Customers often ask what makes up the infrastructure that serves Kolab Now. This article outlines some of the high-level details about the current state of affairs.
Let’s start with a basic outline of the underlying infrastructure; Kolab Now, at the time of this writing, runs 22.9% Red Hat Enterprise Linux 6 and 77.1% Red Hat Enterprise Linux 7, both under support. Naturally, the number of RHEL 6 systems will decrease, and the number of RHEL 7 servers will increase over time. We’re not in the sentimental type of business.
This environment is largely made up of virtualized guests seated on fat IBM hardware as hypervisors — also under support. These hypervisors are “fat” in that they each have quite a few CPU sockets with multi-core CPUs, and are fully stuffed with RAM. These are some enterprise-grade systems — they even come with a chassis.
Kolab Now runs completely on Free Software, available as Kolab to the community, and supported by Kolab Systems. What makes the difference for Kolab Now is the continuous attention of seniors employed by Kolab Systems, the patron of Kolab and proprietor of Kolab Now. It should be no surprise that Kolab Systems applies its Kolab Enterprise Support and Services to Kolab Now (hence also this here).
External services, those facing the Internet, are separated from internal services. To this end, there are a few outer perimeter firewalls, some select perimeter networks and some groups of separate inner perimeter firewalls. Each of these firewalls is redundant, shares connection tracking tables and provides high availability for back-end services through load-balancing with health checks. Both outer and inner perimeter firewalls perform traffic shaping in order to ensure fair and balanced network traffic for all customers alike. Note that this is a scheduling matter, and not a bandwidth limitation.
Further network segmentation and separation, in combination with Policy Enforcement Points and the use of Split Horizon DNS, allows systems and services to know as little as possible about the rest of the environment. In other words, they only know what they need to know, and are permitted only what they need to do. It also allows very fine-grained control of traffic patterns.
It is worth noting that Kolab Now does not ever terminate SSL/TLS. This means that the Web Client will connect to LDAP, MariaDB, IMAP and other such services under a secure transport layer, which is not only encrypted but also provides Perfect Forward Secrecy. This significantly increases computing costs, and increases latency, but ensures that no unsecured traffic descends any wire (physical or virtual) anywhere throughout the network.
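One way a client of such back-end services could restrict itself to forward-secret TLS and audit the result, as an added example that is not Kolab Now's own configuration or code. The function names and the cipher string are assumptions chosen for illustration.

```python
import ssl

# Key exchanges that give forward secrecy in TLS 1.2 and earlier.
_EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-")


def is_forward_secret(name: str, protocol: str) -> bool:
    """True if a suite (OpenSSL name + protocol) uses an ephemeral key exchange."""
    if protocol == "TLSv1.3":
        # Full TLS 1.3 handshakes always use ephemeral (EC)DHE.
        return True
    return name.startswith(_EPHEMERAL_PREFIXES)


def build_internal_client_context() -> ssl.SSLContext:
    """Client context for back-end connections: verified certs, PFS suites only."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Drop static-RSA, anonymous and PSK suites; TLS 1.3 suites are unaffected.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!PSK")
    return ctx


def non_forward_secret(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that would not give forward secrecy."""
    return [c["name"] for c in ctx.get_ciphers()
            if not is_forward_secret(c["name"], c["protocol"])]


def negotiated_forward_secret(tls_sock: ssl.SSLSocket) -> bool:
    """Check the suite actually negotiated on a connected TLS socket."""
    name, protocol, _bits = tls_sock.cipher()
    return is_forward_secret(name, protocol)


if __name__ == "__main__":
    ctx = build_internal_client_context()
    print("non-PFS suites enabled:", non_forward_secret(ctx))
    # Constructed sample: a static-RSA suite name the audit must reject.
    print("AES256-GCM-SHA384 forward secret?",
          is_forward_secret("AES256-GCM-SHA384", "TLSv1.2"))
```

`negotiated_forward_secret` can be called on the socket returned by `ctx.wrap_socket(...)` after connecting, to confirm what the server actually agreed to rather than what the client offered.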