Http access directive in pmta

Khai’s personal knowledge vault.

Materials on this site are not original. When possible, references to original articles are listed on each page.

Where did I move the list of most frequently used commands to?

For now, I put them in a file on my Google Drive under the tech folder.

How can we determine the version of PMTA server that we are using?

How can we show a list of queues that are paused?

How can we pause a queue?

How can we resume a queue?

How can we extract data from the PMTA accounting CSV file?

Power MTA server produces a daily accounting log file that is a giant CSV file containing the delivery status of every email it sends. If you’re sending a lot of email, these accounting files can be very big.

How can we avoid the ‘connection timed out’ issue?

Occasionally, our mail service received a ‘connection timed out’ error message when it connected to PMTA. I think the problem happens when the PMTA server is handling a lot of bounced messages. See http://stackoverflow.com/questions/16186600/pmta-out-of-connections-slot-error

Where is the configuration file?

Where can we find the user guide?

What do we need to do when we receive the license file?

We need to save it as /etc/pmta/license before starting PMTA.

What are essential PMTA configuration tips?

  1. Use source directives to make sure your email headers are correct. ESPs and many high-volume senders send email on behalf of other organizations and often feel they do not have full control over the email headers. This is not the case, and if best practices are not followed, email will almost inevitably end up in the junk folder. With PowerMTA™ you can add missing Date or Message-ID headers. You can also hide internal sources in the Received header, or disable adding the Received header altogether. The latter is often used to make it look as if the email originated from the sender’s public IP. In an upcoming release slated for Fall 2014, you will have granular rate limiting control on both a source IP and a sending IP basis.
  2. Keep the configuration clean by using parameter inheritance wisely. For manageability, it is important to keep configurations DRY. PowerMTA™ merges the settings from all matching sources, top to bottom, so you can often move common settings to the source that matches 0/0 (except always-allow-relaying, of course, which should only be allowed from specific sources). By removing settings that have obvious default values, you can further reduce redundant configuration. With domain directives, all matching domain entries are merged, giving preference to more specific entries regardless of their order in the configuration. By using sensible default settings for the wildcard domain, you can reduce the configuration to only a few exceptions. For example, the following settings reduce the need to set limits on many specific domains:
    • max-smtp-out 2 # enough for small domains, increase for common domains
    • max-msg-per-connection 100 # most ISPs accept 100 emails per session
    • max-errors-per-connection 10 # avoid disconnect due to a long sequence of invalid recipients
  3. Don’t waste resources on invalid email domains. If the local part of an email address does not exist, you’ll usually get an error message from the ISP. However, if the domain is not valid, you might run into repetitive errors such as failed DNS lookups, non-responsive servers, or servers that refuse to relay for a particular domain. PowerMTA™ should be configured not to waste resources on these domains and to focus delivery resources on valid domains. For example, use a rather low max-smtp-out for the default domain, and increase it for important valid domains. A setting of 20 is enough to send millions per hour, and completely over the top for many domains. Furthermore, you can instruct PowerMTA to bounce email if an MX record is missing. Invalid domains caused by typos often have an “A” record without a proper mail server, causing these domains to languish in the queue until they time out. You can also use a domain macro combined with black-holing to drop mail for known discontinued domains or domains with anonymous disposable accounts. In any event, the goal is to keep the configuration “lean” for invalid or less important domains.

How can we determine the most important domains?

You can use data from PowerMTA’s accounting files to determine what are the most important domains in your case. By looking at the bounce reports, you can determine which errors should trigger the back-off mode for example.

How can we log transient errors?

The PowerMTA accounting logs are often used to record deliveries or bounces. But by enabling logging of transient errors, you can get a wealth of information about the delivery, and how to optimize it. Large webmail providers, but also smaller ISPs, have limits on the number of messages they accept from a certain IP. When the limit is reached, they return a temporary error, which can be logged by PowerMTA. This information can be used to adjust the volume for IP seasoning (warm-up) or maximum rate of sending, or tune the configuration of the back-off mode.
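The three questions above (extracting data from the accounting CSV, ranking recipient domains, and mining logged transient errors) can be answered with one small header-driven analyzer. The following is an added example, not code from the original page or from PowerMTA; the column names and the record-type letters (d/b/t) are an assumption modelled on PowerMTA's default accounting fields, and the CSV is constructed. It also groups the Hotmail family of domains the way a domain-macro would, so the numbers reflect the traffic Hotmail actually sees from one IP.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the shape of a PowerMTA accounting CSV (not a real log).
# Column names are an assumption modelled on PowerMTA's default accounting
# fields; the functions are header-driven, so adapt them to the columns your
# acct-file actually records. Record types assumed: d = delivery,
# b = bounce, t = transient error.
SAMPLE_ACCT = """\
type,timeLogged,rcpt,dsnStatus,dsnDiag,bounceCat,dlvSourceIp,vmta
d,2014-09-01 10:00:01,alice@hotmail.com,2.0.0,smtp;250 OK,success,192.0.2.10,mta1
d,2014-09-01 10:00:02,bob@live.com,2.0.0,smtp;250 OK,success,192.0.2.10,mta1
t,2014-09-01 10:00:03,carol@hotmail.co.uk,4.0.0,smtp;421 too many messages from this IP,other,192.0.2.10,mta1
t,2014-09-01 10:00:04,dave@msn.com,4.0.0,smtp;421 too many messages from this IP,other,192.0.2.10,mta1
b,2014-09-01 10:00:05,erin@gmail.com,5.1.1,smtp;550 5.1.1 user unknown,bad-mailbox,192.0.2.11,mta2
d,2014-09-01 10:00:06,frank@gmail.com,2.0.0,smtp;250 OK,success,192.0.2.11,mta2
b,2014-09-01 10:00:07,grace@exmaple.cmo,5.4.4,dns;no MX record for domain,bad-domain,192.0.2.11,mta2
d,2014-09-01 10:00:08,heidi@yahoo.com,2.0.0,smtp;250 OK,success,192.0.2.11,mta2
"""

# Recipient domains the page later groups under one Hotmail queue via domain-macro.
DOMAIN_MACROS = {
    "hotmail": {"hotmail.com", "hotmail.co.uk", "hotmail.de", "live.com",
                "live.nl", "live.be", "msn.com"},
}


def parse_accounting(text):
    """Parse accounting CSV text (with header row) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def rcpt_domain(address):
    """Lower-cased domain part of a recipient address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def queue_family(domain):
    """Map a recipient domain to its domain-macro name, or to itself."""
    for name, members in DOMAIN_MACROS.items():
        if domain in members:
            return name
    return domain


def summarize(records):
    """Count record types (d/b/t) per queue family."""
    summary = defaultdict(Counter)
    for rec in records:
        summary[queue_family(rcpt_domain(rec["rcpt"]))][rec["type"]] += 1
    return dict(summary)


def rank_families(summary):
    """Queue families ordered by total traffic, busiest first (ties by name)."""
    return sorted(summary.items(),
                  key=lambda item: (-sum(item[1].values()), item[0]))


def bounce_categories(records):
    """Which bounce categories occur; input for choosing back-off patterns."""
    return Counter(rec["bounceCat"] for rec in records if rec["type"] == "b")


def throttle_hits(records, code="421"):
    """Transient errors carrying the given SMTP code, per delivery source IP.

    A rising count for one IP is the signal to lower max-msg-rate or
    max-smtp-out for that VirtualMTA, or to slow its warm-up schedule.
    """
    hits = Counter()
    for rec in records:
        if rec["type"] == "t" and code in rec["dsnDiag"]:
            hits[rec["dlvSourceIp"]] += 1
    return hits


if __name__ == "__main__":
    recs = parse_accounting(SAMPLE_ACCT)
    for family, counts in rank_families(summarize(recs)):
        print(f"{family:<14} delivered={counts['d']:<3} bounced={counts['b']:<3} "
              f"transient={counts['t']}")
    print("bounce categories:", dict(bounce_categories(recs)))
    print("421 throttles per source IP:", dict(throttle_hits(recs)))
```

On a real accounting file, replace SAMPLE_ACCT with the file contents and feed the per-IP 421 counts into your max-msg-rate decisions for the VirtualMTA that sends from that IP.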

How can we play well with Hotmail?

Windows Live Hotmail is famous for throttling senders based on IP reputation. PMTA offers a number of parameters for tuning email delivery to specific domains. The max-connection-rate and max-msg-rate parameters can be used to prevent the «421 SMTP» error message (rate throttled) from occurring. If you do not react to these errors and keep pushing mail, your reputation could become even worse.

What is a domain-macro?

Delivery settings in PMTA are made within the context of a recipient domain, such as hotmail.com. PMTA uses a separate mail queue for each unique combination of VirtualMTA and recipient domain. But there are many other domains related to Windows Live Hotmail, such as hotmail.co.uk, hotmail.de, live.com, live.nl, live.be, msn.com, etc. All these domains and many others are handled by the same mail servers (mx1.hotmail.com to mx4.hotmail.com). Luckily, PMTA offers domain-macro, which can be used to apply settings to a set of domains. For example:

This effectively creates separate queues for each domain using the same settings. But because there are more queues, the number of connections and the message rate increase with each queue. This is far from ideal, because Hotmail’s mail servers look at all the traffic from a sender IP, regardless of the recipient domain. What we want is a single queue in PMTA for all mail traffic going to Hotmail. For this, we have to resort to an undocumented feature of PMTA, the queue-to parameter. This allows us to place mail for a domain in the queue of another domain. The latter queue will send all mail to the mail servers that its name resolves to. We can use this to collect the mail for a list of domains in a single queue.

The route parameter is used to make the MX lookup explicit, allowing us to use a special, arbitrary name for the queue to make clear that it is a special queue for all mail to Hotmail.

Now we are able to control the mail traffic going to Hotmail’s servers much more accurately. However, there is one catch to this configuration: the MX lookups of domains other than hotmail.com are hard-coded in your configuration. Chances may be slim, but if one of the domains listed in the domain-macro is moved to another set of MXs, all its mail will bounce, because it is always routed to the MXs of hotmail.com. Also, because the list of domains that are queued to the special queue is hard-coded, there could be other domains that also resolve to Hotmail’s servers but are not covered by it.

We can further enhance this configuration by using smtp-pattern-list to detect the errors mentioned above, and automatically put the queue into back-off mode running at a slower pace. Refer to the PMTA user guide.

After analyzing the connection data during «exceeded the connection limit» errors, I concluded that it is not the connection rate that causes the errors. Instead, I found a correlation between the errors and the number of concurrent connections. This suggests that max-smtp-out should be used instead of max-connect-rate to prevent these errors. A value of 1 to 5 concurrent connections is a good limit for volumes between 1000 and 10000 per hour.

PowerMTA Multiple Virtual PMTA config file sample

66 thoughts on “PowerMTA Multiple Virtual PMTA config file sample”

I can only roughly understand it; the specifics are still a bit unclear.
max-smtp-out 3
max-msg-per-connection 20
smtp-greeting-timeout 1m # added in v3.2r17
mx-connection-attempts 5 # added in v3.2r16
smtp-pattern-list backoff
backoff-to-normal-after 2h # added in v3.5
backoff-max-msg-rate 50/h # Use with PowerMTA 3.5
backoff-retry-after 90m
# backoff-notify admin@mydomain.com
dk-sign yes
dkim-sign yes

I read the English version of the PowerMTA user guide; when I have time I will translate the important parameters.

Thanks, some parts are still unclear. Could you help explain?
1. The per-domain sending volume and concurrent connection settings: do they control a single IP, or the maximum concurrent connections and sending volume of all IPs combined?
I don’t quite understand this relationship.
2. After setting up these virtual MTA groups, will it automatically rotate through their IPs when sending?

1. The per-domain concurrent connection setting max-smtp-out is the total number of concurrent connections from all IPs to that domain. To control concurrent connections per IP, use the parameter max-smtp-out-per-source-ip.
2. Yes, PMTA automatically rotates through the available IPs when sending.

Aren’t the bounce rules still missing? Could you post one so we can learn from it?

I have PMTA4 and a server with a /27 (192.168.10.1, 192.168.10.2, 192.168.10.3 ... .30), so all these IPs are on my server as additional IPs, and the main IP of the server is

192.168.10.0.
So I want to send the first 5000 emails only with IP 192.168.10.9 (bound with domain abcd.com); after completing that email,
I want to send a second email with another IP, 192.168.10.16 (bound with domain Pqrs.com); after completing that email ...
and so on with all individual IPs ......

So I need 30 SMTPs with 30 IPs and 30 domains in PMTA.

How can I do that with my PowerMTA4?

I don’t think PMTA has a directive/option for this. You might have to customize the frontend app (Interspire or Oempro) to accomplish this.

You can see the user’s guide: 8.4 Selecting a VirtualMTA or VirtualMTA Pool.
There are 5 methods to select a VirtualMTA.

max-smtp-out 3
...
...
Is this the rule for sending to hotmail mailboxes?

Hello, teacher.
1. At the beginning, postmaster admin@mydomain.com: doesn’t this need to be set?
2. Are all these IPs owned by the same server?
3. What is the “Settings per outgoing domain” setting?

1. The mailbox after postmaster should of course be replaced with your own.
2. The IPs are all on the same server; some VPS providers let you buy 256 IP addresses.
3. “Settings per outgoing domain” is preceded by a # sign, which means that code is commented out. These are settings based on the recipient mailbox domain, for example what limits you want to apply to mail sent to hotmail.

max-smtp-out 3
max-msg-per-connection 50
smtp-pattern-list backoff
backoff-to-normal-after 2h # added in v3.5
backoff-max-msg-rate 50/h # Use with
backoff-retry-after 90m
# backoff-notify admin@mydomain.com
dk-sign yes
dkim-sign yes

In this setup, under smtp-pattern-list backoff, the directives starting with backoff have no # in front of them. I see that some people’s configs have the # sign. Is there a difference? I’m a beginner still learning; thanks for your help.

For example, if you want to set that in backoff mode it waits 90 minutes before retrying delivery,
then do not put a # sign in front of backoff-retry-after 90m.

Hello, I’d like to ask further:
1. Does backoff mean delayed sending?
2. Is the whole queue delayed, or only this single email address?
3. Why do I see that the mode of my queues has all changed to backoff?

Backoff usually means the corresponding MTA enters slow-sending mode. The exact sending rate is set in backoff-max-msg-rate.

The example above sets max-msg-rate 100/h; if an MTA’s sending rate exceeds this value, it enters backoff mode.

Thank you for writing such a good article.

But still I am confused.

I want to set up PowerMTA in load-balancing mode, which distributes email to relay PowerMTA servers.

And the load balancer server will receive mail from a PHP app.

Kindly suggest how I can do this.

Sorry, I don’t have a config for load balancing mode.

Hi Jack,
Can you please check our categorization patterns for hard bounce, soft bounce and block and suggest any improvements?

Thx and rgds
priti

Multi-IP MTA, then configure virtual-mta-pool.

IP rotation for sending is implemented through PMTA settings; the parameter default-virtual-mta mta-pool in the example above makes mail rotate through the MTAs configured in the mta-pool pool. There is no need to set it in Oempro.
The Chinese translation of the PMTA manual has not been done yet.

Hey guys! Great post.
You can find a lot of useful information at https://contacthd.com; it’s a community forum about email marketing.
You can find experts to do the PMTA config and setup.

Is it possible for you to tell, where to place this configuration file?

The PMTA config file is located at /etc/pmta/config.
Check out this post http://www.huangzhong.ca/install-and-config-powermta-pmta/

Hello Jack,
Thank you for writing such a good article.
I have a little problem: I created 2 VMTAs (2 IPs/2 domains) but when I send an email, there is always the same IP, even when I send from a different domain.

Do you have an idea ?

The outgoing IP is not based on the sender’s email address/domain. It’s configured using “default-virtual-mta mta-pool”. The VirtualMTAs in the mta-pool are used in round-robin fashion (taking turns). Check your default-virtual-mta setting.

You can also use “default-virtual-mta by-smtp-source-ip”. The VirtualMTA is then selected based on which PMTA IP was used for the connection; the corresponding VirtualMTA is configured with that outgoing IP.

Hi, is it possible with PMTA to route emails to hotmail.com via an external smarthost? It’s because the server has good IPs but they are blocked/banned by Microsoft.

virtual-mta mta2
virtual-mta mta3
virtual-mta mta4
virtual-mta mta5
virtual-mta mta6

thank you Jack Huang

Hi Jack, there is something I don’t understand here. Using mail-tester.com I found that DKIM for my pmta+oempro setup never passes. Mine is 3 subdomains mapped to 3 IPs:
smtp-source-host 142.2.134.444 mail1.domain.com
domain-key mail1,domain.com,/etc/pmta/dkim/mail1.moledonline.com.pem
How should this be changed? Thanks.

1. Check whether dkim-milter is installed on the host and whether it has been configured.
2. Check whether the file /etc/pmta/dkim/mail1.moledonline.com.pem exists and whether it contains the PRIVATE KEY content.

I’m having an issue with processes on a VPS server: the processes exceed the limit and PMTA is killed. It was suggested to me to change the backoff configuration

mode=backoff
change it to mode=normal

or simply comment out the pattern-list backoff; this way PowerMTA will not report back the connections and will use fewer processes.

What is your opinion?

Hello Jack, thanks for your informative post.

I would like to ask if there is a way I could load some Virtual MTA tags into my “config” file from another file. I shall explain:

1. let’s say my file ends with:

2. And I have a file (“includedVMTAs.txt”) that contains the following syntax:

3. Is there a way I can make the PMTA “config” file load VMTAs from “includedVMTAs.txt” so the final outcome in the “config” file looks like this?

Thanks in advance .. (y) (y)

The “include” directive specifies an additional configuration file to process. This can be used, for example, to facilitate maintenance of the configuration files across multiple hosts, by storing those settings which differ from host to host in a separate file and including it from the main (common) file. Wildcards may be used. An include may be used anywhere, including in a SOURCE, DOMAIN, or VIRTUAL-MTA tag.

include /etc/pmta/includedVMTAs.txt
include /etc/pmta/includes/*

Thank you Jack that was very informative.. (y)

Thank you for such a nice explanation. I have configured PMTA with Interspire. In Interspire I have set the bounce email address as bounce@mydomain.com but the bounces are going to the above email address from PMTA. Do I have to add any parameter in the config file for the bounces to be forwarded to bounce@mydomain.com?

Use MX records to specify the *@mydomain.com email destination.

How can I make a login for my PMTA? Like, I want that before you start, you will add a password and username.

Thanks for the post.
I just want to ask one thing.
I have PMTA installed on a server, and when I send, I want PMTA to pass the MESSAGE (header and body), RECIPIENTS (RCPT TO) and RETURN PATH (MAIL FROM) through variables to a PHP file, before delivering it to the final recipient.
Thank you

Hello Jack Huang, I am trying to get an application to send bulk emails that is compatible with PowerMTA. Can you help please??

First, thanks for your help to the world.
I’m sorry also for the inconvenience,

Then my question:
I want to configure a PowerMTA server to send mails en masse but I do not have anything to start with; I do not have the config, ...

Is it something you can help me with, please?

Thank you and sorry

Hello
I have a problem in PMTA: when it bounces an email, it sends it to the return-path email address.
What I want: when it bounces the email, delete it from the queue.
Thank you

Hello, dear friend,
I have a problem. When I connect to SMTP on different server IPs I get the same SMTP banner. How do I change it to different domains?
Help me, please

I am a newbie to PMTA. Can we configure PMTA with CWP panel or cPanel?

Sir, can you help me with how to send bulk mails using a Postfix mail server?

Good evening, excellent information! We are having an issue on sending: PMTA will slow to a crawl after sending 50% of the queue, no matter what the send amount is. We have noticed that it mainly happens with Yahoo and Gmail.

Example of the config file:

dkim-sign yes
second-dkim-sign yes
second-dkim-identity @[website].com
max-msg-rate 15/m

We added the following for Yahoo:

max-msg-per-connection 20
mx-connection-attempts 10

Hello
Every time I have to change my IP address; is that how I can connect to PMTA?
Is there any solution?

I’m not sure if I understand correctly but you don’t need to change the IP address to connect to PMTA.

If you face any problem with PowerMTA, you can contact me.

Hello Jack
I would like to ask you if there is any PMTA config for collecting bounced emails.
I am not asking about a regular send where bounced emails are collected in a file;
I’m asking about a send made especially for collecting bounces, where you send a fake email that is interrupted just after we know whether the email record exists or not, so the customer does not get any email and the bounced emails are stored in a file.
Thank you

I don’t think PMTA has a config for this.

I am a new user of PMTA; just wondering, will this config file work with 4.5r8? Also, does this config file rotate IP addresses?

I haven’t tested this config on v4.5r8.

This config file rotates all IP addresses in the mta-pool

virtual-mta mta2
virtual-mta mta3
virtual-mta mta4
virtual-mta mta5
virtual-mta mta6

We are The Softimony Group, having 20+ years of experience in IT fields. We have a team of IT professionals.

We offer installation and configuration of Linux web servers, bulk mail servers with PowerMTA & Interspire/MailWizz, SSL certificates, configuration of Google G Suite & any PHP script installation etc.

We can do a live 1-on-1 TeamViewer session; I will show you how to install PowerMTA with Interspire, all completed on your computer. I will also give you all the software.

Reach me on Skype to get started, username – kayodeseung
You can also check out my website – http://www.softimony.com

Hello Jack,
First of all, thank you for posting your config file.
I am new to PowerMTA; I would appreciate it if you could advise me on the best optimal configuration for performance / speed.
The target is to send more but keep connections low so as not to be banned.
Thank you in advance.
Here is my config:

max-smtp-out 20 # max. connections *per domain*
bounce-after 1m # 4 days, 12 hours
retry-after 10s # 10 minutes
max-msg-rate 100/h
max-msg-per-connection 20
max-errors-per-connection 10
smtp-greeting-timeout 5m # added in v3.2r17
mx-connection-attempts 30000 # added in v3.2r16
smtp-pattern-list backoff
backoff-to-normal-after 2h # added in v3.5
backoff-max-msg-rate 50/h # Use with PowerMTA 3.5
backoff-retry-after 90m
dkim-sign yes
ignore-8bitmime true

Http access directive in pmta

The /etc/security/access.conf file specifies (user, host), (user, network/netmask) or (user, tty) combinations for which a login will be either accepted or refused.

When someone logs in, the file access.conf is scanned for the first entry that matches the (user, host) or (user, network/netmask) combination, or, in case of non-networked logins, the first entry that matches the (user, tty) combination. The permissions field of that table entry determines whether the login will be accepted or refused.

Each line of the login access control table has three fields separated by a «:» character (colon):

The first field, the permission field, can be either a «+» character (plus) for access granted or a «-» character (minus) for access denied.

The second field, the users field, should be a list of one or more login names, group names, or ALL (which always matches).

The third field, the origins field, should be a list of one or more tty names (for non-networked logins), host names, domain names (begin with «.»), host addresses, internet network numbers (end with «.»), internet network addresses with network mask (where network mask can be a decimal number or an internet address also), ALL (which always matches) or LOCAL (which matches any string that does not contain a «.» character). If supported by the system you can use @netgroupname in host or user patterns.

The except operator makes it possible to write very compact rules.

The group file is searched only when a name does not match that of the logged-in user. Only groups are matched in which users are explicitly listed. However the PAM module does not look at the primary group id of a user.

The «#» character at start of line (no space at front) can be used to mark this line as a comment line.

EXAMPLES

These are some example lines which might be specified in /etc/security/access.conf.

User root should be allowed to get access via cron, X11 terminal :0, tty1, ..., tty5, tty6.

+ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6

User root should be allowed to get access from hosts which own the IPv4 addresses. This does not mean that the connection have to be a IPv4 one, a IPv6 connection from a host with one of this IPv4 addresses does work, too.

+ : root : 192.168.200.1 192.168.200.4 192.168.200.9

User root should get access from network 192.168.201., where the term will be evaluated by string matching. But it might be better to use network/netmask instead. The same meaning as 192.168.201. has 192.168.201.0/24 or 192.168.201.0/255.255.255.0.

+ : root : 192.168.201.

User root should be able to have access from hosts foo1.bar.org and foo2.bar.org (uses string matching also).

+ : root : foo1.bar.org foo2.bar.org

User root should be able to have access from domain foo.bar.org (uses string matching also).

+ : root : .foo.bar.org

User root should be denied to get access from all other sources.

- : root : ALL

User foo and members of netgroup admins should be allowed to get access from all sources. This will only work if netgroup service is available.

+ : @admins foo : ALL

User john and foo should get access from IPv6 host address.

+ : john foo : 2001:4ca0:0:101::1

User john should get access from IPv6 net/mask.

All other users should be denied to get access from all sources.

- : ALL : ALL

AUTHORS

The original login.access(5) manual was provided by Guido van Rooij; it was renamed to access.conf(5) to reflect its relation to the default config file.

The network address / netmask description and example text were introduced by Mike Becher.

access.conf(5) — Linux man page

access.conf — the login access control table file

Description

The /etc/security/access.conf file specifies (user/group, host), (user/group, network/netmask) or (user/group, tty) combinations for which a login will be either accepted or refused.

When someone logs in, the file access.conf is scanned for the first entry that matches the (user/group, host) or (user/group, network/netmask) combination, or, in case of non-networked logins, the first entry that matches the (user/group, tty) combination. The permissions field of that table entry determines whether the login will be accepted or refused.

Each line of the login access control table has three fields separated by a «:» character (colon):

The first field, the permission field, can be either a «+» character (plus) for access granted or a «-» character (minus) for access denied.

The second field, the users/group field, should be a list of one or more login names, group names, or ALL (which always matches). To differentiate user entries from group entries, group entries should be written with brackets, e.g. (group).

The third field, the origins field, should be a list of one or more tty names (for non-networked logins), host names, domain names (begin with «.»), host addresses, internet network numbers (end with «.»), internet network addresses with network mask (where the network mask can be a decimal number or an internet address also), ALL (which always matches) or LOCAL. The LOCAL keyword matches if and only if PAM_RHOST is not set and the field is thus set from PAM_TTY or PAM_SERVICE. If supported by the system you can use @netgroupname in host or user patterns. The @@netgroupname syntax is supported in the user pattern only; it causes the local system hostname to be passed to the netgroup match call in addition to the user name. This might not work correctly on some libc implementations, causing the match to always fail.

The EXCEPT operator makes it possible to write very compact rules.

If the nodefgroup is not set, the group file is searched when a name does not match that of the logged-in user. Only groups are matched in which users are explicitly listed. However the PAM module does not look at the primary group id of a user.

The «#» character at start of line (no space at front) can be used to mark this line as a comment line.

Examples

These are some example lines which might be specified in /etc/security/access.conf.

User root should be allowed to get access via cron, X11 terminal :0, tty1, ..., tty5, tty6.

+ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6

User root should be allowed to get access from hosts which own the IPv4 addresses. This does not mean that the connection have to be a IPv4 one, a IPv6 connection from a host with one of this IPv4 addresses does work, too.

+ : root : 192.168.200.1 192.168.200.4 192.168.200.9

User root should get access from network 192.168.201., where the term will be evaluated by string matching. But it might be better to use network/netmask instead. The same meaning as 192.168.201. has 192.168.201.0/24 or 192.168.201.0/255.255.255.0.

+ : root : 192.168.201.

User root should be able to have access from hosts foo1.bar.org and foo2.bar.org (uses string matching also).

+ : root : foo1.bar.org foo2.bar.org

User root should be able to have access from domain foo.bar.org (uses string matching also).

+ : root : .foo.bar.org

User root should be denied to get access from all other sources.

- : root : ALL

User foo and members of netgroup admins should be allowed to get access from all sources. This will only work if netgroup service is available.

+ : @admins foo : ALL

User john and foo should get access from IPv6 host address.

+ : john foo : 2001:db8:0:101::1

User john should get access from IPv6 net/mask.

Disallow console logins to all but the shutdown and sync accounts and all other accounts which are members of the wheel group.

-:ALL EXCEPT (wheel) shutdown sync:LOCAL

All other users should be denied to get access from all sources.

- : ALL : ALL
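The matching rules in the Description (first matching entry wins, three colon-separated fields, EXCEPT lists, domain and network patterns, LOCAL only for non-networked logins, group lookup for bare names) are easy to get wrong when auditing a real /etc/security/access.conf, so here is an added Python model of them that is not part of the man page or of pam_access itself. The sample file is constructed from the example lines above; the two lines the page describes only in prose (root from 192.168.201.0/24, all other users denied) are written out as an assumption, and the group and netgroup tables are stand-ins for /etc/group and the netgroup service.

```python
import ipaddress

# Constructed access.conf modelled on the man page's example lines (not a
# real host's file). The network and catch-all lines are an assumption written
# out from the prose descriptions above.
ACCESS_CONF = """\
# comment lines start with '#' in column one
+ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
+ : root : 192.168.201.0/255.255.255.0
+ : root : foo1.bar.org foo2.bar.org
+ : root : .foo.bar.org
- : root : ALL
+ : @admins foo : ALL
+ : john foo : 2001:db8:0:101::1
-:ALL EXCEPT (wheel) shutdown sync:LOCAL
- : ALL : ALL
"""

# Constructed stand-ins for /etc/group and the netgroup service.
GROUPS = {"wheel": {"alice"}, "ops": {"bob"}}
NETGROUPS = {"admins": {"carol"}}


def parse_access_conf(text):
    """Split each non-comment line into (permission, users, origins).

    Only the first two colons separate fields, so origins such as the X11
    display ':0' or an IPv6 address keep their own colons.
    """
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users, origins))
    return rules


def _user_matches(token, user):
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):   # explicit (group)
        return user in GROUPS.get(token[1:-1], set())
    if token.startswith("@"):                            # user netgroup
        return user in NETGROUPS.get(token[1:], set())
    if token == user:
        return True
    # nodefgroup unset: a bare name that is not the user is tried as a group
    return user in GROUPS.get(token, set())


def _origin_matches(token, origin, networked):
    if token == "ALL":
        return True
    if token == "LOCAL":                  # only when PAM_RHOST is unset
        return not networked
    if not networked:                     # tty or service name, exact match
        return token == origin
    if token.startswith("."):             # domain name: suffix match
        return origin.endswith(token)
    if token.endswith("."):               # network number: prefix match
        return origin.startswith(token)
    if "/" in token:                      # network/netmask (bits or dotted)
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(token, strict=False)
        except ValueError:                # origin is a host name, not an address
            return False
    return token == origin                # host name or address, exact match


def _field_matches(field, value, match):
    """'a b EXCEPT c d': any of the includes and none of the excludes."""
    includes, _, excludes = field.partition(" EXCEPT ")
    return (any(match(tok, value) for tok in includes.split())
            and not any(match(tok, value) for tok in excludes.split()))


def decide(user, rhost=None, tty=None, rules=None):
    """Return (allowed, index of the deciding entry or None).

    The first matching entry decides; pam_access grants access if no entry
    matches, which is why the examples end with a catch-all deny line.
    """
    rules = parse_access_conf(ACCESS_CONF) if rules is None else rules
    networked = rhost is not None
    origin = rhost if networked else tty
    for idx, (perm, users, origins) in enumerate(rules):
        if (_field_matches(users, user, _user_matches)
                and _field_matches(origins, origin,
                                   lambda t, o: _origin_matches(t, o, networked))):
            return perm == "+", idx
    return True, None


def check_access(user, rhost=None, tty=None, rules=None):
    return decide(user, rhost, tty, rules)[0]
```

Note what the model shows about ordering: with the lines in the order the man page lists them, a wheel member at the console is excluded from the LOCAL deny line but then caught by the final `- : ALL : ALL`, so an explicit `+ : (wheel) : LOCAL` would have to precede the catch-all to actually admit them.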

Authors

The original login.access(5) manual was provided by Guido van Rooij; it was renamed to access.conf(5) to reflect its relation to the default config file.

The network address / netmask description and example text were introduced by Mike Becher.

Deploying DirectAccess on Windows Server 2012 R2

In this article we describe step by step the procedure for deploying the Direct Access remote access service on the newest Microsoft server platform, Windows Server 2012 R2. Generally speaking, the Direct Access service supports several deployment scenarios; we will try to cover the most common scenario for setting up a DirectAccess service.

Before we start, a brief reminder of what the DirectAccess service is. The DirectAccess component was first introduced by Microsoft in Windows Server 2008 R2 and was intended to give remote computers transparent access to the company’s internal network resources. When connected via DA, the user can make full use of corporate and domain services, and IT support staff can manage such a computer and keep it in an up-to-date state from a security point of view. In essence, DirectAccess is in many ways similar to a traditional VPN connection to the corporate network. Let’s look at the main differences between DirectAccess and VPN:

  • To establish a connection via DirectAccess the user does not need to launch a VPN client; the connection is made automatically as soon as Internet access is available
  • To set up the connection between the DA client and the server, only port 443 needs to be opened
  • The user’s computer must be a member of the AD domain, which means all domain group policies apply to it (there are of course tricks that allow a VPN to be started before logging in to Windows, but in practice this is almost never done)
  • The communication channel between the remote PC and the corporate gateway is encrypted with strong algorithms using IPsec
  • Two-factor authentication can be set up using a one-time password system

What are the main differences between the DirectAccess version in Windows Server 2012 / 2012 R2 and the Windows 2008 R2 version? The main difference is reduced requirements on the surrounding infrastructure. For example:

  • The DirectAccess server no longer has to be an edge server; it can now sit behind NAT.
  • If Windows 8 Enterprise is used for the remote clients, deploying an internal PKI infrastructure is not required (client authentication is handled by a Kerberos proxy located on the DA server)
  • IPv6 in the organization’s internal network is no longer required
  • Support for OTP (One Time Password) and NAP (Network Access Protection) without the need to deploy UAG

Requirements and infrastructure needed to deploy DirectAccess on Windows Server 2012 R2

  • An Active Directory domain and domain administrator rights
  • A dedicated (recommended) DA server running Windows Server 2012 R2, joined to the Windows domain. The server has 2 network adapters: one in the internal corporate network, the other in the DMZ network
  • A dedicated DMZ subnet
  • An external DNS name (real or via DynDNS) or an IP address reachable from the Internet, to which DirectAccess clients will connect
  • Forwarding of traffic on TCP port 443 to the DA server’s address must be configured
  • A deployed PKI infrastructure for issuing certificates. The Web Server certificate template must be published in the certificate authority with automatic enrollment (auto-enrollment) permitted. (If only Windows 8 clients will be used, PKI is not required.)
  • Clients can be computers running Windows 7 and Windows 8.x Professional / Enterprise editions
  • An AD group containing the computers that are allowed to connect to the network via Direct Access (let’s say this group is called DirectAccessComputers)

Installing the Remote Access role

Launch the Server Manager console and use the Add Roles and Features wizard to install the Remote Access role.

Within the Remote Access role, install the DirectAccess and VPN (RAS) role service.

Leave all other dependencies at their defaults.

Настройка службы Direct Access в Windows Server 2012 R2

После окончания установки службы Remote Access, откройте оснастку Tools -> Remote Access Management.

Запустится мастер настройки роли удаленного доступа. Укажем, что нам нужно установить только роль DA — Deploy DirectAccess only.

После этого должно открыться окно, в правой половине которого в графическом виде показаны четыре этапа (Step 1 – 4) настройки службы DA.

Первый этап (Step 1: Remote Clients).

Укажем, что мы разворачиваем полноценный DirectAccess сервер с возможностью доступа клиентов и их удаленного управления Deploy full DirectAccess for client access and remote management.

Далее, нажав кнопкуAdd нужно указать группы безопасности AD, в которой будут находиться учетные записи компьютеров, которым разрешено подключаться к корпоративной сети через Direct Access (в нашем примере это группа DirectAccessComputers).

Следующий шаг – нужно указать список внутренних сетевых имен или URL-адресов, с помощью которых клиент может проверить (Ping или HTTP запрос), что он подключен к корпоративной сети. Здесь же можно указать контактный email службы helpdesk и наименование подключения DirectAccess (так оно будет отображаться в сетевых подключениях на клиенте). В случае необходимости можно включить опцию Allow DirectAccess clients to use local name resolution, позволяющую разрешить клиенту использовать внутренние DNS-сервера компании (адреса DNS серверов могут получаться по DHCP).

Stage two (Step 2: Remote Access Server)

The next step is configuring the Remote Access server. Specify that our remote access server is a two-network-adapter configuration, Behind an edge device (with two network adapters), where one adapter is in the corporate network and the other is connected directly to the Internet or to a DMZ subnet. Here you also specify the external DNS name or Internet IP address (the one from which port 443 is forwarded to the external interface of the DirectAccess server) that DA clients will connect to.

Then specify which network adapter is considered internal (Internal – LAN) and which is external (External – DMZ).

For now, minimize the DirectAccess server configuration wizard and generate the DA server certificate. To do this, create a new MMC console and add the Certificates snap-in for managing the local computer's certificates (Computer Account).

In the certificate management console, request a new personal certificate by right-clicking Certificates (Local Computer) -> Personal -> Certificates and selecting All Tasks -> Request New Certificate from the menu.

Request the certificate through the Active Directory Enrollment Policy. We are interested in a certificate based on the WebServers template.

In the new certificate request settings, fill in the fields identifying our company on the Subject tab, and on the Private Key tab specify that the certificate's private key can be exported (Make private key exportable).

Save the changes and request the new certificate from the CA.

Return to the DirectAccess server settings window, click the Browse button and select the generated certificate.

In the next wizard step, choose the authentication method for DirectAccess clients. Specify that AD username/password authentication is used (Active Directory credentials – username/password). Tick the Use computer certificates checkbox and Use an intermediate certificate. Click the Browse button and specify the certification authority that will be responsible for issuing client certificates.

Stage three (Step 3: Infrastructure Servers)

The third stage is configuring the infrastructure servers. We will be asked to specify the address of the Network Location Server located inside the corporate network. The Network Location Server is a server the client uses to determine that it is on the organization's internal network, i.e. that DA is not needed to connect. The NLS server can be any internal web server (even one with the default IIS page); the main requirement is that the NLS server must not be reachable from outside the corporate network.

Next, specify the list of DNS servers for client name resolution. It is recommended to leave the option Use local name resolution if the name does not exist in DNS or DNS servers are unreachable when the client computer is on a private network (recommended).

Then specify the DNS suffixes of the internal domains in order of priority.

We won't specify anything in the Management settings window.

Stage four (Step 4: Application Servers)

The application server configuration stage. Here you can configure additional authentication and traffic encryption between internal application servers and DA clients. We don't need this, so leave the option Do not extend authentication to application servers.

This completes the Remote Access role configuration wizard; all that remains is to save the changes.

Once finished, the wizard creates two new group policies, DirectAccess Client Settings and DirectAccess Server Settings, linked to the root of the domain. You can leave them there or re-link them to the required OU.
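The same four wizard stages can be scripted with the RemoteAccess module. This is an added example, not part of the original article; it assumes a domain corp.local, the public name da.example.com (placeholder), an NLS at https://nls.corp.local, adapters named LAN and DMZ, an internal CA named Corp-CA and an internal DNS server 10.0.0.10.

```powershell
# Added example (not from the original article): DirectAccess deployment via PowerShell.
# All names below are assumptions for this example; replace them with your own values.

# Server Manager step: Remote Access role with the DirectAccess and VPN (RAS) role service
Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools

# Step 2: full DirectAccess, server behind an edge device with two adapters.
# ConnectToAddress is the public name the edge device forwards TCP/443 to.
Install-RemoteAccess -DAInstallType FullInstall `
    -ConnectToAddress 'da.example.com' `
    -InternalInterface 'LAN' `
    -InternetInterface 'DMZ' `
    -NlsUrl 'https://nls.corp.local' `
    -ClientGpoName 'corp.local\DirectAccess Client Settings' `
    -ServerGpoName 'corp.local\DirectAccess Server Settings'

# Step 1: only computer accounts in DirectAccessComputers may connect
Add-DAClient -SecurityGroupNameList 'corp\DirectAccessComputers'

# Step 2, authentication: AD username/password plus computer certificates
# issued by the internal CA (its root certificate must be in the machine Root store)
$caRoot = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*CN=Corp-CA*' } |
    Select-Object -First 1
Set-DAServer -UserAuthentication UserPasswd -IPsecRootCertificate $caRoot

# Step 3: internal DNS suffix and DNS server pushed to clients through the NRPT
Set-DAClientDnsConfiguration -DnsSuffix 'corp.local' -DnsIPAddress '10.0.0.10'

# Verify the resulting configuration before adding computers to the group
Get-DAServer | Format-List ConnectToAddress, UserAuthentication, ComputerCertAuthentication
Get-DAClient
```

Step 4 needs no command here because "Do not extend authentication to application servers" is the default behaviour the article keeps.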

Testing DirectAccess on a Windows 8 client

To test DirectAccess from a client, add this computer (remember, it must be a PC running Windows 8.x Enterprise) to the DirectAccessComputers group and update group policy on it (gpupdate /force).

Disconnect the test machine from the corporate network and connect to the Internet via Wi-Fi. The system automatically connects to the corporate network through DirectAccess, as indicated by the Connected status of the Workplace Connection icon (the name we gave our connection when configuring the server) in the list of networks.

You can verify that the network connection is via DirectAccess with the following PowerShell command:

If it returns ConnectedRemotely, then the DA connection to the corporate network
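A client-side check that goes a little beyond the single status command: it reads the DA connection status, confirms that the NLS is not reachable from the remote network (if it were, the client would assume it is inside and never bring up the tunnel), and checks NRPT name resolution and IPsec tunnels. This is an added example, not from the original article; the NLS URL https://nls.corp.local and the internal host intranet.corp.local are assumptions.

```powershell
# Added example (not from the original article): DirectAccess client diagnostics
# for a Windows 8.x Enterprise client that is currently outside the corporate network.
Import-Module DirectAccessClientComponents   # provides Get-DAConnectionStatus

function Test-DirectAccessClient {
    param(
        [string]$NlsUrl       = 'https://nls.corp.local',   # assumed NLS URL
        [string]$InternalHost = 'intranet.corp.local'       # assumed internal name
    )
    $result = [ordered]@{}

    # Status is ConnectedLocally, ConnectedRemotely or Error; Substatus gives the reason
    $da = Get-DAConnectionStatus
    $result.Status    = $da.Status
    $result.Substatus = $da.Substatus

    # From outside the corporate network the NLS must NOT answer. If it does, the
    # client classifies itself as inside and DirectAccess stays off (the article's
    # requirement that the NLS be unreachable from outside).
    try {
        Invoke-WebRequest -Uri $NlsUrl -UseBasicParsing -TimeoutSec 5 | Out-Null
        $result.NlsReachableFromOutside = $true
    } catch {
        $result.NlsReachableFromOutside = $false
    }

    # NRPT rules delivered by the DirectAccess Client Settings GPO
    $result.NrptRules = @(Get-DnsClientNrptPolicy).Count

    # Internal names should resolve through the corporate DNS over the tunnel
    $result.InternalNameResolves =
        [bool](Resolve-DnsName -Name $InternalHost -ErrorAction SilentlyContinue)

    # Established IPsec main-mode SAs indicate the infrastructure/intranet tunnels are up
    $result.IPsecMainModeSAs = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue).Count

    [pscustomobject]$result
}

Test-DirectAccessClient
```

A healthy remote client shows Status ConnectedRemotely, NlsReachableFromOutside False, at least one NRPT rule and a non-zero IPsec SA count; NlsReachableFromOutside True means the NLS is exposed and the client will never switch to DA.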
