Configure Zimbra and Zimbra-Talk for NAT-Environments with 1 Public IP

   KB 23034        Last updated on 09/22/2016  





Incident description

Configure Zimbra and Zimbra-Talk for NAT-Environments with 1 Public IP

Resolution description

Firewall settings

  • Configure the firewall to forward all incoming traffic for Zimbra (in this example ports 80, 443, 7071 and 8443) and for Zimbra-Talk to the Zimbra-Talk server; the Talk server's nginx then proxies the Zimbra traffic to the internal Zimbra host.

Configure the Zimbra-Talk server's nginx to handle Zimbra-related traffic

  • fetch Zimbra's nginx certificate and key file from the Zimbra server:
/opt/zimbra/conf/nginx.key
/opt/zimbra/conf/nginx.crt
  • and copy them to the Talk server's zimbra-talk config directory (keep the private key readable only by root and the nginx user, as on the Zimbra server):
/etc/zimbra-talk/
  • create a new config file that exposes the Zimbra server through the Talk server's nginx (in this example the file is called zimbra):
vi /etc/nginx/sites-enabled/zimbra
  • with this content (Note: replace [zimbra-servername] and [local Zimbra-IP] with your actual values):
    # HTTP Zimbra server: redirect all plain HTTP requests to HTTPS

    server {
        listen 80;
        server_name [zimbra-servername];

        return 301 https://$host$request_uri;
    }

    # HTTPS Zimbra server (web client and SOAP on 443)

    server {
        # "listen ... ssl" replaces the deprecated "ssl on;" directive
        listen 443 ssl;

        server_name [zimbra-servername];

        # Certificate and key copied from the Zimbra server (see above)
        ssl_certificate        /etc/zimbra-talk/nginx.crt;
        ssl_certificate_key    /etc/zimbra-talk/nginx.key;
        ssl_session_timeout    5m;
        # TLSv1 and TLSv1.1 are kept for legacy clients; drop them if none remain
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";

        add_header Strict-Transport-Security "max-age=31536000";

        location / {
            # Proxy to the Zimbra upstream on the internal network
            proxy_pass          https://[local Zimbra-IP];

            # For audit: pass the real client address on to Zimbra
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # For virtual hosting: forward the Host header the client sent
            set $virtual_host $http_host;
            if ($virtual_host = '') {
                set $virtual_host $server_addr:$server_port;
            }
            proxy_set_header Host            $virtual_host;
            proxy_redirect http://$http_host/ https://$http_host/;
        }
    }

    # Zimbra Admin-UI (7071)
    # Note: this makes the admin console reachable through the public IP;
    # restrict it to administrative networks with allow/deny where possible.

    server {
        listen 7071 ssl;

        server_name [zimbra-servername];

        ssl_certificate        /etc/zimbra-talk/nginx.crt;
        ssl_certificate_key    /etc/zimbra-talk/nginx.key;
        ssl_session_timeout    5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";

        add_header Strict-Transport-Security "max-age=31536000";

        location / {
            # Proxy to the Zimbra admin port on the internal network
            proxy_pass          https://[local Zimbra-IP]:7071;

            # For audit
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # For virtual hosting
            set $virtual_host $http_host;
            if ($virtual_host = '') {
                set $virtual_host $server_addr:$server_port;
            }
            proxy_set_header Host            $virtual_host;
            proxy_redirect http://$http_host/ https://$http_host/;
        }
    }

    # Zimbra WSDL interface (8443)

    server {
        listen 8443 ssl;

        server_name [zimbra-servername];

        ssl_certificate        /etc/zimbra-talk/nginx.crt;
        ssl_certificate_key    /etc/zimbra-talk/nginx.key;
        ssl_session_timeout    5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";

        add_header Strict-Transport-Security "max-age=31536000";

        location / {
            # Proxy to the Zimbra WSDL port on the internal network
            proxy_pass          https://[local Zimbra-IP]:8443;

            # For audit
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # For virtual hosting
            set $virtual_host $http_host;
            if ($virtual_host = '') {
                set $virtual_host $server_addr:$server_port;
            }
            proxy_set_header Host            $virtual_host;
            proxy_redirect http://$http_host/ https://$http_host/;
        }
    }

Additional checks

Now check that Zimbra-Talk's LDAP settings point to the Zimbra server's local IP and not to its hostname (the hostname resolves to the public IP, which the firewall now forwards to the Talk server itself):

  • Open talk.defaults.cfg with root privileges:
vi /etc/zimbra-talk/talk.defaults.cfg
  • and check that the parameter LDAPHOST is set to the Zimbra server's IP, not its hostname:
LDAPHOST = [local Zimbra-IP]
  • Check all DOMAIN-vnc_hybrid_authenticator.cfg files in /etc/zimbra-talk/ as well, and replace the Zimbra hostname with its local IP in the LDAP section:
[LDAP]
# The LDAP server domain/IP
Server = [local Zimbra-IP]

Update the configuration and restart the Talk server

  • execute:
sudo /usr/share/ztalk/libexec/update-prosody-conf
  • reboot the Talk server:
sudo reboot
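A scripted form of the nginx and LDAP checks above, added here as an example and not part of the Zimbra wiki article. It runs against constructed sample files that stand in for /etc/zimbra-talk/*.cfg and /etc/nginx/sites-enabled/zimbra; the file names, the sample IP 10.0.0.5 and the domain example.com are assumptions.

```shell
#!/bin/sh
# Added example (not part of the Zimbra wiki article): a scripted form of the
# "Additional checks" above, run here against constructed sample files that
# stand in for /etc/zimbra-talk/*.cfg and /etc/nginx/sites-enabled/zimbra.
# It flags LDAP settings that still use the Zimbra hostname instead of the
# local IP, and lists the ports the nginx site file actually exposes.

# Succeeds when $1 is a dotted-quad IPv4 literal.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the value of the first "KEY = value" line in an INI-style file.
cfg_value() {  # $1=file $2=key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# Print "ok" if the key is an IP literal in every file, else "bad:<file>:<value>".
check_ldap_hosts() {  # $1=key (LDAPHOST or Server), remaining args = files
    key=$1; shift
    for f in "$@"; do
        v=$(cfg_value "$f" "$key")
        if [ -z "$v" ] || ! is_ipv4 "$v"; then echo "bad:$f:$v"; return 0; fi
    done
    echo ok
}

# Print the distinct ports named in "listen" directives, ascending, space separated.
listen_ports() {  # $1=nginx site file
    sed -n 's/^[[:space:]]*listen[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | sort -n | uniq | xargs
}

# Constructed sample files: a correct LDAPHOST, and an authenticator still on the hostname.
tmp=$(mktemp -d)
printf 'LDAPHOST = 10.0.0.5\n' > "$tmp/talk.defaults.cfg"
printf '[LDAP]\n# The LDAP server domain/IP\nServer = zimbra.example.com\n' \
    > "$tmp/example.com-vnc_hybrid_authenticator.cfg"
printf 'server {\n listen 80;\n}\nserver {\n listen 443 ssl;\n}\nserver {\n listen 7071 ssl;\n}\nserver {\n listen 8443 ssl;\n}\n' \
    > "$tmp/zimbra"

check_ldap_hosts LDAPHOST "$tmp/talk.defaults.cfg"              # ok
check_ldap_hosts Server "$tmp"/*-vnc_hybrid_authenticator.cfg   # bad:...:zimbra.example.com
listen_ports "$tmp/zimbra"                                      # 80 443 7071 8443
```

Point the three calls at the real files on the Talk server; every port printed by listen_ports must also be forwarded by the firewall, and any "bad:" line names a file that still needs the hostname replaced.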

Symptoms

Only one Public IP available for Zimbra and Zimbra-Talk server behind NAT

Reasons and prerequisites

Ports 443 and 80 are already used by Zimbra

Verified Against: Zimbra Collaboration Suite 8.7, 8.6 Date Created: 05/08/2016
Article ID: https://wiki.zimbra.com/index.php?title=Zimbra_Talk/Configure_Zimbra_and_Zimbra-Talk_for_NAT-Environments_with_1_Public_IP Date Modified: 09/22/2016
Wiki/KB reviewed by Jorge SME2 Copyeditor Last edit by Jorge de la Cruz