Zentyal 2.2 Official Documentation

01. INTRODUCTION

01.01 Presentation

SMBs and ICT

About 99% of companies in the world are small and medium businesses (SMBs). They generate more than half of the global GDP. SMBs constantly look for ways to reduce costs and increase productivity, especially in times of crisis like the one we are currently facing. However, they often operate under very limited budgets and with limited workforces. These circumstances make it extremely challenging to offer suitable solutions that bring important benefits while keeping investments and operational costs within budget. Perhaps this is the reason why, despite being an enormous market with almost infinite potential, technology vendors have traditionally shown scarce interest in developing solutions that adapt to the needs of SMBs. In general, the enterprise solutions available on the market have been developed for large corporations, and therefore their implementation requires considerable investments of time and resources, as well as a high level of expertise.

In the server market, this has meant that until now SMBs have had few solutions to choose from and, in addition, the available solutions have usually been too large considering the real needs of SMBs: too complex to manage and with high licensing costs. In this context it seems reasonable to consider Linux as a more than interesting SMB server alternative, since technically it has shown very high quality and functionality. The acquisition price, free, is unbeatable. However, the presence of Linux in SMB environments is symbolic and its growth is relatively small. How is this possible? The reason is simple: to adapt an enterprise-level server to an SMB environment, the components must be well integrated and easy to administer. SMBs don't have the resources or the time required to deploy high-performance but complex solutions.
Similarly, the ICT service providers that work for SMBs also need server solutions that require low deployment and maintenance time to stay competitive. Traditional Linux server distributions don't offer these characteristics.

Zentyal: Linux server for SMBs

Zentyal [1] was developed with the aim of bringing Linux closer to SMBs and allowing them to make the most of its potential as a corporate server. Based on the popular Ubuntu Linux distribution, Zentyal has become the open source alternative to Windows Small Business Server. Zentyal allows ICT professionals to manage all network services, such as Internet access, network security, resource sharing, network infrastructure or communications, in an easy way via one single platform.

Figure: Zentyal allows the network to be managed in an easy way

During its development, the focus has been put on usability. Zentyal offers an intuitive interface that includes the most frequently needed features, although there are other, sometimes more complex, methods to carry out all kinds of configuration. Importantly, Zentyal incorporates independent applications into fully integrated functions, automating most tasks. This is designed to save systems management time. Given that 42% of security issues and 80% of service outages in companies are due to human error in the configuration and administration of these systems [2], Zentyal is a solution that is not only easier to manage, but also more secure and reliable. Besides bringing Linux and open source to SMBs, providing them with significant savings, Zentyal improves the security and availability of network services within companies.

Zentyal development began in 2004 under the name of eBox Platform, and it has grown to become a widely used and highly recognised solution. The platform integrates over 35 open source system and network management tools into a single technology.
Zentyal has been included in Ubuntu since 2007, it is downloaded 1,000 times every day and has an active community of more than 5,000 members. There are over 50,000 active Zentyal installations, mainly in America and Europe, although its use extends to virtually every country on earth. The US, Germany, Spain, Brazil and Russia are the countries with most installations. Zentyal is mainly used in SMBs, but also in other environments such as schools, governments, hospitals and even in prestigious institutions such as NASA.

Zentyal development is funded by eBox Technologies, which also offers management tools and services designed to reduce the maintenance costs of ICT infrastructures. These commercial tools and services are offered through subscriptions to Zentyal Cloud and include:
• quality assured system updates,
• alerts on events in the server,
• reports on the system usage,
• monitoring and central administration of multiple Zentyal servers.

Figure: Zentyal Cloud offers an enterprise-level network which is always up-to-date and secure

Subscription services are aimed at two clearly different types of customers. On one hand, the Professional Subscription is aimed at small businesses and ICT providers with a limited number of Zentyal servers which always need to be kept up-to-date and running, and that benefit from system updates, alerts and reports. Alternatively, the Enterprise Subscription is aimed at large businesses or managed service providers who in addition need to remotely monitor and manage multiple Zentyal installations. Also, customers with a commercial server subscription can access additional subscription services such as disaster recovery, advanced security updates, technical support or Zarafa subscriptions. These subscription services are complemented with additional services such as training, deployment and/or maintenance support, usually provided by certified Zentyal partners.
Zentyal has a rapidly growing Global Partner Network that allows the company to offer the products and necessary services to SMBs all over the world. The most typical Zentyal partners are local ICT support and service providers, consultants and managed service providers that offer consultancy, deployment, support and full outsourcing of infrastructure and network services to their customers. For more information regarding the benefits and how to become a partner, please visit the Partner section at zentyal.com [3].

The combination of the server and subscription services provides significant benefits that translate into savings higher than 50% of the total cost of installation and maintenance of an SMB server, when comparing the costs of a Zentyal server installation with the costs of a typical Windows Small Business Server installation.

[1] http://www.zentyal.com/
[2] http://enise.inteco.es/images/stories/Ponencias/T25/marcos%20polanco.pdf
[3] http://www.zentyal.com/partners/

About this documentation

This documentation describes the main technical features of Zentyal, helping you to understand the way you can configure different network services with Zentyal and become productive when managing SMB ICT infrastructure with Linux based systems.

The documentation is divided into seven chapters plus some appendices. This first introductory chapter helps to understand the context of Zentyal as well as the installation process, and walks you through the first steps required to use the system. The following five chapters introduce you to the five typical installation profiles: Zentyal as a network infrastructure server, as a server giving access to the Internet or Gateway, as a security server or UTM, as an office server or as a communications server. This differentiation into five functional groups is only made to facilitate the most typical Zentyal deployments; it is also possible to deploy any combination of Zentyal server functionality. Finally, the last chapter describes the tools and services available to carry out and simplify the maintenance of a Zentyal server, ensuring its smooth running, optimising its deployment, resolving incidents and recovering the system in case of a disaster.

01.02 Installation

Generally speaking, Zentyal is meant to be installed exclusively on one (real or virtual) machine. However, this does not prevent you from installing other applications that are not managed through the Zentyal interface. These applications must be manually installed and configured.

Zentyal runs on top of Ubuntu [1] server edition, always on LTS (Long Term Support) [2] versions. For a detailed description of the publication of Ubuntu versions it is recommended you consult the Ubuntu guide: https://wiki.ubuntu.com/Releases

You can install Zentyal in two different ways:
• using the Zentyal installer (recommended option),
• using an existing Ubuntu Server Edition installation.

In the first case the installation and deployment process is easier, as all dependencies reside on a single CD or USB. Another benefit of using the CD or USB is having a graphical environment that allows the use of the web interface from the server itself. In the second case the official Zentyal repositories must be added and the installation continued by installing the modules you are interested in [3].

[1] Ubuntu is a Linux distribution developed by Canonical and the community, focused on laptops, PCs and servers: http://www.ubuntu.com/
[2] LTS has longer support periods: five years instead of three.
[3] For more information about installing from the repository please go to http://trac.zentyal.org/wiki/Document/Documentation/InstallationGuide

Zentyal installer

The Zentyal installer is based on the Ubuntu Server installer. Those already familiar with this installer will also find the installation process very similar. To start with, you choose the installation language; in this example English is chosen.

Figure: Selection of the language

You can install Zentyal by using the default mode, which deletes all disk contents and creates the partitions required by Zentyal by using LVM [4], or you can choose the expert mode, which allows customised partitioning. Most users should choose the default option unless they are installing on a server with software RAID or they want to create special partitioning according to specific requirements.

Figure: Installer start

In the next step choose the language for your system interface. To set the language, you are asked for your country; in this example the United States is chosen.

Figure: Geographical location

You can use automatic detection for setting the keyboard: a few questions are asked to ensure the model you are using is correct. Otherwise, you can select the model manually by choosing No.

Figure: Autodetection of the keyboard

Figure: Selection of the keyboard

If you have more than one network interface, the system will ask which one to use during installation (i.e. for downloading updates). If you have just one, you will not see this question.

Figure: Network interface selection

Now choose a name for your server: this name is important for host identification within the network.

Figure: Hostname

In the next step you are asked for your time zone. It is automatically configured depending on the location chosen earlier on, but you can modify it in case this is incorrect.

Figure: Time zone

Once you have finished these steps, the installation process will start and the progress bar informs you of the installation progress. Afterwards, the administrator name is requested. This user will have administration privileges and, in addition, the same user will be used to access the Zentyal interface.

Figure: System username

In the next step you are asked for the user password. It is important to note that the user defined earlier can access, using the same password, both the system (via SSH or local login) and the Zentyal web interface. Therefore you must be especially careful to choose a secure password (more than 12 characters including letters, numbers and symbols). Any user you later add to the admin group can access the Zentyal interface and has sudo privileges in the system.

Figure: Password

Here, insert the password again to verify it.

Figure: Confirm password

The installation progress bar will now appear. You must wait for the basic system to install. This process can take approximately 20 minutes, depending on the server.

Figure: Installation of the base system

Once installation of the base system is completed, you can eject the installation CD and restart the server.

Figure: Restart

Now your Zentyal system is installed! A graphical interface in a web browser is started and you are able to access the administrative interface. After the first restart the graphical environment was started automatically; from now on you must authenticate before it will begin, logging into the system by inserting the username or login.

Figure: Graphical environment with administrative interface

[4] LVM is the logical volume manager in Linux. You can find an introduction to LVM management in http://www.howtoforge.com/linux_lvm

Initial configuration

When you access the web interface for the first time, you must insert the username and password indicated during the installation process. A configuration wizard will start. To start configuring Zentyal profiles or modules, you can choose the functionality for your system. To simplify this selection, in the upper part of the interface you will find the pre-designed server profiles. You can select any number of profiles to assign multiple roles to your Zentyal server.
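Two checks that follow from the account facts stated in the installer steps above, written as an added example and not taken from the Zentyal documentation or code base: a checker for the documented password rule (more than 12 characters, mixing letters, numbers and symbols) and an audit of who is in the admin group, since every member of that group can reach the Zentyal interface and use sudo. The /etc/group excerpt and the user names in it are constructed for the example.

```python
"""Added example, not part of the Zentyal documentation: two small checks for
the account facts stated in the installer section.  The group data is a
constructed /etc/group excerpt, not taken from a real server."""
import string
from typing import Dict, List

MIN_LENGTH = 13  # the text asks for "more than 12 characters"


def check_password_policy(password: str) -> List[str]:
    """Return the policy violations for an administrator password.

    An empty list means the password satisfies the documented rule: more than
    12 characters, and at least one letter, one digit and one symbol."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    return problems


def parse_group_file(text: str) -> Dict[str, List[str]]:
    """Parse /etc/group lines (name:password:gid:member1,member2) into a
    mapping from group name to its member list."""
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _password, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def zentyal_admins(group_text: str, group: str = "admin") -> List[str]:
    """Accounts that can log in to the Zentyal interface and use sudo: by the
    documented rule that is every member of the admin group, so this is the
    list to review after an installation."""
    return parse_group_file(group_text).get(group, [])


# Constructed sample /etc/group excerpt; the member names are illustrative only.
SAMPLE_GROUP_FILE = """\
root:x:0:
adm:x:4:syslog,jdoe
admin:x:115:jdoe,backup-operator
www-data:x:33:
"""

if __name__ == "__main__":
    print("weak password problems:", check_password_policy("Abc123!"))
    print("admin group members:", zentyal_admins(SAMPLE_GROUP_FILE))
```

On a real server the group text would come from reading /etc/group; the parser ignores comments and blank lines and tolerates groups with no members, which is how most system groups appear.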
Figure: Zentyal profiles

Zentyal profiles available for installation:

Zentyal Gateway: Zentyal will act as a gateway of the local network, offering secure and controlled access to the Internet.

Zentyal Unified Threat Manager: Zentyal protects the local network against any external attacks, intrusions and internal security threats, and enables secure interconnection between local networks via the Internet or another external network.

Zentyal Infrastructure: Zentyal manages the infrastructure of the local network with basic services such as DHCP, DNS, NTP, HTTP server, and so on.

Zentyal Office: Zentyal can act as a server for the shared resources of the local network: files, printers, calendars, contacts, user profiles and groups.

Zentyal Unified Communications: Zentyal can act as a communications centre for the company, handling e-mail, instant messaging and VoIP.

We can also install a manual set of services just by clicking on their icons, without having to comply with any specific profile. Another possibility is to install a profile and then manually add the required extra packages. This selection is not definitive; later you can install and uninstall any of the Zentyal modules via the software management tools. In the example only the Gateway installation profile is used.

Once you have finished the selection, only the necessary additional packages will be installed. In addition, if there are any recommended complementary components, you will be asked if you want to install those too. Additional services available for Zentyal will also be displayed.

Figure: Confirmation and recommended complementary components

The system will begin the installation process of the required modules and you will be shown a progress bar as well as a brief introduction to core Zentyal functions.

Figure: Installation and additional information

Once the installation process has completed, the configuration wizard will configure the new modules and then you are asked some questions. First of all, you are asked for information regarding your network configuration. Then you need to define each network interface as internal or external; in other words, whether it will be used to connect to an external network such as the Internet, or to a local network. Strict firewall policies will be applied to all the traffic coming in through external network interfaces.

Figure: Initial configuration of network interfaces

Next, you must select the type of server you want in the "Users and Groups" module. If you are going to have only one server, you select Stand-alone server. If, on the contrary, you are deploying a master-slave infrastructure with several Zentyal servers and centralised management of users and groups, or if you are interested in synchronising the users with Microsoft Active Directory, then select Advanced configuration. This step is available only if you have installed the Users and Groups module.

Figure: Select a type of server for the Users and Groups module

The last wizard will allow you to subscribe your server to Zentyal Cloud. In case you already have a subscription, you just need to enter your credentials. If you still don't have an account in Zentyal Cloud, it is possible to automatically register a free basic subscription. Both ways, the form will request a name for your server. This is the name that will identify your Zentyal server in the Zentyal Cloud interface.

Figure: Zentyal Cloud subscription wizard

Once you have answered these questions, you will continue to configure all the installed modules. The configuration of the "Users and Groups" module can take a few minutes.

Figure: Saving changes

When the system has finished saving changes, the initial configuration is finished and you get access to the Dashboard: your Zentyal server is now ready!

Figure: Initial configuration is finished

Figure: Dashboard

Hardware requirements

Zentyal runs on standard x86 or x86_64 (64-bit) hardware. However, you must ensure that Ubuntu Lucid 10.04 LTS (kernel 2.6.32) supports the hardware you are going to use. You should be able to check this information directly from the vendor. Otherwise you can check the Ubuntu Linux Hardware Compatibility List [5], the list of servers certified for Ubuntu 10.04 LTS [6], or search in Google.

The Zentyal server hardware requirements depend on the modules you install, how many users will use the services and what their usage patterns are. Some modules have low resource requirements, like Firewall, DHCP or DNS. Others, like Mailfilter or Antivirus, need more RAM memory and CPU. The Proxy and File sharing modules benefit from faster disks due to their intensive I/O usage. A RAID setup gives a higher level of security against hard disk failures and increased speed on read operations.

For a general purpose server with normal usage patterns, these are the recommended minimum requirements:

Zentyal Profile Gateway UTM Infrastructure Office Communications Users <100 <100 <100 <100 <100 CPU P4 or equivalent P4 or equivalent P4 or equivalent P4 or equivalent Memory Disk Network cards 2G 80G 2 or more 160G 2 or more 80G 1 160G 1 80G 1 160G 1 250G 1 500G 1 250G 1 500G 1 2G 1G 2G 1G 100 or more Xeon Dual core or equivalent 4G 100 or more Xeon Dual core or equivalent 4G 100 or more P4 or equivalent 100 or more Xeon Dual core or equivalent 2G Xeon Dual core or equivalent 4G 100 or more Xeon Dual core or equivalent 8G

Table: Hardware requirements table

When combining more than one profile, you should think in terms of higher requirements. If you are deploying Zentyal in an environment with more than 100 users, a more detailed analysis should be done, including usage patterns, benchmarking and considering high availability strategies.

If you use Zentyal as a gateway or firewall, you will need at least two network cards, but if you use it as a standalone server, one network card is enough. If you have two or more Internet connections, use one network card for each router or connect them to one network card, keeping them in the same subnet. VLAN is also an option. Also, it is always recommended that a UPS is deployed along with the server.

[5] http://www.ubuntu.com/certification/catalog
[6] http://www.ubuntu.com/certification/release/10.04%20LTS/servers/
01.03 First steps with Zentyal

Administrative web interface of Zentyal

Once you have installed Zentyal, you can access the administrative web interface of Zentyal both through its own graphical environment included in the installer and from anywhere on the internal network, using the address https://ip_address/, where ip_address is the IP address or the hostname on which Zentyal is installed. Because access is through HTTPS, the first time it is accessed the browser will ask you whether you trust the site. You simply accept the self-generated certificate.

Warning: To access the web interface, you must use Mozilla Firefox. Please note that other browsers such as Microsoft Internet Explorer are not supported.

The first screen asks for the username and password. The user created during the installation and any other user of the admin group can authenticate as administrator.

Figure: Login

Once authenticated, you will see the administrative interface; this is divided into three main parts:

Left side menu: Contains links to all the services that can be configured by using Zentyal, separated into categories. When you select a service in this menu, a sub menu might appear to configure a particular requirement in the selected service.

Figure: Side menu

Top menu: Contains actions: save the changes made in the contents to ensure the changes are effective, and log out.

Figure: Top menu

Main content: The content that occupies the central part consists of one or more forms or tables with information about the service configuration that is selected through the left side menu and its sub menus. Sometimes, at the top, you can see a bar with tabs: each tab represents a different subsection within the section you have accessed.

Figure: Contents of a form

Dashboard

The Dashboard is the initial interface screen. It contains a series of widgets that can be configured. You can reorganise the widgets at any time by clicking on their titles and dragging them. By clicking on Configure Widgets the interface changes, allowing you to remove and add new widgets. To add a new widget, you need to search for it using the top menu and drag it to the central section. To remove a widget, click on the X in the upper right corner of the window.

Figure: Dashboard configuration

One of the important widgets in the Dashboard displays the status of all modules installed on Zentyal.

Figure: Widget showing the status of the modules

The image shows the status of a service and the action you can carry out for this service. The different statuses are:

Running: The service is running and listening to client connections. You can restart the service by clicking on Restart.

Running unmanaged: If you haven't enabled the module yet, it will be running with the default configuration set by the distribution. You can restart the service using Restart.

Stopped: The service is stopped, either because the administrator has stopped it or because a problem has occurred.

Disabled: The module has been explicitly disabled by the administrator.

Configuration of the module status

Zentyal uses a modular design in which each module manages a different service. To configure each of these services you must enable the corresponding module from Module Status. All those functions that have been selected during the installation will be enabled automatically.

Figure: Configuration of the status module

Each module may have dependencies on other modules in order to work. For instance, the DHCP module needs to have the network module enabled so that it can serve IP addresses through the configured network interfaces. The dependencies are shown in the Depends column and, until these are enabled, you can't enable the module. The first time you enable a module, you are asked to accept the set of actions that will be carried out and the configuration files that will be overwritten. After you have accepted all the actions and listed files, you must save changes in order to apply the configuration.

Figure: Confirmation to enable a module

Applying the configuration changes

An important feature to consider when working with Zentyal is the way configuration changes are applied when made through the interface. Initially, changes must be accepted in the form; then, to make these changes effective and apply them permanently, you must click on Save Changes in the top menu. This button will change to red if there are any unsaved changes. Failure to follow this procedure will result in the loss of all changes made during the session once you end it. An exception to this rule is the users and groups management: here the changes are applied directly.

Figure: Save Changes

Warning: If you change the network interface configuration, the firewall or the administrative interface port, you might lose the connection. If this is the case you should change the URL in the browser or reconfigure through the local GUI.

General configuration

There are several parameters in the general configuration of Zentyal that can be modified in System ‣ General.

Figure: General configuration

Password: You can change the password of a user. It is necessary to introduce his/her Username, Current password, New password and to confirm the password again in the Change password section.

Language: You can change the interface language using Select a language.

Administrative interface port: By default it is the HTTPS port, 443, but if you want to use that port for the web server, you must change it to another port and specify it in the URL when you access https://ip_address:port/.

Hostname: It is possible to change the hostname, for example zentyal.home.lan. The hostname is helpful so the server can be identified from other hosts in the same network.

Date and Time: You can specify the date and time for the server, as long as you are not synchronising automatically with an external NTP server.

Time Zone: You can specify city and country to adjust your time zone offset.

Location in a Zentyal network

Zentyal can be used in two fundamental ways:
• gateway and firewall for the Internet connection,
• server for network (local or Internet) services.
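The Module Status rule described above (a module cannot be enabled until every module in its Depends column is enabled) is, in effect, a dependency graph. The following added example, which is not Zentyal code, shows the two operations an administrator or an automation script needs over such a graph: listing what still blocks a module, and computing an enable order that satisfies every dependency. The dependency map is constructed; the only edge taken from the text is DHCP depending on network, the rest are assumptions made for the example.

```python
"""Added example, not from Zentyal's code base: model of the Module Status
dependency rule.  The dependency map is constructed; only "dhcp -> network"
is taken from the documentation text, the other edges are assumptions."""
from typing import Dict, List, Set

# Constructed map: module -> modules listed in its Depends column.
DEPENDS: Dict[str, List[str]] = {
    "network": [],
    "firewall": ["network"],
    "dhcp": ["network"],              # the example given in the text
    "dns": ["network"],
    "squid": ["network", "firewall"],  # assumed edge for illustration
}


def missing_dependencies(module: str, enabled: Set[str],
                         depends: Dict[str, List[str]] = DEPENDS) -> List[str]:
    """Dependencies that must be enabled before `module` can be enabled.

    An empty list means the module's Depends column is satisfied."""
    return [d for d in depends.get(module, []) if d not in enabled]


def enable_order(wanted: List[str],
                 depends: Dict[str, List[str]] = DEPENDS) -> List[str]:
    """Order in which to enable `wanted` and their transitive dependencies so
    that every module is reached only after its dependencies (a depth-first
    topological sort).  Raises ValueError on an unknown module or a cycle."""
    order: List[str] = []
    state: Dict[str, str] = {}  # module -> "visiting" | "done"

    def visit(module: str) -> None:
        if module not in depends:
            raise ValueError(f"unknown module: {module}")
        if state.get(module) == "done":
            return
        if state.get(module) == "visiting":
            raise ValueError(f"dependency cycle at {module}")
        state[module] = "visiting"
        for dep in depends[module]:
            visit(dep)
        state[module] = "done"
        order.append(module)

    for module in wanted:
        visit(module)
    return order


if __name__ == "__main__":
    print("dhcp blocked by:", missing_dependencies("dhcp", set()))
    print("enable in this order:", enable_order(["squid", "dhcp"]))
```

Enabling modules in the returned order means each "confirm actions and overwritten files" prompt appears for a module whose dependencies are already enabled, which is exactly the state the interface requires before it lets you tick the module.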
In both cases Zentyal works either as a link between networks or as a server within the network itself. You can decide to install everything on a single host or to separate the different services into several hosts, depending on the requirements of each deployment. The image "Locations in the network" shows the different locations a Zentyal server can take within a network.

Figure: Locations in the network

In this documentation you will find out how to configure Zentyal as a gateway and firewall connected to a local network. And of course you will also see how to configure Zentyal when it acts as another server within a network.

Network configuration with Zentyal

Through Network ‣ Interfaces you can access the configuration of each network card detected by the system, and you can select between a static configuration (manually configured), dynamic (DHCP configuration), VLAN (802.1Q) trunk, PPPoE or bridged. In addition, you can define each interface as External if it is connected to an external network, such as the Internet, in order to apply stricter firewall policies. If you don't do this, the interface is considered internal.

When you configure an interface to use DHCP, not only do you configure the IP address, but also the DNS servers and gateway. This is usual for hosts within the local network or for external interfaces connected to ADSL routers.

Figure: DHCP configuration of the network interface

If you decide to configure a static interface you must specify the IP address and the network mask. You can also associate one or more Virtual Interfaces to this real interface to use additional IP addresses. These additional addresses are useful to provide a service on more than one IP address or subnetwork, to facilitate the migration from a previous scenario, or to have a web server with different domains using SSL certificates.

Figure: Static configuration of the network interface

If you use an ADSL router with PPPoE [1] (a connection method used by some Internet providers), you can also configure this type of connection. To do this, you only have to select PPPoE and introduce the Username and Password supplied by your provider.

Figure: PPPoE configuration of the network interface

If you connect the server to one or more VLAN networks, select Trunk (802.1Q). Once selected, using this method you can create as many interfaces associated to the defined tag as you wish and treat them as if they were real interfaces. The VLAN network infrastructure allows you to segment the local network to improve performance and security, without the need to invest in the hardware that would usually be necessary to create each segment.

Figure: VLAN configuration of the network interface

The bridged mode consists of associating two physical network interfaces attached to your server that are connected to two different networks; for example, one card connected to the router and another card connected to the local network. By using this association you can redirect the network traffic transparently from one card to the other. The main advantage here is that client configurations do not need changing when the Zentyal server gateway is deployed. Traffic that passes through the server can be managed using content filtering or the intrusion detection system, even though the traffic moves through in transparent mode. You can create this association by changing the interface to Bridged network; you can see how by choosing this option for a new Bridged network. You can then choose the group of interfaces you want to associate to this interface.

Figure: Configuration of bridged interfaces

This will create a new virtual bridge interface which will have its own configuration, like a real interface, and therefore it can be used to offer other services such as the administrative interface of Zentyal or a file server.

Figure: Creation of a bridge

Configuration of gateways

In case you need to configure the network interface manually, define the gateway to the Internet using Network ‣ Gateways. Normally this is automatic if DHCP or PPPoE is in use, but not in all other cases. For each gateway you can indicate the Name, IP address, Interface to which it is connected, the Weight (which defines the priority compared with other gateways) and whether it is the Predeterminated (default) one among all of them.

Figure: Configuration of gateways

In addition, if an HTTP proxy is required for Internet access, you can also configure this in this section. This proxy will be used by Zentyal for its own connections, such as the update and installation of packages or the update of the anti-virus data files.

To allow the system to resolve domain names, you must indicate the address of one or several name servers in Network ‣ DNS.

Figure: Configuration of DNS servers

If the Internet connection assigns a dynamic IP address and you need a domain name to redirect to it, you need a provider of dynamic DNS. By using Zentyal you can configure some of the most popular providers of dynamic DNS. To do this, you must select Network ‣ DynDNS, where you can choose the Service provider, Username, Password and the Hostname which needs updating when the public address changes. Finally select Enable dynamic DNS.

Figure: Configuration of Dynamic DNS

Zentyal connects to the provider to obtain its public IP address, avoiding any translation of the network address (NAT) between the server and the Internet. If you are using this feature in the multirouter [2] scenario, you must not forget to create a rule to ensure the connections to the provider always use the same gateway.

[1] http://en.wikipedia.org/wiki/PPPoE
[2] Check "Configuring traffic balancing with Zentyal" for more details.

Network diagnosis

To check that the network has been configured correctly, you can use the tools available in Network ‣ Diagnosis. Ping is a tool that uses the ICMP network diagnosis protocol to observe whether a particular remote host is reachable by means of a simple "echo request".

Figure: Network diagnosis tools, ping

You can also use the traceroute tool, which is used to determine the route taken by packets across different networks until they reach a given remote host.

Figure: Tool traceroute

Also, you can use the domain name resolution tool, which is used to verify the correct functioning of the name service.

Figure: Domain name resolution
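Several of the Network ‣ Interfaces and Network ‣ Gateways settings described above can be cross-checked before saving changes, which matters because a wrong interface or gateway definition is one of the ways to lose the administrative connection. The following added example (not Zentyal code) validates a constructed set of interface and gateway records: netmask sanity, duplicate virtual addresses, the 802.1Q tag range, gateways that are not on-link for their interface, and the presence of exactly one default gateway. The record layout (dictionary keys) and all addresses are assumptions made for the example.

```python
"""Added example, not Zentyal code: consistency checks for interface and
gateway definitions using only the standard library.  The record schema
(dictionary keys) and the sample addresses are constructed for the example."""
import ipaddress
from typing import Dict, List

# Constructed sample definitions (documentation ranges, not a real deployment).
INTERFACES = [
    {"name": "eth0", "address": "203.0.113.10", "netmask": "255.255.255.248",
     "virtual": ["203.0.113.11"], "external": True},
    {"name": "eth1", "address": "192.168.1.1", "netmask": "255.255.255.0",
     "virtual": ["192.168.1.2", "192.168.1.1"], "external": False},  # duplicate on purpose
    {"name": "eth1.10", "address": "10.10.0.1", "netmask": "255.255.255.0",
     "vlan": 10, "external": False},
]
GATEWAYS = [
    {"name": "isp", "ip": "203.0.113.9", "interface": "eth0", "weight": 1, "default": True},
    {"name": "wrong", "ip": "10.0.0.1", "interface": "eth1", "weight": 1, "default": False},
]


def interface_network(iface: Dict) -> ipaddress.IPv4Network:
    """Subnet an interface sits on; raises ValueError for a bad address/netmask."""
    return ipaddress.ip_interface(f"{iface['address']}/{iface['netmask']}").network


def check_interface(iface: Dict) -> List[str]:
    """Problems with one static interface definition (empty list = consistent)."""
    problems: List[str] = []
    try:
        interface_network(iface)
    except ValueError as exc:
        return [f"{iface['name']}: invalid address/netmask ({exc})"]
    seen = {ipaddress.ip_address(iface["address"])}
    for extra in iface.get("virtual", []):  # virtual interfaces add addresses
        addr = ipaddress.ip_address(extra)
        if addr in seen:
            problems.append(f"{iface['name']}: virtual address {addr} duplicates another address")
        seen.add(addr)
    vlan = iface.get("vlan")
    if vlan is not None and not 1 <= vlan <= 4094:  # valid 802.1Q tag range
        problems.append(f"{iface['name']}: VLAN tag {vlan} outside 1-4094")
    return problems


def check_gateways(interfaces: List[Dict], gateways: List[Dict]) -> List[str]:
    """A gateway must be on-link for the interface it is attached to, and
    exactly one gateway should be marked as the default one."""
    nets = {i["name"]: interface_network(i) for i in interfaces}
    problems: List[str] = []
    for gw in gateways:
        net = nets.get(gw["interface"])
        if net is None:
            problems.append(f"{gw['name']}: unknown interface {gw['interface']}")
        elif ipaddress.ip_address(gw["ip"]) not in net:
            problems.append(f"{gw['name']}: {gw['ip']} is not within {net} on {gw['interface']}")
    defaults = [gw["name"] for gw in gateways if gw.get("default")]
    if len(defaults) != 1:
        problems.append(f"expected exactly one default gateway, found {defaults}")
    return problems


def audit(interfaces: List[Dict], gateways: List[Dict]) -> List[str]:
    """All problems found in the interface and gateway definitions."""
    found: List[str] = []
    for iface in interfaces:
        found.extend(check_interface(iface))
    found.extend(check_gateways(interfaces, gateways))
    return found


if __name__ == "__main__":
    for problem in audit(INTERFACES, GATEWAYS):
        print("problem:", problem)
```

The external/internal flag is deliberately not judged by the script: which networks are trusted is a deployment decision, and the only automatic consequence the text describes is that external interfaces receive the stricter firewall policy.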
you can use the tools available in Network ‣ Diagnosis. . Tool traceroute .Network diagnosis tools. ping You can also use the traceroute tool that is used to determine the route taken by packages across different networks until they reach a given remote host. which is used to verify the correct functioning of the name service. you can use the domain name resolution tool.Also. Domain name resolution . . However. a web interface is provided to simplify the process.ubuntu. APT [1].com/10.org/Apt For a more extensive explanation on how to install software packages in Ubuntu. Zentyal distributes its software as packages and it uses Ubuntu’s standard tool.01.debian. mainly to correct potential security flaws. either to add new features or to fix defects or system failures. Zentyal server requires periodic updates.html The web interface allows checking for new available versions of Zentyal components and installing them in a simple way. in order to ease this task.04/serverguide/C/package-management. [2] Advanced Packaging Tool (APT) is a system for the management of software packages created by [1] the Debian Project which greatly simplifies the installation and removal of programs on Linux http://wiki.04 Software updates Like any other software system. It also allows you to update the software supporting Zentyal. please read the [2] chapter on package management in Ubuntu’s official documentation https://help. Management of Zentyal components The management of Zentyal components allows you to install. update and delete Zentyal modules. To manage Zentyal components you must access Software Management -> Zentyal components. Management of Zentyal components . Component update The following tag. On this view. Update list. Updating and Deleting Zentyal components. To install the required components. In a similar way as with the previous view. on which you can install package collections depending on the role of the server you are setting up. Apart from this feature. 
When entering this section you will see the advanced view of the package manager. Apart from this feature, there is an option to change to basic mode, which you might have seen already during the installation process, on which you can install package collections depending on the role of the server you are setting up.

Getting back to the advanced view, let's view in detail the actions that are available. This view has three tabs, each one for the actions of Installing, Updating and Deleting Zentyal components.

Component installation

This is the visible tab when you enter the component management section. There are three columns here: one for the component name, another for the version currently available in the repositories and a third to select the component. To install the required components, simply select them and click on the Install button. You will then be taken to a page with a complete list of the packages to be installed, as well as some recommendations that, although not being required dependencies, can improve or increase the options of the installed components, like antivirus or filtering services.

Figure: Confirm the installation

In the lower part of the table you can view the buttons to Install, Update list, Select all and Deselect all. The Update list button synchronises the list of packages with the repositories.

Component update

The following tab, Update, shows between brackets the number of available updates. In a similar way as with the previous view, a list of packages that can be upgraded is displayed. An additional column indicates the version currently installed, and in the bottom of the table you can see a button which can be clicked to select packages to upgrade. As with the installation of components, access to a confirmation screen showing the packages to be installed is available.

Component deletion

The last tab, Delete, shows a table with the installed packages and their versions. This section is organised in a similar way to the installation view, with only some minor differences. Just like in the previous examples, select the packages on which to perform the action and press the appropriate button: you can select packages to uninstall and then click the Delete button in the lower left part of the table to complete the action. Before performing the action, Zentyal will ask for confirmation before deleting the selected packages and their dependencies.

System Updates

The system updates section performs the updating of third party software used by Zentyal. These programs are referenced as dependencies, ensuring that when installing Zentyal, or any of the required modules, they are also installed. This guarantees the correct operation of the server. Similarly, these programs may have dependencies too. Usually the update of a dependency is not important enough to create a new Zentyal package with new dependencies, but it may be interesting to install it in order to use its improvements or its patches to fix security flaws.

To see the system updates you must go to Software Management ‣ System Updates. Here you can see whether your system is already updated or not. Every night a process is executed to search for available updates for the system. If you install packages on the server without using the web interface, this data may be outdated. Therefore, such a search can be forced by clicking on the button Update list on the lower part of the page.

Figure: System Updates

For each update, you can determine whether it is a security update using the information icon. If it is a security update, the details about the security flaw included in the package changelog will be displayed by clicking on the icon. If you want to perform an update, select the packages on which to perform the action and press the appropriate button. As a shortcut, the button Update all packages can be used. Status messages will be displayed during the update operation.

Automatic updates

Automatic updates allow Zentyal server to automatically install any updates available. This feature can be enabled by accessing the page Software Management ‣ Settings.

Figure: Automatic updates management

On that page you can also choose the time of the day during which these updates will be performed. It is not advisable to use this option if the administrator needs to keep a higher level of security and control for the management of updates.
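The distinction the System Updates page draws between security updates and other updates can also be made from the command line. The following script is an added example, not part of the Zentyal documentation or code base: it parses the simulation output of `apt-get -s upgrade` (the `Inst <pkg> [<old>] (<new> <origins> [<arch>])` line format is assumed) and flags packages that come from a `-security` pocket. The sample output embedded in the block is constructed, not captured from a real server.

```python
"""Flag which pending APT upgrades are security updates.

Added example, not Zentyal code. It parses `apt-get -s upgrade` simulation
output and marks packages whose archive is a "-security" pocket, which is
the same distinction the System Updates page makes with its information
icon. SAMPLE_APT_OUTPUT is constructed sample data.
"""
import re
from typing import List, NamedTuple

# Constructed sample of `apt-get -s upgrade` output (assumed format:
# one "Inst <pkg> [<old>] (<new> <origins> [<arch>])" line per package).
SAMPLE_APT_OUTPUT = """\
Reading package lists...
Building dependency tree...
Inst libssl0.9.8 [0.9.8k-7ubuntu8.5] (0.9.8k-7ubuntu8.6 Ubuntu:10.04/lucid-security [amd64])
Inst zentyal-core [2.2.1] (2.2.2 Zentyal:2.2/lucid [all])
Inst bind9 [1:9.7.0.dfsg.P1-1ubuntu0.1] (1:9.7.0.dfsg.P1-1ubuntu0.2 Ubuntu:10.04/lucid-updates, Ubuntu:10.04/lucid-security [amd64])
Inst apache2.2-common [2.2.14-5ubuntu8.4] (2.2.14-5ubuntu8.7 Ubuntu:10.04/lucid-updates [amd64])
Conf libssl0.9.8 (0.9.8k-7ubuntu8.6 Ubuntu:10.04/lucid-security [amd64])
"""

# The bracketed old version is absent when a package is newly installed.
_INST_RE = re.compile(
    r"^Inst (?P<name>\S+)(?: \[(?P<old>[^\]]+)\])? "
    r"\((?P<new>\S+) (?P<origins>.+?) \[(?P<arch>[^\]]+)\]\)$"
)


class PendingUpdate(NamedTuple):
    name: str
    old_version: str
    new_version: str
    origins: str
    security: bool


def _is_security_origin(origins: str) -> bool:
    """True if any archive the package comes from is a *-security pocket."""
    for origin in origins.split(","):
        suite = origin.strip().split("/")[-1]
        if suite.endswith("-security"):
            return True
    return False


def parse_pending_updates(apt_output: str) -> List[PendingUpdate]:
    """Turn the "Inst" lines of the simulation into PendingUpdate records."""
    updates = []
    for line in apt_output.splitlines():
        m = _INST_RE.match(line)
        if not m:
            continue  # "Conf", "Remv" and progress lines are not installs
        updates.append(PendingUpdate(
            name=m.group("name"),
            old_version=m.group("old") or "",
            new_version=m.group("new"),
            origins=m.group("origins"),
            security=_is_security_origin(m.group("origins")),
        ))
    return updates


def security_updates(apt_output: str) -> List[str]:
    """Names of the pending updates that come from a security pocket."""
    return [u.name for u in parse_pending_updates(apt_output) if u.security]


if __name__ == "__main__":
    for u in parse_pending_updates(SAMPLE_APT_OUTPUT):
        tag = "SECURITY" if u.security else "regular "
        print(f"{tag} {u.name}: {u.old_version} -> {u.new_version}  ({u.origins})")
```

A package listed with several origins (as `bind9` is in the constructed sample) counts as a security update if any of them is a security pocket; the real check behind the web interface's icon is the package changelog, which this script does not read.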
01.05 Zentyal Cloud Client

About Zentyal Cloud

Zentyal Cloud is a solution that provides automatic maintenance of servers, as well as realtime monitoring and centralised management of multiple Zentyal installations. It offers features such as, for example, quality assured software updates, advanced security updates, security audits, disaster recovery, network inventory, network monitoring and remote, centralised and secure management of groups of servers [1]. Please remember that Zentyal servers in production environments should always have a commercial subscription to guarantee maximum security and system uptime [2].

If you don't have a commercial Zentyal Cloud subscription, an account purchased from the Zentyal Online Store, you can still register a free Basic Subscription, aimed at testing environments. This gives you a preview of Zentyal Cloud and access to some limited features, such as basic alerts, reports and remote monitoring and management options. It also allows you to store one remote configuration backup, create a zentyal.me subdomain for your server and see your Zentyal server name in the web browser tab.

In the following pages, you will learn how to subscribe your server to Zentyal Cloud with a Basic Subscription and you will see the additional functionality and services the Basic Subscription and Zentyal Cloud offer.

[1] http://www.zentyal.com/services/
[2] http://www.zentyal.com/services/subscriptions/

Subscribing Zentyal server to Zentyal Cloud (Basic Subscription)

To subscribe your Zentyal server to Zentyal Cloud, you must first install the Zentyal Cloud Client component. This is installed by default if you used the Zentyal installer. In addition to this, an Internet connection should be available. You can register your Basic Subscription during installation or later from the Subscription ‣ Server Subscription menu. By default, you will see the form to enter the credentials of an existing account. Otherwise, register a new Zentyal Cloud account by clicking on the Basic Subscription link that you can find in the first green information box.

Figure: Registering a new account using the Wizard

Figure: Enter the credentials for the existing account

User Name or Email Address: You must set the user name or the email address you use to sign in to the Zentyal Cloud Web site.

Password: The same password you use to sign in to the Zentyal Cloud Web site.

Zentyal name: Unique name for this server that will be used within the Zentyal Cloud. This name is displayed in the control panel and it must be a valid domain name. Each server should have a different name; if two servers use the same name for connecting to the Cloud, only one will be able to connect. Additionally, this 'hostname' will be added to the dynamic domain 'zentyal.me'; thus, using the address '<yourzentyal>.zentyal.me' you can connect both to the administration page and to the SSH console (as long as you have allowed this type of connection in your Firewall).

The Server name field will be used as the title of the administration webpage of this Zentyal server, so you can quickly check which hosts you are using if you have several interfaces open at the same time in your browser.

After you have entered your data, click on the Subscribe button. The subscription will take around two minutes to complete. Make sure that you save changes after this process. During the registration process, the VPN [3] module will be enabled; thus, a VPN connection between the server and Zentyal Cloud is established.

[3] For more information about VPN, see the Virtual private network (VPN) service with OpenVPN section.

If the connection to Zentyal Cloud was successful, you will be able to see a Zentyal Cloud widget in the dashboard with the following info.

Figure: Zentyal Cloud connection widget

After a while, in this widget, you will be able to see the subscription level and the rest of the purchased services, if any.

Configuration backup in Zentyal Cloud

One of the features of Zentyal Cloud is automatic configuration backup of your Zentyal server, stored in the cloud, to improve the disaster recovery process. The configuration backup is made on a daily basis if there is any change in the Zentyal server configuration. The free Basic Subscription allows you to save one configuration backup remotely. If you have a commercial subscription (Professional or Enterprise Subscription), you can save up to seven different configuration backups.

You can make manual configuration backups if you want to make sure there is a backup of your last configuration changes. You can do this from System ‣ Import/Export configuration and then clicking on the tab Remote in Zentyal Cloud.

Figure: Remote configuration backup

You can restore, download or delete the configuration backups that are stored in Zentyal Cloud. Additionally, you can restore or download the configuration from other subscribed Zentyal servers using the same account. To do this, go to the System ‣ Import/Export configuration ‣ Remote in Zentyal Cloud from other subscribed hosts menu.

Figure: Restoring configuration backup

Other available services in the Basic Subscription

Once your server is subscribed with the Basic Subscription, visit the Zentyal Cloud and try a reduced demo version of the Zentyal Cloud services. After accessing the Zentyal Cloud webpage [4] and entering your login details, you can see the following welcome page:

Figure: Zentyal Cloud's web panel

[4] https://cloud.zentyal.com

Your basic subscription will provide you the following features:

Basic Alerts

Basic alerts give you access to alerts regarding:

Zentyal connectivity: An alert is sent each time the server loses the connection with the Cloud. This may be caused by a network failure or event, or by a complete system failure.
Available updates: An alert is sent each time new security updates are available.
First configuration backup: You are notified when your first configuration backup is successfully completed.
Automatic backup: An alert is sent each time the backup process has failed to complete.

Basic Reports

Basic monthly reports summarise the following data:
• Disk use average.
• Internet connection uptime.
• Network speed test.
• Alerts summary.

Basic Jobs

Basic jobs you can run from the Zentyal Cloud include:
• Check current Linux kernel version.
• Report current system status (processes, memory and swap usage and uptime).
• Add a user.

Basic Monitoring

Basic monitoring graphics related to hardware performance include:
• System load.
• CPU usage.
• Memory usage.
• Disk space usage.

Hostname added to dynamic domain zentyal.me

A zentyal.me subdomain for your server with multigateway support and with up to 3 aliases.

Hostname in browser tab

Distinguish Zentyal servers by their name in the web browser tab.

Please note that the free Basic Subscription gives you access only to a limited set of Zentyal Cloud features. For information about the features included in the Professional and Enterprise Subscriptions, check out the Zentyal website [5] or the Zentyal Cloud documentation [6].

[5] http://www.zentyal.com/services/subscriptions/
[6] https://cloud.zentyal.com/doc/
Zentyal Infrastructure

02.01 Zentyal Infrastructure

This section explains several of the services used to manage the infrastructure of your local network and to optimise internal traffic. These services include automatic network configuration, domain management, time synchronisation, publication of internal Web sites, the management of a certification authority and virtual machines.

The DHCP service is widely used to automatically configure different network parameters on computers, such as the IP address, DNS servers or the gateway which is used to access the Internet.

Domain Name System or DNS provides access to services and hosts using names instead of IP addresses; these are easier to memorise.

The Network Time Protocol or NTP keeps the system time synchronised on the different computers within a network.

The growing importance of ensuring the authenticity, integrity and privacy of communications has increased interest in the deployment of certification authorities. Certificates allow configuration of SSL or TLS to securely access most services and provide certificates for user authentication. These facilitate access to various services in a safe way. Moreover, many businesses use Web applications installed on an HTTP server spanning different domain names, allowing HTTPS connections.

Sometimes, your deployment requires a few applications that can't be ported to Linux environments given their characteristics or age. The Virtual Machines module offers you a way to integrate virtualized services in a simple, elegant and transparent way to the final user.

02.02 Domain Name System (DNS)

Introduction to DNS

BIND [4] is the de facto DNS server on the Internet, originally developed at the University of California, Berkeley and currently maintained by the Internet Systems Consortium. BIND version 9, rewritten from scratch to support the latest features of the DNS protocol, is used by Zentyal's DNS module.

[4] http://www.isc.org/software/bind

DNS cache server configuration with Zentyal

Zentyal's DNS module always works as a DNS cache server for networks marked as internal, so if you only want your server to perform cache DNS queries, simply enable the module. Zentyal's DNS cache server will ask the root DNS servers directly which one will provide an authoritative resolution for each DNS request. Then it will store the data locally during the time period set in the TTL field. With this functionality you can reduce the time required to start each network connection, therefore increasing the look-up speed for users and reducing the overall Internet traffic.

Sometimes this DNS cache server might need to be queried from internal networks that are not directly configured in Zentyal; for example, it may occur in networks with routes to internal segments or VPN networks. Although this case is quite rare, Zentyal allows configuration of the DNS server to accept queries from these subnets by a configuration file. You can add these networks to the file /etc/zentyal/80dns.conf with the option intnets=:

# Internal networks allowed to do recursive queries
# to Zentyal DNS caching server. Localnetworks are already
# allowed and this settings is intended to allow networks
# reachable through static routes.
# Example: intnets = 192.168.99.0/24,192.168.98.0/24
intnets =

After restarting the DNS module the changes will be applied.

To set the Zentyal server to use its own DNS cache server, which you just configured, go to Network ‣ DNS and set 127.0.0.1 as the first DNS server.

Figure: DNS configured as local cache

The search domain is basically a string that is added to a search in case a user-defined string is unresolvable. For example, your search domain could be foocorp.com. When a user tries to access the host example, as it is not present among its known hosts, the name resolution will fail; then the user's operating system will automatically provide example.foocorp.com, resulting in successful name resolution.

The search domain is set on the clients, but it can be provided automatically by DHCP, so that when the clients receive the initial network configuration, they can also receive the search domain.

In Network ‣ Diagnosis tools you have a tool for Domain Name Resolution, which by using dig shows the details of a DNS query to the server you have set in Network ‣ DNS.

Figure: Domain name resolution using the DNS local cache
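The intnets= setting above widens the set of networks allowed to make recursive queries, and a mistake there (a public range, or 0.0.0.0/0) turns the cache into an open resolver that can be abused for reflection attacks. The following script is an added example, not Zentyal code: Zentyal itself reads intnets= and writes the BIND configuration, so the named.conf fragment rendered here is only an illustration of what the setting amounts to (an allow-recursion ACL on top of the local networks). The file content in the block is constructed.

```python
"""Parse the intnets= networks from /etc/zentyal/80dns.conf and check that
none of them would open recursion to the Internet.

Added example, not Zentyal code. The rendered allow-recursion line is an
illustration of the effect of the setting, not Zentyal's own template.
SAMPLE_80DNS_CONF is constructed.
"""
import ipaddress
from typing import List

SAMPLE_80DNS_CONF = """\
# Internal networks allowed to do recursive queries
# to Zentyal DNS caching server. Localnetworks are already
# allowed and this settings is intended to allow networks
# reachable through static routes.
# Example: intnets = 192.168.99.0/24,192.168.98.0/24
intnets = 10.8.0.0/24, 192.168.50.0/24
"""

# Ranges that can legitimately appear in intnets: RFC 1918, CGNAT, loopback
# and link-local. Anything outside them is reachable from the Internet.
_INTERNAL_RANGES = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_intnets(conf_text: str) -> List[ipaddress.IPv4Network]:
    """Return the networks listed in the intnets= key; comments are ignored."""
    nets = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("intnets"):
            continue
        _, _, value = line.partition("=")
        for item in value.split(","):
            item = item.strip()
            if item:
                # strict=False: a host bit set by mistake is normalised, not fatal
                nets.append(ipaddress.IPv4Network(item, strict=False))
    return nets


def unsafe_networks(nets: List[ipaddress.IPv4Network]) -> List[str]:
    """Entries that would let hosts on the Internet use the cache for recursion."""
    return [str(n) for n in nets
            if not any(n.subnet_of(r) for r in _INTERNAL_RANGES)]


def render_allow_recursion(nets: List[ipaddress.IPv4Network]) -> str:
    """Illustrative named.conf fragment equivalent to the setting."""
    entries = ["localnets", "localhost"] + [str(n) for n in nets]
    return "allow-recursion { " + "; ".join(entries) + "; };"


if __name__ == "__main__":
    nets = parse_intnets(SAMPLE_80DNS_CONF)
    print(render_allow_recursion(nets))
    for bad in unsafe_networks(nets):
        print(f"WARNING: {bad} is not an internal range; the cache would be an open resolver")
```

Run it against the real file before restarting the DNS module; an empty list from unsafe_networks is what you want to see.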
Transparent DNS Proxy

Zentyal's transparent DNS Proxy gives you a way to force the use of your DNS server without having to change the clients' configuration. When this option is enabled, all the DNS requests that are routed through your server are redirected to Zentyal's internal DNS server. The clients have to use Zentyal as their gateway to make sure the requests will be forwarded. To have this option available, the firewall module must be enabled.

Figure: Transparent DNS proxy

DNS Forwarders

DNS Forwarders are the DNS servers that your server will check first. Only if the forwarders are not able to answer the request will your server try to resolve it. The main use of the forwarders is to give your server access to the private domain server. Given that these private domains are not accessible from the Internet, you need a specific name server. If you do not want to resolve private domains, this feature is not needed.

Figure: DNS Forwarders

Configuration of an authoritative DNS server with Zentyal

In addition to DNS cache, Zentyal can act as an authoritative DNS server for a list of configured domains. As an authoritative server, it will respond to queries about these domains coming both from internal and from external networks. Cache servers only respond to queries from internal networks, so that not only local clients but anyone can resolve these configured domains.

The configuration of this module is done through the DNS menu, where you can add as many domains and subdomains as required.

Figure: List of domains

To configure a new domain, display the form by clicking on Add new. From here, you can configure the Domain name and optionally the IP address which will be referenced by the domain.

Figure: Adding a new domain

Once the domain has been created, you can define as many names as required within the table Hostnames. For each one of these names Zentyal will automatically configure reverse resolution. Moreover, for each name you can define as many Alias as necessary. Normally the names point to the host where the service is running and the aliases to the services hosted in it. For example, the host amy.example.com has the aliases www.example.com and store.example.com for web services, and the host rick.example.com has the aliases smtp.example.com and mail.example.com for mail services.

Figure: Adding a new alias

Additionally, you can define the mail servers responsible for receiving messages for each domain. In Mail exchangers you will choose a server from the list defined at Names or an external list. Using Priority, you can set the server that will attempt to receive messages from other servers. If the preferred server fails, the next one in the list will be queried.

Figure: Adding a new mail exchanger

It is also possible to set NS records for each domain or subdomain using the table Name servers.

Figure: Adding a new name server

Note that when you add a new domain the field called Dynamic contains a value which is set to false. A domain is set as dynamic when it is updated automatically by an external process without restarting the server. If a domain is set to dynamic it can not be configured through the interface. In Zentyal, dynamic domains are automatically updated by DHCP with the names of the hosts that have been assigned an IP address; see Dynamic DNS updates.

The text records are DNS registers that offer additional information about a domain or a hostname using plain text. This information could be useful for human use or, more frequently, to be consumed by software. It is extensively used in several anti-spam applications (SPF or DKIM). To create a text record, go to the field TXT records of the domain. You can choose whether this record is associated with a specific hostname or the domain, and its contents. It is possible to associate more than one text record to each domain or hostname.

Figure: Adding a text record

The service records provide information about the services available in your domain and which hosts are providing them. The XMPP protocol, used mainly for instant messaging, uses these records extensively. You can access the list of service records through the field Services of the domain list. In each service record you can configure the Service name and its Protocol. You can identify the host that will provide the service with the fields Target and Target port. To provide better availability and/or balance the load you can define more than one record per service, in which case the fields Priority and Weight will define the server to access each time. The lower the priority value, the more likely the record is to be chosen. When two machines have the same priority level, the weight will be used to determine which machine will receive more workload.

Figure: Adding a service record

02.03 Time synchronization service (NTP)

Introduction to NTP

Zentyal integrates ntpd [2] as its NTP server. NTP uses UDP port 123.

[2] http://www.eecis.udel.edu/~mills/ntp/html/ntpd.html

Configuring an NTP server with Zentyal

Zentyal uses the NTP server both to synchronise its own clock and to offer this service on the network, so it is important to enable it. You still need to configure your time zone. Once you have enabled the module, you can check in System ‣ General that it is running and that manually adjusting the time is disabled.

Figure: NTP module installed and enabled

If you access NTP, you can enable or disable the service and choose the external servers that you want to synchronize to. By default, the list already has three preconfigured servers, chosen from the NTP project [3].

Figure: NTP configuration and external servers

Once Zentyal is synchronised, you can offer your clock timing using the NTP service. As always, you must not forget to check the firewall rules, as NTP is usually enabled only for internal networks.

[3] <http://www.pool.ntp.org/en/>
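Going back to the DNS service records described above: Zentyal stores the Priority, Weight, Target and Target port fields, but whether a second record gives you failover or load balancing depends on how clients select among them. The following block is an added example, not Zentyal code; it implements the RFC 2782 client selection (lowest priority first, weighted random within a priority level, next level only when every target there is unreachable) over a constructed set of XMPP records, so you can see what a given Priority/Weight layout actually produces.

```python
"""Choose a target from DNS service (SRV) records the way an RFC 2782 client does.

Added example, not Zentyal code. XMPP_RECORDS is a constructed record set:
two balanced front-ends at priority 10 and a standby at priority 20.
"""
import random
from collections import Counter
from typing import Dict, FrozenSet, List, NamedTuple, Optional


class SrvRecord(NamedTuple):
    priority: int   # lower value is tried first
    weight: int     # share of load among records with equal priority
    port: int
    target: str


# Constructed _xmpp-client._tcp.example.com records (not from a real zone).
XMPP_RECORDS = [
    SrvRecord(10, 60, 5222, "amy.example.com."),
    SrvRecord(10, 40, 5222, "rick.example.com."),
    SrvRecord(20, 0, 5222, "backup.example.com."),
]


def pick_target(records: List[SrvRecord], rng: random.Random,
                unreachable: FrozenSet[str] = frozenset()) -> Optional[SrvRecord]:
    """Lowest-priority group first; weighted random inside the group; the next
    priority is used only when every target of the group has failed."""
    candidates = [r for r in records if r.target not in unreachable]
    if not candidates:
        return None
    lowest = min(r.priority for r in candidates)
    group = [r for r in candidates if r.priority == lowest]
    total = sum(r.weight for r in group)
    if total == 0:
        return rng.choice(group)  # all weights zero: pick uniformly
    threshold = rng.randint(0, total - 1)
    running = 0
    for r in group:
        running += r.weight
        if threshold < running:
            return r
    return group[-1]  # not reached: threshold < total always selects a record


def load_distribution(records: List[SrvRecord], trials: int, seed: int = 1,
                      unreachable: FrozenSet[str] = frozenset()) -> Dict[str, int]:
    """How many of `trials` selections land on each target ("<none>" if no target is left)."""
    rng = random.Random(seed)
    counts: Counter = Counter()
    for _ in range(trials):
        chosen = pick_target(records, rng, unreachable)
        counts[chosen.target if chosen else "<none>"] += 1
    return dict(counts)


if __name__ == "__main__":
    print(load_distribution(XMPP_RECORDS, 10000))
    down = frozenset({"amy.example.com.", "rick.example.com."})
    print(load_distribution(XMPP_RECORDS, 100, unreachable=down))
```

With the constructed records, amy receives about 60% and rick about 40% of connections, and backup is used only when both front-ends are unreachable; a record with a higher priority value never shares load with the lower ones.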
02.04 Network configuration service (DHCP)

Introduction to DHCP

Zentyal uses ISC DHCP Software [4] to configure the DHCP service, which is the de facto standard on Linux systems. This service uses the UDP transport protocol, port 68 on the client and port 67 on the server.

[4] https://www.isc.org/software/dhcp

DHCP server configuration with Zentyal

The DHCP service needs to be deployed on an interface configured with a static IP address. This interface should also be internal. You can configure the DHCP server from the DHCP menu.

Figure: DHCP service configuration

The following parameters can be set in the Common options tab.

Default gateway: This is the gateway that clients will use to communicate with destinations not on your local network, such as the Internet. Its value can be Zentyal, a gateway set in Network ‣ Routers, or a Custom IP address.

Search domain: This parameter can be useful in a network where all the hosts are named under the same subdomain. Thus, when attempting to resolve a domain name unsuccessfully (for example host), a new attempt would be carried out by adding the search domain at the end (host.zentyal.lan).

Primary name server: It specifies the DNS server that clients will use first when they have to resolve a domain name. Its value can be Local Zentyal DNS or the IP address of another DNS server. If you select your own Zentyal as the DNS server, make sure that the DNS module [5] is enabled.

Secondary name server: DNS server to be used by clients in case the primary DNS server is unavailable. Its value must be the IP address of a DNS server.

NTP server: NTP server that clients will use to synchronise their system clock. It can be None, Local Zentyal NTP or the IP address of another NTP server. If you select your own Zentyal server as the NTP server, make sure that the NTP module [6] is enabled.

WINS server: WINS server (Windows Internet Name Service) [7] that clients will use to resolve names on a NetBIOS network. It can be None, Local Zentyal or another Custom one. If you select your own Zentyal server as the WINS server, make sure that the File Sharing module [8] is enabled.

Configuring DHCP ranges

Under these options, you can see the dynamic ranges of addresses and static allocations. For the DHCP service to work properly, you should at least have a range of addresses to distribute or static allocations; otherwise the DHCP server will not allocate IP addresses even when listening on all network interfaces.

Address ranges and static addresses available for assignment from a certain interface are determined by the static address assigned to that interface. Any available IP address of the subnet can be used in ranges or static allocations.

In order to add a range in the Range section you have to introduce a name to identify the range and the values you want to assign within the range listed above.

You can perform static assignment of IP addresses to specific physical addresses in the Fixed addresses section. To fill this section you need an object whose members are pairs of host IP addresses (/32) and MAC addresses. You can create this object from Network ‣ Objects or directly in the quick menu offered in the DHCP interface. An address assigned in this way can not be part of any range. You can add an optional Description for the allocation as well.

[5] See Domain Name System (DNS) section for details.
[6] See Time synchronization service (NTP) section for details.
[7] http://en.wikipedia.org/wiki/Windows_Internet_Name_Service
[8] See File sharing and authentication service section for details.

Advanced options

Figure: Advanced DHCP options

The dynamic address allocation has a time limit. After expiry of that time a renewal must be requested (configurable in the Advanced options tab). This time varies from 1800 seconds to 7200. This limitation also applies to the static allocation.
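The constraints stated in this section (ranges and fixed addresses inside the interface's subnet, a fixed address never part of a range, at least one range or fixed address, lease time between 1800 and 7200 seconds) are enforced by the web interface, but it is useful to be able to check a planned layout before typing it in. The block below is an added example, not Zentyal code; the interface address, the range and the object members it checks are constructed sample data.

```python
"""Check a DHCP range and fixed-address layout against the rules in this section.

Added example, not Zentyal code. The interface address, ranges and object
members below are constructed sample data.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

INTERFACE_ADDRESS = "192.168.1.1/24"   # static address of the internal interface
RANGES: Dict[str, Tuple[str, str]] = {"workstations": ("192.168.1.100", "192.168.1.199")}
# Object members, as in Network ‣ Objects: name -> (host address, MAC address).
FIXED: Dict[str, Tuple[str, str]] = {
    "printer": ("192.168.1.150", "00:11:22:33:44:55"),
    "nas": ("192.168.1.20", "00:11:22:33:44:66"),
}
LEASE_SECONDS = 3600

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def validate_dhcp(interface: str, ranges: Dict[str, Tuple[str, str]],
                  fixed: Dict[str, Tuple[str, str]], lease_seconds: int) -> List[str]:
    """Return the list of problems found; an empty list means the layout is consistent."""
    problems: List[str] = []
    subnet = ipaddress.IPv4Interface(interface).network
    parsed_ranges = {}
    for name, (first, last) in ranges.items():
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if lo > hi:
            problems.append(f"range {name}: first address {first} is after last address {last}")
        if lo not in subnet or hi not in subnet:
            problems.append(f"range {name}: {first}-{last} is outside {subnet}")
        parsed_ranges[name] = (lo, hi)
    for name, (ip, mac) in fixed.items():
        addr = ipaddress.IPv4Address(ip)
        if not _MAC_RE.match(mac):
            problems.append(f"fixed address {name}: {mac!r} is not a MAC address")
        if addr not in subnet:
            problems.append(f"fixed address {name}: {ip} is outside {subnet}")
        # A fixed address can not be part of any range.
        for rname, (lo, hi) in parsed_ranges.items():
            if lo <= addr <= hi:
                problems.append(f"fixed address {name} ({ip}) lies inside range {rname}")
    if not ranges and not fixed:
        problems.append("no ranges or fixed addresses: the server will not allocate anything")
    if not 1800 <= lease_seconds <= 7200:
        problems.append(f"lease time {lease_seconds}s is outside 1800-7200 seconds")
    return problems


if __name__ == "__main__":
    for problem in validate_dhcp(INTERFACE_ADDRESS, RANGES, FIXED, LEASE_SECONDS) or ["ok"]:
        print(problem)
```

With the constructed data the only finding is the printer, whose fixed address 192.168.1.150 falls inside the workstations range; moving it out of the range (or shrinking the range) clears the check.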
Zentyal supports remote boot for thin clients. In Next server you can configure the PXE server to which the thin client must connect. This server will then send everything the thin client needs to boot the system. The PXE server can be an IP address or a hostname, or, if Zentyal is the PXE server, it is possible to upload the file with the image through the web interface. It is required to provide the path to the boot image.

Dynamic DNS updates

Dynamic DNS updates allow you to assign domain names to DHCP clients by integrating the DHCP and DNS modules. This will ease the recognition of the machines in the network through a single domain name instead of an IP address that could change.

Figure: Configuration of Dynamic DNS updates

To use this option, you have to access the Dynamic DNS options tab and, to enable this feature, the DNS module should be enabled too. There should be a Dynamic domain and a Static domain, which will both be added to the DNS settings automatically. The dynamic domain refers to hostnames whose IP addresses belong to a range, and the associated name follows the pattern dhcp-<offered-IP-address>.<dynamic-domain>. As to the static domain, the hostname will follow this pattern: <name>.<static-domain>, <name> being the name of the set on the table Static allocations.

02.05 Certification authority (CA)

Public Key Infrastructure (PKI)

Zentyal uses OpenSSL [4] for the management of the Certification Authority and the life cycle of the issued certificates.

[4] http://www.openssl.org/

Certification Authority configuration with Zentyal

In Zentyal, the Certification Authority module is self-managed, which means that it does not need to be enabled in Module status. However, you have to initialize the CA to make the functionality of the module available. Go to Certification Authority ‣ General and you will find the form to create the CA. You are required to fill in the Organization Name and Days to expire fields. Optionally, it is possible to specify the Country code (a two-letter acronym following the ISO-3166-1 standard [5]), City and State.

Figure: Create the CA certificate

When setting the expiration date you have to take into account that at the moment of expiration all certificates issued by this CA will be revoked, stopping all services depending on those certificates.

Once the CA has been initialised, you will be able to issue certificates. The required data are the Common Name of the certificate and the Days to expire. This last field is limited by the fact that no certificate can be valid for a longer time than the CA. In case you are using the certificate for a service such as a web server or mail server, the Common Name of the certificate should match the domain name of that server. For example, if you are using the domain name zentyal.home.lan to access the web administrative interface in Zentyal, you will need a certificate with the same Common Name. In case you are setting a user certificate, the Common Name will usually be the user's email address. Optionally, you could set Subject Alternative Names [6] for the certificate. These are useful when setting common names to a certificate: a domain name or an IP address for an HTTP virtual host, or an email address when signing email messages.

Once the certificate is issued, it will appear in the list of certificates and it will be available for the administrator and for the rest of the modules.

Figure: Certificate list page

Through the certificate list you can perform several actions on the certificates:
• Download the public key, private key and the certificate.
• Revoke the certificate.
• Renew the certificate.
• Reissue a previously revoked or expired certificate.

The package with the keys also contains a PKCS12 file with the private key and the certificate, and it can be installed directly into other programs such as web browsers, mail clients, etc.

If you revoke a certificate you will not be able to use it anymore, as this action is permanent and it can not be undone. Optionally, you can select the reason of the certificate revocation:
• unspecified: reason not specified.
• keyCompromise: the private key has been compromised.
• CACompromise: the private key for the certification authority has been compromised.
• affiliationChanged: the issued certificate has changed its affiliation to another certification authority from another organization.
• superseded: the certificate has been renewed and it is now replaced by a new one.
• cessationOfOperation: the certification authority has ceased its operations.
• certificateHold: certificate suspended.
• removeFromCRL: currently unimplemented; it provides delta CRL support, that is, lists of certificates whose revoked status has changed.

Figure: Revoke a certificate

If you renew a certificate, the current certificate will be revoked and a new one with the new expiration date will be issued. If this is not possible because it is after the date of expiry of the CA, then the date of expiration is set as the one of the CA. And if you renew the CA, all certificates will be renewed with the new CA, trying to keep the old expiration date.

Figure: Renew a certificate

The expiration date of each certificate is automatically checked once a day and every time you access the certificate list page. When a certificate expires all the modules are notified.

[5] http://en.wikipedia.org/wiki/ISO_3166-1
[6] For more information about subject alternative names, visit http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name

Services Certificates

On Certification Authority ‣ Services Certificates you can find the list of Zentyal modules using certificates for their operation. Each module generates its own self-signed certificates, but you can replace them with others issued by your CA. You can generate a certificate for each service by defining its Common Name. If a previous certificate with that name does not exist, the CA will create it automatically. This also applies if you renew a certificate for a module. Once enabled, you need to restart the service to force the module to use the new certificate.

Figure: Services Certificates
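The lifetime rules in this section interact in ways that are easy to get wrong when planning a CA: a certificate's Days to expire is clamped to the CA's expiry, renewing a certificate revokes the old one, renewing the CA re-issues everything while keeping old expiry dates, and the daily check is what eventually stops services. The block below is an added example, not Zentyal code (Zentyal applies these rules through its OpenSSL-based module): it models the rules as stated on the page so you can see what a given CA lifetime implies for the certificates under it. The organization, Common Names and dates are constructed.

```python
"""Model the certificate lifetime rules this section states.

Added example, not Zentyal code. Names and dates are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Revocation reasons offered by the CA module (the list given on the page).
REVOCATION_REASONS = (
    "unspecified", "keyCompromise", "CACompromise", "affiliationChanged",
    "superseded", "cessationOfOperation", "certificateHold", "removeFromCRL",
)


@dataclass
class Certificate:
    common_name: str
    expires: date
    revoked_reason: Optional[str] = None
    expired: bool = False


@dataclass
class CertificationAuthority:
    organization: str
    expires: date
    live: Dict[str, Certificate] = field(default_factory=dict)   # keyed by Common Name
    revoked: List[Certificate] = field(default_factory=list)

    def issue(self, common_name: str, days: int, today: date) -> Certificate:
        # No certificate can be valid for longer than the CA.
        cert = Certificate(common_name, min(today + timedelta(days=days), self.expires))
        self.live[common_name] = cert
        return cert

    def revoke(self, common_name: str, reason: str = "unspecified") -> Certificate:
        if reason not in REVOCATION_REASONS:
            raise ValueError(f"unknown revocation reason {reason!r}")
        cert = self.live.pop(common_name)   # permanent: the certificate leaves the live set
        cert.revoked_reason = reason
        self.revoked.append(cert)
        return cert

    def renew(self, common_name: str, days: int, today: date) -> Certificate:
        """Revoke the current certificate (superseded) and issue a new one."""
        self.revoke(common_name, "superseded")
        return self.issue(common_name, days, today)

    def renew_ca(self, days: int, today: date) -> List[Certificate]:
        """Re-issue every live certificate under the new CA, keeping its old
        expiry unless that would now exceed the CA's."""
        self.expires = today + timedelta(days=days)
        reissued = []
        for cn, old in list(self.live.items()):
            self.live[cn] = Certificate(cn, min(old.expires, self.expires))
            reissued.append(self.live[cn])
        return reissued

    def daily_check(self, today: date) -> List[str]:
        """Mark certificates that reached their expiry (all of them once the
        CA itself has expired); returns the names newly marked."""
        newly_expired = []
        for cn, cert in self.live.items():
            if (today >= cert.expires or today >= self.expires) and not cert.expired:
                cert.expired = True
                newly_expired.append(cn)
        return newly_expired


def scenario() -> Dict[str, str]:
    """Walk through the rules with constructed dates; values are ISO strings."""
    ca = CertificationAuthority("Example Corp", expires=date(2013, 1, 1))
    web = ca.issue("zentyal.home.lan", days=3650, today=date(2012, 1, 1))
    clamped = web.expires.isoformat()                       # 2013-01-01, not 2021
    ca.renew_ca(days=3650, today=date(2012, 6, 1))
    kept = ca.live["zentyal.home.lan"].expires.isoformat()  # old expiry kept
    renewed = ca.renew("zentyal.home.lan", days=30, today=date(2012, 6, 1))
    expired = ca.daily_check(date(2012, 7, 1))
    return {
        "clamped_to_ca": clamped,
        "kept_after_ca_renewal": kept,
        "after_renewal": renewed.expires.isoformat(),
        "revoked_reason": ca.revoked[0].revoked_reason,
        "expired_on_check": ",".join(expired),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The scenario shows the practical consequence of a short CA lifetime: the web certificate asked for with 3650 days is cut to the CA's 2013-01-01, and renewing the CA later does not extend it.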
02.06 Web data publication service (HTTP)

Introduction to HTTP

The Web [1] is one of the most common services on the Internet, to the extent that it has become the "public face" of the Internet for most users. This service is based on web page transfer using the HTTP protocol.

HTTP (Hypertext Transfer Protocol) [2] is a request and response protocol. The client, also known as the User Agent, makes a request to access a resource on an HTTP server. These resources are identified by using URLs (Uniform Resource Locators) [3], identifiers usually known as web site addresses. The server with the requested resource processes it and gives a response with the resource: for instance, this can be an HTML web page, an image or any other file that is generated dynamically based on a series of request parameters.

There are several methods that clients can use to request data, although the most common ones are GET and POST:

GET: Requests a resource. It is a harmless method as far as the server is concerned and does not cause any changes to the hosted web applications.

HEAD: Requests data from a resource, but the response will not include the body, only the header. It allows you to obtain metadata from the resource without downloading it.

POST: Sends data to a resource that the server must process, for example, to send data to the server through a web form. The data is included in the body of the request.

PUT: Sends an item to be stored on a specific resource. It is used, for example, by WebDAV [4], a set of HTTP protocol methods which allow collaboration between users when editing and managing files.

DELETE: Deletes the specified resource. Also used by WebDAV.

TRACE: Informs the server that it must return the header sent by the client. This is useful to see whether the request has been modified on its way to the server, for example by an HTTP proxy, preventing the correct processing of the request.

A client request follows this format:

• Initial line with <method> <URL> <HTTP version>. For example, GET /index.html HTTP/1.1 requests the resource /index.html using GET and the HTTP/1.1 protocol.
• A line with headers, such as Host, Cookie, Referer or User-Agent amongst others. The Host header is used to specify the domain to which the HTTP request is sent. For example, Host: zentyal.com informs that a request is made to the domain zentyal.com. This allows different domains with different web pages to exist on the same server: the domains will be resolved to the same IP address of the server and, after reading the Host header, the server can designate the virtual host or domain to which the request is addressed.
• A blank line.
• A body with optional format.

The server response has the same structure as the client request, except for the first line, which is the response code and a textual explanation of it. The first line contains <status code> <text reason>. The most common response codes are:

200 OK: The request has been processed correctly.
403 Forbidden: The client does not have permission to access the requested resource.
404 Not Found: The requested resource was not found.
500 Internal Server Error: A server error has occurred.

Request schema and HTTP response

By default, HTTP uses the TCP port 80 and HTTPS uses the TCP port 443. HTTPS is the HTTP protocol sent via an SSL/TLS connection to guarantee encrypted communication and authentication of the server.

The Apache [5] HTTP server is the most widely used on the Internet, hosting more than 54% of all web pages. Zentyal uses Apache for its HTTP server module and for its administrative interface.

[1] http://en.wikipedia.org/wiki/World_Wide_Web
[2] http://en.wikipedia.org/wiki/HTTP
[3] http://en.wikipedia.org/wiki/URL
[4] http://en.wikipedia.org/wiki/WebDAV
[5] http://httpd.apache.org/
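The request and response format described above, as an added example that is not part of the Zentyal documentation or of Apache: a minimal parser for the four parts of a client request (initial line, header lines, blank line, optional body) and a small dispatcher that picks the virtual host from the Host header, serves GET, and answers HEAD with the same headers but no body. The domain names, paths and page contents are constructed sample data; the 405 status used for unsupported methods is a standard HTTP code that the text above does not list.

```python
# Added example, not code from the Zentyal documentation: parse an HTTP/1.x
# request in the format described above and dispatch it on the Host header.

# Constructed "server": two virtual hosts sharing one IP address, as the Host
# header section describes. Paths map to page bodies.
VIRTUAL_HOSTS = {
    "zentyal.com": {"/index.html": "<html>zentyal.com home</html>"},
    "example.org": {"/index.html": "<html>example.org home</html>"},
}

# Constructed sample request, laid out exactly as the four-part format above.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: zentyal.com\r\n"
    "User-Agent: example-client/1.0\r\n"
    "\r\n"
)


def parse_request(raw: str):
    """Split a raw request into (method, url, version, headers, body).

    Header names are normalised to lower case. A request without the blank
    line that ends the header block is rejected instead of being guessed at.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("missing blank line after headers")
    lines = head.split("\r\n")
    method, url, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, url, version, headers, body


def handle_request(raw: str):
    """Return (status_line, headers, body) for one request.

    The Host header selects the virtual host; unknown hosts and unknown paths
    get 404. HEAD returns the same headers as GET without the body.
    """
    method, url, _version, headers, _body = parse_request(raw)
    host = headers.get("host", "").split(":")[0]
    site = VIRTUAL_HOSTS.get(host)
    if site is None:
        return "HTTP/1.1 404 Not Found", {"Content-Length": "0"}, ""
    if method not in ("GET", "HEAD"):
        return "HTTP/1.1 405 Method Not Allowed", {"Allow": "GET, HEAD"}, ""
    page = site.get(url)
    if page is None:
        return "HTTP/1.1 404 Not Found", {"Content-Length": "0"}, ""
    resp_headers = {"Content-Type": "text/html", "Content-Length": str(len(page))}
    return "HTTP/1.1 200 OK", resp_headers, "" if method == "HEAD" else page


def format_response(status_line: str, headers: dict, body: str) -> str:
    """Serialise a response: status line, header lines, blank line, body."""
    header_lines = "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return f"{status_line}\r\n{header_lines}\r\n{body}"


if __name__ == "__main__":
    print(format_response(*handle_request(SAMPLE_REQUEST)))
```

Note that the dispatcher trusts only the Host header to choose the site, which is exactly why the text says different domains can share one server address: the name in the request, not the destination IP, decides which DocumentRoot answers.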
HTTP server configuration with Zentyal

You can access the HTTP server configuration through the Web server menu.

Configuration of Web server module

In the General Configuration you can modify the following parameters:

Listening port: HTTP port, by default port 80, the default port of the HTTP protocol.

SSL listening port: HTTPS port, by default port 443, the default port of the HTTPS protocol. You must enable the certificate for this service, and change the Zentyal administrative interface port to another port if you want to use the port 443.

Enable the public_html per user: If the users have a subdirectory called public_html in their personal directory, this option allows them to access it via the URL http://<zentyal>/~<user>/.

Virtual servers or Virtual hosts is where you can define different domains associated to certain web pages. When you use this option to define a new domain, if the DNS module is installed, then the top level domain will be created, and if a subdomain does not already exist, then it will be added. This domain or subdomain creates a pointer to the address of the first internal interface configured with a static address, although you can modify the domain later if necessary.

The DocumentRoot or root directory for each page is in the /srv/www/<domain>/ directory. In addition, it is possible to apply a customised Apache configuration to each Virtual host by adding a file to the /etc/apache2/sites-available/user-ebox-<domain>/ directory. Besides being able to enable and disable each domain of the HTTP server, if SSL has already been configured, you can fix HTTPS connections to a domain or even force all the connections to work over HTTPS.
02.07 File Transfer Protocol (FTP)

Introduction to FTP

Zentyal uses vsftpd [5] (very secure FTP) to provide this service.

[5] http://vsftpd.beasts.org/

FTP server configuration with Zentyal

You can access the FTP server configuration through the menu FTP:

FTP Server Configuration

The FTP service provided by Zentyal is very easy to configure and it allows the provision of remote access to a public directory and/or personal directories of the system users. The default path of the public directory is /srv/ftp, while all users have personal directories located within /home/user/.

In Anonymous access you can choose between three possible configurations for the public directory:

Disabled: No access is granted to anonymous users.

Read only: Users can access the directory with an FTP client, but they are only allowed to list the files and download them. This configuration is appropriate when making content globally available for download.

Read and write: Users can access the directory with an FTP client and anyone can add, modify, download and delete files from this directory. This configuration is not recommended unless you are very confident of what you are doing.

Another configuration parameter, Personal directories, allows each Zentyal user access to their personal directory. In this case, you can also activate Restrict to Personal directories, which will prevent users from navigating the entire file system, only accessing the files and directories under /home/user.

Using the SSL Support option, you can force the secure connection, make it optional or disable it. If it is disabled you will not be able to access securely; if it is optional the decision will depend on the client support; and if it is forced, you will not accept clients that do not support it.

As usual, before enabling this service, you must check that the necessary firewall ports are open.
02.08 Virtualization Manager

Introduction

Zentyal provides an easy management of virtual machines, integrating the KVM and VirtualBox solutions. Which one will be used depends on what is already installed in the system. It is not possible to use both solutions at the same time. KVM is the default option when you use the Zentyal installer.

Creating virtual machines with Zentyal

Through the Virtual Machines menu you can access the list of currently available machines, as well as add new ones or delete the existing ones. You also have other maintenance options that will be described in detail in the next section.

When you create a machine, you have to click on Add new and then fill in the following parameters:

Name: Just for identification purposes, you can enter any alphanumeric label, but essentially it will also be used to pick the file system path where you will store the data associated with this machine.

Autostart: If this option is enabled, Zentyal will be in charge of starting or stopping the machine along with the rest of the services; otherwise Zentyal will just create the machine the first time you configure it and save changes, and the system administrator will be in charge of performing these actions manually when he/she considers it necessary.

Creating a new virtual machine

After this, you have a configuration row associated with your new machine.

Virtual machine registered in the table

The next step will be configuring your new virtual machine, through the Settings column, where you will find the following tabs:

System Settings: It allows you to define the architecture (32 or 64 bits) and also the type of operating system, in case you are using VirtualBox for the machines management. You can also define the size of the RAM memory allocated for this machine in megabytes. By default this value is 512, or half the available memory if you have less than 1GB in the real host.

System configuration for the virtual machine

Network Settings: It contains the list of network interfaces of the virtual machine, which can be configured as NAT (only Internet access), in bridged mode with one of the host system interfaces, or forming an isolated internal network, whose name you have to define, so other virtual machines will be able to connect. If you uncheck the Enabled checkbox, you can temporarily disable any of the network interfaces.

VM network settings

Device Settings: It contains the list of storage drives associated with the machine. You can associate CDs or DVDs (providing the path to an ISO image), and also hard drives. For the hard drives, you can either provide an image file of KVM or VirtualBox, or just specify the size in megabytes and an identifier name, and Zentyal will create the new empty disk. By unchecking the Enabled checkbox, you can temporarily disconnect any of the drives without deleting them.

VM device settings

Virtual machine maintenance

In the Dashboard you have a widget that contains the list of virtual machines and their current state (running or not), and a button that allows you to Stop or Start them if you want to.

VM widget in your Dashboard

In the Virtual Machines section you can see, from left to right, the actions you can execute over a machine:

VM actions

You can execute the following actions:

View Console: It will open a pop-up window where you can access the terminal of the virtual machine, using the VNC protocol.

VM console view

Start/Stop: It allows you to start or stop the machine, depending on its current state. In case the machine is in 'Pause' state, you can click the same button to resume execution.

Pause/Continue: From here you can pause the execution of the machine while it is running, without losing the running state. Once the machine is paused, the 'start button' will resume execution.

Delete: Delete this Virtual Machine.

Edit: Edit the configuration of this Virtual Machine.

At the top left you can also see an indicator that can be either red, yellow or green, depending on whether the machine is stopped, paused or running.
03. Zentyal Gateway

03.01 Zentyal Gateway

This chapter focuses on the functionality of Zentyal as a gateway, offering a more reliable and secure network, bandwidth management and a clear definition of connection and content policies. These services include: configurable network interfaces, advanced firewall and routing, advanced HTTP proxy, traffic shaping and QoS, captive portal and RADIUS.

These modules assist with the management of network objects and services and simplify firewall configuration. The advanced firewall module allows you to define rules to manage the incoming and outgoing traffic of both the server and the internal network. When you access the Internet, you can balance the load between several connections and define different rules to use one or another connection depending on the traffic. You will also see how to guarantee the quality of service, by giving higher priority to a specific type of traffic or by limiting the speed in some cases, as in the P2P example.

In addition, you will also find an introduction to the HTTP proxy service. Among other options, this service allows faster Internet access through the proxy by storing a cache, and establishing different content filtering policies.

The RADIUS module allows authentication of the network users and, along with bandwidth monitoring, the captive portal will allow you to give Internet access only to the designated host machines, redirecting the traffic to your login page, with live reports of the connected users and network consumption.
03.02 High-level Zentyal abstractions

Network objects

The Network objects are a way to represent network elements, or a group of them. They allow you to simplify and consequently make it easier to manage network configuration: network objects allow you to give an easily recognisable name to elements or a group of them. For example, you can give a recognisable name to an IP address or a group of them. Instead of defining the same firewall rule for all IP addresses, it is enough to define it for the network object that already contains the addresses. This means you can apply the same configuration to all elements.

Representation of a network object

Each one of these objects consists of a series of members that can be modified at any time. The members must have at least the following values: Name, IP Address and Netmask. The MAC address is optional and logically you can only use it on members that represent a single host. This value will be applied when the MAC address is accessible.

Network objects

The members of one object can overlap with members of other objects. Therefore you must be careful when using them in the other modules to avoid conflicts.

Management of Network objects with Zentyal

To start to work with the Zentyal objects, go to the Network ‣ Objects section. Initially you will see an empty list. You can create, edit and delete objects that will be used later by other modules; the list shows the name of all the objects and a series of actions you can carry out on each of them.

Add a new member

In other configuration sections of Zentyal where you can use network objects (like DHCP or Firewall), a quick embedded menu will be offered, so you can create and configure the network objects without explicitly accessing this menu section.

Network services

Network services are a way to represent the protocols (TCP, UDP, ICMP, etc.) and the ports used by applications. The purpose of the services is similar to that of the objects: objects simplify reference to a group of IP addresses with a recognisable name, while services allow identification of a group of ports by the name of the service the ports have been allocated to.

For example, when browsing, the most usual port is the HTTP port 80/TCP, but in addition you also have to use the HTTPS port 443/TCP and the alternative port 8080/TCP. Hence, it is not necessary to apply a rule that affects browsing on each one of the ports, but on the service that represents browsing and contains these three ports. Another example is file sharing in Windows networks, where the server listens on the ports 137/TCP, 138/TCP, 139/TCP and 445/TCP.

Client connection to a server

A service is Internal if the ports configured for the service are being used in the same server, for example DNS.

Management of Network services with Zentyal

To manage services with Zentyal, go to the Network ‣ Services menu, where you will find a list of available services, created by all the installed modules and those that were added later. You can see the Name, Description and an indication of whether the service is Internal or not. Furthermore, each service has a series of members, each one containing Protocol, Source port and Destination port values. Only TCP, UDP, ESP, GRE or ICMP protocols are supported. You can introduce the value Any in all of the fields to specify, for example, the services for which the source port is different to the destination port. You can also use a TCP/UDP value to avoid having to add the same port twice when both protocols are used by a service.

Network services

03.03 Firewall

Introduction to the Firewall System

Zentyal uses the Linux kernel subsystem called Netfilter [2] in the firewall module. Functionality includes filtering, packet marking and connection redirection capabilities.

[2] http://www.netfilter.org/

Firewall configuration with Zentyal

Zentyal's security model is based on delivering the maximum possible security with the default configuration, trying at the same time to minimise the effort when adding a new service. When Zentyal is configured as a firewall, it is normally installed between the internal network and the router connected to the Internet. The network interface which connects the host with the router has to be marked as External in Network -> Network interfaces, therefore the firewall can establish stricter policies for connections initiated outside your network.

External interface

The default policy for external interfaces is to deny any new connections. On the other hand, for internal interfaces, Zentyal denies all the connection attempts except the ones that are targeted to services defined by the installed modules. The modules add rules to the firewall to allow these connections. These rules can be modified later by the system administrator. An exception to this are the connections to the LDAP server, which add a rule but it is configured to deny the connection for security reasons. The default configuration for connections to hosts outside the network and connections from the server itself is allow all.

Packet filtering

Definition of firewall policies can be made from Firewall ‣ Packet filtering. Five different sections are available for configuration depending on the work flow of the traffic you are addressing:

• Traffic from internal networks to Zentyal (example: allow access to the file server from the local network).
• Traffic between internal networks and from internal networks to the Internet (example: restrict access to the Internet or to specific addresses to some internal clients and restrict communication between internal networks).
• Traffic from Zentyal to external networks (example: allow downloading files using HTTP from the server itself).
• Traffic from external networks to Zentyal (example: allow the mail server to receive messages from the Internet).
• Traffic from external networks to internal networks (example: allow access to an internal server from the Internet).

Schema illustrating the different traffic flows in the firewall

You have to take into account that the last two types of rules could compromise the security of Zentyal and the network, so you must be very careful when modifying them.

Zentyal provides a simple way to define the rules that will form the firewall policy. The definition of these rules uses the high-level concepts defined in the Network services section to specify which protocols and ports the rules apply to, and in the Network objects section to specify which IP addresses (source or destination) are included in the rule definitions.

List of packet filtering rules from internal networks to Zentyal

Normally, each rule has a Source and a Destination, which can be Any, an IP address or an Object in case more than one IP address or MAC address needs to be specified. In some sections the Source or Destination are omitted because their values are already known; for example, Zentyal will always be the Destination in the Traffic from internal networks to Zentyal section and always the Source in Traffic from Zentyal to external networks.

Additionally, each rule is always associated with a Service in order to specify the protocol and the ports (or range of ports). The services with source ports are used for rules related to outgoing traffic of internal services, for example an internal HTTP server, while the services with destination ports are used for rules related to incoming traffic to internal services or to outgoing traffic to external services. It is important to note that there is a set of generic labels that are very useful for the firewall, like Any to select any protocol or port, or Any TCP and Any UDP to select any TCP or UDP protocol respectively.

The most relevant parameter is the Decision to take on the new connection. Zentyal allows this parameter to use three different decision types:

• Accept the connection.
• Deny the connection, ignoring incoming packets and telling the source that the connection can not be established.
• Register the connection event and continue evaluating the rest of the rules. This way, if you want to register the connections to a service, first you use the rule that will register the connection and then the rule that will accept it. If these two rules are in inverse order, nothing will be registered, because the first rule has already accepted the connection. Later, using Maintenance ‣ Logs -> Log query -> Firewall, you can check which connections were attempted.

Creating a new rule in the firewall

There is the option of applying a logical not to the rule evaluation using Inverse, in order to define more advanced policies.

The rules are inserted into a table where they are evaluated from the beginning to the end. Once a rule accepts a connection, the rest are ignored, which is why the ordering of rules is very important. A generic rule at the beginning of the chain can have the effect of ignoring a more specific one that is located later in the list. Following the same logic, if you want to restrict the access to the Internet for some clients, first restrict the desired sites or clients and then allow access to the rest; swapping the location of the rules would give complete access to every client.

By default, the decision is always to deny connections and you have to add explicit rules to allow them. There are a series of rules which are automatically added during installation to define an initial version of the firewall policies: allow all the outgoing connections to external networks, to the Internet, from the Zentyal server (in Traffic from Zentyal to external networks) and also allow all the connections from internal to external networks (in Traffic between internal networks and from internal networks to the Internet). Additionally, each installed module adds a series of rules in the sections Traffic from internal networks to Zentyal and Traffic from external networks to Zentyal, normally allowing traffic from internal networks and denying it from the external networks. This is made implicit, but it simplifies the firewall management by allowing the service: only the parameter Decision needs to be changed and you do not need to create a new rule. Note that these rules are added during the installation process of a module only, and they are not automatically modified during future changes.
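The rule model described above (network objects, network services, and an ordered list of rules whose Decision is Accept, Deny or Register-and-continue), as an added example that is not Zentyal's own code. It shows the two ordering effects the text warns about: a logging rule placed after the accepting rule never fires, and a generic accept placed before a specific deny shadows it. Object names, service members, addresses and connections are constructed sample data; the Inverse flag negates a rule's match as the text describes.

```python
# Added example, not Zentyal's own firewall code: a first-match evaluator for
# the packet-filtering model above (objects, services, ordered rules).
import ipaddress
from dataclasses import dataclass

# Network objects (constructed): a name for one or more address/netmask members.
OBJECTS = {
    "lan": ["192.168.1.0/24"],
    "admins": ["192.168.1.10/32", "192.168.1.11/32"],
}

# Network services (constructed): a name for (protocol, source port,
# destination port) members; None plays the role of Zentyal's "Any".
# "browsing" groups 80, 443 and 8080 so one rule covers all three ports.
SERVICES = {
    "browsing": [("tcp", None, 80), ("tcp", None, 443), ("tcp", None, 8080)],
    "ssh": [("tcp", None, 22)],
    "any": [(None, None, None)],
}


@dataclass
class Rule:
    decision: str            # "accept", "deny" or "log" (register and continue)
    service: str             # key of SERVICES
    source: str = "any"      # key of OBJECTS, an IP/CIDR string, or "any"
    inverse: bool = False    # Zentyal's Inverse: apply a logical not to the match


@dataclass
class Connection:
    src: str
    proto: str
    dport: int
    sport: int = 40000


def _matches_source(selector: str, src: str) -> bool:
    if selector == "any":
        return True
    nets = OBJECTS.get(selector, [selector])   # object name or a literal address
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def _matches_service(name: str, conn: Connection) -> bool:
    for proto, sport, dport in SERVICES[name]:
        if (proto in (None, conn.proto)
                and sport in (None, conn.sport)
                and dport in (None, conn.dport)):
            return True
    return False


def evaluate(rules, conn, default="deny"):
    """Walk the rules top to bottom; return (final_decision, logged).

    "log" registers the connection and keeps evaluating; the first "accept"
    or "deny" ends evaluation, which is why the order of the rules matters.
    With no matching rule the section's default decision applies.
    """
    logged = False
    for rule in rules:
        hit = _matches_source(rule.source, conn.src) and _matches_service(rule.service, conn)
        if rule.inverse:
            hit = not hit
        if not hit:
            continue
        if rule.decision == "log":
            logged = True
            continue
        return rule.decision, logged
    return default, logged


def ordering_demo():
    """Both ordering pitfalls from the text, side by side."""
    web = Connection(src="192.168.1.20", proto="tcp", dport=80)
    log_then_accept = [Rule("log", "browsing", "lan"), Rule("accept", "browsing", "lan")]
    accept_then_log = [Rule("accept", "browsing", "lan"), Rule("log", "browsing", "lan")]
    # A generic accept first shadows the more specific deny placed after it.
    ssh = Connection(src="192.168.1.20", proto="tcp", dport=22)
    generic_first = [Rule("accept", "any", "lan"), Rule("deny", "ssh", "lan")]
    return {
        "log_then_accept": evaluate(log_then_accept, web),
        "accept_then_log": evaluate(accept_then_log, web),
        "generic_first": evaluate(generic_first, ssh),
        "specific_first": evaluate(list(reversed(generic_first)), ssh),
    }
```

The evaluator stops at the first Accept or Deny exactly as the text states, so the only way to both register and allow a connection is the log rule first; reviewing a policy in this order (specific restrictions, then the general allow) is the check worth repeating whenever rules are moved.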
Additionally, there is a field Description used to add a descriptive comment about the rule policy within the global policy of the firewall.

Port redirection with Zentyal

Destination port redirection can be configured using Firewall ‣ Port redirection.

To configure a redirection you have to establish the Interface where received traffic needs translation, the Original source (which can be the Zentyal server, an IP address or an Object), the Original source port (which can be Any, a Default port or a Port range), the Protocol and the Source (which can also be Any, a source IP or an Object). You will also specify the IP address of the Destination and finally the Port where the destination host will receive the requests, which can be the same as the original or not. Additionally you can also Log the connections that go through this redirection and Replace source address, which is useful if Zentyal is not the gateway for the internal machine: if you check this last option the internal host will see Zentyal as the original source of the connection. There is also an optional field called Description used to clarify the purpose of the rule.

Port redirection

03.04 Routing

Introduction to network routing

Zentyal uses the Linux kernel subsystem for the routing, configured using the tool iproute2 [1].

[1] http://www.policyrouting.org/iproute2.doc.html

Configuring routing with Zentyal

Gateway

The gateway is the default router for the connections associated with a destination that is not in the local network. This means, if the system does not have static routes defined or if none of these match with the desired transmission, the gateway will be used by default.

To configure a gateway in Zentyal go to Network ‣ Gateways, which contains the following parameters:

Adding a Gateway

Enabled: Indicates whether this gateway is effectively working or if it is disabled.

Name: Name used to identify the Gateway.

IP Address: IP Address of the gateway. This address has to be directly accessible from the host Zentyal is installed on, this means, without other routers in the middle.

Interface: Network interface connected to the gateway. The packets sent to this gateway will be sent using this interface.

Weight: The higher the weight, the more packets will be sent using this gateway if you have traffic balancing enabled.

Default: If this option is enabled, this will be the default gateway.

If you have configured interfaces as DHCP or PPPoE [2] you can not add a gateway explicitly for these, because they are automatically managed. Nevertheless, you can still enable or disable them by editing the Weight or choosing whether one of them is the Default, but it is not possible to edit any other attributes.

Gateways list with DHCP and PPPoE

[2] http://en.wikipedia.org/wiki/PPPoE

Additionally, Zentyal may need a proxy in order to access the Internet. This can be used, for example, for software and antivirus updates, or for HTTP proxy redirection. In order to configure this external proxy, go to Network ‣ Gateways. Here you can specify the address for the Proxy server and also the Proxy port. A User and Password can be specified if the proxy requires them.

Static route table

If all the traffic directed to a network must go through a specific gateway, a static gateway is added. This can be used, for example, to interconnect two local networks via their default gateways. For making a manual configuration of a static route, you have to use Network ‣ Static Routes.

Static route configuration

These routes can be overwritten if the DHCP protocol is in use.

List of gateways

The routing rules for more than one gateway, also known as multigateway rules, allow the network to use multiple connections to the Internet. A single host can have more than one configured gateway, which is very common nowadays and leads to a situation where new parameters need to be taken into account during the configuration of a Zentyal server. This can be very useful for organisations that require more bandwidth than can be offered by a single ADSL line, or that can not tolerate interruptions to Internet access.

Configuring traffic balancing with Zentyal

As mentioned previously, traffic balancing shares the outgoing connections to the Internet in an equitable and transparent way, allowing complete use of the available bandwidth. The simplest configuration is to establish the different weights for each gateway, so if the connections have different capacities, you can specify optimal use.

Traffic balancing

Configuring wan-failover in Zentyal

When performing traffic balancing between two or more gateways, it is recommended to enable the wan-failover feature. In case you are balancing traffic between two routers and one of them suffers a failure, if this feature is not enabled, part of the traffic will still try to use the non-functioning router, causing connectivity problems for the network users. By using the failover configuration, the network users will not suffer any problems with their Internet connection.

Additionally, it is possible to define sets of tests for each gateway to check whether it is operative or if there are problems and it should no longer be used as an outgoing route to the Internet. These tests can consist of a ping to the gateway, a ping to an external host, DNS resolution or an HTTP request. It is also possible to define how many tests are to be executed and the percentage of acceptance required. If any test fails, not reaching the acceptance rate, the associated gateway will be disabled: the multigateway rules associated with this gateway will be deactivated and the quality of service rules will be consolidated. Disabling a gateway ensures that all the traffic will use the other enabled gateways. These tests will continue running, so when the acceptance rates are satisfied again, the gateway will be enabled again.
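Weighted traffic balancing and the failover behaviour described above (a set of tests per gateway, a required success rate, a gateway disabled when the rate is missed and re-enabled when it is met again), as an added example that is not Zentyal's own code. The gateway names, weights and probe outcomes are constructed sample data, and the probes are simulated by a callable rather than real ping, DNS or HTTP traffic; the weighted round robin is one reasonable reading of "the higher the weight, the more packets", not Zentyal's actual scheduling.

```python
# Added example, not Zentyal's own code: weighted balancing between gateways
# plus the failover logic (tests, required success rate, disable/re-enable).
from dataclasses import dataclass
from typing import Callable


@dataclass
class Gateway:
    name: str
    weight: int
    enabled: bool = True     # administrative Enabled flag
    failed: bool = False     # set by failover when tests miss the required rate

    @property
    def usable(self) -> bool:
        return self.enabled and not self.failed


def choose_gateway(gateways, conn_id: int) -> str:
    """Pick a gateway for outgoing connection number conn_id.

    Weighted round robin: a gateway with weight 3 takes three connections for
    every one taken by a gateway with weight 1. Only usable gateways count, so
    traffic moves to the remaining gateways when failover disables one.
    """
    usable = [g for g in gateways if g.usable]
    if not usable:
        raise RuntimeError("no usable gateway")
    slot = conn_id % sum(g.weight for g in usable)
    for g in usable:
        if slot < g.weight:
            return g.name
        slot -= g.weight
    raise AssertionError("unreachable")


def run_failover(gw: Gateway, probe: Callable[[int], bool],
                 tests: int, required_rate: float) -> bool:
    """Run `tests` probes against one gateway and update its failed flag.

    probe(i) returns True when test i succeeds (a ping, DNS or HTTP check in
    the real tab). The gateway is marked failed when the success rate falls
    below required_rate and recovers when it reaches it again. Returns the
    gateway's new usable state.
    """
    successes = sum(1 for i in range(tests) if probe(i))
    gw.failed = successes / tests < required_rate
    return gw.usable


def distribution(gateways, connections: int) -> dict:
    """Count how many of `connections` outgoing connections each gateway gets."""
    counts = {}
    for i in range(connections):
        name = choose_gateway(gateways, i)
        counts[name] = counts.get(name, 0) + 1
    return counts


def failover_demo():
    """Two ADSL lines balanced 3:1; the second line then drops half its probes."""
    adsl1 = Gateway("adsl1", weight=3)
    adsl2 = Gateway("adsl2", weight=1)
    gws = [adsl1, adsl2]
    before = distribution(gws, 40)
    # Constructed probe results: adsl2 answers only the even-numbered tests.
    run_failover(adsl2, lambda i: i % 2 == 0, tests=10, required_rate=0.8)
    during = distribution(gws, 40)
    # Tests keep running; once every probe succeeds the line is re-enabled.
    run_failover(adsl2, lambda i: True, tests=10, required_rate=0.8)
    after = distribution(gws, 40)
    return before, during, after


if __name__ == "__main__":
    print(failover_demo())
```

Without the failover step, `distribution` would keep sending one connection in four to the broken line, which is the "part of the traffic will still try to use the non-functioning router" situation the text describes.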
Multigateway rules and balancing can be established in the section Network ‣ Gateways, Traffic balancing tab. Zentyal can be configured to always send given types of traffic through a specific router as needed. A common example is to always send e-mail traffic, or all the traffic from a pre-determined subnet, through a specific router. In this section rules can be added to ensure certain connections go to a specific gateway, depending on the Interface, the Source (it can be an IP address, one Object, the Zentyal server itself or Any), the Destination (an IP address or an Object), the Service to which you want to associate this rule and the Gateway to where the specified traffic should be routed. It is possible to add different rules and enable or disable them depending on your needs, without having to delete and add them.

WAN failover

To configure these options and test the failover you need to go to the Network ‣ Gateways menu, WAN failover tab. To add a rule click on the Add new option and a form with the following fields will be displayed:

Enabled: Indicates if the rule is to be applied during the connectivity checks of the routers.

Gateway: Here, select the gateway from the list of previously configured gateways.

Type of test: You can choose one of the following values:

Ping to gateway: A control packet is sent from the Zentyal server to the gateway and awaits a response. This checks that there is connectivity between both hosts and that the gateway is active. This doesn't check whether the gateway has an Internet connection or not.

Ping to host: This test sends a control packet and waits for a response. This time it is sent to an external host, so not only is the gateway connection tested but the Internet connection is tested too.

DNS Resolution: Obtains the IP address for the specified host name, which requires not only connectivity between the server and the gateway and from there to the Internet, but also that the DNS servers are still accessible.

HTTP Request: This could be the most complete test, considering that it tries to download the content of a specific web site, which requires all of the former tests to be satisfactory.

Host: The server that is going to be used as the destination in tests. Not applicable to Ping to gateway.

Number of tests: Number of times you are going to repeat the test.

Required success rate: Indicates the rate of successful attempts needed to evaluate a test as 'passed'.

Failover is implemented as a Zentyal event. To use it, you first need to have the Events module enabled, and after this enable the WAN Failover event. It is possible to specify the event period by modifying the value of the option Time between tests. By using the default configuration, after disabling a gateway, the event is only registered in the log file /var/log/zentyal/zentyal.log. In addition, if you want to receive the notifications using other methods, configure an event emitter, as described in the chapter Events and alerts, or acquire a Zentyal Professional Subscription [3] which includes automatic event alerts. Once Zentyal detects that the disabled gateway is operative again, if any of these rules are enabled, it will restore the normal behaviour of the traffic balancing, multigateway rules and quality of service.

[3] http://store.zentyal.com/serversubscriptions/subscription-professional.html
03.05 Quality of Service (QoS)

Quality of service configuration in Zentyal

Zentyal is able to perform traffic shaping on the traffic flowing through the server, allowing a guaranteed or limited rate, or assigning a priority to certain types of data connections, through the menu Traffic shaping ‣ Rules. In order to perform traffic shaping, you need, at least, one configured gateway, an internal network interface and an external interface.

The maximum output and input rates are given by the configuration in Traffic Shaping ‣ Interface Rates, where you can set the upload and download rates that will be provided by the routers connected to your external interfaces. The shaping rules are specific for each interface and they may be selected for those external network interfaces with an assigned upload rate and for all internal interfaces. If the external network interface is shaped, then you are limiting Zentyal output traffic to the Internet. If, however, you shape an internal network interface, then the Zentyal output to internal networks is limited.

As you can see, shaping input traffic is not possible directly, because input traffic is neither predictable nor controllable most of the time. There are specific techniques taken from various protocols used to handle the incoming traffic, by artificially adjusting the window size for the data flow in the TCP connection as well as controlling the rate of acknowledgement (ACK) segments being returned to the sender.

You can add rules for each network interface in order to give Priority (0: highest priority, 7: lowest priority), Guaranteed rate or Limited rate. These rules apply to traffic bound to a Service, a Source and/or a Destination of each connection.

Traffic shaping rules

Additionally, it is possible to install the component Layer-7 Filter which allows you to configure a more complex analysis for the traffic shaping, based on identifying the last level protocols by their content rather than the port. The rules based on this type of filtering are more effective than the ones that just check the port, given that you may have servers configured to provide the service on non-default ports; this will go unnoticed if you do not analyze the traffic itself. It is expected that this type of analysis usually means a heavier processing load for the Zentyal server. As you can see when you install this component, you can use this filter by choosing Application based service or Application based service group as Service.

03.06 Network authentication service (RADIUS)

Introduction to RADIUS

Zentyal integrates the FreeRADIUS [2] server, the most popular in Linux environments.

[2] http://freeradius.org/

Configuring a RADIUS server with Zentyal

To configure the RADIUS server in Zentyal, you first need to check in Module status that Users and Groups is enabled, because RADIUS depends on it. You can create a group from the menu Users and Groups ‣ Groups and add users to the system from the Users and Groups ‣ Users menu. While you are editing a group, you can choose the users that belong to it. The configuration options for users and groups are explained in detail in the chapter Directory Service (LDAP).

Once you have added groups and users to your system, you need to enable the module in Module status by checking the RADIUS box. To configure the service, go to RADIUS in the left menu.

General configuration of RADIUS

Here you can define if All users or only the users that belong to a specific group will be able to access the service.

All the NAS devices that are going to send authentication requests to Zentyal must be specified in RADIUS clients. For each one you can define:

Enabled: Whether the NAS is enabled.

Client: Name for this client, a similar idea to the host name.

IP Address: The IP address or range of IP addresses from which it is allowed to send requests to the RADIUS server.

Shared password: Password to authenticate and cypher the communications between the RADIUS server and the NAS. This password must be known by both sides.
By default access is allowed to all registered users.07 Captive Portal Introduction Zentyal implements a Captive Portal service.03. which allows you to limit the access to the network from the internal interfaces . HTTP port and HTTPS port You can find the web redirection service under HTTP port. and the registration portal in HTTPS port. Captive portal configuration Group If you define a group. Zentyal will automatically redirect the web requests to the registration portal. only users belonging to it will be allowed to access through the captive portal. located in https://ip_address:https_port/ Captive interfaces . . leaving him without Internet access. you can limit the user’s bandwidth use. The Bandwidth Settings section allows you to limit the upload and download for external networks. List of Users The Current users tab contains a list of the users which are currently registered in the captive portal. Current users The following information for each user is available: User Name of the registered user. Bandwidth Monitor If the Bandwidth Monitor module is active. The captive portal will limit the access to the interfaces that are checked in this list. This action will instantly close the user’s session. From this list it is also possible to “kick” the users. IP address IP address of the user Bandwidth use (Optional) If the Bandwidth Monitor module is enabled. this field will show the bandwidth use (in MB) of the user for the configured period.Here you can find a list of all the internal network interfaces. Using the captive portal When a user. connected to Zentyal through a captive interface. tries to access any web page using his/her browser. asking for authentication. . he/she will be automatically redirected to the Captive Portal.Configuring the Captive Portal with bandwidth limitation If this option is enabled. the users reaching the defined Bandwidth quota (in MB) in the defined Period will automatically lose the connection. 
so it should be kept open until the user disconnects from the Captive Portal. a pop-up window will be shown to the user.Captive Portal authentication webpage After a successful login. This window keeps the user session open. Session window . dansguardian. The size of the cache will define the maximum disk space used to temporally store web contents.. [1] http://www. In this case in Port you will establish the port for incoming connections. traffic saving and better speed. but still have the advantages of the cache. Allow all. you can allow the users to browse the web without any type of restrictions. so an internal network address must be used for the web browser configuration. Deny All: This policy totally denies all the access to the web.08 HTTP Proxy Service Introduction to HTTP Proxy Service Zentyal uses Squid [1] as HTTP proxy. Even though it may seem not useful at first glance. given that you can achieve the same effect with a firewall rule. The authentication will be explained in HTTP Proxy advanced configuration. This policy determines whether the web can be accessed and if the content filter is to be applied. Filter: This policy allows the users to browse.03. You can choose one of the options below: Allow All: With this policy.squid-cache. but enables the content filtering which can deny the access to some of the web pages requested by the users.org/ HTTP Proxy configuration in Zentyal To configure the HTTP Proxy go to Proxy HTTP ‣ General. . This value is set in Cache size and it is the system administrators’ decision to set the optimal value. other typical ports may be 8000 or 8080. users and groups. where authentication is required. You can define which mode you need the proxy to operate in Transparent Proxy. taking into account the server’s characteristics and expected traffic. The Default policy for the access to HTTP web contents through the proxy can be configured.org/ [2] http://www. 
Zentyal proxy will only accept connections that come from internal network interfaces. along with Dansguardian [2] for the content control. therefore using this policy to deny by default and then choosing carefully what will be accepted. Deny All: These policies are versions of the previous policies. you can later establish particular policies to different objects. Filter. The default port will be 3128. Authorize and. if you want to force the configured policies or use a manual configuration. There is also the possibility of defining an hour range outside which access to the network object is denied. so it is possible to sort the object to indicate priority. Only apply the object policy with a higher priority. you will not speed up the access using the cache and the memory that can be used to store remote server contents is wasted. These domains are defined in Cache exceptions. A network address can be contained in different objects. If access to the proxy from any member of the object associated with this policy occurs. For example. if you have local web servers. not with filter policies. This option is only compatible with Allow or Deny policies. Choose any of the six policies for each object. when a request is received for this domain. the cache is ignored and only the data is forwarded from the server without storing it. .HTTP Proxy It is possible to select which domains will not be stored in the cache. more specific policies can be defined for Network objects in the HTTP Proxy ‣ Object Policy menu. If a domain is excluded from the cache. After setting the global policy. it will have preference over the global policy. To configure this go to HTTP Proxy ‣ Limit bandwidth. and using the network empties them. The ad blocking affects all the web accesses made through the proxy. non will be applied. bandwidth and download speed are limited.Object Policies Blocking ads from the web The HTTP proxy can block ads displayed on the web pages. 
go to HTTP Proxy ‣ General and enable Ad Blocking. Volume: Maximum capacity of the box in bytes. let’s say that the box will empty if you have transmitted this number of bytes. To use this feature. Delay Pools class 1 and class 2. in . Zentyal allows you to limit the bandwidth using two different methods. You can represent the Delay Pools as boxes that contain a limited amount of bandwidth. and allow configuration of a transferred data limit. The restrictions of the class 1 have priority over class 2 restrictions. you can configure the following values: Ratio: Maximum bandwidth that can be used once the box is empty. they are being filled with the time. When they are completely empty. Class 1 Delay Pools These Delay pools limit the bandwidth globally for a subnet. Limiting downloads with Zentyal Another configurable feature Zentyal offers is to limit the download bandwidth using network objects through the Delay Pools. This will save bandwidth and reduce distractions for the users. Bearing in mind this representation. The File size and a maximum bandwidth restriction. if a network object does not match with any of the limitations in the rules. The limitation will be enabled when the data limit has been reached. Class 2 Delay Pools These Delay Pools have two types of boxes.Download rate. If a member of the subnet empties his/her box. but if there is no specific profile for this user or object the default will be applied. as in the Class 1 all the transmitted traffic is accumulated and one dedicated to each client. a general one where. but it will not affect other clients. These Delay Pools are a single box shared by all the network objects. Bandwidth limit Content filtering with Zentyal Zentyal supports web page filtering depending on the content. You can define multiple filtering profiles in HTTP Proxy ‣ Filtering profiles. . all the clients will be limited to the Network download rate. 
To do this global policy must be set or the specific policy of each object must be Filter or Authorize and filter. his/her bandwidth will be limited to Client download rate. If they empty the shared box. Keep in mind that this analysis can block allowed pages. To control this process you must establish a threshold that is more or less restrictive. amongst others. If it is enabled then HTTP traffic containing detected viruses will be blocked. which is known as a false positive. This is the value to be compared with the score assigned to the site.whether a specific web site can be accessed or not. MIME type. If the content is inappropriate (pornography.Filtering profiles. The final decision is . but there is always the risk of a false positive with new pages. The first filter to be configured is antivirus. the MIME type filtering and the Domain filtering options are available. To use it. The threshold can be set in the Content filtering threshold section. the Antivirus module must be installed and active. white lists and black lists. . etc. Also the File extension filtering. extensions. violence. Content filtering for web pages can be achieved using different methods. Heuristic filtering consists mainly of the analysis of the text in web pages. racism. including heuristic filtering. This problem can be remedied by adding the domains of this site to a whitelist.) the filter will block access to the page. You can disable this filter by choosing the value Off. In a similar fashion in MIME type filtering you can select which MIME types are blocked and add new ones if necessary. .Filtering profile In the File extension filtering tab select which extension will be blocked. Available sections are: • Block domains specified only as IP. as with extensions. In the Domain filtering tab the filtering configuration based on domains can be found. This option blocks the domains based only on the IP address and not in the domain. 
allowing you to choose a policy for a entire domain category. Always deny: Access to the domain contents will never be allowed. Once a file has been downloaded it can be incorporated into configurations and policies set for the different categories. this option blocks all the domains that are not present in the Domain rules section or in the categories present in Domain list files and which policy is not set to Ignore. These lists are normally maintained by third parties and have the advantage of classifying domains by categories. The policies that are available for each category are the same as those used for domains and will be applied to . It is useful if you have enabled the Block non listed domains option. Next are the domain lists. These lists are distributed as a compressed file. all the filters are ignored. Filter: Usual rules are applied to this domain.• Block not listed domains. where domain names can be inserted and one of these policies can be chosen: Always allow: Access to the domain contents will be always allowed. Domain filtering The work of the systems administrator can be simplified if you use classified domain lists. Category list Using the Advanced Security Updates in Zentyal [3].in order to have a professional content filtering policy level. This is the default policy for all the categories. as the name implies.all the domains in the category.zentyal. an updated database of domain categories can be automatically installed . There is an additional policy Ignore. this will ignore all of this category when filtering.html .com/other/advanced-security. [3] http://store. not only on the content of the pages. amongst other options. group and time . These tools allow you to interconnect different subnets safely. Finally.com/other/advanced-security. define advanced browsing policies. security alerts on harmless events and also by false negatives . 
By using the Advanced Security Updates from Zentyal [1] the IDS rules can be automatically updated using a wide range of rules and patters pre-selected by security experts. ports or protocols. it is possible to interconnect different private subnets via the Internet in a completely safe way. detect attacks on your network from Internet or hosts in the internal network. This element analyses network traffic searching for patterns of attacks. Like other filters it can be affected by false positives. You can lessen these drawbacks by keeping the recognition rules and patterns regularly updated. which imposes static rules predefined by the administrator.04. so Zentyal offers great configurability and integration of services to cover it.perhaps the most important feature of the UTM . you will learn about .html . It will be explained on the communications chapter due to logical dependencies with the mail module. but also on the different profiles per subnet. Unlike the firewall.including malware analysis. A typical example of this feature is the communication between two or more offices of the same company or organisation.the IDS (Intrusion Detection System). By using VPN (Virtual Private Network). [1] https://store. You can also use VPN to allow users to connect remotely and securely to the corporate network.01 Zentyal Unified Threat Manager The UTM (Unified Threat Manager) is a more advanced concept than the firewall.zentyal. This feature allows you to go one step further when maintaining the security of your network and be immediately aware of what is going on.unidentified potentially dangerous events. The UTM not only defines a policy based on source or destination. In addition to the openvpn protocol. Zentyal offers you the IPSec and PPTP protocols to ensure compatibility with third party devices and windows boxes where you do not want to install additional software.Zentyal Unified Threat Manager 04. but provides the necessary tools to secure your network. 
Email filtering is a fundamental feature for the security of your server and users. an IDS analyses each real-time connection. Another feature included in Zentyal is the definition of advanced browsing features based on. user. In each policy you can specify the network Object it will be applied to. all you need to do is to click on Use default configuration. The configuration options are exactly the same as those explained in the configuration of the default profile in the chapter HTTP Proxy Service. You could have.02 HTTP Proxy advanced configuration Configuration of filter profiles You can configure the filter profiles in the HTTP Proxy ‣ Filter Profiles section. save for one important exception: it is possible to use the default profile configuration for the different values of the filter profiles. This option is useful if you want to define different security policies for different computer classrooms or groups of hosts that access through Zentyal gateway. Policy configuration form per object will be displayed. Policy. Filter profile per object You can choose a filter profile for a source object. for example. Allowed time period and Filter profile. To add this type of configurations. The requests coming from this object will use the chosen profile instead of the default profile. Or a classroom for students where the content is filtered whilst in the teachers lounge all traffic is allowed. . you must go to the HTTP Proxy ‣ Object policy and click on Add new.04. To do this. a group of computers in a public access classroom that require authentication for browsing while in the offices with private hosts general network policies will be used. Filter profiles You can create and configure new filter profiles to be used by user groups or network objects. you can choose the users that belong to it. The Allowed time period is the time during which the profile that you are configuring will be enabled. While you are editing a group. 
These policies ensure the proxy uses a valid user identification to allow access. you must choose Filter if you want the Filter profile to be applied.Add a new object policy The policies are the same as you already saw in the chapter HTTP Proxy Service. You can define the weekly hours and days for which the policy will be enabled. first you need to use one of the options that force Authorize as a global or network object policy. The configuration options for users and groups are explained in detail in chapter Directory Service (LDAP). In order to do that first you need to enable the module Users and groups in Module status. During other time periods. To define user group based filtering follow these steps. To make things easier and to avoid overlaps. Once you are able to authenticate the users. User group based filtering You can use the user groups in access control and filtering. You can create a group from the menu Users and Groups ‣ Groups and add users to the system from the Users and Groups ‣ Users menu. you are not allowed to create different policies for the same object. . the default configuration will be applied. These policies give control over the scope of members of a specific group and assign them filter profiles other than the default profile. you can also establish global group policies. these policies only affect the access and not filtering. As with the global group policies. If you wish to apply a specific filter. These only decide whether the user can or can not access the web. you can define a Policy for this group that can be either Allow or Deny. User group based filtering for objects Filtering policies per network objects have priority over the general proxy policy and global group policies. you must set the global policy or the object policy from which they connect to Authorize and filter. The group policies are managed in the HTTP Proxy ‣ Group Policy section. 
you can also define policies per group.Warning A technical limitation in the HTTP authentication protocol means you can not apply the authentication policies if the proxy is being used in transparent mode. Global group policy The priority of each group policy is reflected by its position in the list (the higher on the list. if you have chosen a policy with authorisation. As in the case of network object policies. The priority is important because when you have users that belong to several groups. The Time period and the Filter profile are to be applied in case the host from which the user authenticates has a filter policy or a policy has already been established in the global configuration. In addition. Filtering will be determined by the policy of the object to which they belong. the higher the priority). they will only be affected by the group policies with the highest priority. . the policies with authentication can not be deployed if you’re using proxy in transparent mode. HTTP Proxy ‣ Object Policy list. it is important to notice that you can not assign filtering profiles to groups in object policies. independent of the network object from which it accesses the proxy. Finally. a group will apply the filtering profile established in its global group policy.Likewise. Object policies . You can add these policies from the Group policy column. Therefore. Allows to use network applications transparently. OpenVPN has the following advantages: • • • • • Authentication using public key infrastructure. SSL-based encryption technology. another open source VPN alternative. Mac OS and Linux. . [2] http://openvpn.net/ Configuration of a OpenVPN server with Zentyal Zentyal can be configured to support remote clients (sometimes known as road warriors). This means a Zentyal server acting as a gateway and VPN server with a local area network (LAN) behind it allows external clients (the road warriors) to connect to the local network via the VPN service. 
The following figure can give a more accurate view: Zentyal and remote VPN clients The goal is to connect the data server with other 2 remote clients (sales person and CEO) and also the remote clients to each other.03 Virtual private network (VPN) service with OpenVPN Introduction to the virtual private networks (VPN) Zentyal integrates OpenVPN [2] PPTP and IPsec to configure and manage virtual private networks. Easier to install.04. the default VPN protocol in Zentyal. configure and maintain than IPSec. In the following section you will find out how to configure PPTP and IPsec. Clients available for Windows. In this section you will see how to configure OpenVPN. you must set at least one of your interfaces as external at Network ‣ Interfaces. i. the VPN server will be listening on all external interfaces. However.First. the networks connected directly to the network interfaces of the host. one internal for LAN and one external for Internet. Once you have the certificates. certificate (Zentyal will create one automatically using the VPN server name) and network address. The VPN network addresses are assigned both to the server and the clients. The only value you need to enter to create a new server is the name. If you need to change the network address you must make sure that there is no conflict with a local network. In this scenario only two interfaces are required. you will automatically be notified of local network detail. you must enable the option Allow connections among clients. through the private network. In this scenario. VPN server configuration .e. Therefore. As you can see. Zentyal will create this certificate automatically when you create a new VPN server. The following configuration parameters are added automatically and can be changed if necessary: port/protocol. Note that you also need a certificate for the VPN server. You can leave the rest of the configuration options with their default values. 
If you want the clients to connect between themselves by using their VPN addresses. In addition. Zentyal ensures the task of creating a VPN server is easy and it sets the necessary values automatically. you need to create a Certification Authority and certificates for the remote clients. Zentyal acts as a Certification Authority. then configure the Zentyal VPN server by selecting Create a new server. to browse shared files from the VPN [3] you must explicitly allow the broadcast of traffic from the Samba server. If you want to use the local Zentyal DNS service through the private network. These are available in the table at VPN ‣ Servers. The Zentyal administrator will download the configuration bundles to the clients using the most appropriate method. you need to configure these clients to use Zentyal as name server. it is time to configure the clients.installation packages that include the VPN configuration file specific to each user and optionally. Download client bundle A bundle includes the configuration file and the necessary files to start a VPN connection. you must enable the service and save the changes.e. After this. if the selected system is Windows. . Later you must check in Dashboard that the VPN server is running. Keep in mind that Zentyal will advertise all internal networks automatically. but only by IP address. routes between VPN networks and between VPN networks and other networks known by your server. Mac OS and Linux clients. You now have access to the data server from both remote clients. you can also add an OpenVPN installer. Otherwise. [3] For additional information about file sharing go to section File sharing and authentication service You can see the users currently connected to the VPN service in the Zentyal Dashboard. The easiest way to configure a VPN client is by using the Zentyal bundles . These networks will be accessible by authorised VPN clients. 
When you create a bundle select those certificates that will be used by the clients and set the external IP addresses to which the VPN clients must connect. Also. by clicking the icon in the column Download client bundle. Obviously. Once you have done this. Moreover. i. it will not be possible to access services by the hosts in the LAN by name. you must establish networks. You can create bundles for Windows. you can add or remove the necessary routes. In this scenario a local network will automatically be added to ensure the 3rd client is visible to the other two clients. an installation program.After having created the VPN server. . you must ensure that the firewall module is enabled. Zentyal as a VPN client The goal is to connect the client 1 on the LAN 1 with client 2 on the LAN 2 as if they were in the same local network. Therefore. i. With this option. it will act on behalf of all the advertised networks in order to ensure that it receives all the response packages that it will later forward through the private network to its clients. The following image clarifies the scenario: Zentyal as VPN server vs.If you need a VPN server that is not the gateway of the local network. This is best explained by the following image: Connection from a VPN client to the LAN with VPN by using NAT Configuration of a VPN server for interconnecting networks In this scenario two offices in different networks need to be connected via private network. As this is one of the firewall options. you must configure a VPN server as previously explained. To do this. then you need to use the Port redirection with Zentyal. you will use Zentyal as a gateway in both networks.. One will act as a VPN client and the other as a server. the host does not have any external interfaces. otherwise you can not enable this option.e. the VPN server will act on behalf of the VPN clients within the local network. In reality. 
enable the Allow Zentyal-to-Zentyal tunnels to exchange routes between Zentyal servers.However. you need to make two small changes. You should bear in mind that the LAN 1 network must be advertised in the Advertised networks. introduce a Password for Zentyal-to Zentyal tunnels to establish the connection between the two offices in a safer environment. If you do not use the bundle. You can configure the client manually or automatically by using the bundle provided by the VPN server. First. These certificates must have been created by the same certification authority the server uses. The tunnel password and certificates used by the client will also be required. you must introduce the IP address and protocol-port for the server accepting requests. And then. Client configuration When you Save changes in the Dashboard. you can see a new OpenVPN daemon in the LAN 2 running as a client and the object connection towards another Zentyal server within the LAN 1. . You must give a name to the client and enable the service. You can configure Zentyal as a VPN client at VPN ‣ Clients. Dashboard of a Zentyal server configured as a VPN client When the connection is complete. the hosts with client roles will only have access to those routes the server has explicitly advertised. the host with the server role has access to all routes of the client hosts through the VPN. . However. which you can configure under PSK preshared key. . If you want to configure a tunnel between two networks using IPsec. the local subnet behind Zentyal that will be accessible through the VPN tunnel. both ends must have a static IP address. and the General tab you will define the Zentyal’s IP address that you will use in each connection to access the external subnet.04 Virtual Private Network (VPN) Service with IPsec Introduction to IPsec Zentyal integrates OpenSwan [2] as its IPsec solution.org/ Configuring an IPsec tunnel in Zentyal To configure IPsec in Zentyal go to VPN ‣ IPsec.04. [2] http://www. 
You can enable or disable each one of them and add an explanatory text. the remote IP address you will contact in the other end of the tunnel and the local subnetwork you will have available in the other end.openswan. Here you can define all the tunnels and IPsec connections you need. This service uses the ports 500 and 4500 of UDP and the ESP protocol. IPsec connections Inside Configuration. Currently Zentyal supports PSK authentication only (preshared key). This parameters determine the behaviour of the IPsec protocol and have to be identical in both ends of the tunnel.General configuration In the Authentication tab you will configure the specific parameters of the tunnel authentication. check IPsec specific documentation. To learn more about the meaning of each one of the options. Authentication configuration . 05 Virtual private network (VPN) service with PPTP PPTP Introduction Zentyal integrates pptpd [2] as its PPTP server. This subnet has to be different to any other internal network you are using in your local network or another VPN. it is not currently possible to integrate the LDAP users. In the same way you can configure the Primary WINS and Secondary WINS servers. using the configuration field IP Address.net/ Configuring a PPTP server in Zentyal To configure your PPTP server in Zentyal go to VPN ‣ PPTP. Additionally. you can statically assign the same IP address to a user inside the VPN subnet. so it will be in the tab PPTP Users where you will define the list of users and its associated passwords that will be able to connect to the VPN PPTP server. . You can also define the Primary Nameserver and Secondary Nameserver. This service uses the port 1723 of the TCP protocol and the GRE encapsulation protocol. [2] http://poptop. In the General configuration tab define the subnet used for the VPN. managed through Users and Groups.sourceforge. General configuration Given the limitations of the PPTP server.04. 
you have to check that the current rules of the firewall allow the connection to the PPTP server. before being able to connect to your PPTP server.PPTP Users As usual. which includes the 1723/TCP port and the GRE protocol. . 04. In this section. those related to services not available in your network. A typical set of rules is enabled by default. you have to specify which network interfaces you need IDS to listen on. However. . for example. All of them are disabled by default due to the increased network latency and CPU consumption caused by the inspection of the traffic. First. one of the most popular IDS. you can enable any of them by clicking on the checkbox. you can choose different groups of rules that will matched to the captured packets in order to obtain alerts. You can access both configuration options through the IDS menu. If you have extra hardware resources you can also enable additional rules. [2] http://www. on the Interfaces tab. Network interface configuration for IDS In the Rules tab you have a table preloaded with all the Snort rulesets installed on your system. You can save CPU time disabling those rules you are not interested in. in case of positive results.snort. a table with all the configured network interfaces will appear. You only have to enable or disable a number of elements.06 Intrusion Detection System (IDS) Introduction to Intrusion Detection System Zentyal integrates Snort [2].org Configuring an IDS with Zentyal Configuration of the Intrusion Detection System in Zentyal is very easy. After this. available for both Windows and Linux systems. you can query the different IDS alerts using the usual procedure. .IDS rules IDS Alerts So far the basic operation of the IDS module has been described. The IDS module is integrated with the Zentyal logs module so if the latter is enabled. Similarly. As you are going to see. 
This is not very useful by itself, because you will not be notified when the system detects intrusions and security attacks against the network. However, thanks to the Zentyal logs and events system, this notification can be made simpler and more efficient: you can configure an event for any of these alerts to notify the systems administrator. For additional information, see the Logs chapter.

05.01 Zentyal Office

This section explains some of the services offered by Zentyal as an office server: in particular, its ability to manage network users in a centralised way, the sharing of files and printers, as well as groupware services such as sharing calendars, contacts, tasks and so on.

Directory services allow you to manage user permissions within an organisation in a centralised way. This means that users can authenticate into the network securely and that you can define a hierarchical structure controlling the access to the organisation's resources. Also, thanks to the master/slave architecture integrated within Zentyal, centralised user management can be applied to large organisations with multiple network locations, since this allows you to optimise resource usage and availability.

File sharing and establishing access control for users and groups, using user and group permissions, is also a very important service in any organisation: a security policy allows the protection of critical files within the organisation. Sharing printers is one of the most important features of an office server, and it greatly eases workgroup document access in an intuitive way.

Finally, the backup tools, for both the Zentyal configuration and the users' data, are without any doubt a critical and indispensable tool in any enterprise server, to ensure the recovery process after a failure or mishap of your systems, protecting you from data loss and downtime.
05.02 Directory Service (LDAP)

Introduction to Directory Service (LDAP)
Zentyal integrates OpenLDAP [3] as a directory service, together with Samba [4] to implement the domain controller functionality of Windows and also file and printer sharing.

[3] http://www.openldap.org/
[4] http://en.wikipedia.org/wiki/Samba_(software)

Configuring Zentyal servers in master/slave mode
As mentioned earlier, Zentyal is designed in a modular way, allowing the system administrator to distribute the services between several hosts in the network. To make this possible, the users and groups module can be configured using a master/slave architecture in order to share users between the different servers.

Go to the menu Users and Groups ‣ Mode. By default, the module will act as a master LDAP directory and the Distinguished Name (DN) [7] of the directory will be established using the host name. If you want to configure a different DN, you can change it in the text field LDAP DN.

[7] Every entry in an LDAP directory has a unique identifier called Distinguished Name, which has some similarities with the concept of a complete path on a file system.

Zentyal users mode

Other servers can be configured to use a master as the source for their users, and they become slave servers. To do this, choose slave mode in Users and Groups ‣ Mode. The slave configuration needs two more fields: the IP address or name of the host containing the master directory and its LDAP password. This password is not the Zentyal password, but one automatically generated when you enable the users and groups module; it is a secret shared with every slave, so treat it as such.

The master needs to be able to resolve the name of the slave machines using DNS, so it is necessary to make the required adjustments before continuing. The slaves will create a copy of the master directory when they register for the first time, and it will be automatically maintained when new users and groups are added. You can see the slave list in the Users and groups ‣ Slave status menu in the master Zentyal machine.

Slave status
You can obtain the master's LDAP password from the field Password in the Users and Groups ‣ LDAP data option in the master server.

LDAP info

There is another requirement to register a slave server against a master: the master must be able to resolve the slave's host name. In the Zentyal server acting as master, you need to configure the DNS service, adding a new domain with the slave host name and its IP address. If the firewall module is enabled in the master server, it must be configured so that it allows the incoming traffic from the slaves; otherwise the firewall forbids this traffic.

Once all the parameters have been established and the host name of the slave can be resolved from the master, the slave can be registered in the master Zentyal server by enabling the Users and Groups module in Module status. The modules which have users, like mail and filesharing, can now be installed in the slaves and they will use the users configured in the master Zentyal directory.

There is an important limitation of the master/slave architecture: the master Zentyal server can not have modules which depend on users and groups, for example filesharing and mail. If the master has any of these modules installed, they must be uninstalled before trying to register any slave.

Some modules need extra actions to be executed when you add users, for instance filesharing, which needs to create the user directories. If one of these actions cannot be completed on a slave, the master will remember that there are remaining actions that must be performed and will periodically retry. The system administrator can also check the slaves' status in the menu Users and groups ‣ Slave status and force the retry of the actions manually at any time. From this section it is also possible to remove a slave.

Apart from the master/slave configuration between Zentyal hosts, a Zentyal server can be used in the role of slave of a Windows Active Directory host. The replication can be performed only in one direction, and there are two separate processes, one for data and one for passwords. In the Windows server, acting as master, you will need to install a synchronisation package and, in Zentyal, register the master server, as described in the following sections.
To perform these actions, the master notifies the slaves about the new users and groups when they are created, giving the slaves the opportunity to perform the associated actions. There can be some problems running these actions in some circumstances, for example if one of the slaves is powered down; in that case the pending actions are retried as described above.

Configuring Zentyal as a slave of Windows Active Directory

Apart from the master/slave configuration that can be set up between different Zentyal hosts, a Zentyal server can also act as slave of a Windows Active Directory host. The replication is performed only in one direction, from Windows to Zentyal. All the user data from users and groups will be synchronised through the LDAP protocol. Nevertheless, the passwords are transferred through an encrypted TCP connection, with the server listening on the Zentyal host and the client notifying the passwords when a new user is created or a password in the master Windows server is modified.

To deploy a scenario with this feature, you will need a working Zentyal server with an advanced configuration of the users directory and a Windows server with Active Directory configured.

Configuring the Windows server as a master

You need to install a special software package in the Active Directory server in order to notify the password changes to Zentyal and, for the slave machines, you need to install the software that will perform the slave synchronisation. These packages can be downloaded for the different versions of Zentyal from the download page of the project [8].

[8] http://sourceforge.net/projects/zentyal/files/

Once downloaded and executed, it will launch the configuration tool automatically and you can enter the following data (to finish the installation, click on the button Save to Registry and Exit; it is not recommended to restart the server yet, as there are some configuration steps remaining):

• Port: You can use the default value or change it to a different one which is available on the Zentyal host.

Next, in the Start menu, go to Administrative Tools ‣ Domain security policy and activate the complexity requirements for passwords, as shown in the figure:
• Zentyal slave host: IP address of the Zentyal host.
• Secret key: You can choose any password, as long as its length is at least 16 characters; use a randomly generated value rather than a dictionary word.
• Enable service: Check this box if you want to write the data in the Windows registry. It will not have effect until the server is restarted.

Configuration dialogue during installation

The values for port and secret key have to be entered later in the Zentyal host configuration.

Editing password policy

Now add a user and then assign a password. You have to take into account that these credentials will be used to connect via LDAP, thus the relevant part is the complete name (CN) and not the user name. The recommendation for avoiding any conflict is to leave the fields for name and surname blank and then assign the same value to the Complete Name and the Session startup name.

Adding the new user eboxadsync

Once you have finished this configuration, the hosts can be restarted as described by the installer.

Configuring the Zentyal server as slave

Once the Windows server is ready, you can proceed to configure Zentyal from Users and groups ‣ Mode. Here you must enter the following data:
• Mode: Choose the Windows AD slave option.
• Master host: IP address of the Windows server.

User mode in Zentyal

Once you have entered these values, you can activate the Users and groups module and save the changes. When Zentyal is prepared to work in this mode, the authentication information for the Windows server can be entered from Users and groups ‣ Windows AD synchronisation:
• AD User: Name of the user that you have created in the Windows host.
• AD Password: The password of that user.
• Reception port: Port entered during the Windows server configuration.
• AD Secret key: The 16-character key used during the configuration in the Windows host.

Warning: The passwords assigned to existing users must be reassigned (or changed) so that the Zentyal server is notified.
Once the users are synchronised, these updates can take up to 5 minutes to complete.

Configuration of an LDAP server with Zentyal

LDAP configuration options
After configuring the Zentyal server as master, from Users and Groups ‣ LDAP Configuration Options you can check the current LDAP configuration and perform some adjustments related to the configuration of PAM authent authentication on the system. In the upper part you can see the LDAP Information:

LDAP configuration in Zentyal

• Base DN: Base distinguished name of the directory on this server.
• Root DN: Distinguished name of the directory's root (administrative) user.
• Password: The password for other services and applications that want to use this LDAP server. If you want to configure a Zentyal server as a slave of this server, this is the password that will be used.
• Users DN: Distinguished name of the users' subtree.
• Groups DN: Distinguished name of the groups' subtree.

In the lower part you can establish some PAM settings.

PAM Settings in Zentyal

By enabling PAM you allow the users managed by Zentyal to also act as normal system users, making it possible for them to start sessions on the server. You also specify in this section the default command interpreter (shell) for your users. This option is initially configured as nologin, blocking the users from starting sessions. Changing this option will not modify the existing users in the system; it will only be applied to the users created after the change.

Creating users and groups
You can create a group from the Users and groups ‣ Groups menu. A group is identified by its name and can also have a description.

Adding a group to Zentyal

Going to Users and groups ‣ Groups you can see all the existing groups, and edit or delete them. While you are editing a group you can choose the users that belong to it, and also the information associated with the Zentyal modules that have some specific configuration tied to user groups.
Editing a group

Among other things, with user groups it is possible to:
• Have a directory shared between the members of the group.
• Set permissions on a printer for all the users of a group.
• Create an alias for a mail address that will forward to all the users of a group.
• Assign access permissions for the different groupware applications to the users of a group.

Users are created from the Users and Groups ‣ Users menu, where you need to add the following information:

Adding a user to Zentyal

• User name: Name of the user on the system; it will be the name used in the authentication processes.
• Name: Name of the user.
• Surname: Surname of the user.
• Comment: Additional information about the user.
• Password: Password that will be used in the authentication processes. It has to be typed twice to avoid typing errors.
• Group: It is possible to add the user to a group during the creation process.

From Users and Groups ‣ Users you can obtain a list of the users, and edit or delete them.

List of users in Zentyal

While editing a user you can change all the details except the user name, as well as the information associated with the installed Zentyal modules that have some specific configuration assigned to users. You can also modify the list of groups that contain this user.

Editing a user

When editing a user you can:
• Create an account on the Jabber server.
• Create an account for file sharing or the PDC with a personalised quota.
• Grant the user permission to use a printer.
• Create an e-mail account for the user and aliases for it.
• Assign a telephone extension to the user.
• Enable or disable the user account for Zarafa and check whether it has administrator rights.

In a master/slave configuration, the basic user and group fields are edited in the master, while the rest of the attributes, related to other modules installed in the slave, are edited from the slave.
User's corner

The user's data can only be modified by the Zentyal administrator, which can be inefficient when the number of users to be managed becomes too big: administration tasks like changing the password of a user can be very time consuming. For this reason there is the User's corner, a Zentyal service designed to allow the users to change their own data. This functionality has to be enabled like the rest of the modules. The User's corner listens on a port different from the other processes, to enhance the system's security.

Configure user's corner port

The user can access the User's corner using the URL:

https://<Zentyal_ip>:<usercorner_port>/

Once the user enters his/her name and password, he/she can perform changes in his/her personal configuration. User's corner offers the following functionality:
• Change the current password.
• Configure the voice mail for the user.
• Configure an external personal account to retrieve the mail and synchronise it with the content of the mail server in Zentyal.

Change the current password in user's corner

05.03 File sharing and authentication service

Introduction to file sharing and authentication
Zentyal uses Samba [4] to implement SMB/CIFS.

[4] http://en.wikipedia.org/wiki/Samba_(software)

Configuring a file server with Zentyal
The file-sharing services are active when the file sharing module is active, even if the PDC is not. File sharing is integrated with users and groups: each user has a personal directory and each group can be assigned a shared directory. All group members have access to that directory and can read or write all the files and directories within it.

To configure the general settings of the file sharing service, go to File Sharing ‣ General configuration. It is also possible to create a shared directory for a group using Users and Groups ‣ Groups ‣ Edit group.

Creating a shared directory for a group
The user's personal directory is automatically shared and can only be accessed by that user.

General configuration of file sharing

The domain is set to work within the Windows local network, and the NetBIOS name is used to identify the Zentyal server. You can use a long description to describe the domain. In addition, there is the option to set a quota limit. Using Samba Group it is possible to configure an exclusive group whose member users are assigned an account for file sharing.

To create a shared directory, use File Sharing ‣ Shares and click Add new.

Adding a new share

• Enabled: Leave it checked if this directory needs to be shared. Disable it to stop sharing.
• Share name: The name of the shared directory.
• Share path: Directory path to be shared. You can create a sub-directory within the Zentyal-specific directory /home/samba/shares, or use an existing file system path by selecting Filesystem path.
• Comment: A more detailed description of the shared directory simplifies the management of shared assets.
• Guest access: Enabling this option allows a shared directory to be accessed without authentication. Any other access settings will be ignored, so use it only for data that everybody on the network may see.

List of shares

Shared directories can be edited using Access control. By clicking on Add new you can assign read, read/write or administration permissions to a user or group. If a user is a shared directory administrator, he/she can read, write and delete any user's files within that directory.

Adding a new ACL (Access Control List)

You can also create a share for a group using Users and Groups ‣ Groups. All group members will have access: they can write their own files and read all the files in the directory.

If you want to store deleted files in a special directory called RecycleBin, you can check the Enable recycle bin box using File Sharing ‣ Recycle bin. Other default settings for this feature, such as the directory name, can be modified using the file /etc/zentyal/samba.conf.

Configuring a Zentyal authentication server
To harness the potential of the PDC as authentication server, enable it in the file sharing general configuration as described next.
If you do not want to use the recycle bin for all shared resources, add exceptions using Resources excluded from Recycle Bin.

Recycle bin

Using File Sharing ‣ Antivirus, virus scanning of shared resources can be enabled and disabled. Exceptions can also be defined where virus scanning is not required. To use this feature the package samba-vscan must be installed on the system, and the Zentyal antivirus module must be installed and enabled.

Configuring a Zentyal authentication server
To harness the potential of the PDC as authentication server, check the Enable PDC box using File Sharing ‣ General Configuration.

PDC enabled

If the Roaming Profiles option is enabled, the PDC will not only authenticate users, but will also store their profiles. These profiles contain all the user information, including preferences in Windows, Outlook email accounts and documents. When a user logs in, the user profile will be retrieved from the PDC server; therefore the user will have access to their work environment on multiple computers. Before enabling this option, you must consider that the user information can be several gigabytes in size, so the PDC server must have enough disk space. You can also configure the drive letter to which the personal user directory will be linked after authenticating against the PDC in Windows.

You can set password policies for users through File Sharing ‣ PDC:
• Minimum password length.
• Maximum password age: the password must be renewed after the set number of days has passed.
• Enforce password history: this option forces the recording of password history, making it impossible for the user to reuse previous passwords.

These policies are applicable only when you change the Windows password from a machine that is joined to your domain; passwords changed elsewhere, for example through the Zentyal interface, are not checked against them. In fact, Windows will force compliance with this policy once a machine is registered on the domain.

PDC settings
05.04 Printers sharing service

About the printers sharing service
For the management of printers and their access permissions, Zentyal integrates CUPS [1] (Common Unix Printing System) as a printing system, in coordination with Samba, as described in the Configuring a file server with Zentyal section. It is worth noting that the configuration and maintenance of printers is not done through the Zentyal interface but from the CUPS interface.

[1] http://en.wikipedia.org/wiki/Common_Unix_Printing_System

Printer server configuration with Zentyal
In order to share a printer in your network, allowing or denying access to users and groups, you need to have access to a printer from the host running Zentyal. This can be done through a direct connection (parallel port or USB) or through the local network. First, you will need to know the manufacturer, the model and the driver the printer uses, in order to obtain good results during operation.

Printer management

The CUPS management port is 631 by default, and you can access the management interface using the HTTPS protocol via the network interface on which you have enabled CUPS to listen:

https://zentyal_address:631/admin

Localhost can be used if you are operating directly on the Zentyal host. If you manage the Zentyal server locally then you do not need to do anything special, but if you want to give access to other machines on the network you must explicitly allow access on that network interface, as by default CUPS will not listen on it for security reasons. For convenience, if you are using the Zentyal interface, you can access CUPS directly through the CUPS web interface link. For the authentication use the same username and password that you use to access the Zentyal interface.

The first step of the wizard used to add a new printer is to select the type of printer; therefore, depending on how it is connected, you will have to provide connection parameters. For example, for a network printer you must establish the IP address and the port as shown in the image.

Connection parameters
Once you have logged onto the CUPS administration interface, you can add a new printer through Printers ‣ Add printer. CUPS also provides a feature for the automatic discovery of printers, so in most cases your printer may be detected automatically, making the configuration easier.

Add printer

The first step is to select the type of printer. This depends on the printer model and how it is connected to your network. Depending on the method you have selected, you might need to configure the connection parameters; for example, for a network printer, you must establish the IP address and the port.

In the next step you can specify the printer's name, which will be used to identify it later on, together with additional descriptions of its features and placement. The name can not include spaces or special characters. The descriptions can be any character string and their value is only informational.

Name and description

Later, you must set the manufacturer, the model and which printer driver to use. Once you have selected the manufacturer, a list of available models will appear, with the different drivers for each model on the right, separated by a slash. On the other hand, if your printer model does not appear on the list, you also have the option to upload a PPD file provided by the manufacturer.

Manufacturer and model

Finally, you will have the option to modify the general settings. Once you have completed the wizard, your printer will be configured.

General settings

You can perform many other actions, such as printing a test page. You can check which printing jobs are pending or in progress through Jobs ‣ Manage jobs within the CUPS interface.

Once the printer has been added through CUPS, Zentyal can export it using Samba. Once the service is enabled and the changes are saved, you can start allowing access to these resources by editing groups or users (Groups ‣ Edit Group ‣ Printers or Users ‣ Edit User ‣ Printers).

Management of printer access
For more information about printer management with CUPS it is recommended to read the official documentation [3].

[3] http://www.cups.org/documentation.php

05.05 Backup

Zentyal configuration Backup
Zentyal offers a configuration backup service to ensure the recovery of a server when a disaster occurs, for example a hard disk failure or a human error while managing configurations.

Configuration backup screen

Backups can be made locally, saving them on the local hard drive of the Zentyal host. However, it is recommended to save them to an external physical system, so that if the machine suffers a failure you still have access to this data. It is also possible to make these backups to a remote host, since they are included in the subscription services provided by Zentyal. The free Basic Subscription [1], designed for testing environments, also offers one remote configuration backup. If your Zentyal server has a Professional or Enterprise Subscription, part of the commercial offering of Zentyal, you have the option to remotely back up both your server configuration and the data kept on your server. With any of these three options, in case a server failure or human error causes a problem with the server configuration, you can always recover it quickly from the Zentyal repositories in Zentyal Cloud.

[1] http://store.zentyal.com/serversubscriptions/subscription-basic.html

Configuring the backup
To access the backup options, go to System ‣ Import/Export configuration. Once you have entered the Name for the backup, chosen its type and clicked on Backup, you will see a window showing the progress of the different modules until the message Backup successfully completed is displayed.

In the Restore backup from a file section you can upload a backup file that you have previously created, associated with a former Zentyal server installation on another host, and restore it using Restore. You will be asked for confirmation, as the current configuration will be completely overwritten.
Afterwards, if you return to the former window, you can see at the bottom of the page a Backups list, with the creation date and size of each copy. Using this list you can restore, download to a client disk or delete any of the saved copies. When creating a backup you choose its type, incremental or full, before clicking on Backup. You can not make a backup if there are unsaved changes in the configuration.

The restoration process is similar to the backup: after showing the progress, the user is notified with a success message if there is no error.

Another interesting option is the possibility of making partial restorations, only of the selected modules, which can be useful if used with care. This is the typical case when you want to restore part of the configuration from an old copy. It is also useful when the restoration process has failed for any reason. In the latter case, simply remember to be careful with the dependencies between modules: for example, if you restore a copy of the firewall module, which depends on the configuration of the objects and services module, you have to restore these first.

CLI tools for the configuration backup
There are two CLI tools available that also allow you to save and restore the configuration. You can find them in /usr/share/zentyal; they are called make-backup and restore-backup.

make-backup allows you to make configuration backups; among its options you can select the type of backup you want to execute, including a configuration report. Note that in report mode the users' passwords are replaced, for increased security. The report can also be generated with the button Generate and Download report file in the web interface. You can see all the options of the program with the parameter --help.

restore-backup allows you to restore configuration backup files. It also has an option to extract information from the file.

Data backup configuration in a Zentyal server
You can access the data backup menu by going to System ‣ Backup. First of all, you have to decide whether you are going to store your backups locally or remotely.
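The dependency caveat above (restore objects and services before the firewall module) generalises to any partial restore: each module has to come after everything it depends on. The following is an added example, not part of the Zentyal documentation or of the make-backup/restore-backup tools; it computes such an order with a depth-first walk over a small dependency map. Only the firewall ‣ objects, services relation comes from the documentation; the other entries in DEPS (network, dns, dhcp) are assumptions made to exercise the algorithm, not Zentyal's real module graph.

```sh
#!/bin/sh
# Added example (not Zentyal code): order the modules of a partial restore so
# that every module is restored after the modules it depends on.
# Only "firewall -> objects, services" is taken from the documentation; the
# other relations below are assumed for illustration.

# Dependency map, one module per line: "module:dep1 dep2 ..."
DEPS='firewall:objects services
services:
objects:
network:
dns:network
dhcp:network dns'

# deps_of MODULE -> prints the direct dependencies of MODULE (empty if none)
deps_of() {
  printf '%s\n' "$DEPS" | while IFS=: read -r mod d; do
    if [ "$mod" = "$1" ]; then printf '%s\n' "$d"; break; fi
  done
}

# _visit MODULE: depth-first walk. A module is printed only after all of its
# dependencies have been printed, and never twice (tracked in $_done).
_visit() {
  case $_done in *" $1 "*) return 0 ;; esac
  for dep in $(deps_of "$1"); do
    _visit "$dep"
  done
  _done="$_done$1 "
  printf '%s\n' "$1"
}

# restore_order MODULE... -> prints the requested modules plus every
# dependency, one per line, in an order that is safe to restore sequentially.
restore_order() {
  _done=' '
  for m in "$@"; do
    _visit "$m"
  done
}

# Usage: ask for the modules you want back; restore them in the printed order.
restore_order firewall dhcp
```

Feeding the printed list to restore-backup one module at a time reproduces, for any selection, the "objects and services first, then firewall" rule the text gives for one case.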
If you want to see all the options of restore-backup use the parameter --help. You have to take special care with the dependencies between modules; even then, you have the option of ignoring dependencies. make-backup can also produce the configuration report that helps the developers diagnose a failure with the extra information it contains; the same report can be generated from System ‣ Import/Export configuration.

Zentyal Cloud
Zentyal Cloud is the Zentyal Disaster Recovery Service [2], which guarantees that your most critical data is backed up, secured, monitored and recovered quickly and easily in case of a disaster. In order to use this service, you must have a Professional or Enterprise Subscription.

[2] https://store.zentyal.com/other/disaster-recovery.html

Data backup configuration

• Method: The supported methods are FTP, SCP, Rsync, Zentyal Cloud and File system. All the methods except File system use remote servers, so you need to specify which protocol is going to be used to connect to the remote server. Take into account that, depending on the method you choose, you will have to provide more or less information. If you select FTP, Rsync or SCP, you will have to enter the credentials to connect to the server and the remote server's address. With File system you only need the local directory path.

Warning: When using SCP, you have to run sudo ssh user@server and accept the server fingerprint in order to add it to the list of servers known by SSH. The backup runs as root, which is why sudo is needed: the entry has to end up in root's known_hosts file, not in the one of your own account. If you do not perform this operation, the backup will not work, because the connection with the server will fail.

• Backup process starts at: This field is used to set the time at which a backup copy is started. If Weekly, Twice a month or Monthly is selected as the full backup frequency, you will also see a selection option to choose the exact day of the week or month on which to perform the backup.
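Because a missing known_hosts entry only shows up as a failed backup run, it is worth checking for it before the first scheduled run. The script below is an added example, not part of Zentyal: it parses a known_hosts file and reports whether the backup host (given in the documentation's other.host:port/existing_directory form) has an entry, taking into account that OpenSSH records non-default ports as [host]:port. The file content, host names and port used here are constructed sample data with fake keys. Hashed entries (|1|...) cannot be matched by name and are skipped; use ssh-keygen -F for those.

```sh
#!/bin/sh
# Added example (not Zentyal code): pre-flight check for the SCP backup method.
# duplicity runs as root, so the fingerprint accepted with `sudo ssh user@server`
# must be present in /root/.ssh/known_hosts; here a constructed sample file
# stands in for it. Keys and host names below are fake.

# known_host_present FILE HOST [PORT]: exit 0 if FILE holds an unhashed entry
# for HOST (OpenSSH writes "[host]:port" when the port is not 22).
known_host_present() {
  file=$1; host=$2; port=${3:-22}
  if [ "$port" = 22 ]; then want=$host; else want="[$host]:$port"; fi
  while read -r names _rest; do
    case $names in
      ''|'#'*) continue ;;   # blank line or comment
      '|1|'*)  continue ;;   # hashed entry: not matchable by name, see ssh-keygen -F
    esac
    oldifs=$IFS; IFS=,; set -f      # first field is a comma-separated host list;
    for n in $names; do             # set -f stops "[host]:port" acting as a glob
      if [ "$n" = "$want" ]; then IFS=$oldifs; set +f; return 0; fi
    done
    IFS=$oldifs; set +f
  done < "$file"
  return 1
}

# backup_target_known FILE HOSTSPEC: HOSTSPEC is "other.host:port/existing_directory"
# (port optional, default 22). Prints "ok" or "missing".
backup_target_known() {
  file=$1; hostport=${2%%/*}
  case $hostport in
    *:*) host=${hostport%%:*}; port=${hostport#*:} ;;
    *)   host=$hostport; port=22 ;;
  esac
  if known_host_present "$file" "$host" "$port"; then echo ok; else echo missing; fi
}

# Constructed sample of root's known_hosts after accepting two fingerprints.
KNOWN_HOSTS=$(mktemp)
cat > "$KNOWN_HOSTS" <<'EOF'
# constructed sample, keys are not real
192.168.122.1,backup.example.lan ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQExampleFakeKeyData=
[backup2.example.lan]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleFakeKeyData
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQHashedExampleFakeKey=
EOF

backup_target_known "$KNOWN_HOSTS" "192.168.122.1:22/backups"         # ok
backup_target_known "$KNOWN_HOSTS" "backup2.example.lan:2222/backups"  # ok
backup_target_known "$KNOWN_HOSTS" "backup2.example.lan/backups"       # missing (no port-22 entry)
```

In production replace the constructed file with /root/.ssh/known_hosts and run the check as root; a "missing" result means the sudo ssh step from the warning above has not been done for that host and port.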
It is a good idea to set it to a time frame when no other activities are being performed in the network, because it can consume a lot of upstream bandwidth.

• Host or destination: For remote methods you have to enter the remote server name or its IP address with the following format: other.host:port/existing_directory. In case you are using File system, you only need the local directory path.
• User: User name to authenticate in the remote host.
• Password: Password to authenticate in the remote host.
• Encryption: You can cipher the data in the backup using a symmetric key that is entered in the form, or you can use an already created GPG key to perform asymmetric ciphering of your data. In the latter case, the GPG keyring is taken from the ebox user.
• Full Backup Frequency: This parameter determines the frequency at which complete backups are performed. The values are Only the first time, Daily, Weekly, Twice a month and Monthly. If Only the first time is selected, then it is mandatory to set a frequency for incremental backups.
• Incremental Backup Frequency: This value sets the frequency of the incremental copy or disables it. If the incremental copy is enabled, you can choose a Daily or Weekly frequency; with Weekly you have to decide the day of the week, as for the full backup. Either way, you have to take into account that the chosen frequency has to be greater than that of the full backup. On the days on which a full backup is scheduled, Zentyal will not perform any scheduled incremental copy.
• Keep previous full copies: This value limits the total number of copies that can be stored. You can limit by number or by age. If you limit by number, only the set number of previous full copies, plus the last complete copy, will be stored. If you limit by age, you will only keep full copies that are newer than the indicated period. When a full copy is deleted, all the incremental copies associated with it are also deleted.

A full copy of a Zentyal server with all its modules, but without user data, will be around 300MB.
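The retention rule above has a consequence that is easy to miss: deleting a full copy also deletes the incremental copies built on top of it, so the data you can still restore is determined by the full copies that survive. The following added example (not Zentyal code) applies both limits, by number and by age, to a constructed backup history and prints the runs that remain. It assumes the reading of "Keep previous full copies" given above: N previous full copies are kept in addition to the most recent one.

```sh
#!/bin/sh
# Added example (not Zentyal code): effect of "Keep previous full copies" on a
# backup history. Each full copy opens a chain; the incremental copies that
# follow belong to that chain and disappear together with its full copy.
# The history below is constructed sample data (oldest first).

# One run per line: "<full|inc> <YYYY-MM-DD>"
BACKUPS='full 2011-10-01
inc 2011-10-02
inc 2011-10-03
full 2011-10-08
inc 2011-10-09
full 2011-10-15
inc 2011-10-16
full 2011-10-22'

# surviving_by_number N -> runs that remain when the newest full copy plus the
# N previous full copies are kept (assumed meaning of the limit-by-number setting)
surviving_by_number() {
  printf '%s\n' "$BACKUPS" | awk -v keep="$1" '
    $1 == "full" { chain++ }                       # a full copy opens a new chain
    { type[NR] = $1; date[NR] = $2; owner[NR] = chain }
    END {
      # chains are numbered 1..chain; keep the newest one and `keep` before it,
      # dropping incrementals that precede any full copy (owner 0)
      for (i = 1; i <= NR; i++)
        if (owner[i] > 0 && owner[i] > chain - keep - 1) print type[i], date[i]
    }'
}

# surviving_by_age CUTOFF -> runs whose chain starts with a full copy dated
# after CUTOFF (ISO dates compare correctly as strings)
surviving_by_age() {
  printf '%s\n' "$BACKUPS" | awk -v cutoff="$1" '
    $1 == "full" { chain++; fulldate[chain] = $2 }
    { type[NR] = $1; date[NR] = $2; owner[NR] = chain }
    END {
      for (i = 1; i <= NR; i++)
        if (owner[i] > 0 && fulldate[owner[i]] > cutoff) print type[i], date[i]
    }'
}

# Usage: keep one previous full copy; the 2011-10-08 chain and its
# incremental of 2011-10-09 are gone, as are the chains before it.
surviving_by_number 1
```

Run against your own Remote Backup Status table, the same logic tells you, before the pruning happens, which dates will no longer be restorable.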
Configuration of the directories and files that are saved

From the Includes and Excludes tab you can configure the specific data you want to back up. The default configuration will perform a copy of all the file system except the files and directories explicitly excluded. The default list of excluded directories is: /mnt, /dev, /media, /sys, /tmp, /var/cache and /proc. In case you are using the method File system, the destination directory and all its contents will be excluded as well. It is a bad idea to include any of these directories, because they may cause the backup process to fail.

You can set path exclusions and exclusions that match a regular expression. Any excluded directory will also exclude all its contents. Exclusions by regular expression will exclude any path which matches the expression. In order to further refine the backup contents, you can also define inclusions: when a path matches an inclusion before it matches an exclusion, it will be included in the backup. The order of application of inclusions and exclusions can be changed using the arrow icons.

Inclusion and Exclusion list

Checking the status of the backups
You can check the backups' status in the Remote Backup Status section. Within this table you can see the type of backup, full or incremental, and the execution date.

Backup status

Restore files
There are two ways of restoring a file. It is possible to restore files directly from the Zentyal server's control panel; you can use this method with small files. For big files the process is time consuming and you can not use the Zentyal web interface while the operation is being made, but they can be restored using the command line. If the path to restore is a directory, all its contents will be restored, including sub-directories. On the other hand, restoring system files from directories like /lib, /var or /usr while the system is running can be very dangerous.
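The Includes and Excludes rules described above are resolved in order, first match wins, which is why moving a rule with the arrow icons can silently change what ends up in the backup. The script below is an added example, not Zentyal's implementation, that applies a constructed rule list to sample paths with exactly that semantics: a path rule covers the directory and everything beneath it, a regex rule is matched with grep -E against the whole path, and a path that matches no rule is backed up, as the default configuration does. The paths and rules are illustrative.

```sh
#!/bin/sh
# Added example (not Zentyal code): first-match resolution of an ordered
# Includes/Excludes list. Rules and paths below are constructed sample data.

# Rules, one per line: "<include|exclude> <path|regex> <pattern>"
RULES='include path /home/samba/users/john/projects
exclude regex \.(iso|vmdk)$
exclude path /home/samba/users/john
exclude path /mnt
exclude path /proc'

# backup_decision RULES PATH -> prints "include" or "exclude" for PATH
backup_decision() {
  rules=$1; p=$2
  while read -r action kind pattern; do
    [ -n "$action" ] || continue
    case $kind in
      path)
        # exact match, or PATH lies under PATTERN/ (so /mnt does not cover /mnt2)
        if [ "$p" = "$pattern" ] || [ "${p#"$pattern"/}" != "$p" ]; then
          echo "$action"; return 0
        fi ;;
      regex)
        if printf '%s\n' "$p" | grep -Eq -- "$pattern"; then
          echo "$action"; return 0
        fi ;;
    esac
  done <<EOF
$rules
EOF
  echo include   # nothing matched: the default copies the whole file system
}

# The same two rules for john's directory in the other order: the parent
# exclusion now matches first, so the inclusion of "projects" is dead.
REORDERED='exclude path /home/samba/users/john
include path /home/samba/users/john/projects'

backup_decision "$RULES" /home/samba/users/john/projects/report.odc      # include
backup_decision "$RULES" /home/samba/users/john/old-vm.vmdk              # exclude (regex)
backup_decision "$REORDERED" /home/samba/users/john/projects/report.odc  # exclude
```

Note that with RULES a disk image under the included projects directory is still backed up, because the path inclusion sits above the regex exclusion; put the regex rule first if large images must never be copied.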
it will be safe to restore data files that are not being used by applications at the current time. are not shown. Warning The files shown in the interface are the ones that are present in the last backup. These data files are located in the directory /home/samba. and the dates of the different versions you can restore. Depending on the file size or the directory you want to restore. The version found in the former backups will be restored. . including sub-directories. You can use this method with small files. Normally. The file will be restored with its contents on the selected date. The files that are stored in former copies. you will be notified with an error message. but not in the last one. Don’t do this unless you are really sure of what you are doing. You have to be especially careful with the type of file you are restoring. In the System ‣ Backup ‣ Restore files section you have access to the list of all the files and directories contained in the remote backup. The -t option is used to select the date you want to restore. . You just execute the following command: duplicity restore --file-to-restore -t 3D <file or directory to restore> <remote URL and arguments> <destination> [3] duplicity: Encrypted bandwidth-efficient backup using the rsync algorithm <http://duplicity. In any case. to rescue system directories. The restoration process of a file or directory is very simple. In this case 3D means three days ago. use a rescue CD. On the other hand. You can obtain <Remote URL and arguments> reading the note that is included above the Restore files section in Zentyal. Using now you can restore the latest copy.nongnu. you can do it while the system is running. as explained later. Depending on the file.Restore a file The big files and the directories and system files should be restored manually. you must be familiar with the tool used by this module duplicity [3].org/>. you need to add the option –force. for example grml [4] [4] grml <http://www. 
otherwise duplicity will refuse to overwrite files.odc The command shown above will restore the file in /tmp/balance. you will boot the system using a rescue CD-ROM that includes the backup software duplicity. if you want to restore the file /home/samba/users/john/balance.Remote URL and arguments For example.odc scp://backupuser@192. If you need to overwrite a file or a directory during a restore operation.grml.122. To recover from a total disaster. How to recover from a disaster As important as knowing how to make backups is to know the procedure to perform a recovery during a critical event.odc you will execute the following command: # duplicity restore –file-to-restore home/samba/users/john/balance.org/> .1 –sshaskpass –no-encryption /tmp/balance.odc.168. You need to be able to restore the service as soon as possible after the system is rendered non operative by a disaster. . You can use the parameter nofb in case you experience problems with screen size.You will download the grml image and boot the host with it. Obviously. you need to restore the /etc/passwd and /etc/group. let’s suppose that your root partition is /dev/sda1. you will delete all the existing directories in the partition. The next step is to mount the hard drive of your system. Therefore there will be problems if you restore the files to a system where the users and . execute: # rm -rf /mnt/* duplicity must be installed if it is not available: # apt-get update # apt-get install duplicity Before doing a complete restore. if you do not do a complete restoration. The problem appears because duplicity stores the usernames and groups and not the numerical values. First. In this case. So execute: # mount /dev/sda1 /mnt The former command will mount the partition in the directory /mnt. To delete all the existing files before the restore.Grml boot Once the boot process is finished. this step is not necessary. In this example you perform a complete restore. you can execute netcardconfig to configure it. 
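The disaster recovery steps of this section, from mounting the partition to recreating the excluded directories, collected into one script as an added example (it is not part of the Zentyal documentation nor of duplicity). It assumes duplicity is already installed on the rescue system, takes the root device, mount point and remote URL as arguments, and with DRY_RUN=1 only prints the commands it would run, which is how the last line of the block uses it. The mount-point check before wiping the target and the use of find -delete (which, unlike rm -rf /mnt/*, also removes dotfiles) are additions of this example.

```shell
#!/bin/sh
# Added example, not part of the Zentyal documentation: the manual disaster
# recovery steps of this section collected into one script, to be run from the
# grml rescue system. Assumptions: duplicity is installed; the root partition,
# mount point and remote backup URL are passed as arguments; DRY_RUN=1 only
# prints the commands so the sequence can be reviewed before running it.

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# True when the argument is one of the duplicity time specs used in this
# section: "now" for the latest copy or <n>D for n days ago.
valid_timespec() {
    case "$1" in
        now) return 0 ;;
        *) printf '%s' "$1" | grep -Eq '^[0-9]+D$' ;;
    esac
}

# zentyal_disaster_restore <root device> <mount point> <remote URL> [time spec]
zentyal_disaster_restore() {
    dev="$1"; mnt="$2"; url="$3"; when="${4:-now}"
    valid_timespec "$when" || { echo "invalid time spec: $when" >&2; return 2; }
    run mount "$dev" "$mnt"
    # Never wipe a directory that is not a mounted file system: if the mount
    # failed, the deletion would empty a directory of the rescue system instead.
    if [ "${DRY_RUN:-0}" != "1" ] && ! mountpoint -q "$mnt"; then
        echo "$mnt is not a mount point, aborting" >&2; return 1
    fi
    run find "$mnt" -mindepth 1 -delete
    # duplicity stores user and group names, not numeric ids, so passwd and
    # group are restored into the rescue system before the full restore.
    for f in etc/passwd etc/group; do
        run duplicity restore --file-to-restore "$f" -t "$when" \
            --ssh-askpass --no-encryption --force "$url" "/$f"
    done
    # Full restore of the file system into the mounted partition.
    run duplicity restore -t "$when" --ssh-askpass --no-encryption --force "$url" "$mnt"
    # Recreate the directories excluded from the backup and clean runtime data.
    for d in dev sys proc; do run mkdir -p "$mnt/$d"; done
    for d in var/run var/lock; do run find "$mnt/$d" -mindepth 1 -delete; done
}

# Review the sequence without touching anything.
DRY_RUN=1 zentyal_disaster_restore /dev/sda1 /mnt scp://backupuser@192.168.122.1 now
```

Run it first with DRY_RUN=1 and compare the printed commands with the ones in this section; only then run it without DRY_RUN from the rescue system.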
Starting a command line interpreter

Go to a command line interpreter by pressing enter. If your network is not correctly configured, configure it now.

To avoid this problem, you will overwrite /etc/passwd and /etc/group in the rescue system; otherwise you may have problems restoring files with an incorrect owner. Execute:

# duplicity restore --file-to-restore etc/passwd \
    scp://backupuser@192.168.122.1 /etc/passwd --ssh-askpass \
    --no-encryption --force
# duplicity restore --file-to-restore etc/group \
    scp://backupuser@192.168.122.1 /etc/group --ssh-askpass \
    --no-encryption --force

Warning: When using SCP, you have to execute sudo ssh user@server and accept the server fingerprint in order to add it to the list of servers known by SSH. If you do not perform this operation, the backup will not be possible, because the connection with the server will fail.

Now you can proceed with the complete restore running duplicity manually:

# duplicity restore scp://backupuser@192.168.122.1 /mnt/ --ssh-askpass --no-encryption --force

Finally, you have to create the excluded directories and clean the temporary directories:

# mkdir -p /mnt/dev
# mkdir -p /mnt/sys
# mkdir -p /mnt/proc
# rm -fr /mnt/var/run/*
# rm -fr /mnt/var/lock/*

The restoration process is finished and you can boot in the original system.

Restoring services

Apart from the files, additional data is stored to allow the direct restoration of some services. This data includes:

• security copy of Zentyal configuration
• security copy of the registers database of Zentyal

In the tab Service restoration both can be restored for a given date. The security copy of Zentyal configuration contains the configuration of all the modules that have been enabled at least once, all the LDAP data and any other additional files needed by the modules to function properly. You have to be careful when restoring Zentyal configuration because all the current configuration and LDAP data will be replaced. Nevertheless, for the case of configuration not stored in LDAP, you have to click "Save changes" to make this effective.

Restoring services

Zentyal Unified Communications

06.01 Zentyal Unified Communications

In this section you will see the different communication services integrated in Zentyal, which enable centralised management of an organisation's communications and allow users to work with them all using the same password.

To start with, the e-mail service is described. It allows quick and easy integration with the user's e-mail clients, through the use of any of the many available clients, offering also spam and viruses prevention. Since email became popular, it has suffered from unwanted mail, sent in bulk, or simply unwanted advertising. This type of mail is often used to deceive the recipient in order to obtain money fraudulently. You will also see how to filter incoming and outgoing e-mail within your network and to avoid both the reception of unwanted emails and block outgoing mail from any potentially compromised computer of your network.

The corporate instant messaging service, based on Jabber/XMPP, is also described. It allows to have synchronous written communication in the organisation, preventing data being passed through third parties. This module provides an internal IM service without having to rely on external companies or an Internet connection and ensures that conversations will be kept confidential. This service provides conference rooms.

Additionally, you will see an introduction to voice over IP (or VoIP). For this, this service offers each user an extension to easily make calls or participate in conferences. Zentyal can be configured to connect to the traditional telephone network, through an external provider, and make phone calls to any country in the world at significantly reduced rates.

Finally, Zentyal integrates a groupware tool which allows users to share information such as calendars, tasks, addresses and so forth. It is becoming increasingly important to use a system to help coordinate the daily work of employees within an organisation.

06.02 Electronic Mail Service (SMTP/POP3-IMAP4)

Introduction to the e-mail service

For sending/receiving mails Zentyal uses Postfix [5] as SMTP server. For the mail reception service (POP3, IMAP) Zentyal uses Dovecot [6]. Both come with support for secure communication over SSL. To fetch mail from external accounts, Zentyal uses Fetchmail [7].

[5] Postfix, The Postfix Home Page http://www.postfix.org
[6] Dovecot, Secure IMAP and POP3 Server http://www.dovecot.org
[7] http://fetchmail.berlios.de/

SMTP/POP3-IMAP4 server configuration with Zentyal

Receiving and relaying mail

To understand the mail system configuration, the difference between receiving mail and relaying mail must be made clear. Reception occurs when the server accepts a mail message whose recipients contain an account that belongs to any of its virtual mail domains. Mail can be received from any client that is able to connect to the server. Relay occurs when the mail server receives a message whose recipients do not belong to any of its managed virtual mail domains, thus requiring forwarding of the message to other servers. Mail relay is restricted, otherwise spammers could use the server to send spam all over the Internet. Zentyal allows mail relay in two cases:

1. A source address that belongs to a network object which has an allowed relay policy enabled.
2. Authenticated users.

General configuration

You can manage the authentication options through Mail ‣ General ‣ Mail server options ‣ Authentication. The following options are available:

TLS for SMTP server: This forces the clients to connect to the mail server using TLS encryption, thus avoiding eavesdropping.

Require authentication: This setting enables the use of authentication. A user must provide an e-mail address and a password to identify; once authenticated, the user can relay mail through the server. An account alias can not be used to authenticate.

General Mail configuration

In the Mail ‣ General ‣ Mail server options ‣ Options section you can configure the general settings for the mail service:

Smarthost to send mail: Domain name or IP address of the smarthost. You could also specify a port appending the text :[port_number] after the address. The default port is the standard SMTP port, 25. If this option is set, Zentyal will not send its messages directly, but each received email will be forwarded to the smarthost without keeping a copy. In this case, Zentyal is an intermediary between the user who sends the e-mail and the server that actually sends the message.

Smarthost authentication: This sets whether the smarthost requires authentication using a user and password pair, or not.

Server mailname: This sets the visible mail name of the system; it will be used by the mail server as the local address of the system.

Postmaster address: The postmaster address by default is an alias of the root user, but it could be set to any account, either belonging to any of the managed virtual mail domains or not. This account is intended to be a standard way to reach the administrator of the mail server. Automatically-generated notification mails will typically use postmaster as reply address.

Maximum mailbox size allowed: Using this option you could indicate a maximum size in MB for any user's mailboxes. All mail that exceeds the limit will be rejected and the sender will receive a notification. This setting could be overridden for any user in the Users and Groups ‣ Users page.

Maximum message size accepted: It indicates, if necessary, the maximum message size accepted by the smarthost in MB. This is enforced regardless of any user mailbox size limit.

Expiration period for deleted mails: If you enable this option, those mail messages which are in the users' trash folder will be deleted when their dates exceed the established limit.

Expiration period for spam mails: This option applies in the same way as the previous option, but refers to the users' spam folder.

To configure the mail retrieval services go to the Mail retrieval services section. Here, Zentyal can be configured as POP3 and/or IMAP server, together with the corresponding secure versions, POP3S and IMAPS. Also, the retrieval of e-mail for external accounts and the ManageSieve service can be enabled in this section; they are explained in the Mail retrieval from external accounts section.

In addition to this, Zentyal can be configured to relay mail without authentication from some network addresses. To do this, you can add relay policies for Zentyal network objects through Mail ‣ General ‣ Relay policy for network objects. The policies are based on the source mail client IP address. If relay is allowed by an object, then each object member can relay e-mails through Zentyal.

Relay policy for network objects

Warning: Be careful when using an Open Relay policy, i.e. forwarding e-mail from everywhere, since your mail server will probably become a spam source.

Finally, the mail server can be configured to use a content filter for messages [9].
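The Open Relay warning above, as an added example that is not Zentyal's own code: a small checker that reads a Postfix main.cf and reports whether the server would relay for anyone. Zentyal generates main.cf itself; the parameters inspected here, mynetworks and smtpd_recipient_restrictions (or smtpd_relay_restrictions where present), are standard Postfix settings, and the two sample files the block writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Zentyal's own code: report whether a Postfix main.cf
# would relay mail for arbitrary clients (the "Open Relay" case warned about
# above). Zentyal writes main.cf itself; the parameters inspected here are
# standard Postfix settings. The sample files are constructed for the demo.

# Print the value of a Postfix parameter from a main.cf file. The last
# assignment wins, as in Postfix; continuation lines are not handled.
postconf_value() {
    awk -v key="$2" '
        $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub("^[ \t]*" key "[ \t]*=[ \t]*", ""); val = $0
        }
        END { print val }' "$1"
}

# Position (1-based) of a word in a whitespace-separated list, 0 if absent.
word_index() {
    i=0
    for w in $2; do
        i=$((i + 1))
        if [ "$w" = "$1" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# True (exit 0) when the configuration relays for arbitrary clients.
is_open_relay() {
    cf="$1"
    nets=$(postconf_value "$cf" mynetworks | tr ',' ' ')
    # Postfix 2.10 and later evaluate smtpd_relay_restrictions first; older
    # releases (2.10 came out after Zentyal 2.2) only have recipient restrictions.
    rules=$(postconf_value "$cf" smtpd_relay_restrictions | tr ',' ' ')
    [ -n "$rules" ] || rules=$(postconf_value "$cf" smtpd_recipient_restrictions | tr ',' ' ')
    guard=$(word_index reject_unauth_destination "$rules")
    [ "$guard" -gt 0 ] || guard=$(word_index defer_unauth_destination "$rules")
    # 1. Nothing ever rejects mail for foreign domains: open to everyone.
    [ "$guard" -gt 0 ] || return 0
    # 2. permit_mynetworks is consulted before that rule while mynetworks
    #    covers the whole Internet: open to everyone as well.
    pm=$(word_index permit_mynetworks "$rules")
    if [ "$pm" -gt 0 ] && [ "$pm" -lt "$guard" ]; then
        for n in $nets; do
            case "$n" in
                0.0.0.0/0|0/0|0.0.0.0/0.0.0.0|::/0|'[::]/0') return 0 ;;
            esac
        done
    fi
    return 1
}

# Write two constructed main.cf fragments into a directory.
write_samples() {
    cat > "$1/open.cf" <<'EOF'
# constructed sample: an "allow relay from everywhere" object policy
mynetworks = 127.0.0.0/8, 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
EOF
    cat > "$1/closed.cf" <<'EOF'
# constructed sample: relay only for the LAN object and authenticated users
mynetworks = 127.0.0.0/8, 192.168.1.0/24
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
EOF
}

# Demonstration on the samples; on a server run is_open_relay /etc/postfix/main.cf.
sampledir=$(mktemp -d)
write_samples "$sampledir"
for f in open closed; do
    if is_open_relay "$sampledir/$f.cf"; then
        echo "$f.cf: OPEN RELAY"
    else
        echo "$f.cf: relay restricted"
    fi
done
rm -r "$sampledir"
```

The check is deliberately conservative: it flags a relay policy object covering the whole address space and a restriction list that never rejects unauthorised destinations, which are the two ways the warning above materialises in Postfix terms; it does not evaluate access tables or per-client policies.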
To do so, the filter server must receive the message from a specific port and send the result back to another port where the mail server is bound to listen to the response. You can choose a custom mail filter or use Zentyal as a mail filter through Mail ‣ General ‣ Mail filter options. If the mailfilter module is installed and enabled, it will be used by default.

[9] This topic is deeply explained in the Mail filter section.

Mailfilter options

E-mail account creation through virtual domains

To set up an e-mail account, a virtual domain and a user are required. You can create as many virtual domains as you want from Mail ‣ Virtual Domains. They provide the domain name for e-mail accounts of Zentyal users. Moreover, it is possible to set aliases for a virtual domain, so that sending an e-mail to a particular virtual domain or to any of its aliases becomes transparent.

Virtual mail domains

In order to set up e-mail accounts, you have to follow the same rules used when configuring file sharing. You can select the main virtual domain for the user from Users and Groups ‣ Users ‣ Edit Users ‣ Create mail account. You can create aliases if you want to set more than a single e-mail address for a user. Regardless of whether aliases have been used, the e-mail messages are kept just once in a mailbox. However, it is not possible to use the alias to authenticate; you always have to use the real account.

Mail settings for a user

Note that you can decide whether an e-mail account should be created by default when a new user is added to Zentyal. You can change this behaviour in Users and Groups ‣ Default User Template ‣ Mail Account.

Likewise, you can set up aliases for user groups. Messages received by these aliases are sent to every user of the group with an e-mail account. Group aliases are created through Users and Groups ‣ Groups ‣ Create alias mail account to group. The group aliases are only available when at least one user of the group has an e-mail account.

You can define an alias to an external account as well. The mail sent to that alias will be forwarded to the external account. These kinds of aliases are set on a virtual domain basis and do not require an e-mail account. They can be set in Mail ‣ Virtual Domains ‣ External accounts aliases.

Users and Groups add-ons

Once you have at least one configured virtual mail domain, you will find new panels under Users and Groups that will assist you managing the email accounts of your users. Using the configured virtual domain, a mail account will be automatically created for the new users, following the format user@ourdomain. You can also change the type of quota (custom, default or no quota) and configure the maximum size of the mailbox for the custom quota.

Automatic mail configuration for new users

Another interesting add-on of the mail system can be found in Users and Groups ‣ Groups ‣ Edit desired group, where you can configure a mail alias for the group, in other words, an address to broadcast a message to all the members of this group. You just have to choose a name and click the 'add' icon.

Adding a mail alias for the group

Queue Management

From Mail ‣ Queue Management, you can see those e-mail messages that haven't been delivered yet, together with all the information about each message. The allowed actions to perform are: deletion, content viewing or retry sending (re-queueing the message again). There are also two buttons to delete or re-queue all messages in queue.

Queue management

Mail retrieval from external accounts

You could configure Zentyal to retrieve e-mail messages from external accounts, which are stored on external servers, and deliver them to the user's mailboxes. To configure this you have to enable this service in the Mail ‣ General ‣ Mail server options ‣ Retrieval services section. Once it is enabled, the users will have their mail fetched from their external accounts and delivered to their internal account's mailbox. The external servers are polled periodically, so e-mail retrieval is not instantaneous. The user must have an e-mail account to be able to do this.

Each user can configure his/her external accounts through the User's corner [10]. To configure his/her external accounts, a user must login in the User corner and click on Mail retrieval from external mail accounts in the left menu. In this page a list of the user's external accounts is shown and the user can add, edit and delete accounts. Each account has the following fields:

External account: The username or the mail address required to login in to the external mail retrieval service.

Password: Password to authenticate the external account.

Mail server: Address of the mail server which hosts the external account.

Protocol: Mail retrieval protocol used by the external account; it can be one of the following: POP3, POP3S, IMAP or IMAPS.

Port: Port used to connect to the external mail server.

User corner settings for external accounts

[10] The user corner settings are explained in the User's corner section.

Sieve scripts and ManageSieve protocol

The Sieve language [11] allows the user to control how the mail messages are delivered, so that it is possible to classify the mail in IMAP folders, select it, forward it or use a vacation message, among other things. ManageSieve is a network protocol that allows the users to easily manage their Sieve scripts. To be able to use ManageSieve, an e-mail client that understands this protocol is required [12].

To enable ManageSieve in Zentyal you have to enable the service in Mail ‣ General ‣ Mail server options ‣ Retrieval services, and it can be used by any user with an e-mail account. The ManageSieve authentication is achieved by using the user's e-mail account and password. Sieve scripts for an account are executed regardless of whether ManageSieve is enabled or not. In addition to this, if ManageSieve is enabled and the webmail [13] module is in use, a management interface for Sieve scripts will be available in the webmail interface.

[11] For more info about Sieve http://sieve.info/
[12] See a list of Sieve clients http://sieve.info/clients
[13] The webmail module is explained in the Webmail service chapter.

E-mail client configuration

ManageSieve client parameters

To connect to ManageSieve, you will need the following parameters:

Sieve server: The same as your IMAP or POP3 server.

Port: 4190. Beware that some applications mistakenly use port number 2000 as default for ManageSieve.

Secure connection: Set to true.

Username: Full e-mail address; avoid using the username or any of the email address aliases.

Password: User's password.

Some clients allow you to select the same authentication as your IMAP or POP3 account, if this is allowed, as mentioned before.

Catch-all account

A catch-all account is an account which receives a copy of all the mail sent and received by a mail domain. Zentyal allows you to define a catch-all account for every virtual domain. To define it you must go to Mail ‣ Virtual domains and then click in the Settings cell. All the messages sent and received by the domain will be e-mailed as Blind Carbon Copy (BCC) to the defined address. If the mail to the catch-all address bounces, it will be returned to the sender.

06.03 Mail filter

Mail filter schema in Zentyal

Zentyal offers a powerful and flexible mail filter to defend your network and users from these threats. In the mail filter schema you can see the different steps an e-mail passes through before being tagged as valid or not. When you have a grey list system, the emails considered as potential spam are rejected and the mail server is asked to send the email again: the system requests that the email is forwarded again by the source server. Spam messages, on the contrary, are auto-generated and sent without caring if they are received. If the email passes through this filter, it goes on to the next one; if the email passes through all the filters, it is tagged as valid.
Mail filter schema in Zentyal

In the figure, first the email server sends the message to the greylisting policies manager and, if it is considered as potential spam, it is moved to the grey list, pending to allow or disallow the mailing once the configured time has passed. Otherwise it will move to the mail filter. This will use a statistical filter to check a series of email features to discover whether it contains a virus or is junk mail. If it passes, it is considered valid and it is sent to the recipient or stored on the server's mailbox. In this section the details of each filter and how to configure them in Zentyal will be explained step by step.

Grey list

The grey lists [1] exploit the expected performance of mail servers dedicated to spam. These servers are optimised to send as many emails as possible in minimal time. The Zentyal strategy is to pretend to be out of service: when a new server sends an email, Zentyal responds "I am temporarily out of service, try again in 300 seconds." [2]. If the sending server complies with the request, it will re-send the email after this time and Zentyal will mark it as a valid server; i.e., if the email was legitimate, the sending server will simply re-send mail. If the server is actually a spammer server, it probably doesn't have the necessary tools to manage this request and therefore the email will never reach the recipient, hindering the spamming process. The behaviour is matched and all mail from the servers is discarded or not.

[1] Zentyal uses postgrey (http://postgrey.schweikert.ch/) as a postfix policy manager.
[2] Actually the mail server responds "Greylisted".

Zentyal does not include on the grey list email sent from internal networks, from objects with an allowed email relay policy or from addresses that are in the antispam whitelist.

Schema on how the grey list works

The Grey list can be configured via Mail ‣ Grey list with the following values:

Grey list configuration

Enabled: Click to enable greylisting.

Grey list duration (seconds): Seconds the sending server must wait before re-sending the email.

Retry window (hours): Time in hours in which the sending server can send mail. If the server receives any mail during this time, this server will go to the grey list; in a grey list the server can send all the emails it wishes with no time restrictions.

Entry time-to-live (days): Days the data of the evaluated servers will be stored in the grey list. Therefore, after the configured days, when the server sends email again, it must go through the greylisting process described above.

Content filtering system

The mail content filtering is processed by the antivirus and spam detectors. To carry out this task, the amavisd-new [4] application is used to ensure that the email is not spam and it does not contain viruses. Zentyal uses an interface between the MTA [3] and these applications. In addition, this interface carries out the following checks:

• File extension and black and white lists.
• Mail filtering of emails with malformed headers.

[3] MTA: Mail Transfer Agent, software that transfers the emails; postfix in case of Zentyal.
[4] Amavisd-new: http://www.ijs.si/software/amavisd/

Antivirus

Zentyal uses the ClamAV [5] antivirus, an antivirus toolkit especially designed to scan email attachments in a MTA. Furthermore, the antivirus is capable of native scanning of a number of file formats, such as Zip, BinHex, PDF and so on. ClamAV uses a database updater that allows the programmed updates and digital signatures via the freshclam program. In Antivirus you can check if the system's antivirus is installed and updated. You can update it from Software Management, as you will see in Software updates.

[5] Clam Antivirus: http://www.clamav.net/

Antivirus message

It is optional to install the antivirus module, but if you do install it, you can see that it integrates several other Zentyal modules, such as the SMTP filter, POP proxy, HTTP proxy or file sharing. This integration increases the security of the configuration options of different services.

Antispam

The antispam filter gives each email a spam score and if the email reaches the spam threshold it is considered junk mail. If not, it is considered as legitimate email. The latter kind of email is often called ham. The spam scanner uses the following techniques to assign scores:

• Blacklists published via DNS (DNSBL).
• URI blacklists that track antispam websites.
• Filters based on the message checksum, checking emails that are identical.
• Static rules.
• Bayesian filter, a statistical algorithm that learns from its past mistakes when classifying an email as spam or ham.
• Other. [6]

[6] You can find a long list of antispam techniques at http://en.wikipedia.org/wiki/Antispam_techniques_(e-mail)

Zentyal uses Spamassassin [7] as spam detector, with some few changes. The general configuration of the filter is done from Mail filter ‣ Antispam:

[7] The Powerful #1 Open-Source Spam Filter http://spamassassin.apache.org

Antispam configuration

Spam threshold: Mail will be considered spam if the score is above this value.

Spam subject tag: Tag to add to the mail subject in case it is spam.

Use Bayesian classifier: If marked, the Bayesian filter will be used. Otherwise it will be ignored.

Auto-whitelist: Considers the account history of the sending server when giving the score to the message, i.e. if the sender has sent plenty of ham emails, it is highly probable that the next email will be ham and not spam.

Auto-learn: If marked, the filter will learn from the received messages whose score passes the auto-learn thresholds.

Autolearn spam threshold: The filter will learn that an email is spam if the score is above this value. You should not set a low value, since it may cause false positives. The value must be greater than the spam threshold.

Autolearn ham threshold: The filter will learn that an email is ham if the score is below this value. You should not set a high value, since it may cause false negatives. The value must be less than 0.

From Sender Policy you can configure senders whose emails are always accepted (whitelist), always marked as spam (blacklist) or always processed by the antispam filter (process).

From Train Bayesian spam filter you can train the Bayesian filter by sending it a mailbox in Mbox [8] format, containing only spam or ham. The more trained the filter is, the better results you get when testing if a message is junk or not. You can find many sample files from the Internet to train the Bayesian filter, but usually you get more accurate results if you use email received in the sites you need to protect.

[8] Mbox and maildir are email storage formats, independent of the used email client. For Mbox, all the emails are stored in a single file, whilst maildir organises emails into separate files within a directory.

File-based Access Control Lists

You can filter the files attached to the mails by using Mail filter ‣ Files ACL (File Access Control Lists). Here, you can allow or deny mail according to the extensions of the attached files or their MIME types.

Attached file filter

SMTP mail filter

From Mail filter ‣ SMTP mail filter you can configure the behaviour of the described filters when Zentyal receives mail by SMTP. From General you can configure the general behaviour of all incoming mail:

General parameters for the SMTP filter

Enabled: Check to enable the SMTP filter.

Antivirus enabled: Check to ensure the filter searches for viruses.

Antispam enabled: Check to ensure the filter searches for spam.

Service's port: Port to be used by the SMTP filter.

Notify of non-spam problematic messages: You can send notifications to a mailbox when you receive problematic emails that aren't spam, for example, emails infected by a virus.

From Filter policies you can configure how the filter must act with different types of emails.

SMTP filter policies

You can perform the following actions with problematic emails:

Pass: Do nothing, let the email reach its recipient.

Reject: Discard the message before it reaches the recipient, notifying the sender that the message has been rejected.

Bounce: Like Reject, but enclosing a copy of the message in the notification.

Discard: Discard the message before it reaches the recipient, without notifying the sender.

From Virtual domains you can configure the behaviour of the filter for virtual domains of the email server. These settings override the previously defined default settings. To customise the configuration of a virtual domain of the email, click on Add new.

Filter parameters per virtual domain of the mail

The parameters that can be overridden are the following:

Domain: Virtual domain you want to customise. Those configured in Mail ‣ Virtual domain are available.

Use virus / spam filtering: If enabled, the email received in this domain will be filtered in search of viruses or spam.

Spam threshold: You can use the default score for spam or a custom value.

Ham / spam learning account: If enabled, ham@domain and spam@domain accounts will be created. The users can send emails to these accounts and train the filter. All the email sent to ham@domain will be recorded as not spam whilst the email sent to spam@domain will be recorded as spam.

Learn from the spam IMAP folders of the accounts: If enabled, when emails are taken to the spam folder the filter learns them and records spam. This way, if you move a message from the spam folder to a regular folder, the filter records ham.

Once you have added the domain, you can also add addresses to your whitelist, blacklist or force the processing from Antispam policy for senders.

External connection control lists

You can configure the connections from external MTAs using their IP addresses from Mail filter ‣ SMTP mail filter ‣ External connections, or domain name forwarding towards the mail filter configured using Zentyal. Zentyal can distribute the load between two hosts, external to Zentyal.

For the transparent POP proxy, Zentyal uses p3scan [9].

[9] Transparent POP proxy http://p3scan.sourceforge.net/
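The grey list mechanism described earlier in this section, as an added example that is neither Zentyal's nor postgrey's code: a toy policy that applies the three Grey list configuration values to a replayable sequence of delivery attempts. The 300 seconds come from the text; the retry window of 48 hours and the entry time-to-live of 35 days are assumed values chosen for the example, and the client addresses and mailboxes are constructed.

```shell
#!/bin/sh
# Added example, not Zentyal's or postgrey's own code: a minimal greylisting
# policy that applies the three values of the Grey list configuration to a
# sequence of delivery attempts. Each sender is identified by the triplet
# (client IP, sender, recipient); state lives in a flat file and the current
# time is passed in, so the behaviour can be replayed offline.

GREYLIST_DELAY=300   # Grey list duration (seconds): the 300 s used in the text
RETRY_WINDOW_H=48    # Retry window (hours): assumed value, not from the page
ENTRY_TTL_D=35       # Entry time-to-live (days): assumed value, not from the page

# Replace (or add) the state line for one triplet.
# Line format: <triplet> <first_seen> <last_seen> <passed>
set_entry() {
    awk -v t="$2" '$1 != t' "$1" > "$1.tmp"
    printf '%s %s %s %s\n' "$2" "$3" "$4" "$5" >> "$1.tmp"
    mv "$1.tmp" "$1"
}

# greylist_decide <state file> <client ip> <sender> <recipient> <unix time>
# Prints "greylisted" (the server answers "try again later") or "accept".
greylist_decide() {
    state="$1"; triplet="$2|$3|$4"; now="$5"
    touch "$state"
    line=$(awk -v t="$triplet" '$1 == t' "$state" | head -n 1)
    if [ -z "$line" ]; then
        # First contact: pretend to be out of service and remember when.
        set_entry "$state" "$triplet" "$now" "$now" 0
        echo greylisted; return 0
    fi
    set -- $line
    first="$2"; last="$3"; passed="$4"
    if [ $((now - last)) -gt $((ENTRY_TTL_D * 86400)) ]; then
        # Entry expired after the time-to-live: the process starts again.
        set_entry "$state" "$triplet" "$now" "$now" 0
        echo greylisted; return 0
    fi
    if [ "$passed" -eq 1 ]; then
        # Known good sender: mail is accepted with no further delay.
        set_entry "$state" "$triplet" "$first" "$now" 1
        echo accept; return 0
    fi
    age=$((now - first))
    if [ "$age" -lt "$GREYLIST_DELAY" ]; then
        # Retried before the delay has elapsed: still out of service.
        set_entry "$state" "$triplet" "$first" "$now" 0
        echo greylisted; return 0
    fi
    if [ "$age" -le $((RETRY_WINDOW_H * 3600)) ]; then
        # Retried inside the window, as a real MTA does: mark it valid.
        set_entry "$state" "$triplet" "$first" "$now" 1
        echo accept; return 0
    fi
    # Retried only after the window closed: treated as a new sender.
    set_entry "$state" "$triplet" "$now" "$now" 0
    echo greylisted
}

# Replay constructed attempts: a real MTA that retries after the delay, and
# a bulk sender that tries once and never comes back.
greylist_demo() {
    st=$(mktemp); t0=1700000000
    for args in \
        "203.0.113.5 mta@example.net alice@example.com $t0" \
        "203.0.113.5 mta@example.net alice@example.com $((t0 + 120))" \
        "203.0.113.5 mta@example.net alice@example.com $((t0 + 600))" \
        "198.51.100.9 bulk@example.org alice@example.com $t0"; do
        echo "$args -> $(greylist_decide "$st" $args)"
    done
    rm -f "$st"
}

greylist_demo
```

The replay shows the point of the mechanism: the legitimate MTA is delayed once and then accepted, while the single attempt from the bulk sender never results in a delivery. Senders covered by the exceptions in the text (internal networks, relay-policy objects, the antispam whitelist) would simply bypass greylist_decide.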
One host acts as a mail server and another as the server for mail filtering. In the same way, you can allow these external MTAs to filter mail from those virtual domains that have been allowed.

External mail servers

Transparent proxy for POP3 mailboxes

If Zentyal is configured as a transparent proxy, it can filter POP email. To do this, the Zentyal host will be placed between the real POP server and the email (MTA). From Mail filter ‣ Transparent POP proxy you can configure the behaviour of the filtering.

POP transparent proxy configuration

Enabled: If checked, POP email will be filtered.

Filter virus: If checked, POP email will be filtered and set to detect viruses.

Filter spam: If checked, POP email will be filtered and set to detect spam.

ISP spam subject: If the server marks the spam with a header, add it here so that the server notifies the filter that all the emails with this header can be considered spam.

06.04 Webmail service

Introduction to Webmail service

Zentyal integrates Roundcube to implement a webmail service [1]. Roundcube is developed with the latest web technologies, offering a far superior user experience compared to traditional webmail clients.

[1] http://roundcube.net/

Configuring a webmail in Zentyal

The webmail service is enabled in the same way as any other Zentyal service. However, the email module must be configured to use either IMAP, IMAPS or both, and the webserver module must be enabled. Without this configuration, webmail will refuse to work. The e-mail configuration in Zentyal is explained in depth in the Electronic Mail Service (SMTP/POP3-IMAP4) section and the webserver module is explained in the Web data publication service (HTTP) section.

Webmail options

You can access the settings by clicking in the Webmail section in the left menu. Here you can establish the title that will be used by webmail to identify itself. This title will be shown on the login screen and in the HTML page titles.

General Webmail settings

Login to webmail

To be able to log into the webmail interface, HTTP traffic must be allowed by the firewall from the source address used. The webmail login screen is available at http://[Zentyal's address]/webmail using the browser. Then the user has to enter his/her e-mail address and password. Only the real e-mail addresses are accepted for login, not aliases.

Webmail login

SIEVE filters

The webmail software also includes an interface to manage SIEVE filters. This feature is only available if the ManageSIEVE protocol is enabled in the e-mail service. Check out the Sieve scripts and ManageSieve protocol section for more information.

06.05 Groupware service

Introduction to the groupware service

Zentyal integrates Zarafa [1] as a complete solution for groupware environments, aiming to offer an alternative to Microsoft Exchange.

[1] http://www.zarafa.com/

Configuration of a groupware server (Zarafa) with Zentyal

In order to use Zarafa, you must start with a mail server configured as explained in Electronic Mail Service (SMTP/POP3-IMAP4). This groupware module integrates with the existing mail module so that the users can consider themselves associated with a quota and use a Zarafa account. In this scenario, you select one of the existing virtual domains in the groupware module and, from that moment, the mail whose target is any email account located in that domain will be stored in Zarafa and not in the server you were using previously. The mail destined to other virtual domains will continue to be stored in the same way.

You can access the configuration in Groupware where the following parameters can be set:

Configuration of groupware (Zarafa)

The user will receive a notification email when the specified percentage in the first limit is exceeded and if the second limit is exceeded. (for example bob@home)

Finally, calendars and tasks: see the list of supported devices [4].
http://mail. the quota defined in the mail module for each user will be applied to Zarafa. for example. Zarafa web interface. select the corresponding Zarafa Gateways. Configuration of a Zarafa account As mentioned earlier. You should create at least one virtual domain Mail -> Virtual Domain as described previously.from all IP addresses and domains associated with the server. contacts. i. POP3 on SSL. Configuration for delivery through SMTP does not change. IMAP or IMAP on SSL access to their mailboxes. Virtual host: The default installation allows access to the Zarafa web interface at http://ip_address/webaccess (and http://ip_address/webaccess-mobile for mobile devices) . Until now. you can define the email quota. each user should have a Zarafa account.Virtual domain: Domain associated with Zarafa. Keep in mind that if any of these services is already enabled in the mail module. . this can be unlimited globally defined or specifically set per user. it can not be enabled here. as bob in the previous example. expects users to be identified by their username.e. besides an email account. mail users were authenticated by the name of their email account. emails sent to this user are rejected. Also the Zarafa Gateways can only authenticate users with a Zarafa account and not users with only an email account. the maximum mailbox size each user can have.home. It is possible to make this web interface available through a virtual host configured on the HTTP server. Enable ActiveSync: Enable the support for ActiveSync mobile devices for synchronizing email. Furthermore.lan. To provide users with POP3. For more information. Enable correction: Enable this option to check spelling while you type an e-mail using the Zentyal web interface. or its gateways. When a user reaches the maximum quota. the user will not be allowed to continue sending emails until they have freed up some space.lan/webaccess. 
Contacts.Zarafa basic use cases Once you have configured your Zarafa server and have authorized users. Tasks and Notes . showing the email interface and different tabs to access the Calendars. you can access it through the configured Virtual Host Zarafa login screen After login in you can see the main Zarafa page. simply double clicking in the desired date and time. for example a meeting To do this. reminders. . there are many parameters you can configure like duration. schedule. As you can see. During the event configuration or editing it later. you can invite other users from the Invite attendees tab.Zarafa main page Shared calendars Suppose a very common use case where you want to schedule an event between several users. etc. attached files. You only need to fill his/her mail address and click on Send. you should go to the Calendar tab and create an event. including a submenu that allows him/her to accept or decline the invitation. Receiving a mail invitation .Sending an event invitation The recipient will receive a custom mail with the event specification. or even propose a new time. attached files. in this submenu. department. role. In case you accept the event.Whether you accept or decline the event invitation. Add the user ‘Everyone’ (access for all Zarafa users) and choose the Profile Only read. email and addresses. As you can see the form is quite complete: you can include several phone numbers. you can share the folder right clicking over the folder and accessing Properties. you can create a contact through the New ‣ Contact menu. . it will be automatically added to your personal calendar. portrait. First of all. Creating a new contact Once you have created the contact. etc. you access the tab Permissions and click on the Add button. you can notify the sender back and include an explanatory text. After this just Accept. 
Shared contacts Another common use case is to share your business contact to have a centralized and organized point to retrieve this information. com/wiki/index. where you can see the shared contacts.com/trunk/Administrator_Manual/en-US/html/index.zarafa. you can access with other user and click on the Open shared folders link that you can see in the main Zarafa webpage. In the pop-up window.zarafa. see the User Manual [5]. fill in the Name with the email address of the user that has shared the contacts and in Folder type choose Contacts.html .zarafa.html [6] http://doc.php/Z-Push_Mobile_Compatibility_List [5] http://doc. For administrators that require a deeper understanding of the application. A new folder will appear in you main window.Sharing a contact with other Zarafa users After this.com/trunk/User_Manual/en-US/html/index. [4] http://www. For more information about Zarafa. reading of the Administration Manual [6] is recommended. To configure the service.ejabberd.Jabber depends on this. mark the Jabber checkbox to enable the Jabber/XMPP Zentyal module. User accounts will be user@domain. You can disable it. Connect to other servers: . SSL Support: It specifies whether the communications (authentication and chat messages) with the server are encrypted or plain text. [3] http://www.06 Instant Messaging Service (Jabber/XMPP) Introduction to instant messaging service Zentyal uses Jabber/XMPP as its IM protocol and jabberd2 [3] XMPP server. integrating network users with Jabber accounts. Then.im/ Configuring a Jabber/XMPP server with Zentyal To configure the Jabber/XMPP server in Zentyal. this setting will be selected from the Jabber client. If you set it as optional. and set the following parameters: General Jabber Configuration Jabber Domain: Used for specifying the domain name of the server. go to Jabber in the left hand menu. first check the Module Status and that the Users and Groups module is enabled .06. make it mandatory or leave it as optional. 
Message Of The Day) and send a notice to all connected users (broadcast).If you want to allow your users to contact other users on external servers. where you can select whether the account is enabled or disabled. leave it unchecked. set the message displayed when connecting (MOTD. go to Users ‣ Add User if you want to create a new user account. a section called Jabber account will appear. if you want a private server for your internal network. or the other way around. Otherwise. check this box. or to Users ‣ Edit User if you just want to enable the Jabber account for an existing user. Administrator privileges allow you to see which users are connected to the server. . Setting up a Jabber account As you can see. you can specify whether the user will have administrator privileges. send them messages. To create a Jabber/XMPP user account. Moreover. Enable MUC (Multi User Chat): Enables conference rooms (chat with more than two users). 07 Voice over IP service Introduction to Voice over IP Zentyal uses Asterisk [6] to implement the VoIP module. providing the features of a PBX (Private Branch eXchange) to connect multiple phones.org/wiki/Asterisk_(PBX) VoIP server configuration with Zentyal Zentyal VoIP module allows you to easily manage an Asterisk server with the users that already exist on the system’s LDAP server. [6] http://en. Asterisk is a software only application that works on any commodity server. It also offers services such as voice mail.06. and to configure the most common features. using a VoIP provider or the analog telephone network. Basic diagram of how VoIP works . interactive voice responses and so on. conferences.wikipedia. Go to Module Status and select the VoIP checkbox. A call to extension 400 starts music on hold if configured. the following general parameters should be configured: Enable demo extensions: This enables the extensions 400. VoIP configuration window in Zentyal To change the general configuration.com. 
Extension 600 provides an echo test to estimate your call latency. 500 and 600. the module must be enabled first. The Users and groups should be enabled beforehand. These extensions can help to check if a client is well configured. go to VoIP ‣ General.As usual. Once there. Extension 500 starts an IAX call to guest@pbx. .digium. the default option Zentyal is behind NAT: No is correct. Password: The password to log into the provider service.tld or at 1122@domain. To call through the SIP provider. Server: The provider server. enter the credentials supplied by the SIP provider. The NAT configuration section defines the network location of your Zentyal host. In the SIP provider section. a user user with an extension 1122 can be called at
[email protected] outgoing calls: This enables outgoing calls through a SIP provider to call regular phones. User and password are the extension assigned by Zentyal when you create the user or assign it for the first time. so that Zentyal can route calls through it: Name: The identifier of the provider in Zentyal. For example. It is strongly recommended that the password is changed immediately from User Corner [10]. listen to recorded messages and delete them. User name: The user name used to log into the provider service. so it does not accept incoming calls from other servers. For security reasons. to call Zentyal offices (+34 976733506 or 0034976733506) dial 00034976733506.tld. Recipient of incoming calls: The internal extension that will receive the incoming calls to the provider account. Voicemail extension: This is the extension to call to check voicemail. it is only accessible to the users of the Zentyal server. VoIP domain: This is the domain assigned to the user addresses. add an additional zero before the number to call. If it has a public IP address. [10] User corner is explained in the User’s corner section. [11] You may buy Zentyal VoIP credit in Zentyal store if you have Professional or Enterprise Server Subscription. The application listening on this extension allows you to change the welcome message. If it has a private IP . For instance. If you have a fixed public address. Voicemail: The device available through this extension will store the voicemail for this phone. you can add the local networks to which Zentyal has direct access without NAT.address. you must configure the dynamic DNS service (Dynamic DNS) available in Network ‣ Dynamic DNS (or configure it manually) and enter the domain name in Dynamic hostname. like a wireless network. like VPN or network segments not configured from Zentyal. go to VoIP ‣ Phones Adding a VoIP phone Enabled: Whether this phone configuration is enabled. Email notified: . 
To configure the authentication of the VoIP phones. Password: Needed to authenticate the phone against Zentyal. you must provide Asterisk with your Internet public IP address. select Fixed IP address and enter it. This is required due to SIP behaviour in NAT environments. it will have to be configured in the phone itself as well. In the Local networks section. if the IP is dynamic. Extension: Extension to dial to reach this phone. an administration password and a description. These rooms extension should fit in the 8001-8999 range and optionally have an access password.tld. Here you can configure multiple conference rooms.This email address will receive the voicemail messages as an attachment. Description: Description of the specific phone You can access the conference configuration through VoIP ‣ Meetings. These extensions can be accessed from any server by dialling extension@domain. List of meetings . When you edit a user. you will be able to enable and disable this user’s VoIP account and change his/her extension. you must use queues. if you need to call more than one user from an extension. Take into account that an extension can only be assigned to one user and no more. Managing the VoIP per user . The extension the call has been parked to will be announced to the called person. A queue is an extension and when a call is made to a queue. You can hang up afterwards as the call will be ringing on the called extension.When editing a group. You can hang up now. press # and then dial the extension where you need to transfer the current call. Managing the VoIP queues per group Using Zentyal VoIP features Call transferring The call transferring feature is quite simple. The caller will listen to call hold music. On Zentyal. Whilst you are in a conversation. the call parking can hold up to 20 concurrent calls and the maximum time a call can be parked is 300 seconds. the called person or group will dial the announced extension and the parked user will receive a wake up. 
Call parking Call parking works on the extension 700. all the users who belong to this queue will receive the same call. then dial 700. press # to initiate a transfer. if configured. you can enable and disable group’s queue. . From a different phone or a different user. and the call can start. While you are in a conversation. or carry out server monitoring. receive notifications for certain events or incidents. Remote monitoring and management • • Monitoring of hardware performance. mail usage. file sharing activity. Advanced security updates • Commercial Antispam. printers usage and backup activity.01 Zentyal maintenance Zentyal server is not just meant to configure network services. network availability. Alerts • Alerts on hardware performance. but it also offers a number of features to ease general server management and maintenance.07. These subscription services are available through Zentyal Cloud web interface and include: Quality assured software updates • All upgrades.Zentyal maintenance 07. VPN usage. network activity. the customers’ will not introduce any regressions on their already working systems. HTTP proxy activity. bugfixes and security updates that are taken to Zentyal’s Quality Assured Package Repository are extensively tested to make sure that by updating. included in Zentyal server that help to find out what has happened in your network and when. Zentyal Cloud offers a series of subscription services that help to automate the server management and maintenance tasks. software management and group tasks (including jobs). mainly service logs. IDS performance. Content filtering and Ad-blocking updates applied automatically to the system. Antivirus. Internet usage and service status. IDS activity. Reports • Reports on hardware performance. Besides these maintenance tools integrated in Zentyal server. antivirus performance. mail activity and backup status. Management including remote access to servers. IDS. This section will explain the tools. . 
The available remote support tools are also described. Internet usage. The free Basic Subscription explained in the chapter 1. .Disaster recovery • Remote system configuration and data backup and easy recovery of the data lost in case of a disaster.5 Zentyal Cloud Client gives you a preview to Zentyal Cloud and free access to some basic cloud features. Zentyal offers logs for the following services: • • • • • • • • • • OpenVPN Virtual private network (VPN) service with OpenVPN SMTP Filter SMTP mail filter POP3 proxy Transparent proxy for POP3 mailboxes Printers Printers sharing service Firewall Firewall DHCP Network configuration service (DHCP) Email Electronic Mail Service (SMTP/POP3-IMAP4) HTTP Proxy HTTP Proxy Service Shared files File sharing and authentication service IDS Intrusion Detection System (IDS) You can also receive notifications of the following events: • • • • • • • Specific values in the logs.org/rss-specification/. Service status. Events of the RAID subsystem per software. These logs are available through the Zentyal interface.07. Logs are stored in a database so making queries. Zentyal health status. reports and updates is easier and more efficient. go to Module status and check the logs box. You can also configure different dispatchers for the events so that the administrator can be notified in different ways (Email.02 Logs Zentyal log queries Zentyal provides an infrastructure that allows its modules to log all types of events that may be useful for the administrator. To start with. to be able to work with the logs. . To obtain reports from the existing logs. Jabber or RSS [2]). you must make sure that the module has been enabled. [1] PostgreSQL The world’s most advanced open source database http://www. Free disk space.org/.postgresql. Completion of a full data backup. [2] RSS Really Simple Syndication is an XML format used mainly to publish frequently updated works http://www. just like with any other Zentyal module. 
The database manager used is PostgreSQL [1].rssboard. Problems with the outgoing Internet routers. you can go to the Maintenance ‣ Logs ‣ Query logs section via the Zentyal menu. To enable the module. . you can create a customised query which allows you to filter by time period or other values that depend on the type of domain. For example. some of them provide an interesting Summarised Report. the results will automatically refresh with new data.You can obtain a Full report of all log domains. giving you an overview of the service during a time period. Moreover. The information provided depends on each domain. You can store these queries as events so that you will be notified when a match occurs. if the query doesn’t have an upper time limit. Query log screen In the Full report you have a list of all registered actions for the selected domain. Therefore. Furthermore. for the HTTP Proxy you can see the pages denied to a specific client. for the OpenVPN domain you can see the connections to a VPN server of a client with a specific certificate or for example. Full report screen . The Summarised reports allow you to select the time period of the report. together with a summary table with total values of different data types. which may be one hour. In the image you can see. a week or a month. The information you obtain is one or more graphics. one day. daily request statistics and daily HTTP Proxy traffic. Summarised report screen . for example. but rather with the Zentyal’s administrative panel itself. All the values that are older than the specified time will be discarded. This feature is specially useful for servers managed by more that one person. you can also force the instant removal of all the logs before a certain time period. Log configuration screen The values you can configure for each installed domain are: Enabled: If this option is not enabled. You can do this by clicking on the Purge in the Force log purge section. 
it is also important to know that you can configure them in the Maintenance ‣ Logs ‣ Configure logs section from Zentyal menu. Log Audit for Zentyal administrators In addition to the logs available for the different Zentyal services. Purge logs older than: This option establishes the maximum time during which the logs will be saved.Configuration of Zentyal logs Once you have seen how to check the logs. . In addition. This allows selection of different intervals. ranging from one hour to 90 days. no logs are written for this domain. there are two other log registries not associated with any of the services. with their associated timestamps. Setting up audit log Once you have saved these changes. Administrator sessions: It contains the information related with all the administration login attempts. By default. go to Maintenance ‣ Logs ‣ Query logs to see the following two tables: • • Configuration changes: Here you can see the module. and current and former changes (if applicable) for all the configuration changes made after the audit log was enabled. If you want to enable it. section.since you have a stored log of the successive configuration changes and executed actions for each user. with their associated IP addresses. this feature is disabled. as explained in the former section. successful or not. you just have to go to Maintenance ‣ Logs ‣ Configure logs and enable the audit domain. type of event. . session log outs and expired sessions for the different users. The instant actions will be logged permanently (until the registry is purged) and the ones pending to save will be displayed in the save changes interface itself. like most of the configuration changes. in case you want to discard changes. offering the system administrator a summary of all the modifications since the last save point. like restarting a server. and some others that are not applied until you save the changes. the audit log treats them in a different way. 
the actions that will be removed from the log. or.Query audit logs Since there are some actions in Zentyal that take effect instantly. Logs saving changes . Before enabling any event you have to make sure that the events module is enabled. you need to enable the events that might be of interest to you. you have to click on the menu entry Maintenance ‣ Events ‣ Configure Events and mark the Enabled box. Configure events page .03 Events and alerts Events and alerts configuration in Zentyal The events module is a convenient service that allows you to receive notifications of certain events and alerts that occur on your Zentyal server. Unlike the Logs module. (Electronic Mail Service (SMTP/POP3-IMAP4)). Zentyal allows you to receive these alerts and events via the following dispatchers: • • • • Mail [1] Jabber Logs RSS [1] The mail module needs to be installed and configured. To enable an event. where all services are enabled by default except the firewall. Go to Module status and check the events module.07. you can add filtering rules that depend on the domain. as well as the feed link. Some examples are: denied HTTP requests by the proxy. RSS: You can select the policy for authorised readers. cancelled printer jobs.There are some events that need further configuration to work properly. The public feed can be made private or authorised by source IP. to enable events. which writes its output to /var/log/zentyal/zentyal. You can also set the subject of the messages. address or object. The only required parameter is the free space percentage value that will trigger the event as it occurs. The configuration of the free storage monitoring is straightforward. and so on. DHCP leases for a given IP. For every domain. first you need to select which domains you want to use to generate events. all the other dispatchers require more configuration: Mail: You need to set the recipient’s email address (usually the Zentyal administrator). Except for the log watcher. 
you need to mark the Enabled box. From this page you can also create a new Jabber account with these new parameters in case they do not exist. . Jabber: You need to set the Jabber server address and port that will be used to send the messages. You also need to set the username and password of the user that will send the messages and the Jabber address of the administrator who will receive the notifications. You can also create an event filter from an existing log query by clicking on the Save as an event button through Maintenance ‣ Logs ‣ Query Logs ‣ Full Report.log. For the log monitor. This is true for the log and free storage space monitoring. To control the selection of channels for event notification. select the event dispatchers in the Configure dispatchers tab. Configure dispatchers page In a similar way. month or year. Monitoring is displayed using graphics which give a quick overview of resource usage trends. To do this.07. You can see the graphical monitor by viewing the menuselection:Monitor module. a day. This information is essential to assist with both troubleshooting and advanced planning of resources in order to avoid problems. You can choose the time scale of the graphics to view an hour. Placing the cursor somewhere over the line on the graphic you are interested in. This metric is defined as the number of runnable tasks in the run-queue and is provided by many operating systems as a one. Tabs with the different monitoring reports Metrics System load The system load attempts to measure the rate of pending work over the completed work. five or fifteen minutes average. . the exact value for a given instant can be determined.04 Monitoring Monitoring in Zentyal The monitor module allows the administrator to view the status of system resources from the Zentyal server. simply click on the tab you are interested in. CPU usage graphic Memory usage This graphic displays the memory usage. input/output wait. 
For multi-core or multi-cpu machines you will see one graphic for each core. In most Linux systems this value is 100 per second. but scheduling units known as jiffies. inactive. but this may differ. and so on. The following variables are monitored: Free memory: . The time is not a percentage. system code. These graphics represent the amount of time that the CPU spends in each of its states: running user code.System load graphic CPU usage This graphic shows detailed information of the CPU usage. Amount of memory not used Page cache: Amount of memory that is cached in a disk swap Buffer cache: Amount of memory that is cached for input/output operations Memory used: Amount of memory that is not included in any of the above Memory usage graphic File system usage This graphic displays the used and free space of every mount point. In order to enable this metric. the server must have this system installed and the kernel must support it. File system usage graphic Temperature This graphic allows you to view the system temperature in Celsius degrees by using the ACPI system [1]. . [1] Advanced Configuration and Power Interface (ACPI) is an open standard to configure devices focused on operating systems and power management.acpi. there is also a Bandwidth Monitoring module. http://www. you can access it through Network –> Bandwidth Monitor.info/ Temperature sensor diagram graphic Bandwidth Monitoring Apart from the monitoring module. Using this module you can study the network use for each client connected to Zentyal’s internal networks. Once you have installed and enabled the module. . which monitors the network flow. Configuration tabs for the interfaces to monitor Configure interfaces In this tab you can configure the internal interfaces you are going to monitor. By default it is enabled for all of them. 
Last hour bandwidth usage

Here you can see a list of the bandwidth usage during the last hour for all the clients connected to the monitored interfaces. The columns show, for each client IP, the amount of traffic transmitted to and from the external network and the internal networks. Note that the data in this tab is updated every 10 minutes; thus, you will not have any available information for the first moments after configuring and enabling the module.

Tab detailing the bandwidth usage in the last hour

Alerts

The monitoring system would be largely unused if it was not coupled with a notification system to warn users when uncommon values are produced. This ensures that you know when the host is suffering from an unusual load or is close to maximum capacity.

Monitoring alerts are configured in the Events module. Go to Maintenance ‣ Events ‣ Configure Events; the relevant events are grouped in the Monitor event.

Configuration screen for the monitor observers

Clicking on the configuration cell, you access the event configuration; here you can see the full list of available alerts. You can choose any of the monitored metrics and establish thresholds which trigger events: for instance, you can receive alerts for the free space in the hard disk metric, or the short-term load in the system load metric, and so on.

Configuration screen for event thresholds

There are two different thresholds, warning and failure; this allows the user to filter events based on severity. You can use the option reverse: to swap the values that are considered right and wrong. Another important option is persistent:. Depending on the metric you can also set other parameters.

Each measure has a metric that is described as follows:

System load: The values must be set in average number of runnable tasks in the run-queue.
File system: The values must be set in bytes.
Physical memory usage: The values must be set in bytes.
Temperature: The values must be set in degrees.
CPU usage: The values must be set in jiffies or units of scheduling.

Once you have configured and enabled the event, at least one observer must also be configured. The observer configuration is the same as the configuration of any other event. Check the Events and alerts chapter for more information.

07.05 Support tools

About Zentyal support

Zentyal servers contain some tools that ease the delivery of technical support. The most important tools will be described in this chapter. Furthermore, you can check the commercial support offerings on Zentyal's web site [1].

Configuration report

The configuration report is a file which contains your Zentyal server configuration and a great deal of information about your system. By providing this when requiring technical support, you can save time, as it will probably contain much of the information required by the support engineers.

There are two ways to generate the report:

1. In the web interface, go to System ‣ Configuration Report and click on the button to generate the report; when the report is ready it can be downloaded through your browser.
2. Through the command line, run the command /usr/share/zentyal/configuration-report. When the report is generated the command will show you its location in the file system.

Configuration report

Remote access support

In some difficult cases, it can be helpful to give the support engineer direct access to your Zentyal server, if your work environment permits it. The module Zentyal Cloud Client provides a feature which streamlines this procedure. The remote access is achieved by using ssh and public key encryption [2], and thus it is not necessary to share any password information.

Before enabling it, these prerequisites must be met:

• Your server must be either subscribed to Zentyal Cloud or be visible from the Internet.
• Service sshd must be running.
• The sshd service configuration option PubkeyAuthentication must be enabled; this is the default configuration.
• If you are using a firewall, it must be configured to allow incoming ssh connections (these connections normally use TCP/22).

To enable this feature you must be logged in with a user belonging to the group adm. The user created during the installation process fulfills this requirement. Once logged in, go to System ‣ Remote access support and check the Allow remote access to Zentyal staff control, then save the changes as usual.

By default, access is only granted through Zentyal Cloud's virtual private network, guaranteeing the security of the complete support process. For situations where the server cannot be subscribed to Zentyal Cloud or the virtual private network is not working properly, there is an option to allow Zentyal team access from any Internet address. If you need to allow access from the Internet, also check the option Allow access from any Internet address. You should provide your Internet address to the support engineer and ensure that ssh access is allowed from the Internet, that is, the server must accept connections from external networks.

Remote access support

Once you have provided the server's Internet address to the support engineer, they will have the ability to log in to your server as long as this feature is enabled. The access will only be available as long as this feature is enabled, so it is recommended that the feature is switched on only for the time necessary to carry out the work.

Furthermore, you can use the screen program to see the support session in real time; this could be useful for sharing information. You can join the session with this command:

screen -x ebox-remote-support/

By default you can only see the session; if you need to write to the command line and execute programs, you should ask the support engineer to grant you the correct permissions.

[1] http://www.zentyal.com/en/services/support/
[2] You can find more information on public key encryption in the chapter Certification authority (CA).
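The prerequisites listed above (sshd running, PubkeyAuthentication in effect, an account in group adm) can be verified from the shell before the control is switched on, and again when it is switched off. The following script is an added example; it is neither part of the Zentyal documentation nor code from the Zentyal Cloud Client module. The function names are its own, the sshd_config it reads is whatever file you pass it, and the port check assumes sshd is on TCP/22 as the text states.

```shell
#!/bin/sh
# Added example (not Zentyal's own code): pre-flight checks for the remote
# access support prerequisites described in the documentation above.

# sshd_pubkey_auth_enabled CONFIG_FILE
# Prints "yes" or "no": the value of PubkeyAuthentication that sshd will use.
# sshd honours the FIRST occurrence of a keyword, keywords are case-insensitive,
# and the option defaults to "yes" when it is absent. Settings after a "Match"
# line are conditional, so the scan stops there and falls back to the default.
sshd_pubkey_auth_enabled() {
    awk '
        /^[ \t]*#/ { next }                                  # comment line
        tolower($1) == "match" { exit }                      # conditional block
        tolower($1) == "pubkeyauthentication" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "yes" }                      # sshd default
    ' "$1"
}

# user_in_group USER GROUP: succeeds if USER is a member of GROUP (e.g. adm).
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# service_listening PORT: succeeds if a TCP listener is bound to PORT.
# Uses ss when present, netstat otherwise (Zentyal 2.2 on Ubuntu 10.04 has netstat).
service_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk '{print $4}' | grep -q ":$1\$"
    else
        netstat -ltn 2>/dev/null | awk '{print $4}' | grep -q ":$1\$"
    fi
}

# remote_support_ready USER CONFIG_FILE
# Prints one line per check and returns 0 only when every prerequisite holds.
remote_support_ready() {
    ok=0
    if [ "$(sshd_pubkey_auth_enabled "$2")" = "yes" ]; then
        echo "ok   PubkeyAuthentication enabled in $2"
    else
        echo "FAIL PubkeyAuthentication disabled in $2"; ok=1
    fi
    if user_in_group "$1" adm; then
        echo "ok   $1 is a member of group adm"
    else
        echo "FAIL $1 is not a member of group adm"; ok=1
    fi
    if service_listening 22; then
        echo "ok   a service is listening on TCP/22"
    else
        echo "FAIL nothing is listening on TCP/22"; ok=1
    fi
    return $ok
}

# Usage on a server: . ./remote-support-check.sh; remote_support_ready "$USER" /etc/ssh/sshd_config
```

Run it as the user you intend to log in with; a non-zero exit means at least one prerequisite is missing, and the printed lines tell you which one. The firewall prerequisite is not covered here because whether TCP/22 is reachable from outside can only be confirmed from the outside.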
08. ZENTYAL ADVANCED MANAGEMENT

08.01 Importing configuration data

Although the Zentyal UI greatly eases the system administrator's work, some configuration tasks through the interface can be tedious if you have to perform them repeatedly, for example, adding 100 new user accounts or enabling an e-mail account for all 100 users. These tasks can be automated easily through the Application Programming Interface (API) which is provided by Zentyal. In fact, the Zentyal web interface uses the same programming interface.

You only need a basic knowledge of Perl [1], and to know the public methods exposed by the Zentyal modules you want to use. An example on how to create a small utility is shown below, using the Zentyal API to automatically add an arbitrary number of users defined in a Comma Separated Values (CSV) file:

#!/usr/bin/perl

# bulkusers: create the accounts listed in the file "users" (one user per
# line: username,givenname,surname,password) through the Zentyal users module.
# The file holds clear-text passwords: keep it readable only by root and
# remove it once the import is done.

use strict;
use warnings;

use EBox;
use EBox::Global;

# Initialise the Zentyal framework (configuration, logging, ...)
EBox::init();

# Instance of the users module, which exposes the addUser() method
my $usersModule = EBox::Global->modInstance('users');

my @users;

open (my $USERS, '<', 'users') or die "Cannot open users file: $!";
while (my $line = <$USERS>) {
    chomp ($line);
    next if $line =~ /^\s*$/;      # skip blank lines
    my $user;
    my ($username, $givenname, $surname, $password) = split(',', $line);
    $user->{'user'} = $username;
    $user->{'givenname'} = $givenname;
    $user->{'surname'} = $surname;
    $user->{'password'} = $password;
    push (@users, $user);
}
close ($USERS);

# Second argument is the "system user" flag; 0 creates a regular user
foreach my $user (@users) {
    $usersModule->addUser($user, 0);
}

Save the file with the name bulkusers and grant it execution permission using the following command:

chmod +x bulkusers

Before running the script, you must have a file called users in the same directory. The appearance of this file should be as follows:

jfoo,John,Foo,jfoopassword
jbar,Jack,Bar,jbarpassword

Finally, you must be in the directory where the files are placed and run:

sudo ./bulkusers

This section has shown a small example of task automation using the Zentyal API, but the possibilities are almost unlimited.

[1] Perl is a high-level, general-purpose, interpreted, dynamic programming language: http://www.perl.org/

08.02 Advanced Service Customisation

This section discusses two options for system customisation for users with special requirements:

• Tailor service configuration files managed by Zentyal, and prevent them from being overwritten every time Zentyal saves changes.
• Perform actions in the process of saving changes in configuration.

Before deciding to modify a configuration file manually, you must understand how Zentyal works internally. The Zentyal modules, once enabled, overwrite the original system configuration files for the services they manage. One of the main goals of Zentyal is simplicity; it tries to cover the most common configuration options. However, there are cases where there are so many configuration settings that it would be impossible for Zentyal to control them all. In addition to this, there are users who want to adjust some of those unhandled parameters to adapt Zentyal to their requirements. One of the possibilities of doing this is by editing the configuration files that handle the service directly. Therefore, if you want to make your changes persistent, you must edit templates instead of system configuration files.

How the configuration template system works

When a module is responsible for automatically setting up a service, some of the parts are parametrised through variables. Modules do this through templates that essentially contain the basic structure of a typical configuration file for the service. The values of these variables are assigned before overwriting the file and are taken from the configuration previously set using the Zentyal web interface. The remaining parts are generated automatically by Zentyal.

These templates are in /usr/share/zentyal/stubs and their names are the original configuration file names plus the .mas extension. You can edit these templates directly, if you want. Take into account that these changes will persist even if you modify the Zentyal configuration. However, they will not apply anymore if you update the module containing the template: when you reinstall a package the .mas files will be overwritten. If you want these changes to be effective even when you update the module, you have to copy the template to /etc/zentyal/stubs/ inside the directory with the name of the module. For example, to modify the template /usr/share/zentyal/stubs/dns/named.conf.options.mas, you will create the directory /etc/zentyal/stubs/dns/, copy the template inside and modify this copy:

sudo mkdir /etc/zentyal/stubs/dns
sudo cp /usr/share/zentyal/stubs/dns/named.conf.options.mas /etc/zentyal/stubs/dns

Another advantage of copying the templates to /etc/zentyal/stubs/ is that you can keep control of the modifications that you have done over the original templates. This way, you will always be able to check these differences using the 'diff' tool, for example, for the former case:

diff /etc/zentyal/stubs/dns/named.conf.options.mas /usr/share/zentyal/stubs/dns/named.conf.options.mas

It is possible that you need to perform certain additional actions while Zentyal is saving changes instead of customising configuration files. Zentyal lets you run scripts, also known as hooks, while the saving changes process is being performed. There are six points during the process when you may execute these scripts. Two of them are general and the remaining four are per module:

Before saving changes: In the /etc/zentyal/pre-save directory, all scripts with running permissions are run before starting the save changes process.
After saving changes: Scripts with running permissions in the /etc/zentyal/post-save directory are executed when the process is finished.
Before saving module configuration: Writing the /etc/zentyal/hooks/<module>.presetconf file, being <module> the module name you want to tailor, the hook is executed prior to overwriting the module configuration. It is the ideal time to modify configuration templates from a module.
After saving module configuration: The /etc/zentyal/hooks/<module>.postsetconf file is executed after saving the <module> configuration.
Before restarting the service: /etc/zentyal/hooks/<module>.preservice is executed. This script could be useful to load Apache modules, for instance.
After restarting the service: /etc/zentyal/hooks/<module>.postservice is executed. In the firewall case, all the extra rules must be added here.

For example, when Zentyal saves changes related to the firewall, the first thing the firewall module does is to remove all existing rules, and then add the ones configured in Zentyal. If you manually add a custom iptables rule that is not covered by the Zentyal interface, it will disappear when saving firewall module changes. To prevent that, the rule must be added from the firewall postservice hook.

These options have great potential and allow highly customisable Zentyal operations.
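The firewall case above is the one where a hook is most often needed, so here is an added example of a /etc/zentyal/hooks/firewall.postservice script. It is not code from the Zentyal project; the chain name, the management subnet and the two rules are constructed placeholders for the illustration, and the only facts it relies on are those stated in the text: the hook runs after the firewall service restarts, and every rule the interface does not model has to be re-created on each run. All custom rules live in a dedicated chain that the hook empties and rebuilds, and the single jump into that chain is deleted before being re-inserted, so the result is the same rule set however many times the hook runs, without depending on a rule-existence check (iptables -C) that older iptables versions lack.

```shell
#!/bin/sh
# Added example, not Zentyal's own code: /etc/zentyal/hooks/firewall.postservice.
# Zentyal runs this after the firewall module has flushed every rule and re-added
# the ones configured in the interface; anything else must be re-created here.
#
# Idempotent design: custom rules are kept in their own chain, which is created
# if missing, flushed, and refilled; the jump from INPUT is removed and re-added
# so it exists exactly once. Names and addresses below are constructed examples.

IPTABLES="${IPTABLES:-iptables}"   # overridable for dry runs and tests
CHAIN="${CHAIN:-zentyal-custom}"   # chain name is an assumption of this example

# ensure_chain: create CHAIN if it does not exist, empty it, and make INPUT
# jump to it exactly once. Returns non-zero if iptables rejects a command.
ensure_chain() {
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || true          # fails harmlessly if present
    "$IPTABLES" -F "$CHAIN" || return 1
    "$IPTABLES" -D INPUT -j "$CHAIN" 2>/dev/null || true  # drop a stale jump, if any
    "$IPTABLES" -I INPUT 1 -j "$CHAIN" || return 1
}

# apply_custom_rules: the site-specific rules the interface does not offer.
# Every call leaves the same final rule set, however often the hook runs.
apply_custom_rules() {
    ensure_chain || return 1
    # Log new SSH connections from the (constructed) management subnet so that
    # administrative access is visible in syslog for later review.
    "$IPTABLES" -A "$CHAIN" -p tcp --dport 22 -s 192.0.2.0/24 -m state --state NEW \
        -j LOG --log-prefix "zentyal-hook-ssh: " || return 1
    # Rate-limit new SSH connections from anywhere to blunt password guessing.
    "$IPTABLES" -A "$CHAIN" -p tcp --dport 22 -m state --state NEW \
        -m limit --limit 6/min --limit-burst 10 -j ACCEPT || return 1
    # Hand every other packet back to the rules Zentyal generated.
    "$IPTABLES" -A "$CHAIN" -j RETURN || return 1
}

# Apply the rules only when invoked as the hook itself, so the file can also be
# sourced (for a dry run with IPTABLES=echo, or for testing) without side effects.
case "$0" in
    *firewall.postservice) apply_custom_rules ;;
esac
```

Install it with chmod +x as /etc/zentyal/hooks/firewall.postservice; to see the commands it would issue without touching the running firewall, run `IPTABLES=echo sh -c '. ./firewall.postservice; apply_custom_rules'`. Keeping the hook's rules in their own chain also makes them easy to audit with `iptables -L zentyal-custom -n` after a save.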
08.03 Development environment of new modules

Zentyal is designed with extensibility in mind and it is relatively simple to create new Zentyal modules. Anyone with Perl language knowledge may take advantage of the Zentyal development framework to create web interfaces; however, its explanation and development is beyond the scope of this course.

Zentyal design is completely object-oriented and it takes advantage of the Model-View-Controller (MVC) design pattern [2], so the developer only needs to define those features required by the data model, and also benefits from the integration with the rest of the modules and the common features from the vast Zentyal library. To simplify the process further, a development tool called zmoddev [3] is provided to ease the development of new modules, auto-generating templates depending on the parameters provided by the user. This will save time, offering better integration with the rest of the systems.

Zentyal is designed to be installed on a dedicated machine. This recommendation is also extended to the developing scheme: developing on the same host is highly discouraged. A virtual system to develop on is the recommended option, as Appendix A: Test environment with VirtualBox explains in depth.

[2] An explanation about the Model-View-Controller design pattern: http://en.wikipedia.org/wiki/Model_View_Controller
[3] zmoddev SVN repository access: svn://svn.zentyal.org/zentyal/trunk/extra/zmoddev

08.04 Release policy

Zentyal server development follows a time based release cycle: a stable Zentyal release is published once a year, in September. The Zentyal Development Team has opted for a time based release cycle most importantly because it makes it easier, for both users and for developers, to make long-term decisions regarding the development, deployment and maintenance of the server, and helps the Development Team to deliver well tested, high-quality software.

Zentyal Release Cycle

There are three types of Zentyal server releases the Zentyal Development Team will publish during the Zentyal Release Cycle: Beta versions, Release Candidates and Stable versions.

Zentyal Beta versions

Zentyal Beta versions are unstable software releases that are published from September to June. These beta versions introduce new features that are not yet fully tested for bugs. As the Zentyal Development Team follows the "Release early, release often" guideline, there might be an important number of beta versions published during this time period. Beta releases always have odd major numbers: 1.1, 1.3, 1.5, 2.1, 2.3, ... The 2.1 series followed this pattern: 2.1.1, 2.1.2, 2.1.3, ..., 2.1.10, 2.1.11, ... The 2.3 series will follow this pattern: 2.3.1, 2.3.2, 2.3.3, ..., 2.3.10, 2.3.11, ... As Beta versions will eventually become stable releases, this means that 2.1.x -> 2.2 and 2.3.x -> 3.0.

Zentyal Release Candidates

Zentyal Release Candidates are published from July to September, during the three months stabilization period. There are as many release candidates as the Development Team deems necessary to stabilize the new code and bug fixes introduced before publishing the next stable version. Release candidates always have the version number of the next stable release and the "rc" suffix to indicate that the version is a release candidate. A suffix of "rc1" would be used for the first release candidate, "rc2" for the second release candidate, "rc3" for the third release candidate, and so on: 3.0-rc1, 3.0-rc2, ...

Stable Zentyal versions

Stable Zentyal versions are published once a year, in September. Stable releases always have even major numbers: 1.0, 1.2, 1.4, 2.0, 2.2, 3.0, ... The stable versions will be supported for three years, after which they reach their "end of life" date and become unsupported.

It is important to notice that all Zentyal releases are based on the Ubuntu LTS versions. Each Zentyal release is based on the Ubuntu LTS version that is available at the moment the release is launched. The first version number changes every time the base system, the Ubuntu LTS version, is upgraded. For example, the versions 1.0, 1.2 and 1.4 were based on Ubuntu 8.04 LTS, 2.0 and 2.2 were based on Ubuntu 10.04 LTS and 3.0 will be based on Ubuntu 12.04 LTS.

Timetable

• June: Zentyal development is frozen. The three months stabilization period starts. The necessary release candidate versions are published during this period.
• September: The stable Zentyal version is published.
• October-June: Zentyal development continues. The necessary beta versions are published during this period.

Support policy

The Zentyal Development Team offers three years of support for the stable Zentyal versions. That is, the stable Zentyal versions are supported for three years during which support for all security issues is granted. This means that since the publication of a stable Zentyal version, support for all security issues as well as, in addition to security issues, commercial support and subscription services will be granted for this version during the next three years. After this time period, the stable version reaches its "end of life" date and becomes unsupported.

08.05 Bug management policy

Each open source software project has its own bug management policy. Zentyal is not an exception. The project management tool Trac [4] is used by the Zentyal Development Team to manage bugs and other tasks. It lets users open tickets to report problems and it is open to all users. Once the ticket is created by a user, its state can be tracked by the user through the web or email. You may reach Zentyal Trac at http://trac.zentyal.org.

It is highly recommendable to report a bug when you are fairly sure that your problem is really a bug and not just an expected result of the program under determined circumstances. It is absolutely necessary to include detailed steps to reproduce the issue so that the Zentyal Development Team can fix it. As mentioned previously, check first in the Trac if the bug was reported already. If the bug was reported already, you can still help by confirming that you have reproduced it and giving additional details about the issue. If not, report the bug via the Zentyal web interface (if the crash appears there) or manually via the Zentyal bug tracker. If you are reporting manually, include at least the /var/log/zentyal/zentyal.log file or any other useful information you think is related to your issue. Screenshots are also welcome if you think they will help to see the problem. Finally, it is even better if you can provide a solution to the issue. This could be done by modifying the application itself through a patch or by following some steps to avoid the problem temporarily (workaround).

[4] Trac is an enhanced Wiki and issue tracking system for software development projects: http://trac.edgewall.org

Patches and security updates

A patch is a modification in the source code used to fix a bug or add a new feature to that software. In open source projects, community members are able to send patches to the project maintainers and, if the patches are considered suitable, then they will be merged into the application. Developers themselves often publish official patches too, for example, fixing a known vulnerability. Projects like Zentyal, typically, release a new version of the package including the official patch; that is, other modifications might be added to fix several bugs at once. The latest Zentyal version always includes all the bug fixes. You can check out the available community updates and install them using the web interface through the software module [5]. If you have a commercial server subscription [6], quality assured software updates will be automatically applied to your Zentyal server to guarantee your installation with maximum security and uptime.

[5] The Software updates section shows this module in depth.
[6] http://www.zentyal.com/services/subscriptions/

08.06 Technical support

Open source software projects usually provide technical support to the users through different methods. You must distinguish between two kinds of support: the support provided to and by the community, which is free, and the commercial support, provided by companies that charge a fee for their services.

Community support

Community support is provided mainly on the Internet, in the community section of the Zentyal web site (http://www.zentyal.org). Zentyal community support is centered on the forum [7], although mailing lists [8] and IRC channels [9] are also available. Logically, all this information is available together with further documentation.

There are many occasions in which the community is able to support itself; the users help each other. The community members are important, even fundamental, providers of information for the product development. Users contribute by discovering hidden bugs and help developers to improve the product so it becomes more attractive to more users.

But this voluntary support does not offer any guarantees. If a user asks a question, it is possible that no reply is given depending on the question format, timing or any other circumstances.

[7] http://forum.zentyal.org
[8] http://lists.zentyal.org
[9] irc.freenode.net server, #Zentyal (English) and #Zentyal-es (Spanish) channels.

Commercial support

The commercial support allows the user to obtain support as a professional service. Unlike community support, the commercial support offered by the Zentyal Development Team or Authorized Zentyal Partners offers several guarantees:

• Maximum response time: depending on the service package the response time will be different.
• Support from well-trained professionals backed by the Zentyal Development Team.
• Additional features which add value to the product and are not available to the community.

These advantages are pretty clear for companies whose business relies on this software. In addition to this, commercial support ensures no time is wasted trying to find out what hardware you should purchase, what modules you should install, how to make the initial configuration, how to integrate Zentyal with existing systems, etc.