Is it possible to configure UCS server with two network interfaces to work with two separated and different networks? For example, I’d like to have local network without access to Internet on eth0 and access only for UCS server to Internet on eth1.
Thanks in advance.
Yes, it's possible, we are currently using the exact same setup. First define an external domain, then define another network (e.g. external) and link it to the external domain, and then simply assign a second network card to the host using the “external” network: This works completely without using the command line, simply by using the web interface…
From my experience, I would not build such a setup any more, because it also has disadvantages. In my opinion, the disadvantages of this setup outweigh the apparent advantages, so consider carefully.
Due to the dual-homed setup we have problems with the monitoring using Nagios/Icinga, with the standard routes and of course security issues, because a computer with an external IP needs an additional external firewall. Due to some special constraints we have this under control, but today I would prefer to simply define different network zones and then assign the computers to exactly one zone. I would use a router to connect the different zones and use a firewall to allow only exactly the desired network traffic.
Of course, this proposal is a bit more complicated in the initial setup compared to a dual-homed setup, but it is much easier to maintain during operation and of course also safer.
Do you want to read more? This old but still excellent Linux Journal Article may be helpful.
Looking for an easy-to-use firewall at enterprise level? Then I recommend OPNsense.
Have fun
Lutz
But how to define external domain in UCS? Can’t find the right place.
Hey,
Log in to the UMC (“System and domain settings”), go to “System” → “Network settings” → click on the interface to edit if it’s already listed.
Kind regards,
mosu
I think I’m missing something…
I do have two network interfaces eth0 and eth1 in my “UMC” → “System” → “Network settings”.
Eth0 is Dynamic (DHCP) and it takes its address from the router connected to the Internet. The address is from DHCP and it is 192.168.1.10 for example.
Eth1 is static (address is 10.0.0.10).
Global settings are:
Gateway is 10.0.0.200, Domain name server IPs are 10.0.0.10 and 192.168.1.1.
Primary network interface is Eth1.
When I open AppCenter I get error: Name or service not known. This is probably due to the DNS settings of my server. This sure is because my UCS server cannot resolve internet addresses. My UCS server knows only one gateway in this configuration. Where in UCS can I route this?
I just would like to have an intranet with no Internet connection while the second network interface will be used only by the server to manage updates and install applications. With no ip_forward it should be quite safe. What did I miss?
Adjust your gateway: 10.0.0.200 is your internal net and will not work.
But I also have a corporate intranet behind the local intranet gateway. When I switch the gateway I will lose access to it.
In that case you have to set routes to the internal network, see Configuring static routes
Congrats: you faced one of the disadvantages of a dual-homed setup: you have to take care of routes.
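The routing point of this exchange, as an added example that is not from the thread or from Univention: a small Python model of longest-prefix route selection, loaded with the addresses given above, plus two assumed values, 192.168.1.1 as the Internet router on eth0 and 10.20.0.0/16 as the corporate intranet behind 10.0.0.200. It contrasts the original table (single default gateway into the intranet, so Internet destinations never reach eth0) with one default route via eth0 and a static route for the intranet via eth1; only the server's own routes change, so ip_forward can stay off.

```python
import ipaddress
from typing import Optional, Tuple

# Added example (not from the thread): a minimal longest-prefix-match model of
# the Linux IPv4 routing decision. It shows why a single default gateway that
# points into the intranet (10.0.0.200) breaks Internet access for the server.

class RoutingTable:
    def __init__(self):
        self.routes = []  # (network, next hop or None, interface)

    def add(self, prefix: str, dev: str, via: Optional[str] = None) -> "RoutingTable":
        self.routes.append((ipaddress.ip_network(prefix), via, dev))
        return self

    def lookup(self, dst: str) -> Tuple[Optional[str], str]:
        """Return (next hop or None if directly connected, interface)."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, via, dev in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via, dev)
        if best is None:
            raise LookupError(f"no route to {dst}")
        return best[1], best[2]

# Interface addresses are the ones from the thread; the corporate intranet
# prefix 10.20.0.0/16 and the Internet router 192.168.1.1 are assumptions.
def broken_table() -> RoutingTable:
    # Original setup: the only gateway is the intranet router on eth1.
    return (RoutingTable()
            .add("192.168.1.0/24", "eth0")
            .add("10.0.0.0/24", "eth1")
            .add("0.0.0.0/0", "eth1", via="10.0.0.200"))

def fixed_table() -> RoutingTable:
    # Default route via the Internet router on eth0, plus an explicit static
    # route for the corporate intranet via the internal gateway on eth1.
    return (RoutingTable()
            .add("192.168.1.0/24", "eth0")
            .add("10.0.0.0/24", "eth1")
            .add("10.20.0.0/16", "eth1", via="10.0.0.200")
            .add("0.0.0.0/0", "eth0", via="192.168.1.1"))

if __name__ == "__main__":
    for name, table in (("broken", broken_table()), ("fixed", fixed_table())):
        print(name, "Internet:", table.lookup("8.8.8.8"),
              "intranet:", table.lookup("10.20.5.7"))
```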
Hey everyone,
I have just applied the configuration on my system too. Now I have two networks
[public IPv4] - meinedomain.de
[internal IPv4 192.168.1.250] - meineinternedomain.intranet (at least that’s what I want).
Now I have the following problem:
I can’t get DNS working for the UCS Dashboard with the Windows AD connection. The terminal server running it cannot establish a connection to the domain.
Network-wise it has a connection to the UCS via the local IPv4: 192.168.1.250. But I can’t reach the domain set up on the local network, neither in the browser nor in the Windows AD configuration.
I suspect that I need to route the internal network with the public one, but I’m not sure. Surely there must be an easier way 7 years later.
Here is my network config + DNS settings:
Maybe someone can help me
ENG:
Hey everyone,
I have just applied the configuration to my system. I now have two networks
[public IPv4] - mydomain.com
[internal IPv4 192.168.1.250] - myinternaldomain.intranet (at least that’s what I want).
Now I have the following problem:
I can’t get a DNS for the UCS Dashboard with Windows AD connection. The executing terminal server cannot connect to the domain.
Network-wise it has a connection to the UCS with the local IPv4: 192.168.1.250. But I can’t reach the configured domain on the local network in the browser or in the configuration of Windows AD.
I have a hunch that I need to route the internal network with the public one, but I’m not sure. Actually, there must be an easier way 7 years later.
Here is my network configuration + DNS settings: (see Top)
Maybe someone can help me
Hi floriangoetze
Please carefully consider your setup, as stated by Lutz this might not be the best configuration, especially if you are going to expose UCS directly to the Internet.
In your screenshots I see some issues. Look at Netzwerke>default and the Netzwerk field, it ends with a .26.0 and a 24 mask. However, your Netzwerke>intern is .1.250/24 where it should be .1.0/24
I’m not sure if you need to specify the IP-Adressbereich as this can be controlled by the DHCP configuration.
Finally, in the same “window” you have the DNS Forward Lookup Zone set to FQDN .de.
Go to DNS>[FQDN].de and make sure you are pointing it at a working DNS server (in the “server name” and “IP addresses”)
Well, I have to say, I don’t like the configuration either. I did it because I want to control external software with LDAP and Open ID. For example, I have GitLab running externally and want to integrate LDAP. And if I only have the UCS server with the domain running internally, that doesn’t work. At least I haven’t found a way that works.
What would be the best way to do this?
I have an external IPv4 that is connected to the Internet: 123.123.123.123 - ucs.meinedomain.de
Then there is an internal IPv4: 192.168.1.250 - ucs.mydomain.intranet
Of course, I could also think about putting something like ZeroTier on all servers (internal and external). This option could perhaps still be selected. If Univention allows such a thing.
I’m having difficulty understanding what you are trying to achieve.
Are you after something like this?
If so, my question would be if you run your own external DNS or simply rely on your hosting company. Maybe you can just add a DNS entry to their global DNS (ldap.FQDN.de) and point it at your router. Do a port forward of 389 & 636 to the UCS and you are done. NOW, this is very risky and you will have millions of login attempts every day directly on your UCS domain controller.
I bet you know Integrate LDAP with GitLab | GitLab already, and looked at the Univention Corporate Server - Manual for users and administrators
I would suggest you search the forum for similar topics (i.e. external domain) and then start a new one if you still need help.
Cheers