Changes

From SME Server
organise access methods in same order as panel, add detail
Line 4: Line 4:  
====Remote Access====
 
====Remote Access====
 
If you're an advanced user, the SME Server provides several different ways to access the underlying operating system, either from a computer on your internal network or from a computer outside your site on the Internet. Additionally, you have the ability to access your computer network securely from a remote computer. All of these operations are configured from the screen shown below in the server manager.
 
If you're an advanced user, the SME Server provides several different ways to access the underlying operating system, either from a computer on your internal network or from a computer outside your site on the Internet. Additionally, you have the ability to access your computer network securely from a remote computer. All of these operations are configured from the screen shown below in the server manager.
 +
 +
Each of these remote access methods is described below.
    
[[Image:Remote-access-1.png]]
 
[[Image:Remote-access-1.png]]
 
[[Image:Remote-access-2.png]]
 
[[Image:Remote-access-2.png]]
   −
Each of these remote access methods is described below.
     −
===== SSH =====
+
===== PPTP (VPN) =====
If you need to connect directly to your server and login from a remote system belonging to you, we strongly encourage you to use ssh. In addition to UNIX and Linux systems, ssh client software is now also available for Windows and Macintosh systems. (See the section below.)
+
The Point-to-Point Tunnelling Protocol (PPTP) is used to create client-to-server Virtual Private Networks (VPNs) and was developed by the PPTP Forum, an industry group which included Microsoft and several other companies. A VPN is a private network of computers that uses the public Internet to connect some nodes. PPTP allows users to connect to their corporate networks across the Internet.
 +
 
 +
Microsoft's PPTP implementation is widely used in the Windows world to provide remote access across the Internet. If you have a remote Windows system (for instance, a laptop or a home computer) that has access to the Internet, you can also access the information stored on your server.
 +
 
 +
If you wish to enable VPN access, you must decide how many individual PPTP clients you will allow to connect to your server simultaneously, and enter that number here. The simplest method is to enter the total number of remote PPTP clients in your organization. Alternatively, if you have a slow connection to the Internet and do not want all of those PPTP clients to connect at the same time, you can enter a lower number here. For instance, if you have five users who from time to time use PPTP to connect remotely, entering 5 here would allow all of them to connect at any time. Entering 2 would only allow two users to connect at any given time. If a third user tried to connect, he or she would receive an error message and would not be able to connect until one of the other users disconnected. If, on the other hand, you entered 0, no PPTP connections would be allowed.
 +
 
 +
Before the server is ready to accept PPTP connections each user that is to be allowed access is to be granted 'VPN Client Access' in the
 +
[[:SME_Server:Documentation:Administration_Manual:Chapter9#Users |Users]] panel of the /server-manager.
   −
If you do not have any reason to allow remote access, we suggest you set this to No access.
+
To connect using PPTP, the protocol must be installed on each remote Windows client. Typically, this is done through the Network Control Panel (you may need to have your original Windows installation CD available). After it is installed (a reboot of your Windows system may be needed), you can create new connections through the Dial-Up Networking panel by entering the external IP address of the server you wish to connect to. Once you're finished, you should be able to initiate a PPTP connection by double-clicking the appropriate icon in the Dial-Up Networking window. When you then open up your Network Neighborhood window, you should see your server workgroup listed there.
   −
SSH (secure shell) provides a secure, encrypted way to login to a remote machine across a network or to copy files from a local machine to a server. Many people do not realize that many programs such as telnet and ftp transmit your password in plain, unencrypted text across your network or the Internet. ssh and its companion program scp provide a secure way to login or copy files. The ssh protocol was originally invented by SSH Communications Security which sells commercial ssh servers, clients, and other related products. The protocol itself has two versions - SSH1 and SSH2 - both of which are supported by most clients and servers today. For more information about SSH Communications Security and its commercial products, visit http://www.ssh.com/.
+
{{DrawBoxNote|content=After changing the number of pptp clients allowed, the increased number of users is not updated until existing users have logged off.}}
   −
OpenSSH, included with the SME Server, is a free version of the ssh tools and protocol. The server provides the ssh client programs as well as an ssh server daemon and supports both the SSH1 and SSH2 protocols. For more information about OpenSSH, visit http://www.openssh.com/.
+
{{DrawBoxNote|content=PPTP uses TCP port 1723 and the Generic Routing Encapsulation (GRE) protocol. If you are using an external router or gateway to your server, and require an inbound VPN connection to support external users, you will need both TCP port 1723 and the GRE protocol to be forwarded.  
   −
Once ssh is enabled, you should be able to connect to your server simply by launching the ssh client on your remote system and ensuring that it is pointed to the external domain name or IP address for your server. In the default configuration, you should next be prompted for your user name. After you enter admin and your administrative password, you will be in the server console. From here you can change the server configuration, access the server manager through a text browser or perform other server console tasks.
+
However most PPTP passthrough routers only allow outbound connections. Not all allow inbound connections. Forwarding PPTP inbound is frequently unreliable due to the way PPTP works.
   −
If you do enable ssh access, you have two additional configuration options:
+
The simple, reliable solution is to remove the router and let the SME Server handle the link directly.
* Allow administrative command line access over ssh - This allows someone to connect to your server and login as "root" with the administrative password. The user would then have full access to the underlying operating system. This can be useful if someone is providing remote support for your system. In most cases we recommend setting this to No .
  −
* Allow ssh using standard passwords - If you choose Yes (the default), users will be able to connect to the server using a standard user name and password. This may be a concern from a security point of view, in that someone wishing to break into your system could connect to your ssh server and repeatedly enter user names and passwords in an attempt to find a valid combination. A more secure way to allow ssh access is called RSA Authentication and involves the copying of an ssh key from the client to the server. See the [[SME_Server:Documentation:User_Manual:Chapter1#Securing_SSH_With_Public_.2F_Private_Keys User Manual ]] for details
  −
* TCP Port for secure shell access - Change the port the ssh client connects to the server, choose a  random free port eg. 822 This provides some protection from attacks on the usual port of 22.
     −
{{DrawBoxNote|content=By default, only two user names can be used to login remotely to the server: admin (to access the server console) and root (to use the Linux shell). Regular users are not permitted to login to the server itself. If you give another user the ability to login remotely to the server, you will need to access the underlying Linux operating system and manually change the user's shell.}}
+
For a more detailed description of the PPTP protcol see http://en.wikipedia.org/wiki/Point-to-point_tunneling_protocol}}
   −
======SSH clients for Windows and Macintosh systems======
  −
A number of different free software programs provide ssh clients for use in a Windows or Macintosh environment. Several are extensions of existing telnet programs that include ssh functionality. Two different lists of known clients can be found online at http://www.openssh.com/windows.html and http://www.freessh.org/.
     −
A commercial ssh client is available from SSH Communications Security at: http://www.ssh.com/products/ssh/download.html. Note that the client is free for evaluation, academic and certain non-commercial uses.
+
{{DrawBoxWarning|content=To protect your network, the SME Server enforces the use of 128-bit encryption for PPTP connections, rather than the 40-bit encryption provided in earlier versions of Microsoft's PPTP software. If you are unable to establish a PPTP connection to your server, you should visit http://windowsupdate.microsoft.com/ and download the appropriate update. Due to the dynamic nature of Microsoft's web site, the page may appear differently depending upon the version of Windows you are using. In most cases, you will want to look or search for Virtual Private Networking or a Dial Up Networking 128-bit encryption update . You may need to install the 40-bit encryption update first, and then install the 128-bit encryption update. Note that with Microsoft's ActiveUpdate process, if you are not presented with the choice for this update, it is most likely already installed in your system.}}
   −
=====PPTP=====
  −
The Point-to-Point Tunnelling Protocol (PPTP) is used to create client-to-server Virtual Private Networks (VPNs) and was developed by the PPTP Forum, an industry group which included Microsoft and several other companies. A VPN is a private network of computers that uses the public Internet to connect some nodes. PPTP allows users to connect to their corporate networks across the Internet.
     −
Microsoft's PPTP implementation is widely used in the Windows world to provide remote access across the Internet. If you have a remote Windows system (for instance, a laptop or a home computer) that has access to the Internet, you can also access the information stored on your server.
+
===== Remote Management =====
 +
To allow access to the /server-manager from remote networks add allowed IP addresses to the Remote Management section.
   −
If you wish to enable VPN access, you must decide how many individual PPTP clients you will allow to connect to your server simultaneously, and enter that number here. The simplest method is to enter the total number of remote PPTP clients in your organization. Alternatively, if you have a slow connection to the Internet and do not want all of those PPTP clients to connect at the same time, you can enter a lower number here. For instance, if you have five users who from time to time use PPTP to connect remotely, entering 5 here would allow all of them to connect at any time. Entering 2 would only allow two users to connect at any given time. If a third user tried to connect, he or she would receive an error message and would not be able to connect until one of the other users disconnected. If, on the other hand, you entered 0, no PPTP connections would be allowed.
+
To allow a single computer (or network of computers behind a firewall) add it's IP and the netmask.
 +
223.102.19.24  255.255.255.255
   −
After you enter a number and press Save, the server should be ready to accept PPTP connections.
     −
To connect using PPTP, the protocol must be installed on each remote Windows client. Typically, this is done through the Network Control Panel (you may need to have your original Windows installation CD available). After it is installed (a reboot of your Windows system may be needed), you can create new connections through the Dial-Up Networking panel by entering the external IP address of the server you wish to connect to. Once you're finished, you should be able to initiate a PPTP connection by double-clicking the appropriate icon in the Dial-Up Networking window. When you then open up your Network Neighborhood window, you should see your server workgroup listed there.
+
===== SSH =====
 +
If you need to connect directly to your server and login from a remote system belonging to you, we strongly encourage you to use ssh. In addition to UNIX and Linux systems, ssh client software is now also available for Windows and Macintosh systems. (See the section below.)
   −
{{DrawBoxNote|content=Your connection to the Internet needs to be established first before you initiate the PPTP connection. This may involve double-clicking one Dial-Up Networking icon to start your Internet connection, then double-clicking a second icon to start the PPTP connection. To shut down, disconnect your PPTP connection first, then disconnect from your ISP.}}
+
If you do not have any reason to allow remote access, we suggest you set this to No access.
   −
{{DrawBoxNote|content=After changing the number of pptp clients allowed, the increased number of users is not updated until existing users have logged off.}}
+
SSH (secure shell) provides a secure, encrypted way to login to a remote machine across a network or to copy files from a local machine to a server. Many people do not realize that many programs such as telnet and ftp transmit your password in plain, unencrypted text across your network or the Internet. ssh and its companion program scp provide a secure way to login or copy files. The ssh protocol was originally invented by SSH Communications Security which sells commercial ssh servers, clients, and other related products. The protocol itself has two versions - SSH1 and SSH2 - both of which are supported by most clients and servers today. For more information about SSH Communications Security and its commercial products, visit http://www.ssh.com/.
   −
{{DrawBoxNote|content=PPTP uses TCP port 1723 and the Generic Routing Encapsulation (GRE) protocol. If you are using an external router or gateway to your server, and require an inbound VPN connection to support external users, you will need both TCP port 1723 and the GRE protocol to be forwarded.  
+
OpenSSH, included with the SME Server, is a free version of the ssh tools and protocol. The server provides the ssh client programs as well as an ssh server daemon and supports both the SSH1 and SSH2 protocols. For more information about OpenSSH, visit http://www.openssh.com/.
   −
However most PPTP passthrough routers only allow outbound connections. Not all allow inbound connections. Forwarding PPTP inbound is frequently unreliable due to the way PPTP works.
+
Once ssh is enabled, you should be able to connect to your server simply by launching the ssh client on your remote system and ensuring that it is pointed to the external domain name or IP address for your server. In the default configuration, you should next be prompted for your user name. After you enter admin and your administrative password, you will be in the server console. From here you can change the server configuration, access the server manager through a text browser or perform other server console tasks.
   −
The simple, reliable solution is to remove the router and let the SME Server handle the link directly.
+
If you do enable ssh access, you have additional configuration options:
 +
* Allow administrative command line access over ssh - This allows someone to connect to your server and login as "root" with the administrative password. The user would then have full access to the underlying operating system. This can be useful if someone is providing remote support for your system. In most cases we recommend setting this to No.
 +
* Allow ssh using standard passwords - If you choose Yes (the default), users will be able to connect to the server using a standard user name and password. This may be a concern from a security point of view, in that someone wishing to break into your system could connect to your ssh server and repeatedly enter user names and passwords in an attempt to find a valid combination. A more secure way to allow ssh access is called RSA Authentication and involves the copying of an ssh key from the client to the server. See the [[SME_Server:Documentation:User_Manual:Chapter1#Securing_SSH_With_Public_.2F_Private_Keys| User Manual ]] for details
 +
* TCP Port for secure shell access - Change the port the ssh client connects to the server, choose a  random free port eg. 822 This provides some protection from attacks on the usual port of 22.
   −
For a more detailed description of the PPTP protcol see http://en.wikipedia.org/wiki/Point-to-point_tunneling_protocol}}
+
{{DrawBoxNote|content=By default, only two user names can be used to login remotely to the server: admin (to access the server console) and root (to use the Linux shell). Regular users are not permitted to login to the server itself. If you give another user the ability to login remotely to the server, you will need to access the underlying Linux operating system and manually change the user's shell.}}
    +
* SSH clients
 +
A number of different free software programs provide ssh clients for use in a Windows, Macintosh or Linux environment. Several are extensions of existing telnet programs that include ssh functionality. Two different lists of known clients can be found online at http://www.openssh.com/windows.html and http://www.freessh.org/.
   −
{{DrawBoxWarning|content=To protect your network, the SME Server enforces the use of 128-bit encryption for PPTP connections, rather than the 40-bit encryption provided in earlier versions of Microsoft's PPTP software. If you are unable to establish a PPTP connection to your server, you should visit http://windowsupdate.microsoft.com/ and download the appropriate update. Due to the dynamic nature of Microsoft's web site, the page may appear differently depending upon the version of Windows you are using. In most cases, you will want to look or search for Virtual Private Networking or a Dial Up Networking 128-bit encryption update . You may need to install the 40-bit encryption update first, and then install the 128-bit encryption update. Note that with Microsoft's ActiveUpdate process, if you are not presented with the choice for this update, it is most likely already installed in your system.}}
+
A commercial ssh client is available from SSH Communications Security at: http://www.ssh.com/products/ssh/download.html. Note that the client is free for evaluation, academic and certain non-commercial uses.
    
=====FTP=====
 
=====FTP=====
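Review bot: the reorganised PPTP section silently drops the DrawBoxNote that begins "Your connection to the Internet needs to be established first before you initiate the PPTP connection" (it appears only on the old side of the diff, with no replacement), and the edit summary "organise access methods in same order as panel, add detail" does not mention a removal; either restore that note under the new "===== PPTP (VPN) =====" heading or state in the summary that it was dropped on purpose. Smaller points carried into the new text: "PPTP protcol" in the Wikipedia link sentence should be "protocol", "add it's IP and the netmask" should read "its IP", and the TCP port bullet still runs "choose a  random free port eg. 822 This provides" with a double space and no punctuation before "This". The new "* SSH clients" bullet sits in the same list as the three Yes/No configuration options and reads as a fourth setting; keeping it as a heading (the old side used "======SSH clients for Windows and Macintosh systems======") or a plain paragraph lead-in would keep it distinct from the settings. The Remote Management example "223.102.19.24  255.255.255.255" is a good illustration of a single host; it would help readers to say explicitly that the host mask is the narrowest allowed entry and that a wider netmask opens /server-manager to every address in that range.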
