Council for Clarkconnect implementation
I will set up Clarkconnect Community 5 (firewall and SMTP relay on the same machine) for about 150 users, with a hardware configuration in accordance with Clarkconnect's recommendations.
I was thinking of doing the following:
Internet - Firewall and SMTP relay Clarkconnect - Appliance Security Trend Micro AS, AV, Content Filtering - Network LAN
The security appliance is still valid and is installed in "pass through" between CConnection LAN side and the rest of the network (no DMZ in this configuration). The advantage of this appliance is that it will save me from overloading Clarkconnect with SpamAssassin, the AV ...
I want to use the SMTP relay on Clarkconnect because I do not want to translate port 25 on my Domino server that is on the LAN.
My question is:
What do you think of my config? Is DMZ more suitable?
Re: Council for Clarkconnect implementation
To remain neutral, let us say that it is a strange configuration, and not a very safe one for 150 users. Many of us have said here what a healthy architecture should be for a configuration with an SMTP relay. I do not really want to repeat that post for the nth time. I will be brief.
The firewall: to be strictly a firewall. Running an SMTP relay (grouping or proxy) is a very bad idea. Especially with 150 users.
The relay should be in the DMZ. Clarkconnect works well; it's a good choice for this work.
Quote:
I do not want to translate port 25 on my Domino server that is on the LAN.
I do not see the problem and in fact I do not understand what you mean.
In short: use a real firewall, use a DMZ to place the Clarkconnect SMTP relay in, and leave the Domino server on the LAN if you want.
Re: Council for Clarkconnect implementation
Quote:
The firewall: to be strictly a firewall. Running an SMTP relay (grouping or proxy) is a very bad idea. Especially with 150 users.
The relay should be in the DMZ. Clarkconnect works well; it's a good choice for this work.
A little history: I forgot to mention that I am thinking of making this same machine a proxy server. In fact I am looking for reassuring solutions, which is why I asked for advice before anything else.
So, knowing that I also have a proxy, should I move towards an architecture of this type:
1 firewall machine
and in the DMZ
1 relay SMTP
1 proxy server (right?)
Which means that I should put up 3 machines?
Quote:
I do not see the problem and in fact I do not understand what you mean.
To put it as a question: is it a good idea to transfer port 25 to the Domino server on the LAN, or is it better for me to go through an SMTP relay?
Re: Council for Clarkconnect implementation
Like many, you start by thinking in terms of hardware and software, i.e. solutions, before even having identified all the parameters of the problem, i.e. your needs for security and for services to users. For a structure of 150 people, it does not seem possible, and even less safe, to skip this work.
The whole must be designed globally, according to a required level of safety and to risks that will have been evaluated and prioritized.
From there, my answer to your question is rather superficial and worth no more than your upstream work. Since that work is limited, my answer is of poor quality.
Quote:
So, knowing that I also have a proxy, should I move towards an architecture of this type:
1 firewall machine
and in the DMZ
1 relay SMTP
1 proxy server (right?)
Which means that I should put up 3 machines?
If a DMZ is required (?), then the proxy and SMTP relay go in the DMZ. The proxy and SMTP relay can each be set up in a virtual machine on ESX 3.5 or 4. Partitioning by VLAN is desirable in the DMZ.
There is nothing to say that it suits your needs, simply because we do not know.