We have recently undergone a network topology change and reduction of onsite equipment and infrastructure. What we have in place now:
- HPE switching: all L2, as most L3 is handed off to the Fortigates
- Fortigate: handles DHCP, DNS for some VLANs, firewall, and L3 routing duties (for all VLANs). At our largest campus this is a 100E unit; at our other two campuses it’s 30Es. Site-to-site VPN is configured between sites. We have a consistent VLAN and subnetting strategy (10.campus.vlid.client in /24s for ‘private’, and each campus has a 172.16.x.x/22 for guest)
- PBX: only at the main site. SIP phones at other sites use the site-to-site VPN
- Print Server: Each campus has a print server (Windows Server 2019) that also runs the appropriate PaperCut roles: Print Provider & Mobility Print Server. The smaller campuses are ‘site servers’ in PaperCut terminology. The largest campus handles Application Server responsibilities and Web Print server responsibilities also
- Azure: There is a site-to-site VPN between the Fortigate(s) and Azure. It’s architected by our IT Services MSP.
- NVR server: Blue Iris for security cameras (all at the main campus)
- 87% of clients are ChromeOS, 12% are MacOS (MDM managed), and 1% are Windows (AzureAD + Intune managed)
Challenges I’m thinking through:
- We’re not running significant DNS server structures internally. What the fortigate is capable of is all we have (or really want at this point)
- I have some systems I trust (such as the PBX) to use standard port forwarding and NAT for providing access to the system when someone is offsite
- I would prefer that access to the PaperCut user portal “just works”. However, that (realistically) means exposing it in some way, shape or form externally.
- I’m not sure I trust the security of the PaperCut MF system as much as I would Fortigate/Windows/PBX. I believe it runs some version of Java for its web server, but it only gets updated after our copiers are certified (which sometimes takes a long time).
- Is something like a basic reverse proxy an easy way to expose services (such as PaperCut MF) while not taking stupid risks? My googling says that Fortigates can often do this for you to a certain extent.
- Other suggestions on how to enable access for the PaperCut portal, but not make unnecessary security risks?
- I wouldn’t mind having a ‘better security’ solution I can throw in front of things that need some kind of external accessibility but are out of the norm (like PaperCut and the NVR server)
- We’re trying to do as many things as we can that are ZeroTrust/BeyondCorp style (reasonably)