Help needed with server setup at work
tedm at toybox.placo.com
Wed Apr 25 11:12:24 UTC 2007
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Rico Secada
> Sent: Monday, April 23, 2007 10:48 AM
> To: questions at freebsd.org
> Subject: Help needed with server setup at work
> At work we have a bunch of NFS servers. The servers provide the
> home directories for all the employees' client machines.
> Most of the employees mount their home dirs manually, but some
> are mounted using scripts. Employee John knows he belongs to NFS
> server 1, and employee Britney knows she belongs to NFS server 3
> and so on.
> Now due to new conditions
Without saying what these new conditions are, you aren't giving much
that anyone can give advice on.
> I have to set up a new system from
> which ALL employees are able to mount their home directories from
> their homes (where they live). Since I only have one IP address
> at my disposal, I need to set up some kind of union system in
> which all home directories appear as they live on just one server.
> Besides that I have to figure out what kind of security I need to
> use. I have been thinking about AFS.
> About the union thing I first thought of somehow union mounting
> all the different home directories on a single machine which then
> serves as the access point, but I am afraid if that particular
> machine crashes, then no one can get to their files.
You're going about it in exactly the wrong way and in a very insecure
manner, in my opinion.
If you have a situation going where the building that all these employees
are working in that contains them, their workstations, and their
servers, is going to be vacated, such as a kind of virtual company
scenario, then ASSUMING that the employees ALL have high-speed
connectivity (DSL, Cable, or whatever) of at least a megabit,
then the safest and most trouble-free way of doing it is to have
ALL employees set up with their ISPs to have static IP addresses,
and then put hardware VPN firewalls at each employee's home and
set up dedicated lan2lan VPNs that are permanently up all of the
time. Linksys sells a very nice VPN firewall, the RV042, that is
fantastic for this job. This will allow you to manage all employee
computers just as if they were all in the now-missing building.
This is particularly important as you can install patches, monitor
for intrusion attempts, etc. It also moves the ickiness of the
VPN client software away from the employee's computer, simplifying
that system. At the central hub where all the servers remain, you
can easily set up a firewall that only allows VPNs in from the
designated remote IP addresses.
If however the need is for only periodic access, then investigate
a remote control solution. I would recommend setting up a bastion
host that is on your single public IP address, and a VNC server
on it. Employees can use one of many VNC clients (there's even
one for Palm OS I believe) and go from their homes to the bastion
host, then from the bastion host, xterm to their desktop systems.
Putting a union NFS server up is just asking for trouble, particularly
if you aren't restricting access to it via IP address.
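
Added example, not part of the original message: a pf.conf ruleset for the hub firewall described above, which accepts VPN traffic only from the designated remote IP addresses and leaves NFS unreachable from the Internet. It assumes pf on a FreeBSD hub, IPsec tunnels, an external interface named em0, and peer addresses that are placeholders from the documentation ranges.

```pf
# Constructed example: interface name and peer addresses are placeholders.
ext_if = "em0"                      # assumption: public-facing interface

# Static addresses of the employees' home VPN firewalls
# (placeholders from the RFC 5737 documentation ranges).
table <vpn_peers> persist { 192.0.2.10, 198.51.100.22, 203.0.113.37 }

set skip on lo0

# Default: drop and log everything arriving on the public interface.
# NFS, portmap and mountd are never passed here, so they stay
# reachable only from the LAN and from inside the tunnels.
block in log on $ext_if all

# IPsec from the designated peers only: IKE, NAT-T and ESP.
pass in quick on $ext_if inet proto udp from <vpn_peers> \
    to ($ext_if) port { 500, 4500 } keep state
pass in quick on $ext_if inet proto esp from <vpn_peers> \
    to ($ext_if) keep state

# Outbound traffic from the hub itself.
pass out on $ext_if all keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and update the table with `pfctl -t vpn_peers -T add <address>` when an employee's static address changes.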