Advice on setup of small office locally or via VPS
Hi,
sorry in advance for the lengthy post.
I have some questions on organizing and designing a small office
environment. Clients and server parts Debian. I have always introduced
Debian in every job I had in the last 14 years, and it would be great to
finally use them as the default OS on devices of my own business :)
I currently have one VPS with a few services: hosting my own websites and
DNS (authoritative for my domains), mail (Postfix,Dovecot). As I'm
planning to start my own business, I would like to inform myself on the
available choices.
I would probably get a business VDSL line, which would give me 8 public
IPs. I have experience with most of the techniques described below,
although it has been a while since I used some of those components/
software. I do manage some Debian servers, and have done so for the last
14 years.
At the start, I would only employ 1 or 2 people. I'm trying to keep it
small so I wouldn't want to go over 10 people.
Server part Debian, office parts also Debian as much as possible but we
will also have MS machines as we need this to support our clients. Not
sure if we would need to access any info on the Debian machines or
servers. I have no preference to local infrastructure as opposed to cloud.
That's why I started out with a VPS to host my sites, mail and DNS.
Because of the DNS redundancy requirements, I use a free service that
replicates my DNS. Ideally, I would be able to provide this redundancy
with my own machines, VPS'es or local.
I would like your advice on the way I would set this up locally or with
VPSes.
Local setup
===========
I would connect a Debian box with 3 nics to the ISP router to serve as
firewall. 1 nic for WAN, 1 for LAN, 1 for DMZ. I have always used
iptables to do this. The wan nic would have 1 public IP, LAN
192.168.1.0/24,
DMZ 172.16.1.0/24.
DMZ would have 2 machines: 1 with web and DNS 1, another with DNS 2 and
SMTP gateway. I would keep the free DNS for added redundancy. On the LAN
part, I would put a file server, local DNS and some internal web apps.
This raises some questions:
- What device could I use for the firewall? I don't want to use an old
computer as I have some public services and need a reliable service.
I'm open to using an appliance as well. Any links or info are welcome.
Is there any easy way of making these devices redundant?
- I would only allow some traffic (mail for instance) from the DMZ to the
private LAN. LAN could access the DMZ. Any downside to this security-wise?
- If I have multiple public IPs, I would assign each public machine a
public IP. I assume it's the ISP's job to redirect the IPs in my range
to their router in my office. I could then map the public IPs to a
private IP by prerouting all allowed traffic on the public IP to the
private IP address of the machine in the DMZ.
- My mail service (only used for my own purposes right now) consists of
Postfix, Clamav, Pyzor, Razor, Spamassassin, with authentication provided
by Dovecot. Domains, users and aliases are stored in a Postgresql
database. Security-wise it would be better to place this set up in the
LAN part, and put a SMTP gateway in the DMZ to receive mail, and have the
gateway forward the mail to the setup I just described.
The SMTP gateway should have the same parts (Clamav, Spamassassin, ...)
but just not store the mail locally. Any thoughts on this kind of setup?
- I have Roundcube (webmail) installed as well. I think I could handle
this by forwarding the requests from firewall to the internal mail server.
Not sure if this is the safest way to do this.
One can of course argue about web mail in the first place.
- Central user and document management.
I would like to have a space on the file server where people could store
their own and shared documents. I think I would need NFS for this
(haven't used this before). The docs might need to be accessible from
Windows as well, although I really would like to only use Debian machines
for my own people. Otherwise, this would mean using Samba.
My mail users are in a Postgresql database. I would like to keep it that
way if I would ever provide mail to customers.
I can see LDAP being useful to have central authentication.
It can be a challenge to setup though. Are there other ways of having a
simple central authentication?
I have thought about using a document management system from the start.
But I have only experience with commercial ones and that might be overkill
from the start. Besides, they are Windows based.
VPS
===
The other way I could go is by using multiple VPS servers (or renting
dedicated servers). I could connect them with OpenVPN. I have no
experience with that.
But this would also mean I would have my file server online.
Then I definitely would need to setup a permanent connection from the
office firewall to the online servers.
Might make it a bit harder to fully manage reverse dns. As for my current
VPS, I had to ask my VPS supplier to insert a reverse DNS record for my
mail server as I don't own the range and as such, can't set the reverse
DNS. If I would want to manage this myself, I would need to reserve a
small range with the VPS supplier.
I probably wouldn't need those in the case of receiving a range of public
IP addresses from the ISP that provides the company internet line.
If I would use these public IPs, I wouldn't need the VPS range, and I
could manage my own reverse DNS and have the firewall forward the traffic
from these public IPs to the private IPs (well, also public IPs because
you get a public IP with every VPS) of the corresponding VPSes over the
OpenVPN connection?
Is this also a workable setup? Any other ways to set this up?
Thanks for any advice, thoughts, links or info and for your patience if
you got this far :)
Regards,
Bene
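Editor's added example (not part of Bene's post): the three-NIC iptables layout described under "Local setup", written as a small shell script that emits an iptables-restore ruleset instead of calling iptables directly, so the rules can be reviewed (and diffed) before they are loaded. It maps one public IP per DMZ host with DNAT/SNAT, lets the LAN initiate to the DMZ and the Internet, and lets the DMZ reach the LAN only for SMTP from the gateway to the internal mail host, which is the policy the post asks about. Interface names, the 203.0.113.0/24 addresses, the DMZ host list and the mail host address are constructed assumptions for illustration.

```shell
#!/bin/sh
# Constructed example: build an iptables-restore ruleset for a Debian box
# with three NICs (WAN / LAN / DMZ).  Addresses and interface names below
# are assumptions, not values from the original post.
WAN_IF=eth0
LAN_IF=eth1
DMZ_IF=eth2
WAN_IP=203.0.113.10          # firewall's own public address (constructed)
LAN_NET=192.168.1.0/24
DMZ_NET=172.16.1.0/24
MAIL_INT=192.168.1.20        # internal Postfix/Dovecot host on the LAN (assumed)
SMTP_GW=172.16.1.12          # DMZ host running DNS 2 + the SMTP gateway (assumed)

# One line per public-facing DMZ machine: "public_ip private_ip tcp_ports".
# Hosts listing port 53 also get UDP 53 forwarded.
DMZ_MAP='203.0.113.11 172.16.1.11 80,443,53
203.0.113.12 172.16.1.12 25,53'

gen_ruleset() {
    # --- nat table: public IP -> DMZ host, and the reverse for replies/outbound ---
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo "$DMZ_MAP" | while read -r pub priv ports; do
        [ -n "$pub" ] || continue
        echo "-A PREROUTING -i $WAN_IF -d $pub -p tcp -m multiport --dports $ports -j DNAT --to-destination $priv"
        case ",$ports," in
            *,53,*) echo "-A PREROUTING -i $WAN_IF -d $pub -p udp --dport 53 -j DNAT --to-destination $priv" ;;
        esac
        # traffic the DMZ host originates leaves with its own public IP,
        # which keeps forward and reverse DNS for the mail gateway consistent
        echo "-A POSTROUTING -o $WAN_IF -s $priv -j SNAT --to-source $pub"
    done
    echo "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP"
    echo 'COMMIT'

    # --- filter table: default deny, then the explicit holes ---
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT"   # admin SSH from LAN only
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A FORWARD -m conntrack --ctstate INVALID -j DROP'
    # DNAT only rewrites the destination; the FORWARD chain still has to
    # allow exactly the mapped ports and nothing else towards each DMZ host.
    echo "$DMZ_MAP" | while read -r pub priv ports; do
        [ -n "$pub" ] || continue
        echo "-A FORWARD -i $WAN_IF -o $DMZ_IF -d $priv -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
        case ",$ports," in
            *,53,*) echo "-A FORWARD -i $WAN_IF -o $DMZ_IF -d $priv -p udp --dport 53 -j ACCEPT" ;;
        esac
    done
    # LAN may initiate to the DMZ and to the Internet.
    echo "-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -j ACCEPT"
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    # DMZ may initiate to the Internet, but towards the LAN only the SMTP
    # gateway may open port 25 to the internal mail host; everything else
    # from DMZ to LAN is logged and falls through to the DROP policy.
    echo "-A FORWARD -i $DMZ_IF -o $WAN_IF -s $DMZ_NET -j ACCEPT"
    echo "-A FORWARD -i $DMZ_IF -o $LAN_IF -s $SMTP_GW -d $MAIL_INT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT"
    echo "-A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix \"dmz-to-lan-drop: \""
    echo 'COMMIT'
}

# Usage (as root): gen_ruleset > /etc/iptables/rules.v4
#                  iptables-restore --test < /etc/iptables/rules.v4   # parse only
#                  iptables-restore < /etc/iptables/rules.v4
```

Forwarding also needs net.ipv4.ip_forward=1 in /etc/sysctl.conf, and the generated file is what the iptables-persistent package loads at boot. The point of the DMZ-to-LAN block is that a compromised web or DNS host in the DMZ can only ever reach TCP/25 on one LAN machine, and any other attempt shows up in the kernel log with the dmz-to-lan-drop prefix.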