Zero License Costs? It is possible!

BACK

(by KMJ, Edition 2017-05, permission to publish the book at EURAFRI Project as of 2021-05)

CEO and CIO Coaching & Consulting

This book will show you that it is possible to run your IT without any license costs. A book for managers ready to take over responsibility and reduce the TCO (total cost of ownership). Descriptions of enterprise ready software plus checks to move services back from foreign servers on the Internet – aka Cloud – to your office and much more is inside this book.

Edition 2017-05

By Karl M. Joch

Copyright © 2017-2021

• Website: KMJ.at

The books and e-books page on Karl’s site:

• KMJ.at/buecher-und-e-books/

Exclusive distribution of this e-book by:

• CTS GMBH - A-5020 Austria

---

The author’s intellectual property rights are protected by international Copyright law. You are licensed to use this digital copy strictly for your personal enjoyment only. It must not be redistributed or offered for sale in any form.

Non of my book are “an advice” in any form. I describe my own experiences, which must not work for you. You should never try things out without asking an expert first.

---

Thank you for taking the time to read through my book. I will do my best to keep it short, explain complicated things the easy way, understandable for decision makers.

A lot of things has changed to operate a secure and stable IT environment. It looks like there are two common ways at the moment.

One is trying to get private people and companies to move their IT systems inside a “Cloud”. This sounds great in the first step. Lobbyists promises that you are able to delegate the responsibility for your IT infrastructure to service providers. Furthermore, you will be promised that you are able to reduce your IT staff, reduce the cost of employment and your stress with IT will be gone. For sure, “Cloud” providers have a lot of tools to help you to transfer your valuable data into the “Cloud” very easy. The funniest part of these solutions is, that, mostly poor educated, IT employees believes this can protect their job in the long run. Great for service providers to have help in getting valued data onto their Internet servers aka “Cloud”.

For managers and decision makers it is kinda hard to find the best way for their companies. Even the “Cloud” version is out the scope of this book I will ask you a very few questions and you should be able to decide very easy.

First of all you have to understand the definition “Cloud”. The “Cloud” simply is one or more servers on the Internet, operated by different people. There is not “one Cloud”! Everybody is able to setup a server on the Internet, offering space or services like e-mail or similar and name it “Cloud”. So there are millions of “Clouds” and marketing departments found a great name to get people used to save their data on foreign servers they do not control. Funny part of it, if you ask somebody to save data on Internet servers, mosts says, no, I would not do it!

The first question I ask customers if they come up with the idea of putting their data and services into the “Cloud” is always the same.

“Remember a few years ago. A new supplier visits your company and ask you to print out all of your customers data, contacts, CRM notices, sales and forecast reports and put everything in his car. He promises you that he will not read or use any of your data. He finally tells you, that it is for sure better he has all of your data, than they are in your company.”

If you agree with this new supplier, the “Cloud” is your way.

“As a CEO or CIO you prefer to delegate the responsibility for your business to people you don’t know? You reduce your employees because you think some people you don’t know will make the job cheaper and better than your educated and loyal staff? Better is not nessesary, cheap is your way?”

If you answer with no, continue reading.

I don’t want to go to deep into this “Cloud” thing, but for sure there is a huge risk for you and your job in case something happens.

As usual, operating an own IT infrastructure is more work, needs professional IT-people and a budget to run everything smoothly and safe. Before you stop reading here you should at least double check the following:

• Is this cheap price a special offer to get you on the boat and your costs increase if you moved everything?
• Is there a detailed plan to move out of the “Cloud” if you want to go back to own servers or move to another provider? Are you married with this service forever? Is this plan as detailed as the plan to move into it?
• Data you receive if canceling their service is usable with other programs or services? Data only usable inside this special “Cloud” can be worthless if you try to move out of the “Cloud”
• Do you have a backup and fail-over strategy?
• Is there a detailed plan what happens if your service providers shuts down the service without previous information? Imagine e.g. bankruptcy with immediate power down because nobody wants to pay the energy bill. How long do you need to continue in a case like this? Are you able to reestablish data and services within one week? Do you survive a one week outage?
• Backup is on the servers of the service provider or at a separated location, e.g. your office? In case the backup is at the service provider you are in the position of a possible 100% loss. Fully your responsibility, not the service providers.
• Have you tested the backup to work for setting up data and services using in-house servers in case of emergency?

At least the last point must work to be able to reestablish in-house IT and survive outages or service shutdown at the provider.

Reading the above, you already know that this is not the way I suggest.

Even after over 30 years in business I do believe in responsible managers and professional IT people. I have seen so many falling stars coming and leaving the business. My way to operate stable and secure IT environments with a low TCO was very successful. A part of this knowledge is written down in this book.

I have met so much great IT specialists and we have finalized impressive projects in over 15 countries. A lot of customers are at CTS since 10 or 20 years. The CTS way of implementing solutions is loved by them. If you continue reading this book will tell you a way to operate your IT infrastructure without license costs to reduce TOC while still operating secure and stable.

Every IT specialist with standard knowledge is able to implement the solutions for you. There is no excuse. And if things like – this looks a little bit different now – is a problem, the complaining ones doesn’t face the reality. Upgrading some software you use now, will let things look different too.

The solution works the same way for smallest offices up to mid-size businesses and TOP 500’s. For sure, depending on the companies size there will be need for proprietary software solutions, e.g. product development, CAD or similar. Hybrid IT infrastructure still can reduce the TCO a lot.

And just to make sure you understand why the argument – there is no support – is wrong I want to ask you:

• You ever was able to call at your proprietary operating system and software supplier for help for free?

I always have to laugh if people mentioning this, imaging them calling their operating system supplier.

The answer is easy. Most Open Source projects are actively maintained and developed. There are a lot of projects offering commercial support to companies too. Bug fixes are mostly available within hours using community support. In the worst case you still would be able to hire a programmer to fix your problem changing the source code (not available with propriety software). Decide at your own, I am sure you got the picture.

We will start with the basic systems.

Hardware and virtualization software

Meanwhile, hardware is too powerful to operate only one server or service on it. Virtualization is the way to go. Some years ago one needs to setup hardware for every server and operating systems was installed bare metal on these servers. As server power raised, some specialists developed virtualization software. Installing this software on the server one was able to create virtual machines on this hardware and run more than one – virtual – servers on it. We have some single hardware running 20 and more virtual servers on it. Imagine a box around the former server. They all run inside this hardware now.

To setup the server you need to select from one of the available virtualization software packages.

At the time of writing this book VMware is the leading virtualization platform. Even it is not open source and they offer different payed versions, the VMware vSphere Hypervisor 6.5 is available for free.

• https://my.vmware.com/de/web/vmware/evalcenter?p=free-esxi6

Depending on the size of your company you will setup one or more physical servers to operate as virtualized servers. Starting with 6.5 management can be done using your web browser. Setup is painless and straight forward. The free version will be enough for most companies.

Update 2021 Meanwhile I fully changed from VMWare to Proxmox, which is Open Source Virtualization. It includes Cluster, Backup and Restore and much more and made no Problems since years now. Their website is at https://proxmox.com

Currently I run 3 Proxmox 6 servers, each with 2 strong CPU’s , 128GB RAM, and 1 TB datastores in the private lab. Servers operates around 39 virtual machines running different Open Source operating systems.

I do think this would be the way to go for you too.

The setup of the software is very fast and needs only around one hour per server, including basic server settings and network setup.

The next step is to prepare a fully automated snapshot backup for the virtual machines on it.

Open Source Snapshot Backup

Operating virtual server’s means you are in need of backups for every virtual machine running on your hardware. Proxmox and other virtualization software offers the possibility for Snapshots. This means, at the time of creating the Snapshot this Snapshot freezes an image of the virtual machine, while it continues to run. The Snapshot can now be safely backed up without the risk of data being changed during the backup time. Users can continue to work as normal. After the backup is finished, the Snapshot is deleted. In case you need to restore the backup you will be able to continue to work with the data of the Snapshot.

Snapshot backups are full backups and do not handle file-by-file backup or restore. For sure, you can restore the snapshot on a different location and recover single files from it. Even, while the original virtual machine is still running.

You should have some NFS NAS system available to hold your backups and move them from there to some USB3 harddisks for offline storage too.

We have the basic setup done now and operate one or more virtualized servers with backup and restore possibilities.

Take a few minutes to think about backup times and offline storage. I suggest at least ten USB3 disks for 2 weeks offline backups and one additional disk per month. But backup strategy must be created by you, fitting your company. If you are in need of a NAS system you can setup the Open Source NAS system - FreeNAS – without any software costs on your hardware: http://www.freenas.org . Using this great software since years without any problems. Add a small rsync-to-USB3 script and you are done. There are a lot of other free and Open Source NAS projects available.

Your setup after these first steps should look like this:

Our next step is to protect ourself with a firewall. No system, server or workstation, should be connected to the Internet without a well designed firewall.

Firewall with failover and replication

A firewall is definitely a must to protect yourself and your data while being connected to the Internet. We are looking for a firewall with features like:

• Filtering by source and destination IP, IP protocol, source and destination port for TCP and UDP traffic
• Option to log or not log traffic matching each rule.
• Allow blocking based on GeoIPs to only allow countries you are working with.
• Highly flexible policy routing possible by selecting gateway on a per-rule basis (for load balancing, failover, multiple WAN, etc.)
• Aliases allow grouping and naming of IPs, networks and ports. This helps keep your firewall ruleset clean and easy to understand, especially in environments with multiple public IPs and numerous servers.
• Network Address Translation (NAT) with incoming port forwardings, 1:1 NAT and Outbound NAT to reflect different IP’s in a setup with multiple public WAN IP’s.
• High Availability automatic failover configuration. Two or more firewalls can be configured as a failover group. If one interface fails on the primary or the primary goes offline entirely, the secondary becomes active. The firewalls state table is replicated to all failover configured firewalls. This means your existing connections will be maintained in the case of failure, which is important to prevent network disruptions.
• The software also includes configuration synchronization capabilities, so you make your configuration changes on the primary and they automatically synchronize to the secondary firewall.
• Multi-WAN load Balancing and failover for improved Internet availability and bandwidth usage distribution.
• Server Load Balancing
• Virtual Private Network (VPN) supporting IPsec and OpenVPN
• Report and Monitoring including graphical visualisation.
• Real time configuration
• DNS, DHCP and NTP Server
• Transparent layer 2 firewalling capable - can bridge interfaces and filter traffic between them, even allowing for an IP-less firewall

After reading through all of these requirements you will think about a few ten-thousands for buying and maintaining these systems. But, as written in the title, you can have these impressive features for free.

Based on FreeBSD the pfSense firewall is fully Open Source and without any license cost.

• https://www.pfsense.org/

pfSense supports all of these features without any usage limit. Every IT administrator with knowledge in firewalls is able to setup everything pretty fast. For sure, managing a firewall needs deep understanding of the underlaying protocols. But I assume an educated administrator will definitely want to fully understand the traffic flowing through his firewall. If not, better don’t let these people touch a firewall.

Because some administrators do not cover 100% of these requirements companies like CTS are remote managing firewalls for customers. This way, the very special initial setup part is done by firewall professionals and the daily operation is managed in-house.

In all the years I never needed more functionality than pfSense offers meanwhile. In the past we sometimes build special FreeBSD or Linux Systems for the above features, but now, there is no need for it anymore. And definitely there was never a custom feature request, offered by payed solutions only. Open Source Solutions always had all needed features built in to roll-out safe and stable solutions. Just in case, most of the Open Source projects offer payed support to commercial customers too. There is no excuse against these great solutions. Assuming a small to mid size company you will setup two firewalls, preferred one on each of the two virtualized systems. That way you have great, fully high availability compliant, security.

The final setup will include four network interfaces on each firewall. One is used for the LAN traffic, one for the HA syncing traffic between the firewalls, one as a DMZ (a special network for public services like e-mail, web aso. See Wikipedia for further info.

Furthermore, a good network administrator never adds an “allow all from any to any” rule on any of the interfaces. It is a requirement that on each Interface every in and out traffic is blocked by default. Administrators enables traffic on the different interfaces as required by services.

After setting up the firewall(s) you already have a secure and professional setup. You can add virtual servers and services now. Full configuration can be exported to an XML file. If you want to recover a pfSense firewall, setup a fresh install and upload the XML file. Every setting is restored and you can not forget where you have clicked as with other systems.

Open Source software mostly does not ask you to fresh install and resetup everything. Configurations are mostly saved in files and you can restore or copy configuration while migrating things. A huge time saving compared to a lot of proprietary solutions.

Compared to other solutions we already saved a huge amount of money. Maintaining pfSense is easy. Updates can be invoked from the web interface and everything is fully automated and free. We are ready to add services to our installation now.

We are running with a High Availability automatic failover configuration for free!

Company network - Basic Services

We will need some basic services to operate our companies IT infrastructure. A few of them can be handled by the pfSense system:

Intranet DNS server

You are able to enable failover DNS servers for your LAN using the pfSense firewall. Even host and domain overrides are supported to maintain huge setups with reversed DNS zones on different DNS servers. If you use the DHCP server on this system too, you can register your dynamic and static mappings. Listening Interfaces can be set to listen on the LAN and DMZ side only.

All of your LAN and DMZ systems should use these local DNS servers and access to foreign DNS should be blocked in the firewall to increase security.

Intranet DHCP server

A DHCP server should be enabled on the LAN interface only. This service provides systems connected to your LAN with IP addresses and informations about default gateway, DNS servers, NTP time servers and much more. Pools handles clients without static mapping. You are able to set static LAN IP’s for different systems too. A basic rule is to static map systems offering services and printers. If you operate some WLAN or Guest WLAN special rules are required.

A general security rule is to never connect a system to your LAN which was connected to the Internet externally. Suppliers and customers should never be allowed to connect to the LAN.

Intranet NTP Server

The time server needed for your network can be provided by the pfSense firewall too. Fill out the NTP settings field in the DHCP settings and enable the time server on both firewalls. Enable the NTP server on LAN and DMZ interface only!

Intranet Proxy server with virus scanner

To be honest, users are not able to decide about the danger arriving from the Internet. Script Kiddies, Bots, Hackers and a lot of Phishing and Scam is going on in the net. To protect you as much as possible you should setup an Intranet proxy server for your LAN users. A proxy server handles all of the Internet requests for your users. Instead of loading the requested page direct from the foreign server the users browser forwards the request to the proxy server. The request will be handled by requesting the page, checking the domain and IP against a block list and virus checking the content received. If everything looks clean, the content is forwarded to the users browser. Firewall should be created in a way that users are only allowed to connect the proxy port and all other ports are closed in and out. This reduces security risks a lot.

Great proxy servers like Squid are available as Open Source Software.

• http://www.squid-cache.org/
• http://www.squidguard.org/Devel/

The above named pfSense Firewall includes a full setup for a Squid proxy server including SquidGuard and Virus protection. Easy to setup and maintain.

If you have a huge amount of clients simply setup one or more pfSense systems as proxy server and sync the configuration. That way you can even manage a proxy farm while making all settings on a main proxy server only. Using pfSense you are able to have a full automated failover for the proxy server too. By using GeoIP blocking you are able to block countries you are not working with. This enhances the security a lot. Especially some download and execute attacks loads additional software from servers you can block kinda easy.

In case some users needs to have special ports open you should static map their systems and create outbound rules to allow these services. Always try to use software through the proxy first. Most professional software is able to set a proxy server in their configuration.

Bad programmed software is a security risk by itself and these programs are often not able to use a proxy. The best thing is to replace software like this with well programed one.

VPN to access services or net-to-net

Do not public open services used by your users while traveling. NEVER!! NO EXCUSE!! If you check your firewall logs you will see a lot of traffic from bots checking as much IP addresses as possible for buggy software or possible attacks. And NO, in the first step they don’t care if you are a small business owner or a TOP 500. A bot is software often controlled by criminal bot networks, mostly running on compromised systems. So there is nobody you can make responsible depending on the actual law.

These bots acts on every IP, trying different ports and exploits. If you are running software which is exploitable your are open to be hacked by them. Most software had or has exploitable bugs in it. Opening software to the public is a huge risk.

That is why we have created a DMZ to reduce the risk of public available services. Public available services like e-mail will run in the DMZ network. This systems are available to the public and to your LAN users. But systems from the DMZ can not reach the LAN by themselves. If one of these DMZ systems is hacked, your LAN is still safe.

But we will open public available services only where it is really needed. All other services should be behind an VPN.

• https://en.wikipedia.org/wiki/Virtual_Private_Network

A full enterprise ready OpenVPN server can be enabled on the pfSense system to handle all certificates, users and possible connections. You should connect your clients assigning them IP addresses from a routed VPN network and filter access on the OpenVPN or Ipsec firewall interface very restrictive.

OpenVPN Client is available for Linux, Unix, Windows, Android and IOS. Your users will have their encrypted key and a password to be able to connect. If the VPN is established your firewall can allow access to different services. pfSense has a client export package where you can download all needed installers. (install it via package manager) OpenVPN Server can be installed on a different system too, but I really suggest you use pfSense. Pretty easy setup and management and no data are sent to somebody, nor does it “call home”.

You are able to setup more pfSense systems if you have a lot of VPN users. With configuration sync you work only on the master system.

You are able to connect networks of different physical locations using a net-to-net connection and route the networks inside the tunnel. Net-to-net enables you to create a single company network even they are physically on different locations. You should us a different net for each location, e.g. 192.168.1.0/24 for localtion 1 and 192.168.2.0/24 for location 2.

Route the networks through the tunnel while fine grading firewall rules on the OpenVPN and LAN interface. Only open required services between the networks to reduce the chances to be compromised by a client connected to the other location.

We are nearly ready to add users to our network. Till now every step was needed to harden the security or provide basic system services.

Using the above setup all named services are running with a High Availability automatic failover setup. If one system crashes the second one takes over without any human activity.

We are missing e-mail services with calendar and address book and an in-house Cloud system to exchange data. Let start with e-mail services.

E-Mail and Groupware server

A long time missed piece in the Open Source world made it hard to replace Microsoft Exchange in the past. With SOGo it is now possible to serve clients running Linux, Apple’s OSX or Microsoft Windows with e-mail, calendar, addressbook, tasks and more. Mobile clients running IOS or Android are fully supported too.

• https://sogo.nu/about.html#/features

SOGo is a free and modern scalable groupware server. It offers shared calendars, address books, and emails through your favorite Web browser and by using a native client such as Mozilla Thunderbird and Lightning. SOGo is standard-compliant. It supports CalDAV, CardDAV, GroupDAV, iMIP and iTIP and reuses existing IMAP, SMTP and database servers - making the solution easy to deploy and interoperable with many applications.

The SOGo features are:

• Scalable architecture suitable for deployments from dozens to many thousands of users
• Rich Web-based interface that shares the look and feel, the features and the data of Mozilla Thunderbird and Lightning
• Improved integration with Mozilla Thunderbird and Lightning by using the SOGo Connector and the SOGo Integrator
• Native compatibility for Microsoft Outlook 2003, 2007, 2010, 2013, 2016 and 2019
• Two-way synchronization support with any Microsoft ActiveSync-capable device, or Outlook 2013++

SOGo is developed by a community of developers located mainly in North America and Europe.

• More information

The project has a very good description including graphics here https://sogo.nu/about.html . SOGo is very easy to setup and you will have a great solution to handle all of your requirements.

As a manager you should read their website at: https://sogo.nu/about.html#/why and https://sogo.nu/about.html#/features . I will write a technical e-book describing a full SOGo setup for administrators soon.

If the SOGo setup is done, all of your data are on a safe place inside your company. Especially e-mails, contacts and calendars should never be available outside of your company. Outsourcing data able to destroy your business is not smart and too many services already have announced – we are so sorry, we was hacked, customers data was stolen – in the past.

I don’t say, your office servers can’t be hacked, but if you run recent versions and monitor everything, your Linux and FreeBSD servers are very safe places. A good admin will protect your data as much as possible and monitor your IT environment to be alerted if unusal things happens. Everybody who has access to your data will have enough informations to be able to take over your customers, suppliers or your whole business and you won’t even know it, at least till they won. Imagine you are able to check your competitions schedules, contacts and e-mails. The only place for these data is in-house on your servers, even there are costs. I am sure you agree.

For sure all your user connections to and from the server are encrypted and no plain text data transfer happens. Furthermore, if your communication partners servers supports encryption, server-to-server e-mail transmission is strong encrypted too.

You can add end-to-end encryption using S/MIME or PGP to make sure only the recipient is able to read your message. Message is transmitted and saved encrypted, so even admin is not able to read your e-mails. I met too much of these “I don’t care, I don’t have the time, it is to expensive, I have nothing to hide” people. They always cry louder than all other if something happens to them. Learning, one was not smart the hard way can hurt and most of the time its to late to recover something. Their decision, their responsibility, their fault and hopefully their money.

Read about Thunderbird with SOGo integrator as e-mail and groupware client. Great free and safe solution, working on Microsoft Windows, MAC and Linux.

E-Mail filter and virus scanner

You should add some Spam and virus e-mail filtering in front of the SOGo Server to protect you even more. I use a dedicated e-mail gateway to filter Spam and viruses. Incoming e-mails pass this gateway before they are forwarded to your local e-mail and groupware server. For sure outgoing e-mails are sent through this gateway too. If something happens on our network we do not affect partners this way.

The gateway is based on FreeBSD or Linux. All of the named packages are available for both operating systems. Setup is straight forward and pretty easy.

I suggest this software on the gateway

• Sendmail or Postfix with TLS/SSL enabled
• MailScanner

MailScanner is the number 1 Open Source e-mail filter. Totally free, with millions of downloads it is used at ten-thousands of sites around the world, protecting top government departments, commercial corporations and educational institutions. This technology has become the standard email solution at many ISP sites for virus protection and spam filtering.

• SpamAssassin

MailScanner supports using SpamAssassin, the number 1 Open source anti-spam plattform. It uses a robust scoring framework and plug-ins to integrate a wide range of advanced heuristic and statistical analysis tests on email headers and body text including text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases. MailScanner invokes SpamAssassin on every scan. A powerful and reliable solution since a very long time.

• ClamAV Virus Scanner

ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats. MailScanner supports using ClamAV as virus scanner for every incoming and outgoing e-mail.

Using the combination of MailScanner, SpamAssassin and ClamAV is the number 1 free solutions to protect your e-mail traffic.

• MailWatch

Adding MailWatch to the gateway you have a full featured web based front-end to your MailScanner gateway. Easy to install with a simple interface MailWatch produces awesome reports and can handle per domain and user filter. Quarantine management allows you to release, delete or run sa-learn across any quarantined messages. XML-RPC support that allows multiple MailScanner/MailWatch installations to act as one

We already have a great setup meanwhile. Heavily protected by firewalls and e-mail gateway, operating a full featured groupware server to handle all of our e-mail communication requirements, including calendar and address books, we are ready to add more needed services.

The e-mail and groupware server and the e-mail gateway should be placed inside the DMZ network. Firewall rules should be created depending on your requirement in regards of external access to your e-mail and groupware server. I know companies denying access without VPN and others denying access with mobile devices. But your company, your rules.

In-House Cloud System

In generally I suggest to block all proprietary attachments like text documents, spreadsheets and a lot more. These attachments often contains macros and script, executed by software assigned to this extension. MailScanner is able to identify attachments by content and not only by file naming.

Ignore complaints of people unable to decide the danger of it. Mostly they don’t want to add one extra step to their workflow, sometimes they have very bad IT knowledge and try to work as they always did. That’s the only thing they know about IT. And these people are the ones clicking on links, opening dangerous documents, executing programs even the operating system asked twice.

You are responsible to create the most secure workflow for your company. They have to follow your rules. Your are responsible for data, damages and costs in case something happens. Don’t give up fighting for security, even discussions can be pretty senseless with these people. Be smart and use your power to enforce security for your companies data.

People with IT knowledge will not complain. Others has to follow company policies. Do not get in the position that they tell you -“If you would have told me how danger this is, I would not have done it. It is not my fault, it is yours!” -

To securely exchange documents and files with known partners we will add an Open Source in-house Cloud server.

One of the best free and Open Source solutions to create some in-house Cloud service is

• ownCloud

ownCloud is a self-hosted file sync and share server. It provides access to your data through a web interface, sync clients or WebDAV while providing a platform to view, sync and share across devices easily — all under your control. ownCloud’s open architecture is extensible via a simple but powerful API for applications and plugins and it works with any storage.

Place the ownCloud service into the DMZ area of your network.

The full feature list of ownCloud can be found here:

• https://owncloud.org/features/

Native clients are available for all operating systems and mobile devices. For sure, you can use it with your browser too. Setup with heavy SSL encryption, using SSL v1.2 only, all communication is well protected against traffic sniffing.

You should read the ownCloud FAQ at https://owncloud.org/faq/ . They have very interesting sections there. One I want you to read here.

I can’t write it better:

(from the ownCloud FAQ)

• What is this ownCloud thing? Why would I care?

ownCloud is a file sharing server that puts the control and security of your own data back into your hands.

Today, most people have their digital life stored on online servers from various companies. Think Google, Apple, Facebook, Twitter, Dropbox, Instagram and many others. You uploaded your pictures, your music, your daily ramblings, happy and sad thoughts. You use these services to share with others, to send and receive emails, store address books, play music and video, have your files available on any device you want. All great features, no doubt! When your phone breaks, just having to log in to the new one to find all your pictures, contacts and other settings is an amazing and reassuring capability brought by these services, often (perhaps incorrectly) called ’the cloud'.

But you might wonder: “Where is this data? Who has access to it?”

These questions have become more pressing since the revelations that our own government is spying on us, and collecting and snooping into virtually all of our online communications. We know that foreign and our own governments have access. Criminals and large corporations, too. This knowledge about us can be used and abused in many ways, for financial gain, for control, for harmless and harmful fun.

Many people prefer to have more control over who gets to see the photos they send to their spouse or friends, who gets to read their bank account statements or determine their political allegiance. Or know where they are - as mobile phones track your location pretty much continuously…

This is where ownCloud and similar technologies come in. ownCloud offers you the option to take back your data. Once you install it on a server (or let somebody do that for you! Decentralization is an important tool to protect privacy) you can access your private data in an easy to use web interface or synchronize it with your devices like Android and iPhones. You can store your contacts and calendar as well as files on ownCloud and, through the many ownCloud apps, use it to store passwords, play music and movies and so on. It also allows you to securely share with other people and collaborate on documents. Learn more about ownCloud features here.

• https://owncloud.org/features/

All this is free, as ownCloud is available under an ‘open source license’, which gives you the right to examine, share and modify it. ownCloud is developed by an international community of both paid and volunteer contributors and you can get involved, too.

(end of FAQ)

Thanks to this great community you are able to put back your data under your control and you can securely exchange files with known people and companies to be as secure as possible.

You definitely want to install a service like this inside your DMZ area.

{#section-3 .western}

Encrypted Instant-Messaging server

To make communication as painless as possible you should add some instant messaging server, able to handle in-house communication and communication with other users, even they have no account on your server.

I suggest a self hosted Matrix Synapse Server ( https://matrix.org ) using the Element Matrix Messnger ( https://element.io ) on all devices and systems. Element MAtrix Messenger is a All-in-one secure chat app for teams, friends and organisations. Keeps conversations in your control, safe from data-mining and ads. Talk to everyone through the open global Matrix network, protected by proper end-to-end encryption. SUpports Text, Voice and Video, including Jitsi Open Source Video Conferencing Integration.

File Sharing

To be honest, there will be no Linux only, Windows only, or MAC only network. You always end up with some hybrid environment, serving file shares to different operating systems. Because of this we will setup controlling infrastructure to serve all of them.

Assuming you have some Microsoft Windows client systems or terminal servers running inside your LAN you will need an Active Directory Domain Controller for user authentication and group policy. Linux, Unix and MAC uses LDAP mostly for these tasks. LDAP is also used for authentication SOGo e-mail and groupware accounts. Other services are often able to use LDAP for authentication too. E.g. web applications, in-house Cloud services and more. In case your DMZ systems use the later described authentication, never let the DMZ access the LAN service. Always setup an second server inside the DMZ and replicate the entries from the LAN side to the DMZ side.

There is a great Open Source solution, named Samba, solving all of these requirements.

• https://www.samba.org/

Samba has millions of installations, most ready to use home and office NAS systems contains samba for file sharing, authentication or to be used as domain controller. Samba is the standard Windows interoperability suite of programs for Linux and Unix. Samba is an important component to seamlessly integrate Linux/Unix Servers and Desktops into Active Directory environments. It can function both as a domain controller or as a regular domain member.

To keep it technically simple you should know, that Samba can operate as Domain Controller which includes an LDAP server.

From the Microsoft side you can manage the domain with Windows Feature “Remote Server Administration Tools”. The Active Directory Users and Groups snap-in worked swimmingly. You can create users and groups, set permissions and ownership for files. Other services can use the integrated LDAP server. I suggest you setup a single virtual machine, running FreeBSD with Samba 4 as Domain controller. Let the system only handle the domain controller and authentication part. Setup a second system on a different virtualized server to have a full auto failover setup. Do not setup file shares on these systems.

In case of Microsoft Windows involved, manage all user and permission settings through the Microsoft tools, even a user only connects with his Linux system. The Linux Authentication will happen through the LDAP server containing the Active Directory data. Now add a FreeNAS system or virtual machine and let this one join the domain and run as domain member, able to use user and permission settings.

To have a failover system you are able to add another FreeNAS system on Server 2 and replicate the data from FreeNAS 1 to FreeNAS 2. This is kinda High Availability setup.

The FreeNAS project describes the features of it as follows:

(Begin)

File sharing is what FreeNAS does best. Every major operating system is supported with SMB/CIFS (Windows file shares), NFS (Unix file shares) and AFP (Apple File Shares) as well as FTP, iSCSI (block sharing), WebDAV and other methods of sharing data over the network are available. iSCSI also supports VMware VAAI, Microsoft ODX and Microsoft Windows Server 2008 and 2012 R2++ Clustering.

Most operating systems, including Windows, Mac OS X, many Linux distributions, and PC-BSD® can connect using SMB shares with little or no additional configuration needed on the client side. Most Unix-like operating systems support connecting with NFS out of the box, and free clients are widely available. AFP is primarily used by Mac OSX and is well suited for a network environment that only connects with Macintosh clients. FreeNAS® also supports Time Machine backups.

(End)

Using FreeNAS for file sharing let you grow your network easy. Authentication is done by two separated systems and you can add as much storage servers as needed. Even authentication through VPN, using a local NAS system works out.

The greatest thing is, you can authenticate and mount the same shares from Microsoft Windows (SMB), Linux (pam_mount, SMB, NFS) and Apples OS (NFS, AFP). This way all users of your network shares the same data on all operating systems. A perfect way to build up usable hybrid infrastructure.

Meanwhile, we have setup nearly everything a company needs to operate the daily business. All network services, e-mail, groupware, instant messaging and in-house Cloud, including full firewall protection with HA failover setup. User authentication, domain controller and fileshares, usable with different operating systems for painless working together, even not using the same operating systems.

Open Source VoIP telephone system

We already have enabled services to communicate though e-mail and instant messaging. To add the ability to also make phone calls you should take a look at the Asterisk VoIP software.

• http://www.asterisk.org/

Asterisk is the number 1 Open Source communications toolkit. Asterisk powers IP PBX systems, VoIP gateways, conference servers, and is used by SMBs, enterprises, call centers, carriers and governments worldwide. For small and mid sized companies ( -250 physical phones) I suggest the FreePBX appliance. Really easy to setup.

https://www.freepbx.org/

FreePBX is a web-based open source GUI (graphical user interface) that controls and manages Asterisk (PBX), an open source communication server. FreePBX is licensed under the GNU General Public License (GPL), an open source license. You can download their installation media for free and setup a virtual server within your virtualized hardware to operate as your PBX.

The easiest way to install FreePBX is to download one of their ISOs and boot your virtual machine off the ISO. Your system will then reformat the virtual machines disk, and upon completion, you will have a fully functioning FreePBX PBX ready to configure your phones and trunks.

Using a VoIP system has great advantages. I only want to name a few:

• Easy mix of hardware phones, wireless phones, softphones on PC’S and mobile devices.
• If used inside a VPN connected companies network, calls are encrypted by the VPN, so all calls are protected against listening or tapping by others.
• Using a VPN also mobile Phone are able to use the company nuber and extension using soft client like LinPhone
• More then one device connected to on extension is supported, means office and mobile phone rings at the same time
• Leased cost routing can be easy setup. For small companies you can safe costs by using GSM gateways and SIP/IAX2 telephony providers. In bigger setups you can route the call through the telephony connection of your branch in some other country. Imagine you sit in the US and in Italy. If you call an Italian number, the call would be routed fully encrypted through your VPN, using the Italian connection to call the number. This way you have a local call only.

For sure, you also reduce the cost a lot. There is no need to buy any PBX or hardware. Your servers will do a great job.

For example one Asterisk server installed at a client handles 9 branches connected with VPN, 8 land line connections, 150 phones and a lot of mobile SIP clients connected with dial-in OpenVPN. They do around 500.000 calls a year without any complaints. A lot of add-ons and extra software is available for Asterisk based systems.

I don’t want to dive to deep into Asterisk and VoIP but this is for sure another Open Source solution reducing your costs and TCO a lot. And it is another step to get your privacy back. Using Asterisk and VPN all your in-house calls are heavily protected against listening or tapping. This way you are able to operate protected telephony conferences for your employees. If you want video conferences to, you should add a Jitsi Instance to your setup.

Asterisk base setup of provider connections and routing is normally done by specialists, but the daily operation is managed in-house by your admin. Using it since years without any problems.

Monitoring and alerting

Successfully managing IT infrastructure depends a lot on extensive automatisation and professional monitoring. Most admins already have perfect tested fully automated jobs running. In general all recurring IT jobs without the need of human intervention should be fully automated. Jobs should send e-mails in cause of successful ending or errors. Admins should not send e-mails only in case of error because if the job never runs you would assume successful and this could be deadly for your companies data.

Admins should establish jobs on all operating systems and shell scripts or languages like Perl or PHP are very helpful. There are thousands of free scripts available on the net and it should be possible to handle most of the jobs with already tested scripts for free. Every administrator knows the basics of Perl and PHP, Unix and Linux admin’s are experienced in shell scripting too. One of the most important parts of IT administration is to be informed about different problems as soon as they appear, preferred faster than the user calls your IT helpdesk to complain.

Professional monitoring is available for free using the number 1 Open Source monitoring software Nagios:

• https://www.nagios.org/

With Nagios it is possible to establish full featured monitoring and alerting for free. The setup is pretty easy and adding additional free Open Source software like the web based configuration tool NagiosQL

• https://sourceforge.net/projects/nagiosql/

and Nagiosgraph for graphical visualization of performance data

• http://nagiosgraph.sourceforge.net/

your administrators are able to see all network and server problems in one view.

But Nagios is more. In general administrators should not be in need to stare on the screen waiting till events occurs. Administrators should be able to work as normal and get alerted if their intervention is needed. Nagios allows fine tuned alerts, depending on hour of day, workday, holiday, weekend in combination with urgency of the alert. Depending on the settings Nagios is able to send e-mails, SMS or other alerts.

Administrators are able to delegate systems and alerts to other users. E.g. somebody in your company is responsible for printers. Alerts in regard to the printers can be sent to this person.

Nagios is not only able to monitor IT systems, routers and IT devices. One is able to monitor temperature of rooms, phone systems, alerting systems during office hours and all of this upcoming IoT (Internet of things) devices. Using a well planed setup with scalable layout one Nagios server running as virtual machine handles up to thousands of hosts and services.

As a conclusion one will be happy if the Nagios system alerts the Administrator about harddisks filling up critical, connectivity problems, increasing system load or memory usage and a lot more. Professional monitoring with Nagios reduces your downtimes and increases productivity of your users. Monitoring and alerting is a must for small companies up to TOP 500. There is no excuse, except you don’t need your IT infrastructure that hard and downtimes are not a problem.

Workstations, PC’s and Laptops

Till now this book was about setting up a license free server infrastructure and you learned, that it is possible to setup all needed services for free. For sure, your Administrator must be willing to help you on your way to reduce the TCO. I met so much great administrators willing to learn, self educating themselves, doing their IT job because they love what’s inside. For sure, I too met some different ones. In the long run the first group always succeeded.

There is one simply rule - “The good ones loves to find a way to get the job done, the others complain and let the time pass without getting their jobs done.” - As with other things there is no black or white. The final solution will always be grey. In our case this will end up in a hybrid IT infrastructure.

At the time of buying new hardware you should ask yourself if it is possible to operate systems with Open Source software. You will reduce your investment in hardware if you buy systems without pre-configured operating system. As much as I prefer FreeBSD for server operations, I do prefer Debian Linux on Workstations and Laptops.

• https://www.debian.org/

Debian Linux is very safe and available for free. Download the CD/USB-ISO and setup as many systems as you like for free. There are many more Linux distributions out there, e.g. Ubuntu, CentOS, doing a great job too. Feel free to test some of them to find your preferred distribution. Open Source is freedom of choice.

There are different ISO’s ready for download:

https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/

I prefer the KDE Desktop for our standard users and XFCE fro Linux terminal server environments and technical oriented setups.

• https://www.kde.org/
• https://xfce.org/

At the time of writing this book I work on Linux Desktops only. Using two Debian Workstations, one Debian Sid XFCE with four 24" monitors, one Debian Sid XFCE with one 32" monitor. Furthermore, there is a Linux Terminal server running Debian 10, as mentioned later. I am able to get all of my jobs done without any problems. I will describe some of the used software later. My Laptop is running Debian Sid with XFCE too. It was a longer way to reach this point, but now everything if free and Open Source. Also at CTS.at we have no Microsoft Windows systems left. Everything is Linux Desktops and FreeBSD and Linux servers.

You should no try to switch everything in one step. Start slowly, change to user land software running on all operating systems to give users the same view on every client system. Change to Thunderbird as e-mail, calendar and contacts client (this works with every IMAP, WebDAV and CardDAV server, not only SOGo). Use LibreOffice for text and calculation, replacing proprietary and expensive software. Step by step users will like the new software and get used to it. Switching the operating system later will not change the handling for them.

In real life you will change software first and later the operating system. Take your time to get the full change done. Depending on your requirements there are things to learn and to test. There is no difference in rolling out proprietary software or Open Source software. Community support is very helpful to move on this path.

Linux Terminal Server

An even more interesting solution is to operate a Linux Terminal Server running xrdp on your favorite Linux distribution.

• http://www.xrdp.org/

You will find a good description to Remote Desktop Services, or Terminal Services here:

• https://en.wikipedia.org/wiki/Remote_Desktop_Services

In short, using Terminal Services you are able to use any device like tablet PC, thin clients or full featured PC’s to connect to the Terminal Server. The protocol lets you view to screen of the remote system and you can use your keyboard, touchscreen and mouse to work. This works because on the device only the display, the keyboard and the mouse are used. All work is done by the terminal server. Depending on the RAM and CPU up to 50 users are able to work on one server.

The xrdp project lets you use any available RDP client software or device to connect to an Linux Terminal Server and work with your favorite Linux distribution. You even can connect from a standard Microsoft Windows system using the included mstsc.exe software used for Microsoft Remote Desktop or Terminal Server access to.

In hybrid environments using a Linux Terminal Server can be very helpful, but it is far more. Smaller companies are able to run all of their client on the Terminal Server using different devices to connect. There are advantages and disadvantages between using full featured PC’s and a Terminal Server. The trues is probably in the mid. Some users, especially working with desktop publish or CAD software will use a single PC, others will write, calculate and use the companies ERP system on the Terminal Server. System maintenance is easier on the Terminal Server. One update and all users are using the updated software version. Pretty cool for administrators.

The coolest part for the users is that they are able to disconnect from the server while all applications are still open. If they reconnect from the same or another device the desktop is as they left it when disconnecting and they continue immediately at this point. Office staff will never want a PC back after using a Terminal Server.

A Linux Terminal Server definitely should be on your roadmap.

Suggested Open Source Software

Firewall Builder

Firewall Builder is a GUI firewall management application for iptables, PF, Cisco ASA/PIX/FWSM, Cisco router ACL and more. Firewall configuration data is stored in a central file that can scale to hundreds of firewalls managed from a single UI.

You can download the Linux, Microsoft Windows and MAC version here:

• https://sourceforge.net/projects/fwbuilder/files/Current_Packages/

A great tool to create firewall rules for your Linux Workstations and Terminal Servers.

LibreOffice the powerful office suite

LibreOffice is a powerful office suite – its clean interface and feature-rich tools help you unleash your creativity and enhance your productivity. LibreOffice includes several applications that make it the most powerful Free and Open Source office suite on the market: Writer (word processing), Calc (spreadsheets), Impress (presentations), Draw (vector graphics and flowcharts), Base (databases), and Math (formula editing).

• https://www.libreoffice.org/

Tens of millions of people around the world use LibreOffice every day, in homes, businesses, charities and government departments. Using LibreOffice will have a massive impact on your TCO. Because it is Open Source and able to read and write .doc, .docx, .xls and .xlsx files your users can work on the same documents within hybrid networks. For sure, some formatting differences exists, but a lot of them can be solved installing the needed fonts. Users heavily using macros and extensive spreadsheets should test in advance, but as I have learned, for most companies LibreOffice works pretty well.

It is possible to create and edit PDF documents which should be used as only e-mail attachments.

And do not listen to people telling you “this looks different”. Other Office Suites have different looks in different versions too. The only decision maker should be the compatibility and your requirements for compatibility. Do you really receive documents from others in these formats? Is there need to work and edit this documents? In general you should receive PDF documents only by e-mail. Proprietary documents should not be exchanged by e-mail because of different risks.

If you receive documents and spreadsheets you need to work with, test the compatibility. I assume in most cases everything is fine. If formatting is the problem, install the needed fonts and the look will be fine. Depending on the used macros spreadsheets should be double checked if extensive used.

In the real world people don’t want to test new solutionms, trying to stay with things they already know. It is your freedom to choose, but I do think the chance to reduce the TCO that much, it is worth a look at without giving up after 5 minutes.

Thunderbird e-mail/groupware client

Thunderbird is a free email application that’s easy to set up and customize - and it’s loaded with great features!

https://thunderbird.net/

Thunderbird has a built in calendar supporting CalDAV servers and supports global address books using the SOGo plugin. Using this plugin you are able to connect to every CardDAV server. Using the above named SOGo integrator you operate a full featured groupware client. Best of it, it is available for Microsoft Windows, Linux and MAC for free and administrators are able to have the same software and setting on all operating systems inside your network.

A lot of plugins are available to enhance Thunderbird if you are missing a feature. Check out the feature list

https://www.mozilla.org/en-US/thunderbird/features/

to see it works for you. Using it since a long time without any problems. It supports PGP e-mail encryption and a lot more. Heavy e-mail users will love this software to handle all of their accounts in one client. Thunderbird is part of the Mozilla project, the one the Firefox browser is from.

Firefox browser

Open Source browser Firefox is available for free at

https://www.mozilla.org/firefox/

The browser is heavily used by businesses and private individuals to keep their privacy. Firefox is available for Linux, Unix, MAC, Windows, Android and IOS.

A special version of Firefox is available as Tor Browser Bundle, which is a Tor enabled version to enter the Tor Net (also known as Darknet. See my Book DARKNET FOR JOURNALISTS).

Download is available here:

https://www.torproject.org/projects/torbrowser.html.en

xbrowswersync addon enables you to sync your bookmarks and keepass to sync your passwords between systems. Both via self hosted servers. No one has your data again!

Open Source CAD solutions

Depending on your needs there are a lot of free CAD solutions available. You will have to find out all of your requirements and check against the features list. I am not a CAD expert, but I want to show you that there is a solution available businesses are working with. The first suggestion is

• http://brlcad.org/

BRL-CAD is a powerful open source cross-platform solid modeling system that includes interactive geometry editing, high-performance ray-tracing for rendering and geometric analysis, a system performance analysis benchmark suite, geometry libraries for application developers, and more than 30 years of active development.

The project description:

Highlights

Cross platform

The package is intentionally designed to be extensively cross-platform and is actively developed on and maintained for many common operating system environments including for BSD, Linux, Solaris, Mac OS X, and Windows among others. BRL-CAD is distributed in binary and source code form.

Since 1979

Mike Muuss began the initial architecture and design of BRL-CAD back in 1979. Development as a unified package began in 1983. The first public release was made in 1984. BRL-CAD became an open source project on 21 December 2004.

Trusted by U.S Military

BRL-CAD is choice of U.S Military. For more than 20 years, BRL-CAD has been the primary tri-service solid modeling CAD system used by the U.S. military to model weapons systems for vulnerability and lethality analyses.

Free & Open

BRL-CAD respects your freedom so our code is open source under OSI approved license terms, which means you can customize it according to your needs. It also means that you will get this software Free of cost and we won’t charge you ever for any update or support.

Another one is available at

• https://www.freecadweb.org/

The project startet 2001 and describes itself as:

FreeCAD is a general purpose parametric 3D CAD modeler. The development is completely Open Source (LGPL License). FreeCAD is aimed directly at mechanical engineering and product design but also fits in a wider range of uses around engineering, such as architecture or other engineering specialties. FreeCAD is fully multi-platform, and currently runs flawlessly on Windows and Linux/Unix and Mac OSX systems, with the exact same look and functionality on all platforms.

For more information about FreeCAD’s capabilities, take a look at the Feature list on their website.

Another one is

• http://librecad.org

LibreCAD is a free Open Source CAD application for Windows, Apple and Linux. Support and documentation is free from our large, dedicated community of users, contributors and developers.

There are even more and a search for “Open Source CAD” will list you more solution than you can work with.

Image management and manipulation

Professional Open Source software is available for this task too and I am working heavily with this software products. A branch of my company CTS.at since 2008 operates a press image agency with 270 photographers in over 30 countries. I have huge experience in managing and manipulation images. We developed the web server software running at https://cts-photo.com/ by ourself, using Open Source tools only.

The backoffice works with DigiKam

• https://www.digikam.org/

for managing of images and their Meta tags (IPTC aso.).

all features on their website at

https://www.digikam.org/about/features

The best part is, it is available for Linux, Windows and MAC, so all users have the same frontend to work with, even they use different operating systems.

There is often need to manipulate images in different ways. With GIMP

• https://www.gimp.org/

the CTS staff is able to handle every job. Gimp is a highly professional software, available for Linux, MacOS X, Windows too. As seen in the past, most users will never need a feature not supported by GIMP.

If you are working with RAW files produced by professional cameras you should add RAW Therapee to your software list.

• http://rawtherapee.com/

Using this great and professional Open Source software you are able to manage and manipulate RAW images of all leading camera producers. One of the “must haves” for professionals. See the full feature list at:

• http://rawtherapee.com/blog/features

Using the above software the CTS photo professionals are able to complete their jobs without any additional license costs. For sure, there are a lot more software packages available, but these packages should be enough more mosts businesses and jobs.

Desktop Publishing

These jobs can be handled e.g. by Scribus:

https://www.scribus.net

The project describes itself as:

Scribus is page layout program for Linux, FreeBSD, PC-BSD, NetBSD, OpenBSD, Solaris, OpenIndiana, Debian GNU/Hurd, Mac OS X, OS/2 Warp 4, eComStation, Haiku and Windows. Since its humble beginning in the spring of 2001, Scribus has evolved into one of the premier Open Source desktop applications.

If you are not the heavily into desktop publishing LibreOffice provides outstanding design capabilities across several of its components. Combining Writer and Draw you will be able to create great looking layouts for brochures and newsletters.

CRM and Billing solutions

This is one of the key points for every company. CRM to turn leads to orders, ERP to handle to order processing workflow, production and finance management. Smaller companies will be satisfied with some CRM and billing solution to handle their business. As you already guess there is freedom to select the application fitting best to your company. Perfect customer relation management (CRM) is needed to be successful in the long run. I am very proud to be able to say – We at CTS are successful since 32 years – so I know what I am talking about.

My prefered CRM software is SuiteCRM:

• https://suitecrm.com/

They have a great description available online and you can try their free available demo too:

• https://suitecrm.com/demo

A lot of extensions are available to enhance the functionallity if you have special needs. SuiteCRM depends on some free Open Source LAMP (Linux, Apache, MySQL, PHP) server. There are more, like CiviCRM, Fat Free CRM, CiviCRX, Zurmo and others. I am very sure you will find the solution for your requirements.

Billing for smaller companies can be done easily with software like

• http://www.jbilling.com/

Their project description:

The way consumers and businesses are buying is changing fast, and that means real revenue opportunities in every industry. You may have noticed these shifts: services replacing assets, subscriptions replacing one-time sales, complex bundles replacing simple offerings.

jBilling supports all the complex billing scenarios required by this new economy. With jBilling you get to market quickly and you adapt quickly. Go ahead and innovate, enter new markets, disrupt the status quo. jBilling provides the features you need to tap the revenue revolution ahead! Others like OpenSourceBilling, Kill Bill (Subscriptions), OpenBRM (Telecom) may help you to get the jobs done too.

If possible use a web based solution to be successful in the long run. Web based solutions are central managed and does not relay on some operating system or client side software versions. Setup the billing server and access your data from every client using your browser only. Free yourself of being locked to one supplier. Browser based solutions are easy to update server side only. Client doesn’t need any update to work with the new version.

ERP solutions for the enterprise

When it comes to ERP solutions we are talking about real projects. Introducing a new ERP solutions needs time and people with experience in the software. Even more it is needed to understand users and department requirements and be able to talk to different levels of people in their own language. Not a lot of people are able to manage that.

Because of the complexity some managers decide to outsource the ERP needs and pay a lot to companies setting up their commercial solution for them. I have seen a lot of these decisions and finally the costs raised by 100-500% compared to the first calculation.

There are great Open Source solutions available too and using iDempiere for example will remove any license costs in regard of the ERP.

• http://www.idempiere.org/

But you should hire some good consulter to help you in setting up everything. Being able to reduce your license costs that much should be a good reason to invest in loyal employees. Starting with an Open Source solution lets you hire programmers to create plugins required by your company too. It is really worth to take a look at.

Other software

I only mentioned software needed in most businesses, but for sure there are thousands of Open Source packages available. Searching the Internet using well selected keywords will bring you up a solution to nearly every requirement. Webserver, Content Management Software, Online Shop System, Free SSL Certificates and a lot more will help you to solve your requirements.

Coaching and Consulting

There is much more but this e-book should get you started thinking about Open Source software to operate license costs free as much as possible. This e-book should be of help for managers and I reduced the pages to give you a fast overview without investing too much of your valuable time in reading. For detailed installation help I have a lot of other e-books available at https://digitalbooks24.com . You will need to prepare yourself for your own projects but with the help of this book it should be far easier.

As long as you do not listen to people complaining about everything, select people finding solutions for every problem and request, you will reduce your license costs a lot. You are not alone and there are so much happy people out there.

I am very interested in your feedback via Element Matrix Messenger.

Good luck with your project!

About The Author

Karl M. Joch

Find out more at

https://kmj.at/

Karl M. Joch is founder of CTS GMBH with more than 30 years experience in national and international projects. He worked in over 15 countries and is specialized in CEO & CIO Coaching, Corporate rehabilitation and insolvency consulting, M&A and Dirty Jobs as part of restructuring.

IT Skills, especially with Open Source Solutions:

• IT Infrastructure / Network
• IT Security – Firewalls, Virus protection
• Email Security, Appliances
• Home Automation Solutions, MQTT, aso.
• HA Solutions, Auto Failover
• VPN Solutions
• FreeBSD, Unix, Linux
• Asterisk VOIP (Voice over IP)
• Network Monitoring
• Webhosting, E-Commerce Solutions
• Virtualization

BACK