Email Campaigns/Trackers and Server Security

[sykes2810]

Hello,

I am relatively new to SugarCRM but have been very impressed so far and have recommended that it be implemented in our office. My only problem surrounds Email Campaigns and Email Trackers.

I have successfully run some test campaigns and the trackers all work fine, however, my understanding has been that you must have the SugarCRM server on a public web address in order for the trackers to work because the link they use is http://sugarserverurl/tackerurl

So I have put our server on a public domain so that this works. This however, leaves me a bit vulnerable to hackers and the like.

My question to the Sugar Community is what ways are there to protect against this. Can I....

1) Somehow make the trackers work but put the actual Sugar web interface behind a VPN
2) Or is there a way of configuring apache so that it allows the trackers to pass through but doesn't allow outside access to the Sugar website.

If my question is elementary I apologise but my understanding of the system is relatively limited.

Our system is...

Server Running Centos 5
Sugar 5.2.0a

[roblaus]

Sugar Admin manual page 68

If you are running Sugar on your internal network (for example, http:/
privatemachine/sugar/index.php), move Campaign_tracker2.php,
Removeme.php, and image.php files from the Sugar root directory to a directory
on your public Website (for example, http://mycompany.com) so that you can
track the responses of your campaign targets. To specify the location of these
campaign tracking files, select User Defined and enter the path in the field below.
When a target opens the campaign email or clicks an embedded image, the action
is logged in the Campaign_tracker2.php file or the image.php file respectively.
When a target opts out of the campaign, the action is logged in the Removeme.php
file.

There are other ways too...

[goko]

Sugar Admin manual page 68

If you are running Sugar on your internal network (for example, http:/
privatemachine/sugar/index.php), move Campaign_tracker2.php,
Removeme.php, and image.php files from the Sugar root directory to a directory
on your public Website (for example, http://mycompany.com) so that you can
track the responses of your campaign targets. To specify the location of these
campaign tracking files, select User Defined and enter the path in the field below.
When a target opens the campaign email or clicks an embedded image, the action
is logged in the Campaign_tracker2.php file or the image.php file respectively.
When a target opts out of the campaign, the action is logged in the Removeme.php
file.

There are other ways too...

Is this really working?

If you look at the code in image.php, removeme.php and campaign_trackerv2.php
they all do a local redirect to index.php.
Since you will not have Sugars index.php on the public website how can this work?!

If you have a php based public Website, there is a chance/risk you _do_ have an index.php there but that index.php will not behave as Sugars...