CommuniGate Pro
Version 6.4
 

Network

CommuniGate Pro is a network server, and it needs to know the configuration of your network. Most of the settings are retrieved automatically from your OS setup, but you may want to change these settings and/or specify additional settings.

This section describes the CommuniGate Pro network settings.



Address Lists

Many CommuniGate Pro components use Network (IP) Address lists. These lists specify Client and Blacklisted addresses, access restrictions for Listeners, etc.

Use the WebAdmin Interface to specify your Address Lists. Open the Network pages in the Settings realm, then open the Address Lists page.

[WebAdmin form: existing Address Lists (e.g. LAN) and a "New Address List Name" field]

To create a new Address List, enter the name of the List and click the "Create Address List" button.
The name may contain Latin letters, digits, and the symbols ._- (dot, underscore, minus). Names are not case-sensitive.
One Address List can refer to another through this name.

To edit an existing Address List, click on the link with the list name.

A Network Address List is specified as multi-line text data.

Each text line should contain one of the following:
  • one IP address
  • an address range - two IP addresses separated with the minus (-) symbol: a range includes both IP addresses and all addresses between them
  • an address and a numeric mask, separated with the slash (/) symbol.
    The mask value should be between 1 and 32 for IPv4 addresses and between 1 and 128 for IPv6 addresses. It specifies how many high-order bits of the specified address are significant; the remaining low-order bits of the address must be zero. The range includes all addresses with the specified high-order bits.
  • a reference to another Address List - the # symbol followed by the list name.
  • a domain name search template - the #@ symbols followed by the template.
    The Server tries to get the domain name for the IP address (if the IP address is aa.bb.cc.dd, the Server tries to retrieve the PTR record for the dd.cc.bb.aa.in-addr.arpa name). If a PTR domain name is retrieved, it is checked against the template. The template can include the wildcard (*) symbol.
    Note: when a domain search template is used, the Server has to make an additional reverse-lookup DNS operation. This can delay the processing of incoming connections, so use templates only when really needed, and only when you cannot specify all IP addresses explicitly.
    Note: if the reverse-lookup DNS operation fails, the Server stores the DNR error text, enclosed in parentheses, in place of the host name, and the template is matched against that text. To include all network addresses that do not have reverse-DNS records, place the #@(host name is unknown) string into the list.

A line can be preceded with the exclamation point (!) symbol. In this case the addresses specified on that line are excluded from the set composed using the preceding lines, so the order of lines matters.

A comment, introduced with the semicolon (;) symbol or the double-slash (//) symbols, can be placed at the end of a line.
Lines starting with the semicolon symbol, and empty lines, are comment lines.

Testing Address for inclusion in the List

To test an IP address for inclusion in the list of addresses, enter it in the "Address to Test:" field and click "Test".

[WebAdmin form: "Address to Test" field, with the result (e.g. Included) shown next to it]


The result of the test can be one of the following messages:

Included
The IP address is included in the List.
Not Included
The IP address is not included in the List.
Excluded
The IP address is excluded from the List via (!) symbol.
Error
Incorrect IP address, or a syntax error in the List.


LAN Addresses

If you use CommuniGate Pro in a corporate environment, most of your users will connect to the Server from the corporate LAN(s).

Use the WebAdmin Interface to specify your LAN Addresses. Open the Network pages in the Settings realm, then open the LAN IPs page.

[WebAdmin form: LAN IP Addresses table and "Server LAN IP Address" selector]

The LAN IP Addresses table initially contains the addresses the CommuniGate Pro software retrieved from the Server OS configuration. Correct this list so that it includes all LANs (local networks) the CommuniGate Pro Server needs to serve.
The Network Address Lists section explains the list format.

The list of LAN IP Addresses is used to support Real-Time (voice, video, etc.) communications: it tells the CommuniGate Pro Server which addresses are NAT'ed ("local") addresses, i.e. which addresses cannot be contacted directly from the Internet.

Use the "Server LAN IP Address" setting to select the Server's own IP Address the Server OS uses to communicate with computers on the LAN.

LAN Segments

If the Server is linked to several networks, and those networks do not have direct access to each other, then those networks must additionally be specified as Segments. This tells the Server whether clients from those networks can connect to each other directly, or whether they need to be proxied through the Server.

[WebAdmin form: LAN Segments, each with its own "Server LAN IP Address" selector]

To specify the address for outgoing connections opened to a particular network Segment, use the "Server LAN IP Address" setting to select the Server's own IP address. The specified address must be within the address range of that Segment.


Client Addresses

Some addresses can be selected to give them a higher priority or special privileges compared to other addresses.

Use the WebAdmin Interface to open the Network pages inside the Settings section (realm), and click the "Client IP Addresses" link.

Enter the IP addresses your clients connect from, as well as the IP addresses of other systems that should be allowed to use your server:

Client IP Addresses

In a Cluster environment, the cluster-wide Client IP Addresses list is processed as an extension of the server-wide list: an address is considered a Client address if it is included in either the server-wide or the cluster-wide list.


Denied Addresses

You may want to deny access to your Server for all incoming TCP connections and UDP packets coming from certain IP Addresses.

Use the WebAdmin Interface to specify the Denied Addresses. Open the Network pages in the Settings realm, then open the Blacklisted IPs page.

Denied IP Addresses

The TCP and UDP Listeners consult this IP Address list before they check their own restriction settings, so a denied address is rejected even if a Listener's own rules would accept it.

In a Cluster environment, connections and packets from an IP Address are denied if that Address is included into either Server-wide or Cluster-wide Denied IP Addresses list.


UnBlacklistable (White Hole) IP Addresses

When using RBL Servers or DNS Names for blacklisting, you may want to avoid blacklisting certain sites. Keep this list short: every address on it bypasses RBL and DNS-name blacklisting entirely.

Use the WebAdmin Interface to specify the UnBlacklistable Addresses. Open the Network pages in the Settings realm, then open the Blacklisted IPs page.

UnBlacklistable (White Hole) IP Addresses

In a Cluster environment, connections and packets from an IP Address are not blacklisted if that Address is included into either Server-wide or Cluster-wide UnBlacklistable IP Addresses list.


Debug Addresses

You may need to obtain a detailed Log of all communications with certain clients or remote servers.

Use the WebAdmin Interface to specify the Debug Addresses. Open the Network pages in the Settings realm, then open the Debug IPs page.

Debug IP Addresses
When the Server:
  • accepts a TCP connection from an address in this list
  • opens a TCP connection to an address in this list
  • receives a UDP packet from an address in this list
  • sends a UDP packet to an address in this list
the protocol Log Level for that connection or packet is set to All Info.

Note: All Info protocol logs record the complete exchange, including authentication steps, so remove an address from this list as soon as the investigation is finished.

In a Cluster environment, both the Server-wide and the Cluster-wide Debug Addresses lists are checked.


Port Allocation

CommuniGate Pro can let the OS select "ephemeral ports" for outgoing TCP connections, or it can allocate these ports itself.
The ports used for Media Proxies and active FTP data connections are always allocated by the CommuniGate Pro Server itself.

Use the WebAdmin Interface to specify the port allocation parameters. Open the Network pages in the Settings realm, then open the LAN IPs page.

[WebAdmin form: UDP port range, Round-Robin Allocation; TCP port range, Reusage Delay, Use for Media Proxy only]
UDP
This setting specifies the port number range to be used for UDP proxy operations. If the CommuniGate Pro Server is behind a NAT/Firewall, make sure that all UDP packets received by the NAT/Firewall for these ports are relayed to the CommuniGate Pro Server.
TCP Ports
This setting specifies the port number range to be used for outgoing TCP connections, including proxy operations. If the CommuniGate Pro server is behind a NAT/Firewall, make sure that all TCP connections received by the NAT/Firewall for these ports are relayed to the CommuniGate Pro Server.
Round-Robin Allocation
When this option is selected, UDP and TCP ports are allocated evenly using the entire port range.
When this option is not selected, UDP and TCP ports are allocated using the first (lowest) available port in the port range.
Reusage Delay
An explicitly allocated TCP port can be re-used after a pause, which should not be smaller than the OS TCP TIME_WAIT time period. Use this setting to specify the re-usage delay.
Use for Media Proxy only
When this option is selected, TCP ports are explicitly allocated for TCP media proxy and FTP data channels only.
When this option is not selected, TCP ports are explicitly allocated for all outgoing TCP connections (SMTP, SMPP, RPOLL, etc.).

NATed Addresses

CommuniGate Pro can provide SIP and XIMSS signaling, and media communications for remote clients located behind NAT devices, implementing the far-end NAT traversal functionality.

See the NAT section for more details.


NAT/Firewall Parameters

There are two main types of LAN installations:
  • your CommuniGate Pro Server is installed behind a NAT/Firewall device;
    or
  • your CommuniGate Pro Server has at least two network interfaces, one connected to the LAN, and one - to the Internet (WAN).
[WebAdmin form: Local NAT/Firewall/Load Balancer - WAN IPv4 Address, WAN IPv6 Address]
WAN IPv4 Address
If your CommuniGate Pro Server has several network interfaces, some connecting it to the LAN and some to the WAN (Internet), use this setting to specify the IP address the Server OS uses by default when connecting to remote hosts over the Internet:
[figure: Network Firewall 1]

If your CommuniGate Pro Server is installed on a LAN behind a NAT/Firewall, the NAT/Firewall device should be configured to relay all connections arriving on its communication (POP, SMTP, SIP, XMPP, etc.) ports to the CommuniGate Pro Server LAN address. Use this setting to specify the public IP address on which your NAT/Firewall accepts those connections and "relays" them to CommuniGate Pro.

For example, if your CommuniGate Pro Server has the 10.0.1.12 IP address on your LAN, and the NAT/Firewall relays all incoming connections coming to the 77.77.77.77 IP address to the 10.0.1.12 address, specify the 77.77.77.77 IP address in this setting:

[figure: Network Firewall 2]
WAN IPv6 Address
If your CommuniGate Pro Server is connected to the IPv6 network, specify the Server IP address the Server OS uses by default to connect to remote hosts over the IPv6 Internet.

Domain Name Resolver (DNR)

Use the WebAdmin Interface to configure the Resolver settings. Open the Network pages in the Settings realm, and follow the DNS Resolver link.

Domain Name Resolver
[WebAdmin form: Log Level, Concurrent Requests, DNS Servers Addresses, Source IP Address, Balance Server Load, Use Supplementary Responses, Initial Time-out, Retry Limit]
Log Level
Use this setting to specify what kind of information the Domain Name Resolver should put in the Server Log. Usually you should use the Major or Problems levels. In the latter case you will see information about all failed DNS lookups; if you use RBL services, you may see a lot of failed lookups in the Log. When you experience problems with the Domain Name Resolver, you may want to set the Log Level setting to Low-Level or All Info: in this case protocol-level or link-level details will be recorded in the System Log as well.
The Resolver records in the System Log are marked with the DNR tag.
Concurrent Requests
This setting limits the number of concurrent requests the Resolver can send to Domain Name Servers. On a heavily loaded Mail or Signal relay processing many thousands of requests per second, this parameter should be chosen after some testing: older DNS servers may crash if asked to process too many concurrent requests.
DNS Addresses
This setting specifies how the CommuniGate Pro Server selects the DNS servers to use. If the OS-specified option is selected, the Server reads the DNS server addresses from the Server host OS. To force the server to re-read those addresses, click the Refresh button on the General page in the Settings section.
If the Custom option is selected, the CommuniGate Pro Server will use the DNS servers addresses listed in the text field next to this pop-up menu.
If no DNS server address is specified, the CommuniGate Pro Server uses the 127.0.0.1 address, trying to connect to a DNS server that can be running on the same computer as the CommuniGate Pro Server.
Balance Server Load
If this option is disabled, then the initial request is always sent to the first DNS server in the list, and if there is no response from that server, the request is resent to the second DNS server, etc.
If this option is enabled, then initial requests are sent to different DNS servers: the first initial request is sent to the first DNS server (and if it fails - the request is resent to the second DNS server), the second initial request is sent to the second DNS server (and if it fails - the request is resent to the third DNS server), etc.
Enable this option if your Server performs a lot of DNR operations and it can use several equally effective DNS servers.
Use Supplementary Responses
If this option is enabled, then "supplementary" (additional-section) records in MX and SRV responses are processed. These records contain the IP addresses (A and AAAA records) for the domain names listed in an MX or SRV response, so the Resolver relies on them instead of issuing separate DNR requests to retrieve those IP addresses.
Initial Time-out
The Domain Name System uses the connectionless UDP protocol by default, so if there is any network trouble a UDP request or response can simply be lost (TCP, by contrast, retransmits lost packets automatically).
The Domain Name Resolver waits for a response from a DNS server for the period of time specified with this option.
If no response arrives, the Resolver resends the request and waits twice as long; if that times out as well, it can resend the request again and wait three times as long, and so on.
If several Domain Name Servers are specified, each time the Resolver needs to repeat a request it sends it to the next DNS server in the list.
Retry Limit
This option specifies how many times the Resolver should resend the same request if it has not received any response from a DNS server.
Note: when a request is an RBL request, the Resolver sends the same request not more than twice, and both times it uses the same (Initial) response time-out.
Source IP Address
This option selects the source network address and port for the UDP DNR requests sent. If an IP address and/or a port is not specified, the address and/or port is selected by the Server host OS.

The Domain Name Resolver uses TCP connections if a DNS server sent a UDP response with the "Truncated" flag set. This feature allows the Resolver to retrieve very large records from DNS servers.

Dummy IP Addresses
This Address List setting allows you to specify network (IP) addresses that should be considered as "non-existent".

Some DNS authorities may choose to "map" all non-existent names within their domains to some special IP address(es).

When a domain name is resolved into IP addresses, the Resolver checks the first address. If this address is listed in the Dummy IP Addresses list, the Resolver returns the "unknown host/domain name" error code.
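The back-off described under Initial Time-out and Retry Limit, and the Dummy IP Addresses check just above, as an added example in Python. This is illustrative code written for this page, not CommuniGate Pro's resolver. The server addresses, timings and dummy range are constructed; the dummy list here accepts plain addresses and address/prefix entries rather than the full Address List syntax; and what is returned when a name resolves to no address at all is an assumption.

```python
"""Domain Name Resolver retry schedule and Dummy IP filtering (added example).

Models two documented behaviours: the Initial Time-out / Retry Limit back-off
(with Balance Server Load and the RBL special case) and the Dummy IP Addresses
check. Not CommuniGate Pro code; all sample values are constructed.
"""
import ipaddress

UNKNOWN_HOST_ERROR = "unknown host/domain name"


def retry_schedule(servers, initial_timeout, retry_limit, balance=False,
                   request_index=0, rbl=False):
    """Return the [(server, wait_seconds), ...] attempts for one DNR request.

    Attempt k (0-based) waits (k+1) * initial_timeout; each resend goes to the
    next server in the list. With Balance Server Load, the n-th initial request
    starts at server n mod len(servers). RBL requests are sent at most twice,
    both times with the initial time-out.
    """
    if not servers:
        raise ValueError("no DNS servers configured")
    start = request_index % len(servers) if balance else 0
    attempts = 2 if rbl else retry_limit + 1          # first send plus resends
    schedule = []
    for k in range(attempts):
        server = servers[(start + k) % len(servers)]
        wait = initial_timeout if rbl else initial_timeout * (k + 1)
        schedule.append((server, wait))
    return schedule


def worst_case_wait(schedule):
    """Seconds a caller (e.g. an SMTP session) can stall if every server stays silent."""
    return sum(wait for _, wait in schedule)


def apply_dummy_filter(resolved, dummy_list):
    """Mimic the Dummy IP Addresses check on a resolver result.

    resolved: ordered list of address strings returned for a name.
    dummy_list: 'addr' or 'addr/prefix' strings (simplified Address List).
    Only the first resolved address is examined, as documented; a hit turns
    the whole answer into the 'unknown host/domain name' error.
    """
    if not resolved:                                  # assumption: empty answer is an error
        return UNKNOWN_HOST_ERROR
    first = ipaddress.ip_address(resolved[0])
    for entry in dummy_list:
        net = ipaddress.ip_network(entry, strict=False)
        if first.version == net.version and first in net:
            return UNKNOWN_HOST_ERROR
    return list(resolved)


# Constructed sample configuration for the example
SAMPLE_SERVERS = ["192.0.2.53", "198.51.100.53"]
SAMPLE_DUMMY = ["203.0.113.0/24"]   # a registrar's wildcard "parking" range (constructed)

if __name__ == "__main__":
    plan = retry_schedule(SAMPLE_SERVERS, 3, 2)
    print("normal:", plan, "worst case", worst_case_wait(plan), "s")
    print("rbl:", retry_schedule(SAMPLE_SERVERS, 3, 2, rbl=True))
    print(apply_dummy_filter(["203.0.113.10", "198.51.100.8"], SAMPLE_DUMMY))
```

With an Initial Time-out of 3 seconds and a Retry Limit of 2, a name whose servers never answer holds the caller for 3 + 6 + 9 = 18 seconds; the RBL special case caps the same lookup at 6 seconds, which is why RBL checks on an SMTP connection stay bounded. Note that the dummy check looks at the first address only, so a wildcard "parking" address listed second is not caught.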

The Domain Name Resolver caches responses to SRV-type DNS requests.

Cache
[WebAdmin form: Cache Limit, Cache Negative]
Limit
The maximum Cache size. When the number of items in the cache exceeds this limit, the oldest unused records are removed from the cache.
Cache Negative
Use this setting to specify for how long negative (failure) DNS responses should be cached.

The Tester lets you check the responses to certain kinds of DNS requests.

[WebAdmin form: "Test Address" field]

The Tester can be used to check:

  • the true domain name in Punycode, if the domain name contains International characters
  • the Source and the target DNS Server IP addresses, and if the Balance Server Load setting works
  • the response time
  • the returned result
  • errors, if any.
Unlike the real Resolver, the Tester sends each request only once, ignoring the Retry Limit setting.


IPv6 Support

The CommuniGate Pro Server provides full support for both IPv4 and IPv6 network protocols for the following Server Operating Systems:
  • Linux
  • FreeBSD
  • MacOS X
  • Windows (Vista and newer)
  • Solaris
  • AIX

If the Server runs on a platform with IPv6 support, and it detects any local IPv6 address, it assumes that the IPv6 networking is enabled.
In this case, the Server creates all network sockets as IPv6 sockets. These sockets communicate with IPv4 systems using the IPv4-mapped IPv6 address method.

Note: The IPv4-mapped IPv6 address method is disabled by default in FreeBSD system kernels. Use the
sysctl -w net.inet6.ip6.v6only=0
command in your OS startup scripts to enable this method (or add net.inet6.ip6.v6only=0 to /etc/sysctl.conf so the setting survives a reboot).
You can explicitly instruct the Server to switch IPv6 networking support on or off by using the --IPv6 Command Line Option:
  • --IPv6 NO switches the IPv6 support off, even if some local IPv6 addresses are detected.
  • --IPv6 YES switches the IPv6 support on, even if no local IPv6 address is detected, provided the Server OS supports IPv6 networking.

CommuniGate Pro Guide. Copyright © 2020-2023, AO StalkerSoft