No network adapter available on CentOS 6 VMware installation

Problem

Following a clean installation of CentOS Linux 6 on the VMware platform, the network adatper is detected but not enabled.

Cause

The ifcfg-eth0 configuration file is not set to enable the network adapter on startup.

Resolution

Browse to /etc/sysconfig/networking/devices/

Edit the file ifcfg-eth0 and change value "on boot" from no to yes. Reboot.

Integrating Exchange 2007 Unified Messaging with Asterisk

The Unified Messaging server role of Exchange 2007 offers the ability of integrating your IP PBX with Exchange, so that voicemail messages are delivered directly to the user’s Exchange Inbox.

It should be noted at this stage that SIPtrix already has the ability to deliver voicemail messages to the user’s Inbox as a WAV sound file attachment, however the Exchange UM server offers other functionality over and above voicemail delivery: Outlook Voice Access (OVA) technology enables users to dial into their mailbox from any ordinary telephone and have email messages and calendar entries read back to them. Once dialled in users can also verbally manage their Inbox, with commands such as ‘delete message’ or ‘forward message’.

An auto-attendant can also be configured whereby callers can say the name of the person they wish to speak to, and are directed to that person based on the information held in the Global Address List.

This post will look at how to configure Exchange 2007 Unified Messaging with SIPtrix, the IP-based VoIP PBX developed by Brightpoint. For more information on the SIPtrix product, see the documents on the FTP site:

ftp://ftpaccess:Brightpoint1@ftp.brightpointuk.co.uk/Technical%20Support...

This post was written using a lot of reference to Ryan Newington’s post on the same subject:

http://blog.lithiumblue.com/2007/04/accessing-exchange-2007-unified_6743...

This guide assumes that the Unified Messaging role has been installed on the Exchange Server and that the SIPtrix server has been installed on the same local network and there are no firewall restrictions on the local network.

In addition to the Exchange Server and the SIPtrix server, it will also be necessary to download and install the free, open-source sipX product, available from www.sipfoundry.org

The one thing that SIPtrix is not able to do is handle SIP/TCP translation, so sipX can be used as a translation service. Although sipX is an IP PBX in its own right, it does not have the ability to connect to the PSTN, so we will use SIPtrix as the feature-rich PBX, and sipX as the SIP/TCP translation service. I will look at how to install and configure the sipX server in this post.

Servers

In this example, the internal domain is ‘domain.com’

The Exchange Server is ‘exchange.domain.com’ and has an IP address of 192.168.225.128

The SIPtrix server is ‘siptrix.domain.com’ and has an IP address of 192.168.225.129

The sipX server is ‘sipx.domain.com’ and has an IP address of 192.168.225.130

DNS must be configured correctly on all servers so that all servers resolve correctly to the correct IP address. On my network DNS is running on the Exchange server and A-record entries have been added manually for the siptrix and sipx servers. Both the sipx and siptrix server have the primary nameserver set to the address of the Exchange server.

It is necessary to do this rather than simply adding entries in the hosts file on the Linux servers as SIP behaves oddly in terms of name resolution and unless it can receive a response from a DNS query it doesn’t always work as expected.

Configure Dial Plan

The first step is to plan and configure the dial plan to be used internally within the organisation. In this example, internal user extensions on the SIPtrix system are assigned in the 2xx range. The receptionist extension is number 200.

Extensions configured for Outlook Voice Access are assigned in the 4xx range.

We will configure extension 400 as the extension users dial to access Outlook Voice Access, and extension 499 as the number dialled to access the Auto Attendant.

Outlook Voice Access needs to be configured on the Exchange Server for the 4xx extension range. This can be done either in the Exchange Management Console, or at the command line using the Exchange Management Shell.

To configure the dial plan within the Exchange Management Console, browse to Organisation Configuration --> Unified Messaging. Select the option to create a New UM Dial Plan. The following window will be displayed:

Enter a name for the dialplan, such as Outlook Web Access. Set the number of digits in extension number to 3. Click New to save the new Dial Plan.

Once created, edit the properties of the Dial Plan. Click on the Subscriber Access tab and add 400 as the access number:

Click OK.

To do this at the command line, launch the Exchange Management Shell and issue the following command:

new-UMDialPlan –Name:’Outlook Voice Access’ –NumberOfDigitsInExtension:’3’
 –AccessTelephoneNumbers 400

Configure Gateway

The Exchange Server must now be configured with the details of the Gateway server to use, in this case the sipX server.

To do this within the Exchange Management Console, browse to Organisation Configuration --> Unified Messaging and select the option to create a New UM IP Gateway, the following window will be displayed:

Enter a name for the Gateway and complete the FQDN of the sipX server. Use the FQDN rather than the IP address for the reasons mentioned earlier. Assign the dial plan you created earlier to the new gateway. Click New to save the changes.

To do this at the command line, launch the Exchange Management Shell and issue the following command:

new-UMIPGateway –Name:’sipX’ –Address:’sipx.domain.com’ –UMDialPlan:’Outlook Voice Access’

Configure Auto Attendant

Exchange can now be configured with the details of the Auto Attendant. To do this within the Exchange Management Console, browse to Organisation Configuration --> Unified Messaging. Select the option to create a New UM Auto Attendant, the following window will be displayed:

Enter a name for the Auto Attendant and select the Dial Plan you created earlier.

Add 499 as the extension number used to access the Auto Attendant.

Enable the Auto Attendant and Speech-enable the Auto Attendant.

Click New to save the changes.

To do this at the command line, launch the Exchange Management Shell and issue the following command:

new-UMAutoAttendant –Name:’Outlook Voice Access’ –UMDialPlan:’Outlook Voice 
Access’ –PilotIdentifierList:’499’ –Status:’Enabled’ –SpeechEnabled:$true

The Auto Attendant can now be further configured if required. The receptionist extension can be configured, time conditions can be specified determining when the auto attendant will run, and an address list within the Active Directory can be specified to which callers dialling the Auto Attendant will have access to. To do this within the Exchange Management Console, edit the properties of the Auto Attendant you created earlier. The Times tab allows you to specify when the Attendant will run:

The Features tab allows you to specify more advanced functionality:

To do this at the command line, launch the Exchange Management Shell and issue the following command:

set-UMAutoAttendant –Identity Auto Attendant –AfterHoursTransferToOperatorEnabled $true
 –AllowExtensions $true –BusinessHoursTransferToOperatorEnabled $true –CallSomeoneEnabled $true
 –NameLookupEnabled $true –SendVoiceMsgEnabled $true –OperatorExtension ‘200’ 
–ContactScope GlobalAddressList

Configure UM Server

The Dial Plan now needs to be associated with the UM Server to make it active. Launch the Exchange Management Console and browse to
Server Configuration --> Unified Messaging. Edit the properties of the Server and click on the UM Settings tab:

Allocate the Dial Plan you created earlier to the server.

Click on the System Settings tab, verify that the correct Domain Controller and Global Catalogue Servers are defined:

Click OK.

To do this at the command line, launch the Exchange Management Shell and issue the following command:

set-UMServer –Identity:’exchange.domain.com’ –DialPlans ‘Outlook Voice Access’

Enable Users

Now your users will need to be enabled for Unified Messaging and have an extension number associated with them. To do this within the Exchange Management Console, browse to Recipient Configuration --> Mailbox. Right click on a user and select the option to Enable Unified Messaging, the following window will be displayed:

Select the Dial Plan you created earlier and assign a PIN number to the account. Click Next.

Enter the user’s extension number. Click Next and then Enable to save the changes.

To do this at the command line, launch the Exchange Management Shell and issue the following command:

enable-UMMailbox –Identity:’DOMAIN\User’ -UMMailboxPolicy:’Outlook Voice Access’
  -Extensions 220 –Pin 9876 –PinExpired $false

Installing and configuring the sipX server

Install CentOS 5.x

During the installation, when prompted disable the firewall and SE Liinux. Ensure to set the hostname to the FQDN of the server.

Remember to set the primary nameserver address to that of the Exchange server (or the server on which the DNS service is running)

Set up the yum repository information for the sipX package with the following command:

wget –P /etc/yum.repos.d/ http://sipxecs.sipfoundry.org/pub/sipXecs/sipxecs-stable-centos.repo

Download and install the required sipX packages with the following command:

Yum –y install sipxpbx sipxconfig sipxproxy sipxregistry

Generate an SSL certificate for the server with the following command:

/usr/bin/ssl-cert/gen-ssl-keys.sh

You will be prompted for a number of pieces of information, including your city, state, country, etc. Be sure to complete the domain and FQDN information correctly.

Install the certificate once generated with the following command:

/usr/bin/ssl-cert/install-cert.sh sipx.domain.com

(where sipx.domain.com is the name of the server you entered during the certificate generation process earlier)

Download the XML flle defining the external gateway and mapping rules:

wget –P /etc/sipxpbx/ http://lithiumblue.com/config/external_mappingrules.xml

Once installed, edit the file with the details of your Exchange Server and number ranges:

 

<?xml version="1.0"
encoding="UTF-8"?>

<mappings
xmlns="http://www.sipfoundry.org/sipX/schema/xml/urlmap-00-00">

<hostMatch>

<hostPattern>${SIPXCHANGE_DOMAIN_NAME}</hostPattern>

<hostPattern>${MY_FULL_HOSTNAME}</hostPattern>

<hostPattern>${MY_HOSTNAME}</hostPattern>

<hostPattern>${MY_IP_ADDR}</hostPattern><userMatch>

<!--ExchangeDialRule-->

<userPattern>4xx</userPattern>

<permissionMatch>

<transform>

<host>exchange.domain.com</host>

<urlparams>transport=tcp</urlparams>

<fieldparams>q=0.9</fieldparams>

</transform>

</permissionMatch>

</userMatch>

<userMatch>

<!--ExchangeVoicemailRule-->

<!--Note this is only to handle diversions
for local sipX 3xx extentions-->

<userPattern>3xx</userPattern>

<permissionMatch>

<permission>Voicemail</permission>

<transform>

<user>400</user>

<host>exchange.domain.com</host>

<urlparams>transport=tcp</urlparams>

<headerparams>Diversion=&lt;tel:{digits}&gt;;reason=no-answer;screen=no;privacy=off</headerparams>

<fieldparams>q=0.9</fieldparams>

</transform>

</permissionMatch>

</userMatch>

</hostMatch>

</mappings>

 

The above rules define that calls for 4xx numbers are sent to the Exchange server, and that sipX will communicate with Exchange using SIP/TCP.

There is also a line defining 3xx extensions, these are local sipX extensions and can be used for troubleshooting purposes.

We now need to download and configure the authrules.xml file to tell sipX that it is responsible for routing calls to the 4xx number range. To download the file, type:

wget –P /etc/sipxpbx/ http://lithiumblue.com/config/external_authrules.xml

Once installed, edit the file with the details of your Exchange Server and number range:

 

<?xml version="1.0"
encoding="UTF-8"?>

<mappings
xmlns="http://www.sipfoundry.org/sipX/schema/xml/urlauth-00-00">

<hostMatch>

<!--ExchangeDialRule-->

<hostPattern>exchange.domain.com</hostPattern>

<userMatch>

<userPattern>4xx</userPattern>

<permissionMatch/>

</userMatch>

</hostMatch>

</mappings>

 

We now need to configure sipX to use these 2 configuration files. Edit the file

/etc/sipxpbx/sipxconfig.properties.in

Locate the line starting:

mappingRules.externalRulesFileName=

and add

/etc/sipxpbx/external_mappingrules.xml

so that the line reads

mappingRules.externalRulesFileName=/etc/sipxpbx/external_mappingrules.xml

Add a new line underneath reading:

authRules.externalRulesFileName=/etc/sipxpbx/external_authrules.xml

Save the file. Reboot the server.

Alternatively, if you are not comfortable installing Linux, you can download a preconfigured sipX virtual machine for use with VMWare from here:

http://downloads.voipjots.com/vms/sipX3.0.zip

and edit the above configuration settings.

Once the sipxpbx service has started, browse to the IP address of the sipx server from a web browser, if this is the first time you are connecting, you will be prompted to enter a PIN number for the superadmin account, you may then login as the superadmin account using that PIN.

Hopefully, the following window will be displayed:

Once logged in, we need to add a gateway to allow sipX to talk to the Exchange server.

Select Devices --> Gateways --> Add New Gateway --> SIP Trunk, the following will be displayed:

Enter a name for the Gateway, such as Exchange. Enter the FQDN of the Exchange server in the address field

Click OK.

Add another SIP trunk for the SIPtrix server, again using the FQDN name of the server in the address field.

Now we need to configure the Dial Plan. Select System --> Dial Plans --> Add New Rule --> Custom, the following will be displayed:

Enter a name for the Dial Plan, such as SIPtrixDialPlan and tick the option to Enable it.

In the Prefix field enter 2 followed by ‘And 2 Digits’ (depending on your internal numbering scheme on the SIPtrix server)

Scroll down to the Resulting Call section. Leave the Prefix field blank and select ‘Entire dialled number’ from the Append field.

In the Gateways section, drop down the menu and select SIPtrix as the Gateway to use.

The new Dial Plan will now be listed:

Move the new dial plan to the top of the list.

Click Activate and then OK to apply the configuration changes.

Now select System --> Domain and verify that the FQDN of the sipx server is displayed correctly. If not, set it. This needs to be same address as the one you specified as the UM Gateway on the Exchange server.

The sipx server is now configured. To test our configuration so far we need to create an extension on the sipx server.

Select Users --> Users --> Add User

Enter 300 as the extension number. Complete the First Name, Last Name, PIN and Password fields. Set the password field to something you will remember as you will need it in a moment.

Click OK.

We now need to verify access to the sipx server from a SIP client, preferably X-Lite from CounterPath: http://www.counterpath.com

Create a new SIP account with the following details:

The client will then hopefully register with the sipx server and indicate that it is ‘ready’:

Dial 300, you should see an incoming call on line 2. This indicates that the sipx server is working as far as SIP communications go.

Now dial 400, you should hopefully hear a recorded message saying “Welcome, you are connected to Microsoft Exchange’. This indicates that the route to the Exchange server for the 4xx number range is working and also that Exchange has recognised the request sent to it by the sipx server.

Because you are dialling from extension 300, and this is not assigned to any user, Exchange will ask you for your extension number followed by your PIN.

When set up properly, Exchange will identify that you are calling from a 2xx extension, match that number to a user account and just prompt for a PIN number.

Now dial 499, you should hopefully be directed to the Exchange Auto Attendant and hear a recorded message saying “Welcome to the Microsoft Exchange Auto Attendant. To reach a specific person, just tell me their name”. if you then speak the name of someone in the directory, Exchange will try to call them. As SIPtrix is not yet configured, we cannot test this yet.

Configuring SIPtrix

By default SIPtrix will use its own internal voicemail system, so the first thing to do is configure it to use the Exchange Server for voicemail. To do this, browse to the SIPtrix admin console from a web browser.

Select Tools --> Config Edit --> Extensions.conf

In the text file that is displayed, locate the section starting [macro-exten-vm]

The line above this section should read something along the lines of:

; ARGS: $VMBOX, $EXT

In this example, $VMBOX can be read in the below section as being $ARG1

Locate the line reading

exten => s,8,Macro(vm,${ARG1},${DIALSTATUS})

and comment it out by adding a ; at the front

Beneath the commented out line, add the following 2 lines:

exten => s,8,SIPAddHeader(Diversion: \;reason=no-answer\;screen=no\;privacy=off)

exten => s,8,Dial(SIP/400@sipx.domain.com|30)

Click Update and then Re-Read Configs

Now we need to configure a SIPtrix Trunk. Browse to Setup --> Trunks --> Add SIP Trunk

Leave all settings blank, apart from, enter a name for the Trunk, such as sipX.

In the Peer Details box, enter:

host=sipx.domain.com

type=peer

insecure=invite

context=from-internal

Click Submit and then Apply Changes.

Now we need to add an Outbound Route. Browse to Setup à Outbound Routes

Enter a name for the Route, such as sipXroute

Leave all settings blank, except, from the Trunk Sequence drop-down menu, select the Trunk you created earlier.

In the Dial Patterns box, type in:

4xx

Which tells SIPtrix to use this route for any numbers in the 4xx range.

Click Submit and Apply Changes.

Now create an extension on the SIPtrix server in the range 2xx and enable voicemail. You will be required to enter a password for the voicemail box, but this can be set to anything as it will not be used.

To verify that SIPtrix is working correctly, reconfigure the XLite client to connect to ‘siptrix.domain.com’ using the 2xx extension and password.

Provided that the client registers successfully, now try dialling 400 from SIPtrix and ensure that Exchange recognises that you are dialling from your 2xx extension (for this to work you will need to have defined your 2xx extension within the properties of your AD user account).

When prompted for a PIN, use the PIN code generated for you by the Exchange Server rather than any PIN you may have configured on the SIPtrix server. Your PIN will have been emailed to you automatically when your AD user account was enabled for Unified Messaging. When you log in for the first time you can then change your PIN. You can also change your PIN within the Voice Options page within Exchange 2007 Outlook Web Access.

Once logged in, you can select between Contacts, Calendar and Email folders by saying the word ‘contact’, ‘calendar’ or ‘email’.

Any unread messages in your Inbox will be read back to you – not the entire message, just the subject followed by the first 15 words or so of the beginning of the message body. You can then choose to ‘delete message’ or ‘forward message’ or move onto the ‘next message’ by saying those commands.

I admit I have only played with this feature briefly and was impressed, but did find that if there is any background noise the auto attendant got confused and there was a lot of "I'm sorry I don't understand that command" so I expect it's brilliant if you're in the car with all the windows shut and the radio off, but not so good if you're on a crowded platform!

OpenGoo

OpenGoo (http://www.opengoo.org) is an open source web-based collaboration 'portal', offering users access to Notes, Emails, Contacts, Calendar, Documents, Tasks and Events folders. More information can be found on the OpenGoo web site but for small businesses or even home users or students it is potentially a very nifty tool indeed.
'Workspaces' can be created, which can be private or shared, and users can be assigned permissions to other users' individual folders. It is very similar in functionality to a scaled-down version of Microsoft SharePoint.

The email component provides POP or IMAP access to your existing email infrastructure (this could be a GoogleMail account, or running locally in SquirrelMail or something similar), but can send email using SendMail installed locally.

Installation is quick and easy. The software requires PHP5, so if installing from scratch I would recommend CentOS 5.3 (http://www.centos.org): simply install a base configuration of the server software including the Web and MySQL roles.

The OpenGoo software itself is downloaded as a ZIP file which you can extract and put in the /var/www/html/ directory. Once extracted, make the subfolders writable with a 'chmod' command.

Create a MySQL database and database user for OpenGoo to use.

The installation is done via the web browser, simply browse to http://(opengoo_server)/public/install

Verify that all of the environment checks pass. Then enter the details of the MySQL database:

You're all set.

You will then be prompted to create an administrator account:

Once created, you will then be logged in to the main 'Workplace' as the administrator:

Users, Groups and Workplaces can be created by selecting the 'Administration' link in the top right hand corner.

Users can then create their own contact lists and edit their Calendar, Notes and Tasks folders in much the same way as any other PIM application:

Email accounts can be created quickly and easily by entering the details of the POP or IMAP server as well as the username and password of the email account:

Documents can be created directly in HTML with all the usual formatting tools available:

In short, a very nice tool and definitely worth a look for the Small Office, Home Office environment.

Scalix

In my article on 'Selling Mobile Email' (http://blog.brightpointuk.co.uk/selling-mobile-email) I explained the differences between the different protocols available for email retrieval and how they fit into the remote email marketplace and are supported by the different PDA devices available on the market today.

For those businesses who require remote access to email, but do not require the trappings of 'push' or additional device management features, and don't want to splash out on a 64-bit Exchange 2007 server there are open source solutions available. One of those solutions is Scalix...

Scalix (www.scalix.com) is open source software providing users access to email, contact, calendar and task information and is designed to be a low-cost alternative to Microsoft Exchange.

Running on Linux, supported platforms include:

• Red Hat Enterprise Linux 4 / 5
• Centos 4 / 5
• SuSE Linux Enterprise 9 / 10
• OpenSuSE 11
• Fedora 9

Users can access their email via a web browser using Scalix Web Access, any POP or IMAP client, or (and this is perhaps the key selling point) Microsoft Outlook with the installation of a small plug-in.

Scalix comes in two flavours: Community Edition and Enterprise Edition. The Community Edition is free to download and use with up to 10 “Premium” users and an unlimited number of standard users, if you require any more than 10 premium users then you need to purchase a license. A Premium user account can access email from Microsoft Outlook, a Standard user account cannot. Premium users can also access public folders and shared mailboxes whereas standard users cannot: so Scalix would only be completely free for a very small deployment, but would suit a branch office-type scenario as there is no reason why Scalix could not be deployed within an existing Exchange organisation.
There is also a Small Business Edition which is capped at 250 premium users.

The full list of features (lifted from the accompanying documentation) includes:

• Calendaring
• Scheduling (with real-time free/busy lookup)
• Contact Management
• Task Management
• Public Folders
• Access of email in a web browser and popular email applications
• Resource booking

Scalix also features an LDAP directory service providing contact search functionality.

The server installation itself is modular, allowing for different components to be housed on different physical machines – so you can house the mailbox database on the LAN and have the Internet-facing web site located in a DMZ environment, similar to an Exchange ‘front-end / back-end’ deployment. Scalix also supports clustering.

Installation

I used the free Linux distribution CentOS 4 for my installation (http://www.centos.org). According to the Scalix web site this platform is only supported for evaluation installations and should not be used for a production system.

Install CentOS selecting the following packages during the installation:

• Web Server
• PostgreSQL Server
• Sendmail

Once installed, download and install the elinks package using yum:

yum install elinks

Also download and install the compat-libstdc++-296 package, available from:

http://rpm.pbone.net/index.php3?stat=26&dist=56&size=180343&name=compat-...

The /etc/hosts file will need to be edited, by default it will probably look like this:

127.0.01 scalix.domain.com scalix localhost.localdomain localhost

Edit it so that it looks like this:

127.0.0.1 localhost.localdomain localhost
192.168.0.34 scalix.domain.com scalix

(where 192.168.0.34 is the IP address of the Scalix server)

You are now ready to install Scalix. The installation package is a self-extracting BIN package available for download from the Scalix web site.
Once downloaded, make the file executable:

chmod 755 scalix-x.x.x.bin

Then run it:

./scalix-x.x.x.bin

It is possible to install Scalix graphically (which requires that the X windowing component be installed on the server), but it is just as easy at the command line.

You will be prompted to read and agree to the terms of the license agreement.
Enter the name and domain of the server.
Specify your desired ‘Display Name’ format (ie, “James Liddiard” or “Liddiard, James”, etc)
Specify your desired email address format (ie James.Liddiard@domain.com, jamesl@domain.com, etc)
Enter a username and password for the default Scalix administrator account.
You will be prompted to enter a license key, or type in “None” to use the software without one.
Enter a password for the PostgreSQL server database.
Scalix will then install its own required components, including Tomcat and Java.

The installation is then complete.

Verify installation

Provided that everything has worked, you can verify the installation by browsing to the name or IP address of the Scalix server from a web browser. There are two web sites:

http://(scalix_server)/webmail displays the login screen to user webmail access:

NOTE – you will need to enable pop-ups from the web site.

You can log in using the details you specified for the administrator account (by default the username is ‘sxadmin’), the main webmail interface looks like this:

Users can read, forward, reply to and delete email messages, access calendar, contact and task folders, access public folders, manage their out of office status and all that good stuff.

http://(scalix_server)/sac displays the administrator console:

Administration

Within the administration console you can create, edit and delete users and groups and assign mailbox permissions.
The default naming and email address format can be changed.
Mailbox storage limits can be defined as can the warning thresholds.
The user password policy can be defined.
Additional domains can be added to the recipient policy.
Resources can be defined (such as meeting rooms) and if required mail-enabled.

Server resources and mail queues can be monitored and plugins can be enabled or disabled (such as anti-virus). Log files can also be viewed.

It is beyond the scope of this post to give a full run down of the administration process, for more information read the product documentation available from the Scalix web site.

Client Configuration

Microsoft Outlook

In order to use Microsoft Outlook with Scalix, firstly you need to have a Premium user account on the server. You also need to download and install the Outlook plugin available for download from the Scalix web site.

Outlook 2000 or later is required and Outlook 2007 is supported.

Installing the plugin is simply a matter of running an executable:

Once installed, when creating a new Email Account within the Outlook Startup wizard, Scalix will be listed as an option in the Other type of email account:

You will be prompted to enter the name of the Scalix server, your username and password:

NOTE - the name rather than the IP address of the Scalix server is required, so ensure either that DNS is configured correctly on the network or that the Windows client has an entry in its hosts file for the server.

Provided that the client can contact the server and the login credentials are accepted, your account will be set up:

Outlook will then need to be restarted, once re-launched you will be connected to the Scalix server:

The account can be configured within the Tools menu, where a new entry will be added for 'Scalix Properties':

Additional mailboxes can be added:

Out Of Office rules can be configured within the Tools menu by selecting 'Scalix Out Of Office':

Opening a new mail and selecting the To button will display the Scalix address book:

In short then, for the small business Scalix is a viable alternative to Exchange: for less than 10 users it can be installed free - and even for greater than 10 users, without the need for a Microsoft Server license, CALs, etc it would still be cheaper than the corresponding cost for an Exchange installation.
However, having said that, it is still a fairly "no-frills" solution: Exchange costs what it does because of the additional features it provides; Outlook Anywhere (RPC over HTTP), Server ActiveSync, Unified Messaging, etc - none of this is available in Scalix...yet!

Scalix BlackBerry Connector

Scalix have released a beta version of their connector software for the BlackBerry Enterprise Server solution. The Beta must be registered for before you will be able to download it, but registration is free and takes a few moments.

Prerequisites

• The Connector can be used with both BlackBerry Enterprise Server (BES) and the BlackBerry Professional Software (BPS), but both must be version 4.1
• Only the Exchange version of BES / BPS is supported. NOT the Lotus Domino or Novell Groupwise versions
• Version 5.0 of the BES is not currently supported
• In order to use the Connector, you must be running version 11.4.4 of Scalix or later
• Naturally, BES/BPS are Microsoft Windows server products, and as such cannot be installed on the Scalix server itself, but must be run on separate servers running a Microsoft Windows Server operating system (Server 2000 or 2003 - BES/BPS 4.1 does not support Server 2008). These can be virtual machines if desired. Although not officially supported, for small deployments a copy of Windows XP might be considered instead as a cost-saving measure
• The BES/BPS machine will also require a copy of Microsoft Outlook 2007 installed

Supported Functionality

Scalix Connect for BES Beta 1 supports the following aspects of the Blackberry solution:

• Push delivery of email messages
• Support for email sub-folder synchronisation
• Attachment viewing
• View, Create, Edit, Delete Contacts/Calendar Items and Tasks in Primary Contacts Folder
• Participate in Meeting Scheduling
• Contact lookup in LDAP Directory / Scalix GAL

The following functionality is currently not available and will be added in a later release:

• View Availability
• Out Of Office

All of the features that are available in the BES/BPS solution independently of the email system are available, including the extensive device management capabilities of the BlackBerry product (when used in conjunction with the BlackBerry handheld device, rather than a BlackBerry Connect device)

For a detailed setup guide on how to install the Scalix server, read this article - http://blog.brightpointuk.co.uk/scalix

Preparing the Scalix server

Create a service account for the BesAdmin user

Log into the Scalix server as the root user. At the command prompt issue the following command:

./opt/scalix/bin/omaddu -n "BESAdmin/company" -p bbpassword -c mboxadmin besadmin

Where "company" is the name of the primary mailnode you specified during the installation of the Scalix server. To verify this value, enter a command of:

./opt/scalix/bin/omshowmn

You should receive a response of:

omaddu: The user was added successfully

The new user account will now be listed in the Scalix admin web interface:

Preparing the BES / BPS server

Install Microsoft Server 2000, Server 2003 or Windows XP.
Run Windows Update and install all available critical updates.
Install the Microsoft Exchange MAPI CDO package, available for download from the Microsoft web site - http://www.microsoft.com/downloads/details.aspx?FamilyID=E17E7F31-079A-4...

You can install the BlackBerry software as the local administrator on the server. If you choose to create a local service account for the installation, you will need to assign the user account local administrative rights and also 'log on as a service' rights on the server within the local security policy.

If the Windows server is not able to resolve the IP address of the Scalix server via DNS, enter an entry for the Scalix server manually within the machine's hosts file in \Windows\System32\Drivers\Etc

Install the BES / BPS 4.1.x software. You will need a valid SRP key and CAL key in order to install the software. This guide assumes, based on the fact that you've managed to install Scalix already, that you don't need hand-holding through the BES installation process!
When prompted, select the option to install MSDE locally, unless you do have and wish to use an external Microsoft SQL server to host the BlackBerry database.
You will be warned during the installation that Microsoft Exchange cannot be detected, ignore the warning and proceed with the installation.
When prompted to specify the details of the Exchange server and service account mailbox, leave the details blank and click OK to continue with the installation.

Install Outlook 2007

Launch the Services MMC snap-in and stop the BlackBerry Controller Service:

Install the Scalix BES Connector by running the MSI installation file:

Once complete, click Finish:

Open the Control Panel and double click the Mail icon. Click on the option to Show Profiles:

If shown, delete any available profiles.

Create a new profile and name it "BlackBerryServer". When prompted, select the option to create the profile manually.
Select Scalix Server as the type of account to create:

Enter the name or address of the Scalix server as well as the BESAdmin account details you specified earlier:

The following window will be displayed:

Repeat the same procedure, this time creating a new profile named "BlackBerryManager"

Now return to the Services MMC snap-in and restart the BlackBerry Controller Service.

Adding Users

Now you can launch the BlackBerry Manager application and add users as you would normally. Select the entry for the BES server from the left-hand navigation menu and click on the option to Add Users, the Scalix GAL will be displayed:

Add users as required. Once listed within the BlackBerry Manager, right click on a user's entry and select the entry to "Generate and Email Activation Password".

The user will now receive an email from the BESAdmin user containing a random password. On their BlackBerry handheld device they should browse to Options --> Advanced Options --> Enterprise Activation.
They will now need to enter the full email address as well as the password they have been issued by the BESAdmin user in the email they received earlier.
If prompted to enter details of an Activation Server, just leave the field blank.

Press the menu button and select the option to Activate. After a few minutes, provided that the SIM card in the device is correctly enabled for BlackBerry service, the device will be registered and will start to receive email, contacts and calendar information from the user's Scalix mailbox.

For detailed information on how the Enterprise Activation process works and how to troubleshoot it, read this article - http://blog.brightpointuk.co.uk/how-does-bes-wireless-activation-process...

Zimbra

Zimbra Collaboration Suite (ZCS) (www.zimbra.com) is an open-source web-based collaboration suite providing messaging, calendaring and PIM functionality as well as document creation and sharing.

Running on Linux, the ZImbra installation package contains all of the pre-requisite components the solution requires, including PostFix, MySQL, Jetty web server and OpenLDAP. Supported Linux distributions include Red Hat Enterprise Linux 4 and 5 - I have had success with the CentOS variation of RHEL, using CentOS (www.centos.org) version 4.7 to create this article.

Zimbra supports standard email messaging protocols including SMTP, POP and IMAP. Anti-spam service is also built-in with the inclusion of SpamAssassin.

This article is designed to provide an overview of the ZImbra solution only, more detailed information can be found on the Zimbra web site - www.zimbra.com

Installation

Install a base installation of CentOS only - as mentioned above the ZImbra installation package contains all of the components it requires - having any web or email services running may lead to port conflicts which will generate errors during the installation.
If you intend to run Zimbra as a standalone machine then do install the DNS server role.

Zimbra requires at least 5GB of available hard disk space.

The /etc/hosts file will need to be edited, by default it will probably look like this:

127.0.01 zimbra.domain.com zimbra localhost.localdomain localhost

Edit it so that it looks like this:

127.0.0.1 localhost.localdomain localhost
192.168.0.10 zimbra.domain.com zimbra

(where 192.168.0.10 is the IP address of the Zimbra server)

To configure DNS (if required), you may want to install Webmin (www.webmin.com). Create a master zone for your domain as well as A and MX records for the ZImbra server. Also remember to set the server's primary DNS server to the localhost address.

On my Centos 4.7 installation there were a number of pre-requisites I had to install:

GCC can be installed via yum - issue 'yum install gcc' at the command prompt

Fetchmail can be installed via yum - issue 'yum install fetchmail' at the command prompt

LibTool can also be installed via yum - issue 'yum install libtool' at the command prompt

Three further components were required, which can be downloaded and installed as RPM packages:

compat-libstdc++-296 - available from:

http://rpm.pbone.net/index.php3/stat/4/idpl/8963867/com/compat-libstdc++...

compat-libstdc++-33 - available from:

http://rpm.pbone.net/index.php3/stat/26/dist/56/size/21536729/name/compa...

libstdc++.so.5 - available from:

http://rpm.pbone.net/index.php3/stat/4/idpl/8962252/com/compat-libstdc++...

Once all of the pre-requisites have been installed you are now ready to install Zimbra.
The installation package will have been downloaded as a TAR file, extract the contents with a 'tar -xvfz zcs-x.x.x.tar.gz'
Once exctracted, change to the created directory and issue the command:

./install.sh --platform-override

The platform override switch is required if you are using a non-RHEL Linux distribution, but I did not have any problems on CentOS.

The installer wizard will now launch, follow the on-screen prompts. This process may take a while (approximately 20 minutes on my virtual machine), but you can leave most of the options at their default values.

Verify Installation

Provided that everything went according to plan, you should be able to browse to the IP address of the Zimbra server from a web browser and will hopefully see the ZImbra login in page:

Login using the admin account with the password you specified during the installation wizard, the main ZImbra web interface will be displayed:

From here users can read, forward, reply to and delete email messages, access calendar, contact and task folders, etc.

The Documents feature adds an extra level of functionality to the solution, enabling users to create and share web documents:

Zimlets are optional plugin modules that can be downloaded and installed onto the Zimbra server to provide additional functionality to the default user web interface. By default a Yahoo! Zimlet is installed that provides one-click access to the Yahoo search engine. A wide range of Zimlets are available online including plugins for Yahoo Maps, Flickr, web-SMS tools, etc.

Administration

The ZImbra administration console is accessed via a web browser by browsing to https://(zimbra_server):7071

Hopefully you'll see the following:

From here the administrator can add, remove and edit user accounts, groups and domains as well as defining mailbox and security policies.

It is beyond the scope of this article to go into the administration of the solution in any depth.

Zimbra Desktop

Unlike Scalix (http://blog.brightpointuk.co.uk/node/134), another open source email platform, which has very shrewdly developed a plugin that enables the solution to be accessed from Microsoft Outlook, Zimbra (now owned by Yahoo!) have developed a client application for Windows. Not limited to accessing a Zimbra email server, the client can be used to access a wide range of POP or IMAP-based email service providers. Installation and configuration is quick and easy:

The client can be configured to access the Zimbra server either via POP or IMAP or equally via HTTP port 80, effectively acting as a web-based client.

Connect to a Unix / Linux server from a Symbian S60 handset

The popular PuTTy application for Windows, which allows administrators to connect to Unix or Linux hosts at the command line, has been ported to the Symbian Series 60 platform.

It is available for download from the SourceForge web site here: http://s2putty.sourceforge.net/download.html

It did not require any additional pre-requisite components to run on my Nokia E71. Simply copy the SIS file to the handset and run it, once installed it will be listed in the Installations folder:

Launch the application, and edit the Default profile that will be listed:

The following options will be available:

Under the General options you can define the hostname or IP address to connect to as well as the user to connect as:

Under the SSH options you can specify the port to connect using as well as the protocol version:

When connecting to the server for the first time you will be prompted to save the server's RSA key in the list of authorized hosts within the Symbian operating system:

You will then be prompted for the password of the user account you used to connect with:

You will then be connected to your remote server.

Connect to a VNC server from a Symbian S60 handset

VNC is a remote control application for a variety of platforms including Windows, MacOS X and Linux, similar to Microsoft’s own Terminal Services (or Remote Desktop as you may know it by):

http://en.wikipedia.org/wiki/VNC

In order to be able to remotely control a server via VNC, you must install the VNC server component onto the server.

The Windows version can be downloaded free of charge here:

http://www.realvnc.com/products/free/4.1/download.html

The MacOS X version can be downloaded here:

http://sourceforge.net/projects/osxvnc/

The VNC client for Symbian S60v3 can be downloaded from the SourceForge web site here:

http://sourceforge.net/projects/symvnc/

In this example I have used the Nokia E71.

The client requires that the OpenPIPS framework be installed on the S60 device before the VNC client can be used.

OpenPIPS is available for download as a plug-in to the Symbian S60 SDK available from the Nokia Developer web site. The SDK is only available for the Windows platform currently.

The SDK can be downloaded here:

http://www.forum.nokia.com/info/sw.nokia.com/id/4a7149a5-95a5-4726-913a-...

Before you can install the SDK, you must first install an instance of PERL onto the Windows PC, such as this one:

http://strawberryperl.com/

Install PERL, then install the S60 SDK.

The OpenPIPS plug-in can then be downloaded from the Nokia Developer site here:

http://www.forum.nokia.com/info/sw.nokia.com/id/91d89929-fb8c-4d66-bea0-...

Install the plug-in to the SDK.

Once installed, locate the file:

C:\Symbian\9.2\S60_3rd_FP1\nokia_plugin\openc\s60opencsis\pips_nokia_1_3_SS.sis

Copy this file to your S60 device and install it.

Now you can install the VNC Client. Once installed, it will be listed in the Installations folder:

Launching the client allows you to enter an IP address, port number and specify the access point to connect through (be it GPRS / 3G or WLAN):

When connecting, you will be prompted to enter the password for the connection as defined on the server:

Once connected, you will be displayed the contents of the machine you are controlling remotely:

The display resolution can be altered so that you are able to view the screen more clearly (but having to scroll horizontally and vertically). Key sequences (such as CTRL ALT DEL) can be sent to the remote machine via the Options menu:

Remote control-tastic!

Deploying an SSH-based VPN solution

Configuring and deploying VPN remote access solutions can be a complicated and time-consuming, not to mention expensive, exercise. For companies looking to provide a simple, inexpensive, secure remote access solution to staff, then an SSH-based VPN may be the answer.
I have blogged previously about the free OpenVPN software (http://blog.brightpointuk.co.uk/openvpn), which is able to provide SSL-based VPN access, but this solution can require some detailed knowledge of networking on behalf of the administrator, and also (as with most solutions) effectively makes the remote client a host on the local network, with all the security considerations that this entails.

The solution I'm going to look at today works differently: a terminal server is deployed at the office, or specific desktop machines can be deployed on a per-user basis if required. Remote users can remotely log into this Terminal Server and access desktop applications and LAN-based resources via Remote Desktop or VNC. The solution requires only that a single TCP port be opened on the firewall, and a key file be saved onto the user's remote PC.
Because the remote PC is not on the local network, rather a local machine is being remotely controlled, there is no concern of viruses or other malware gaining access to the network from the remote machine, and bandwidth requirements are low.
Although this solution does require that hardware be deployed in the office, it has the advantage of allowing users to use their personal home PCs if desired without undue security concerns - and can work across a wide range of client platforms including Windows, Mac and Linux.

Because this solution involves users remote controlling a LAN-based machine rather than being a virtual host on the remote network, files on the user's real machine cannot simply be transferred to network drives and applications cannot access LAN-based resources directly. But should your users require access to an intranet or a web-based application, and can open and edit files stored on the LAN from the remote desktop, then this should not be an issue. The type of access your users will require should be taken into consideration.

I shall now look at the steps involved in deploying this solution.

Deploy a Terminal Server

Each user that is going to be using the solution will need a machine to remotely control. This might be a Terminal Services machine with the appropriate number of CALs, a VMWare server with multiple virtual machines configured, or real machines (if users have office-based desktop PCs, these could be used - but this is not a very green solution).

Whatever the machine, any required users will need to be added to the Remote Desktop Users group:

Or you may prefer to simply add 'Domain Users' to the group for ease of administration.

Deploy the VPN Server

In this scenario the VPN server itself is only acting as an SSH server and router and as such does not need to be very powerful, or indeed even a physical machine - a virtualised host would be fine.
In this example I am using the free, open source CentOS Linux distribution (http://www.centos.org).
Install a base configuration of the server - SSH functionality will be installed automatically.
Create a non-root user account, let's call it 'vpn'.
Edit the SSH configuration file located in /etc/ssh/sshd_config
Edit the port that the SSH service will use from the default 22 to a port of your choosing. In this example I am using TCP port 8999, chosen entirely at random:

The server will need to be assigned an external, Internet-facing IP address, with a DNS entry if desired. The server can be located on the LAN, with the selected port open on the firewall from the Internet to the internal address of the SSH server. If this is not satisfactory, the server can be located in a DMZ or Core network segment, just ensure that the SSH server is accessible from the outside world on the target port, the SSH server 'knows' how to route incoming requests to the LAN subnet(s), and the desired ports are open between the SSH server and the LAN (3389 in the case of RDP or 5900 in the case of VNC).

Generate client SSH keys

Keys can be generated on a Mac or a Linux-based machine at the command line using the ssh-keygen command. The process is simpler on Windows machines using the free PuttyGen utility, available from http://the.earth.li/~sgtatham/putty/latest/x86/puttygen.exe

Click on the Generate button, then move the mouse across the window to create 'randomness' with which to create the key"

Once complete the key will be displayed:

You may find it useful to edit the contents of the Comments field to enter the name of the user that the key was generated for. Copy the whole key:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBQxT0fyUIh1uGPoRRf4Rh8kh4Uq16
qYczeGxC+OrQkeCy0fjW7YO7HCeG5mtFxDyOEXTaBj5AAo4gE2rJQ+4bhGDmcqEmk
XhkjuDW01joBTYx1em+JUbiM3/qLLBAvefsqSL1LhrsiJovIAjvMJsKuH2k6//BlK/7vVr2Y
gZrDBQ== Generated for James Liddiard

On the SSH server, log in as the 'vpn' user, or as root and then issue 'su - vpn' to become that user.
You should be in the /home/vpn/ directory. Create a new directory called '.ssh'

mkdir .ssh

Create a new file called 'authorized_keys'

touch authorized_keys

Edit the file

view authorized_keys

Paste the whole key into the file and save it.

On the Windows client, select the option to save the private key, selecting Yes when prompted to save the key without a passphrase. They key will be saved as a .ppk file, keep it somewhere safe.

The key is now authorised for SSH access to the server. Repeat this process as often as required.

Configure the Windows client

Create a directory on the C drive, or somewhere suitable. Let's call it 'SSH'.
In the directory, save the .ppk file created earlier.

Download and save the file 'plink.exe' in the same directory, available from http://the.earth.li/~sgtatham/putty/latest/x86/plink.exe

We will need to accept and store the key of the SSH server. Run the following at the command prompt:

c:\SSH\plink -v -ssh -2 -P 8999 -l vpn 62.189.60.226

Where c:\SSH is the path to the location of the plink.exe file, 8999 is the port number specified for access to the SSH server, where vpn is the name of the non-root user account created on the SSH server, and where 62.189.60.226 is the external IP address of the SSH server.

This command can be saved in a batch file which can be double clicked to make things simpler, you will be prompted to accept the key and store it:

You will then be prompted to enter the password for the vpn user:

At this stage just press CTRL-C to end the batch job, there is no need to authenticate once the key has been stored.

Create a VBS script file, let's call it 'connect_vpn.vbs', use the following text:

Dim WSHShell
Dim WSHShell2
Dim Message
Dim Title

Set WSHShell = WScript.CreateObject("WScript.Shell")

cmdLine = "%comspec% /c c:\ssh\plink -v -ssh -2 -P 8999 -batch -l vpn -C -i c:\ssh\jimbob.ppk -L
127.0.0.2:3389:172.16.196.131:3389 62.189.60.226"
WshShell.Run cmdLine, 2
WScript.Sleep(10000)
WshShell.Run "mstsc /v:127.0.0.2:3389 /f"

where 'jimbob.ppk' is the name of the key file we created earlier and where '172.16.196.131' is the IP address of the internal machine to be remotely accessed.

Double click, or invoke the VBS file. The client will authenticate with the SSH server and forward the RDP request to the internal IP address of the machine to be accessed. After a pause of 10000 counts (as defined by the 'sleep' command), the Windows Remote Desktop client will launch and initiate a connection to 127.0.0.2 (a localhost address which will be forwarded by the plink script).
The 10000 delay command is arbitrary, this is the length of time it should take the SSH client to connect and authenticate. The RDP client will launch after 10000 milliseconds regardless as to whether the connection is established or not, therefore you may need to adjust this value yourself. It may be too long for 3G or DSL-based connections in which case it can be reduced. Don't be afraid to experiment.

If you are using VNC-based connections, then simply substitute the entries for 3389 with 5900 instead, and substitute the entry for 'mstsc' with the appropriate command line path to the VNC Viewer executable you are using, and use suitable switches.

Configure the Mac client

The procedure for configuring a Mac client in terms of keys is slightly different, MacOS not knowing what a 'ppk' file is.
If your administrator has generated a PPK file for you, then you will need to either convert it to an OpenSSH key, or generate key file manually on your Mac using the ssh-keygen command within Terminal:

ssh-keygen -f jimbob -b 1024

This will create 2 files within the directory in which the command was executed: 'jimbob' and 'jimbob.pub'.
Open the file 'jimbob.pub' using a suitable text editor:

Copy the contents of the file and save the key to the authorized_keys file on the SSH server as before.

On the Mac client we will need to accept and store the key of the SSH server as before. Open the Terminal application and run the following at the command prompt:

ssh -p 8999 -l vpn -i jimbob -L 3389:172.16.196.131:3389 62.189.60.226

You will be prompted to accept the key of the SSH server, type in 'yes' and press Enter.

The key has now been stored on the local Mac client.

Create a text file (with no extension) on the Mac with the following command line:

ssh -p 8999 -l vpn -i jimbob -L 3389:172.16.196.131:3389 62.189.60.226

Let's call it 'ssh_vpn'.

Launch the Terminal application and invoke the command by browsing to the correct directory and issuing:

. ./ssh_vpn

You will be connected to the SSH server as the VPN user (excuse my welcome message, I chose it purely to prove that I was indeed connecting as the correct user):

You can now launch a suitable RDP client on the Mac and connect to an address of 172.0.0.1, which will be forwarded automatically. Again, if using a VNC client, substitute any entry for 3389 with 5900 as the port number instead.

If you need to convert a supplied PPK file to the OpenSSH format for Mac usage, you will need to install the "MacPorts" version of Putty on your Mac: browse to http://www.macports.org in your browser and install the relevant package for your platform:

Before you will be able to install MacPorts, you will need to install the XCode tools from your MacOS installation source.

Once installed, run the following commands:

sudo port install putty

The required packages will be downloaded and installed, this process may take a few minutes:

Once installed, browse to the directory where the PPK file has been saved and convert it with the following command:

puttygen jimbob.ppk -O private-openssh -o jimbob.ssh

Now create a text file as we did before, but this time with the new details of the private key file:

ssh -p 8999 -l vpn -i jimbob.ssh -L 3389:172.16.196.131:3389 62.189.60.226

and run the file with the command:

. ./ssh_vpn

Once connected you can launch either a Remote Desktop or VNC client:

VPN-tastic!

OpenVPN

OpenVPN (http://openvpn.net) is a fully-featured SSL VPN solution.
OpenVPN can be used to provide secure remote access to field workers, can provide site-to-site VPN links or can be used to secure a private wireless network: if you can think of an application for a VPN solution, OpenVPN can probably accommodate it.

The OpenVPN server software can be installed on Linux, Windows (2000 or later), Solaris or MacOS and there are clients available for an even wider range of platforms, including Windows Mobile.

In this article I shall describe how to install a VPN server and configure secure access to your private network from the Internet. This article is not necessarily reserved for IT admin staff: anyone who has a networked storage device at home and would like the ability to access their files while out and about – this is for you.
For those of you who are more comfortable with a Windows environment, there is an excellent article on The Register desribing how to install OpenVPN for Windows (http://www.theregister.co.uk/2008/09/01/openvpn_primer/). This article describes how to use OpenVPN to remotely access your corporate Internet connection.
I shall install and configure the server-side on the free Linux distribution CentOS (http://www.centos.org), version 4.7, and configure it to allow remote access to local network resources (file servers, intranet, etc).

Requirements

Before you install the server, it is important to consider how you intend to configure routing between your internal network and the outside world, and also the addressing scheme to use.

For your VPN solution to work, the client will need to recognise the remote resource being requested as residing on a network ‘behind’ the VPN server.
The vast majority of public WiFi services (and potentially cellular mobile network operators) will assign connected clients an IP address in the range 10.x.x.x , 172.16.x.x or 192.168.x.x (the addresses reserved for ‘internal’ networks) .
Therefore, if you have connected to a public WiFi service and have been assigned an address of, say, 192.168.0.42, you may be able to connect to your VPN server, but if you then request a connection to a server on the remote network with an address of 192.168.0.10 the client device will not know to route the request over the VPN link but will look for it on the local network.
Your internal network should therefore use an addressing scheme that is suitably unlikely to be in use elsewhere.

Once connected, the VPN client will be assigned an IP address on the remote network. Similarly, in order for the remote resource to be able to reply to requests from the VPN client, the address used by the client also needs to be ‘behind’ the VPN server so that local network resources know to route responses accordingly.
The necessary routes will need to be added to the local network resources: either each machine will need a route added to it to direct requests to the VPN network to the IP address of the OpenVPN server, or (preferably) add a route on the default gateway of the internal network.

The OpenVPN documentation suggests a network in the middle of the 10.x.x.x address block, such as 10.66.77.0/24 (so your VPN server might have an address of 10.66.77.1 with a subnet mask of 255.255.255.0).

For your VPN server to be accessible from the Internet, it will need a ‘routable’, or ‘real-world’ IP address. The majority of home broadband providers do not provide this unfortunately, so you may need to check with your provider what options are available. The external address of your server does not necessarily need to be ‘fixed’, but it will need to be routable. If you have a dynamic address, then you can create a free account with DynDNS (http://www.dyndns.org) which will enable you to connect to a ‘friendly name’ from your client device without having to worry about what the IP address might be at any given time.

In this example, my OpenVPN server will have a fixed external IP address. I shall be using an internal addressing scheme of 10.66.77.0/24 and I shall use a separate network range for the VPN: 10.66.78.0/24. The OpenVPN server will issue addresses to clients automatically via DHCP in this range.

Installation

Install a base (minimal) CentOS configuration.
During the installation assign the server an IP address on the local network (10.66.77.10, for example). Configure the default gateway with the internal address of your router (10.66.77.1, for example).
Install the GCC compiler via yum with the following command:

yum install gcc

The LZO compression library is also required. This is available from http://www.oberhumer.com/opensource/lzo/download/

The package will be in .tar.gz format. Extract the contents of the archive with the command:

tar xvfz lzo-x.x.x.tar.gz

now change to the directory created and run:

./configure
make
make install

OpenSSL is also required. This can be downloaded from http://rpm2html.osmirror.nl/openssl.html
The package will be in rpm format, install it with the command:

rpm –i openssl-x.x.x.rpm

Download the current OpenVPN installer package from http://openvpn.net
The package will be in .tar.gz format. Extract the contents of the archive with the command:

tar xvfz openvpn-x.x.x.tar.gz

now change to the directory created and run:

./configure
make
make install

OpenVPN is now installed but must now be configured.

Generate Master Certificate Authority (CA) key

Within the openvpn directory, switch to the easy-rsa directory.
Edit the ‘vars’ file.
Scroll down and update the contents of the following fields:

KEY_COUNTRY  (eg GB)
KEY_PROVINCE  (eg Dorset)
KEY_CITY  (eg Poole)
KEY_ORG  (eg MyCompany)
KEY_EMAIL  (eg root@mydomain.com)

Save the file.
Make the file executable with using chmod:

chmod 755 vars

Now run the following commands:

. ./vars
. ./clean-all
. ./build-ca

You will be prompted to enter the details for the CA key, but having edited the vars file you should be able to press Enter and have the default value accepted. You will need to enter the hostname of the server, ‘server’ will do.

Once complete the following files will have been created in a new directory called ‘keys’:

ca.crt
ca.key

Generate OpenVPN server key

Having created the root certificate for the certificate authority, we must now create a key for the OpenVPN server itself. Run the command

. ./build-key-server server

Again most of the fields will be completed for you, simply press Enter when prompted. You will need to enter the hostname of the server, again ‘server’ will do.

In the keys directory the following files will have been created:

server.crt
server.csr
server.key

Generate OpenVPN client key

Now we need to generate a key file for the client. Issue the following command:

. ./build-key client1

When prompted for the hostname, simply enter ‘client1’. Repeat this process for as many clients as you require.

Configure Diffie-Hellman key exchange

Now run the command:

. ./build-dh

This will configure the necessary key exchange parameters automatically and create a file named ‘dh1024.pem’ in the keys directory.

Configure Server

The default server configuration file now needs to be updated with the specific details of your network. An example server configuration file lives in /sample-config-files/server.conf. Make a copy of the file and save it to the openvpn directory.
Edit the file.

Locate the line beginning ‘port 1194’
Here you can specify which port the server will listen for connections on. The default is 1194 but this can be changed to any port you want. It is important that whatever port you choose, any firewalls that the VPN server sits behind are configured to allow this port through to the server from the Internet.

You can also specify the protocol used (UDP or TCP). The default is UDP.

Scroll down and locate the section beginning:
ca ca.crt
cert server.crt
key server.key

Specify the location of the server and ca key files (if not in the same directory as the conf file)

Scroll down and locate the line beginning ‘dh dh1024.pem’
Specify the location of the Diffie Hellman config file (if not in the same directory as the conf file)

Scroll down and locate the line beginning ‘server 192.168.0.0 255.255.255.0’
The details of the VPN subnet will need to be defined. The default value will need to be amended with the new details (10.66.78.0 255.255.255.0 in my example)

Scroll down and locate the section beginning ‘;push "route 192.168.10.0 255.255.255.0" ‘
Any routes that you wish to be pushed down to connected client devices will need to be configured here (remove the ‘ ; ‘ character at the beginning of the line to make it active. In my example I will add an entry to have a route for the 10.77.66.0 network pushed to the client.

Scroll down and uncomment out the lines ‘user nobody’ and ‘group nobody’ to reduce the privileges of the OpenVPN daemon.
Once complete save the file.

NOTE – there are also options within the server.conf file to define DNS and WINS server settings that can be pushed to the client device when it connects. If you are running a DNS server on your local network then this is advisable as it allows you to connect to ‘friendly names’ directly from the client, otherwise you will need to know the IP addresses of all local resources you want to access.

NOTE – if there are further networks that sit behind the VPN server other than the network that it sits on (such as a DMZ environment), then the necessary routes will also need to be defined to be pushed to the client. More information on this is available on the OpenVPN web site.

Start the OpenVPN server

Start the server with the command:

openvpn server.conf

Configure routing

On the local network resource – the internal router if one is being used, or on each host separately, add a route to direct traffic for the 10.66.78.0 network to the local IP address of the OpenVPN server. Use the following command to configure the host manually:

route add –net 10.66.78.0 –netmask 255.255.255.0 10.66.77.10 1

On a Netgear router, static routes are defined in the Advanced --> Static Routes section:

Configure the Windows Client

The OpenVPN client for Windows can be downloaded from http://openvpn.se/download.html
Be sure to choose the GUI and TAP driver package rather than just the GUI. The TAP driver is required to install the virtual network adapter.
Once installed, browse to C:\Program Files\OpenVPN. The are sample configuration files in the ‘sample-config’ directory. Copy the file ‘client.ovpn’ to the ‘config’ directory and then edit it with Notepad.
Enter the external name or IP address of the VPN server. An entry has been made for ‘remote my-server1 1194’. Replace my-server1 with the details of your server. If you specified an alternate port to use other than 1194 when configuring the server, substitute this here also.

Save the following files from the VPN server onto the client:

ca.crt
client.crt
client.key

The OpenVPN connection can be initiated by right clicking on the system tray icon and selecting Connect:

If all has gone well, you should be successfully connected and your local IP address will be displayed. You can now verify the connection by attempting to ping the local address of a resource on the remote network.

Configure the Mac Client

The setup procedure on the mac is a slightly more manual process. There are packages that can be purchased which include all of the required packages, such as Viscosity (http://www.viscosityvpn.com/), but with a little effort you can do it for free.

Firstly, install the XCode tools from the Apple OS DVD, if not installed already. These are required as they contain the GCC compiler which is required to install some of the prerequisite packages.

Next, you need to install a TUNTAP driver for the virtual network adapter, such as this one:
http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
This package is MPKG file, simply run it and follow the on-screen instructions.

Next download and install Fink from http://www.finkproject.org/ (Fink provides similar functionality to yum on Linux systems).
Once Fink has been installed, open a Terminal window and enter the following command:

fink install openssl097 openssl097-dev openssl097-shlibs

This will download and install the necessary OpenSSL libraries onto the Mac.

Download the LZO Compression library from http://www.oberhumer.com/opensource/lzo/download/

This will come down as an archive file. Extract the contents of the file, then open a Terminal window and change directory to the location of the extracted files. Run the following commands:

./configure --enable-shared
make
make test
sudo make install

Download the current version of OpenVPN from http://openvpn.net

Again this will be an archive file. Extract the contents of the file, then open a Terminal window and change directory to the location of the extracted files. Run the following commands:

./configure --with-ssl-lib=/sw/include/ --with-ssl-headers=/sw/include/ 
--with-lzo-lib=/usr/local/lib/ --with-lzo-headers=/usr/local/lib/
make
sudo make install

Now create a directory for OpenVPN:

sudo mkdir /etc/openvpn

Copy your certificate and key files into this directory:

ca.crt
client.crt
client.key

Now create an openvpn.conf text file containing the following script:

client
dev tun0
proto udp
remote (server address) 1194
resolv-retry infinite
user nobody
group nobody
persist-key
persist-tun
mute-replay-warnings
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
comp-lzo
verb 3
mute 20

(where (server address) will need to be substituted for the external name or IP address of the VPN server.

Save the file to the /etc/openvpn directory

To initiate the connection, issue the following command:

sudo /usr/local/sbin/openvpn --config /etc/openvpn/openvpn.conf

There is a free GUI for OpenVPN that allows you to initiate connections from the menu bar without having to type the above command into Terminal every time. The GUI is called Tunnelblick and is available from the Google web site: http://code.google.com/p/tunnelblick/

Once installed, Tunnelblick adds an icon to the menu bar, shaped like a tunnel:

To configure Tunnelblick, simply click on Details and then ‘Edit Configuration’. Paste in the same script that you created above.

Configure the Pocket PC client

The Pocket PC client for the Windows Mobile platform can be downloaded from here - http://ovpnppc.ziggurat29.com/ovpnppc-files.htm

The client can be downloaded either as an executable package that must be installed onto the PDA from a PC via ActiveSync, or as a CAB file package that can be installed on the device locally.

Once installed, an icon for the client will be added to the Today screen and also to the Programs folder:

In order to configure the client, the required keys must be copied to the PDA as with the previous clients, to the \Program Files\OpenVPN\Config directory:

ca.crt
client.crt
client.key

However once on the device, the crt files must be renamed with a .pem extension, giving:

ca.pem
client.pem
client.key

In the /config directory on the PDA will be a file named 'sample.opvn'. Copy this file and rename it to the desired name of your configuration as you want it appear within the client.
The easiest way to do this is to copy the file to your PC, edit it, then copy it back again.
Enter the following text into the file:

client
dev tap
proto udp
remote (server address) 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca "\\Program Files\\OpenVPN\\Config\\ca.pem"
cert "\\Program Files\\OpenVPN\\Config\\client.pem"
key "\\Program Files\\OpenVPN\\Config\\client.key"
comp-lzo
verb 3
mute 20

Once the configuration file has been saved to the PDA, it will be listed as an available connection within the OpenVPN client on the Today screen:

If desired, within the Settings of the client it is possible to specify which Internet connection the OpenVPN client should use to initiate the connection to the OpenVPN server: