Dear both, my recommendation to this wouldn’t be a port forwarding. Instead I recommend to use a reverse proxy for the access provided to customers. Read this first: http://en.wikipedia.org/wiki/Reverse_proxy Bundled with a virtual IP address we setup very performant OTRS services. Cheers, Nils On 10.12.2010, at 14:21, Gerald Young wrote:

You don't have to fully DMZ it. Just port-forward the web port (80 or 8080->80 or something that makes sense). Note that if you use any port besides 80, you will likely want to change the signature/footer of outbound emails to reflect the port you're opening. You can add an additional Listen directive to the apache config to reflect the new port (requires restart of apache).

"For example, to make the server accept connections on both port 80 and port 8000, use: Listen 80 Listen 8000" You may also need to make specific changes to the config of otrs. Having otrs listen on both ports makes it really easy for you transition so that your internal users won't notice a change in how they connect. However, if you're using an internal name for your otrs server -- usually a LAN will reference by a single servername, not a FQDN -- you'll want to make sure that your otrs server is accessible internally by the FQDN and that the otrs config reflects that FQDN. In my case, I created a CNAME both on my AD DNS server and the external domain dns server: http://support.mydomain.tld would resolve to my external IP address for the world and my internal IP address for my LAN.

On Fri, Dec 10, 2010 at 3:10 AM, Lars Jørgensen wrote: Hi,

If you need to give external customers access to the customer frontend, the first solution that comes to mind is to place a server with the customer frontend in the DMZ and let it talk to the internal database. Is this the best practice and do any configuration guide exist for this?

Lars

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

— Nils Leideck Senior Consultant http://webint.cryptonode.de / a Fractal project

On 10.12.2010, at 14:21, Gerald Young wrote:

...

You don't have to fully DMZ it. Just port-forward the web port (80 or 8080->80 or something that makes sense). Note that if you use any port besides 80, you will likely want to change the signature/footer of outbound emails to reflect the port you're opening. You can add an additional Listen directive to the apache config to reflect the new port (requires restart of apache).

On 10.12.10 20:39, Nils Leideck wrote:

my recommendation to this wouldn’t be a port forwarding. Instead I recommend to use a reverse proxy for the access provided to customers.

Read this first: http://en.wikipedia.org/wiki/Reverse_proxy

Bundled with a virtual IP address we setup very performant OTRS services.

My question is, if you find reverse proxy or forwarding better than another server(s), and why. -- Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. I don't have lysdexia. The Dog wouldn't allow that.

On 15.12.2010, at 11:40, Matus UHLAR - fantomas wrote:

...

My question is, if you find reverse proxy or forwarding better than another server(s), and why.

On 24.12.10 15:12, Nils Leideck wrote:

because maintaining a single server is easier :-)

well, the security could result into maintaining two different servers, if it's more secure. Of course, if it's easy to split customer web interface from the OTRS core. Since OTRS seems to be monolithic (it was reported that it's very hard to build OTRS packages in SW distributions), this may not be true.

Of course, if there is nothing like a reverse proxy yet, you should consider to evaluate both in a more detailed way.

that's what I was curious about, I can only guess by now. -- Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. 42.7 percent of all statistics are made up on the spot.