Firewall Ports

[rtrice81]

What are all the ports I would need open to run a Scalix Server behind a firewall so someone could get in from the internet?

and i am guessing the
POP3, SMTP, and IMAP ports are the normals?

but what about for the Exchange LIKE Features with Outlook Connect


Thanks
Richie

[florian]

if you want scalix connect for outlook to talk to the scalix server, the available port must be 5729/TCP (scalixual).

However, please note that the communication is not encrypted, so it is not recommended to run the UAL protocol over insecure links.

Florian.

[tuxtattoo]

if you want scalix connect for outlook to talk to the scalix server, the available port must be 5729/TCP (scalixual).

However, please note that the communication is not encrypted, so it is not recommended to run the UAL protocol over insecure links.

Florian.

Florian,

What would the best practice be for traveling users? Say they work on the local network, but travel to remote destinations and would be on insecure networks? Especially since they would want to be able to sync their calendar items, etc.

Thank you,
Nathan

[florian]

We're actually working on solutions here that would allow you do do this securely without special prerequisites, but they are not available yet.

In the meantime (and that's probably at least a couple months), your only choice is to use a VPN connection.

Florian.

[tuxtattoo]

We're actually working on solutions here that would allow you do do this securely without special prerequisites, but they are not available yet.

In the meantime (and that's probably at least a couple months), your only choice is to use a VPN connection.

Florian.

Florian,

Indeed. I also threw together a solution using Stunnel just for kicks. This *could* be used if VPN was not an option (or you/your company doesn't have a VPN). It seems to be working although it's certainly a .. hack.

Here is how I did it:

I installed Stunnel on the client's PC as a service. I edited the stunnel.conf to run in client mode and to accept on 'localhost:5729' and connect to the 'scalixhost.com:443' (you can change 443 to whatever port you want, I did it for tunneling over HTTPS abilities).

One scalixhost.com (my Scalix server, but it could be any server really) I installed another Stunnel process in server mode that accepts on scalixhost.com:443 and connects to localhost:5729 (or whatever your Scalix server IP would be. I chose localhost for obvious reasons).

One thing to keep in mind is if you are running Apache on scalixhost.com and you are using mod_ssl, you'll have to edit your configuration file and change the 'Listen 443' to 'Listen xx.xx.xx.xx:443'. Then you will have to create an IP alias on your eth0 interface with a different IP (your stunnel configuration should accept on this IP). This doesn't matter if you use a different port that's not being used on the Scalix server.

Then I created two Outlook profiles. Outlook Secure and Outlook Insecure.

Outlook Secure's Scalix server would be 'localhost'. All traffic will be tunneled over SSL on port 443 to scalixhost.com, then redirected to the loopback interface to the scalixual port.

Outlook Insecure's Scalix server would be 'scalixhost.com'. All traffic is (as you pointed out) is unencrypted.

nb

[florian]

Hi,

stunnel works as long as you are using a single server; with multiple Scalix servers and delegation, one single instance of outlook will have to use multiple servers with different hostnames. localhost is no longer an option. Therefore, it's a good workaround for single server cases, unfortunately not a solution. Configuration is somewhat awkward.

Having said this, I've used it myself and glad it works for you. Maybe you want to put your summary (plus my note about the limitation) into a How-to on our Wiki?

Thanks,

Florian.

[tuxtattoo]

Hi,

stunnel works as long as you are using a single server; with multiple Scalix servers and delegation, one single instance of outlook will have to use multiple servers with different hostnames. localhost is no longer an option. Therefore, it's a good workaround for single server cases, unfortunately not a solution. Configuration is somewhat awkward.

Having said this, I've used it myself and glad it works for you. Maybe you want to put your summary (plus my note about the limitation) into a How-to on our Wiki?

Thanks,

Florian.

Florian,

Haha, you beat me to it! I wasn't quite finished with my post and I hit submit instead of preview. I was just saying that I'm not sure how it would work in larger environments and it's a bit tricky to set up.

But apart from that, I'd be happy to put it in your Wiki if you'd like. Just lemme know what I need to do.

nb

[jc68]

Having two profiles can create synchronization issues. For example, while still at work, you delete a message in the insecure profile than sync the change to the server. Then, while offline, in the secure profile, you move that same message to another folder. When you try to sync, you have a potential conflict. Additionally, having two profiles waste hard drive space.

So, what I do is create just the one profile and when traveling, I edit the Windows host file to have my Scalix server point to localhost.

For example,

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
127.0.0.1 your_scalix_server # ADD THIS LINE

The Windows host file is normally found in C:\WINDOWS\system32\drivers\etc\hosts if you're using WinXP or 2000.

Connect to your network using Stunnel and open your Outlook client like you normally would. Instead of searching 192.168.2.2 (for example) for your Scalix server, it will look on your localhost for the Scalix service and get redirected by stunnel to the proper server. When you're back in the office, simply comment out the line with #.

Note that when you're creating your Outlook profile, you have to specify a server name (ie. scalix_server) rather than an ip address for this to work.

Incidentally, instead of stunnel, you can use ssh which is installed by default on most Linux distribution. Enable the ssh service on your scalix server. Then, on your laptop, run an ssh client (ie. SSH Secure Shell, PuTTY, Port Forwarder) with tunneling enabled and configured to point to your scalix server.