eBox Platform: unified server for SMEs

Presentation

eBox Platform (<http://ebox-platform.com/>) is a unified network server that offers easy and efficient computer network management for small and medium enterprises (SMEs). eBox Platform can act as a Network Gateway, a Unified Threat Manager (UTM) [1], an Office Server, an Infrastructure Manager, a Unified Communications Server or a combination of them. This manual is written for the 1.4 version of eBox Platform.

[1]UTM (Unified Threat Management): Term that groups a series of functionalities related to computer network security: firewall, intrusion detection, antivirus, etc.

All these functionalities are fully integrated and therefore automate most tasks, prevent manual errors and save time for system administrators. This wide range of network services is managed through an easy and intuitive web interface. As eBox Platform has a modular design, you can install on each server only the necessary modules and easily extend the functionality according to your needs. Besides, eBox Platform is released under a free software license (GPL) [2]. The main features are:

  • Unified and efficient management of the services:
    • Task automation.
    • Service integration.
  • Easy and intuitive interface.
  • Extensible and adaptable to specific needs.
  • Hardware independent.
  • Open source software.

[2]GPL (GNU General Public License): Software license that allows free redistribution, adaptation, use and creation of derivative works with the same license.

The services currently offered are:

  • Network management:
    • Firewall and router
      • Traffic filtering
      • NAT and port redirection
      • Virtual local networks (VLAN 802.1Q)
      • Support for multiple gateways, load balancing and self-adaptation in case of loss of connectivity
      • Traffic shaping (with application-level filtering support)
      • Traffic monitoring
      • Dynamic DNS support
    • High-level network objects and services
    • Network infrastructure
      • DHCP server
      • DNS server
      • NTP server
    • Virtual private networks (VPN)
      • Dynamic auto-configuration of network paths
    • HTTP proxy
      • Cache
      • User authentication
      • Content filtering (with categorized lists)
      • Transparent antivirus
    • Mail server
      • Spam filtering and antivirus
      • Transparent POP3 filter
      • White-, black- and grey-listing
    • Web server
      • Virtual domains
    • Intrusion Detection System (IDS)
    • Certification Authority
  • Groupware:
    • Shared directory using LDAP (Windows/Linux/Mac)
      • Shared authentication (including Windows PDC)
    • Shared storage as NAS (Network-attached storage)
    • Shared printers
    • Groupware server: calendars, address books, ...
    • VoIP server
      • Voicemail
      • Meetings
      • Calls through outside vendor
    • Instant messaging server (Jabber/XMPP)
      • Meetings
    • User corner to allow users to modify their data
  • Reports and monitoring
    • Dashboard to centralize the information
    • Disk, memory, load, temperature and host CPU monitoring
    • Software RAID status and information regarding the hard drive use
    • Network service logs in databases, allowing you to have daily, weekly, monthly and annual reports
    • Event-based system monitoring
      • Notification via Jabber, mail and RSS
  • Host management:
    • Configuration and data backup
    • Updates
    • Control Center to easily administer and monitor multiple eBox hosts from one central point [3]

[3]For additional information regarding the Control Center, please visit the website of the company behind eBox Platform development: http://www.ebox-technologies.com/products/controlcenter/

Installation

In principle, eBox Platform is designed to be installed exclusively on one (real or virtual) machine. This does not prevent you from installing other unmanaged services, but these must be manually configured.

eBox Platform runs on the GNU/Linux operating system with the Long Term Support (LTS) [5] release of the Ubuntu Server Edition distribution [4]. The installation can be done in two different ways:

  • Using the eBox Platform Installer (recommended).
  • Installing from an existing Ubuntu Server Edition installation.

[4]Ubuntu is a GNU/Linux distribution developed by Canonical and the community oriented to laptops, desktops and servers <http://www.ubuntu.com/>.
[5]You get longer support than on the normal version. With the LTS version you get 5 years of support on the server.

In the second case, you need to add the official eBox Platform repositories and to install the packages you are interested in.

Nevertheless, the first option is easier since all the dependencies are on a single CD. Moreover, some pre-configuration is made during the installation process.

eBox Platform installer

The eBox Platform installer is based on the Ubuntu installer and therefore those who are already familiar with it will find the installation process very similar.

Installer language select

You can install using the default mode, which deletes all disk content, creates the partitions needed by eBox using LVM and asks fewer questions, or using the expert mode, which allows you to make your own partitioning. Most people should choose the default option unless they are installing on a server with special requirements, for instance software RAID.

Installer menu

After installing the base system and rebooting, you can start installing eBox Platform. The first step will be to create a user on the system. This user will be able to log in to the system and will have sudo privileges.

Administration user

Then, you will be asked for a password for the user you just created. This password will be used to log in to the eBox interface too.

Administration password

You have to enter this password twice.

Confirm administration password

Now it is time to select which features you want to include on your system. There are two methods for this selection:

Package selection method

Simple:
Depending on the task the server will be dedicated to, you can install a set of packages that provides several features.
Advanced:
You can select the packages individually. If a package has dependencies on other packages, these will be automatically selected later.

If you select the simple installation method, you get a list of available profiles. As shown in the figure eBox tasks to install, the mentioned list matches the following paragraphs of this manual.

eBox tasks to install

eBox Gateway:
eBox is the local network gateway that provides secure and controlled Internet access.
eBox Unified Threat Manager:
eBox protects the local network against external attacks, intrusions, internal security threats and enables secure interconnection between local networks via Internet or via other external networks.
eBox Infrastructure:
eBox manages the local network infrastructure including the following basic services: DHCP, DNS, NTP, HTTP server, etc.
eBox Office:
eBox is an office server that allows sharing the following resources through the local network: files, printers, calendars, contacts, authentication, users and groups profiles, etc.
eBox Unified Communications:
eBox becomes the unified communications server of your organization, including mail, instant messaging and voice over IP.

You can select several profiles to make eBox play different roles in your network.

However, if you select the advanced installation method, you get the complete list of eBox Platform modules and you can select individually the modules you are interested in.

eBox packages to install

Once you have completed the selection, the necessary additional packages will be installed. This selection is not final and you can install and remove packages according to your needs later.

After you have selected the components to install, the installation process will begin and you will be shown a progress bar with the installation status.

Installing eBox packages

The installer will try to preconfigure some important configuration parameters. First, you will have to select the type of server for the Users and Groups mode. If you have just one server, choose standalone. If you are deploying a master-slave infrastructure or want to synchronize the users with a Microsoft Windows Active Directory, choose advanced. This step will appear only if the usersandgroups module is installed.

Type of the server

Also, it will ask whether any of the network interfaces attached to the host are external (not within the local network, used to connect to the Internet or other external networks). Strict policies will be applied to all incoming traffic through external network interfaces. This step will appear only if the network module was installed and the server has more than one network interface.

Select external interfaces

After that, you will do the mail configuration, defining the default virtual domain. This step will appear only if mail is installed.

Mail configuration

Once you have answered these questions, every module you installed will be preconfigured and ready to be used via the web interface.

Preconfiguring eBox packages

Once the eBox Platform installation process is completed, you get a graphical interface with a browser to authenticate in the eBox web interface using the password given in the first steps of the installer.

eBox administration web interface

Administration web interface

Once you have installed eBox Platform, you can access the administration web interface at the following URL:

https://network_address/ebox/

Here network_address is the IP address or a host name that resolves to the address where eBox is running.

Warning

To access the web interface you should use Mozilla Firefox, as there are some known issues with other browsers such as Microsoft Internet Explorer.

The first screen will ask for the administrator password:

Login to the interface

After authentication you get the administration interface that is divided into three main sections:

Main screen

Left side menu:

Contains links to all services, separated by categories, that can be configured using eBox. When you select a service, you might get a submenu to configure specific details of the selected service.

Left side menu

Top menu:

Contains actions to save the changes made to the content, make the changes effective and close the session.

Top menu

Main content:

The main content is composed of one or several forms or tables with information about the service configuration and depends on the selection made in the left side menu and submenus. Sometimes you will get a tab bar at the top of the page: each tab represents a different subsection within the section you have accessed.

Web User Interface configuration forms

Dashboard

The dashboard is the initial screen of the web interface. It contains a number of configurable widgets. You can reorganize them at any moment simply by clicking and dragging the titles.

Dashboard

By clicking on Configure Widgets the interface changes, allowing you to remove and add new widgets. To add a new widget, you search for it in the top menu and drag it to the main part of the page.

Dashboard configuration

Module status

There is a very important widget within the dashboard which shows the status of all modules installed in eBox.

Module status widget

The figure depicts the current status of a service and the action to apply to it. The available statuses are the following:

Running:
The service daemons are running to accept connections from the network clients. You can restart the service using Restart.
Running unmanaged:
If you haven’t configured the service yet, it is possible to find it running with the default configuration from the distribution. Therefore it is not managed by eBox yet.
Stopped:
A problem has occurred: the service should be running but it is stopped. To find out why, check the log files for the service or the eBox log file itself, as described in the section How does eBox Platform work?. You may try to start the service by clicking on Start.
Disabled:
The service has been disabled explicitly by the system administrator, as explained in Modules status configuration.

Applying configuration changes

An important detail to take into account is the method eBox uses to apply the configuration changes made through the interface. First of all, you have to accept changes in the current form, but, once this is done, to make these changes effective and apply them on a permanent basis, you must click on Save Changes from the top menu. This button will change to red if there are unsaved changes. Failure to follow this procedure will result in the loss of all changes you have made throughout the session once you log out. There are some special cases when you don’t need to save the changes, but in these cases you will receive a notification.

Save changes

In addition to this, you can revert your changes. Hence, if you have changed something that you do not remember or that you are unsure about, you can always discard the changes safely. Take into account that if you have changed the network interface configuration or the eBox web administration port, you may lose your current connection to eBox, so you must re-enter the URL in the browser to reach the administration interface again.

Modules status configuration

As discussed above, eBox is built up of modules. The majority of the modules are intended to manage network services, which you must enable through Module Status.

Module status configuration

Each module may have dependencies on others to work. For instance, the DHCP service needs to have the network module enabled so that it can serve IP address leases through the configured network interfaces. These dependencies are shown in the Depends column.

Enabling a module for the first time is called, in eBox jargon, configuring the module. Configuration is done once per module. By clicking on the Status checkbox, you enable the module. If it is the first time, a dialog asks you to accept the set of actions and file modifications that enabling the service implies [6]. After that, you may save changes to apply these modifications. Likewise, you may disable a module by unchecking the Status column for this module.

Confirm dialog to configure a module

[6]This process is mandatory to comply with the Debian Policy http://www.debian.org/doc/debian-policy/

How does eBox Platform work?

eBox Platform is not just a simple web interface to manage the most common network services [7]. One of the main goals of eBox Platform is to unify a set of network services that otherwise would work independently.

[7]In order to understand the magnitude of the project, you can visit the independent site ohloh.net, where you can find an extensive analysis of the eBox Platform code base <http://www.ohloh.net/p/ebox/analyses/latest>.

Integration of eBox Platform

All configuration of individual services is handled automatically by eBox. To do this eBox uses a template system. This automation prevents manual errors and saves administrators from having to know the details of each configuration file format. As eBox manages these configuration files automatically, you must not edit the original files, as these will be overwritten as soon as you save any configuration changes.

Reports of events and possible errors of eBox are stored in the directory /var/log/ebox/ and are divided in the following files:

/var/log/ebox/ebox.log:
Errors related to eBox Platform.
/var/log/ebox/error.log:
Errors related to the web server.
/var/log/ebox/access.log:
Every access to the web server.

If you want more information about an error that has occurred, you can enable the debugging mode by selecting the debug option in the /etc/ebox/99ebox.conf file. Once you have enabled this option, you should restart the web server of the interface by using sudo /etc/init.d/ebox apache restart.

Location within the network

Local network configuration

eBox Platform can be used in two different ways:

  • Router and filter of the Internet connection.
  • Server of different network services.

Both functionalities can be combined in a single host or divided among several hosts.

The figure Different locations within the network displays the different locations eBox Platform server can take in the network, either as a link between networks or a server within the network.

Different locations within the network

Throughout this documentation you will find out how to configure eBox Platform as a router and gateway. You will also learn how to configure eBox Platform in the case it acts as just another server within the network.

Network configuration with eBox Platform

If you place a server within a network, you will most likely be assigned an IP address via DHCP protocol. Through Network ‣ Interfaces you can access each network card detected by the system and you can select between a static configuration (address configured manually), dynamic configuration (address configured via DHCP) or a Trunk 802.1Q to create VLANs.

Network interface configuration

If you configure a static interface, you can associate one or more Virtual Interfaces to this real interface to serve additional IP addresses. These can be used to serve different networks or the same network with different addresses.

Static configuration of network interfaces

If you don’t have a router with PPPoE support, eBox can also manage PPPoE connections: select PPPoE as Method and enter the User name and Password given by your DSL provider.

PPPoE configuration of network interfaces

To enable eBox to resolve domain names, you must indicate the address of one or several domain name servers in Network ‣ DNS.

Configuration of DNS servers

If your Internet connection has a dynamic IP address and you want to map a domain name to your eBox, a third party dynamic DNS provider is required. eBox supports the connection to some of the most popular dynamic DNS providers.

To configure dynamic DNS on eBox go to Network ‣ DynDNS and select your service provider and set up the user name, password and the domain name you want to update when your public address changes. Check the box Enable Dynamic DNS and Save changes.

Dynamic DNS configuration

eBox makes a connection to the provider to obtain your public IP address, bypassing any NAT between you and the Internet. If you are using this feature in a multigateway scenario [8], don’t forget to create a rule that makes the connections to your provider always use the same gateway.

[8]Check the Multigateway rules and load balancing section for details.

Network diagnosis

To check if you have configured the network correctly, you can use the tools available in Network ‣ Diagnosis.

Network diagnosis tools

Ping is a tool that uses the ICMP network diagnosis protocol to observe whether a particular remote host is reachable by means of a simple “echo request”.

Ping tool

Additionally, you can use the traceroute tool, which determines the route taken by packets across different networks until they reach a given remote host. Tracing the route the packets follow lets you carry out more advanced diagnosis.

Traceroute tool

Besides, you can use the dig tool, which is used to verify the correct functioning of the name service resolution.

Dig tool

Practical example A

Let’s configure eBox so that it obtains the network configuration via DHCP.

Therefore:

  1. Action: Access the eBox interface, go to Network ‣ Interfaces and, as network interface, select eth0. Then choose the DHCP method. Click on Change.

    Effect:

    You have enabled the button Save Changes and the network interface maintains the entered data.

  2. Action: Go to Module status and enable the Network module. In order to do this, check the box in the Status column.

    Effect:

    eBox asks for permission to overwrite some files.

  3. Action: Read the changes that are going to be made in each modified file and grant eBox the permission to overwrite them.

    Effect: You have enabled the button Save Changes and you can enable some of the modules that depend on Network.

  4. Action: Save the changes.

    Effect:

    eBox displays the progress while the changes are implemented. Once it has finished, you are notified.

    Now eBox manages the network configuration.

  5. Action: Access Network ‣ Diagnosis tools. Ping ebox-platform.com.

    Effect:

    As a result, you are shown three successful connection attempts to the Internet server.

  6. Action: Access Network ‣ Diagnosis tools. Ping the eBox of a fellow classmate.

    Effect:

    As a result, you are shown three successful connection attempts to the host.

  7. Action: Access Network ‣ Diagnosis tools. Run a traceroute to ebox-technologies.com.

    Effect:

    As a result, you are shown a route of all the intermediate routers a packet traverses until it reaches the destination host.

Practical example B

For the rest of the exercises of the manual, it is a good practice to enable the logs.

Therefore:

  1. Action: Access the eBox interface, go to Module status and enable the Logs module. In order to do this, check the box in the Status column.

    Effect:

    eBox asks for permission to carry out a series of actions.

  2. Action: Read the actions that are going to be made and accept them.

    Effect:

    You have enabled the button Save Changes.

  3. Action: Save the changes.

    Effect:

    eBox displays the progress while the changes are implemented. Once it has finished, you are notified.

    Now eBox has enabled the logs. You can check them at Logs ‣ Query logs in the section Logs.