
Network Share for MSL Servers over the internet?


kwbMitel

Technical User
Oct 11, 2005
11,504
CA
Has anyone successfully set up a network share that was accessible from the MSL servers to a remote location?

We have an FTP server at our office for remote backups from the 3300 servers that works perfectly.

I'd like to utilise the same server for the Network Share saves but I can't find anything relevant via Google.

Thoughts?

**********************************************
Any intelligent fool can make things bigger and more complex… It takes a touch of genius – and a lot of courage to move in the opposite direction.
 
I have recently been thinking about this.

It appears the only options for MSL backups are SMB or SFTP.

I have been looking at the SFTP option but have no time to test or try anything out.

I don't believe anyone should open SMB over the internet. (Maybe you could with a restrictive firewall to only allow certain IP addresses)

What type of server are you using? Windows or Linux?
 
Sarond, thanks for your response.

As mentioned, this is for the MSL servers so Linux.

SFTP would be fine but I have no idea how you would invoke that.

 
Sorry I meant what type of server are you using to take the FTP backups.
 
Doh! Of course you did.

I honestly don't know what the OS is. It was designed and delivered for FTP.

 
OK,

I just confirmed this works with another MSL Server. I would think if you have another Linux server that accepts SSH then you could potentially use that as well.
[tt]
IP Address: xx.xx.xx.xx (Address of another MSL Server)
Username: root
Password: <root password>
Domain or Workgroup Name: <blank> (otherwise it will try using SMB)
Sharename: <blank> (Otherwise it will try SMB)
Sub Dir: (can be blank to store in root dir, or set as required. Path should exist)
Number of backups: <whatever you want>[/tt]
 
Sounds easy

I'll try tomorrow and report back.

 
I just confirmed this with a standard linux server as well.

You can create another user to use as your backups, it doesn't have to be 'root'.
I set the subdir as ~/ to store in the users home directory.

You could create a tree in there
[tt]~/mslBackups
|___ Customer1
|___ Customer2
|___ CustomerX
[/tt]
 
Yep, sarond this works as I have tried this as well.

One thing I have been looking into but have not had the time to test or implement would be to chroot the user. Currently, if you connect with an SFTP client, I was able to back out of the home directory and start browsing the SFTP server, which is not good. I don't know Linux all that well so I have to do more research into this.

Anyway, one way as a temp workaround would be to only allow SSH from the MSL public IPs. At least this would limit your exposure at the moment. Locking the user into their own customer folder would be the best way. Or at least locking them into the parent folder, 'mslBackups' in this case, would be a start and probably less of a management headache too. Technically other customers could be browsing the backups of other customers, but if you encrypt the backups with a custom password per customer, then it shouldn't be an issue.

That being said, with R9, does the backup within MSL backup the MiVB database too? Or do we still need to be doing that separately?
 
I can't test just yet as sftp is not currently enabled on the file server.

Very excited to see this work, it will be a huge advancement.

Correct me if I'm wrong, but SFTP uses TCP port 22, which is generally open to the internet for Mitel deployments for license syncs.

 
Yep, SFTP uses the SSH port, TCP 22.
This port needs to be opened outbound to Mitel for AMC license sync, yes. Usually outbound is not an issue though. You don't need to, and I would highly suggest not to, port forward TCP 22 to the MiVB unless you feel it is absolutely necessary. If so, PLEASE be sure to have the necessary security in place for it (good password, IP restriction maybe, etc.). By default SSH access to MiVB is disabled, but if you have enabled it just be aware of that.

Also, if you are going to test this, and depending on what file server you are using, you can sometimes restrict SSH to only allow scp (SFTP) access and NOT SSH shell access. This would be a good idea to do, as would IP restriction. You can do this based on the logged-in user on the end file server/SFTP server. I've been doing my testing on FreeNAS.

 
Hey there TCSI17,

It looks like we share a common heritage. I live in Edmonton. You? (Who knows, we might even know each other.)

Your caution is noted but unnecessary in my case. I generally know my stuff.

Here are my Stats on this forum

[pre]Posts  Replies  Faqs  Votes  Votes Given
  244    8,618     3    491           90[/pre]

 
I'm from Calgary.

Yep, I know you are a long time member of this forum. I guess my response came off like that; not what I meant :) but I said it more for the fact that if anyone in the future reads it that may not be as up to speed as you are on the Mitel, at least it is a caution for them.
 
Howdy neighbour! [cheers]

Yes, I wasn't criticising the content of your note. I was going to mention that but got sidetracked when I noticed you were in Alberta.

 
@Sarond - Success!

I tested with an MSL Server inside our Firewall and it was too easy.

Now we will be investigating inbound. Luckily we can dedicate an IP to this if we need to for security reasons.

 
I just set this up for backups of our service partner accounts:
The network backup uses TCP port 445, the SMB service.
I have a NAS behind our MBG that I just port forwarded through the MBG on 445 to, set up its own AD security and bam!
Can also lock down to the customer IP if they have a static.

Finally, watch out with port 22. Most sites I work with all block inbound, which is required for Mitel licensing.
We never have the customer just open 22, but only allow it from the AMC IP.
 
@AlphaMann I'm not sure I would open up port 445 to the internet. I know if you do lock it down to the customer IP (like you mentioned) that would certainly help with that, but it just doesn't feel right opening up that port.
The Backup in Server Manager will fall back to (or default to, I don't remember) port 22 if regular SMB doesn't go through. I have not wiresharked this to see what MSL is actually doing, but that's how I understand it to work.
How I did it is lock port 22 to the customer IP, forward this through the firewall to an SCP-only jail that I have set up on my NAS.
 