://www.envirology.co.nz

*envirology – a term combined from Environment and the greek “logos”
(word, reason, plan)

reetp 2012-06-07 09:22:54 UTC #6

Hi Ken,

I think I can see what you are trying to do as I had a similar situation.

You have not wanted to expose your server to the internet and only
wanted to allow access via the internal network but your users are
getting in a knot when connected via the VPN.

A couple of suggestions/solutions.

VPN - This is probably more of a setup issue on the users machines. I
think that the users networking/VPN needs to be set so that ONLY traffic
for the server goes via the VPN with all other traffic going straight
out via their own generic connection. I think you will find that’s a
routing issue on the users machines. I think as you have a mixture of
hardware & software, this is probably tricky and time consuming to
maintain. However, there is undoubtedly stuff online on how to set this
up correctly.

Port Forwarding - open specific ports on your router to your server so
external users only have access to say web services.

DMZ - on your router you should be able to put your server in a DMZ and
fully expose it to the internet.

In both these latter scenarios you need to ensure that your server is
properly secured - there is no simple answer to this and books have been
written on the subject ! It totally depends on your own situation and
what else you are running. You need to make sure that the services are
secured and proper file permissions are set etc etc

Setting your URL to “https://my_egw_server” is an apache configuration
issue but there is no one httpd.conf that fits all. You may get some
help here but you need to be more specific about how you have things
(Apache) set up currently. If EGW is the only web service that you run,
it will probably be better to set this in httpd.conf and not via
.htaccess (I stand to be corrected on this if need be !!)

If you use port forwarding, other services on the server matter less
(but that never excuses good security). As previously mentioned, if
set-up correctly MySQL should only answer local requests, but again you
make no mention of your current config.

From the sounds of things (and without wishing to be rude) you are still
something of a beginner with this and with all due respect my advice
would be to go and have a good read about server security, Apache, MySQL
and other services first. It is much better to say “I have this set-up
and tried this and tried that” rather than a plain “How do I do it ?”

I am no guru myself so for my own server fortunately the software I use
(www.contribs.org) has default settings set to a high level of security.
I put mine in a DMZ as users needed access to email & other stuff and
all seems to be well. In your position I would try port forwarding to
say just the https port and go from there.

staff here work 7AM to 11PM, removing my ability to “tinker” with the
system after hours

Urrrrr… sorry but there are 24 hours in a day and you have a window
to work from 11PM to 7 AM - that’s a whole 8 hours !

Unfortunately part of being a sysadmin is the necessity to work the wee
small hours… comes with the territory I’m afraid !

HTH,

B. Rgds
John

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

el_es 2012-06-07 11:43:57 UTC #7

Hello Kenneth,

as with everything in life : it depends, on what is more of a priority for you.

Simple (but somewhat effective) solution is to let people from INSIDE your network
use the EXTERNAL address of your server - that way you’re not fully exposing the
server to outside world, only the http/https port; That can be achieved by
doing NAT PF (port forwarding) with NAT Loopback allowed; so the users on your LAN
only need to bookmark the EXTERNAL address of the server, and it will work the same.
If that’s all they need, i.e. the access to egroupware, then that’s all;

Note with iOS/Apple devices you need to disable source address checking of the egw session,
as they tend to use cloud proxies, and even every click to the Safari when they
connect via mobile internet, can be conveyed from a different IP address. (Same with
ones using Opera Mobile/Mini I think)

There is an obvious limitation to that, that is: how sensitive is the data you’re storing
in egw, and how ‘forgetful’ of password changing or even how ‘insensitive’ to password guidance
your users are… or even how resourceful are they in making stupid pranks too (!).

IPSec VPN (don’t confuse that with OpenVPN, aka stunnel, it’s completely different)
when deployed correctly, can give roaming users the same abilities as they were in the LAN,
and also more control for you : they won’t be able to connect/login if you revoke/block their
certificates.

Sorry it’s lengthy and it is mostly IMO.

Hi Lukasz

I have already played with tunnelling, and there are a few issues ( I
assume VPN is what we are discussing here?):

I have a mix of devices to support, and most users here are not
very technically literate.

Users want to access using own PC’s/Macs

Users accessing via friend or loaner device

User tend to forget they are using VPN and start doing general
surfing and video streaming, which begins to eat up bandwidth (we are
in a remote location on a congested link)

My firewall/router works very well with OpenVPN, in terms of easily
generating keys, emailing to user, and even providing a windows
installer, but the VPN behaviour has been ‘inconsistent’ across the
various OSX versions, Android, and linux boxen.

My ideal is to provide “https://my_egw_server” and have everything
else invisible to the end user; whether I expose my actual EGW
server, or relay through my NAT/firewall is what I am trying to
decide.

My EGW server is live, and staff here work 7AM to 11PM, removing my
ability to “tinker” with the system after hours, at least the hours I
wish to work…If I break access during the work day, my phone
starts to ring far too much.

I am hoping for the “Dummies” guide: ie Edit apache.conf with the
proper line, add some line(s) to httpd.conf ( or htaccess or
whatever) go to my_egw_server/admin and set name to:
https:/whatever_goes_here. * Also does EGW need multiple ports open
or is access all strictly via port 443 (or whichever port I set)?

thanks Ken

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users