
Mac OS X Server Network Services Administration

Contents

1. (netmask table, continued) 19: 255.255.224.0, 8192 addresses in range; 20: 255.255.240.0, 4096; 21: 255.255.248.0, 2048; 22: 255.255.252.0, 1024; 23: 255.255.254.0, 512; 24: 255.255.255.0, 256; 25: 255.255.255.128, 128; 26: 255.255.255.192, 64; 27: 255.255.255.224, 32; 28: 255.255.255.240, 16; 29: 255.255.255.248, 8; 30: 255.255.255.252, 4; 31: 255.255.255.254, 2; 32: 255.255.255.255, 1.
   Rule Mechanism and Precedence
   The rules in the Firewall Settings Services pane operate with the rules shown in the Advanced pane. Usually the broad rules in the Advanced pane block access for all ports. These are lower-priority (higher-numbered) rules and are applied after the rules in the Services pane. The rules created with the Services pane open access to specific services and are higher priority; they take precedence over those created in the Advanced pane. If you create multiple rules in the Advanced pane, the precedence for a rule is determined by the rule number. This number corresponds to the order of the rule in the Advanced pane. Rules can be reordered by dragging them in the list in the Firewall Settings Advanced pane. For most normal uses, opening access to designated services in the Advanced pane is sufficient. If necessary, you can add more rules using the Advanced pane. (Chapter 4, Working with Firewall Service, pages 89-90)
   Multiple IP Addresses
   A server can support multiple homed IP addresses, but Firewall service applies one set of rules to all server IP addresses. If you
2. For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.
   Setting WINS Options for a Subnet
   You can give more information to computers running Windows on a subnet by adding Windows-specific settings to the DHCP-supplied network configuration data. These Windows-specific settings permit Windows clients to browse Network Neighborhood. You must know the domain name or IP address of the Windows Internet Naming Service/NetBIOS Name Server (WINS/NBNS) primary and secondary servers (usually the IP address of the DHCP server) and the NetBIOS over TCP/IP (NBT) node type. (Chapter 2, Working with DHCP Service, page 37)
   The following are possible node types:
   - Hybrid (h-node): checks the WINS server and then broadcasts.
   - Peer (p-node): checks the WINS server for name resolution.
   - Broadcast (b-node): broadcasts for name resolution (most commonly used).
   - Mixed (m-node): broadcasts for name resolution and then checks the WINS server.
   The NetBIOS Datagram Distribution (NBDD) server works with NBNS to route datagrams to computers on a different subnet. The NetBIOS Scope ID isolates NetBIOS communication on a network. The NetBIOS Scope ID is appended to the NetBIOS name of the computer. Computers that have the same NetBIOS Scope ID can communicate. NBDD Server and the NetBIOS Scope ID are typically not used, but you might need to use them d
3. To set up a VLAN:
   1 Log in to your server as an administrator.
   2 Open the Network pane of System Preferences.
   3 Click the Action pop-up menu and select Manage Virtual Interfaces.
   4 Click the Add button and select New VLAN.
   5 In the VLAN Name field, enter a name for the VLAN.
   6 In the Tag field, enter a tag (a number between 1 and 4094). This VLAN tag designates the VLAN ID (VID). Each logical network has a unique VID. Interfaces configured with the same VID are on the same virtual network.
   7 Select the Interface.
   8 Click Create.
   9 Click Done.
   Where to Find More Information About VLANs
   See www.ieee.org. The VLAN standard is defined by IEEE. A reference document provides an overview of a protocol and includes details about how the protocol should behave. If you're a novice server administrator, you'll probably find some of the background information in a reference document helpful. If you're an experienced server administrator, you can find out technical details about a protocol in its reference document. The reference document is available at standards.ieee.org/getieee802/download/802.1Q-1998.pdf. (Chapter 10, Supporting a VLAN)
   Supporting IPv6
   Use this chapter to learn about Internet Protocol Version 6 (IPv6)-enabled services used by Mac OS X Server, guidelines for using the IPv6 addresses in those services, and IPv6 address types and notation. IPv6 is the Internet's next-generation protocol, designed to replace the current I
4. Contents
   Stopping VPN Service 151
   Configuring VPN Network Routing Definitions 151
   Limiting VPN Access to Specific Users or Groups 153
   Limiting VPN Access to Specific Incoming IP Addresses 153
   Supplementary Configuration Instructions 155
   Enabling VPN-PPTP Access for Users in an LDAP Domain 155
   Offering SecurID Authentication with VPN Server 156
   Monitoring VPN Service 157
   Viewing a VPN Status Overview 157
   Changing the Log Detail Level for VPN Service 158
   Viewing the VPN Log 158
   Viewing VPN Client Connections 159
   Common Network Administration Tasks That Use VPN 159
   Linking a Computer at Home with a Remote Network 159
   Accessing a Computing Asset Behind a Remote Network Firewall 161
   Linking Remote Network Sites 162
   About the Site-To-Site VPN Administration Tool 162
   Setting up a VPN Connection on a Client 166
   Where to Find More Information About L2TP/IPSec 167
   Chapter 7 Working with RADIUS 168
   RADIUS Setup Overview 168
   Turning RADIUS On 169
   Setting Up RADIUS 169
   Configuring RADIUS Using the Configuration Assistant 169
   Adding AirPort Base Stations to a RADIUS Server 171
   Adding Bonjour-Enabled AirPort Base Stations to a RADIUS Server 171
   Remotely Configuring AirPort Base Stations 172
   Configuring RADIUS to Use Certificates 172
   Archiving RADIUS Service Logs 173
   Starting or Stopping RADIUS Service 174
   Managing RADIUS 175
   Checking RADIUS Status 175
   Viewing 175
   176 176 177 178 178 179 179
5. If the service type for the service you are providing is not listed, you can enter the name in the Service Type field. The service you are providing should use a syntax similar to _application-protocol-name._tcp or _udp. In the Host field, enter the DNS name of the server that is providing the service. If you want to use the fully qualified domain name of the domain server, select the Fully Qualified checkbox. In the Port field, enter the port number for the service you are providing; for example, if you are providing http service, you would use port 80. In the Priority field, enter a priority number. The priority number is used when multiple hosts are configured for the same service; the priority determines which host is tried first. In the Weight field, enter a weight number. The weight number is used as a relative weight for records with the same priority. In the TXT field, enter additional information about the service. This creates a TXT record for the service. Click Save.
   Changing a Record in a DNS Zone
   If you change the namespace for the domain, you must update DNS records as often as that namespace changes. Upgrading hardware or adding to a domain name might also require updating DNS records. You can duplicate a record and then edit it, saving configuration time.
   To change a record: Open Server Admin and connect to the server. Click the triangle at the left of the server. The list of services appears. From the expa
6. Preventing Denial of Service (DoS) Attacks
   When the server receives a TCP connection request from a client that is denied access, by default the server sends a reply rejecting the connection. This stops the denied client from resending over and over again. However, a malicious user can generate a series of TCP connection requests from a denied IP address and force the server to keep replying, locking out others who are trying to connect to the server. This is one type of DoS attack.
   Important: DoS attacks are rare, so make these settings only if you think your server might be vulnerable to an attack. If you deny ICMP echo replies, services that use ping to locate network services can't detect your server.
   To prevent ping DoS attacks: Open Server Admin and connect to the server. Click the triangle at the left of the server. The list of services appears. From the expanded Servers list, select Firewall. Click Settings, then click Services. Select the "any" address group. Select "Allow only traffic to these ports." Deselect "ICMP Echo reply message (replies to outgoing pings)." Click Save.
   Controlling or Enabling Peer-to-Peer Network Usage
   Sometimes network administrators must control the use of Peer-to-Peer (P2P) file sharing applications. Such applications might use network bandwidth and resources improperly or disproportionately. P2P file sharing might also pose
7. (L2TP settings listing, continued)
   vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0
   vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1
   vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingEnabled = value
   vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingAddress = value
   vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0
   vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0
   vpn:Servers:com.apple.ppp.l2tp:Radius:Server:_array_index:0:Address
   vpn:Servers:com.apple.ppp.l2tp:Radius:Server:_array_index:0:SharedSecret
   vpn:Servers:com.apple.ppp.l2tp:Radius:Server:_array_index:1:Address
   vpn:Servers:com.apple.ppp.l2tp:Radius:Server:_array_index:1:SharedSecret
   vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod = value
   vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = value
   vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalCertificate = value
   Parameter (vpn:Servers:...), description and default:
   vpn:Servers:com.apple.ppp.l2tp:enabled (default: no)
   vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges (default: empty array)
   vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingEnabled (default: 0)
   vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingAddress (default: 1.2.3.4)
   vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:n (default: MSCHAP2)
   vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:n (default: DSAuth)
   (Chapter 6, Working with VPN Service, pages 145-146)
   vpn:Servers:com.apple.ppp.l2tp:Radius:Server:_array_index:0:Address (default: 1.1.1.1)
   vpn:Servers:com.apple.ppp.l2tp:Radius:Server:_array_index:0:SharedSecret (default: 1)
   vpn:Servers:com.apple.ppp.l2tp:Radius:Server:_array_index:1:Address (default: 2.2.2.2)
8. Turning DNS Service On
   Before you can configure DNS settings, turn on DNS service in Server Admin.
   To turn DNS service on: Open Server Admin and connect to the server. Click Settings. Click Services. Select the DNS checkbox. Click Save.
   Upgrading DNS Configuration
   Mac OS X Server v10.6 has been modified to manage DNS entries more efficiently. To take advantage of this, DNS records created on versions prior to Mac OS X Server v10.5 must be upgraded. After you upgrade to Mac OS X Server v10.6 and turn on DNS in Server Admin, the upgrade pane appears the first time you click DNS. The upgrade pane appears only if you upgraded to Mac OS X Server v10.6 from a version prior to Mac OS X Server v10.5. It does not appear if Mac OS X Server v10.6 was newly installed. The upgrade pane has two options:
   - Don't Upgrade: If you choose not to upgrade your configuration, you cannot use Server Admin to automatically configure DNS. You can manually configure files using the /etc/named.conf file for DNS configuration and the /var/named file for zone configuration.
   - Upgrade: The Upgrade option converts DNS file records and then allows access to the DNS panes of Server Admin. When upgrading, backup files are created. If the files must be restored, they can be restored manually. Backup files are saved in the same folders where the original files are located.
   Setting Up DNS Service
   Set up DNS service by configuring the
9. Enabling NAT also creates a divert rule in the firewall configuration. Server Admin permits NAT service and Firewall service to be enabled and disabled independently. However, for NAT service to function, NAT service and Firewall service must both be enabled. This is because an essential part of NAT is the packet divert rule. That rule is added to the firewall when NAT service is enabled, but Firewall service must be turned on for the packet divert rule (or any firewall rule) to have any effect.
   NAT LAN Configuration Overview
   To configure a network segment as a NAT LAN, you must complete several steps. Each is necessary to create a functioning private network behind a NAT gateway. A detailed example of the setup is found in "Linking a LAN to the Internet Through One IP Address" on page 133. You can also configure NAT using Gateway Setup Assistant, which configures each of these services and starts NAT. For more information, see "About Gateway Setup Assistant" on page 16. The following provides an overview of the configuration process.
   Step 1: Choose your NAT gateway and interface functions. You must locate the NAT gateway on a Mac OS X Server computer with at least two network interfaces: one to connect to the Internet (the WAN port) and one to connect to your private network segment (the LAN port).
   Step 2: Decide how NAT LAN clients will get IP addresses. You can assign your own static IP address in the app
10. 17.254.0.3 (example only; your IP number is provided by your ISP).
   - Internet or public DNS IP address: 17.254.1.6 (example only; your IP number is provided by your ISP).
   - Private network IP address range and netmask: 192.168.0.2 to 192.168.0.254, also expressed as 192.168.0.0/24 or 192.168.0.0 255.255.255.0.
   - Server's private network IP address: 192.168.0.1.
   - LAN client IP address settings: Configure IPv4 Using DHCP. This last setting is not required, because NAT can be used with static IP addresses instead of DHCP. However, configuring this setting makes it easier to configure computers.
   To configure your NAT LAN:
   On the gateway server, open the Network pane of System Preferences. In the active Network screen, make sure the interface Built-in Ethernet is at the top of the list of interfaces; if not, drag it to the top of the list. This sets the default gateway in the routing table. The top interface is always configured for the Internet or WAN. Make sure the IP address and settings for Ethernet 1 are your public address settings from your ISP. In this example they are: IP address 17.254.0.3; Netmask 255.255.252.0; DNS 17.254.1.6. (Chapter 5, Working with NAT Service, pages 133-134) Make sure the IP address and settings for Ethernet 2 (or PCI Ethernet Slot 1) are your local address settings. In this example they are: IP address 192.168.0.1; Netmask 255.255.255.0; DNS 17.254.1.6. If necessary, cl
11. (L2TP parameter table, continued)
   vpn:Servers:com.apple.ppp.l2tp:Radius:Server:_array_index:1:SharedSecret (default: 2)
   vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod (default: SharedSecret)
   vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue (default: not listed)
   vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalCertificate (default: not listed)
   For more information about command-line parameters for VPN, see "VPN Service Settings" on page 206. For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.
   Configuring PPTP Settings
   Use Server Admin to designate PPTP as the transport protocol. If you enable this protocol, you must also configure connection settings. You should designate an encryption key length (40-bit or 128-bit), the IP address allocation range to be given to your clients, and the group that will use the VPN service (if needed). If you use L2TP and PPTP, each protocol should have a separate, nonoverlapping address range.
   When configuring VPN, make sure the firewall allows VPN traffic on needed ports with the following settings:
   - For the "any" address group, enable GRE, ESP, VPN L2TP (port 1701), and IKE (port 500).
   - For the "192.168-net" address group, choose to allow all traffic.
   For more information, see "Configuring Services Settings" on page 94.
   To configure PPTP settings: Open Server Admin and connect to the server. Click the triangle at the le
12. If your LDAP master server is another computer, you must know the domain name or IP address of the LDAP database that you want to use, and you must know the LDAP search base.
   To set LDAP options for a subnet: Open Server Admin and connect to the server. Click the triangle at the left of the server. The list of services appears. From the expanded Servers list, select DHCP. Click Subnets. Select a subnet. Click LDAP. Enter the domain name or IP address of the LDAP server for this subnet. Enter the search base for LDAP searches. If you're using a nonstandard port, enter the LDAP port number. If necessary, select LDAP over SSL. Use this option to secure LDAP communication. Click Save. If DHCP is running, you are prompted to restart DHCP for your change to take effect. Otherwise, your changes take effect the next time you start DHCP.
   From the command line: You must use the same subnet ID that was used to create the subnet. To set LDAP options for a subnet:
      sudo serveradmin settings
      dhcp:subnets:_array_id:subnetID:dhcp_ldap_url:_array_index:0 = "ldap://server"
      Control-D
   Parameter and description:
   - subnetID: A unique number that identifies the subnet. Can be any number not assigned to another subnet on the server. Can include embedded hyphens.
   - Other parameters: The standard subnet settings described in Command-Line Parameters for Network Services
13. "In" refers to the packets coming into the server. Click OK.
   14 Click the Add button.
   15 From the Action pop-up menu, choose Allow.
   16 From the Protocol pop-up menu, choose a protocol or Other. If you are adding GRE or ESP, choose Other and enter "any" in the field. If you are adding VPN ISAKMP/IKE, choose UDP.
   17 From the Service pop-up menu, choose a service. If you are adding GRE, choose "GRE - Generic Routing Encapsulation protocol." If you are adding ESP, choose "ESP - Encapsulating Security Payload protocol." If you are adding VPN ISAKMP/IKE, choose "VPN ISAKMP/IKE." Destination port 500 is added to the Port field.
   18 From the Address pop-up menu of the Source section, choose "any."
   19 In the Port field of the Source section, enter "any."
   20 From the Address pop-up menu of the Destination section, choose "any."
   21 In the Port field of the Destination section, enter a port number. If you are adding VPN ISAKMP/IKE, enter 500 if it is not shown.
   22 From the Interface pop-up menu, choose Other and enter "any" in the Other field of the Interface section.
   23 Click OK.
   24 Repeat steps 14 through 23 for GRE, ESP, and VPN ISAKMP/IKE.
   25 Click Save to apply the filter immediately.
   Supplementary Configuration Instructions
   This section describes procedures for optional scenarios. They require integration with an existing directory s
14. Initial setup information appears in "Setting Up DNS Service" on page 56. More advanced features require configuring BIND from the command line and are not covered here. You might want to monitor DNS status to:
   - Troubleshoot name resolution problems
   - Verify how often DNS service is used
   - Look for unauthorized or malicious DNS service use
   Checking DNS Service Status
   You can use Server Admin to check the status of DNS service.
   To check DNS service status: Open Server Admin and connect to the server. Click the triangle at the left of the server. The list of services appears. From the expanded Servers list, select DNS. (Chapter 3, Working with DNS Service) Click Overview to see whether the service is running, when it was started, and the number of zones allocated. Click Log to review the service log. Use the Filter field above the log to search for specific entries.
   From the command line: To see summary status of the service: sudo serveradmin status dns. To see detailed status of the service: sudo serveradmin fullstatus dns. For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.
   Viewing DNS Service Logs
   DNS service creates entries in the system log for error and alert messages. The log file is named.log. You can filter the log to narrow the number of viewable log entries and make it easier to find those you want to see
15. Kerberos authentication is not supported.
   To configure Mobile Access service iCal settings:
   1 Open Server Admin and connect to the server.
   2 Click the triangle at the left of the server. The list of services appears.
   3 From the expanded Servers list, select Mobile Access.
   4 Click Settings.
   5 Select the "Forward iCal traffic to internal server" checkbox.
   6 In the "Forward iCal traffic to internal server" field, enter the fully qualified host name of the iCal server. This is the fully qualified domain name of your internal iCal server.
   7 Click Advanced.
   8 In the Incoming Port field, enter the incoming port number. This is the port number used by the external request to access the Mobile Access server. The default port is 8443.
   9 From the Certificate pop-up menu, choose your certificate. To create a self-signed certificate, click Manage Certificates from the Certificate pop-up menu. For more information about creating certificates, see Advanced Server Administration.
   10 In the iCal Host Port field, enter the port used by your internal iCal server. The default is 8443.
   11 If your internal iCal server uses SSL, select the Use SSL checkbox.
   12 Click OK, then click Save.
   (Chapter 9, Working with Mobile Access Service, page 186)
   Configuring Mobile Access Service Mail Settings
   You use Server Admin to indicate the internal mail origin server, set the external and internal ports, and configure the SSL settings for t
16. /etc/bootpd.plist file to add multiple LDAP server URLs. After you create a subnet using DHCP in Server Admin and specify a single LDAP server URL, you can inspect and modify settings by editing the /etc/bootpd.plist file.
   1 Open the /etc/bootpd.plist file in an editor.
   2 Locate the <string> tag between the <array> tags of the dhcp_ldap_url key:
      <key>dhcp_ldap_url</key>
      <array>
          <string>ldap://server.example.com/dc=server,dc=example,dc=com</string>
      </array>
   3 Add another LDAP server URL by inserting a <string> tag below the existing <string> tag and entering your LDAP server URL between the open <string> and closed </string> tags:
      <key>dhcp_ldap_url</key>
      <array>
          <string>ldap://server.example.com/dc=server,dc=example,dc=com</string>
          <string>ldap://server2.example.com/dc=server2,dc=example,dc=com</string>
      </array>
   4 Save the bootpd.plist file and exit your editor.
   5 If DHCP is running, restart DHCP service so it can pick up the revised configuration. Using Terminal, you would enter:
      sudo serveradmin stop DHCP
      sudo serveradmin start DHCP
   Using serveradmin to add multiple LDAP server URLs
   After you create a subnet using Server Admin DHCP and specify a single LDAP server URL, you can inspect and modify settings using serveradmin. Do the following: Inspect DHCP subnet settings in Terminal by entering sudo serveradmin
17. -getconfigxml: Displays configuration data stored in the radiusd.conf and eap.conf files in XML plist format.
   -nascount: Displays the number of RADIUS clients.
   -naslist: Displays the list of RADIUS clients formatted for the clients.conf file.
   -naslistxml: Displays the list of RADIUS clients in XML plist format.
   -ver: Displays a specific build version.
   -help: Displays usage information.
   -q: Suppresses prompts.
   Transport Level Security
   You can enable or disable Transport Level Security (TLS) by modifying the TLS section of the eap.conf file.
   Enabling and disabling TLS: To enable TLS: sudo radiusconfig -enable-tls. To disable TLS: sudo radiusconfig -disable-tls.
   RADIUS Clients
   Use the radiusconfig tool to add, import, remove, and configure RADIUS clients.
   Managing RADIUS Clients:
   - To add RADIUS clients: sudo radiusconfig -addclient nas-name [shortname] [type]
   - To import RADIUS clients: sudo radiusconfig -importclients xml-plist-file
   - To remove RADIUS clients: sudo radiusconfig -removeclient nas-name [nas-name ...]
   - To assign an access control group to a client of the RADIUS service: sudo radiusconfig -setgroup nas-name group-name
   (Appendix, Command-Line Parameters for Network Services, pages 211-212)
   nas-name: The name of the client. shortname: The shortname of the client. type: Optional; the type of the client. xml-plist-file: The name of the file, including the path, to import clients from
18. subnet created and enabled.
   To start DHCP service: Open Server Admin and connect to the server. Click the triangle at the left of the server. The list of services appears. From the expanded Servers list, select DHCP. Click the Start DHCP button below the Servers list. If the Firewall service is running, a warning appears asking you to verify that all ports used by DHCP are open. Click OK. The service runs until you stop it. It restarts when your server is restarted.
   From the command line: To start DHCP service: sudo serveradmin start dhcp. For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.
   Managing DHCP Service
   This section describes how to set up and manage DHCP service on Mac OS X Server. It includes starting the service, creating subnets, and setting optional settings such as LDAP or DNS for a subnet.
   Stopping DHCP Service
   When starting or stopping DHCP, you must have at least one subnet created and enabled.
   To stop DHCP service: Open Server Admin and connect to the server. Click the triangle at the left of the server. The list of services appears. From the expanded Servers list, select DHCP. Click the Stop DHCP button below the Servers list. Click Stop Now.
   From the command line: To stop DHCP service: sudo serveradmin stop dhcp. For information about server
19. DNS as the domain for Bonjour browsing. You can then add SRV records to the designated Bonjour browsing domain for each service type. These services appear on computers that have the Bonjour browsing domain entered as a search domain in Network Preferences. You can add the designated Bonjour browsing domain to the search domain of each computer manually or through DHCP. For mobile clients, it's recommended to enter the search domain manually so they have Bonjour browsing access from anywhere. For more information about adding SRV records, see "Adding a Service Record to a DNS Zone" on page 72.
   To configure DNS service Bonjour settings: Open Server Admin and connect to the server. Click the triangle at the left of the server. The list of services appears. From the expanded Servers list, select DNS. Click Bonjour. Select the "Enable automatic client Bonjour browsing for domain" checkbox and enter the Fully Qualified Domain Name (FQDN) of the domain used for Bonjour browsing, for example bonjour.company.com. This sets a default Bonjour browsing domain for primary zones. Click Save.
   Configuring DNS Service Settings
   You use the Settings pane in DNS to set the detail level of the DNS service log. You might want a highly detailed log for debugging, or a less detailed log that only shows critical warnings. You set recursive queries, which the DNS server fully answers or gives an error. If the query is unanswered, it is forwarded to
20. Limiting VPN Access to Specific Users or Groups
   By default, all users on the server or in the master directory have access to the VPN when it is enabled. You can limit VPN access to specific users for security or ease of administration. You limit access to the VPN by using Mac OS X Server's Access Control List (ACL) feature. ACLs allow you to designate service access to users or groups on an individual basis. For example, you can use an ACL to permit a user to access a specific file server or shell login while denying access to all other users on the server.
   To limit VPN access using ACLs: Open Server Admin and connect to the server. Click Access. Click Services. Select "For selected services below." In the service access list, select VPN. Select "Allow only users and group below." To reveal the Users & Groups window, click the Add button. Drag users or groups to the access list. Click Save.
   Limiting VPN Access to Specific Incoming IP Addresses
   You limit access to the VPN by using Firewall service. When configuring the firewall for L2TP and PPTP, you must configure GRE, ESP, and IKE to permit VPN access through the firewall. By default, Firewall service blocks incoming VPN connections, but you can provide limited VPN access to specific IP addresses for security or ease of administration.
   To limit VPN access by IP address: Ope
21. Firewall service, you can use Server Admin to perform day-to-day management tasks.
   Stopping Firewall Service
   You use Server Admin to stop Firewall service.
   To stop Firewall service:
   1 Open Server Admin and connect to the server.
   2 Click the triangle at the left of the server. The list of services appears.
   3 From the expanded Servers list, select Firewall.
   4 Click Stop Firewall.
   5 Click Stop Now.
   From the command line: To stop the service: sudo serveradmin stop ipfilter. For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.
   Disabling Firewall Service
   You can disable Firewall service using Terminal.
   To disable Firewall service: In Terminal, enter the following at the command line:
      sudo /usr/sbin/sysctl -w net.inet.ip.fw.enable=0
   For the basics of command-line tool usage, see Introduction to Command-Line Administration.
   Creating an Address Group
   Use Server Admin to create address groups for Firewall service.
   To create an address group: Open Server Admin and connect to the server. Click the triangle at the left of the server. The list of services appears. From the expanded Servers list, select Firewall. Click Settings, then click Address Groups. Below the IP Address Groups list, click the Add button. In the Group name field, enter a group name. Use the
22. Firewall service 95, 97, 101, 106, 107; LDAP options 37, 46; NAT 126, 131, 132; static map 40, 41, 42; subnets 30, 33; VPN 144, 146, 150, 151, 157, 158, 210; WINS 38.
   servers: Apple file server 112; DNS 28, 35; location of 28; multiple DHCP 28; name server 51, 53; NBDD 38; NBNS 38; resetting 105; securing DNS 74, 75; time server 179; virtual 135.
   Service Configuration Assistant 17. service (SRV) record: see SRV service record. shared files: see file sharing. shared secret files 19, 21, 23, 140, 141, 162. site-to-site VPN admin 162. SMTP (Simple Mail Transfer Protocol) 111. spam: see junk mail screening. spoofing, DNS 74. SRV service record 51, 72. stateful packet inspection 85. static IP addresses 25, 27, 39, 40, 48. static map IDs 202. stealth mode, Firewall service 104. Stratum servers 178. student lab configuration 44. subdomains 53. subnet mask 86, 87.
   subnets: creating 29; deleting 34; DHCP 26, 29, 33, 34, 47, 200; disabling 34, 47; DNS server setting 35; LDAP options 36; lease time settings 35; server location 28; WINS 37.
   sudo tool 127. synchronization, time 178, 179. sysctl tool 85.
   T
   tail tool 63, 132. TCP (Transmission Control Protocol) 84, 94, 112. time server 179 (see also NTP). time synchronization 178, 179. time-to-live attribute (TTL) 53, 80. TLS (Transport Layer Security) protocol 211. Transmission Control Protocol: see TCP. troubleshooting Firewall service rules 103. TTL attribute: see time-to-live attribute. TXT record 51
23. ISP>
   - Static mapping: web, <web server's Ethernet address> mapped to 192.168.0.2
   - Static mapping: mail, <mail server's Ethernet address> mapped to 192.168.0.3
   For more information, see "Creating Subnets" on page 26 and "Assigning Static IP Addresses Using DHCP" on page 39.
   5 To start DHCP service, click the Start DHCP button below the Servers list.
   6 In Server Admin, choose NAT from the expanded Servers list.
   7 Configure NAT using the following settings:
   - External network interface: en0
   - Port forwarding: TCP port 80 (web) to 192.168.0.2
   - Port forwarding: TCP port 25 (mail) to 192.168.0.3
   For more information about configuring port forwards, see "Configuring Port Forwarding" on page 127.
   8 Click Save.
   9 To start NAT service, click the Start NAT button below the Servers list.
   10 In Server Admin, choose Firewall from the expanded Servers list.
   11 Create Firewall rules to permit access to your private network. For more information, see "Creating an Address Group" on page 98.
   12 Enable the two services you want the Internet to access on your private LAN (web and SMTP mail) using the "any" address group. For more information, see "Configuring Services Settings" on page 94.
   13 Click Save.
   14 To start Firewall service, click the Start Firewall button below the Servers list.
   15 Contact your DNS provider (usually your ISP) to add two aliases to your gateway server's DNS record. Request
24. Introduction to Command-Line Administration.
   Configuring Log Settings for DHCP Service
   You can choose the level of detail you want for DHCP service logs:
   - Low (errors only): Indicates conditions where you must take immediate action, for example if the DHCP server can't start up. This level corresponds to bootpd reporting in quiet mode, with the -q flag.
   - Medium (errors and warnings): Alerts you to conditions where data is inconsistent but the DHCP server can still operate. This level corresponds to default bootpd reporting.
   - High (all events): Records activity by DHCP service, including routine functions. This level corresponds to bootpd reporting in verbose mode, with the -v flag.
   To set up the log detail level: Open Server Admin and connect to the server. Click the triangle at the left of the server. The list of services appears. From the expanded Servers list, select DHCP. Click Settings. From the Log Level pop-up menu, choose the logging option you want. Click Save.
   From the command line: The value can be LOW, MEDIUM, or HIGH. To set up the log detail level:
      sudo serveradmin settings dhcp:logging_level = value
   For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.
   Starting DHCP Service
   You start DHCP service to provide IP addresses to users. You must have at least one
25. LogFile (continued from the previous table row)
    Parameter (vpn:Servers:...)                          Default
    com.<name>.ppp.pptp:PPP:MPPEKeySize40                0
    com.<name>.ppp.pptp:PPP:MPPEKeySize128               1
    com.<name>.ppp.l2tp:PPP:VerboseLogging               1
    com.<name>.ppp.pptp:PPP:VerboseLogging               1
    com.<name>.ppp.l2tp:Server:LogFile                   /var/log/ppp/vpnd.log
    com.<name>.ppp.pptp:Server:LogFile                   /var/log/ppp/vpnd.log
    com.<name>.ppp.l2tp:Server:MaximumSessions           128
    com.<name>.ppp.pptp:Server:MaximumSessions           128
    com.<name>.ppp.l2tp:Server:VerboseLogging
    com.<name>.ppp.pptp:Server:VerboseLogging
    VPN serveradmin Commands
    To manage VPN service, use the following commands with the serveradmin tool.
    Command (vpn:command)   Description
    getLogPaths             Find the location of the VPN service log.
    writeSettings           Equivalent to the standard serveradmin settings command, but also returns a setting indicating whether the service must be restarted.
    RADIUS Settings
    To change settings for RADIUS, use the following parameters with the radiusconfig tool.
    210 Appendix Command Line Parameters for Network Services
    Command Option   Description
    appleversion     Displays the version of the tool, including the build version.
    getconfig        Displays configuration data stored in the radiusd.conf and eap.conf files in an abbreviated, user-friendly format.
26. Mobile Access Service Configuration Overview
    To configure Mobile Access service proxies, you must complete several steps. Not every step is necessary for every network environment. The following section provides an overview of the configuration process.
    Step 1: Decide which servers will use Mobile Access service. You must determine which servers will use Mobile Access service.
    Step 2: Obtain a certificate. Purchase a certificate from a certificate authority (CA). This certificate is used by Mobile Access service to ensure secure communication.
    Step 3: Turn Mobile Access service on. Before configuring Mobile Access service, you must enable Mobile Access service for configuration. See "Turning Mobile Access Service On" on page 184.
    Step 4: Configure Mobile Access service proxies. Use the Mobile Access service settings to configure the proxies. See "Setting Up Mobile Access Service" on page 185.
    Step 5: Grant access to Mobile Access proxies. You assign users or groups access to Mobile Access service proxies. See "Granting Access to Mobile Access Service Proxies" on page 189.
    Step 6: Start Mobile Access. After you configure NAT, start Mobile Access service to make it available. See "Starting Mobile Access Service" on page 190.
    Turning Mobile Access Service On
    Before you can configure Mobile Access service settings, you must turn on Mobile Access service in Server Admin.
    To turn Mobile Access service on:
    1. Open Server Admin
27. 1. Open Server Admin and connect to the server.
    2. Click the triangle at the left of the server. The list of services appears.
    3. From the expanded Servers list, select DHCP.
    4. Click Clients.
    To sort the list by different criteria, click a column heading.
    Chapter 2 Working with DHCP Service
    Common Network Configurations That Use DHCP
    The following section contains example DHCP configurations for network uses. These include a workgroup configuration, a student lab configuration, and a coffee shop configuration.
    When you set up a private network, you choose IP addresses from the blocks of IP addresses reserved by the Internet Assigned Numbers Authority (IANA) for private intranets:
    - 10.0.0.0 to 10.255.255.255 (10/8 prefix)
    - 172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
    - 192.168.0.0 to 192.168.255.255 (192.168/16 prefix)
    Using DHCP to Provide IP Addresses Behind a NAT Gateway
    You use DHCP to provide IP addresses to computers behind a Network Address Translation (NAT) gateway. Although not strictly necessary, because NAT can be used with static IP addresses instead of DHCP, this enables easy configuration of computers. For more information, see "Linking a LAN to the Internet Through One IP Address" on page 133.
    Workgroup Configuration
    Imagine you have a small workgroup with its own DHCP address group. You can have an IP-connected printer, a file server, and an Open Directory server (on or off the subnet) for user management purposes. T
28. RADIUS Logs
    Editing RADIUS Access
    Deleting AirPort Base Stations
    Editing an AirPort Base Station Record
    Saving an AirPort Base Station Internet Connect File
    Chapter 8 Working with NTP Service
    How NTP Works
    Using NTP on Your Network
    Setting Up NTP Service
    Contents
    179 180 181 181 182 182 183 184 184 185 185 186 187 188 189 190 190 190 191 191 191 192 193 193 194 194 195 196 196 196 196 197 197 197 198 198 199 199 200
    Configuring NTP Service on Clients
    Where to Find More Information About NTP
    Chapter 9 Working with Mobile Access Service
    About Mobile Access Server
    Using SSL with Mobile Access Server
    About Proxied Authentication Mechanisms
    About Split DNS
    Mobile Access Service Configuration Overview
    Turning Mobile Access Service On
    Setting Up Mobile Access Service
    Configuring Mobile Access Service Address Book Settings
    Configuring Mobile Access Service iCal Settings
    Configuring Mobile Access Service Mail Settings
    Configuring Mobile Access Service Web Settings
    Granting Access to Mobile Access Service Proxies
    Starting Mobile Access Service
    Monitoring Mobile Access Service
    Checking Mobile Access Service Status
    Viewing Mobile Access Service Logs
    Stopping Mobile Access Service
    Optional HTTP Configurable Items
    Where to Find More Information
    Chapter 10 Supporting a VLAN
    What a VLAN Is
    Setting Up Client Membership for a VLAN
    Where to Find More Information About VLANs
    Chapter 11
29. Reverse lookup zones translate IP addresses to domain names. Compare with normal lookups, which translate domain names to IP addresses.
    Use Server Admin to add records to your zone. Create an Address record for every computer or device (such as a printer or file server) that has a static IP address and needs a name. Various DNS zone records are created from DNS machine entries.
    Step 5: Configure secondary zones. If necessary, use Server Admin to configure secondary zones. See "Configuring DNS Service Secondary Zone Settings" on page 59.
    Step 6: Configure Bonjour. Use Server Admin to configure Bonjour settings. See "Configuring DNS Service Bonjour Settings" on page 59.
    Step 7: Configure logging. Use Server Admin to specify the information that gets logged by DNS service and to specify the location of the log file. See "Changing DNS Log Detail Levels" on page 64.
    Step 8 (Optional): Set up a mail exchange (MX) record. If you provide mail service over the Internet, set up an MX record for your server. See "Configuring DNS for Mail Service" on page 77.
    Step 9: Configure your firewall. Configure your firewall to make sure DNS service is protected from attack and accessible to your clients. See Chapter 4, "Working with Firewall Service."
    Step 10: Start DNS service. Mac OS X Server includes a simple interface for starting and stopping DNS service. See "Starting DNS Service" on page 62.
    Chapter 3 Working with DNS Service 55
30. Service
    Managing DHCP Service
    Stopping DHCP Service
    Changing Subnet Settings in DHCP Service
    Deleting Subnets from DHCP Service
    Disabling Subnets Temporarily
    Changing IP Address Lease Times for a Subnet
    Setting the DNS Server for a DHCP Subnet
    Setting LDAP Options for a Subnet
    Setting WINS Options for a Subnet
    Assigning Static IP Addresses Using DHCP
    Removing or Changing Static Address Maps
    Monitoring DHCP Service
    Checking DHCP Service Status
    Viewing DHCP Log Entries
    Viewing the DHCP Client List
    Common Network Configurations That Use DHCP
    Using DHCP to Provide IP Addresses Behind a NAT Gateway
    Workgroup Configuration
    Student Lab Configuration
    Coffee Shop Configuration
    Configuring DHCP to Use an Extra LDAP Server URL
    DHCP Service for Mac OS X Clients
    Using DHCP with a Manual Address
    Configuring DHCP on Clients
    Configuring a Static IP Address on a Client
    Where to Find More Information
    Chapter 3 Working with DNS Service
    DNS Zones
    Primary Zones
    Secondary Zones
    Forward Zones
    DNS Machine Records
    Bonjour and Link-Local Addressing
    Before You Set Up DNS Service
    Setting Up DNS Service for the First Time
    Turning DNS Service On
    Upgrading DNS Configuration
    Setting Up DNS Service
    Configuring DNS Service Primary Zone Settings
    Configuring DNS Service Secondary Zone Settings
    Configuring DNS Service Bonjour Settings
    Configuring DNS Service Settings
    Contents
    62 62 63 64 64 65 65 66 67 67 68 68 69 69 70 70 71 71 72 7
31. Service 149 150
    Configuring VPN Logging Settings
    You can choose from two levels of detail for VPN service logs:
    - Nonverbose logs: Describe conditions where you must take immediate action, for example if the VPN service can't start up.
    - Verbose logs: Record all activity by the VPN service, including routine functions.
    By default, nonverbose logging is enabled.
    To change logging settings to verbose:
    1. Open Server Admin and connect to the server.
    2. Click the triangle at the left of the server. The list of servers appears.
    3. From the expanded Servers list, select VPN.
    4. Click Settings, then click Logging.
    5. Select "Verbose logging" to enable verbose logging.
    6. Click Save.
    Starting VPN Service
    You use Server Admin to start VPN service.
    To start VPN service:
    1. Open Server Admin and connect to the server.
    2. Click the triangle at the left of the server. The list of servers appears.
    3. From the expanded Servers list, select VPN.
    4. Click the Start VPN button below the Servers list.
    From the command line:
    To start VPN service:
        sudo serveradmin start vpn
    For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command Line Administration.
    Chapter 6 Working with VPN Service
    Managing VPN Service
    This section describes tasks associated with managing VPN service. It includes starting, stopping, and configuring the service.
    Stopping VPN Service
    You use Se
32. U
    UCE (unsolicited commercial email). See junk mail screening
    UDP (User Datagram Protocol) 84, 92
    universal time coordinated. See UTC
    unsolicited mail. See junk mail screening
    upgrading DNS configuration 56
    User Datagram Protocol. See UDP
    users: mobile 139; VPN access 153; wireless access 168. See also clients; RADIUS
    UTC (universal time coordinated) 178
    V
    virtual local area network. See VLAN
    Virtual Private Network. See VPN
    virtual servers: NAT gateway 135, 136
    virus screening 114
    VLAN (virtual local area network) 193, 194
    VPN (Virtual Private Network): access control 153, 161; authentication 140; clients 141, 149, 159, 161, 166; command list 210; connections 19, 21, 23, 159, 166; default configuration 213; Internet sharing 16; introduction 139; IP address assignment 27, 142; L2TP settings 143; LDAP 141, 155; logs 150, 158; management of 151, 159; monitoring 157; network linking 162; PPTP settings 146; protocol support by platform 141; routing definitions 151; security 139, 140, 142, 162; settings 206; setup 141, 142, 143; site-to-site 162; starting 143, 150; status checking 157; stopping 151; supplementary configurations 155, 156
    W
    WAN (wide area network) 139
    web services: access control 109, 110, 188
    wide area network. See WAN
    wildcards in IP addresses 87
    WINS (Windows Internet Naming Service) 37
    wireless service. See AirPort Base Station; RADIUS
    WLAN (wireless local area network) 21, 23
    workgroups: configuration
33. X Clients
    Using DHCP with a Manual Address
    The DHCP section of Server Admin permits each subnet address range to be enabled or disabled. When the subnet is enabled, the DHCP server allocates addresses in its range and dispenses other network information to clients that are configured as "Using DHCP." When the subnet is disabled, the DHCP server does not allocate addresses from the subnet address range pool, but it does dispense other network information, such as DNS and LDAP server addresses, to clients that are configured as "Using DHCP with manual address" (static maps), as long as the client address is in the subnet range.
    Enabling and disabling the subnet disables automatic address allocation for the address range, but it does not disable DHCP server responses to a client whose address is in the subnet range.
    Chapter 2 Working with DHCP Service 47 48
    Configuring DHCP on Clients
    You can configure clients to use DHCP to obtain IP addresses.
    To configure DHCP on clients:
    1. Choose Apple > System Preferences, and then click Network.
    2. Select the network connection service for your account (such as Built-in Ethernet) from the Services list.
    3. Select "Using DHCP" from the Configure pop-up menu.
    Configuring a Static IP Address on a Client
    You can configure clients to use static IP addresses.
    To configure static IP addresses on a client:
    1. Choose Apple > System Preferences, and then click Network.
    2. Select the netwo
34. Zone, then choose Add Primary Zone (Master).
    Select the new zone.
    In the Primary Zone Name field, enter the zone name. This is the fully qualified domain name of the primary server.
    Enter the mail address of the zone's administrator.
    9. Select "Allows zone transfer" to permit secondary zones to get copies of the primary zone data.
    10. Add name servers for this zone by clicking the Add button and entering the name in the Name Servers field.
    11. Add mail exchangers for this zone by clicking the Add button and entering the name in the Mail Exchangers field. This field is the basis for the computer's MX record. Specify a mail server precedence number in the Priority field. Delivering mail servers try to deliver mail at lower-numbered mail servers first. For more information, see "Configuring DNS for Mail Service" on page 77.
    Click Expiration and enter the number of hours for each setting.
    Chapter 3 Working with DNS Service 57 58
    - Enter the amount of time the zone is valid. This is the zone's time-to-live (TTL) value. It determines how long query response information can remain cached in remote DNS systems before requerying the authoritative server.
    - Enter the interval of time that the secondary zones should refresh from the primary zone.
    - Enter the interval of time between each retry if the refresh of the secondary zone fails.
    - Enter the amount of time after
35. a recently created user, click the Refresh button below the Servers list.
    If you want to remove users from the "Allow only users and groups below" list, select the users or groups of users and click the Delete button. Only users in the list can use RADIUS service.
    Deleting AirPort Base Stations
    You can use Server Admin to delete AirPort Base Stations from the RADIUS server. When you delete AirPort Base Stations, make sure the stations are disconnected from the network. Otherwise, unauthorized users might be able to access your network.
    To delete AirPort Base Stations:
    1. Open Server Admin and connect to the server.
    2. Click the triangle at the left of the server. The list of services appears.
    3. From the expanded Servers list, select RADIUS.
    4. Click Base Stations.
    5. In the AirPort Base Station list, highlight a Base Station and click Remove.
    6. Verify you want to remove the Base Station by clicking Remove again.
    Editing an AirPort Base Station Record
    You can use Server Admin to edit an AirPort Base Station record on your RADIUS server.
    To edit an AirPort Base Station record:
    1. Open Server Admin and connect to the server.
    2. Click the triangle at the left of the server. The list of services appears.
    3. From the expanded Servers list, select RADIUS.
    4. Click Base Stations.
    5. In the AirPort Base Station list, highlight the Base Station you want to modify and click the Edit button.
    6. Modify the Base Station information and click Save.
    Cha
36. a security or intellectual property risk for a business.
    You can disable P2P networking by blocking incoming and outgoing traffic on the port number used by the P2P application. You must determine the port used for each P2P network in question. By default, Mac OS X Server's firewall blocks all ports not specifically opened.
    You can limit P2P network usage to IP addresses behind the firewall. To do so, open the P2P port for your LAN interface but continue to block the port on the interface connected to the Internet (the WAN interface). To learn how to make a firewall rule, see "Configuring Advanced Firewall Rules" on page 100.
    Chapter 4 Working with Firewall Service 113 114
    Controlling or Enabling Network Game Usage
    Sometimes network administrators must control the use of network games. The games might use network bandwidth and resources improperly or disproportionately.
    You can disable network gaming by blocking traffic (incoming and outgoing) on the port number used by the game. You must determine the port used for each network game in question. By default, Mac OS X Server's firewall blocks all ports not specifically opened.
    You can limit network game usage to IP addresses behind the firewall. To do so, open the relevant port on your LAN interface but continue to block the port on the interface connected to the Internet (the WAN interface). Some games require a connection to a gaming service for play, so this might not be effective. To
37. a setting indicating whether the service must be restarted.
    VPN Service Settings
    To change settings for VPN service, use the following parameters with the serveradmin tool.
    Parameter (vpn:Servers:...)                               Default
    com.<name>.ppp.l2tp:DNS:OfferedSearchDomains              empty array
    com.<name>.ppp.pptp:DNS:OfferedSearchDomains              empty array
    com.<name>.ppp.l2tp:DNS:OfferedServerAddresses            empty array
    206 Appendix Command Line Parameters for Network Services
    Parameter (vpn:Servers:...)                               Default
    com.<name>.ppp.pptp:DNS:OfferedServerAddresses            empty array
    com.<name>.ppp.l2tp:Interface:SubType                     L2TP
    com.<name>.ppp.pptp:Interface:SubType                     PPTP
    com.<name>.ppp.l2tp:Interface:Type                        PPP
    com.<name>.ppp.pptp:Interface:Type                        PPP
    com.<name>.ppp.l2tp:IPSec:AuthenticationMethod            SharedSecret
    com.<name>.ppp.l2tp:IPSec:IdentifierVerification          None
    com.<name>.ppp.l2tp:IPSec:IPSecSharedSecretEncryption     Keychain
    com.<name>.ppp.l2tp:IPSec:RemoteIdentifier
    com.<name>.ppp.l2tp:IPSec:LocalCertificate
    com.<name>.ppp.l2tp:IPSec:LocalIdentifier
    com.<name>.ppp.l2tp:IPSec:SharedSecret                    com apple pp
38. addition, you can set up rules for restricting Internet Control Message Protocol (ICMP) or Internet Group Management Protocol (IGMP) using advanced rule creation.
    Important: When you start Firewall service the first time, only ports essential to remote administration of the server are open, including secure shell (22) and several others. Other ports are dynamically opened to permit specific responses to queries initiated from the server. To permit remote access to other services on your computer, open more ports using the Services section of the Settings pane.
    If you plan to share data over the Internet and you don't have a dedicated router or firewall to protect your data from unauthorized access, you must use Firewall service. This service works well for small to medium businesses, schools, and small or home offices.
    Chapter 4 Working with Firewall Service
    Large organizations with a firewall can use Firewall service to exercise a greater degree of control over their servers. For example, workgroups in a large business, or schools in a school system, can use Firewall service to control access to their own servers.
    Firewall service also provides stateful packet inspection, which determines whether an incoming packet is a legitimate response to an outgoing request or part of an ongoing session. This permits packets that would otherwise be denied.
    Basic Firewall Practices
    By default, Mac OS X Server uses a simple model for a useful, secure fire
39. an A record with the name www.example.com to the IP address 17100 01. Request an MX record with the name mail.example.com to the same IP address. These records are in addition to existing A and CNAME records for your domain.
    Chapter 5 Working with NAT Service 137 138
    Where to Find More Information
    The natd daemon process controls NAT service. For information about how to access natd features and implement them, see the natd man page.
    Request for Comments (RFC) documents provide an overview of a protocol or service and details about how the protocol should behave. If you're a novice server administrator, you'll probably find some of the background information in an RFC helpful. If you're an experienced server administrator, you can find the technical details about a protocol in its RFC document. You can search for RFC documents by number at www.ietf.org/rfc.html.
    For NAT descriptions, see:
    - RFC 1631
    - RFC 3022
    Chapter 5 Working with NAT Service
    Working with VPN Service
    Use this chapter to set up and manage VPN service in Mac OS X Server.
    By configuring a virtual private network (VPN) on your server, you can give users a more secure way of remotely communicating with computers on your network.
    This chapter describes the VPN authentication method and transport protocols and explains how to configure, manage, and monitor VPN service. It does not include information for configuring VPN clients to use your VPN server.
    A V
40. and connect to the server.
    Click Settings.
    Click Services.
    Select the Mobile Access checkbox.
    Click Save.
    Chapter 9 Working with Mobile Access Service
    Setting Up Mobile Access Service
    Set up Mobile Access service by configuring the following settings in Server Admin:
    - Forward Address Book traffic to internal server: Use to configure where address book requests are forwarded.
    - Forward iCal traffic to internal server: Use to configure where iCal requests are forwarded.
    - Forward mail traffic to internal server: Use to configure where mail requests are forwarded.
    - Forward web traffic to internal servers: Use to configure where web requests are forwarded.
    The following sections describe how to configure these settings and explain how to start Mobile Access service when you finish.
    Note: The proxy server gracefully restarts when you save certain changes. If the changes require a full restart, you are prompted to approve the full restart.
    Configuring Mobile Access Service Address Book Settings
    You use Server Admin to indicate the internal Address Book origin server, set the external and internal ports, and configure the SSL settings for the Mobile Access server.
    When configuring Mobile Access server to proxy Address Book, you must use basic or digest as the method of authentication. Kerberos authentication is not supported.
    To configure Mobile Access Service Address Book settings:
    1. Open Server Admin and conn
41. and date stamps, such as Mail service or Web service with timed cookies, send wrong time and date stamps and are out of synchronization with other computers across the Internet. For example, a mail message could arrive minutes or years before it was sent (according to the time stamp), and a reply to that message could come before the original was sent.
    How NTP Works
    NTP uses Universal Time Coordinated (UTC) as its reference time. UTC is based on an atomic resonance, and clocks that run according to UTC are often referred to as atomic clocks.
    On the Internet, authoritative NTP servers, known as Stratum 1 servers, keep track of the current UTC time. Other subordinate servers, known as Stratum 2 and 3 servers, regularly query the Stratum 1 servers and estimate the time taken to send and receive the query. They then factor this estimate with the query result to set the Stratum 2 or 3 server's time. The estimates are correct to the nanosecond.
    Your LAN can then query Stratum 3 servers for the time. An NTP client computer on your network then takes the UTC time reference and converts it, using its own time zone setting, to local time and sets its internal clock accordingly.
    Using NTP on Your Network
    Mac OS X Server can act as an NTP client, receiving authoritative time from an Internet time server, and as an authoritative time server for a network. Your local clients can query your server to set their clocks. If you set your serve
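The manual says a subordinate server "estimates the time taken to send and receive the query" and then "factors this estimate with the query result". The following is an added example, not from the manual or from Apple's NTP implementation, showing the standard arithmetic an NTP client uses to do that (the four-timestamp offset and delay formulas of RFC 5905); the sample timestamps are constructed, and `local_wall_clock` is a hypothetical helper for the manual's "converts it using its own time zone setting" step.

```python
"""Added example: turning NTP query/response timestamps into a clock correction.

Four timestamps describe one exchange (RFC 5905 notation):
  t1  client sends the request      (read from the client clock)
  t2  server receives the request   (read from the server clock)
  t3  server sends the reply        (read from the server clock)
  t4  client receives the reply     (read from the client clock)

  delay  = (t4 - t1) - (t3 - t2)         round trip minus server processing time
  offset = ((t2 - t1) + (t3 - t4)) / 2   how far the client clock is behind the server
The offset formula assumes the request and reply paths take equal time.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class NtpExchange:
    """One request/response pair, all times as seconds (UTC-based epoch)."""
    t1: float
    t2: float
    t3: float
    t4: float


def round_trip_delay(x: NtpExchange) -> float:
    """Network time spent on the exchange, excluding the server's processing."""
    return (x.t4 - x.t1) - (x.t3 - x.t2)


def clock_offset(x: NtpExchange) -> float:
    """Estimated difference (server clock - client clock) in seconds."""
    return ((x.t2 - x.t1) + (x.t3 - x.t4)) / 2.0


def best_exchange(samples: Iterable[NtpExchange]) -> Optional[NtpExchange]:
    """Pick the usable sample with the smallest delay.

    A lower round-trip delay means less room for path asymmetry to distort
    the offset.  Samples with a negative delay are impossible (the reply would
    have arrived before the request was sent) and point at a broken or spoofed
    response, so they are discarded rather than trusted.
    """
    usable = [s for s in samples if round_trip_delay(s) >= 0]
    if not usable:
        return None
    return min(usable, key=round_trip_delay)


def corrected_time(local_now: float, samples: Iterable[NtpExchange]) -> float:
    """Apply the offset from the best sample to the client's current clock reading."""
    best = best_exchange(samples)
    if best is None:
        return local_now           # nothing trustworthy: leave the clock alone
    return local_now + clock_offset(best)


def local_wall_clock(utc_seconds: float, tz_offset_hours: float) -> str:
    """Hypothetical helper: render a UTC epoch time in the client's time zone."""
    tz = timezone(timedelta(hours=tz_offset_hours))
    return datetime.fromtimestamp(utc_seconds, tz).strftime("%Y-%m-%d %H:%M:%S %z")


# Constructed sample: the server clock is exactly 30 s ahead of the client,
# each one-way trip takes 0.014 s and the server spends 0.002 s processing.
SAMPLE = NtpExchange(t1=100.000, t2=130.014, t3=130.016, t4=100.030)

# Constructed bad sample: reply timestamped before the request went out.
BOGUS = NtpExchange(t1=100.000, t2=130.014, t3=130.016, t4=99.900)

if __name__ == "__main__":
    print("delay  =", round(round_trip_delay(SAMPLE), 6))   # 0.028
    print("offset =", round(clock_offset(SAMPLE), 6))       # 30.0
    print("corrected =", round(corrected_time(100.5, [BOGUS, SAMPLE]), 6))
    print(local_wall_clock(1_700_000_000, -8))
```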
42. and these instructions. This example uses the following settings:
    - Desired VPN type: L2TP
    - Authentication: Using shared secret
    - Shared secret: prDwkj49fd/254
    - Internet or public IP address of the VPN main LAN gateway (Site 1): A.B.C.D
    - Internet or public IP address of the VPN remote LAN gateway (Site 2): W.X.Y.Z
    - Private IP address of site 1: 192.168.0.1
    - Private IP address of site 2: 192.168.20.1
    - Private network IP address range and netmask for site 1: 192.168.0.0 to 192.168.0.255 (also expressed as 192.168.0.0/16 or 192.168.0.0/255.255.0.0)
    - Private network IP address range and netmask for site 2: 192.168.20.0 to 192.168.20.255 (also expressed as 192.168.20.0/24 or 192.168.0.0/255.255.0.0)
    - Organization's DNS IP address: 192.168.0.2
    Chapter 6 Working with VPN Service
    The result of this configuration is an auxiliary remote LAN connected to a main LAN using L2TP.
    Step 1: Run s2svpnadmin on both site gateways
    1. Open Terminal and start s2svpnadmin by entering:
           sudo s2svpnadmin
    2. Enter the relevant number for "Configure a new site-to-site server."
    3. Enter an identifying configuration name (no spaces permitted). For this example, you could enter site_1 on site 1's gateway, and so on.
    4. Enter the gateway's public IP address. For this example, enter A.B.C.D on site 1's gateway and W.X.Y.Z on site 2's gateway.
    5. Enter the other site's public IP address. For this example, enter W
43. computer, make sure the routers that connect your subnets can forward client broadcasts and DHCP server responses. A relay agent or router on your network that can relay BootP communications will work for DHCP. If you don't have a means to relay BootP communications, place the DHCP server on the same subnet as your client.
    Interacting with Other DHCP Servers
    You might already have DHCP servers on your network, such as AirPort Base Stations. Mac OS X Server can coexist with other DHCP servers as long as each DHCP server uses a unique pool of IP addresses. However, you might want your DHCP server to provide an LDAP server address for client autoconfiguration in managed environments. Because AirPort Base Stations can't provide an LDAP server address, if you want to use the autoconfiguration feature, you must set up AirPort Base Stations in Ethernet-bridging mode and have Mac OS X Server provide DHCP service. If AirPort Base Stations are on separate subnets, configure your routers to forward client broadcasts and DHCP server responses as described previously.
    To provide DHCP service with AirPort Base Stations, you must manually enter LDAP server addresses of computers. You can't use the client autoconfiguration feature.
    Using Multiple DHCP Servers on a Network
    You can have multiple DHCP servers on the same network. However, they must be configured properly to prevent interference with each other. Each server needs a unique pool of IP addr
44. configure AirPort Base Stations. See "Remotely Configuring AirPort Base Stations" on page 172.
    Step 4: Configure RADIUS to use certificates. Use Server Admin to configure RADIUS to use certificates to trust Base Stations. See "Configuring RADIUS to Use Certificates" on page 172.
    Step 5: Start RADIUS. To start RADIUS, see "Starting or Stopping RADIUS Service" on page 174.
    Turning RADIUS On
    Before you can configure RADIUS settings, you must turn on RADIUS service in Server Admin.
    To turn RADIUS on:
    1. Open Server Admin and connect to the server.
    2. Click Settings, then click Services.
    3. Select the RADIUS checkbox.
    4. Click Save.
    Setting Up RADIUS
    This section describes how to add AirPort Base Stations to your RADIUS server, configure AirPort Base Stations remotely, and configure RADIUS to use certificates to trust AirPort Base Stations.
    Configuring RADIUS Using the Configuration Assistant
    Mac OS X Server v10.6 offers a configuration assistant for RADIUS. The configuration assistant guides you through the RADIUS configuration process and lets you start RADIUS.
    To configure RADIUS using the configuration assistant:
    1. Open Server Admin and connect to the server.
    2. Click the triangle at the left of the server. The list of services appears.
    3. From the expanded Servers list, select RADIUS.
    4. Click Overview.
    5. Click Configure RADIUS Service.
    6. In the RADIUS Server Certificate pane, select one of the following:
    Chapter 7 Working with RAD
45. denied packets" checkbox.
    Chapter 4 Working with Firewall Service
    In the "Maximum number of packets to log" field, enter the maximum number of packets that you want to be logged. The default is 1000.
    Click Save.
    8. Click Logging.
    9. Select the "Enable logging" checkbox.
    10. Select "Log all allowed packets." The logs are visible in the Log pane.
    Blocking Junk Mail
    This section describes how to reject mail from a junk mail sender with an IP address of 17128 100 0 (for example) and accept all other Internet mail.
    Important: To block incoming SMTP mail, set up specific address ranges in rules you create. For example, if you set a rule on port 25 to deny mail from all addresses, you prevent mail from being delivered to users.
    To prevent junk mail from being delivered to users:
    1. Open Server Admin and connect to the server.
    2. Click the triangle at the left of the server. The list of services appears.
    3. From the expanded Servers list, select Firewall.
    4. Select Address Groups.
    5. To create an address range, click the Add button and enter a name for the address group in the Group name field.
    6. To indicate the junk mail sender's address, enter 17128 100 0 in the "Addresses in group" list by clicking the Add button and entering the address.
    7. Click OK.
    8. Click Services.
    9. From the "Editing Services for" pop-up menu, choose the newly created address group.
    10. Select "Allow only traffic from/to the
46. file sharing and printing by providing dynamic discoverability of file servers and Bonjour-enabled network printers.
    Bonjour begins by simplifying the otherwise complex process of configuring devices for a network. To communicate with other devices using IP, a device needs special information like an IP address, a subnet mask, DNS addresses, a DNS name, and preconfigured search paths. Understanding these cryptic details and performing the subsequent configuration can be daunting for the average user.
    When a new computer or device is added to a network by means of autoconfiguration (like a DHCP server), Bonjour configures the device using a technique called link-local addressing. If a DHCP server is available, Bonjour uses the assigned IP address.
    With link-local addressing, the computer randomly selects an IP address from a predefined range of addresses set aside by the Internet Assigned Numbers Authority (IANA) for link-local addressing and assigns that address to itself. Addresses are in the range 169.254.xxx.xxx. The device then sends a message over the network to determine whether another device is using the address. If the address is in use, the device randomly selects addresses until it finds one that is available. When the device has assigned itself an IP address, it can send and receive IP traffic on the network.
    Mac OS X Server v10.5 or later supports Wide-Area Bonjour browsing that allows computers and devices that support Bonjour to c
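The self-assignment procedure described above (prefer a DHCP lease; otherwise pick a random 169.254.x.x address, probe for a conflict, retry) as an added example that is not the manual's or Apple's code. It models the conflict probe as a caller-supplied `is_in_use` callback instead of real ARP traffic; the reserved first and last /24 of 169.254/16 that the selector skips come from RFC 3927, not from the manual, and `make_scripted_rng` is a hypothetical helper so the choices can be reproduced.

```python
"""Added example: link-local (169.254/16) address self-assignment with conflict probing."""
import ipaddress
import random
from typing import Callable, Iterator, Optional

LINK_LOCAL_NET = ipaddress.IPv4Network("169.254.0.0/16")
# RFC 3927 reserves the first and last 256 addresses of the block, so a host
# may only pick from 169.254.1.0 through 169.254.254.255 (not stated in the manual).
FIRST_USABLE_OFFSET = 256
LAST_USABLE_OFFSET = LINK_LOCAL_NET.num_addresses - 256   # exclusive upper bound
MAX_PROBE_ATTEMPTS = 10


def is_usable_link_local(addr: ipaddress.IPv4Address) -> bool:
    """True when addr lies inside the assignable part of 169.254/16."""
    if addr not in LINK_LOCAL_NET:
        return False
    offset = int(addr) - int(LINK_LOCAL_NET.network_address)
    return FIRST_USABLE_OFFSET <= offset < LAST_USABLE_OFFSET


def random_link_local(rng) -> ipaddress.IPv4Address:
    """Pick one candidate address uniformly from the assignable range."""
    offset = rng.randrange(FIRST_USABLE_OFFSET, LAST_USABLE_OFFSET)
    return LINK_LOCAL_NET.network_address + offset


def select_link_local(is_in_use: Callable[[ipaddress.IPv4Address], bool],
                      rng=None,
                      max_attempts: int = MAX_PROBE_ATTEMPTS) -> Optional[ipaddress.IPv4Address]:
    """Pick a candidate, probe it, and keep picking until a free one is found.

    is_in_use stands in for the on-the-wire probe ("sends a message over the
    network to determine whether another device is using the address").
    Returns None when every attempt collided, so the caller can back off
    instead of claiming an address that another device already answered for.
    """
    rng = rng or random.Random()
    for _ in range(max_attempts):
        candidate = random_link_local(rng)
        if not is_in_use(candidate):
            return candidate
    return None


def configure_address(dhcp_offer: Optional[str],
                      is_in_use: Callable[[ipaddress.IPv4Address], bool],
                      rng=None) -> Optional[ipaddress.IPv4Address]:
    """Manual's ordering: a DHCP-assigned address wins; link-local is the fallback."""
    if dhcp_offer:
        return ipaddress.IPv4Address(dhcp_offer)
    return select_link_local(is_in_use, rng)


def make_scripted_rng(offsets) -> object:
    """Hypothetical helper: an rng whose randrange() replays the given offsets."""
    it: Iterator[int] = iter(offsets)

    class _Scripted:
        def randrange(self, lo: int, hi: int) -> int:
            value = next(it)
            if not lo <= value < hi:
                raise ValueError(f"scripted offset {value} outside [{lo}, {hi})")
            return value

    return _Scripted()


# Constructed sample: two neighbours already answer for these addresses.
IN_USE = {ipaddress.IPv4Address("169.254.10.5"), ipaddress.IPv4Address("169.254.200.1")}

if __name__ == "__main__":
    chosen = configure_address(None, lambda a: a in IN_USE, random.Random(7))
    print("link-local choice:", chosen, "usable:", is_usable_link_local(chosen))
    print("dhcp wins:", configure_address("192.168.0.42", lambda a: a in IN_USE))
```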
47. for 43
    X
    xinetd daemon 23
    Xserve 193
    Z
    zones, DNS: adding 67, 68; alias records 71; BIND zone file 70; changing 69; deleting 69; disabling transfers 65; enabling transfers 65; forward 68; introduction 50; machine records 51, 71; records management 70, 72, 73, 74; security 74; setup 57, 59
    Index 219
48. function. Other DNS servers that query your DNS servers don't need to perform the recursion.
    To prevent malicious users from changing the primary zone's records (referred to as cache poisoning) and to prevent unauthorized use of the server for DNS service, you can restrict recursion. However, if you restrict your private network from recursion, your users can't use your DNS service to look up names outside of your zones.
    Disable recursion only if:
    - No clients are using this DNS server for name resolution.
    - No servers are using it for forwarding.
    To enable recursion:
    1. Open Server Admin and connect to the server.
    2. Click the triangle at the left of the server. The list of services appears.
    3. From the expanded Servers list, select DNS.
    4. Click Settings.
    5. Click the Add button below the "Accept recursive queries from the following networks" list.
    6. Enter the IP addresses for the servers that DNS will accept recursive queries from. You can also enter IP address ranges.
    7. Click Save.
    Chapter 3 Working with DNS Service
    If you enable recursion, consider disabling it for external IP addresses but enabling it for LAN IP addresses by editing BIND's named.conf file. However, edits you make to named.conf will not show up in the DNS section of Server Admin.
    You can completely disable recursion by removing all entries from the network list.
    For more information about BIND, see www.isc.org/sw/bind.
    Managing D
49. include embedded hyphens. Other parameters: the standard subnet settings described in Command-Line Parameters for Network Services. For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.
Assigning Static IP Addresses Using DHCP
You can always assign the same address to specific computers. This helps simplify configuration when using DHCP and lets you have static servers or services. To keep the same IP address for a computer, you must know the computer's Ethernet address (also known as the MAC or hardware address). Each network interface has its own Ethernet address. If a computer is connected to a wired network and a wireless network, it uses a different Ethernet address for each network connection.
To assign static IP addresses:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Static Maps.
5. Click Add Computer.
6. Enter the name of the computer.
7. In the Network Interfaces list, click the column to enter the following information:
• MAC address of the computer that needs a static address.
• IP address you want to assign to the computer.
8. If your computer has other network interfaces that require static IP addresses, click the Add button and enter the IP address you want to assign for each interface. Cha
50. is entirely IPv6, you might want to use this rule and use the ip6fw tool to create override rules for IPv6, and create a script that reapplies the rules when Firewall service or the server restarts.
(Chapter 4: Working with Firewall Service)
The IPv6Control key allows you to set a Boolean value that determines if ip6fw starts or stops when ipfw starts or stops. If the value is set to true, ip6fw starts and stops when ipfw starts or stops. If the value is set to false, only ipfw starts or stops. By default, the value is set to true.
Firewall Setup Overview
After you decide the types of rules to configure, use the following steps to set up Firewall service. If you need more help to perform these steps, see Setting Up Firewall Service on page 93 and the other topics referred to in the steps.
Step 1: Learn and plan
If you're new to working with Firewall service, learn and understand firewall concepts, tools, and features of Mac OS X Server and BIND. For more information, see About Firewall Rules on page 86. Then determine which services you want to provide access to. Mail, Web, and FTP services generally require access from computers on the Internet. File and Print services are more likely to be restricted to your local subnet. After you decide the services to protect using Firewall service, determine the IP addresses you want to permit access to your server and the IP addresses you want to deny access to your server. Then configure th
51. mail, you must notify potential senders of a new address for your users, or you can create an MX record for each domain you want handled by your mail server and direct the mail to the correct computer. When you set up an MX record, include a list of potential computers that can receive mail for a domain. That way, if the server is busy or down, mail is sent to another computer. Each computer on the list is assigned a precedence number (its priority). The one with the lowest number is tried first. If that computer isn't available, the computer with the next lowest number is tried, and so on. When a computer receives the mail, it holds the mail and sends it to the main mail server when the main server becomes available, and then the main mail server delivers the mail.
(Chapter 3: Working with DNS Service, pages 77–78)
Following is an example of an MX record that includes three computers that can receive mail for the example.com domain:
    example.com
    10 reliable.example.com
    20 our-backup.example.com
    30 last-resort.example.com
MX records are used for outgoing mail too. When your mail server sends mail, it looks at the MX records to see whether the destination is local or somewhere else on the Internet; then the process above happens in reverse. If the main server at the destination is not available, your mail server tries every available computer on that destination's MX record list until it finds one that accepts the mail. C
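The preference-ordered fallback described above, as an added Python example that is not part of the Apple manual: it parses the manual's compact MX notation and walks the hosts in ascending preference order, stopping at the first one that answers. The `reachable` callback stands in for an SMTP connection attempt (an assumption for offline use); the record set is the manual's own sample.

```python
"""Added example (not from the manual): MX-record delivery order.

Parses the manual's "domain, then '<preference> <host>' lines" notation and
tries hosts lowest-preference-first, exactly as the text describes. The
reachable() callback is a stand-in for a real SMTP connection attempt.
"""
from typing import Callable, List, Optional, Tuple

# Constructed copy of the manual's sample MX record set.
MANUAL_BLOCK = """
example.com
10 reliable.example.com
20 our-backup.example.com
30 last-resort.example.com
"""

MXRecord = Tuple[int, str]


def parse_mx_block(text: str) -> Tuple[str, List[MXRecord]]:
    """Return (domain, [(preference, host), ...]) from the compact notation."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty MX block")
    domain, records = lines[0], []
    for line in lines[1:]:
        pref, host = line.split()           # malformed lines raise ValueError
        records.append((int(pref), host.rstrip(".")))
    return domain, records


def ordered_hosts(records: List[MXRecord]) -> List[str]:
    """Hosts sorted by preference; equal preferences keep their input order."""
    return [host for _pref, host in sorted(records, key=lambda r: r[0])]


def delivery_attempts(records: List[MXRecord],
                      reachable: Callable[[str], bool]) -> Tuple[List[str], Optional[str]]:
    """Walk the hosts in preference order and return (hosts tried, chosen host).

    The chosen host is None when every listed host is unavailable, which is
    the case where a sending server must queue the message and retry later.
    """
    tried: List[str] = []
    for host in ordered_hosts(records):
        tried.append(host)
        if reachable(host):
            return tried, host
    return tried, None


if __name__ == "__main__":
    domain, records = parse_mx_block(MANUAL_BLOCK)
    # Simulate the primary being down: delivery lands on the backup.
    down = {"reliable.example.com"}
    print(domain, delivery_attempts(records, lambda h: h not in down))
```

One operational consequence worth noting: the lower-priority hosts are legitimate inbound paths for the domain, so they need the same filtering and authentication policy as the primary, otherwise they become the easiest way to bypass it.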
52. of the DHCP service:
    sudo serveradmin fullstatus dhcp
For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.
(Chapter 2: Working with DHCP Service, pages 41–42)
Viewing DHCP Log Entries
If you've enabled logging for DHCP service, you can check the system log for DHCP errors. The log view is the system log file filtered for bootpd. Use the Filter field to search for specific entries.
To view DHCP log entries:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Log.
5. To search for specific entries, use the Filter field (upper-right corner).
From the command line, to view DHCP log entries:
    tail log-file
For information about viewing DHCP logs, see Connecting a Wired LAN to the Internet on page 18. For information about tail, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.
Viewing the DHCP Client List
The DHCP Clients window gives the following information for each client:
• The IP address served to the client.
• The number of days of lease time left, or the number of hours and minutes if less than 24 hours.
• The DHCP client ID (usually the same as the hardware address).
• The computer name.
• The hardware address.
To view the DHCP client list
53. on page 27 and Configuring DHCP on Clients on page 48.
Where to Find More DNS Information
For more information about DNS and BIND, see the following:
• DNS and BIND, 5th edition, by Paul Albitz and Cricket Liu (O'Reilly and Associates, 2006).
• The International Software Consortium website, www.isc.org and www.isc.org/sw/bind.
• The DNS Resources Directory, www.dns.net/dnsrd.
Request for Comments (RFC) documents provide an overview of a protocol or service and explain how the protocol should behave. If you're a novice server administrator, you'll probably find some of the background information in an RFC helpful. If you're an experienced server administrator, you can find technical details about a protocol in its RFC document. You can search for RFC documents by number at www.ietf.org/rfc.html.
• A, PTR, CNAME, MX: for more information, see RFC 1035.
• AAAA: for more information, see RFC 1886.
(Chapter 3: Working with DNS Service)
Working with Firewall Service
Use this chapter to set up and manage Firewall service in Mac OS X Server. Firewall service is software that protects network applications running on your Mac OS X Server computer. Turning on Firewall service is similar to erecting a wall to limit access to your network. Firewall service scans incoming IP packets and rejects or accepts these packets based on rules you use to configure Firewall service. You can restrict access to any IP service running on t
54. other as if they were on the same LAN. Benefits include more efficient network bandwidth use and greater security, because broadcast or multicast traffic is only sent to computers on the common network segment. Mac OS X Server provides 802.1q VLAN support on Ethernet ports and secondary PCI gigabit Ethernet cards available or included with Xserves and Mac Pro systems. VLAN support conforms to the IEEE standard 802.1q.
What a VLAN Is
VLANs enable multiple computers on different physical LANs to communicate with each other as if they were on the same LAN. Benefits include more efficient network bandwidth use and greater security, because broadcast or multicast traffic is only sent to computers on the common network segment. Mac OS X Server provides 802.1q VLAN support on the Ethernet ports and secondary PCI gigabit Ethernet cards available or included with Xserves and Mac Pro systems. VLAN support conforms to the IEEE standard 802.1q.
(Pages 193–194)
Setting Up Client Membership for a VLAN
To set up and manage VLANs, you use the VLAN area of the Network pane of System Preferences. Be sure that ports used by non-VLAN devices (non-802.1q compliant) are configured to transmit untagged frames. If a noncompliant Ethernet device receives a tagged frame, it cannot understand the VLAN tag and drops the frame.
Note: The VLAN area of the Network pane is visible only if your hardware, such as an Xserve G5 system, supports this feature.
55. outside the firewall and not accessible from the 17.x.x.x LAN. As an example, to use addresses in the range 17.100.100.x, enter an extra routing definition as follows:
    17.100.100.0 255.255.255.0 Public
Because the address definition is more specific than 17.x.x.x, this rule takes precedence over the broader, more general rule, and traffic heading to any address in the 17.100.100.x range is sent through the client computer's Internet connection. In summary, if you add routes, any routes you specify as private go over the VPN connection and any declared as public do not go over the VPN connection. All others not specified also do not go over the VPN connection.
Setting Routing Definitions
Use Server Admin to set your routing definitions.
To set routing definitions:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of servers appears.
3. From the expanded Servers list, select VPN.
4. Click Settings, then click Client Information.
5. Click the Add button.
(Chapter 6: Working with VPN Service)
6. Enter a destination address range of the packets to be routed by specifying:
• A base address (for example, 192.168.0.0).
• A network mask (for example, 255.255.0.0).
7. From the Type pop-up menu, select the routing destination:
• Private means to route client traffic through the VPN tunnel.
• Public means to use the normal interface with no tunnel.
8. Click OK.
9. Click Save.
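The precedence rule stated above (a more specific definition wins over a broader one, and anything unmatched stays off the tunnel) can be checked before pushing definitions to clients. The following is an added Python example, not code from the manual or from Apple: it evaluates a destination address against routing definitions entered in the same base-address/network-mask/type form Server Admin uses. The two definitions are constructed from the text's 17.x.x.x example.

```python
"""Added example (not from the manual): evaluate VPN routing definitions.

Each definition is (base address, network mask, "Private" | "Public"), the
same three values the Client Information pane asks for. Longest matching
prefix wins; a destination that matches nothing does not use the tunnel.
"""
import ipaddress
from typing import List, Optional, Tuple

Definition = Tuple[str, str, str]

# Constructed from the manual's example: the whole 17.x.x.x LAN goes over the
# VPN, except the 17.100.100.x range, which is carved out as Public.
ROUTES: List[Definition] = [
    ("17.0.0.0", "255.0.0.0", "Private"),
    ("17.100.100.0", "255.255.255.0", "Public"),
]


def validate(definitions: List[Definition]) -> None:
    """Reject malformed entries early instead of silently ignoring them."""
    for base, mask, kind in definitions:
        if kind not in ("Private", "Public"):
            raise ValueError(f"type must be Private or Public: {kind!r}")
        ipaddress.ip_network(f"{base}/{mask}", strict=False)  # raises on bad input


def matching_definition(destination: str,
                        definitions: List[Definition] = ROUTES) -> Optional[Definition]:
    """Return the most specific definition covering `destination`, or None."""
    validate(definitions)
    dest = ipaddress.ip_address(destination)
    best: Optional[Tuple[int, Definition]] = None
    for entry in definitions:
        base, mask, _kind = entry
        net = ipaddress.ip_network(f"{base}/{mask}", strict=False)
        if dest in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, entry)
    return best[1] if best else None


def uses_tunnel(destination: str, definitions: List[Definition] = ROUTES) -> bool:
    """True only when the winning definition is Private."""
    match = matching_definition(destination, definitions)
    return match is not None and match[2] == "Private"


if __name__ == "__main__":
    for addr in ("17.1.2.3", "17.100.100.9", "17.100.101.1", "198.51.100.4"):
        print(addr, "VPN tunnel" if uses_tunnel(addr) else "normal interface")
```

Note that unmatched destinations fall through to the normal interface, so a missing Private definition is a silent leak of traffic outside the tunnel rather than an error; the check above makes that visible before deployment.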
56. refreshing before the zone data expires.
Click Add Record, then choose Add Alias (CNAME). To see a list of records for a zone, click the triangle at the left of the zone. Select newAlias listed under the primary zone. You can add as many aliases as you want.
• In the Alias Name field, enter the alternate name for your computer. If you want to use the fully qualified name for the Alias, select the Fully Qualified checkbox and enter the fully qualified domain name. This field is the basis for CNAME records of the computer. Reverse lookup (Pointer) records are created for the computer.
• In the Destination field, enter the computer name you are creating the alias for. If you want to use the fully qualified name for the Destination, select the Fully Qualified checkbox and enter the fully qualified domain name.
Click Add Record, then choose Add Machines. Select newMachine listed under the primary zone, then enter the following machine information:
• In the Machine Name field, enter the hostname of the computer. This field is the basis for the A record of the computer. Reverse lookup (Pointer) records are created for the computer.
• Click the Add button, then enter the IP address of the computer.
• Enter information about the hardware and software of the computer in the relevant text boxes. These are the basis for the HINFO record of the computer.
• Enter comments about the computer in the Comments text box. This field is t
57. server, they typically request it by domain name (such as www.example.com) rather than by IP address (such as 192.168.12.12). The Domain Name System (DNS) is a distributed database that maps IP addresses to domain names so users can find the resources by name rather than by numerical address. A DNS server keeps a list of domain names and the IP addresses associated with each name. When a computer needs to find the IP address for a name, it sends a message to the DNS server, which is also known as a name server. The name server looks up the IP address and sends it back to the computer. If the name server doesn't have the IP address locally, it sends messages to other name servers on the Internet until the IP address is found. Setting up and maintaining a DNS server is a complex process. Therefore, many administrators rely on their Internet Service Provider (ISP) for DNS service. In this case, you only need to configure your network preferences with the IP address of the name server, which is provided by your ISP. If you don't have an ISP to handle DNS requests for your network and any of the following are true, you must set up your own DNS service:
• You can't use DNS from your ISP or other source.
• You plan on making frequent changes to the name space and want to maintain it yourself.
• You have a mail server on your network and you have difficulties coordinating with the ISP that maintains your domain.
• You have security concerns
58. settings dhcp:subnets
Example result (excerpt):
    dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C-14D96F317447:dhcp_ldap_url:_array_index:0 = "http://ldapxxx/123/basename1"
Prepare a file with the serveradmin commands to add a second LDAP Server URL.
(Chapter 2: Working with DHCP Service)
Because the individual elements of the dhcp_ldap_url array are not individually accessible, you cannot use the serveradmin create/delete idiom. Example file contents:
    dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C-14D96F317447:dhcp_ldap_url:_array_index:0 = "http://ldapxxx/123/basename1"
    dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C-14D96F317447:dhcp_ldap_url:_array_index:1 = "http://ldapyyy/234/basename2"
Note: The array indexes start with 0. The old URL entry must be present even though you are just adding a second one. The entries must be in order.
Use the serveradmin tool to apply the settings from the file by entering:
    sudo serveradmin settings < filename
Example result (the settings are confirmed):
    dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C-14D96F317447:dhcp_ldap_url:_array_index:0 = "http://ldapxxx/123/basename1"
    dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C-14D96F317447:dhcp_ldap_url:_array_index:1 = "http://ldapyyy/234/basename2"
If DHCP is running, restart DHCP service so it can pick up the revised configuration by entering:
    sudo serveradmin stop dhcp
    sudo serveradmin start dhcp
DHCP Service for Mac OS
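The procedure above (read the current array, restate every existing entry in order, append the new one, feed the file to `serveradmin settings`) is easy to get wrong by hand, because a file that omits index 0 silently replaces the array. The following is an added Python example, not an Apple tool or code from the manual: it extracts the current `dhcp_ldap_url` entries from captured `serveradmin settings dhcp:subnets` output and generates the settings file. The sample output, subnet ID and URLs are the manual's own; the function names are assumptions.

```python
"""Added example (not from the manual): generate a serveradmin settings file
that appends an LDAP URL to one subnet's dhcp_ldap_url array.

Rules implemented from the text: indexes start at 0, existing entries must be
restated in order, and the whole array is written at once.
"""
import re
from typing import List

# Subnet ID and URLs taken from the manual's sample.
SUBNET_ID = "498D8E6D-88A8-4048-8B3C-14D96F317447"

# Constructed excerpt of `sudo serveradmin settings dhcp:subnets` output.
SAMPLE_OUTPUT = """\
dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C-14D96F317447:dhcp_ldap_url:_array_index:0 = "http://ldapxxx/123/basename1"
dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C-14D96F317447:net_address = "192.168.1.0"
"""

LINE_RE = re.compile(
    r'^dhcp:subnets:_array_id:([^:]+):dhcp_ldap_url:_array_index:(\d+) = "(.*)"$'
)


def current_ldap_urls(settings_output: str, subnet_id: str) -> List[str]:
    """Return the subnet's dhcp_ldap_url entries ordered by array index."""
    found = {}
    for line in settings_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(1) == subnet_id:
            found[int(m.group(2))] = m.group(3)
    return [found[i] for i in sorted(found)]


def ldap_url_settings(subnet_id: str, urls: List[str]) -> List[str]:
    """Render the complete array as serveradmin settings lines, index 0 first."""
    if not urls:
        raise ValueError("the array must contain at least one URL")
    for url in urls:
        if '"' in url or "\n" in url:
            raise ValueError(f"URL cannot be quoted safely: {url!r}")
    prefix = f"dhcp:subnets:_array_id:{subnet_id}:dhcp_ldap_url:_array_index:"
    return [f'{prefix}{i} = "{url}"' for i, url in enumerate(urls)]


def add_ldap_url(subnet_id: str, existing: List[str], new_url: str) -> List[str]:
    """Settings lines for existing entries plus new_url; no duplicate is added."""
    urls = list(existing)
    if new_url not in urls:
        urls.append(new_url)
    return ldap_url_settings(subnet_id, urls)


if __name__ == "__main__":
    urls = current_ldap_urls(SAMPLE_OUTPUT, SUBNET_ID)
    # Write this to a file and apply it with: sudo serveradmin settings < filename
    print("\n".join(add_ldap_url(SUBNET_ID, urls, "http://ldapyyy/234/basename2")))
```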
59. subnet. Corresponds to the Network Interface pop-up menu in the General pane of the subnet settings in Server Admin.
WINS_NBDD_server: The NetBIOS datagram distribution server IPv4 address. Corresponds to the NBDD Server field in the WINS pane of the subnet settings in Server Admin.
(Appendix: Command-Line Parameters for Network Services, pages 201–202)
Subnet parameters (subnets:_array_id:<subnetID>:...) and their descriptions:
WINS_node_type: The WINS node type. Can be set to "" (not set, the default), BROADCAST_B_NODE, PEER_P_NODE, MIXED_M_NODE, or HYBRID_H_NODE. Corresponds to the NBT Node Type field in the WINS pane of the subnet settings in Server Admin.
WINS_primary_server: The primary WINS server used by clients. Corresponds to the WINS/NBNS Primary Server field in the WINS pane of the subnet settings in Server Admin.
WINS_scope_id: A domain name, such as apple.com. Default: "". Corresponds to the NetBIOS Scope ID field in the WINS pane of the subnet settings in Server Admin.
WINS_secondary_server: The secondary WINS server used by clients. Corresponds to the WINS/NBNS Secondary Server field in the WINS pane of the subnet settings in Server Admin.
About Static Map IDs
In a list of settings, <mapID> is replaced with a unique ID code for the map entry. The IDs generated by the server are random numbers. The only requirement for this ID is that it must be unique among the static maps defined on the serve
60. that uses a Kerberos Key Distribution Server as a trusted third party to authenticate a client to a server. MS-CHAPv2 authentication encodes passwords when they're sent over the network and stores them in a scrambled form on the server. This method offers good security during network transmission. It is also the standard Windows authentication scheme for VPN.
(Chapter 6: Working with VPN Service)
A Mac OS X Server PPTP VPN can also use other authentication methods. Each method has its own strengths and requirements. These other authentication methods for PPTP are not available in Server Admin. If you want to use an alternative authentication scheme (for example, to use RSA Security's SecurID authentication), you must edit the VPN configuration file manually. The configuration file is located at /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist. For more information, see Offering SecurID Authentication with VPN Server on page 156.
Using VPN Service with Users in a Third-Party LDAP Domain
To use VPN service for users in a third-party LDAP domain (an Active Directory or Linux OpenLDAP domain), you must be able to use Kerberos authentication. If you need to use MS-CHAPv2 to authenticate users, you can't offer VPN service for users in a third-party LDAP domain.
Before You Set Up VPN Service
Before setting up VPN service, determine which transport protocol you're going to use. The following table shows which p
61. the IP addresses you add in the Forwarder IP Addresses list.
To configure DNS settings:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
(Chapter 3: Working with DNS Service)
3. From the expanded Servers list, select DNS.
4. Click Settings.
5. From the Log Level pop-up menu, choose the detail level as follows:
• Choose Critical to record only critical errors, such as hardware errors.
• Choose Error to record errors, not including warning messages.
• Choose Warning to record warnings and errors.
• Choose Notice to record only important messages, warnings, and errors.
• Choose Information to record most messages.
• Choose Debug to record all messages.
The log location is /Library/Logs.
6. Below the "Accept recursive queries from the following networks" list, click the Add button to add networks that recursive queries are accepted from, then enter the network address in the list.
7. Below the Forwarder IP Addresses list, click the Add button to add networks that unauthorized queries get forwarded to, then enter the network address in the list.
8. Click Save.
From the command line:
To view a setting:
    sudo serveradmin settings dns:setting
To view a group of settings:
    sudo serveradmin settings dns:zone:_array_id:localhost:*
Enter as much of the name as you want, stopping at a colon and then entering an asterisk as a wildcard for the r
62. the VPN log:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of servers appears.
3. From the expanded Servers list, select VPN.
4. Click Log.
5. To search for specific entries, use the Filter field above the log.
From the command line:
To view the VPN log:
    tail log-file
To view the log path:
    sudo serveradmin command vpn:command = getLogPaths
For information about tail, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.
(Chapter 6: Working with VPN Service)
Viewing VPN Client Connections
You can monitor VPN client connections to maintain secure access to the VPN. By viewing the client connection screen, you can see:
• Users connected
• IP address users are connecting from
• IP address your network assigned to users
• Type and duration of connections
You can sort the list by clicking the column headers.
To view client connections:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of servers appears.
3. From the expanded Servers list, select VPN.
4. Click Connections.
Common Network Administration Tasks That Use VPN
This section describes common network administration tasks that use VPN service.
Linking a Computer at Home with a Remote Network
You can use VPN service to link a computer to a remote network, giving you access to it as if it were physically connected to the
63. the firewall is created by default.
Firewall Startup
Although the firewall is treated as a service by Server Admin, it is not implemented by a running process like other services. It is simply a set of behaviors in the kernel, controlled by the ipfw and sysctl tools. To start and stop the firewall, Server Admin sets a switch using the sysctl tool.
(Chapter 4: Working with Firewall Service, pages 85–86)
When the computer starts, a startup item named IPFilter checks the /etc/hostconfig file for the IPFILTER flag. If it is set, the startup item uses the sysctl tool to enable the firewall as follows:
    sysctl -w net.inet.ip.fw.enable=1
Otherwise, it disables the firewall as follows:
    sysctl -w net.inet.ip.fw.enable=0
The rules loaded in the firewall remain regardless of this setting. They are ignored when the firewall is disabled. Like most startup items, the IPFilter startup item opens in a predetermined order and only after prerequisite startup items have completed. In Mac OS X Server, the login window is presented while startup items can still be running. It is therefore feasible to log in before the firewall has activated its configured settings. The startup item that sets up the firewall should generally finish a few minutes after starting the system.
About Firewall Rules
When you start Firewall service, the default configuration denies access to incoming packets from remote computers except through ports for remote configuration. This provides a high leve
64. the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Overview to see whether the service is running, the number of client base stations, and when it was started.
Viewing RADIUS Logs
RADIUS creates entries in the system log for error and alert messages. You can filter the log to narrow the number of viewable log entries and make it easier to find the entry you want to see.
To view logs:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Logs.
5. Choose a log to view: radiusconfig or radiusd.
Editing RADIUS Access
You can restrict access to RADIUS by creating a group of users and adding them to the service access control list (SACL) of RADIUS.
To edit RADIUS access:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Settings, then click Edit Allowed Users.
5. Select "For selected services below", then select RADIUS.
6. Click Services.
(Chapter 7: Working with RADIUS, pages 175–176)
7. Select "Allow only users and groups below".
8. Click the Add button.
9. From the Users & Groups window, drag users or groups to the "Allow only users and groups below" list. If you don't see
65. use it with. To use it with PPTP, enter these two commands in Terminal (each on only one line):
(Chapter 6: Working with VPN Service)
    sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"
    sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "EAP"
To use it with L2TP, enter these two commands in Terminal (each on only one line):
    sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"
    sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "EAP"
Complete the remaining VPN service configuration tasks using Server Admin.
Monitoring VPN Service
This section describes tasks associated with monitoring a functioning VPN service. It includes accessing status reports, setting logging options, viewing logs, and monitoring connections.
Viewing a VPN Status Overview
The VPN Overview gives you a quick status report for enabled VPN services. It tells you how many L2TP and PPTP clients are connected, which authentication method is selected, and when the service was started.
To view the VPN status overview:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of servers appears.
3. From the expanded Servers list, select VPN.
4. Click Overview to see whether the service is running, when it wa
66. very secure passphrase, not a password of a user or administrator on the gateway server. To set a very secure passphrase, use Password Assistant in Account Preferences. For more information, see Mac OS X Server Security Configuration. For more information about VPN, see Chapter 6, Working with VPN Service.
Inspect and confirm the changes.
Options
You can fine-tune the settings of this base configuration, but you perform additional configuration in Server Admin. For example, you can use Server Admin to assign IP addresses to specific computers. To do this, add static address mappings in the DHCP section's Settings tab. For more information, see Chapter 2, Working with DHCP Service. You can also change firewall settings to permit connections from the Internet to the LAN. To do this, change the firewall settings, opening up IP ports as needed, and configure port forwarding in the NAT pane to designate which computer on the LAN is to accept incoming traffic.
Connecting a Wireless LAN to the Internet
Connecting wireless clients to the Internet through a Mac OS X Server gateway provides the following advantages over using AirPort Base Station built-in functions:
• Advanced firewall control
• DHCP allocation of static IP addresses
• DNS caching
• Incoming VPN connections to the LAN
If you do not need these advanced functions, use the AirPort Base Station to connect your wireless clients to the Internet without using Mac OS
67. (pages 127–128)
        <string>tcp or udp</string>
        <key>targetIP</key>
        <string>LAN_ip</string>
        <key>targetPortRange</key>
        <string>LAN_ip_range</string>
        <key>aliasIP</key>
        <string>WAN_ip</string>
        <key>aliasPortRange</key>
        <string>WAN_port_range</string>
    </dict>
</array>
Save your file changes. Enter the following commands in Terminal:
    sudo SystemStarter stop nat
    sudo SystemStarter start nat
Verify that your changes remain by inspecting the /etc/nat/natd.conf.apple file. The changes made (except for comments and those settings that Server Admin can change) are used by server configuration tools: Server Admin, Gateway Setup Assistant, and serveradmin. Configure NAT service in Server Admin as needed. For more information, see Configuring NAT Service on page 126. Click Save. Start NAT service.
Port Forwarding Examples
You can forward ports to an IP address. The ports on the WAN side do not need to be the same as the ports on the LAN side, but they must correspond. For example, if you forward 10 consecutive ports from the WAN side, you must forward them to 10 consecutive ports on the LAN side, but they don't need to be the same 10.
Single Port Forwarding
This example shows the setting to forward TCP port 80 (web service) connections on the WAN address 17.128.128.128 to TCP port 80 (w
68. 192.168.12.12:660 out via lo0
This entry shows the NAT divert rule applied to an outbound packet. In this case, it diverts the rule to service port 660, which is the port the NAT daemon uses.
Viewing Denied Packets
Viewing denied packets can help you identify problems and troubleshoot Firewall service.
To view denied packets:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Logging.
5. Make sure "Log all denied packets" is selected. If you have not turned on logging for a rule, see Editing or Deleting Advanced Firewall Rules on page 102.
6. To view log entries, click Log.
7. In the text filter box, enter the word "unreach".
(Chapter 4: Working with Firewall Service)
Viewing Packets Logged by Firewall Rules
Viewing the packets filtered by firewall rules can help you identify problems and troubleshoot Firewall service.
To view filtered packets:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Logging.
5. Make sure "Log all allowed packets" is selected. If you have not turned on logging for a rule, see Editing or Deleting Advanced Firewall Rules on page 102.
6. To view log entries, click Log.
7. Enter the word A
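The Server Admin filter box does a plain text match on the firewall log, which is enough to find denied packets but not to summarize them. The following is an added Python example, not code from the manual or from Apple, that parses ipfw-style log entries of the shape shown above (rule number, action, protocol, source, destination, direction, interface; the exact layout is an assumption) and reports the denied traffic per source address. The log lines are constructed for this example.

```python
"""Added example (not from the manual): summarize denied packets from
ipfw-style firewall log lines.

Assumed line layout, matching the fragment quoted in the text:
  ipfw: <rule> <action words> <proto> <src>:<port> <dst>:<port> <in|out> via <iface>
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Dec 12 13:17:36 gateway kernel[0]: ipfw: 20 Divert 8668 TCP 192.168.12.12:49152 192.168.12.12:660 out via lo0
Dec 12 13:17:40 gateway kernel[0]: ipfw: 12308 Unreach host TCP 203.0.113.7:51235 192.168.12.12:445 in via en0
Dec 12 13:17:41 gateway kernel[0]: ipfw: 12308 Unreach host TCP 203.0.113.7:51236 192.168.12.12:139 in via en0
Dec 12 13:17:45 gateway kernel[0]: ipfw: 65535 Deny UDP 198.51.100.9:1900 192.168.12.12:1900 in via en0
Dec 12 13:17:50 gateway kernel[0]: ipfw: 1010 Accept TCP 192.168.12.40:52000 192.168.12.12:22 in via en1
"""

ENTRY_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>.+?) (?P<proto>TCP|UDP|ICMP|IP) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it is not an ipfw entry."""
    m = ENTRY_RE.search(line)
    return m.groupdict() if m else None


def filter_entries(log: str, word: str) -> List[Dict[str, str]]:
    """Case-insensitive substring filter, like the Server Admin text filter box."""
    needle = word.lower()
    return [e for ln in log.splitlines() if needle in ln.lower()
            for e in [parse_entry(ln)] if e]


def is_denied(entry: Dict[str, str]) -> bool:
    """Denied packets are logged with a Deny or Unreach action."""
    action = entry["action"].lower()
    return action.startswith("deny") or action.startswith("unreach")


def denied_by_source(log: str) -> Dict[str, int]:
    """Count denied packets per source address (port stripped)."""
    counts: Counter = Counter()
    for ln in log.splitlines():
        entry = parse_entry(ln)
        if entry and is_denied(entry):
            counts[entry["src"].rsplit(":", 1)[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, n in sorted(denied_by_source(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{src}: {n} denied")
```

Counting by source is the first step from "the log shows blocked packets" to "this one host is probing several services", which is the question a responder actually asks of a denied-packet log.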
69. 3 74 74 74 75 76 76 76 77 77 79 80 81 81 82 82 83 83 85 85 86 86
Starting DNS Service
Managing DNS Service
  Checking DNS Service Status
  Viewing DNS Service Logs
  Changing DNS Log Detail Levels
  Viewing DNS Service Statistics
  Stopping DNS Service
  Enabling or Disabling Zone Transfers
  Enabling Recursion
Managing DNS Zones
  Adding a Primary Zone
  Adding a Secondary Zone
  Adding a Forward Zone
  Changing a Zone
  Deleting a Zone
  Importing a BIND Zone File
Managing DNS Records
  Adding an Alias Record to a DNS Zone
  Adding a Machine Record to a DNS Zone
  Adding a Service Record to a DNS Zone
  Changing a Record in a DNS Zone
  Deleting a Record from a DNS Zone
Securing the DNS Server
  DNS Spoofing
  Server Mining
  DNS Service Profiling
  Denial of Service (DoS)
  Service Piggybacking
Common Network Administration Tasks That Use DNS Service
  Configuring DNS for Mail Service
  Setting Up Namespace Behind a NAT Gateway
  Network Load Distribution (Round Robin)
  Hosting Several Internet Services with a Single IP Address
  Hosting Multiple Domains on the Same Server
  Configuring a Client to Use Your DNS Server
Where to Find More DNS Information
Chapter 4: Working with Firewall Service
About Firewall Service
  Basic Firewall Practices
  Firewall Startup
About Firewall Rules
  What a Firewall Rule Is
(Contents) 87 89 90 90 91 92 93 93 94 96 96 96 97 97 97 98 98 99 99 100 100 102 103 103 104 104 105 105 105 106 107 108 10
70. 85, 186, 187, 188, 189; starting 190; status checking 190; stopping 191
mobile accounts 139
MS-CHAPv2 authentication 140
MX (mail exchanger) 51, 77
N
name server 51, 53. See also DNS
NAT (Network Address Translation): configuration 79, 124, 126, 127, 128, 130, 133, 135; default configuration 212; DHCP 43; Firewall service 109, 124; gaming setup 135; gateway without NAT 131; Internet sharing 17; introduction 124; IPv6 protocol 195; linking to LAN 133; logs 132; management of 133; monitoring of 132; namespace setup 79; settings 205, 206; starting 126, 130; status checking 132; stopping 130; virtual servers setup 135
natd daemon 138
NBDD (NetBIOS Datagram Distribution Server) 38
NBNS (NetBIOS Name Server) 37
NetBIOS Scope ID 38
NetBoot service 44
Network Address Translation. See NAT
network services: introduction 11; management of 23. See also DHCP, DNS, Firewall service, IP addresses, NAT, VPN
NTP (network time protocol) 178, 179
O
Open Directory 168
Open Directory Password Server 168
P
P2P (Peer-to-Peer) file sharing 113
packets, data 102
passwords, VPN 140
Peer-to-Peer (P2P) file sharing. See P2P
piggybacking, service 76
plist files 127
pointer record. See PTR record
Point-to-Point Tunneling Protocol (PPTP). See PPTP
port forwarding 127, 128, 130
portable computers 139. See also Mobile Access service
ports: Firewall service 84, 114; NAT LAN 124; VLAN 193; VPN 142, 143, 146
PPP (Point-to-Point Protocol) service 212
71. 9 109 109 109 110 111 112 112 112 113 114
  Using Address Ranges
  Rule Mechanism and Precedence
  Multiple IP Addresses
  Editing IPv6 Firewall Rules
Firewall Setup Overview
  Turning Firewall Service On
Setting Up Firewall Service
  Configuring Address Groups Settings
  Configuring Services Settings
  Configuring Firewall Logging Settings
  Configuring Advanced Settings
  Starting Firewall Service
Managing Firewall Service
  Stopping Firewall Service
  Disabling Firewall Service
  Creating an Address Group
  Editing or Deleting an Address Group
  Duplicating an Address Group
  Adding to the Services List
  Editing or Deleting Items in the Services List
  Configuring Advanced Firewall Rules
  Editing or Deleting Advanced Firewall Rules
  Changing the Order of Advanced Firewall Rules
  Troubleshooting Advanced Firewall Rules
  Enabling Stealth Mode
  Adaptive Firewall
  Resetting the Firewall to the Default Setting
Monitoring Firewall Service
  Checking the Status of Firewall Service
  Viewing Firewall Active Rules
  Viewing the Firewall Service Log
  Viewing Denied Packets
  Viewing Packets Logged by Firewall Rules
Practical Firewall Examples
  Using Firewall with NAT
  Blocking Web Access to Internet Users
  Logging Internet Access by Local Network Users
  Blocking Junk Mail
  Permitting a Customer to Access the Apple File Server
Common Network Administration Tasks That Use Firewall Service
  Preventing Denial of Service (DoS) Attacks
  Controlling or Enabling Peer-to-Peer Network Usage
  Con
Chapter 4: Working with Firewall Service

Port          Protocol   Service
...95         TCP/UDP    Mail: POP3 over SSL
25            TCP/UDP    Mail: SMTP
587           TCP        Mail: SMTP submission
445           TCP        Microsoft Domain Server
2336          TCP        Mobile account sync
5353          UDP        Multicast DNS (Bonjour, mDNSResponder)
3306          TCP        MySQL
985           TCP        NetInfo static port
532           TCP        NetNews
2049          TCP/UDP    Network File System (NFS)
119           TCP        Network News Transfer Protocol (NNTP)
123           TCP/UDP    Network Time Protocol
3659          TCP/UDP    Open Directory Password Server (with 106)
106           TCP/UDP    Open Directory Password Server (with 3659)
3031          TCP/UDP    Program linking, remote AppleEvents
1220          TCP        QTSS administration
8000-8001     TCP        QTSS MP3 streaming
6970-6999     UDP        QTSS RTP streaming
7070          TCP/UDP    QTSS RTSP; Automatic Router Configuration Protocol (ARCP)
554           TCP/UDP    QTSS RTSP streaming
625           TCP        Remote directory access
111           TCP/UDP    Remote procedure call (RPC)
1099, 8043    TCP        Remote RMI and RMI/IIOP access to JBoss
22            TCP/UDP    Secure shell (SSH); Open Directory replica setup
626           UDP        Serial number support for Mac OS X Server
311           TCP        Server Admin over SSL; AppleShare IP remote web administration; Server Monitor; Server Admin (servermgrd); Workgroup Manager (DirectoryService)
687           TCP        Server administration using Server Admin
660           TCP        Server administration using Server Settings
514           TCP        Shell; syslog
115           TCP        Simpl
7. Use the Add and Delete buttons to enter the addresses and subnet mask you want the rules to affect. To indicate any IP address, use the word "any".
8. Click OK.
9. Click Save.

Editing or Deleting an Address Group

You can edit address groups to change the range of IP addresses affected. The default address group is for all addresses.

You can remove address groups from your firewall rule list. The rules associated with those addresses are also deleted.

Addresses can be listed as individual addresses (192.168.2.2), as an IP address and network mask in CIDR notation (192.168.2.0/24), or as an IP address and network mask in netmask notation (192.168.2.0/255.255.255.0).

To edit or delete an address group:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Address Groups.
5. From the IP Address Groups list, select the group name.
6. Choose from the following:
   - To edit an IP address group, click the Edit button below the list.
   - To delete an IP address group, click the Delete button below the list.
7. Edit the group name or addresses as needed and click OK.
8. Click Save.

Duplicating an Address Group

You can duplicate address groups from your firewall rule list. This can help speed configuration of similar a
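The three notations above (individual address, CIDR, netmask) are easy to get subtly wrong by hand, so here is an added example, not part of the guide or of Server Admin, that parses address-group entries with Python's ipaddress module and reports which groups an address falls into. The group names, the entries, and the probe addresses are constructed for the demonstration; the netmask-to-prefix conversion is the same relation the guide's netmask table lists. An entry with host bits set, such as 192.168.2.1/24, is rejected rather than silently widened to the whole /24, and a non-contiguous mask such as 255.0.255.0 is rejected too.

```python
"""Added example (not Apple's code): parse the three address-group notations
the guide accepts and test addresses against groups. Group names and sample
addresses are constructed for the demonstration."""
import ipaddress

# Constructed sample groups, one per notation the guide lists, plus "any".
SAMPLE_GROUPS = {
    "any": ["any"],                            # the default group: every address
    "lan": ["192.168.2.0/24"],                 # CIDR notation
    "office": ["192.168.2.0/255.255.255.0"],   # netmask notation
    "admin-host": ["192.168.2.2"],             # individual address
}


def netmask_to_prefix(mask: str) -> int:
    """255.255.255.224 -> 27 (the relation in the guide's netmask table).
    Raises ValueError for a non-contiguous mask such as 255.0.255.0."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def parse_entry(entry: str):
    """Return the IPv4Network for one address-group entry, or None for 'any'.
    strict=True rejects entries whose host bits are set (192.168.2.1/24):
    such an entry would otherwise match the whole /24 without warning."""
    entry = entry.strip()
    if entry.lower() == "any":
        return None
    if "/" not in entry:                       # individual address
        return ipaddress.IPv4Network(f"{entry}/32")
    addr, mask = entry.split("/", 1)
    prefix = netmask_to_prefix(mask) if "." in mask else int(mask)
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=True)


def matching_groups(address: str, groups=SAMPLE_GROUPS):
    """Names of every group whose entries cover `address`, in group order."""
    ip = ipaddress.IPv4Address(address)
    hits = []
    for name, entries in groups.items():
        for entry in entries:
            net = parse_entry(entry)
            if net is None or ip in net:
                hits.append(name)
                break
    return hits


if __name__ == "__main__":
    for probe in ("192.168.2.2", "192.168.2.77", "10.0.0.1"):
        print(probe, "->", matching_groups(probe))
```

Because a rule is applied to every address a group covers, the strict parse is the check worth keeping: a typo that sets host bits in a CIDR entry turns a single-host exception into a subnet-wide one.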
Chapter 1: Linking Your Network to the Internet

...Base Station password, if necessary.
6. Click Internet in the toolbar, then click Internet Connection.
7. From the Connect Using pop-up menu, choose Ethernet.
8. From the Configure IPv4 pop-up menu, choose Using DHCP.
9. From the Connection Sharing pop-up menu, choose Off (Bridge Mode).
10. To change Base Station settings, click Update.
11. Open Server Admin and connect to the server.
12. Click Settings, then click Services.
13. Select the NAT checkbox.
14. Click Save.
15. Click the triangle at the left of the server. The list of services appears.
16. From the expanded Servers list, select NAT.
17. Click Overview, then click Gateway Setup Assistant.
18. Click Continue.
19. For your WAN (Internet) interface, designate Built-in Ethernet 1. For your LAN (sharing) interface, designate Built-in Ethernet 2.
Your LAN interface is the one connected to your local network. Computers on the LAN share the server's Internet connection through the server's WAN interface. If your server has more than one interface available (Ethernet port 2, Ethernet port 3, and so on), choose those you want to enable.
20. Choose whether to make this gateway a VPN entry point to your LAN.
If you enable VPN, you need a shared secret. A shared secret is a passphrase that users must provide to securely connect to the VPN gateway. It should be a long, random passphrase, not the password of any user or administrator on the gateway server. To set a ve
Chapter 5: Working with NAT Service

...IP</key>
<string>192.168.1.1</string>
<key>targetPortRange</key>
<string>600-1023</string>
<key>aliasIP</key>
<string>17.128.128.128</string>
<key>aliasPortRange</key>
<string>60-1023</string>
</dict>
</array>

Testing Port Forwarding Rules

After you configure port forwarding rules, you can test them by accessing the service from the public IP address of your NAT router. If you successfully access the service, you have properly configured and tested your port forwarding rule.

For example, if you have a website hosted on a computer with the private IP address 192.168.1.10, your NAT router has the public IP address 219.156.13.13, and a port forwarding rule forwards port 80 to 192.168.1.10, you would access the website by entering the public IP address (http://219.156.13.13) into your web browser. If your port forwarding rule is correct, the connection is forwarded to the computer hosting the website (192.168.1.10). Test from a host outside the NAT (for example, over a separate Internet connection): a connection from inside the LAN does not arrive on the WAN interface, so it does not exercise the rule.

Starting and Stopping NAT Service

You use Server Admin to start and stop NAT service on your default network interface. Starting NAT service does not start DHCP on the NAT interface, so you must manage LAN addressing separately. Starting NAT service is not the same as configuring a network segment as a NAT LAN. For NAT service to operate y
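The redirect_port block described in "To forward port traffic" and shown in XML above is awkward to hand-edit, so here is an added example, not Apple's code and not what natd itself runs, that builds and checks such a block with Python's plistlib before it would go into /etc/nat/natd.plist. It writes nothing to disk. The addresses are the guide's; the two checks are the ones a practitioner wants before restarting natd: a range is mapped port-for-port, so targetPortRange and aliasPortRange must be the same size (the guide's own sample pair, 600-1023 and 60-1023, is not, and one of the two is presumably a typo), and the guide's rule that the same public port can't be forwarded to two computers is enforced across all rules.

```python
"""Added example (not Apple's code): build and check the redirect_port block
that goes into /etc/nat/natd.plist. Nothing is written to disk; the sample
rules use the guide's addresses."""
import plistlib


def port_range(spec: str):
    """'80' -> (80, 80); '600-1023' -> (600, 1023). Rejects bad ranges."""
    lo, _, hi = spec.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not 1 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return lo_i, hi_i


def redirect_rule(proto, target_ip, target_ports, alias_ip, alias_ports):
    """One dict in the shape of the guide's XML, validated first."""
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be tcp or udp")
    t_lo, t_hi = port_range(target_ports)
    a_lo, a_hi = port_range(alias_ports)
    # A range is mapped port-for-port (alias lo -> target lo, and so on),
    # so the two ranges have to be the same size.
    if t_hi - t_lo != a_hi - a_lo:
        raise ValueError(
            f"targetPortRange {target_ports} and aliasPortRange {alias_ports} differ in size")
    return {
        "proto": proto,
        "targetIP": target_ip,
        "targetPortRange": target_ports,
        "aliasIP": alias_ip,
        "aliasPortRange": alias_ports,
    }


def public_port_map(rules):
    """Map (aliasIP, proto, port) -> targetIP for every public port the rules
    claim. The same public port can't be forwarded to two hosts, so a second
    rule claiming it for a different target is an error."""
    claimed = {}
    for r in rules:
        lo, hi = port_range(r["aliasPortRange"])
        for port in range(lo, hi + 1):
            key = (r["aliasIP"], r["proto"], port)
            if key in claimed and claimed[key] != r["targetIP"]:
                raise ValueError(f"{key} already forwarded to {claimed[key]}")
            claimed[key] = r["targetIP"]
    return claimed


def natd_plist(rules):
    """XML plist bytes for the redirect_port block, after cross-checking.
    sort_keys=False keeps the key order the guide shows."""
    public_port_map(rules)
    return plistlib.dumps({"redirect_port": list(rules)},
                          fmt=plistlib.FMT_XML, sort_keys=False)


if __name__ == "__main__":
    web = redirect_rule("tcp", "192.168.1.10", "80", "219.156.13.13", "80")
    print(natd_plist([web]).decode())
```

The output is only the redirect_port array; the rest of natd.plist (copied from natd.plist.default, as the procedure says) stays as it is, and /etc/nat/natd.conf.apple is still generated from the plist rather than edited.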
L2TP/IPSec

L2TP/IPSec uses strong IPSec encryption to tunnel data to and from network nodes. It is based on Cisco's L2F protocol. IPSec requires security certificates (self-signed or signed by a certificate authority such as VeriSign) or a predefined shared secret between connecting nodes. The shared secret must be entered on the server and on the client. The shared secret is not a user password, and it is not itself the key that protects the tunnel; it is a token the key-management daemons on each side use to trust each other before they negotiate the session keys. L2TP is Mac OS X Server's preferred VPN protocol because it has superior transport encryption and can be authenticated using Kerberos.

PPTP

PPTP is a commonly used Windows-standard VPN protocol. PPTP offers good encryption if strong passwords are used, and supports a number of authentication schemes. It uses the user-provided password to produce an encryption key, so the tunnel is only as strong as that password. By default, PPTP supports 128-bit (strong) encryption. PPTP also supports 40-bit (weak) encryption. PPTP is necessary if you have Windows clients with versions earlier than Windows XP, or if you have Mac OS X v10.2.x clients or earlier.

Authentication Method

Mac OS X Server L2TP VPN uses Kerberos v5 or Microsoft's Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) for authentication. Mac OS X Server PPTP VPN exclusively uses MS-CHAPv2 for authentication.

Kerberos is a secure authentication protocol
   - If you select Choose an existing certificate, choose the certificate you want to use from the pop-up menu and click Continue.
   - If you want to create a self-signed certificate, use Certificate Assistant. For more information, see Advanced Server Administration.
6. From the Available Base Stations list, select the Base Station you want and click Add.
7. Enter the password of the Base Station in the Base Station Password field, then click Add. If you want to remove a Base Station from the Selected Base Stations list, select it and click Remove.
8. Click Continue.
9. In the RADIUS Allow Users pane, you can restrict user access:
   - If you select Allow all users, all users will have access to the Base Stations you selected.
   - If you select Restrict to members of group, only users of a group can access the Base Stations you selected.
10. Click Continue.
11. In the RADIUS setting confirmation pane, verify that your settings are correct. You can also print or save your RADIUS configuration settings.
12. Click Confirm.

From the command line:

To view RADIUS settings:
sudo radiusconfig -appleversion | -getconfig | -getconfigxml | -nascount | -naslist | -naslistxml | -ver | -help | -q

To configure RADIUS parameters:
sudo radiusconfig -setconfig key value [key value ...]

Parameter   Description
key         The name of the key to configure in the radiusd.conf or eap.conf file.
value       The value of the key.

For info
Chapter 6: Working with VPN Service

...LAN. The following is an example of a linked computer configuration:
- User authentication: the user can authenticate with a name and password.
- Desired VPN type: L2TP.
- Shared secret: prDwkj49fd 254
- Internet or public IP address of the VPN gateway: gateway.example.com
- Private network IP address range and netmask: 192.168.0.0-192.168.0.255, also expressed as 192.168.0.0/24 or 192.168.0.0/255.255.255.0
- DHCP starting and ending addresses: 192.168.0.3-192.168.0.127
- Private network's DNS IP address: 192.168.0.2

The result of this configuration is a VPN client that can connect to a remote LAN using L2TP with full access rights.

Step 1: Configure VPN
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of servers appears.
3. From the expanded Servers list, select VPN.
4. Click Settings, then click L2TP.
5. Select the Enable L2TP over IPsec checkbox.
6. In the Starting IP address field, set the beginning IP address of the VPN allocation range. It can't overlap the DHCP allocation range, so enter 192.168.0.128.
7. In the Ending IP address field, set the ending IP address of the VPN allocation range. It can't overlap the DHCP allocation range, so enter 192.168.0.255. (On a /24 LAN, 192.168.0.255 is the subnet broadcast address; ending the range at 192.168.0.254 keeps it from being handed to a client.)
8. In the IPSec Authentication section, enter the shared secret (prDwkj49fd 254). The shared secret is a common password th
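The address plan above has three constraints that are easy to break when the numbers are typed into separate panes: the DHCP range and the VPN allocation range must both lie inside the private network, they must not overlap, and neither should hand out the gateway, the DNS server, or the subnet's network or broadcast address. Here is an added example, not part of the guide, that checks a plan with Python's ipaddress module; it is seeded with the guide's own values and flags the 192.168.0.255 ending address.

```python
"""Added example (not Apple's code): check that a VPN allocation range and a
DHCP range fit the private LAN and don't overlap, using the guide's example
values. `reserved` holds addresses such as the router and DNS server."""
import ipaddress


def addr_range(start: str, end: str):
    """Parse a start/end pair into IPv4Address objects, lowest first."""
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if e < s:
        raise ValueError(f"range end {end} is before start {start}")
    return s, e


def check_pools(subnet: str, dhcp, vpn, reserved=()):
    """Return a list of problems; an empty list means the plan is consistent.
    subnet: '192.168.0.0/24'; dhcp, vpn: (start, end) tuples of addresses."""
    net = ipaddress.IPv4Network(subnet, strict=True)
    pools = {"DHCP": addr_range(*dhcp), "VPN": addr_range(*vpn)}
    problems = []
    for name, (s, e) in pools.items():
        if s not in net or e not in net:
            problems.append(f"{name} range {s}-{e} is not inside {net}")
            continue
        if s == net.network_address:
            problems.append(f"{name} range starts at network address {s}")
        if e == net.broadcast_address:
            problems.append(f"{name} range ends at broadcast address {e}")
        for r in reserved:
            ra = ipaddress.IPv4Address(r)
            if s <= ra <= e:
                problems.append(f"{name} range contains reserved address {ra}")
    (ds, de), (vs, ve) = pools["DHCP"], pools["VPN"]
    if ds <= ve and vs <= de:            # closed intervals intersect
        problems.append("DHCP and VPN ranges overlap")
    return problems


# The guide's example plan: /24 LAN, DHCP .3-.127, VPN .128-.255,
# gateway at .1 and DNS server at .2.
GUIDE_PLAN = dict(
    subnet="192.168.0.0/24",
    dhcp=("192.168.0.3", "192.168.0.127"),
    vpn=("192.168.0.128", "192.168.0.255"),
    reserved=("192.168.0.1", "192.168.0.2"),
)

if __name__ == "__main__":
    print(check_pools(**GUIDE_PLAN))
```

Run against the guide's values it reports only the broadcast-address problem; change the VPN end to 192.168.0.254 and the list is empty.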
Mac OS X Server: Network Services Administration, Version 10.6 Snow Leopard

Apple Inc. © 2009 Apple Inc. All rights reserved.

The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or providing paid-for support services.

Every effort has been made to ensure that the information in this manual is accurate. Apple Inc. is not responsible for printing or clerical errors.

Apple, 1 Infinite Loop, Cupertino, CA 95014-2084, 408-996-1010, www.apple.com

Use of the "keyboard" Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.

Apple, the Apple logo, AirPort, AppleScript, AppleShare, AppleTalk, Bonjour, FireWire, iCal, iChat, iTunes, Snow Leopard, Mac, Macintosh, Mac OS, QuickTime, Xgrid, Xsan, and Xserve are trademarks of Apple Inc., registered in the U.S. and other countries. Finder is a trademark of Apple Inc. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. UNIX is a registered trademark of The Open Group. Other company and product names mentioned herein are t
- QTSS media streaming
- iTunes Music Sharing

Important: If you add or change a rule after starting Firewall service, the new rule affects connections already established with the server. For example, if you deny all access to your FTP server after starting Firewall service, computers connected to your FTP server are disconnected.

To configure firewall standard services:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Services.
5. From the "Editing Services for" pop-up menu, select an address group.
6. For the address group, choose to permit all traffic from any port or to permit traffic only on designated ports.
7. For each service you want the address group to use, select Allow. If you don't see the service you need, add a port and description to the services list. To create a custom rule, see "Configuring Advanced Settings" on page 96.
8. Click Save.

From the command line:

To view a setting:
sudo serveradmin settings ipfilter:<setting>

To view a group of settings:
sudo serveradmin settings ipfilter:ipAddressGroups:*
Enter as much of the name as you want, stopping at a colon, and then enter an asterisk as a wildcard for the remaining parts of the name.

To view all service configuration settings:
sudo serveradmin se
Chapter 3: Working with DNS Service

DNS Zones

DNS zones are managed using Server Admin. The following sections describe how to manage and modify DNS zones.

Adding a Primary Zone

Use Server Admin to add a primary zone to your DNS server.

To add a primary zone:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Click Add Zone, then choose Add Primary Zone (Master).
6. Select the new zone.
7. In the Primary Zone Name field, enter the zone name. This is the fully qualified domain name of the primary server.
8. Enter the mail address of the zone's administrator.
9. Select "Allows zone transfer" to permit secondary zones to get copies of the primary zone data. Enable it only if you operate secondary servers for the zone: a zone transfer hands out the complete zone contents.
10. Add nameservers for this zone by clicking the Add button and entering the name in the Nameservers field.
11. Add mail exchangers for this zone by clicking the Add button and entering the name in the Mail Exchangers field. This field is the basis for the computer's MX record. In the Priority field, specify a mail server precedence number; delivering mail servers try lower-numbered mail servers first. For more information, see "Configuring DNS for Mail Service" on page 77.
12. Click Expiration and enter the number of hours for each setting:
   - Enter the amount of time
A VPN consists of computers or networks (nodes) connected by a private link of encrypted data. This link simulates a local connection, as if the remote computer were attached to the local area network (LAN).

VPNs securely connect users working away from the office (for example, at home) to the LAN through a connection such as the Internet. From the user's perspective, the VPN connection appears as a dedicated private link.

VPN technology can also connect an organization to branch offices over the Internet while maintaining secure communications. The VPN connection across the Internet acts as a wide area network (WAN) link between the sites.

VPNs have several advantages for organizations whose computer resources are physically separated. For example, each remote user or node uses the network resources of its Internet service provider (ISP) rather than having a direct wired link to the main location.

VPN and Security

VPNs stress security by requiring strong authentication of identity and encrypted data transport between the nodes, for data privacy and dependability. The following sections contain information about each supported transport and authentication method.

Transport Protocols

There are two encrypted transport protocols: Layer Two Tunneling Protocol, Secure Internet Protocol (L2TP/IPSec) and Point-to-Point Tunneling Protocol (PPTP). You can enable either or both protocols. Each has its own strengths and requirements.

L2TP
...Parameters for Network Services."

For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.

Chapter 2: Working with DHCP Service

Deleting Subnets from DHCP Service

You can delete subnets and subnet IP address ranges so they are no longer distributed to computers.

To delete subnets or address ranges:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets.
5. Select a subnet.
6. Click the Delete button.
7. Click Save.
If DHCP is running, you are prompted to restart DHCP for your change to take effect. Otherwise, your changes take effect the next time you start DHCP.

Disabling Subnets Temporarily

You can temporarily shut down a subnet without losing its settings. No IP addresses from the subnet's range are distributed on the selected interface to any computer until you reenable the subnet.

To disable a subnet:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets.
5. Deselect the Enable checkbox next to the subnet you want to disable.
6. Click Save.
If DHCP is running, you are prompted to restart DHCP for your change to take effect. Otherwise, your changes take effect the next t
Any service or device that supports Multicast DNS permits the use of a user-defined namespace on your local subnet without setting up and configuring DNS.

Network Load Distribution (Round Robin)

BIND permits simple load distribution using an address-shuffling method known as round robin. You set up a pool of IP addresses for several hosts mirroring the same content, and BIND cycles the order of these addresses as it responds to queries. Round robin can't monitor current server load or processing power; it only cycles the order of an address list for a given host name.

You enable round robin by adding multiple IP address entries for a given host name. For example, suppose you want to distribute web server traffic between three servers on your network that all mirror the same content. The servers have the IP addresses 192.168.12.12, 192.168.12.13, and 192.168.12.14. You would add three machine records, one for each IP address, all with the same host name.

When DNS service encounters multiple entries for one host, its default behavior is to answer queries by sending the list in a cycled order. The first request gets the addresses in the order A, B, C; the next request gets the order B, C, A; then C, A, B; and so on. A resolver that caches the answer keeps using the first address it was given until the record's time to live expires, so a long TTL pins each client to one server; to mitigate the effects of local caching, make the zone's time to live (TTL) fairly short.

Hosting Several Internet Services with a Single IP Address

You can have o
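To make the TTL point concrete, here is an added example (not part of the guide, and not BIND) that models a round-robin answer for one host name with the guide's three mirror addresses, plus a client-side cache that honours the TTL. A simple counter stands in for the clock. With a long TTL every lookup from the same client lands on the same mirror; with a short one the load spreads across all three.

```python
"""Added example (not Apple's code): a round-robin answer list for one
hostname and a caching client, to show why the guide recommends a short TTL.
The three addresses are the guide's; the clock is a plain counter of seconds."""
from collections import deque

MIRRORS = ["192.168.12.12", "192.168.12.13", "192.168.12.14"]


class RoundRobinName:
    """Cycles the address order on every answer, as the guide describes BIND doing."""

    def __init__(self, addresses, ttl):
        self.addresses = deque(addresses)
        self.ttl = ttl

    def answer(self):
        """Return (addresses in current order, ttl) and rotate for next time."""
        ordered = list(self.addresses)
        self.addresses.rotate(-1)          # A B C -> B C A -> C A B -> ...
        return ordered, self.ttl


class CachingResolver:
    """Reuses an answer until its TTL runs out, like a local resolver cache."""

    def __init__(self, name: RoundRobinName):
        self.name = name
        self.cached = None                 # (addresses, expires_at)

    def pick(self, now: int) -> str:
        """Address a client would connect to at time `now` (first in the list)."""
        if self.cached is None or now >= self.cached[1]:
            addresses, ttl = self.name.answer()
            self.cached = (addresses, now + ttl)
        return self.cached[0][0]


def servers_hit(ttl: int, queries: int, interval: int = 1):
    """Which mirror a client picks on each of `queries` lookups, `interval`
    seconds apart, with the given zone TTL."""
    resolver = CachingResolver(RoundRobinName(MIRRORS, ttl))
    return [resolver.pick(i * interval) for i in range(queries)]


if __name__ == "__main__":
    print("TTL 3600:", servers_hit(3600, 6))   # one mirror takes every request
    print("TTL 1:   ", servers_hit(1, 6))      # load spreads across the three
```

Real resolvers sit behind further caches (the client's own, the ISP's), each of which applies the same TTL logic, so the pinning effect compounds and a short TTL is what keeps the rotation visible downstream.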
Supporting IPv6
IPv6-Enabled Services
Support for IPv6 Addresses in Server Admin
IPv6 Addresses
IPv6 Notation
IPv6 Reserved Addresses
IPv6 Addressing Model
IPv6 Address Types
Creating an IPv4-to-IPv6 Gateway
Where to Find More Information About IPv6

Appendix: Command-Line Parameters for Network Services
DHCP Service Settings
DHCP Subnet Settings Array
About Subnet IDs
About Static Map IDs
Viewing the Location of the DHCP Service Log
DNS serveradmin Commands
Firewall Service Settings
Firewall serveradmin Commands
Using ipfilter Groups with the Rules Array
ipfilter Rules Array
NAT Service Settings
NAT serveradmin Commands
VPN Service Settings
VPN serveradmin Commands
RADIUS Settings
Transport Level Security
RADIUS Clients
Enabling PPP Dial-In Service
Restoring the Default Configuration for Server Services
Index

Preface: About This Guide

This guide explains how to configure and administer Mac OS X Server network services. Mac OS X Server version 10.6 includes several network services that help you manage and maintain your network.

What's New in Network Services

Network services offers the ability to configure a Mobile Access Server for your Address Book, Mail, Web, and iCal servers.

What's in This Guide

This guide includes the following sections:
- Chapter 1, "Linking Your Network to the Int
To view logs:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Log and use the Filter field above the log to search for specific entries.

From the command line:

To view the latest entries in a log:
tail <log-file>

To display the log path:
sudo serveradmin command dns:command = getLogPaths
The default log path is /Library/Logs/named.log.

For information about tail and serveradmin, see their man pages. For the basics of command-line tool usage, see Introduction to Command-Line Administration.

Changing DNS Log Detail Levels

You can change the detail level of the DNS service log. You might want a highly detailed log for debugging, or a less detailed log that only shows critical warnings.

To change the log detail level:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Settings.
5. Choose the detail level from the Log Level pop-up menu as follows:
   - Choose Critical to record only critical errors, such as hardware errors.
   - Choose Error to record errors, not including warning messages.
   - Choose Warning to record warnings and errors.
   - Choose Notice to record only important messages, warnings, and errors.
   - Choose Information to record most mess
...X Server between the Base Station and the Internet. To take advantage of the gateway's features, you use the Base Station as a bridge between your wireless clients and the gateway. Each client connects to the Base Station, and the Base Station sends network traffic through the gateway.

Wireless clients must be able to connect to the AirPort Base Station's wireless network to be linked to the gateway. After this process, computers connected to the AirPort Base Station:
- Can get IP addresses and network settings configured using DHCP.
- Can access the Internet if the gateway is connected to the Internet.
- Can't be accessed by unauthorized network connections originating from the wired connection to the Internet.
- Can be accessed over the Internet by authorized VPN clients, if VPN is configured.
- Can benefit from DNS lookup caching in the gateway, which speeds DNS resolution.

To connect a wired LAN and wireless clients to the Internet:
1. Plug the connection to the Internet into the Ethernet 1 (en0) port.
2. Connect the AirPort Base Station port (the WAN port, if there are two) to the Ethernet 2 (en1) port.
3. Using AirPort Utility, configure the Base Station to connect using Ethernet and to get its address using DHCP. You can open it from the /Applications/Utilities folder.
4. Select a Base Station and then choose Manual Setup from the Base Station menu.
5. Enter the
...X.Y.Z on site 1's gateway and A.B.C.D on site 2's gateway.
6. Enter s for shared-secret authentication and enter the shared secret (prDwkj49fd 254). If you are using certificate authentication, enter c and choose the installed certificate that you want to use.
7. Enter at least one addressing policy for the configuration.
8. Enter a local subnet network address (for example, 192.168.0.0 for site 1 and 192.168.20.0 for site 2).
9. For the address range, enter the prefix bits in CIDR notation. In this example the local subnet is 192.168.0.0/24 for site 1, so you would enter 24.
10. Enter a remote subnet network address (for example, 192.168.20.0 for site 1 and 192.168.0.0 for site 2).
11. For the address range, enter the prefix bits in CIDR notation. In this example the remote subnet is 192.168.20.0/24 for site 1, so you would enter 24.
12. If you want to make more policies, indicate it now; otherwise, press Return. If you had more sites to connect, or a more complex address setup linking only parts of your main LAN and the remote LAN, you would make more policies for this configuration now. Repeat steps 7 through 12 for the new policies.
13. Press y to enable the site configuration. You can verify your settings by choosing to show the configuration details of the server and entering the configuration name (in this example, site_1).
14. Exit s2svpnadmin.
...a specific IP address behind the NAT gateway. This is called port forwarding. Port forwarding lets you set up computers on the internal network that handle incoming connections without exposing other computers to outside connections. For example, you could set up a web server behind NAT service and forward incoming TCP connection requests on port 80 to the designated web server. You can't forward the same port to multiple computers, but you can forward many ports to one computer.

Enabling port forwarding requires the use of the Terminal application and administrator access to root privileges through sudo. You must also create a plist file. The contents of the plist file are used to generate /etc/nat/natd.conf.apple, which is passed to the NAT daemon when it is started. Do not try to edit /etc/nat/natd.conf.apple directly. If you use a plist editor instead of a command-line text editor, alter the following procedure to suit.

To forward port traffic:
1. If the file /etc/nat/natd.plist doesn't exist, make a copy of the default NAT daemon plist:
sudo cp /etc/nat/natd.plist.default /etc/nat/natd.plist
2. Using a Terminal editor, add the following block of XML text to /etc/nat/natd.plist before the two lines at the end of the file (</dict> and </plist>), substituting your settings where indicated by italics:
<key>redirect_port</key>
<array>
<dict>
<key>proto</key>
...admin, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.

Changing Subnet Settings in DHCP Service

Use Server Admin to change DHCP subnet settings. You can change the IP address range, subnet mask, network interface, router, or lease time.

To change subnet settings:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets.
5. Select a subnet.
6. Make the changes you want. These changes can include adding DNS, LDAP, or WINS information. You can also redefine address ranges or redirect the network interface that responds to DHCP requests.
7. Click Save.
If DHCP is running, you are prompted to restart DHCP for your change to take effect. Otherwise, your changes take effect the next time you start DHCP.

From the command line:

To change a DHCP setting:
sudo serveradmin settings dhcp:<setting> = <value>

To change several DHCP settings:
sudo serveradmin settings
dhcp:<setting> = <value>
dhcp:<setting> = <value>
dhcp:<setting> = <value>
Control-D

To view all DHCP settings:
sudo serveradmin settings dhcp

Parameter   Description
setting     A DHCP service setting.
value       A relevant value for the setting.

For information about setting DHCP subnet parameters, see "Command-Line
...ages.
   - Choose Debug to record all messages.
6. Click Save.

Viewing DNS Service Statistics

To view a summary of the DNS service workload, use the serveradmin getStatistics command.

To view statistics:
Enter the following from the command line in Terminal:
sudo serveradmin command dns:command = getStatistics

The computer responds with output similar to the following:
dns:queriesArray:_array_index:0:name = "NS_QUERIES"
dns:queriesArray:_array_index:0:value = <n>
dns:queriesArray:_array_index:1:name = "A_QUERIES"
dns:queriesArray:_array_index:1:value = <n>
dns:queriesArray:_array_index:2:name = "CNAME_QUERIES"
dns:queriesArray:_array_index:2:value = <n>
dns:queriesArray:_array_index:3:name = "PTR_QUERIES"
dns:queriesArray:_array_index:3:value = <n>
dns:queriesArray:_array_index:4:name = "MX_QUERIES"
dns:queriesArray:_array_index:4:value = <n>
dns:queriesArray:_array_index:5:name = "SOA_QUERIES"
dns:queriesArray:_array_index:5:value = <n>
dns:queriesArray:_array_index:6:name = "TXT_QUERIES"
dns:queriesArray:_array_index:6:value = 1
dns:nxdomain = 0
dns:nxrrset = 0
dns:reloadedTime =
dns:success = 0
dns:failure = 0
dns:recursion = 0
dns:startedTime = "2003-09-10 11:24:03 -0700"
dns:referral = 0

For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.

Stopping DNS Service

Use Server A
...mail or web, for several domain names. For example, the domain name www.example.com can resolve to the same IP address as www.server.org. The domains appear as separate servers, but they are all one server at one IP address. Setting up DNS records for this service is easy: add a DNS zone and then add host names and server information to that zone. Setting up DNS names for these services does not enable or configure the service for the domain names. This configuration is used with virtual domain hosting in mail and web services.

Configuring a Client to Use Your DNS Server

You can configure clients to use a DNS server to convert Internet names to IP addresses, so you don't need to know the IP address of a server you are trying to reach.

To configure a DNS server on a client:
1. Choose Apple > System Preferences and then click Network.
2. Select the network connection service you use to connect to the Internet, such as Ethernet, from the services list.
3. Enter the IP address of the primary DNS server you want to use in the DNS Server field. You can enter addresses for several servers by entering a comma between the addresses. To find out which DNS server you should be using, check with your network administrator. DNS server addresses can also be provided automatically by DHCP service. For more information about DHCP service, see "Setting Up DHCP Service" on page 29.

Assigning IP Addresses Dynamically
Appendix: Command-Line Parameters for Network Services

Firewall Service Settings

To change settings for the ipfilter service, use the following parameters with the serveradmin tool.

Parameter (ipfilter:)                          Description
ipAddressGroupsWithRules:_array_id:<group>     An array of settings describing the services allowed for specific IP address groups.
rules:_array_id:<rule>                         Arrays of rule settings, one array per defined rule.
logAllDenied                                   Whether to log all denials. Default: no.
ipAddressGroups:_array_id:<n>:address          The address of a defined IP address group; the first element of an array that defines an IP address group.
ipAddressGroups:_array_id:<n>:name             The name of a defined IP address group; the second element of an array that defines an IP address group.
logAllAllowed                                  Whether to log access allowed by rules. Default: no.

Firewall serveradmin Commands

To manage Firewall service, use the following commands with the serveradmin tool.

Command (ipfilter:command =)   Description
getLogPaths                    Find the location of the log used by the service. Default: /var/log/system.log.
getStandardServices            Retrieve a list of standard services as they appear on the General pane of Firewall service settings in Server Admin.
writeSettings                  Equivalent to the standard serveradmin settings command, but also returns a set
sudo radiusconfig -installcerts private_key certificate [trusted_ca_list [yes|no [common_name]]]

Parameter         Description
private_key       The file path to the private key that matches the certificate.
certificate       The file path to the certificate.
trusted_ca_list   The file path to the trusted CA list.
yes               A request to check a certificate revocation list.
no                A request to not check a certificate revocation list.
common_name       The common name.

This command changes eap.conf to contain an active TLS section and configures the certificates. This command also replaces the random file and creates the dh file if it is absent.

For information about radiusconfig, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.

Chapter 7: Working with RADIUS

Archiving RADIUS Service Logs

RADIUS service creates entries in the system log for error and alert messages. You can archive these log entries.

To archive logs:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Settings.
5. Select the "Archive radiusd log for the past __ days" checkbox and enter the number of days you want to archive.
6. Click Save.

From the command line:

To configure the rotation of RADIUS service logs:
sudo radiusconfig -rotatelog -n file_count base_file

To configure the automatic rotation of RADIUS service lo
...named folder, remove the separate files for each reverse zone (named similar to db.10.1.0). Do not remove the localhost zone files (named.ca or named.local).

To restore VPN service to its default:
Rename the com.apple.RemoteAccessServers.plist file in the /Library/Preferences/SystemConfiguration folder.

To restore SERVERMGR_MAIL service to its default:
Rename these files:
- /etc/MailServicesOther.plist
- /var/mailman/data/listinfo.plist

Index

A
access: ACLs 153; Firewall service 109, 110, 112; LDAP 36, 46, 141, 155; RADIUS 175; VPN 153, 161; web service 109, 110; wireless users 168
ACLs (access control lists) 153. See also access
adaptive firewall 104
Address Book 185
addresses. See IP addresses
AirPort Base Station: DHCP 28; Internet connection 19; RADIUS 168, 169, 171, 172, 175, 176, 177. See also RADIUS
aliases: email 53; zone record 71

C
certificates 140, 141, 162, 172
CIDR (Classless InterDomain Routing) notation 87
clients: DHCP, list of 42; home-to-network connections 159; IP addresses for 47, 48; NTP configuration 179; RADIUS 211; VPN 141, 149, 159, 161, 166; wireless 19, 21, 175, 177. See also users
CNAME (Canonical Name) 51
coffee shop configuration 45
command-line tools: DHCP 46, 199; DNS 203; Firewall service 95, 97, 101, 106, 107, 203; IP forwarding 85, 106; IPv6 support 196, 197; NAT 126, 131, 132, 205; RADIUS 170, 173, 174, 210

antivirus tools. See virus screeni
96. angle at the left of the server. The list of services appears.
  From the expanded Servers list, select DNS.
  Click Zones.
  Click Add Zone, then choose Add Secondary Zone (Slave).
  Select the new zone.
  In the Secondary Zone Name field, enter a zone name. The zone name is the same as the primary zone defined on the primary name server.
  Below the Primary DNS Servers list, click the Add button.
  Enter the IP addresses for each primary server in this secondary zone.
  Click Save.
Configuring DNS Service Bonjour Settings
With Bonjour, you can easily connect a computer or other device to an existing wired or wireless Ethernet network, or you can create instant networks of multiple devices without additional network configuration. If your computer or devices support Bonjour, they broadcast and discover services from other computers or devices using Bonjour. You can quickly and easily network computers and devices that support Bonjour.
Chapter 3 Working with DNS Service
Bonjour requires no configuration for computers or devices on your local subnet. All devices that are on the same subnet, support Bonjour, and have it turned on find each other. However, to provide Bonjour browsing across subnets or on the Internet, you must set up a dedicated Bonjour browse domain that allows Bonjour-supported devices to locate services from anywhere on the Internet. Using Server Admin, you can designate any domain you set up in
97. asis for the TXT record of the computer. You can store up to 255 ASCII characters in the comments text box. You can include the physical location of the computer (for example, "Upstairs server closet B"), the computer's owner (for example, "John's Computer"), or any other information about the computer.
  Click Save.
  To add other names that you want this computer to have, click Add Record and choose Add Alias (CNAME). Add as many aliases as you want for your server.
  In the Alias Name field, enter the alternate name for your computer. If you want to use the fully qualified name for the Alias, select the Fully Qualified checkbox and enter the fully qualified domain name. This field is the basis for the CNAME records of the computer. Reverse lookup (pointer) records are created for the computer.
  In the Destination field, enter the computer name you are creating the alias for. If you want to use the fully qualified name for the Destination, select the Fully Qualified checkbox and enter the fully qualified domain name.
  Click Save.
  From the expanded Servers list, select Mail.
  Click Settings, then click Advanced.
  Click Hosting.
  Click the Add button next to the Local Host Aliases field.
  In the Local Host Alias field, enter the alias name you created earlier.
  Click OK, then click Save.
  Repeat Steps 7 through 22 for each mail server.
Setting Up Namespace Behind a NAT Gateway
If you're behind a NAT gateway, you have a set of IP address
98. at authenticates members of the cluster. IPSec uses the shared secret as a preshared key to establish secure tunnels between the cluster nodes.
  Click Save.
  Click Client Information.
  In the DNS Server field, enter the IP address of the internal LAN DNS server (192.168.0.2).
  Leave routing definitions empty. All traffic from the client will go through the VPN tunnel.
  Click Save.
  Click Start VPN below the Servers list.
Step 2: Configure the firewall
  Create an address group for the VPN allocation range. For more information, see "Creating an Address Group" on page 98.
  Open the firewall to external VPN connections by enabling L2TP connections in the "any" address group. For more information, see "Configuring Services Settings" on page 94.
  Configure the firewall for the VPN address group, permitting or denying ports and services as needed.
  Save your changes.
  Start or restart the firewall.
Step 3: Configure the client
This example is of a Mac OS X client using Network preferences.
  Open System Preferences, then click Network.
Chapter 6 Working with VPN Service
  Click the Add button at the bottom of the network connection services list, and then choose VPN from the Interface pop-up menu.
  From the VPN Type pop-up menu, choose L2TP over IPSec.
  In the Service Name field, enter a VPN service name, then click Create.
  In the Server Address field, enter the DNS name or IP address.
  • Server Ad
99. ata over the Internet and can provide a checkpoint for extra security measures, including a more restrictive password policy, aggressive firewall rules, signed certificates, and application-layer content filtering.
Using SSL with Mobile Access Server
When configuring your proxy server, you must use a certificate to ensure that your data transfers are encrypted using SSL. SSL uses a Public Key Infrastructure (PKI) to create and manage certificates used by SSL-enabled services.
There are two methods to use certificates for proxied services. The first is to have unique certificates for each proxied service. The second is to have a single wildcard certificate shared by all proxied services.
On the origin server, you also have two methods for implementing certificates. The first method is to use the same certificate used for the proxied service on the proxy server. If the proxy server uses a wildcard certificate for all proxied services, you can also use the wildcard certificate on the origin server. The second method is to use a unique certificate for your origin server.
For more information about creating and using certificates, see Advanced Server Administration.
About Proxied Authentication Mechanisms
When determining which types of authentication you should use for your Mobile Access server, make sure the origin server and the Mobile Access server use the same authentication mechanisms. Mobile Access server does not support Kerberos authentica
100. because your network's computer names and addresses are accessible to an outside organization (your ISP).
Mac OS X Server uses Berkeley Internet Name Domain (BIND) v9.4.1 for its implementation of DNS protocols. BIND is an open source implementation and is used by most name servers on the Internet.
DNS Zones
Zones are the basic organizational unit of DNS. Zones contain records and are defined by how they acquire those records and how they respond to DNS requests. There are three basic zones:
  • Primary
  • Secondary
  • Forward
Other kinds of zones are not covered here.
Primary Zones
A primary zone has the master copy of the zone's records and provides authoritative answers to lookup requests.
Secondary Zones
A secondary zone is a copy of a primary zone and is stored on a secondary name server. It has the following characteristics:
  • Each secondary zone has a list of primary servers that it contacts for updates to records in the primary zone. Secondaries must be configured to request the copy of the primary zone data. Secondary zones use zone transfers to get copies of the primary zone data.
  • Secondary name servers can take lookup requests like primary servers. By using several secondary zones linked to one primary, you can distribute DNS query loads across several computers and make sure that lookup requests are answered if the primary name server is down.
Secondary zones also have a refresh interval. This i
101. c attacks based on those services. This is reconnaissance before another attack.
To defend against this attack, specify which IP addresses have permission to request zone transfers (your secondary zone servers) and deny all others. Zone transfers are accomplished over TCP on port 53. To limit zone transfers, block zone transfer requests from anyone but your secondary DNS servers.
To specify zone transfer IP addresses: Create a firewall filter that permits only IP addresses that are inside your firewall to access TCP port 53. Follow the instructions in "Configuring Advanced Firewall Rules" in Chapter 4, "Working with Firewall Service," using the following settings:
  • Packet: Allow
  • Port: 53
  • Protocol: TCP
  • Source IP: the IP address of your secondary DNS server
  • Destination IP: the IP address of your primary DNS server
DNS Service Profiling
Another common reconnaissance technique used by malicious users is to profile your DNS service. First, a hacker makes a BIND version request. The server reports what version of BIND is running. Then the hacker compares the response to known exploits and vulnerabilities for that version of BIND.
To defend against this attack, configure BIND to respond with something other than what it is.
To alter BIND's version response: Open a command-line text editor (for example, vi, emacs, or pico). Open named.conf for editing. To the options brac
102. ccept in the text filter box.
Practical Firewall Examples
The firewall rules you set up work together to provide security for your network. The examples that follow show how to use rules to achieve specific goals.
Using Firewall with NAT
You must enable the firewall to use NAT. Enabling NAT creates a divert rule in the firewall configuration. Although Server Admin permits NAT service and Firewall service to be enabled and disabled independently, NAT service can operate only if both NAT and Firewall services are enabled.
An essential part of NAT is the packet divert rule used in the firewall. The firewall rule you set up instructs the firewall how to route network traffic coming from the network behind the NAT gateway. When you have a LAN behind a NAT gateway, you must create or know the address group that corresponds to the LAN. For detailed information about setting up a NAT LAN, see "Linking a LAN to the Internet Through One IP Address" on page 133.
Blocking Web Access to Internet Users
This section describes how you can permit users on your subnet to access your server's Web service and deny access to the general public on the Internet. For this example, the local network has a private IP address range of 10.0.1.1 to 10.0.1.254, and the server Web service is at 10.0.2.1 on the server's en2 port.
Chapter 4 Working with Firewall Service
To block web access using an advanced rule: In Serve
103. ce 87; groups 93, 98, 99; Internet sharing 80, 81; IPv6 protocol 195, 196, 197, 198; lease times 27, 35; multiple 90; NAT 79, 133; port forwarding 127, 128, 130; ranges of 87; recursion 66; round robin 80; static 25, 27, 39, 40, 48; VPN 27, 142; wildcards in 87
IP forwarding 85, 106
IP masquerading: See NAT
IPFilter service: See Firewall service
ipfw tool 85, 105, 106
ipfw.conf file 102
IPSec (IP security) 140, 143, 162
IPv6 protocol 90, 195, 196, 197, 198
ISP (Internet service provider) 49, 53, 139
J
junk mail screening 111
K
Kerberos 140, 141
L
L2TP/IPSec (Layer Two Tunneling Protocol/Secure Internet Protocol) 140, 141, 143, 162
LANs (local area networks) 18, 19, 139, 162, 194; See also NAT
Layer Two Tunneling Protocol/Secure Internet Protocol (L2TP/IPSec): See L2TP/IPSec
LDAP (Lightweight Directory Access Protocol) service 36, 46, 141, 155
lease times, DHCP 27, 35
link-local addressing 52
load distribution 80
local area networks: See LANs
logs: DHCP 31, 42, 203; DNS 61, 63, 64; Firewall service 96, 107, 108, 109, 110; Mobile Access service 191; NAT service 132; RADIUS 173, 175; VPN 150, 158
M
MAC address 39
Mac OS X Server, configuration file changes 54, 57
machine records 51, 71
mail exchanger: See MX
mail service: aliases, email 53; default configuration 213; DNS 77, 78; junk mail screening 111; Mobile Access 187; virus management 114
Mobile Access service: introduction 181; logs 191; monitoring 190; setup 184, 1
104. computers on the network can be managed with an LDAP or Open Directory server, getting their network configuration information from DHCP. The computing environment is also centrally configured for all computers. New computers can be added or swapped out with minimal effort.
Chapter 2 Working with DHCP Service
Coffee Shop Configuration
The coffee shop configuration is an example configuration for a dynamic addressing environment, one that requires no user management and provides no services other than web access, DNS access, or other service. This example is characterized by lots of mobile users who pass through, use the Internet access, and move on. This configuration can easily be used in situations like a college commons wireless network or a wired courtesy office for visiting consultants.
WARNING: If you host temporary, unauthenticated users, make sure sensitive information on your LAN is protected behind a firewall on another network.
To use DHCP in this setting, you must have a working firewall configured for web access (outbound traffic) and DNS (outbound lookups) only. You might need to place this network outside your firewall and make sure the network traffic of the DHCP-allocated IP addresses is strictly controlled and monitored. For more information, see Chapter 4, "Working with Firewall Service."
In this example, you might want to configure DHCP service like this:
  • Make networking configuration automatic. Set DHCP clients t
105. create multiple alias IP addresses, the rules you create apply to all of those IP addresses.
Editing IPv6 Firewall Rules
When you configure and use Firewall service in Server Admin, by default ipfw and ip6fw are started. However, all IPv6 traffic except for local traffic is blocked. You can override the IPv6 rules by using the ip6fw tool, but after Firewall service or the server is restarted, your rules are overwritten.
Using Server Admin, you can control how a firewall manages the IPv6 firewall with the following two keys in the /etc/ipfilter/ip_address_groups.plist file:
  <key>IPv6Mode</key>
  <string>DenyAllExceptLocal</string>
  <key>IPv6Control</key>
  <true/>
The IPv6Mode key allows you to control which IPv6 rules are applied. There are three possible settings for the IPv6Mode string:
  • DenyAllExceptLocal
  • DenyAll
  • NoRules
By default, the IPv6Mode key has the string set to DenyAllExceptLocal. This setting applies the following rules, which deny all IPv6 traffic but permit local network traffic:
  add 1 allow udp from any to any 626
  add 1000 allow all from any to any via lo0
  add 1100 allow all from any to ff02::/16
  65000 deny ipv6 from any to any
If you set the IPv6Mode string to DenyAll, only the following rule is applied, blocking all IPv6 traffic:
  65000 deny ipv6 from any to any
If you set the IPv6Mode string to NoRules, no rules are created for IPv6. If your network
106. d in order to fully configure your network services to your specifications. You can get these guides in PDF format from the Mac OS X Server Resources website at www.apple.com/server/macosx/resources.
Getting Started: Covers basic installation, setup, and management of network services using Server Preferences.
Server Preferences Help: Provides onscreen instructions and answers when you're using Server Preferences to manage network services.
Information Technologies Dictionary: Provides onscreen definitions of server and network services terminology.
Introduction to Command-Line Administration: Explains how to use UNIX shell commands to configure and manage servers and services.
User Management: Describes using Workgroup Manager to add users to Open Directory.
Network Services Administration: Describes advanced options for setting up, configuring, and managing DNS, DHCP, firewall, NAT, NFS, NTP, RADIUS, VPN, and Mobile Access services.
Open Directory Administration: Explains how to set up Open Directory to authenticate users of network services.
Preface About This Guide
Advanced Server Administration: Describes using Server Admin to install, configure, and administer server software and services. Includes best practices and advice for system planning, security, backing up, and monitoring.
Server Admin Help: Provides onscreen instructions and answers when you're using Server Admin to se
107. d A record for a bank could point a computer user's browser to a different IP address that is controlled by the hacker. A duplicate website could fool users into giving their bank account numbers and passwords to the hacker.
Also, a falsified mail record could enable a hacker to intercept mail sent to or from a domain. If the hacker then forwards that mail to the correct mail server after copying the mail, this can go undetected.
  • Prevent proper domain name resolution and access to the Internet. This is the most benign of DNS spoof attacks. It merely makes a DNS server appear to be malfunctioning.
The most effective method to guard against these attacks is vigilance. This includes maintaining up-to-date software and auditing DNS records regularly. If exploits are found in the current version of BIND, the exploits are patched and a security update is made available for Mac OS X Server. Apply all such security patches. Regular audits of your DNS records can help prevent these attacks.
Server Mining
Server mining is the practice of getting a copy of a complete primary zone by requesting a zone transfer. In this case, a hacker pretends to be a secondary zone to another primary zone and requests a copy of the primary zone's records. With a copy of your primary zone, the hacker can see what kinds of services a domain offers and the IP addresses of the servers that offer them. He or she can then try specifi
108. ddress groups.
To duplicate an address group:
  Open Server Admin and connect to the server.
  Click the triangle at the left of the server. The list of services appears.
  From the expanded Servers list, select Firewall.
  Click Settings, then click Address Groups.
  From the IP Address Groups list, select the group name.
  Below the IP Address Groups list, click the Duplicate button.
  Make the required modifications and click OK.
  Click Save.
Adding to the Services List
You can add custom ports to the Services list. This enables you to open specific ports to address groups without creating an advanced IP rule.
To add to the Services list:
  Open Server Admin and connect to the server.
  Click the triangle at the left of the server. The list of services appears.
  From the expanded Servers list, select Firewall.
  Click Settings, then click Services.
  Below the services list, click the Add button.
  Enter a rule name for the service.
  Enter a single port (for example, 22) or a port range (for example, 650-750).
  Choose a protocol. If you want a protocol other than TCP or UDP, use the Advanced settings to create a custom rule.
  Click OK.
  Click Save.
Editing or Deleting Items in the Services List
You can remove or edit the ports in the Services list. This enables you to customize service choices for ease of configuration.
To change the Services list:
  Open Server Admin and connect to the serve
109. destination of traffic governed by the rule.
  rules:_array_id:<rule>:action: The action to be taken.
  rules:_array_id:<rule>:enabled: Whether the rule is enabled.
  rules:_array_id:<rule>:log: Whether activation of the rule is logged.
  rules:_array_id:<rule>:readOnly: Whether read-only is set.
  rules:_array_id:<rule>:source-port: The source port of traffic governed by the rule.
NAT Service Settings
To change settings for NAT service, use the following parameters with the serveradmin tool:
  nat:deny_incoming: yes|no. Default: no
  nat:log_denied: yes|no. Default: no
  nat:clamp_mss: yes|no. Default: yes
  nat:reverse: yes|no. Default: no
  nat:log: yes|no. Default: yes
  nat:proxy_only: yes|no. Default: no
  nat:dynamic: yes|no. Default: yes
  nat:use_sockets: yes|no. Default: yes
  nat:interface: The network port. Default: en0
  nat:unregistered_only: yes|no. Default: no
  nat:same_ports: yes|no. Default: yes
NAT serveradmin Commands
To manage NAT service, use the following commands (nat:command) with the serveradmin tool:
  getLogPaths: Find the location of the log used by NAT service.
  updateNATRuleInIpfw: Update the firewall rules defined in the ipfilter service to reflect changes in NAT settings.
  writeSettings: Equivalent to the standard serveradmin settings command, but also returns
110. dmin to stop DNS service.
To stop DNS service:
  Open Server Admin and connect to the server.
  Click the triangle at the left of the server. The list of services appears.
  From the expanded Servers list, select DNS.
  Click Stop DNS below the Servers list.
  Click Stop Now. The service might take a few seconds to stop.
From the command line: To stop the service: sudo serveradmin stop dns. For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.
Enabling or Disabling Zone Transfers
In DNS, zone data is replicated among authoritative DNS servers by means of zone transfers. Secondary DNS servers (secondaries) use zone transfers to acquire their data from primary DNS servers (primaries). You must enable zone transfers if you want to use secondaries.
To enable or disable zone transfers:
  Open Server Admin and connect to the server.
  Click the triangle at the left of the server. The list of services appears.
  From the expanded Servers list, select DNS.
  Click Zones.
  Select the primary zone you want to change.
  Click General.
  Select or deselect "Allows zone transfer" to permit secondary zones to get copies of the primary zone data.
  Click Save.
Enabling Recursion
Recursion fully resolves domain names into IP addresses. Applications depend on the DNS server to perform this
111. dress: gateway.example.com; Account Name: <the user's short name>.
  Click Authentication Settings and enter the following configuration information:
  • User Authentication: Use Password <user's password>
  • Machine Authentication: Use Shared Secret <prDwkj49fd 254>
  Click OK. The user can now connect.
  Click Apply.
Accessing a Computing Asset Behind a Remote Network Firewall
Accessing a single computing asset behind a firewall differs from permitting a client computer to become a node on the remote network. In the previous example, the VPN user's computer becomes a full participant in the remote LAN. In this scenario, the asset to be accessed is a single file server, with the VPN user's computer having no other contact with the remote LAN.
This scenario assumes the information in the section "Linking a Computer at Home with a Remote Network" on page 159 and adds:
  • File server IP address: 192.168.0.15
  • File server type: Apple File Sharing
For this scenario, the procedure is similar to that used for "Linking a Computer at Home with a Remote Network" on page 159, with these exceptions:
  • In Step 1, part 12, don't leave the routing definitions empty.
  • Create a Private route with the IP number of the file server (192.168.0.15 / 255.255.255.255).
  • In Step 2, part 3, configure the firewall to only accept Apple File Sharing Protocol connections and DNS from the VPN address group. VPN users who are now logged in
112. e
  • Canonical Name (CNAME): Stores an alias in connection with the real name of a server. For example, mail.apple.com might be an alias for a computer with a real (canonical) name of MailSrv473.apple.com.
  • Mail Exchanger (MX): Stores the domain name of the computer used for mail in a zone.
  • Name Server (NS): Stores the authoritative name server for a zone.
  • Pointer (PTR): Stores the domain name of an IP address (reverse lookup).
  • Text (TXT): Stores a text string as a response to a DNS query.
  • Service (SRV): Stores information about the services a computer provides.
  • Hardware Info (HINFO): Stores information about a computer's hardware and software.
Mac OS X Server simplifies the creation of these records by focusing on the computer being added to the zone rather than the records themselves. When you add a computer record to a zone, Mac OS X Server creates the zone records that resolve to a computer address. With this model, you can focus on what your computers do in your domain rather than which record types apply to their functions. If you need access to other kinds of records, you must edit the BIND configuration files manually. For details, see the BIND documentation.
Bonjour and Link-Local Addressing
With Bonjour, you can share nearly anything, including files, media, printers, and other devices, in innovative and easier ways. It simplifies traditional network-based activities like
113. e File Transfer Protocol (SFTP)
  161 UDP: Simple Network Management Protocol (SNMP)
  427 TCP/UDP: SLP (Service Location Protocol)
  8088 TCP: Software Update server
  3690 TCP: Subversion (version control)
  514 UDP: Syslog
  23 TCP/UDP: Telnet
  407 TCP/UDP: Timbuktu
  8005 TCP: Tomcat remote shutdown
  9007 TCP: Tomcat remote web server access to AJP port
  8080, 8443, 9006 TCP: Tomcat standalone and JBoss
  69 UDP: Trivial File Transfer Protocol (TFTP)
  5900 TCP/UDP: VNC (Mac OS X screen sharing, Apple Remote Desktop 2.0)
  4500 UDP: VPN IKE NAT traversal
  500 UDP: VPN ISAKMP/IKE
  1701 UDP: VPN L2TP
  1723 TCP: VPN PPTP
  8000-8999 TCP: Web service
  513 UDP: Who
  139 TCP: Windows file and print service (SMB/CIFS)
  137 TCP/UDP: Windows Name Service (WINS)
  138 TCP/UDP: Windows NetBIOS browsing
  3632 TCP: Xcode distributed compiler
  4111 TCP: Xgrid
Where to Find More Information
For more information about accessing and implementing the features of ipfw, the tool that controls Firewall service, see the ipfw man page.
Request for Comments (RFC) documents provide an overview of a protocol or service and describe how the protocol should behave. If you're a novice server administrator, you'll probably find the background information in an RFC helpful. If you're an experienced server administrator, you can find all technical details about a protocol in its RFC document. The RFC s
114. e Mobile Access service runs on a server accessible from the public Internet and provides access to services on one or more other servers (also called origin servers) residing on the private intranet. The Mobile Access service can provide proxy access to Address Book, iCal, Mail, and Web services hosted on other servers.
Note: Mobile Access does not provide proxy access to the Mac OS X v10.6 Wiki.
The Mobile Access service provides security and convenience. When properly configured, it is more secure than creating an opening through the firewall to the origin server, and it provides more granular control of access than a VPN connection. It is also more convenient than a VPN connection. For example, when a user authenticates, the Mobile Access server checks the user's authorization and redirects the user to the origin server (the server that provides the service).
A proxy server has few services on the system and no direct access to sensitive data, making it less vulnerable to exploits. If a security breach occurs, it is limited when compared to a breach of a destination server. By using a Mobile Access server, you provide a single location where user access to services is controlled, unlike VPN, which allows access to every machine and network service behind the firewall.
A Mobile Access server can limit which users can authenticate and which services each user can access. Through the use of SSL, a Mobile Access server hides sensitive d
115. e of your internal IMAP server.
  In the "Forward SMTP traffic to internal server" field, enter the fully qualified host name of your SMTP server. This is the fully qualified domain name of your internal SMTP server.
Chapter 9 Working with Mobile Access Service
  Click Advanced.
  In the Incoming IMAP Port field, enter the incoming port number. This is the port number used by the external request to enter the Mobile Access server. The default port is 993.
  From the IMAP Certificate pop-up menu, choose your certificate.
  In the Incoming SMTP Port field, enter the incoming port number. This is the port number used by the external request to access the Mobile Access server. The default port is 587.
  From the SMTP Certificate pop-up menu, choose your certificate.
  In the IMAP Host Port field, enter the port used by your internal IMAP server. The default is 143. If your internal IMAP server uses SSL, select the Use SSL checkbox.
  In the SMTP Host Port field, enter the port used by your internal SMTP server. The default is 25.
  Click OK, then click Save.
Configuring Mobile Access Service Web Settings
You use Server Admin to indicate the internal web origin server, set the external and internal ports, and configure the SSL settings for the Mobile Access server. When configuring Mobile Access server to proxy Web service, you must use basic, digest, or session-based as the method of aut
116. e suitable rules.
Step 2: Turn Firewall service on
In Server Admin, select Firewall and click Start Firewall. By default, this blocks all incoming ports except those used to configure the server remotely. If you're configuring the server locally, turn off external access immediately.
Important: If you add or change a rule after starting Firewall service, the new rule affects connections established with the server. For example, if you deny access to your FTP server after starting Firewall service, computers connected to your FTP server are disconnected.
Step 3: Configure Firewall Address Groups settings
Create an IP address group that the firewall rules will apply to. By default, an IP address group is created for all incoming IP addresses. Rules applied to this group affect all incoming network traffic. See "Configuring Address Groups Settings" on page 93.
Step 4: Configure Firewall Services settings
Activate service rules for each address group. In the Services pane, you can activate rules based on address groups as destination IP numbers. See "Configuring Services Settings" on page 94.
Step 5: Configure Firewall Logging settings
Use logging settings to enable Firewall service event logging. You can also set what types and how many packets get logged. See "Configuring Firewall Logging Settings" on page 96.
Step 6: Configure Firewall Advanced settings
Config
117. e tools installed with Mac OS X Server support IPv6 (for example, ping6 and traceroute6).
Support for IPv6 Addresses in Server Admin
The services above support IPv6 addresses, but not in Server Admin. IPv6 addresses fail if entered in IP address fields in Server Admin. You can configure IPv6 addresses for these services with command-line tools and by editing configuration files.
IPv6 Addresses
IPv6 addresses are different from IPv4 addresses. There are changes in address notation, reserved addresses, the address model, and address types.
IPv6 Notation
IPv4 addresses are 4 bytes long and are expressed in decimals, but IPv6 addresses are 16 bytes long and can be expressed a number of ways. IPv6 addresses are generally written in the following form:
  XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX
The address is split into pairs of bytes separated by colons. Each byte is represented as a pair of hexadecimal digits. The following address is in IPv6 format:
  2001:DB8:0000:0000:0000:4AC8:C0A8:6420
This can be abbreviated as follows:
  2001:DB8:0:0:0:4AC8:C0A8:6420
IPv6 addresses often contain bytes with a zero value, so a shorthand notation is available. The shorthand notation removes the zero values from the text representation and puts the colons next to each other, as follows:
  2001:DB8::4AC8:C0A8:6420
Chapter 11 Supporting IPv6
Because many IPv6 addresses are extensions of IPv4 addresses, the right-most 4 bytes of an IPv6 address (the righ
118. eb, SSH, file sharing, and so on) using the Private LAN group. For more information, see "Configuring Services Settings" on page 94.
  Start any services you want the Internet to access on your private LAN (web, SSH, file sharing, and so on) using the "any" address group. For more information, see "Configuring Services Settings" on page 94.
  Click Save.
Setting Up a LAN Party for Gaming
Some Internet-enabled games allow multiple players to connect online over a LAN. This is known as a LAN party. Setting up a LAN party is essentially the same as the process found in "Linking a LAN to the Internet Through One IP Address" on page 133.
Special considerations:
  • Open only the ports necessary to play an Internet-enabled game. If the game is played only inside the LAN, don't open the firewall to game ports.
  • If you have computers joining and leaving the LAN, use DHCP for client address configuration.
Setting Up Virtual Servers
A virtual server is a gateway server that sends services behind a NAT firewall to real servers on a port-by-port basis. For example, suppose you have a NAT gateway called domain.example.com with an address of 17.100.0.1 that is set to forward web traffic (port 80) to 10.0.0.5 port 80 behind the firewall, and that sends packet requests for ssh traffic (port 22) to 10.0.0.15 port 22. In this example, the NAT gateway is not really serving the web content. The server at 10.0.0.5 is, but it is invis
119. eb service on the private LAN address 192.168.1.1. Add the following to the /etc/nat/natd.plist file:
(Chapter 5 Working with NAT Service)
<key>redirect_port</key>
<array>
  <dict>
    <key>proto</key>
    <string>tcp</string>
    <key>targetIP</key>
    <string>192.168.1.1</string>
    <key>targetPortRange</key>
    <string>80</string>
    <key>aliasIP</key>
    <string>17.128.128.128</string>
    <key>aliasPortRange</key>
    <string>80</string>
  </dict>
</array>
Multiple Port Forwarding
This example shows the setting to forward TCP and UDP ports 600-1023 (NetInfo full range connections) on the WAN address 17.128.128.128 to corresponding ports on the private LAN address 192.168.1.1. Add the following to the /etc/nat/natd.plist file:
<key>redirect_port</key>
<array>
  <dict>
    <key>proto</key>
    <string>tcp</string>
    <key>targetIP</key>
    <string>192.168.1.1</string>
    <key>targetPortRange</key>
    <string>600-1023</string>
    <key>aliasIP</key>
    <string>17.128.128.128</string>
    <key>aliasPortRange</key>
    <string>600-1023</string>
  </dict>
  <dict>
    <key>proto</key>
    <string>udp</string>
    <key>target
120. ect to the server.
  2. Click the triangle at the left of the server. The list of services appears.
  3. From the expanded Servers list, select Mobile Access.
  4. Click Settings.
  5. Select the "Forward Address Book traffic to internal server" checkbox.
  6. In the "Forward Address Book traffic to internal server" field, enter the fully qualified host name of the Address Book server. This must be the fully qualified domain name of your internal Address Book server.
  7. Click Advanced.
  8. In the Incoming Port field, enter the incoming port number. This is the port number that the external request enters the Mobile Access server. The default port is 8843.
  9. From the Certificate pop-up menu, choose your certificate. For more information about obtaining signed certificates from a Certificate Authority, see Advanced Server Administration.
(Chapter 9 Working with Mobile Access Service, page 185)
  10. In the Address Book Host Port field, enter the port used by your internal Address Book server. The default is 8554.
  11. If your internal Address Book server uses SSL, select the Use SSL checkbox.
  12. Click OK, then click Save.
Configuring Mobile Access Service iCal Settings
You use Server Admin to indicate the internal iCal origin server, set the external and internal ports, and configure the SSL settings for the Mobile Access server. When configuring Mobile Access server to proxy iCal, you must use basic or digest as the method of authentication
121. ection of the following website contains several RFC numbers for various protocols: www.ietf.org/rfc.html. The Internet Assigned Number Authority (IANA) maintains a list of well-known ports and TCP and UDP ports that have been assigned by the organization for various protocols. The list can be found at www.iana.org/assignments/port-numbers. Also, important multicast addresses are documented in the most recent Assigned Numbers RFC, currently RFC 1700.
(Chapter 4 Working with Firewall Service, pages 123-124)
Working with NAT Service
Use this chapter to set up and manage NAT service in Mac OS X Server.
Network Address Translation (NAT) is a protocol you use to give multiple computers access to the Internet using only one assigned public (or external) IP address. NAT permits you to create a private network that accesses the Internet through a NAT router or gateway. NAT is sometimes referred to as IP masquerading.
The NAT router takes traffic from your private network and remembers internal addresses that have made requests. When the NAT router receives a response to a request, it forwards it to the originating computer. Traffic that originates from the Internet does not reach computers behind the NAT router unless port forwarding is enabled.
Using NAT with Other Network Services
Enabling NAT on Mac OS X Server often requires detailed control over DHCP, so DHCP is configured separately in Server Admin. To learn more about DHCP, see Chapter 2
122. ed working zone folder. Restart the DNS service using Server Admin.
Managing DNS Records
Each zone contains a number of records that are requested when a client computer translates a domain name (like www.example.com) to an IP number. Web browsers, mail clients, and other network applications rely on a zone's records to contact the correct server. The following sections describe how to add, modify, and delete DNS records.
(Chapter 3 Working with DNS Service)
Adding an Alias Record to a DNS Zone
You must add records for each computer the DNS primary zone has responsibility for. Do not add records for computers the zone doesn't control. An alias record, or canonical name (CNAME) record, is used to create aliases that point to other names. If you want this computer to have more than one name, add alias records to the zone.
To add a DNS alias record:
  1. Open Server Admin and connect to the server.
  2. Click the triangle at the left of the server. The list of services appears.
  3. From the expanded Servers list, select DNS.
  4. Click Zones.
  5. Select the zone this record is to be added to.
  6. Click Add Record, then choose Add Alias (CNAME). This adds the alias record to the zone.
  7. Select newAlias listed under the primary zone, then enter the alias information.
  8. In the Alias Name field, enter the alternate name for your computer. If you want to use the fully qualified name for the Alias, select the Fully Qualified checkbox and enter the
123. ee Configuring PPTP Settings on page 146.
(Chapter 6 Working with VPN Service)
Step 5: Configure VPN Logging settings. Use the Logging settings to enable VPN verbose logging. See Configuring VPN Logging Settings on page 150.
Step 6: Configure VPN Client Information settings. Use Server Admin to configure network settings for VPN clients. See Configuring Client Information Settings on page 149.
Turning VPN Service On
Before you can configure VPN service, you must turn VPN service on in Server Admin.
To turn VPN service on:
  1. Open Server Admin and connect to the server.
  2. Click Settings, then click Services.
  3. Select the VPN checkbox.
  4. Click Save.
Setting Up VPN Service
There are two groups of settings for VPN service in Server Admin:
- Connections: Shows you information about users who are connected using VPN.
- Settings: Configures and manages L2TP and PPTP VPN service connections.
The following sections describe how to configure these settings and how to start VPN service after you set up VPN.
Configuring L2TP Settings
Use Server Admin to designate L2TP as the transport protocol. If you enable this protocol, you must also configure the connection settings. You must designate an IPSec shared secret (if you don't use a signed security certificate), the IP address allocation range to be given to users, and the group that will use the VPN service (if needed). If L2TP and PPTP are used, each protocol shou
124. eing sent from the server. If you select Other, enter the interface name (en0, en1, fw1, and so on).
Click OK.
Click Save to apply the rule immediately.
From the command line:
To add a rule:
sudo serveradmin settings
ipfilter:rules:_array_id:<rule>:create
ipfilter:rules:_array_id:<rule>:source = <source>
ipfilter:rules:_array_id:<rule>:protocol = <protocol>
ipfilter:rules:_array_id:<rule>:destination = <destination>
ipfilter:rules:_array_id:<rule>:action = <action>
ipfilter:rules:_array_id:<rule>:enableLocked = yes|no
ipfilter:rules:_array_id:<rule>:enabled = yes|no
ipfilter:rules:_array_id:<rule>:log = yes|no
ipfilter:rules:_array_id:<rule>:readOnly = yes|no
ipfilter:rules:_array_id:<rule>:source-port = <port>
Control-D
(Chapter 4 Working with Firewall Service, page 101)
Parameter: Description
rule: A unique rule number.
Other parameters: The standard rule settings described under Command Line Parameters for Network Services.
Adding Rules by Modifying ipfw.conf
An ipfw configuration, or ruleset, is made of a list of rules numbered from 1 to 65535. The file where you can define your rules is /etc/ipfilter/ipfw.conf. Firewall service reads this file but doesn't modify it. Its contents are annotated and include commented-out rules you can use as models.
Packets are passed to ipfw from a number of places in the protocol stack. Depending on the source and destination of the packet, ipfw can be invoked multiple times on the same pac
125. emaining parts of the name.
To view all service configuration settings:
sudo serveradmin settings dns
To modify your server's DNS configuration, use serveradmin. However, you'll probably find it more straightforward to work with DNS and BIND using the standard tools and techniques described in the many books on the subject. For an example, see DNS and BIND by Paul Albitz and Cricket Liu.
For information about DNS serveradmin commands, see DNS serveradmin Commands on page 203. For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.
(Chapter 3 Working with DNS Service, pages 61-62)
Starting DNS Service
Use Server Admin to start DNS service. Remember to restart DNS service when you make changes to DNS service in Server Admin.
To start DNS service:
  1. Open Server Admin and connect to the server.
  2. Click the triangle at the left of the server. The list of services appears.
  3. From the expanded Servers list, select DNS.
  4. Click Start DNS (below the Servers list). The service can take a few seconds to start.
From the command line:
To start the service:
sudo serveradmin start dns
For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.
Managing DNS Service
This section describes typical tasks you might perform after you set up DNS service on your server.
126. enable stealth mode:
  1. Open Server Admin and connect to the server.
  2. Click the triangle at the left of the server. The list of services appears.
  3. From the expanded Servers list, select Firewall.
  4. Click Settings, then click Advanced.
  5. Select Enable for TCP, Enable for UDP, or both, as needed.
  6. Click Save.
Adaptive Firewall
Mac OS X v10.6 uses an adaptive firewall that dynamically generates a firewall rule if a user has 10 consecutive failed login attempts. The generated rule blocks the user's computer for 15 minutes, preventing the user from attempting to log in. The adaptive firewall helps to prevent your computer from being attacked by unauthorized users. The adaptive firewall does not require configuration and is active when you turn on your firewall.
(Chapter 4 Working with Firewall Service)
Resetting the Firewall to the Default Setting
A server can become unreachable for remote administration due to an error with the firewall configuration. In such a case, you must reset the firewall to its default state so Server Admin can access the server. This recovery procedure requires you to use the command-line interface and must be done by an administrator who has physical access to the server.
To reset the firewall to its default setting:
  1. Disconnect the server from the Internet.
  2. Restart the server in single-user mode by holding down the Command-s keys during startup.
  3. Remove or rename the address groups file found at /etc/ipfilt
127. epending on your Windows clients' configuration and Windows network infrastructure.
To set WINS options for a subnet:
  1. Open Server Admin and connect to the server.
  2. Click the triangle at the left of the server. The list of services appears.
  3. From the expanded Servers list, select DHCP.
  4. Click Subnets.
  5. Select a subnet.
  6. Click WINS.
  7. Enter the domain name or IP address of the WINS/NBNS primary and secondary servers for this subnet.
  8. Enter the domain name or IP address of the NBDD server for this subnet.
  9. From the pop-up menu, choose the NBT node type.
  10. Enter the NetBIOS Scope ID.
  11. Click Save.
If DHCP is running, you are prompted to restart DHCP for your change to take effect. Otherwise, your changes take effect the next time you start DHCP.
From the command line:
You must use the same subnet ID that was used to create the subnet.
To set WINS options for a subnet:
sudo serveradmin settings
dhcp:subnets:_array_id:<subnetID>:WINS_secondary_server = <wins server 2>
(Chapter 2 Working with DHCP Service, page 38)
dhcp:subnets:_array_id:<subnetID>:WINS_primary_server = <wins server 1>
dhcp:subnets:_array_id:<subnetID>:WINS_NBDD_server = <nbdd server>
dhcp:subnets:_array_id:<subnetID>:WINS_node_type = <node type>
dhcp:subnets:_array_id:<subnetID>:WINS_scope_id = <scope ID>
Control-D
Parameter: Description
subnetID: A unique number that identifies the subnet. Can be any number not assigned to another subnet on the server. Can
128. er/ip_address_groups.plist.
  4. Remove or rename the ipfw configuration file found at /etc/ipfilter/ipfw.conf.
  5. Force-flush the firewall rules by entering the following in Terminal:
     ipfw -f flush
  6. Edit the /etc/hostconfig file and set IPFILTER=-YES-.
  7. Complete the startup sequence in the login window by entering exit. The computer starts up with the default firewall rules and firewall enabled.
  8. Use Server Admin to refine the firewall configuration.
  9. Log in to your server's local administrator account to confirm that the firewall is restored to its default configuration.
  10. Reconnect your host to the Internet.
Monitoring Firewall Service
Firewalls are a network's first line of defense against malicious computer users (hackers). To maintain the security of your computers and user information, you must monitor firewall activity and deter potential threats. This section explains how to log and monitor your firewall.
Checking the Status of Firewall Service
Use Server Admin to check the status of Firewall service.
To check Firewall service status:
  1. Open Server Admin and connect to the server.
  2. Click the triangle at the left of the server. The list of services appears.
  3. From the expanded Servers list, select Firewall.
(Chapter 4 Working with Firewall Service, pages 105-106)
  4. Click Overview to see whether the service is running, the number of active static and dynamic rules configured, the number of matching packets, and the number of bytes i
129. er the VPN connection, regardless of the routes that are set.
- Definitions are unordered. They only apply the description that most closely matches the packet being routed.
(Chapter 6 Working with VPN Service, pages 151-152)
Example
Suppose your LAN's IP addresses are 17.x.x.x addresses. If you make no routing definitions, all VPN client network traffic (such as web browser URL requests, LPR printer queue print jobs, and file server browsing) is routed from the client computer through the VPN tunnel to the 17.x.x.x LAN.
You decide that you don't want to manage all traffic to web sites or file servers that aren't located on your network. You can specify what traffic gets sent to the 17.x.x.x network and what goes through the client computer's normal Internet connection.
To limit the traffic the VPN tunnel handles, enter a routing definition designating traffic to the 17.x.x.x network as private, which sends it through the VPN tunnel. In the routing definition table, you'd enter: 17.0.0.0 255.0.0.0 Private.
Traffic to the LAN is now sent over the VPN connection and, by default, all other addresses not in the definitions table are sent over the client computer's unencrypted Internet connection.
You then decide that there are a few IP addresses in the 17.x.x.x range that you don't want accessed over the VPN connection. You want the traffic to go through the client computer's Internet connection and not pass through the VPN tunnel. The addresses might be
130. er the host name of your time server. Your host name can be a domain name (such as time.example.com) or an IP address.
  6. Close System Preferences.
Where to Find More Information About NTP
The working group documentation and FAQ for NTP can be found at www.ntp.org. Listings of publicly accessible NTP servers and their use policies can be found at support.ntp.org/bin/view/Servers/WebHome.
Request for Comments (RFC) documents provide an overview of a protocol or service and details about how the protocol should behave. If you're a novice server administrator, you'll probably find some of the background information in an RFC helpful. If you're an experienced server administrator, you can find all technical details about a protocol in its RFC document. You can search for RFC documents by number at www.ietf.org/rfc.html. The official specification of NTP version 3 is RFC 1305.
(Chapter 8 Working with NTP Service)
Working with Mobile Access Service
Use this chapter to set up and manage a Mobile Access server on your network.
A Mobile Access server provides a way through a corporate firewall for IMAP, SMTP, and for HTTP protocols such as Web service and CalDAV, without using VPN. Mobile Access service allows an administrator to enable secure and convenient access to Mail, Web, and iCal services in the Mac OS X Server environment by sending requests through a layer of increased security and control.
About Mobile Access Server
Th
132. ernet tells you how to use Gateway Setup Assistant to link your network to the Internet.
- Chapter 2, Working with DHCP Service, tells you how to configure and use DHCP to assign IP addresses on your network.
- Chapter 3, Working with DNS Service, tells you how to use Mac OS X Server as a domain name server.
- Chapter 4, Working with Firewall Service, tells you how to maintain network security using a firewall.
- Chapter 5, Working with NAT Service, tells you how to configure and use NAT to connect many computers to the Internet with only one public IP address.
- Chapter 6, Working with VPN Service, tells you how to configure and use VPN to allow remote users to access your private LAN securely.
- Chapter 7, Working with RADIUS, tells you how to configure and use RADIUS Service to authorize Open Directory users and groups so they can access AirPort Base Stations on a network.
- Chapter 8, Working with NTP Service, tells you how to enable your server as a time server.
- Chapter 9, Working with Mobile Access Service, tells you how to enable your server as a Mobile Access Server.
- Chapter 10, Supporting a VLAN, tells you about VLAN support for some server hardware configurations.
- Chapter 11, Supporting IPv6, tells you about IPv6 and the services that support IPv6 addressing.
- Command Line Parameters for Network Services describes command-line parameters for specific netw
133. ers Computers in Getting Started.
To connect to a VPN, enter configuration settings into Network preferences.
To set up a VPN connection:
  1. Choose Apple > System Preferences, and then click Network.
  2. Click Add at the bottom of the network connection services list, and then choose VPN from the pop-up menu.
  3. Choose what kind of VPN connection you want to set up from the VPN Type pop-up menu, depending on the network you are connecting to, and give the VPN service a name.
  4. Enter the server address and the account name for the VPN connection.
  5. Click Authentication Settings and enter the user authentication information you were given by the network administrator.
  6. After entering the user authentication information, click OK and then click Connect.
Select "Show VPN status in menu bar" to use the VPN status icon to connect to the network and switch between VPN services. To remove the VPN configuration, select the VPN network connection service in the list and click Delete.
Client computers running an earlier version of Mac OS X or any version of Windows need the following VPN connection information:
- VPN server or host: your server's DNS name or public IP address
- VPN type: L2TP over IPSec
- Shared secret key for IPSec: shown in the VPN pane of Server Preferences when you click Edit and select "Show shared secret"
(Chapter 6 Working with VPN Service)
- Account name: the short name of the user's acco
134. ers and Mac OS X Servers. Use these ports when you set up access rules. To view the RFCs referenced in the tables, see www.faqs.org/rfcs.
(Chapter 4 Working with Firewall Service, 1 499)
Port: Description (Reference)
7 TCP/UDP: Echo (RFC 792)
20 TCP: FTP data (RFC 959)
21 TCP: FTP control (RFC 959)
22 TCP/UDP: Secure Shell (SSH); Open Directory replica setup
23 TCP/UDP: Telnet (RFC 854)
25 TCP/UDP: Mail SMTP (RFC 821)
53 TCP/UDP: DNS (RFC 1034)
67 UDP: DHCP server, BootP, NetBoot server
68 UDP: DHCP client
69 UDP: Trivial File Transfer Protocol (TFTP)
79 TCP/UDP: Finger (RFC 1288)
80 TCP: HTTP (web) (RFC 2068)
88 TCP/UDP: Kerberos V5 KDC (RFC 1510)
106 TCP/UDP: Open Directory Password Server (with 3659)
110 TCP/UDP: Mail POP3 (RFC 1081)
111 TCP/UDP: Remote Procedure Call (RPC) (RFC 1057)
113 TCP/UDP: Authentication service (RFC 931)
115 TCP: Simple File Transfer Protocol (SFTP)
119 TCP: Network News Transfer Protocol (NNTP) (RFC 977)
123 TCP/UDP: Network Time Protocol (RFC 1305)
137 TCP/UDP: Windows Name Service (WINS)
138 TCP/UDP: Windows NETBIOS browsing
139 TCP: Windows file and print service (SMB/CIFS) (RFC 100)
143 TCP: Mail IMAP (RFC 2060)
161 UDP: Simple Network Management Protocol (SNMP)
(Chapter 4 Working with Firewall Service, page 115)
Port: Description (Reference)
192 UDP: AirPort administration
201-208 TCP: AppleTalk
311 TCP: Server Admin over SSL; AppleShare IP remote web administra
135. ervers list, select NAT.
Click Overview.
Click Gateway Setup Assistant.
Follow the directions in the assistant: click Continue after each page, read the final configuration summary carefully, and make sure you approve of the settings before finalizing the configuration.
WARNING: Although you can use the Gateway Setup Assistant to configure remote servers, you can accidentally cut off your administrator access to the remote server.
(Chapter 1 Linking Your Network to the Internet, page 17)
Connecting a Wired LAN to the Internet
You can use Gateway Setup Assistant to connect a wired LAN to the Internet. Your LAN can consist of any number of computers connected to each other through Ethernet hubs and switches, but the LAN must have one point of contact with the Internet: the gateway. Your gateway has one connection to the Internet and one connection to the LAN. All other computers access the Internet through your gateway.
You can configure your Mac OS X server to be a gateway to the Internet, which requires that your server have two Ethernet ports, en0 and en1. Port en0 should be connected to the Internet and en1 should be connected to your LAN.
After this process, computers on the LAN:
- Can get IP addresses and network settings that were configured using DHCP
- Can access the Internet if the gateway is connected to the Internet
- Can't be accessed by unauthorized network connections originating from the Inte
136. ervice or with third-party authentication services.
Enabling VPN PPTP Access for Users in an LDAP Domain
In Mac OS X v10.5 and later, you can use a command-line tool to enable PPTP VPN connections for users in an LDAP domain. This resolves a situation where users can establish a VPN connection using PPTP to a Mac OS X Server that, when established, is not used by network traffic. This situation affects Mac OS X Server v10.3, v10.4, and v10.5.
To enable VPN PPTP access for users in an LDAP domain:
  1. Run the tool /usr/sbin/vpnaddkeyagentuser as root, with the LDAP node (directory where users are present) name as the argument. For example, if the server running VPN service is the LDAP master, enter the following command in Terminal:
     sudo /usr/sbin/vpnaddkeyagentuser /LDAPv3/127.0.0.1
     If the server running VPN service is not an LDAP master and the LDAP directory is on a different computer, use the IP address of the LDAP server in the command. For example, if the LDAP server address is 17.221.67.87, enter the following command in Terminal:
     sudo /usr/sbin/vpnaddkeyagentuser /LDAPv3/17.221.67.87
(Chapter 6 Working with VPN Service, pages 155-156)
  2. When prompted, enter the username and password.
     - If the VPN server is the LDAP master, enter the administrator name and password of the server.
     - If the LDAP directory is on a different server, enter the administrator name and password of the server that hosts the LDAP directory, or the admin
137. es how you can determine which rule is invalid.
To determine which rule is invalid:
  1. Read the error message in the log.
  2. Wait a few minutes for Server Admin to show the active rules in the Firewall Overview pane.
(Chapter 4 Working with Firewall Service, pages 103-104)
  3. Compare the list of active rules in the Firewall Overview pane with the rule list in the Settings section.
  4. Inspect the contents of the /etc/ipfilter/ipfw.conf.apple file to see which rules Server Admin tried to load in the firewall. The first rule in the file that is not present in the Firewall Overview pane is likely the invalid one. However, there might be more invalid rules after that one.
  5. If the rule corresponds to one from the Advanced Settings pane, disable it or correct it. Disabled rules appear in the /etc/ipfilter/ipfw.conf.apple file preceded by a comment character, so they are not processed by the ipfw tool.
Enabling Stealth Mode
You can hide your firewall by choosing not to send a connection failure notification to any connection that is blocked by the firewall. This is called stealth mode, and it effectively hides your server's closed ports. For example, if a network intruder tries to connect to your server, even if the port is blocked, he or she knows that there is a server and can find other ways to intrude. If stealth mode is enabled, instead of being rejected, the hacker won't receive notification that an attempted connection took place.
To
138. es that are usable only in the NAT environment. If you were to assign a domain name to these addresses outside the NAT gateway, none of the domain names would resolve to the correct computer. For more information about NAT, see Chapter 5, Working with NAT Service.
(Chapter 3 Working with DNS Service, pages 79-80)
However, you can run DNS service behind the gateway, assigning host names to NAT IP addresses. This way, if you're behind the NAT gateway, you can enter domain names rather than IP addresses to access servers, services, and workstations. Your DNS server should also have a Forwarding zone to send DNS requests outside of the NAT gateway, to permit resolution of names outside the routed area. Your client networking settings should specify the DNS server behind the NAT gateway.
The process of setting up one of these networks is the same as setting up a private network. For more information, see Linking a LAN to the Internet Through One IP Address on page 133.
If you set up a namespace behind the NAT gateway, names entered by users outside the gateway won't resolve to addresses behind it. Set the DNS records outside the NAT routed area to point to the NAT gateway, and use NAT port forwarding to access computers behind the NAT gateway. For more information, see Configuring Port Forwarding on page 127.
Mac OS X's Multicast DNS feature permits you to use hostnames on your local subnet that end with the .local suffix without enabling DN
139. esses to distribute.
Assigning Reserved IP Addresses
Some IP addresses can't be assigned, including addresses reserved for loopback and for broadcasting. Your ISP won't assign these addresses to you. If you try to configure DHCP to use these addresses, you're warned that the addresses are invalid and you must enter valid addresses.
Getting More Information About the DHCP Process
Mac OS X Server uses a daemon process named bootpd that is responsible for the DHCP service's address allocation. For more information about bootpd and its advanced configuration options, see the bootpd man page.
(Chapter 2 Working with DHCP Service)
Turning DHCP Service On
Before you can configure DHCP settings, you must turn on DHCP service in Server Admin.
To turn DHCP service on:
  1. Open Server Admin and connect to the server.
  2. Click Settings.
  3. Click Services.
  4. Select the DHCP checkbox.
  5. Click Save.
Setting Up DHCP Service
Set up DHCP service by configuring the following items in Server Admin:
- Subnet: Create a pool of IP addresses that are shared by computers on your network.
- Log Level: Configure the DHCP event log level.
The following sections describe the tasks for configuring these settings and how to start DHCP service when you finish.
Creating Subnets in DHCP Service
Subnets are groupings of computers on the same network that can be organized by location (for example, different floors of a building) o
140. etworking gives companies greater network flexibility, seamlessly connecting laptop users to the network and giving them the freedom to move within the company while staying connected to the network.
You use RADIUS to authorize Open Directory users and groups so they can access AirPort Base Stations on a network. By configuring RADIUS and Open Directory, you can control who has access to your wireless network.
RADIUS works with Open Directory and Password Server to grant authorized users access to the network through an AirPort Base Station. When a user attempts to access an AirPort Base Station, AirPort communicates with the RADIUS server using Extensible Authentication Protocol (EAP) to authenticate and authorize the user. Users are given access to the network if their user credentials are valid and they are authorized to use the AirPort Base Station. If a user is not authorized, he or she cannot access the network through the AirPort Base Station.
RADIUS Setup Overview
If you're setting up your own RADIUS server, follow the steps in this section.
Step 1: Turn RADIUS on. Before configuring service, turn on RADIUS. See Turning RADIUS On on page 169.
Step 2: Add AirPort Base Stations to a RADIUS server. Decide which AirPort Base Stations you want to add to the RADIUS server. See Adding AirPort Base Stations to a RADIUS Server on page 171.
Step 3: Remotely configure an AirPort Base Station. Use Server Admin to
141. following three groups of settings in Server Admin:
- Zones: Use to configure a primary zone and computers that are part of the zone, and to configure a copy of a primary zone stored on a secondary name server. This also sets information that determines if you permit zone transfers.
- Bonjour: Use to configure Wide Area Bonjour browsing, which allows you to extend Bonjour browsing to function beyond the local subnet and across the Internet.
(Chapter 3 Working with DNS Service)
- Settings: Use to configure and manage logs for DNS service and to set recursion for DNS service.
The following sections describe how to configure these settings and how to start DNS service when you finish.
Configuring DNS Service Primary Zone Settings
Use Server Admin to create a local DNS zone file and add records to it.
Important: In Mac OS X Server v10.6, the configuration and zone files used by Server Admin have changed. If you edit the named.conf and zone files manually from Terminal, the information is used by DNS. However, the information does not appear in the DNS Zones pane of Server Admin. Also, changes made in Server Admin are not made to the named.conf file. It is recommended that you use Server Admin.
To configure DNS service zone settings:
  1. Open Server Admin and connect to the server.
  2. Click the triangle at the left of the server. The list of services appears.
  3. From the expanded Servers list, select DNS.
  4. Click Zones.
  5. Click Add
142. from the command line.
Configurable items include:
• Strings displayed in authentication pages
• The path to the logo image displayed in authentication pages
• The DNS domain used in authentication cookies
• The duration of authentication cookies

Where to Find More Information
For more information about proxies, see the following:
• RFC 2616, Hypertext Transfer Protocol (HTTP/1.1), at www.faqs.org/rfcs/rfc2616.html
• RFC 3040, Internet Web Replication and Caching Taxonomy, at www.faqs.org/rfcs/rfc3040.html
• RFC 3143, Known HTTP Proxy/Caching Problems, at www.faqs.org/rfcs/rfc3143.html
Request for Comments (RFC) documents provide an overview of a protocol or service and explain how the protocol should behave. If you're a novice server administrator, you'll probably find some of the background information in an RFC helpful. If you're an experienced server administrator, you can find technical details about a protocol in its RFC document. You can search for RFC documents by number at www.ietf.org/rfc.html.

Supporting a VLAN
Use this chapter to set up and manage a virtual local area network (VLAN).
Using a virtual local area network (VLAN) can prevent delays and data loss in environments with extremely high amounts of network traffic. VLANs enable multiple computers on different physical LANs to communicate with each
143. ft of the server. The list of services appears.
3. From the expanded Servers list, select VPN.
4. Click Settings.
5. Click PPTP.
6. Select Enable PPTP.
7. In the Starting IP address field, set the beginning IP address of the VPN allocation range. It can't overlap the DHCP allocation range, so enter 192.168.0.128.
8. In the Ending IP address field, set the ending IP address of the VPN allocation range. It can't overlap the DHCP allocation range, so enter 192.168.0.255.
9. If needed, select "Allow 40-bit encryption keys in addition to 128-bit" to permit 40-bit and 128-bit key encryption access to VPN.
WARNING: 40-bit encryption keys are much less secure, but can be necessary for some VPN client applications.
10. Choose a PPP authentication type.
If you choose Directory Service and your computer is bound to a Kerberos authentication server, from the Authentication pop-up menu select Kerberos. Otherwise, choose MS-CHAPv2.
If you choose RADIUS, enter the following information:
• Primary IP Address: Enter the IP address of the primary RADIUS server.
• Shared Secret: Enter a shared secret for the primary RADIUS server.
• Secondary IP Address: Enter the IP address of the secondary RADIUS server.
• Shared Secret: Enter a shared secret for the secondary RADIUS server.
11. Click Save.

From the command line
To configure PPTP settings:
    sudo serveradmin settings vpn:vpn:Servers:com.apple.ppp.pptp:enabled = yes
    vpn:vpn:Ser
144. fully qualified domain name. This field is the basis for CNAME records of the computer. Reverse lookup (pointer) records are created for the computer.
Add as many aliases as you want.
In the Destination field, enter the computer name you are creating the alias for. If you want to use the fully qualified name for the Destination, select the Fully Qualified checkbox and enter the fully qualified domain name.
Click Save.
Add as many aliases as you want by adding additional alias records.

Adding a Machine Record to a DNS Zone
You must add records for each computer the DNS primary zone has responsibility for. Do not add records for computers the zone doesn't control.
A machine record, or address (A) record, is used to associate a domain name with an IP address. Therefore there can be only one machine for each IP address, because there can't be duplicate IP addresses in a zone.

To add a DNS machine record:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Select the zone this record is to be added to.
6. Click Add Record, then choose Add Machine (A). This adds the machine record to the zone.
7. Select newMachine listed under the zone, then enter the following machine information:
• In the Machine Name field, enter the hostname of the computer. This field
145. group name: The name of the access control group.

Enabling PPP Dial-In Service
To set up Point-to-Point Protocol (PPP) Dial-In service, use the pppd daemon. For more information, see the pppd man page. The Examples section of the man page shows an example of setting up PPP Dial-In service.

Restoring the Default Configuration for Server Services
When you use applications such as Server Admin to configure a Mac OS X Server service, your settings are stored in places such as a configuration file (.conf), a preference list (.plist), an XML file, or the local directory database. In some cases you might want to reset a service to its default settings, which you can do by renaming or deleting a service's configuration file. Mac OS X Server then creates a default copy of the file.

To restore NAT service to its default:
Rename or delete the natd.plist file in the /etc/nat folder.

To restore Firewall service to its default:
Rename or delete the ip_address_groups.plist, standard_services.plist, and ipfw.conf files in the /etc/ipfilter folder.

To restore DHCP service to its default:
Remove the subnet configuration from the /config/dhcp folder in the local directory database by using the dscl tool:
    sudo dscl . -delete /config/dhcp
Remove the static Ethernet/IP address static maps from the /machines folder in the local directory database. The easiest way to do this is to delete the folder:
    sudo dscl . -delete /machines
Recreate t
146. gs:
    sudo radiusconfig -autorotatelog on|off -n file_count
Parameters:
• file count: The number of log files to preserve
• base file: The name of the log file
• on: Enables automatic log rotation
• off: Disables automatic log rotation
For information about radiusconfig, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.

Starting or Stopping RADIUS Service
You use Server Admin to start or stop RADIUS. When you stop RADIUS, make sure no users are connected to AirPort Base Stations your RADIUS server manages.
To start or stop RADIUS:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Start RADIUS or Stop RADIUS below the Servers list. The service can take a few seconds to start or stop.

From the command line
To start the RADIUS server:
    sudo radiusconfig -start
To stop the RADIUS server:
    sudo radiusconfig -stop
For information about radiusconfig, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.

Managing RADIUS
This section describes tasks you might perform after you set up RADIUS on your server.

Checking RADIUS Status
You can use Server Admin to check the status of RADIUS.
To check RADIUS status:
1. Open Server Admin and connect to
147. guring your server to connect to the Internet. You make further changes to the service configuration using Server Admin. For network services, see the relevant section in this book for instructions.

About Gateway Setup Assistant
Gateway Setup Assistant helps you quickly and easily set up Mac OS X Server v10.6 to share your Internet connection with your local network. After you configure a few settings, the assistant can start sharing the server connection.
Depending on your configuration choices, the assistant performs the following when it sets up the server:
• Assigns the server a static IP address for each internal network interface. The address assigned is 192.168.x.1. The value used for x is determined by the network interface's order in the Network System Preference pane. For example, for the first interface on the list x is 0; for the second interface x is 1.
• Enables DHCP to allocate addresses on the internal network, removing existing DHCP subnets.
• Sets aside specific internal 192.168.x.x addresses for DHCP use. Without VPN started, each interface can allocate addresses from 192.168.x.2 to 192.168.x.254.
• (Optional) Enables VPN to permit authorized external clients to connect to the local network. VPN L2TP is enabled, so you must enter a shared secret (a passphrase) for client connections to use.
• Sets aside specific internal addresses (192.168.x.x) for VPN use. If VPN is selected, half of the al
148. hat announce themselves using Bonjour, you can use the Base Stations pane of RADIUS in Server Admin to add them to your RADIUS server. You can add up to 64 Base Stations to RADIUS.

To browse and add Bonjour-enabled AirPort Base Stations to a RADIUS server:
1. On the management computer, open Server Admin.
2. Click the triangle at the left of the server. The list of services appears.
3. In the expanded Servers list, click RADIUS.
4. Click Base Stations.
5. Below the AirPort Base Stations list, click Browse. A list of AirPort Base Stations found through Bonjour appears. The list shows all AirPort Base Stations on the local subnet of the server and in all Wide Area Bonjour domains known to the server. This includes search domains listed in Network preferences that have AirPort Base Stations, and AirPort Base Stations you added to a MobileMe account as a Back to My Mac (BTMM) enabled server.
6. From the list of AirPort Base Stations, choose an AirPort Base Station you want to add to your RADIUS server.
7. In the Base station password field, enter the password for the AirPort Base Station.
8. Click Add.
When the base station is added, it is configured to use WPA2 Enterprise for client authentication through TTLS. It also sets a random shared secret for communication between the Base Station and RADIUS on the server. The shared secret is not a password for authentication, nor does it generate encryption keys to estab
149. he Edit button or the Remove button. If you are editing the mapping, make the changes you want, then click OK.
Click Save.
If DHCP is running, you are prompted to restart DHCP for your change to take effect. Otherwise, your changes take effect the next time you start DHCP.

Monitoring DHCP Service
You can use the following methods to monitor and troubleshoot DHCP service:
• Monitor the computers that are using the service by viewing the client list.
• Monitor the log files generated by the service.
• Use service logs to troubleshoot network problems.
The following sections discuss these aspects of DHCP service.

Checking DHCP Service Status
The status overview shows the following summary of DHCP service:
• Whether the service is running
• How many clients it has
• When the service was started
• How many IP addresses are statically assigned from your subnets
• The last time the client database was updated

To view DHCP service status:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Overview to view whether the service is running, when it started, the number of static maps, the number of clients connected, and when the last database update occurred.

From the command line
To see summary status of DHCP service:
    sudo serveradmin status dhcp
To see detailed status
150. he Mobile Access server.
When configuring your mail proxy, your Mobile Access server and origin mail server must have unique DNS names. You cannot use the same DNS name for both servers.
When configuring Mobile Access server to proxy a mail service, SMTP and IMAP clients accessing the Mobile Access server must use PLAIN or PLAIN/Clear (clear-text password) authentication over an SSL session as the method of authentication. For example, in the Mail application settings, the user must be SSL enabled and Password (also referred to as PLAIN) must be selected as the method of authentication for SMTP and IMAP.
The table below shows the methods of authentication that are attempted and supported by the proxy when the Mobile Access server attempts to access the origin mail server using SMTP or IMAP.

Mail Protocol: Authentication Methods
• SMTP: None, PLAIN, LOGIN, CRAM-MD5, SSL (using STARTTLS on configurable port 25)
• IMAP: CLEAR, PLAIN, LOGIN, CRAM-MD5, SSL (configurable port 993)

To configure Mobile Access service mail settings:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Mobile Access.
4. Click Settings.
5. Select the Forward mail traffic checkbox.
6. In the "Forward IMAP traffic to internal server" field, enter the fully qualified host name of your IMAP server. This is the fully qualified domain nam
151. he basis for the TXT record of the computer. You can store almost any text string in the comments text box, up to 255 ASCII characters. For example, you can include the physical location of the computer ("Upstairs server closet B"), the computer's owner ("John's Computer"), or any other information about the computer.
20. Click Add Record, then choose Add Service (SRV). The DNS SRV record is an entry that informs client computers that a service is on a domain. These records help computers with the location of a service on a domain. For more information, see "Adding a Service Record to a DNS Zone" on page 72.
21. Under the primary zone, select a service type and then enter the service information.
22. Click Save.

Configuring DNS Service Secondary Zone Settings
A secondary zone is a copy of a primary zone stored on a secondary name server. Each secondary zone keeps a list of primary servers that it contacts for updates to records in the primary zone. Secondary zones must be configured to request the copy of the primary zone data. Secondary zones use zone transfers to get copies of the primary zone data. Secondary name servers can take lookup requests like primary servers.

To add a secondary zone:
1. Make sure the primary server is correctly configured and that zone transfers are enabled on the primary server, then open Server Admin and connect to the server.
2. Click the tri
152. he server, and you can customize rules for incoming clients or for a range of client IP addresses.

About Firewall Service
You configure Firewall service using Server Admin. You can also configure some settings by manually editing configuration files.
The illustration below shows an example firewall process.
[Illustration: example firewall process. A computer with IP address 10.221.41.33 attempts to connect to the server over the Internet on port 80. The server begins looking for rules. Is there a rule for port 80 that includes address 10.221.41.33? If yes: what does the rule specify? Allow: the connection is made. Deny: the connection is refused. If no: locate the Any Port rule with the most specific range. Is there a rule containing IP address 10.221.41.33? If yes: what does the rule specify? Allow: the connection is made. Deny: the connection is refused.]

Services such as Web and FTP are identified on your server by a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number. When a computer tries to connect to a service, Firewall service scans the rule list for a matching port number.
When a packet arrives at a network interface and the firewall is enabled, the packet is compared to each rule, starting with the lowest-numbered (highest priority) rule. When a rule matches the packet, the action specified in the rule (such as permit or deny) is taken. Then, depending on the action, more rules can be applied.
The rules you set are applied to TCP packets and to UDP packets. In
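As an added illustration (not code from the manual), the following Python model walks the lowest-number-first, first-match evaluation described above for the 10.221.41.33 / port 80 case, and adds the audit a practitioner wants when reordering rules in the Advanced pane: finding rules that a lower-numbered rule of the opposite action shadows so they can never fire. The rule numbers, the addresses, and the treatment of a packet that matches no rule are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One firewall rule as the Services/Advanced panes would create it."""
    number: int               # lower number = higher priority
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp" or "any"
    src: IPv4Network          # source address range the rule applies to
    dst_port: Optional[int]   # None means the rule applies to any port

    def matches(self, src_ip: str, proto: str, dst_port: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if ip_address(src_ip) not in self.src:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True


def evaluate(rules: List[Rule], src_ip: str, proto: str,
             dst_port: int) -> Tuple[Optional[str], Optional[int]]:
    """Return (action, rule number) of the first matching rule, checked in
    ascending rule-number order; (None, None) if nothing matches (the real
    default rule is site-specific, so this model reports it as an assumption)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(src_ip, proto, dst_port):
            return rule.action, rule.number
    return None, None


def covers(broad: Rule, narrow: Rule) -> bool:
    """True if every packet matched by `narrow` is also matched by `broad`."""
    proto_ok = broad.proto == "any" or broad.proto == narrow.proto
    port_ok = broad.dst_port is None or broad.dst_port == narrow.dst_port
    return proto_ok and port_ok and narrow.src.subnet_of(broad.src)


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Numbers of rules that can never take effect because a lower-numbered
    rule with the opposite action already covers everything they match."""
    ordered = sorted(rules, key=lambda r: r.number)
    shadowed = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.action != later.action and covers(earlier, later):
                shadowed.append(later.number)
                break
    return shadowed


ANY = ip_network("0.0.0.0/0")

# Constructed rule set: two Services-pane style openings followed by the
# broad Advanced-pane deny that the text describes as the usual low-priority rule.
RULES = [
    Rule(1000, "allow", "tcp", ip_network("10.221.41.0/24"), 80),
    Rule(1010, "allow", "tcp", ANY, 22),
    Rule(63000, "deny", "any", ANY, None),
]

# Same rules after a careless drag in the Advanced pane: the broad deny now
# sits above the openings, so they are dead.
MISORDERED = [
    Rule(500, "deny", "any", ANY, None),
    Rule(1000, "allow", "tcp", ip_network("10.221.41.0/24"), 80),
    Rule(1010, "allow", "tcp", ANY, 22),
]


if __name__ == "__main__":
    print(evaluate(RULES, "10.221.41.33", "tcp", 80))   # ('allow', 1000)
    print(evaluate(RULES, "198.51.100.9", "tcp", 80))   # ('deny', 63000)
    print("shadowed in RULES:", shadowed_rules(RULES))          # []
    print("shadowed in MISORDERED:", shadowed_rules(MISORDERED))  # [1000, 1010]
```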
153. he two default records:
    sudo dscl . -create /machines/localhost
    sudo dscl . -append /machines/localhost ip_address 127.0.0.1
    sudo dscl . -append /machines/localhost serves ./local
    sudo dscl . -create /machines/broadcasthost
    sudo dscl . -append /machines/broadcasthost ip_address 255.255.255.255
    sudo dscl . -append /machines/broadcasthost serves ../network

To restore QTSS Publisher service to its default:
Rename or delete these files:
• /Library/Application Support/Apple/QTSS Publisher/Links.plist
• /Library/Application Support/Apple/QTSS Publisher/Poster Images.plist
• /Library/Caches/com.apple.qtsspublisher.plist
The libraries and templates are in the /Library/Application Support/Apple/QTSS Publisher folder. The content varies based on what's been uploaded.

To restore QTSS service to its default:
Rename or delete these files:
• /Library/QuickTimeStreaming/Config/streamingserver.xml
• /Library/QuickTimeStreaming/Config/relayconfig.xml
To delete QTSS qtusers and qtgroups:
You can also rename or delete the qtusers and qtgroups files, which should then be recreated using qtpasswd:
• /Library/QuickTimeStreaming/Config/qtusers
• /Library/QuickTimeStreaming/Config/qtgroups

To restore DNS service to its default:
From the /var/named folder (the zone directory referenced by /etc/named.conf), remove the files for each forward zone, named similar to my.domain.com.zone. From the /etc/named.conf /var/n
154. hentication. Kerberos authentication is not supported.

To configure Mobile Access service web settings:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Mobile Access.
4. Click Settings.
5. Select the "Forward web traffic to internal servers" checkbox.
6. Click the Add button below the "Forward web traffic to internal servers" list.
7. Enter the fully qualified host name of your internal web server. This is the fully qualified domain name of the internal web server. If more than one web server hosts your site, repeat step 6 to add web servers to the list.
8. Click OK, then click Save.
The web proxy of the Mobile Access server works with most web sites. Some web applications and links might require more configuration to function. Consider the following when setting up your web site or web application to be proxied:
• If your web application requires the address of the remote client, your application must obtain the client address through the X-Forwarded-For header.
• If possible, keep web links relative, because your scheme might be HTTP internally but will be HTTPS externally.
• If you have links to different hosts within your intranet that are not proxied, the links do not function through the proxy.
Mac OS X Server v10.6 uses name-based virtual hosts to simplify the conf
155. ible to the clients browsing the web site. Viewed from the Internet, you have one server, but viewed from behind the NAT barrier you have as many or as few as you need. You can use this setup for load balancing or as an organizational scheme for the network's topography. Virtual servers also enable you to easily reroute network traffic to other computers on the LAN by reconfiguring the gateway.
Virtual servers require three service configurations:
• NAT: NAT service must be configured with port forwarding of the virtual port.
• DNS: The DNS record for the server should accept a few aliases of common services and resolve them to the same IP address.
• Firewall: The firewall must permit traffic on specific ports to have access to the NAT LAN.
In this example, you set up a NAT gateway and route two domain names and services to different computers behind the gateway firewall. Assume the following configuration details:
• Ethernet interface names and functions: Ethernet (Built-in) connected to the Internet; PCI Ethernet Slot 1 connected to the internal network
• Internet or public IP address: 17.100.0.1 (example only; your IP number and netmask information will be provided by your ISP)
• Private network IP address range and netmask: 192.168.0.0 to 192.168.0.255, also expressed as 192.168.0.0/24 or 192.168.0.0:255.255.255.0
• Gateway server's private network IP address: 192.168.0.1
• Web server's
156. ice
Port: Description
• 8000-8001 TCP: QTSS MP3 streaming
• 8005 TCP: Tomcat remote shutdown
• 8008, 8443 TCP: iCal Server and iCal Server SSL
• 8080 TCP: HTTP web service alternative (Apache 2 default)
• 8088 TCP: Software Update server
• 8080, 8443, 9006 TCP: Tomcat standalone and JBoss
• 8800, 8843 TCP: Address Book Server and Address Book Server SSL
• 9007 TCP: Tomcat remote web server access to AJP port
• 16384-16403 UDP: iChat audio/video (RTP and RTCP)
• 42000-42999 TCP: iTunes radio streams
• 49152-65535 TCP: FTP service (PASV port range)
• 50003 TCP/UDP: FileMaker Server service (Windows) or daemon (Mac OS X)
• 50006 TCP/UDP: FileMaker Server Helper service (Windows) or daemon (Mac OS X)

A-Z by Service
• 548 TCP: AFP (Apple Filing Protocol)
• 192 UDP: AirPort administration
• 3283 TCP/UDP: Apple Remote Desktop (with 5900)
• 5988-5989 TCP: Apple Remote Desktop 2.0 (CIM/OpenWBEM)
• 5432 TCP: Apple Remote Desktop 2.0 database
• 201-208 TCP: AppleTalk
• 113 TCP/UDP: Authentication service
• 5100 TCP: Camera and scanner sharing
• 497 TCP/UDP: Dantz Retrospect
• 68 UDP: DHCP client
• 67 UDP: DHCP server, BootP, NetBoot server
• 53 TCP/UDP: DNS
• 7 TCP/UDP: Echo
• 2399 TCP: FileMaker data access layer
• 5003 TCP/UDP: FileMaker name binding and transport
• 50006 TCP/UDP: FileMaker Server Helper service (Windows) or daemon (Mac OS
157. ick Apply Now.
6. Open Server Admin and connect to the server.
7. Click the triangle at the left of the server. The list of services appears.
8. From the expanded Servers list, select DHCP.
9. Click Subnets and create a subnet for the internal LAN with the following configuration parameters:
• Subnet name: <whatever you want>
• Starting IP address: 192.168.0.2
• Ending IP address: 192.168.0.254
• Subnet mask: 255.255.255.0
• Network interface: en1
• Router: 192.168.0.1
• Lease time: <whatever you want>
• DNS: 17.254.1.6
For detailed information about configuring DHCP, see "Creating Subnets" on page 26.
10. To start DHCP service, click the Start DHCP button below the Servers list.
11. In Server Admin, choose NAT from the expanded Servers list.
12. Configure NAT using the following setting: External network interface: en0.
13. If necessary, click Save.
14. To start NAT service, click the Start NAT button below the Servers list.
15. In Server Admin, choose Firewall from the expanded Servers list.
16. Create firewall rules to permit access to and from your private network. For example, create an IP address group named "Private LAN" for the addresses 192.168.0.0/16. For more information, see "Creating an Address Group" on page 98.
17. To start Firewall service, click the Start Firewall button below the Servers list.
18. Start any services you want the private LAN to access w
158. iguration and management of the virtual host. Name-based virtual hosts and SSL are not compatible, because SSL requires an IP-specific virtual host. If you use a virtual host, you can continue using SSL through one of the following methods:
• Use port-based virtual hosts, designating separate ports for each proxied web site.
• Use a single wildcard SSL certificate for proxied web sites.

Granting Access to Mobile Access Service Proxies
Use Server Admin to grant access to Mobile Access service proxies.
To grant access to Mobile Access service proxies:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Mobile Access.
4. Click Access.
5. Select the level of access for the Mobile Access service proxies. To permit everyone to access all proxies, select "Allow access to Address Book, iCal, Mail, and Web proxies for everyone." To permit users or groups to access specific Mobile Access service proxies, select "Allow access to the selected proxies for these users and groups," click the Add button to open the Users & Groups window, and then drag users and groups to the list.
6. In the list of users and groups, select which Mobile Access Server proxies the users or groups can access.
7. Click Save.

Starting Mobile Access Service
Use Server Admin to start Mob
159. ile Access service.
To start Mobile Access service:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Mobile Access.
4. Click Start Mobile Access below the Servers list.
5. Click Start Now. The service can take a few seconds to start.

Monitoring Mobile Access Service
This section describes typical tasks you might perform after you set up Mobile Access service on your server. Initial setup information appears in "Setting Up Mobile Access Service" on page 185.
You might want to monitor Mobile Access service status to:
• Troubleshoot name forwarding problems
• Verify how often the Mobile Access service is used
• Look for unauthorized or malicious Mobile Access service use
This section discusses the following common monitoring tasks for Mobile Access service.

Checking Mobile Access Service Status
You can use Server Admin to check the status of Mobile Access service.
To check Mobile Access service status:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Mobile Access.
4. Click Overview to see which proxy services are running and the number of requests made on each proxy service.

Viewing Mobile Access Service Logs
Mobile Access service creates entrie
160. ime you start DHCP.

Changing IP Address Lease Times for a Subnet
You can change how long IP addresses on a subnet are available to computers.
To change the lease time for a subnet:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets.
5. Select a subnet.
6. From the Lease Time pop-up menu, choose a time scale (hours, days, weeks, or months).
7. In the Lease Time field, enter a number.
8. Click Save.
If DHCP is running, you are prompted to restart DHCP for your change to take effect. Otherwise, your changes take effect the next time you start DHCP.

Setting the DNS Server for a DHCP Subnet
You can determine the DNS servers and default domain name a subnet should use. DHCP service provides this information to computers in the subnet.
To set DNS options for a subnet:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets.
5. Select a subnet.
6. Click DNS.
7. Enter the primary and secondary name server IP addresses you want DHCP clients to use.
8. Enter the default domain of the subnet.
9. Click Save.
If DHCP is running, you are prompted to restart DHCP for your change to take effect. Otherwise, your changes take effect the
161. implements DNS. One of those programs is the name daemon, or named. To set up and configure BIND, you must change the configuration file and the zone file. The configuration file is /etc/named.conf. The zone file name is based on the name of the zone. For example, the zone file for example.com is /var/named/example.com.zone.
If you edit named.conf to configure BIND, don't change the inet settings of the controls statement. Otherwise, Server Admin can't retrieve status information for DNS. The inet settings should look like this:
    controls {
        inet 127.0.0.1 port 54 allow {any;} keys { "rndc-key"; };
    };
Important: In Mac OS X Server v10.6, the configuration and zone files used by Server Admin have changed. If you edit named.conf and zone files manually from Terminal, the information is used by DNS. However, the information does not appear in the DNS Zones pane of Server Admin. Also, changes made in Server Admin are not made to named.conf.

Step 3: Turn DNS service on
Before configuring DNS service, turn on DNS. See "Turning DNS Service On" on page 56.

Step 4: Create a DNS zone and add machine records
Use Server Admin to set up DNS zones. See "Configuring DNS Service Primary Zone Settings" on page 57. After adding a primary zone, Server Admin creates a name server record with the same name as the Source of Authority (SOA). For each zone you create, Mac OS X Server creates a reverse lookup zone
162. in Server Admin.
• dhcp_enabled: Whether DHCP is enabled for this subnet. Corresponds to the Enable checkbox in the list of subnets in the Subnets pane of the DHCP settings in Server Admin.

Subnet parameters (subnets:_array_id:<subnetID>): Description
• dhcp_ldap_url:_array_index:n: The URL of the LDAP folder to be used by clients. Corresponds to the Lease URL field in the LDAP pane of the subnet settings in Server Admin.
• dhcp_router: The IPv4 address of the subnet's router. Corresponds to the Router field in the General pane of the subnet settings in Server Admin.
• lease_time_secs: Lease time in seconds. Default: 3600. Corresponds to the Lease Time pop-up menu and field in the General pane of the subnet settings in Server Admin.
• net_address: The IPv4 network address for the subnet.
• net_mask: The subnet mask for the subnet. Corresponds to the Subnet Mask field in the General pane of the subnet settings in Server Admin.
• net_range_end: The highest available IPv4 address for the subnet. Corresponds to the Ending IP Address field in the General pane of the subnet settings in Server Admin.
• net_range_start: The lowest available IPv4 address for the subnet. Corresponds to the Starting IP Address field in the General pane of the subnet settings in Server Admin.
• selected_port_name: The network port for the
163. in name on the internal DNS server. Users outside the internal network are directed to IP address 172.113.112.97, and users on the internal network are directed to IP address 192.168.99.10. With split DNS, bookmarks to the origin servers (the servers providing the service) that the user creates on the internal network also function when the user is outside the network.
To configure split DNS, you must submit a DNS record request to your ISP indicating that you want to assign the public IP address of your proxy servers to your domain name. Then you must add a DNS record on your internal DNS server assigning the private IP address of the origin server to the domain name. For information about creating DNS records, see "Setting Up DNS Service" on page 56.
You must use split DNS to proxy Address Book, iCal, and Web servers with Mobile Access server.
Mobile Access server is based on a reverse proxy server. It provides access from the Internet to an intranet, which is different from a forward proxy, which provides access from the intranet to the Internet.
A Mobile Access server provides a layer of security by providing strict, granular control of access to your network. If a user authenticates with the Mobile Access server and has authorization to use a service it is attempting to access, the Mobile Access server directs the user to the origin server, which also requires authentication.
164. ion Address: Site 1
• Action: Allow; Protocol: Other, enter "gre"; Source Address: Site 1; Destination Address: Site 2
• Action: Allow; Protocol: Other, enter "gre"; Source Address: Site 2; Destination Address: Site 1
For more information about creating advanced rules, see "Configuring Advanced Firewall Rules" on page 100.
These rules permit the encrypted traffic to be passed to both hosts.
Save your changes. Start or restart the firewall as needed.

Step 3: Start VPN service on both site gateways
1. For both VPN gateways, open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. Select VPN from the expanded Servers list. If you used s2svpnadmin correctly, the Start button should be enabled and ready to use.
4. Click Start VPN.
You should now be able to access a computer on the remote LAN from the local LAN. To verify the link, use ping or some other means.

Setting Up a VPN Connection on a Client
You can use Network preferences to connect to a VPN using Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP) over IPSec on an existing Internet connection. You can also create a VPN (L2TP) configuration file for client computers running Mac OS X v10.5 or later by using the Remote Access pane of Server Preferences. For more information, see Chapter 7, "Managing Us
165. is the basis for the A record of the computer. Reverse lookup (pointer) records are created for the computer.
• Click the Add button, then enter the IP address of the computer.
• Enter any information about the hardware and software of the computer in the relevant text boxes. These are the basis for the HINFO record of the computer.
• Enter any comments about the computer in the Comment text box. This field is the basis for the TXT record of the computer. You can store up to 255 ASCII characters in the comments text box. You can include the physical location of the computer (for example, "Upstairs server closet B"), the computer's owner (for example, "John's Computer"), or other information about the computer.
Click Save.

Adding a Service Record to a DNS Zone
Service (SRV) records are used to define services available on a domain. These records help computers with the location of a service on a domain.
To add a DNS service record:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Select the zone this record is to be added to.
6. Click Add Record, then choose Add Service (SRV). This adds the service record to the zone.
7. In the Service Name field, enter the well-known name of the service.
8. From the Service Type pop-up menu, select a service type
administrator name and password used to add users to the LDAP directory in Workgroup Manager. The tool adds a user to the LDAP directory and sets up configuration elements in the VPN server so it can support PPTP.

In the VPN Service Settings pane of Server Admin, configure PPTP.

Start VPN service.

Offering SecurID Authentication with VPN Server
RSA Security provides strong authentication. It uses hardware and software tokens to verify user identity. SecurID authentication is available for L2TP and PPTP transports. For details and product offerings, see www.rsasecurity.com.

VPN service supports SecurID authentication, but it cannot be set up from Server Admin. If you choose this authentication tool, you must change the VPN configuration manually.

Set up SecurID:
1. From your SecurID server, copy the sdconf.rec file to a new folder on your Mac OS X Server named /var/ace. There are several ways to do this. The following illustrates one method:
   a. Open Terminal (/Applications/Utilities).
   b. Enter:
      sudo mkdir /var/ace
   c. Enter your administrator password.
   d. In the Dock, click Finder.
   e. From the Go menu, choose Go > Go to Folder.
   f. Enter /var/ace.
   g. Click Go.
   h. From your SecurID server, copy the sdconf.rec file into the ace folder.
   i. If you see a dialog indicating that the ace folder cannot be modified, click Authenticate to permit the copy.
2. Enable EAP-SecurID authentication on VPN service for the protocols you want to
with Firewall Service

Port          Protocol   Description
50003         TCP/UDP    FileMaker Server service (Windows) or daemon (Mac OS X)
591           TCP        FileMaker web access
79            TCP/UDP    Finger
21            TCP        FTP control
20            TCP        FTP data
49152-65535   TCP        FTP service PASV port range
443           TCP        HTTPS (secure web over SSL)
80            TCP        HTTP web
8080          TCP        HTTP web service alternative (Apache 2 default)
16384-16403   UDP        iChat audio/video RTP and RTCP
5678          UDP        iChat AV behind NAT
5297          UDP        iChat local subnet
5298          TCP/UDP    iChat local subnet
5222          TCP        iChat Server (Jabber/XMPP)
5223          TCP        iChat Server (Jabber/XMPP over SSL)
5269          TCP        iChat Server to server (Jabber/XMPP)
7777          TCP        iChat Server file transfer proxy
5060          UDP        iChat session initiation
5190          TCP/UDP    iChat (AOL Instant Messenger) and iChat file transfer
1694          TCP        IP failover
631           TCP/UDP    IPP (printer sharing)
3004          TCP        iSync
3689          TCP        iTunes music sharing
42000-42999   TCP        iTunes radio streams
749           TCP/UDP    Kerberos administration and changepw using the kadmind command-line tool
88            TCP/UDP    Kerberos V5 KDC
389           TCP        LDAP (directory)
636           TCP        LDAP over SSL
515           TCP        LPR (print spooling)
600-1023      TCP/UDP    Mac OS X RPC-based services
2000          TCP        Mail: custom filtering (sieve)
143           TCP        Mail: IMAP
993           TCP        Mail: IMAP over SSL
110           TCP/UDP    Mail: POP3
9
k. When you indicate a range of potential values for any segment of an address, that segment is called a wildcard.

The following table gives examples of address ranges created to achieve specific goals.

Goal: Create a rule that specifies a single IP address
  Example IP address: 10.221.41.33
  Enter this in the address field: 10.221.41.33 or 10.221.41.33/32
  Address range affected: 10.221.41.33 (single address)

Goal: Create a rule that leaves the fourth segment as a wildcard
  Example IP address: 10.221.41.33
  Enter this in the address field: 10.221.41.33/24
  Address range affected: 10.221.41.0 to 10.221.41.255

Goal: Create a rule that leaves part of the third segment and all of the fourth segment as a wildcard
  Example IP address: 10.221.41.33
  Enter this in the address field: 10.221.41.33/22
  Address range affected: 10.221.40.0 to 10.221.43.255

Goal: Create a rule that applies to all incoming addresses
  Enter this in the address field: Select Any
  Address range affected: All IP addresses

IP Address
IP addresses consist of four segments with values between 0 and 255 (the range of an 8-bit number), separated by dots, for example 192.168.12.12. The segments in IP addresses go from general to specific. For example, the first segment might belong to all computers in a company, and the last segment might belong to a specific computer on one floor of a building.

Subnet Mask
A subnet mask indicates the segments in the specified IP address that can vary on a network, and by how much. The subnet mask is given in Classless Inter-Domain Routing (CIDR) notation. It consists of the IP address followed by a slash and a number from 1 to 32, called the IP
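The table above can be checked mechanically. The following Python is an added example (not code from the Apple guide) that uses the standard ipaddress module to work out which addresses an address-group entry affects, in all three notations the guide accepts (bare address, CIDR, and address:netmask); the entry values are the guide's own, the function names are this example's.

```python
"""Address ranges for Server Admin address-group entries, computed with
Python's standard ipaddress module. Added example, not Apple's code; the
entry values are the ones in the guide's table, the function names are ours."""
import ipaddress
from typing import Tuple


def parse_entry(entry: str) -> ipaddress.IPv4Network:
    """Accept the three notations the guide lists: a bare address, CIDR
    (10.221.41.33/24) or netmask (192.168.2.1:255.255.255.0). strict=False
    lets a host address stand in for its network, as Server Admin does."""
    if ":" in entry:
        host, mask = entry.split(":", 1)
        # turn a dotted netmask into a prefix length, then reuse the CIDR path
        prefix = ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
        entry = f"{host}/{prefix}"
    return ipaddress.ip_network(entry, strict=False)


def address_range(entry: str) -> Tuple[str, str, int]:
    """(first address, last address, number of addresses) the entry affects."""
    net = parse_entry(entry)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def netmask_for_prefix(prefix: int) -> str:
    """Dotted netmask for a /prefix, e.g. 22 -> 255.255.252.0."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def covers(entry: str, address: str) -> bool:
    """Would a rule written with this entry apply to the given address?"""
    return ipaddress.ip_address(address) in parse_entry(entry)


if __name__ == "__main__":
    for entry in ("10.221.41.33", "10.221.41.33/32", "10.221.41.33/24", "10.221.41.33/22"):
        first, last, count = address_range(entry)
        print(f"{entry:18} -> {first} to {last} ({count} addresses)")
```

Run it and the /22 line reports 10.221.40.0 to 10.221.43.255 (1024 addresses), matching the table; a /22 written against 10.221.41.33 silently widens the rule to four class-C ranges, which is why the resulting range Server Admin displays is worth reading before saving.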
ket. The packet passed to the firewall is compared with each rule in the firewall ruleset. When a match is found, the action corresponding to the matching rule is performed.

Important: Misconfiguring the firewall can put your computer in an unusable state, possibly shutting down network services and requiring console access to regain control of it.

You can configure ipfw with a variety of commands. For information about command-line parameters, see Command-Line Parameters for Network Services. For information about serveradmin and ipfw, see their man pages. For the basics of command-line tool usage, see Introduction to Command-Line Administration.

Editing or Deleting Advanced Firewall Rules
You can remove or edit advanced firewall rules. If you think you'll use a rule again and only want to disable it, you can deselect the rule rather than deleting it.

If you edit a rule after turning on Firewall service, your changes affect connections established with the server. For example, if computers are connected to your web server and you change the rule to deny all access to the server, connected computers are disconnected.

To change an advanced firewall rule:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Advanced.
5. Select the rule
brackets of the configuration file, add the following:
  version "your text, maybe we're not telling";
Save named.conf.

Denial of Service (DoS)
This kind of attack is common and easy. A hacker sends so many service requests and queries that a server uses all its processing power and network bandwidth trying to respond. The hacker prevents legitimate use of the service by overloading it.

It is difficult to prevent this type of attack before it begins. Constant monitoring of the DNS service and server load enables an administrator to catch the attack early and mitigate its damaging effect. The easiest way to guard against this attack is to block the offending IP address with your firewall. See "Configuring Advanced Firewall Rules" on page 100. Unfortunately, this means the attack is already underway and the hacker's queries are being answered and the activity logged.

Service Piggybacking
This attack is done not so much by malicious intruders but by common Internet users who learn the trick from other users. They might feel that the DNS response time with their own ISP is too slow, so they configure their computer to query another DNS server instead of their own ISP's DNS servers. Effectively, there are more users accessing the DNS server than were planned for.

You can guard against this type of attack by limiting or disabling DNS recursion. If you plan to offer DNS service to your own LAN users, they need recursion to resolve domain name
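Both mitigations mentioned here, hiding the server version and limiting recursion to your own clients, live in the options block of the BIND named.conf the guide has you edit. The fragment below is an added, constructed example (not text from the guide): the version string is the one the guide suggests, and the 192.168.0.0/16 range is a placeholder for your own internal network.

```conf
options {
    // Answer version.bind queries with this text instead of the real BIND version,
    // so service profiling does not learn which release is running.
    version "your text, maybe we're not telling";

    // Serve recursive lookups only to the LAN (placeholder range) and the server
    // itself. Outside clients still get authoritative answers for your zones but
    // cannot piggyback on this server as their general-purpose resolver.
    allow-recursion { 127.0.0.1; 192.168.0.0/16; };
};
```

After saving, restart DNS service and confirm from an outside address that a query for a name you are not authoritative for is refused, while the same query from the LAN is answered.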
with Firewall Service

From the command line:
To start the service:
  sudo serveradmin start ipfilter

For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.

Setting Up Firewall Service
You set up Firewall service by configuring the following settings on the Settings pane for Firewall service in Server Admin:
• Address Groups: Use to configure groups of IP addresses that firewall rules are applied to.
• Services: Use to configure which services are permitted to send and receive information through the firewall.
• Logging: Use to enable Firewall service event logging and set the type and number of packets that are recorded.
• Advanced (optional): Use to configure advanced rules and set rule precedence.

The following sections describe the tasks for configuring these settings and how to start Firewall service after you configure it.

Configuring Address Groups Settings
You can define groups of IP addresses for firewall rules. Then you can use these groups to organize and target the rules. The "any" address group is for all addresses. Two other IP address groups are present by default, intended for the entire 10-net range of private addresses and the entire 192.168-net range of private addresses.

Addresses can be listed as individual addresses (192.168.2.2), IP addresses and subnet mask in CIDR notation (192.168.2.0/24), o
with VPN Service

Step 2: Configure the firewall on both site gateways
1. Create an address group for each server with only the server's public IP address. In this example, name the first group "Site 1" and enter the public IP address of the server. Then name the second group "Site 2" and enter the public IP address of the other server. For more information, see "Creating an Address Group" on page 98.
2. Open the firewall to external VPN connections by enabling L2TP (port 1701) connections and IKE NAT Traversal (port 4500) in the "any" address group. For more information, see "Configuring Services Settings" on page 94.
3. Create the following Advanced IP filter rules on both site gateways:

  Action: Allow
  Protocol: UDP
  Source Address: Site 1
  Destination Address: Site 2
  Interface: Other (enter isakmp)

  Action: Allow
  Protocol: UDP
  Source Address: Site 2
  Destination Address: Site 1
  Interface: Other (enter isakmp)

  Action: Allow
  Protocol: Other (enter esp)
  Source Address: Site 1
  Destination Address: Site 2

  Action: Allow
  Protocol: Other (enter esp)
  Source Address: Site 2
  Destination Address: Site 1

  Action: Allow
  Protocol: Other (enter ipencap)
  Source Address: Site 1
  Destination Address: Site 2

  Action: Allow
  Protocol: Other (enter ipencap)
  Source Address: Site 2
  Destinat
level of security. Stateful rules are in place as well, so responses to outgoing queries initiated by your computer are also permitted. You can then add IP rules to permit server access to those clients who require access to services.

To learn how IP rules work, read the following section. To learn how to create IP rules, see "Managing Firewall Service" on page 97.

What a Firewall Rule Is
A firewall rule is a set of characteristics for an IP packet coupled with an action to be taken for each packet that matches the characteristics. The characteristics might include the protocol, source or destination address, source or destination port, or network interface. Addresses might be expressed as a single IP address or might include a range of addresses. A service port might be expressed as a single value, a list of values, or a range of values. The IP address and subnet mask together determine the range of IP addresses the rule applies to, and can be set to apply to all addresses.

Using Address Ranges
When you create an address group using Server Admin, you enter an IP address and a subnet mask. The three types of address notations permitted are:
• A single address (192.168.2.1)
• A range expressed with CIDR notation (192.168.2.1/24)
• A range expressed with netmask notation (192.168.2.1:255.255.255.0)
Server Admin shows the resulting address range. You can change the range by changing the subnet mas
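The two descriptions above, how ipfw compares a packet with each rule until one matches, and what characteristics a rule is made of, can be put together in a few lines. The following Python is an added example, not Apple's code: it models a rule with the fields the guide names (action, protocol, source and destination range and port, interface direction), evaluates a ruleset first-match in rule-number order, and shows why dragging a broad deny rule above a Services-pane allow rule changes the outcome. The rule numbers, addresses and packets are constructed for the illustration.

```python
"""First-match firewall rule evaluation, modelled on the rule fields described
in the guide and on ipfw's numbering, where lower-numbered rules are checked
first. Added example, not Apple's code; every rule, number and packet below is
constructed for illustration."""
import dataclasses
import ipaddress
from typing import List, Optional, Tuple


@dataclasses.dataclass(frozen=True)
class Rule:
    number: int                  # ipfw rule number: lower numbers take precedence
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp", "esp", ... or "any"
    src: str                     # CIDR range, or "any"
    dst: str                     # CIDR range, or "any"
    dport: Optional[int] = None  # destination port; None means any port
    direction: str = "in"        # "in" (packets sent to the server) or "out"


@dataclasses.dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    direction: str = "in"


def in_range(cidr: str, address: str) -> bool:
    """True if address lies in the CIDR range; "any" matches every address."""
    if cidr == "any":
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every characteristic the rule names must match the packet."""
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport)
            and in_range(rule.src, pkt.src)
            and in_range(rule.dst, pkt.dst))


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Tuple[str, int]]:
    """Walk the ruleset in number order; the first match decides.
    Returns (action, rule number), or None when no rule matches (real ipfw
    then falls through to its final default rule, which this model leaves out)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action, rule.number
    return None


def renumber(rules: List[Rule], old: int, new: int) -> List[Rule]:
    """Give one rule a new number, as dragging it in the Advanced pane does."""
    return [dataclasses.replace(r, number=new) if r.number == old else r for r in rules]


# Constructed ruleset: two Services-style allow rules at low numbers, then an
# Advanced-style block of the whole 10-net, then a final deny-everything rule.
SERVER_NET = "192.168.2.0/24"
RULES = [
    Rule(12300, "allow", "tcp", "any", SERVER_NET, dport=22),    # SSH to the server
    Rule(12301, "allow", "udp", "any", SERVER_NET, dport=1701),  # VPN L2TP
    Rule(63000, "deny", "any", "10.0.0.0/8", "any"),             # block the 10-net
    Rule(65000, "deny", "any", "any", "any"),                    # deny the rest
]

if __name__ == "__main__":
    ssh_from_ten_net = Packet("tcp", "10.1.2.3", "192.168.2.10", 22)
    print(evaluate(RULES, ssh_from_ten_net))                         # ('allow', 12300)
    print(evaluate(renumber(RULES, 63000, 1000), ssh_from_ten_net))  # ('deny', 1000)
```

With the rules as listed, SSH from 10.1.2.3 is allowed because rule 12300 is reached before the 10-net block at 63000; move that block to number 1000 and the same packet is denied. That is the precedence the guide describes: the Services-pane allow rules sit at lower numbers than the broad Advanced-pane rules, so reordering in the Advanced pane is what changes behaviour, not the order in which you typed the rules.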
ld have a separate, nonoverlapping address range.

When configuring VPN, make sure the firewall allows VPN traffic on needed ports with the following settings:
• For the "any" address group, enable GRE, ESP, VPN L2TP (port 1701), and VPN ISAKMP/IKE (port 500).
• For the 192.168-net address group, choose to allow all traffic.
For more information, see "Configuring Services Settings" on page 94.

To configure L2TP settings:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of servers appears.
3. From the expanded Servers list, select VPN.
4. Click Settings, then click L2TP.
5. Select the "Enable L2TP over IPSec" checkbox.
6. In the Starting IP address field, set the beginning IP address of the VPN allocation range. It can't overlap the DHCP allocation range, so enter 192.168.0.128.
7. In the Ending IP address field, set the ending IP address of the VPN allocation range. It can't overlap the DHCP allocation range, so enter 192.168.0.255.
8. (Optional) You can load balance VPN by selecting the Enable Load Balancing checkbox and entering an IP address in the Cluster IP address field.
9. Choose a PPP authentication type. If you choose Directory Service and your computer is bound to a Kerberos authentication server, from the Authentication pop-up menu select Kerberos. Otherwise, choose MS-CHAPv2. If y
                         Network File System (NFS)
2336          TCP        Mobile account sync
2399          TCP        FileMaker data access layer
3004          TCP        iSync
3031          TCP/UDP    Program Linking, remote AppleEvents
3283          TCP/UDP    Apple Remote Desktop (with 5900)
3306          TCP        MySQL
3632          TCP        Xcode distributed compiler
3659          TCP/UDP    Open Directory Password Server (with 106)
3689          TCP        iTunes music sharing
3690          TCP        Subversion version control

Ports 4000-50999
Port          Protocol   Description
4111          TCP        Xgrid
4500          UDP        VPN IKE NAT traversal
5003          TCP/UDP    FileMaker name binding and transport
5060          UDP        iChat session initiation
5100          TCP        Camera and scanner sharing
5190          TCP/UDP    iChat (AOL Instant Messenger) and iChat file transfer
5222          TCP        iChat Server (Jabber/XMPP)
5223          TCP        iChat Server (Jabber/XMPP over SSL)
5269          TCP        iChat Server to server (Jabber/XMPP)
5297          UDP        iChat local subnet
5298          TCP/UDP    iChat local subnet
5678          UDP        iChat AV behind NAT
5353          UDP        Multicast DNS (Bonjour, mDNSResponder)
5432          TCP        Apple Remote Desktop 2.0 database
5900          TCP/UDP    VNC (Mac OS X screen sharing, Apple Remote Desktop 2.0)
5988-5989     TCP        Apple Remote Desktop 2.0 (CIM/OpenWBEM)
6970-6999     UDP        QTSS RTP streaming
7070          TCP/UDP    QTSS RTSP, Automatic Router Configuration Protocol (ARCP)
7777          TCP        iChat Server file transfer proxy
8000-8999     TCP        Web serv
To learn how to make a firewall rule, see "Configuring Advanced Firewall Rules" on page 100.

You can open the firewall to specific games, permitting network games to connect to other players and game services outside the firewall. To do this, open up the relevant port on your LAN and WAN interface. Some games require more than one port to be open. For networking details, consult the game's documentation. To learn how to make a firewall rule, see "Configuring Advanced Firewall Rules" on page 100.

Preventing Network Virus Propagation
A virus can quickly propagate through your network and infect your computers. For example, if a computer on your network becomes infected with a virus, that computer can propagate the virus through your entire network.

One common avenue that a virus uses to propagate through your network is by mail. You can prevent a virus from propagating through mail by scanning mail with clamav and keeping your virus definitions updated. You can prevent other avenues of propagation by only running services that you need, using good network topology, and using good passwords.

The most important method is to keep your network computers up to date. Your computer should be set to check for updates once or twice a week. For more information about preventing network viruses, see Mac OS X Server Security Configuration.

TCP and UDP Port Reference
The following tables show the TCP and UDP port numbers commonly used by Mac OS X comput
rules that include a "keep-state" clause (stateful rules). The Active Rules pane shows the rule number of the stateful rule that was triggered to create the dynamic rule.

To view active firewall rules:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Active Rules. A list of the rules appears with a description of each rule in ipfw code format, the priority, packet count, and total bytes handled.

Viewing the Firewall Service Log
Each rule you set up in Server Admin corresponds to rules in the underlying firewall software. Log entries show you when the rule was applied, the IP address of the client and server, and other information. The log view shows the contents of /var/log/ipfw.log. You can refine the view using the text filter box.

To view the Firewall service log:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Log. To search for specific entries, use the Filter field above the log.

From the command line:
To view the latest entries in the log:
  tail log-file
To see where the ipfilter service log is located, use the serveradmin getLogPaths command. To view the log path:
  sudo serveradmin command ipfilter:command = ge
establish secure tunnels between nodes. It is a token that the key management systems use to trust each other.

Remotely Configuring AirPort Base Stations
You can remotely configure AirPort Base Stations to use a RADIUS server in Server Admin.

To remotely configure AirPort Base Stations to use a RADIUS server:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Base Stations.
5. In the AirPort Base Stations list, highlight the AirPort Base Station and then click Edit.
6. If prompted for a password, enter the AirPort administrator password.
7. Click OK.

Configuring RADIUS to Use Certificates
You can use Server Admin to configure RADIUS to use custom certificates. Using a certificate increases the security and manageability of AirPort Base Stations.

To use a custom certificate:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Settings.
5. From the RADIUS Certificate pop-up menu, choose a certificate. If you don't have a certificate and want to create one, click Manage Certificates. For more information about creating certificates, see Advanced Server Administration.
6. Click Save.

From the command line:
To configure RADIUS certificates:
  sudo radiusconfig inst
lotted IP addresses in the DHCP range are reserved for VPN connections. The addresses 192.168.x.128 to 192.168.x.254 are allotted to VPN connections.
• Enables the firewall to help secure the internal network. Address groups are added for each internal network interface, with all traffic permitted from the newly created DHCP address ranges to any destination address.
• Enables network address translation (NAT) on the internal network and adds a NAT divert rule to the IP firewall to direct network traffic to the correct computer. This also protects the internal network from unsolicited external connections.
• Enables DNS on the server, configured to cache lookups to improve DNS response for internal clients.

When configuring these settings, you can review the proposed changes before committing to them and overwriting existing settings. You can make further changes to the service configuration using Server Admin. For network services, see the relevant section in this book for information. If you run the Gateway Setup Assistant again, it overwrites manual settings you made.

Running Gateway Setup Assistant
You run Gateway Setup Assistant from the NAT Service Overview pane in Server Admin.

To run Gateway Setup Assistant:
1. Open Server Admin and connect to the server.
2. Click Settings, then click Services.
3. Select the NAT checkbox, then click Save.
4. Click the triangle at the left of the server. The list of services appears.
5. From the expanded S
some addresses unallocated by DHCP for use by VPN. To learn more about VPN, see Chapter 6, "Working with VPN Service."

Using Static IP Addresses
Static IP addresses are assigned to a computer or device once and then don't change. You can assign static IP addresses to computers that must have a continuous Internet presence, such as web servers. Other devices that must be continuously available to network users, such as printers, can also benefit from static IP addresses.

Static IP addresses can be set up manually, by entering the IP address on the computer or other device that is assigned the address, or by configuring DHCP to provide the same address to a specific computer or device on each request. Manually configured static IP addresses avoid potential issues that some services can have with DHCP-assigned addresses, and they don't suffer from the delay that DHCP requires to assign an address. DHCP-assigned addresses permit address configuration changes at the DHCP server rather than at each client.

Don't include manually assigned static IP address ranges in the range distributed by DHCP.

You can set up DHCP to always serve the same address to the same computer. For more information, see "Assigning Static IP Addresses Using DHCP" on page 39.

Locating the DHCP Server
When a computer looks for a DHCP server, it broadcasts a message. If your DHCP server is on a different subnet from the
names are stored for later use. DNS information is usually cached on your name server for a set time, referred to as a time-to-live (TTL) value. When the TTL value for a domain name/IP address pair has expired, the entry is deleted from the name server's cache and your server requests the information as needed.

Setting Up DNS Service for the First Time
If you're using an external DNS name server and you entered its IP address in the Gateway Setup Assistant, you don't need to do anything else. If you're setting up your own DNS server, follow the steps in this section.

Step 1: Register your domain name
Domain name registration is managed by IANA. IANA registration makes sure that domain names are unique across the Internet. For more information, see www.iana.org. If you don't register your domain name, your network can't communicate over the Internet.

After you register a domain name, you can create subdomains, as long as you set up a DNS server on your network to track the subdomain names and IP addresses. For example, if you register the domain name example.com, you could create subdomains such as host1.example.com, mail.example.com, or www.example.com. A server in a subdomain could be named primary.www.example.com or backup.www.example.com. The DNS server for example.com tracks information for its subdomains, such as host computer names, static IP addresses, aliases, and mail exchangers.

If your ISP handles your DNS service, you mu
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings.
5. Select Advanced, then click the Add button.
6. From the Action pop-up menu, choose Allow.
7. From the Protocol pop-up menu, choose an option:
   • If you use L2TP for VPN access, choose UDP.
   • If you use PPTP for VPN access, choose TCP.
8. From the Service pop-up menu, choose VPN L2TP or VPN PPTP. The relevant destination port is added to the Port field.
9. (Optional) Select the "Log all packets matching this rule" checkbox.
10. From the address pop-up menu of the Source section, choose Other and enter the source IP address range (using CIDR notation) that you want to give access to the VPN. You can also specify a port in the Port field of the Source section. Computers that have an IP address in the IP address range that you specified in the source IP address field, communicating on the source port you specified, can connect to the VPN service.
11. From the Destination Address pop-up menu, choose the address group that contains the VPN server for the destination of filtered traffic. If you don't want to use an existing address group, select Other and enter the destination IP address range with CIDR notation. You can also specify a port in the Port field of the Source section.
12. From the Interface pop-up menu that this rule applies to, choose In
can benefit from using Dynamic Host Configuration Protocol (DHCP) service. IP addresses are assigned as needed, and when they're not needed, they can be used by other clients. You can use a combination of static and dynamic IP addresses for your network.

DHCP service lets you administer and distribute IP addresses to computers from your server. When you configure the DHCP server, you assign a block of IP addresses that can be made available to clients. Each time a computer configured to use DHCP starts up, it looks for a DHCP server on your network. If it finds a DHCP server, the client computer then requests an IP address. The DHCP server checks for an available IP address and sends it to the computer, with a lease period (the length of time the client computer can use the address) and configuration information.

For more information about static and dynamic allocation of IP addresses, see "Before Setting Up DHCP Service" on page 26.

Organizations can benefit from the features of DHCP service, such as the ability to set Domain Name System (DNS) and Lightweight Directory Access Protocol (LDAP) options for computers without needing to configure each client.

You can use the DHCP module in Server Admin to:
• Configure and administer DHCP service
• Create and administer subnets
• Configure DNS, LDAP, and Windows Internet Naming Service (WINS) options for client computers
• View DHCP address leases

DHCP Setup Overview
Here i
n matching packets handled by the firewall.
• Click Log to review the Firewall service log. To search for specific entries, use the Filter field above the log.
• To view a list of active firewall rules, click Active Rules. A list of rules appears with a description of each rule in ipfw code format, the priority, packet count, and total bytes handled.

From the command line:
To see summary status of the service:
  sudo serveradmin status ipfilter
To see detailed status of the service, including rules:
  sudo serveradmin fullstatus ipfilter

For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command-Line Administration.

Viewing Firewall Active Rules
Use Server Admin to view a simple summary of active firewall rules. The Active Rules pane shows the number of packets and bytes associated with each rule.

When a change is made to the configuration of the firewall using Server Admin, the old firewall rules are flushed, new rules are generated and saved in a file, and the ipfw command is invoked to load the rules into service. As part of the flush operation, the number of packets and bytes associated with each rule are cleared. The Active Rules pane provides a snapshot of the state of the firewall.

When viewing this pane, dynamic rules might be shown with static rules. Dynamic rules come and go in a matter of seconds in response to network activity. They are the result of ru
n pop-up menu, select whether this rule permits or denies access. If you choose Other, enter the action desired (for example, log).
10. From the Protocol pop-up menu, choose a protocol. If you choose Other, enter the protocol desired (for example, icmp, esp, ipencap).
11. From the Service pop-up menu, choose a service. To select a nonstandard service port, choose Other.
12. If desired, choose to log all packets that match the rule.
13. For the source of filtered traffic, choose an address group from the Source Address pop-up menu. If you don't want to use an existing address group, choose Other and enter the source IP address range (using CIDR notation) you want to filter. If you want it to apply to any address, choose "any" from the pop-up menu.
14. If you selected a nonstandard service port, enter the source port number.
15. For the destination of filtered traffic, choose an address group from the Destination Address pop-up menu. If you don't want to use an existing address group, choose Other and enter the destination IP address range (using CIDR notation). If you want it to apply to any address, choose "any" from the pop-up menu.
16. If you selected a nonstandard service port, enter the destination port number.
17. From the Interface pop-up menu that this rule will apply to, choose In or Out. In refers to the packets being sent to the server. Out refers to the packets b
nd services to specific interfaces. The configuration files for xinetd provide a mapping of services to the executable that should be run to service a request for a given service.

For example, if you enable FTP file sharing, the ftpd process is not started immediately. Instead, the configuration file is updated to reflect that xinetd should listen for ftp requests and, when it receives one, it should launch ftpd to service the request. When the first ftp request comes in to the computer, xinetd receives the request and then launches ftpd to handle it. In this way, xinetd can keep the number of services running on a computer lower by launching only those that are requested by a client.

inetd and xinetd have their own configuration files. inetd uses one file, inetd.conf, to map a service to its executable. Standard services that inetd handles are listed in the file. xinetd uses a different configuration file for each service it provides. In the /etc/xinetd.d folder, there are configuration files for each service that xinetd handles. If you enable FTP sharing, Mac OS X modifies the configuration file /etc/xinetd.d/ftp. For more information about xinetd, see www.xinetd.org.

Working with DHCP Service
Use this chapter to set up and manage DHCP service in Mac OS X Server.

If your organization has more clients than IP addresses, you ca
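To make the mapping concrete, here is what a per-service file of the kind the guide names (/etc/xinetd.d/ftp) looks like. It is an added, constructed illustration, not the file Mac OS X ships: the server path is assumed, and the address and interface values are placeholders. The attributes shown are standard xinetd ones; the guide only states that enabling FTP sharing modifies this file, not which attributes it changes.

```conf
# Constructed example of /etc/xinetd.d/ftp (not the file shipped with Mac OS X).
service ftp
{
    # "yes" leaves the service mapped but never launched; turning the service
    # on means setting this to "no".
    disable         = no
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    # The executable xinetd launches for each incoming ftp request
    # (path assumed for this example).
    server          = /usr/libexec/ftpd
    # Accept connections only from the internal LAN (placeholder range); this
    # is enforced before ftpd is even started.
    only_from       = 192.168.2.0/24
    # Listen on the internal interface address only (placeholder address),
    # which is how a service is tied to a specific interface.
    bind            = 192.168.2.1
    log_on_failure += USERID
}
```

Because xinetd applies only_from and bind before launching the server, a connection from outside the listed range is refused without ftpd ever running, which is one more reason to prefer this launch-on-demand model over a permanently running daemon for rarely used services.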
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Click the triangle at the left of the zone that has the computer record to be edited. The list of records appears.
6. Select the record to be edited and make changes in the fields below the list.
7. Click Save.

Deleting a Record from a DNS Zone
When a computer is no longer associated with a domain name or usable address, delete the associated records.

To delete a record:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Click the triangle at the left of the zone that has the computer record to be deleted. The list of records appears.
6. Select the record to be deleted and click Remove below the list.
7. Click Save.

Securing the DNS Server
DNS servers are targeted by malicious computer users (hackers). DNS servers are susceptible to several kinds of attacks. By taking extra precautions, you can prevent the problems and downtime associated with hackers.

Several kinds of security attacks are associated with DNS service:
• DNS spoofing
• Server mining
• DNS service profiling
• Denial of service (DoS) attacks
• Service piggybacking

DNS Spoofing
DNS spoofing is adding false data to the DNS server's cache. This enables hackers to:
• Redirect real domain name queries to alternative IP addresses. For example, a falsifie
one server that supplies all Internet services, such as mail or web. These services can run on one computer with a single IP address.

You can have multiple host names in the same zone for a single server. For example, you might want to have the domain name www.example.com resolve to the same IP address as ftp.example.com or mail.example.com. This domain appears to be several servers to anyone accessing the services, but they are all one server at one IP address.

Setting up DNS records for this service is easy: add aliases to the machine DNS record. Setting up DNS names for these services does not enable or configure the services. It provides names that are easy to remember for each service offered. This can simplify setup and configuration of the client software for each service.

For example, for every service you want to show, do the following:
• Create mail.example.com to enter on mail clients. Be sure to select the mail server checkbox on the machine pane.
• Create www.example.com to enter on web browsers.
• Create afp.example.com for Apple File Sharing in the Finder.
• Create ftp.example.com to enter on FTP clients.

As your needs grow, you can add computers to the network to handle these services. Then remove the alias from the machine's DNS record and create a record for the new machine, and your clients' settings can remain the same.

Hosting Multiple Domains on the Same Server
One server can supply all Internet services, such as m
189. net _defaults selected port key An array of available ports list _array_index n subnet_defaults dhcp_domain_name Default The last portion of the server s host name for example example com subnet_defaults dhcp domain _name_ Default The DNS server addresses provided server array index n during server setup as listed in the Network pane of the server s System Preferences subnets array id lt subnetID gt An array of settings for a subnet lt subnetID gt is a unique identifier for each subnet DHCP Subnet Settings Array An array of settings listed in the following table is included in DHCP service settings for each subnet you define You can add a subnet to the DHCP configuration by using serveradmin to add an array of these settings About Subnet IDs In an actual list of settings lt subnetip gt is replaced with a unique ID code for the subnet The IDs generated by the server are random numbers The only requirement for the ID is that it must be unique among the subnets defined on the server Subnet Parameter subnets array_ Description id lt subnetID gt dhcp_domain_name The default domain for DNS searches for example example com Corresponds to the Default Domain field in the DNS pane of the subnet settings in Server Admin dhcp domain name server array The primary WINS server to be used by clients index n Corresponds to the Name Servers field in the DNS pane of the subnet settings
190. next time you start DHCP.
From the command line: You must use the same subnetID that was used to create the subnet.
To set DNS options for a subnet:
sudo serveradmin settings
dhcp:subnets:_array_id:<subnetID>:dhcp_domain_name_server:_array_index:0 = "<dns-server-1>"
dhcp:subnets:_array_id:<subnetID>:dhcp_domain_name_server:_array_index:1 = "<dns-server-2>"
dhcp:subnets:_array_id:<subnetID>:dhcp_domain_name = "<domain>"
Control-D
Parameter / Description
subnetID: A unique number that identifies the subnet. Can be any number not assigned to another subnet on the server. Can include embedded hyphens.
dns-server-n: To specify additional DNS servers, add dhcp_domain_name_server settings, incrementing _array_index:n for each additional value.
Other parameters: The standard subnet settings described in Command Line Parameters for Network Services.
For information about serveradmin, see its man page. For the basics of command line tool usage, see Introduction to Command Line Administration.
Setting LDAP Options for a Subnet
You can use DHCP to automatically provide your clients with LDAP server information rather than manually configuring each client's LDAP information. The order in which the LDAP servers appear in the list determines their search order in the automatic Open Directory search policy. If you are using this Mac OS X Server as an LDAP master, LDAP options are populated with the necessary configuration information
192. nt to make your gateway server a VPN entry point to your LAN, select the "Enable VPN for this server" checkbox. If you enable VPN, you need a shared secret. A shared secret is a passphrase that users provide to connect to the VPN gateway. It should be a very secure passphrase, not the password of a user or administrator on the gateway server. To set a very secure passphrase, use Password Assistant in Account Preferences. For more information, see Mac OS X Server Security Configuration. For more information, see Chapter 6 Working with VPN Service.
Click Continue. Inspect and confirm your setup. Click Continue. NAT and all dependent services will be configured and started. Click Close.
Options
You can fine tune the settings of this base configuration, but you perform additional configuration in Server Admin. For example, you can use Server Admin to assign IP addresses to specific computers. To do this, add static address mappings in DHCP Service settings. For more information, see Chapter 2 Working with DHCP Service.
You can also change firewall settings to permit connections from the Internet to the LAN. To do this, change the firewall settings, open up IP ports as needed, and configure port forwarding by editing UNIX files from the command line to designate which computer on the LAN is to accept incoming traffic.
Connecting a Wired LAN and Wireless Clients to the Internet
You can use Gateway Setup Assistant to connect a wi
193. nter paper In the Print dialog or Page Setup dialog try changing Scale to 115 155 for Getting Started which has CD size pages Getting Documentation Updates Periodically Apple posts revised help pages and new editions of guides Some revised help pages update the latest editions of the guides e To view new onscreen help topics for a server application make sure your server or administrator computer is connected to the Internet and click Latest help topics or Staying current in the main help page for the application To download the latest guides in PDF format go to the Mac OS X Server documentation website at www apple com server resources Preface About This Guide An RSS feed listing the latest updates to Mac OS X Server documentation and onscreen help is available To view the feed use an RSS reader application such as Safari or Mail and go to feed helposx apple com rss snowleopard serverdocupdates xml Getting Additional Information For more information consult these resources Read Me documents get important updates and special information Look for them on the server discs Mac OS X Server website www apple com server macosx enter the gateway to extensive product and technology information Mac OS X Server Support website www apple com support macosxserver access hundreds of articles from Apple s support organization Apple Discussions website discussions apple com share questi
194. nternet protocol. The current Internet protocol, IP version 4 (IPv4, or just IP), has problems coping with the growth and popularity of the Internet. The main problems for IPv4 are:
• Limited IP addressing. IPv4 addresses use 32 bits, meaning there can be only 4,300,000,000 network addresses.
• Increased routing and configuration burden. The amount of network overhead, memory, and time required to route IPv4 information is rapidly increasing as more computers connect to the Internet at an increasing rate.
• End to end communication that's routinely circumvented. This problem is an outgrowth of the IPv4 addressing problem. As the number of computers increased and address shortages became more acute, another addressing and routing service was developed: Network Address Translation (NAT). NAT mediates and separates two network end points. However, this frustrates a number of network services and is limiting.
IPv6 fixes some of these problems and helps prevent others. It improves routing and network autoconfiguration, it increases the number of network addresses to over 3x10^38, and it eliminates the need for NAT. IPv6 is expected to gradually replace IPv4 over a number of years, with the two coexisting during the transition. (pages 195, 196)
IPv6 Enabled Services
The following services in Mac OS X Server support IPv6 addressing:
• DNS (BIND)
• Firewall
• Mail (POP, IMAP, SMTP)
• Windows (SMB/CIFS)
• Web (Apache 2)
A number of command lin
195. nterval determines how often the secondary zone checks for changes from the primary zone. You can change the zone refresh interval by using BIND's configuration file. For more information, see the BIND documentation.
Forward Zones
A forward zone directs lookup requests for that zone to other DNS servers. Forward zones don't do zone transfers. (Chapter 3 Working with DNS Service) Often forward zone servers are used to provide DNS service to a private network behind a firewall. In this case, the DNS server must have access to the Internet and a DNS server outside the firewall. Forward zones also cache responses to queries they pass on. This can improve the performance of lookups by clients that use the forward zone. Server Admin does not support creation or modification of a forward zone. To create a forward zone, you must configure BIND manually at the command line. For details, see the BIND documentation.
DNS Machine Records
Each zone contains a number of records. These records are requested when a computer translates a domain name (like www.example.com) to an IP number. Web browsers, mail clients, and other network applications rely on zone records to contact the correct server. Primary zone records are queried by others across the Internet so they can connect to your network services. There are several kinds of DNS records available for configuration by Server Admin:
• Address (A): Stores the IP address associated with a domain nam
196. o Parameter vpn Servers Description com apple ppp pptp Default 2 2 2 2 Radius Server array_ index 0 Address com apple ppp pptp Default 2 Radius Server array_ index 0 SharedSecret com apple ppp pptp Default 0 PPP MPPEKeysize40 com apple ppp pptp Default 0 PPP MPPEKeysizel28
For more information about command line parameters for VPN, see VPN Service Settings on page 206. For information about serveradmin, see its man page. For the basics of command line tool usage, see Introduction to Command Line Administration.
Configuring Client Information Settings
When a user connects to your server through a VPN, that user is given an IP address from your allocated range. This range is not served by a DHCP server, so you must configure the network mask, DNS address, and search domains.
To configure Client Information settings: Open Server Admin and connect to the server. Click the triangle at the left of the server. The list of servers appears. From the expanded Servers list, select VPN. Click Settings, then click Client Information. Enter the IP address of the DNS server. Add the gateway computer's internal IP address (usually something like 192.168.x.1). Enter search domains as needed. Add network routing definitions as needed. For more information about network routing definitions, see Configuring VPN Network Routing Definitions on page 151. Click Save. (Chapter 6 Working with VPN)
197. o get network configuration through DHCP. Don't set options that clients shouldn't have. Don't give DHCP clients more information about your organization than necessary using LDAP. You might want to configure Windows clients to have more network options. For more information, see Setting WINS Options for a Subnet on page 37.
• Limit resource use. Having many users on a subnet can lead to a lot of bandwidth use, so reduce the number of DHCP clients that can be connected simultaneously by restricting the number of addresses to be allocated. For more information, see Creating Subnets in DHCP Service on page 29.
• Keep address turnover high. Make the lease times on addresses as short as practical. This way, as users come and go, the addresses can be quickly reallocated. For more information, see Creating Subnets in DHCP Service on page 29.
• Monitor your traffic. Keep a close eye on DHCP connections and clients (firewall rule packet logging or other monitoring tools). Open access points can be a liability if they are not guarded vigilantly. (Chapter 2 Working with DHCP Service, pages 45, 46)
Configuring DHCP to Use an Extra LDAP Server URL
The Server Admin application's DHCP module enables administrators to specify a single LDAP server URL for each subnet. If you want to specify multiple LDAP server URLs, you can edit the /etc/bootpd.plist file or use the serveradmin command line tool from a Terminal window.
Editing the
198. o use DHCP in this setting, you must already have:
• A working, configured firewall that permits LDAP and printer (IP printing) connections. For more information, see Chapter 4 Working with Firewall Service.
• A working, configured Open Directory or LDAP server with users defined. For more information, see Open Directory Administration and User Management.
For this example, configuring DHCP involves static IP address mapping and additional client network settings. You could configure it like this:
• For a printer that must be given a static IP address, make sure the allocated DHCP address range does not include the truly static IP address of the printer. If the printer can be configured to accept an address using DHCP, don't worry about an overlap. For more information, see Using Static IP Addresses on page 27. (Chapter 2 Working with DHCP Service, pages 43, 44)
• For a file server that must always be assigned the same address, use Mac OS X Server's static IP mapping to always assign the same IP address to its Ethernet address. For more information, see Assigning Static IP Addresses Using DHCP on page 39.
• For DHCP configuration, set the LDAP options for DHCP clients. This gives computers their needed directory information. For more information, see Setting LDAP Options for a Subnet on page 36.
• For client configuration on Mac OS X client computers, make sure the IPv4 configuration method in the Network pane of Sy
199. ommunicate across LANs, subnets, and the Internet.
Before You Set Up DNS Service
This section contains information to consider before setting up DNS on your network. Because the issues involved with DNS administration are complex and numerous, do not set up DNS service on your network unless you're an experienced DNS administrator. A good source of information about DNS is DNS and BIND, 5th edition, by Paul Albitz and Cricket Liu (O'Reilly and Associates, 2006).
Note: Apple can help you locate a network consultant to implement DNS service. You can contact Apple Professional Services and Apple Consultants Network on the web at www.apple.com/services or consultants.apple.com. (Chapter 3 Working with DNS Service)
Consider creating a mail alias, such as hostmaster, that receives mail and delivers it to the person that runs the DNS server at your site. This permits users and other DNS administrators to contact you regarding DNS problems.
You should set up at least one primary and one secondary name server. That way, if the primary name server shuts down, the secondary name server can continue to provide service. A secondary server gets its information from the primary server by periodically copying all domain information from the primary server. After a name server is provided with the name/address pair of a host in another domain (outside the domain it serves), the information is cached, ensuring that IP addresses for recently resolved na
200. on: Open Server Admin and connect to the server. Click Settings. Click Services. Select the NAT checkbox. Click Save.
Configuring NAT Service
You use Server Admin to indicate which network interface is connected to the Internet or other external network. Configuring NAT service is not the same as configuring a network segment as a NAT LAN.
To configure NAT service: Open Server Admin and connect to the server. Click the triangle at the left of the server. The list of services appears. From the expanded Servers list, select NAT. Click Settings. Select IP Forwarding and Network Address Translation (NAT). From the "External network interface" pop up menu, choose the network interface that connects to the Internet or external network. Click Save.
From the command line:
To configure NAT service:
sudo serveradmin settings
nat:enable_natportmap = <value>
nat:interface = <value>
Control-D
To view all settings:
sudo serveradmin settings nat
(Chapter 5 Working with NAT Service)
enable_natportmap: yes/no. Default: yes.
interface: The network port. Default: en0.
For more information about command line parameters for NAT, see Command Line Parameters for Network Services. For information about serveradmin, see its man page. For the basics of command line tool usage, see Introduction to Command Line Administration.
Configuring Port Forwarding
You can direct traffic coming in to your NAT network to
201. onfiguring DNS for mail service involves creating MX records in DNS for your mail servers. If your ISP provides DNS service, contact the ISP so they can enable your MX records. Follow these steps only if you provide your own DNS service. You might want to set up multiple servers for redundancy. If so, create an MX record for each auxiliary server.
To enable MX records for your mail server: Open Server Admin and connect to the server. Click the triangle at the left of the server. The list of services appears. From the expanded Servers list, select DNS. Click Zones. Select the zone this record is to be added to. Click the triangle at the left of the zone. The list of records appears. Click Add Record, then choose Add Machine (A). This adds a machine record to the zone. In the Machine Name field, enter the hostname of the computer. If you want to use the fully qualified name of the computer, select the Fully Qualified checkbox and enter the fully qualified domain name of the computer. This field is the basis for the A record of the computer. Reverse lookup (pointer) records are created for the computer. (Chapter 3 Working with DNS Service) Click the Add button and enter the IP addresses for the computer. In the relevant text boxes, enter information about the hardware and software of the computer. In the Comment text box, enter comments about the computer. This field is the b
202. ons, knowledge, and advice with other administrators.
Apple Mailing Lists website (www.lists.apple.com): subscribe to mailing lists so you can communicate with other administrators using email.
Apple Training and Certification website (www.apple.com/training): hone your server administration skills with instructor led or self paced training, and differentiate yourself with certification.
OpenLDAP website (www.openldap.org): learn about the open source software that Open Directory uses to provide LDAP directory service.
MIT Kerberos website (web.mit.edu/kerberos/www): get background information and specifications for the protocol that Open Directory uses to provide robust single sign on authentication.
Berkeley DB website (www.oracle.com/database/berkeley-db): investigate feature descriptions and technical documentation for the open source database that Open Directory uses to store LDAP directory data.
RFC 3377, Lightweight Directory Access Protocol (v3): Technical Specification (www.rfc-editor.org/rfc/rfc3377.txt): lists a set of eight other Request for Comment (RFC) documents with overview information and detailed specifications for the LDAP v3 protocol. (Preface About This Guide, page 15)
Linking Your Network to the Internet
Use Gateway Setup Assistant to guide you through the initial setup of your server to serve as a gateway between your private network and the Internet. Gateway Setup Assistant guides you through confi
203. org rfc html There are over 29 IPv6 related RFC documents A list can be found at www ipv6 org specs html Chapter 11 Supporting IPv6 Command Line Parameters for Network Services Appendix Use this appendix to find descriptions of undocumented command parameters for specific network services Mac OS X Server administrators can use the command line to manage and maintain Mac OS X Server This appendix further describes command line parameters for services available with Mac OS X Server DHCP Service Settings To change settings for DHCP service use the following parameters with the serveradmin tool Parameter dhcp Description descriptive name A textual description of the subnet Corresponds to the Subnet Name field in the General pane of the subnet settings in Server Admin logging level LOW MEDIUM HIGH Default MEDIUM Corresponds to the Log Detail Level pop up menu in the Logging pane of DHCP service settings in the Server Admin application subnet _status Default 0 subnet_defaults logVerbosity LOW MEDIUM HIGH Default MEDIUM subnet _defaults logVerbosityList Available values for the logVerbosity setting array index n Default LOW MEDIUM and HIGH subnet _defaults WINS node_ type Default NOT_SET 199 Parameter dhcp Description subnet_defaults routers Default empty dictionary subnet_defaults selected_port_key Default end sub
204. ork services Note Because Apple periodically releases new versions and updates to its software images shown in this book may be different from what you see on your screen Using Onscreen Help You can get task instructions onscreen in Help Viewer while you re managing Mac OS X Server You can view help on a server or on an administrator computer An administrator computer is a Mac OS X computer with Mac OS X Server administrator software installed on it To get the most recent onscreen help for Mac OS X Server Open Server Admin or Workgroup Manager and then e Use the Help menu to search for a task you want to perform e Choose Help gt Server Admin Help or Help gt Workgroup Manager Help to browse and search the help topics The onscreen help contains instructions taken from Advanced Server Administration and other advanced administration guides To see the most recent server help topics Make sure the server or administrator computer is connected to the Internet while you re getting help Help Viewer automatically retrieves and caches the most recent server help topics from the Internet When not connected to the Internet Help Viewer displays cached help topics Preface About This Guide Documentation Map Mac OS X Server has a suite of guides that cover management of individual services Each service may depend on other services for maximum utility The documentation map below shows some related guides that you may nee
206. ou choose RADIUS, enter the following information:
• Primary IP Address: Enter the IP address of the primary RADIUS server.
• Shared Secret: Enter a shared secret for the primary RADIUS server.
• Secondary IP Address: Enter the IP address of the secondary RADIUS server.
• Shared Secret: Enter a shared secret for the secondary RADIUS server.
Enter the shared secret or select the certificate to use in the IPSec Authentication section. The shared secret is a common password that authenticates members of the cluster. IPSec uses the shared secret as a preshared key to establish secure tunnels between cluster nodes. Click Save.
From the command line:
To configure L2TP settings:
sudo serveradmin settings
vpn:Servers:com.apple.ppp.l2tp:enabled = yes
(Chapter 6 Working with VPN Service; the remaining lines of this command were garbled in extraction and are kept as they appeared:)
vpn vpn vpn vpn vpn vpn vpn vpn vpn vpn vpn vpn vpn vpn Server value vpn Server value vpn Server vpn Server vpn Server index 0 vpn Server value vpn Server value vpn Server com apple ppp value index 0 SharedSecret vpn Server com apple ppp value vpn Server com apple ppp index 1 SharedSecret vpn Server com apple ppp vpn Server com apple ppp Control D ivpn Server com apple ppp com apple ppp 1 com apple ppp 1 com apple ppp com apple ppp com apple ppp com apple ppp 1 com apple ppp 1 value value 2p 2tp
207. ou must enable NAT service and Firewall service. For more information, see Starting Firewall Service on page 96.
To start NAT service: Open Server Admin and connect to the server. Click the triangle at the left of the server. The list of services appears. From the expanded Servers list, select NAT. Click the Start NAT button below the Servers list. When the service is running, the Stop NAT button is available. (Chapter 5 Working with NAT Service)
From the command line:
To start NAT service:
sudo serveradmin start nat
To stop NAT service:
sudo serveradmin stop nat
For information about serveradmin, see its man page. For the basics of command line tool usage, see Introduction to Command Line Administration.
Creating a Gateway Without NAT
You can use a computer as a gateway between network segments without translating IP addresses between public and private ranges. This is called IP address forwarding. Mac OS X Server supports IP address forwarding, and it can be configured using Server Admin.
You can have various network configurations that would use a gateway without NAT. For example, a server might be translating private IP addresses to public addresses using NAT, but your Mac OS X Server gateway might be routing information between private address subnets. Likewise, you might want to run a firewall between network segments in your own LAN. Any condition in which you'd want to route network traffic th
208. p 12tp com lt name gt ppp 12tp Pv4 ConfigMethod Default Manual com lt name gt ppp pptp Pv4 ConfigMethod Default Manual com lt name gt ppp 12tp Pv4 DestAddressRanges Default empty array Appendix Command Line Parameters for Network Services 207 Parameter vpn Servers Description com lt name gt ppp pptp Default empty array Pv4 DestAddressRanges com lt name gt ppp 12tp Default empty array Pv4 0fferedRouteAddresses com lt name gt ppp pptp Default empty array Pv4 0fferedRouteAddresses com lt name gt ppp 12tp Default empty array Pv4 0fferedRouteMasks com lt name gt ppp pptp Default empty array Pv4 0fferedRouteMasks com lt name gt ppp 12tp Default empty array Pv4 O0fferedRouteTypes com lt name gt ppp pptp Default empty array Pv4 0fferedRouteTypes com lt name gt ppp 12tp Default IPSec L2TP Transport com lt name gt ppp 12tp Default 1 PPP ACSPEnabled com lt name gt ppp pptp Default 1 PPP ACSPEnabled com lt name gt ppp 12tp Default DSACL PPP AuthenticatorACLPlugins com lt name gt ppp pptp Default DSACL PPP AuthenticatorACLPlugins com lt name gt ppp 12tp Default EAP KRB PPP AuthenticatorEAPPlugins com lt name gt ppp pptp Default EAP RSA PPP AuthenticatorEAPPlugins com lt name gt ppp 12tp Default DSAuth PPP Authenticato
210. prefix. (Chapter 4 Working with Firewall Service, pages 87, 88)
An IP prefix identifies the number of significant bits used to identify a network. For example, 192.168.2.1/16 means that the first 16 bits (the first two sets of numbers separated by periods) are used to represent the network, so every machine on the network begins with 192.168, and the remaining 16 bits (the last two numbers separated by periods) are used to identify hosts. Each machine has a unique set of trailing numbers.
Subnet masks can be given in another notation, which is the IP address followed by a colon and the netmask. A netmask is a group of 4 numbers, each from 0 to 255, separated by periods, equivalent to the slash in CIDR notation. Addresses with subnet masks in CIDR notation correspond to address:notation subnet masks.
CIDR | Corresponds to netmask | Number of addresses in the range
/1 | 128.0.0.0 | 4.29x10^9
/2 | 192.0.0.0 | 2.14x10^9
/3 | 224.0.0.0 | 1.07x10^9
/4 | 240.0.0.0 | 5.36x10^8
/5 | 248.0.0.0 | 1.34x10^8
/6 | 252.0.0.0 | 6.71x10^7
/7 | 254.0.0.0 | 3.35x10^7
/8 | 255.0.0.0 | 1.67x10^7
/9 | 255.128.0.0 | 8.38x10^6
/10 | 255.192.0.0 | 4.19x10^6
/11 | 255.224.0.0 | 2.09x10^6
/12 | 255.240.0.0 | 1.04x10^6
/13 | 255.248.0.0 | 5.24x10^5
/14 | 255.252.0.0 | 2.62x10^5
/15 | 255.254.0.0 | 1.31x10^5
/16 | 255.255.0.0 | 65536
/17 | 255.255.128.0 | 32768
/18 | 255.255.192.0 | 16384
(Chapter 4 Working with Firewall Service) CIDR | Corresponds to netmask | Number of addresses in the
211. private network IP address: 192.168.0.2
• Mail server's private network IP address: 192.168.0.3
• Web and mail server's IP address settings: Configure IPv4 Using DHCP. This last setting is not required because NAT can be used with static IP addresses instead of DHCP. However, configuring this setting makes it easier to configure computers.
Now all web traffic to www.example.com is forwarded to the internal server at 192.168.0.2, and incoming mail traffic sent to mail.example.com is delivered to the internal server at 192.168.0.3. To change the servers behind the NAT (for example, to perform a hardware upgrade), change the DHCP static IP address to the Ethernet addresses of the new servers. The new servers are assigned the existing internal IP addresses designated for web and mail, and the gateway forwards the traffic to the new servers seamlessly.
To configure virtual servers: Open Server Admin and connect to the server. Click the triangle at the left of the server. The list of services appears. From the expanded Servers list, select DHCP. Click Subnets and create an address group for the internal LAN with the following configuration parameters:
• Subnet name: <whatever you want>
• Starting IP address: 192.168.0.2
• Ending IP address: 192.168.0.254
• Subnet mask: 255.255.255.0 (Chapter 5 Working with NAT Service)
• Network interface: en1
• Router: 192.168.0.1
• Lease time: <whatever you want>
• DNS: <provided by
212. pter 2 Working with DHCP Service, pages 39, 40) Click OK. Click Save. If DHCP is running, you are prompted to restart DHCP for your change to take effect. Otherwise, your changes take effect the next time you start DHCP.
From the command line:
To assign a static map:
sudo serveradmin settings
dhcp:static_maps:_array_id:examplehost/<mapID> = create
dhcp:static_maps:_array_id:examplehost/<mapID>:ip_address = "1.2.3.4"
dhcp:static_maps:_array_id:examplehost/<mapID>:name = "examplehost"
dhcp:static_maps:_array_id:examplehost/<mapID>:en_address = "<ethernet-address>"
Control-D
Static Map Parameter / Description
mapID: A unique ID code for the map entry. The ID must be unique for each static map defined on the server.
ip_address: IP address of host.
name: Host's DNS name.
en_address: Host's Ethernet address.
For information about static map IDs, see Command Line Parameters for Network Services. For information about serveradmin, see its man page. For the basics of command line tool usage, see Introduction to Command Line Administration.
Removing or Changing Static Address Maps
You can change static mappings or remove them as needed.
To change a static address map: Open Server Admin and connect to the server. Click the triangle at the left of the server. The list of services appears. From the expanded Servers list, select DHCP. Click Static Maps. Select a mapping to Edit or Remove. Click t
213. Saving an AirPort Base Station Internet Connect File
You can use Server Admin to save an AirPort Base Station Internet connect file.
To save an AirPort Base Station Internet connect file:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Base Stations.
5. In the AirPort Base Station list, highlight the base station.
6. Click Save Internet Connect File.
7. In the Save As field, enter the name.
8. From the Where pop-up menu, choose the location to save the file.
9. In the Wireless Network Name (SSID) field, enter the wireless network name.
10. Click Save.
Working with NTP Service
Use this chapter to learn how to set up, configure, and manage Network Time Protocol (NTP) service for time synchronization on your network.
Using NTP service for time synchronization is important for reducing the confusion that can be caused if time stamps are out of sync. From shared file systems to billing services, correct timekeeping is a necessity. However, clocks on computers throughout a network can have widely different time stamps.
NTP synchronizes the clocks in networked computers to a reference clock. NTP helps make sure that all computers on a network report the same time. If an isolated network, or even a single computer, is unsynchronized, services that use time
214. The mapID parameter is used by administrative software. It is ignored by the bootpd process that provides DHCP service. For more information about bootpd, see its man page.
Note: Include the special first setting ending with "= create". This is how you instruct serveradmin to create the settings array with the specified map ID.
The static map for a host is identified with the host name, followed by a slash, followed by a unique ID. To add maps to your DHCP configuration, use the serveradmin settings command. The following is the syntax for creating a static map:
sudo serveradmin settings dhcp:static_maps:_array_id:<host name>/<mapID>:<static map parameter>
Viewing the Location of the DHCP Service Log
To view the location of the DHCP service log, use the following command with the serveradmin tool.
Command (dhcp:command) / Description:
- getLogPaths: Display the location of the DHCP service log.
Value / Description:
- systemLog: The location of the DHCP service log. Default: /var/log/system.log
To view the log path:
sudo serveradmin command dhcp:command = getLogPaths
dhcp:systemLog = "/var/log/system.log"
DNS serveradmin Commands
Use the following commands with the serveradmin tool to obtain information about DNS service.
Command (dns:command) / Description:
- getLogPaths: Find the location of the DNS service log.
- getStatistics: Retrieve DNS service statistics.
Firew
215. 2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Services.
5. Select the service you want to change, then do the following:
- To edit the service list, click the Edit button below the services list.
- To delete the service list, click the Delete button below the services list.
6. Edit the name, port, or protocol as needed and click OK.
7. Click Save.
Configuring Advanced Firewall Rules
You use the Advanced Settings pane in Server Admin to configure specific rules for Firewall service. Firewall rules contain originating and destination IP addresses with subnet masks. They also specify what to do with incoming network traffic.
You can apply a rule to all IP addresses, a specific IP address, or a range of IP addresses. Addresses can be listed as individual addresses (192.168.2.2), IP address and subnet mask in CIDR notation (192.168.2.0/24), or IP address and subnet mask in netmask notation (192.168.2.0:255.255.255.0).
To set up an advanced firewall rule:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Advanced.
5. Click the Add button. Alternatively, you can select a rule similar to the one you want to create, click Duplicate, and then click Edit.
6. In the Actio
216. In Server Admin, create an address group named LAN with the address range 10.0.1.1/24. This includes all addresses in the 10.0.1.x subnet range. For more information, see "Creating an Address Group" on page 98.
Create an advanced rule with the following settings:
- Action: Allow
- Protocol: TCP
- Service: Web
- Source address group: LAN
- Destination address: Other, 10.0.2.1
- Interface: en2
For more information, see "Configuring Advanced Firewall Rules" on page 100.
To block web access using standard rules:
1. In Server Admin, create an address group named Web Server with the address 10.0.2.1. For more information, see "Creating an Address Group" on page 98.
2. Click Settings, then click Services.
3. From the "Editing Services for" pop-up menu, choose the Web Server address group.
4. Select "Allow only traffic to these ports."
5. Select the HTTP web service checkbox.
6. Click Save.
Logging Internet Access by Local Network Users
This section describes how you can log allow and deny packets.
To log Internet access by local network users:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Logging.
5. Select the Enable Logging checkbox.
6. To log all allowed packets, select the "Log all allowed packets" checkbox. To log all deny packets, select the "Log all
217. ...IP addresses and subnet mask in netmask notation (192.168.2.0:255.255.255.0).
To configure address group settings:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Address Groups.
5. Below the Address Group pane, click the Add button.
6. In the Group name field, enter a group name.
7. Use the Add and Delete buttons to enter the IP addresses you want the rules to affect. To indicate any IP address, use the word "any".
8. Click OK.
9. Click Save.
Configuring Services Settings
By default, Firewall service permits all UDP connections and blocks incoming TCP connections on ports that are not essential for remote administration of the server. Also by default, stateful rules are in place that permit specific responses to outgoing requests.
Before you turn on Firewall service, make sure you've set up rules permitting access from IP addresses you choose; otherwise, no one can access your server.
You can easily permit standard services through the firewall without advanced and extensive configuration. Standard services include:
- SSH access
- Web service
- Apple File service
- Windows File service
- FTP service
- Printer Sharing
- DNS/Multicast DNS
- ICMP Echo Reply (incoming pings)
- IGMP
- PPTP VPN
- L2TP VP
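Snippets 215 and 217 above both describe the three address notations Server Admin accepts in firewall rules and address groups (a single address, CIDR, and netmask notation) plus the special word "any". The following is an added example, not code from the guide or from Apple: it normalizes entries written in any of those forms, answers "is this source covered by this group?", and flags groups that are effectively "any", which is the check the guide's warning about setting up permitting rules before turning the firewall on calls for. The sample groups are constructed for this example; the colon as the separator for netmask notation is an assumption, since the guide's punctuation did not survive extraction.

```python
import ipaddress

# Constructed sample address groups, one per notation the guide lists.
SAMPLE_GROUPS = {
    "LAN": ["10.0.1.0/24"],                   # CIDR notation
    "Web Server": ["10.0.2.1"],               # single address
    "Customer": ["10.221.41.33"],             # single address
    "Branch": ["192.168.2.0:255.255.255.0"],  # netmask notation (colon separator assumed)
    "any": ["any"],                           # the special "any" entry
}


def parse_address(spec: str) -> ipaddress.IPv4Network:
    """Normalize one address-group entry to an IPv4Network.

    A single address becomes a /32; "any" becomes 0.0.0.0/0; netmask
    notation is rewritten to the address/mask form that ipaddress accepts.
    """
    spec = spec.strip()
    if spec.lower() == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if ":" in spec:  # netmask notation, e.g. 192.168.2.0:255.255.255.0
        addr, mask = spec.split(":", 1)
        return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    # ip_network accepts "a.b.c.d/24", "a.b.c.d/255.255.255.0" and a bare address.
    return ipaddress.IPv4Network(spec, strict=False)


def parse_group(entries):
    """Normalize every entry of an address group."""
    return [parse_address(e) for e in entries]


def group_contains(entries, ip: str) -> bool:
    """True if a source or destination address falls inside the group."""
    host = ipaddress.IPv4Address(ip)
    return any(host in net for net in parse_group(entries))


def group_size(entries) -> int:
    """Number of addresses the group matches (useful when reviewing rule scope)."""
    return sum(net.num_addresses for net in parse_group(entries))


def audit_groups(groups):
    """Names of groups that match every address, i.e. behave like 'any'.

    A rule that allows a service to such a group opens it to the whole Internet,
    which is what the guide's warning about choosing addresses is about.
    """
    return [name for name, entries in groups.items()
            if any(net.prefixlen == 0 for net in parse_group(entries))]


if __name__ == "__main__":
    for name, entries in SAMPLE_GROUPS.items():
        print(name, [str(n) for n in parse_group(entries)], group_size(entries))
    print("wide-open groups:", audit_groups(SAMPLE_GROUPS))
```

Running the block prints each group in canonical CIDR form with the number of addresses it covers, and lists the groups that match everything; in practice you would feed it the groups exported from your own server before enabling a new rule.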
218. ...by usage (for example, all eighth-grade students). Each subnet has at least one range of IP addresses assigned to it.
To create a subnet:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets.
5. Click the Add button.
6. Enter a descriptive name for the new subnet.
7. Enter a starting and ending IP address for this subnet range. Addresses must be contiguous, and they can't overlap with other subnet ranges.
8. Enter the subnet mask for the network address range.
9. From the pop-up menu, choose the network interface that will host DHCP service.
10. Enter the IP address of the router for this subnet. If the server you're configuring is the router for the subnet, enter this server's internal LAN IP address as the router's address.
11. Define a lease time in hours, days, weeks, or months.
12. If you want to set DNS, LDAP, or WINS information for this subnet, enter these now. For more information, see "Setting the DNS Server for a DHCP Subnet" on page 35, "Setting LDAP Options for a Subnet" on page 36, and "Setting WINS Options for a Subnet" on page 37.
13. Click Save.
14. To enable the subnet, select the Enable checkbox.
15. Click Save.
From the command line:
The subnetID parameter is a unique number that identifies the subnet. It can be any n
219. ...to answer time queries, set it to also query an authoritative time server on the Internet.
Setting Up NTP Service
If you run NTP service on your network, make sure your designated NTP server can access a higher-authority time server. Apple provides a Stratum 2 time server for customer use at time.apple.com.
Make sure your firewall permits NTP queries to an authoritative time server on UDP port 123, and that it also permits incoming queries from local clients on the same port. For more information, see Chapter 4, "Working with Firewall Service."
To set up NTP service:
1. Open Server Admin and connect to the server.
2. Click Settings, then click Date & Time.
3. Make sure your server is configured to "Set date & time automatically."
4. From the pop-up menu, choose the server you want to act as a time server.
5. Click General.
6. Select the Network Time Server (NTP) checkbox.
7. Click Save.
Configuring NTP Service on Clients
If you have a local time server, you can configure your clients to query your time server for the network date and time. By default, clients can query Apple's time server. Use the following instructions to set your clients to query your time server.
To configure NTP on clients:
1. Open System Preferences.
2. Click Date & Time.
3. Select the "Set date & time automatically" checkbox.
4. Select and delete the text in the field, rather than using the pop-up menu.
5. Ent
220. Parameter / Description / Default (all parameters are under vpn:Servers):
- ...AuthenticatorPlugins:_array_index:n (com.<name>.ppp.pptp:PPP): Default: DSAuth
- com.<name>.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:n: Default: MSCHAP2
- com.<name>.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:n: Default: MSCHAP2
- com.<name>.ppp.pptp:PPP:CCPEnabled: Default: 1
- com.<name>.ppp.pptp:PPP:CCPProtocols:_array_index:n: Default: MPPE
- com.<name>.ppp.l2tp:PPP:IPCPCompressionVJ: Default: 0
- com.<name>.ppp.pptp:PPP:IPCPCompressionVJ: Default: 0
- com.<name>.ppp.l2tp:PPP:LCPEchoEnabled: Default: 1
- com.<name>.ppp.pptp:PPP:LCPEchoEnabled: Default: 1
- com.<name>.ppp.l2tp:PPP:LCPEchoFailure: Default: 5
- com.<name>.ppp.pptp:PPP:LCPEchoFailure: Default: 5
- com.<name>.ppp.l2tp:PPP:LCPEchoInterval: Default: 60
- com.<name>.ppp.pptp:PPP:LCPEchoInterval: Default: 60
- com.<name>.ppp.l2tp:PPP:LogFile: Default: /var/log/ppp/vpnd.log
- com.<name>.ppp.pptp:PPP:LogFile: Default: /var/log/ppp/vpnd.log
PPP
221. ...trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance or use of these products.
019-1418/2009-08-01
Contents
Preface: About This Guide (11)
- What's New in Network Services (11)
- What's in This Guide (11)
- Using Onscreen Help (12)
- Documentation Map (13)
- Viewing PDF Guides Onscreen (14)
- Printing PDF Guides (14)
- Getting Documentation Updates (14)
- Getting Additional Information (15)
Chapter 1: Linking Your Network to the Internet (16)
- About Gateway Setup Assistant (16)
- Running Gateway Setup Assistant (17)
- Connecting a Wired LAN to the Internet (18)
- Connecting a Wired LAN and Wireless Clients to the Internet (19)
- Connecting a Wireless LAN to the Internet (21)
- About Network Services (23)
Chapter 2: Working with DHCP Service (25)
- DHCP Setup Overview (26)
- Before Setting Up DHCP Service (26)
- Creating Subnets (26)
- Assigning IP Addresses Dynamically (27)
- Using Static IP Addresses (27)
- Locating the DHCP Server (28)
- Interacting with Other DHCP Servers (28)
- Using Multiple DHCP Servers on a Network (28)
- Assigning Reserved IP Addresses (28)
- Getting More Information About the DHCP Process (28)
- Turning DHCP Service On (29)
- Setting Up DHCP Service (29)
- Creating Subnets in DHCP Service (29)
- Configuring Log Settings for DHCP Service (31)
- Starting DHCP
222. ...wired LAN and wireless clients to the Internet. Your LAN can consist of any number of computers connected to each other through Ethernet hubs and switches, but the LAN must have one point of contact with the Internet: the gateway. Your LAN must also have an AirPort Base Station to connect the wireless computers to the wired network. Your wireless clients must be able to connect to the AirPort Base Station's wireless network to be linked to the wired LAN.
After this process, computers on the LAN and those connected to the AirPort Base Station:
- Can get IP addresses and network settings configured using DHCP
- Can access the Internet if the gateway is connected to the Internet
- Can't be accessed by unauthorized network connections originating from the wired connection to the Internet
- Can be accessed over the Internet by authorized VPN clients, if VPN is configured
- Can benefit from DNS lookup caching in the gateway, which speeds DNS resolution
To connect a wired LAN and wireless clients to the Internet:
1. Plug the connection to the Internet into the Ethernet 1 (en0) port.
2. Plug the connection to your LAN into the Ethernet 2 (en1) port.
3. Connect the AirPort Base Station port (the WAN port, if there are two) to the wired network.
4. Using AirPort Utility, configure the Base Station to connect using Ethernet and to get its address using DHCP. You can open it f
223. ...network connection service for your account (such as Built-in Ethernet) from the Services list.
From the Configure pop-up menu, choose one of the following methods:
- Manually: enter the IP address, subnet mask, router, and DNS information in the appropriate fields.
- Using DHCP with manual address: enter the IP address and DNS information in the appropriate fields.
If your DHCP server is using static mapping, configure your client computers to use DHCP. When your client computers connect to your network, they will always obtain the same IP address. The static mapping uses the MAC address of the client computer to determine the IP address the client gets assigned.
Where to Find More Information
Request for Comments (RFC) documents provide an overview of a protocol or service and explain how the protocol should behave. If you're a novice server administrator, you'll probably find the background information in an RFC helpful. If you're an experienced server administrator, you can find technical details about a protocol in its RFC document. You can search for RFC documents by number at www.ietf.org/rfc.html.
For details about DHCP, see RFC 2131.
For more information about advanced configuration options, see the bootpd man page.
Working with DNS Service
Use this chapter to set up, secure, and manage DNS service on your network.
When users want to connect to a network resource such as a web or file
224. ...information about RADIUS server settings, see "RADIUS Settings" on page 210. For information about radiusconfig, see its man page. For the basics of command-line tool usage, see Introduction to Command Line Administration.
Adding AirPort Base Stations to a RADIUS Server
You use the Base Stations pane of RADIUS in Server Admin to add AirPort Base Stations that will use RADIUS service. You can add up to 64 Base Stations to RADIUS.
To add AirPort Base Stations to a RADIUS server:
1. On the management computer, open Server Admin.
2. Click the triangle at the left of the server. The list of services appears.
3. In the expanded Servers list, click RADIUS.
4. Click Base Stations.
5. Below the AirPort Base Stations list, click the Add button.
6. Enter the following AirPort Base Station information:
- Name: Specify the name of the AirPort Base Station.
- Type: Specify the model of the AirPort Base Station.
- IP Address: Specify the IP address of the AirPort Base Station.
- Shared Secret and Verify: Specify a shared secret. The shared secret is not a password for authentication, nor does it generate encryption keys to establish secure tunnels between nodes. It is a token that the key management systems use to trust each other. You must enter the shared secret on the server as well as on a client.
7. Click Add.
Adding Bonjour-Enabled AirPort Base Stations to a RADIUS Server
If your network has AirPort Base Stations t
225. ...Internet
- Can be accessed over the Internet by authorized VPN clients, if VPN is configured
- Can benefit from DNS lookup caching in the gateway, which speeds DNS resolution
To connect a wired LAN to the Internet:
1. Plug the connection to the Internet into the Ethernet 1 (en0) port.
2. Plug the connection to your LAN into the Ethernet 2 (en1) port.
3. Open Server Admin and connect to the server.
4. Click Settings, then click Services.
5. Select the NAT checkbox.
6. Click Save.
7. Click the triangle at the left of the server. The list of services appears.
8. From the expanded Servers list, select NAT.
9. Click Overview, then click Gateway Setup Assistant.
10. Click Continue. If your server has existing DHCP, DNS, NAT, and VPN configurations, you are prompted to overwrite those configurations. To overwrite configurations, click Overwrite to continue.
11. From the Gateway WAN Interface pop-up menu, choose Ethernet 1 (en0) for your WAN interface, then click Continue.
12. From the list of network interfaces, select the Ethernet 2 checkbox for your LAN interface and click Continue. Your LAN interface is the one connected to your local network. Computers on the LAN share the server's Internet connection through the server's WAN interface. If your server has more than one interface available (Ethernet port 2, Ethernet port 3, and so on), choose those you want to enable.
13. Optional: If you wa
226. ...from the Applications/Utilities folder.
5. Select the Base Station and then choose Manual Setup from the Base Station menu. Enter the Base Station password if necessary.
6. Click Internet in the toolbar, then click Internet Connection.
7. From the Connect Using pop-up menu, choose Ethernet.
8. From the Configure IPv4 pop-up menu, choose Using DHCP.
9. From the Connection Sharing pop-up menu, choose Off (Bridge Mode).
10. To change Base Station settings, click Update.
11. Open Server Admin and connect to the server.
12. Click Settings, then click Services.
13. Select the NAT checkbox.
14. Click Save.
15. Click the triangle at the left of the server. The list of services appears.
16. From the expanded Servers list, select NAT.
17. Click Overview, then click Gateway Setup Assistant.
18. Click Continue.
19. For your WAN (Internet) interface, designate Ethernet 1.
20. For your LAN (sharing) interface, designate Ethernet 2. Your LAN interface is the one connected to your local network. Computers on the LAN share the server's Internet connection through the server's WAN interface. If your server has more than one interface available (Ethernet port 2, Ethernet port 3, and so on), choose those you want to enable.
21. Choose whether to make this gateway a VPN entry point to your LAN. If you enable VPN, you need a shared secret. A shared secret is a passphrase that users must provide to securely connect to the VPN gateway. It should be a
227. ...protocols are supported by different platforms.
If you have                            | You can use L2TP/IPSec | You can use PPTP
Mac OS X v10.5 and v10.4.x clients     | X                      | X
Mac OS X v10.3.x clients               | X                      | X
Mac OS X v10.2.x clients               |                        | X
Windows clients                        | X (if Windows XP)      | X
Linux or Unix clients                  | X                      | X
If you're using L2TP, you must have a Security Certificate (from a certificate authority or self-signed) or a predefined shared secret between connecting nodes. If you use a shared secret, it must also be secure (at least 8 alphanumeric characters, including punctuation and without spaces; preferably 12 or more) and kept secret by users.
If you're using PPTP, make sure all your clients support 128-bit PPTP connections for greatest transport security. Using only 40-bit transport security is a serious security risk.
Configuring Other Network Services for VPN
Enabling VPN on Mac OS X Server requires detailed control of DHCP. DHCP is configured separately in Server Admin. The IP addresses given to VPN clients cannot overlap with addresses given to local DHCP clients. To learn more about DHCP, see Chapter 2, "Working with DHCP Service," on page 25.
Enabling VPN also requires Firewall service to be configured. The firewall settings must be able to pass network traffic from external IP addresses through the firewall to the LAN. The firewall settings can be as open or restricted as necessary. For example, if your VPN clients u
228. ...through the server without masquerading IP addresses is a condition that involves IP address forwarding. The steps for creating a gateway for address forwarding are the same as those for creating a NAT LAN. This means that network ports must be properly configured and that Firewall service must be enabled.
To configure a gateway without NAT service:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NAT.
4. Click Settings.
5. Select "IP Forwarding only."
6. Click Save.
Monitoring NAT Service
You might want to monitor NAT service for troubleshooting and security reasons. This section describes how to view the NAT status overview and how to monitor NAT divert activity.
Viewing the NAT Status Overview
The NAT status overview lets you see if the service is running and how many protocol links are active.
To see the overview:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NAT.
4. Click Overview to see whether the service is running, when it started, and the number of TCP, UDP, and ICMP links.
From the command line:
To view the NAT status overview:
sudo serveradmin status nat
To see a detailed NAT status overview:
sudo serveradmin fullstatus nat
For information abou
229. ...approved ranges for private LANs, or you can use Mac OS X Server's DHCP feature to assign addresses for you.
Step 3: Configure the gateway's network settings. You assign your public IP address to the WAN port, and you assign your internal gateway's address to the LAN port.
Step 4: Turn NAT service on. Before configuring NAT service, you must turn NAT on. See "Turning NAT Service On" on page 126.
Step 5: Configure NAT settings. Use the NAT settings to set the network interface. See "Configuring NAT Service" on page 126.
Step 6: Configure port forwarding settings. Use the Terminal application to direct incoming traffic to your NAT network to a specific IP address behind the NAT gateway. See "Configuring Port Forwarding" on page 127.
Step 7: Start NAT service. After you configure NAT, start the service to make it available. See "Starting and Stopping NAT Service" on page 130.
Step 8: Start Firewall service. For NAT service to operate, you must enable NAT service and Firewall service. See "Starting Firewall Service" on page 96.
Step 9 (Conditional): Configure and start DHCP service. If clients will have their addresses dynamically assigned, configure DHCP and start it now. See Chapter 2, "Working with DHCP Service."
Turning NAT Service On
Before you can configure NAT settings, you must turn on NAT service in Server Admin.
To turn NAT service
230. ...Server Admin to stop VPN service.
To stop VPN service:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of servers appears.
3. From the expanded Servers list, select VPN.
4. Click the Stop VPN button below the Servers list.
5. Click Stop Now.
From the command line:
To stop VPN service:
sudo serveradmin stop vpn
For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command Line Administration.
Configuring VPN Network Routing Definitions
By using network routing definitions, you can choose whether to route data from VPN clients to an address group through the VPN tunnel (referred to as private) or over the VPN user's ISP connection (referred to as public).
For example, you can have all VPN client traffic that goes to the LAN IP address range go through the secure tunnel to the LAN, but make all traffic to other addresses be routed through the user's normal, unsecured Internet connection. This helps you have greater control over what goes through the VPN tunnel.
Important Notes About VPN Routing Definitions
- If no routing definitions are added, traffic is routed through the VPN connection by default. If routing definitions are added, the VPN connection is no longer set as the default route, and traffic destined for addresses not specifically declared as a private route will not go over the VPN connection.
- DNS lookups go ov
231. ...very secure passphrase, use Password Assistant in Account Preferences. For more information, see Mac OS X Server Security Configuration. For more information about VPN, see Chapter 6, "Working with VPN Service."
Inspect and confirm the changes.
Options
You can fine-tune the settings from this base configuration, but you perform additional configuration in Server Admin.
For example, you can use Server Admin to assign IP addresses to specific computers. To do this, add static address mappings in the DHCP section's Settings tab. For more information, see Chapter 2, "Working with DHCP Service."
You can also change firewall settings to permit connections from the Internet to the LAN. To do this, change the firewall settings, opening up IP ports as needed, and configure port forwarding in the NAT pane to designate which computer on the LAN is to accept incoming traffic.
About Network Services
Mac OS X Server uses the xinetd process to manage many UNIX network services, such as FTP, finger, and so on. xinetd listens for requests on specific TCP/IP sockets and is a secure replacement for inetd. However, because xinetd does not handle RPC services well, inetd and xinetd are included with Mac OS X.
xinetd does the same things as inetd, with the added security benefits of access control based on source address, destination address, and time, and provides extensive logging, efficient containment of denial-of-service attacks, and the ability to bi
232. ...but don't provide this service to Internet users. To prevent recursion entirely, see "Enabling Recursion" on page 66.
The most common balance is permitting recursion for requests coming from IP addresses in your own range, but denying recursion to external addresses. BIND enables you to specify this in its configuration file, named.conf. Edit named.conf to include the following options:
allow-recursion {
    127.0.0.0/8;
    <your internal IP range of addresses, like 192.168.1.0/27>;
};
For more information, see the BIND documentation.
Common Network Administration Tasks That Use DNS Service
The following sections illustrate common network administration tasks that require DNS service.
Configuring DNS for Mail Service
To provide mail service on your network, you must set up DNS so that incoming mail is sent to the correct mail host on your network. When you set up mail service, you define a series of hosts, known as mail exchangers or MX hosts, each of which has a defined priority level. The host with the highest priority gets the mail first. If that host is unavailable, the host with the next highest priority gets the mail, and so on.
Suppose the mail server's host name is "reliable" in the example.com domain. Without an MX record, users' mail addresses would include the name of your mail server computer, like this: user-name@reliable.example.com. To change the mail server or redirect
233. ...an overview of the basic steps for setting up DHCP service.
Note: If you used Gateway Setup Assistant to configure ports on your server when you installed Mac OS X Server, some DHCP information is already configured. Follow the steps in this section to finish configuring DHCP service. You can find more information about settings for each step in "Managing DHCP Service" on page 32.
Step 1: Before you begin. For issues to keep in mind when you set up DHCP service, read "Before Setting Up DHCP Service" on page 26.
Step 2: Turn DHCP service on. Before configuring DHCP service, turn on DHCP. See "Turning DHCP Service On" on page 29.
Step 3: Create subnets. Use Server Admin to create a pool of IP addresses that are shared by the client computers on your network. You create one range of shared addresses per subnet. These addresses are assigned by the DHCP server when a client issues a request. See "Creating Subnets in DHCP Service" on page 29.
Step 4: Configure DHCP log settings. You can log the activity and errors in DHCP service to help you identify use patterns and problems with your server. DHCP service records diagnostic messages in the system log file. To keep this file from growing too large, you can suppress most messages by changing log settings in the Logging pane of DHCP service settings. See "Configuring Log Settings for DHCP Service" on page 31.
Step 5: Start DHCP service. After you configure DHCP, start the service
234. ...in the system log for error and alert messages. You can filter the log to narrow the type of log entries and make it easier to find those you want to see.
To view Mobile Access service logs:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Mobile Access.
4. Click Log.
5. Select the log you want to see from the View pop-up menu. You can view Mail access and error logs, HTTP error logs, Calendar access logs, AddressBook access logs, and Web access logs.
6. Use the Filter field above the log to search for specific entries.
Stopping Mobile Access Service
Use Server Admin to stop Mobile Access service.
To stop Mobile Access service:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Mobile Access.
4. Click Stop Mobile Access below the Servers list.
5. Click Stop Now. The service might take a few seconds to stop.
From the command line:
To stop the service:
sudo serveradmin stop proxy
For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command Line Administration.
Optional HTTP Configurable Items
Important aspects of Mobile Access service (HTTP) can be configured by editing the plist file at /Library/Preferences/com.apple.securityproxy_http.plist.
235. ...started, the current connections, which protocols are enabled or disabled, and their authentication type.
From the command line:
To view VPN status:
sudo serveradmin status vpn
To view a detailed status of the VPN service:
sudo serveradmin fullstatus vpn
For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command Line Administration.
Changing the Log Detail Level for VPN Service
You can choose from two levels of detail for VPN service logs:
- Nonverbose: These logs describe only conditions where you must take immediate action (for example, if VPN service can't start up).
- Verbose: These logs record all activity by VPN service, including routine functions.
By default, nonverbose logging is enabled.
To change the VPN log detail to verbose:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of servers appears.
3. From the expanded Servers list, select VPN.
4. Click Settings, then click Logging.
5. Select "Verbose logging" to enable verbose logging.
6. Click Save.
Viewing the VPN Log
Monitoring VPN logs helps you make sure your VPN is running properly. VPN logs can help you troubleshoot problems. The log view shows the contents of the /var/log/ppp/vpnd.log file. You can filter the log records with the text filter box in the Log pane of VPN.
To view
236. ...use a large range of IP addresses (you have many users, each connecting from different ISPs), you might need to open the "any" firewall address group to VPN connections. If you want to narrow access to a small range of IP addresses, including static ones, you can create an address group that reflects that smaller range and only enable VPN traffic originating from that list.
You must also open the relevant firewall ports for the VPN type you are using (L2TP or PPTP). Further, a VPN using L2TP must permit traffic for VPN clients on UDP port 4500 (IKE NAT Traversal) if you are using a NAT gateway. Your specific network configuration can also require other open ports.
VPN Setup Overview
Here is an overview of the steps for setting up VPN service.
Step 1: Before you begin. For information to keep in mind before you set up VPN service, read "Before You Set Up VPN Service" on page 141 and "Configuring Other Network Services for VPN" on page 142.
Step 2: Turn VPN service on. Before configuring VPN service, you must turn it on. See "Turning VPN Service On" on page 143.
Step 3: Configure VPN L2TP settings. Use Server Admin to enable L2TP over IPSec, set the IP address allocation range, and set the shared secret or security certificate. See "Configuring L2TP Settings" on page 143.
Step 4: Configure VPN PPTP settings. Use Server Admin to enable PPTP, to specify encryption key length, and to specify the IP address allocation range. S
237. se ports. To disable mail transfer, deselect the "Mail SMTP (Standard)" checkbox in the ports list. Click Save.
Permitting a Customer to Access the Apple File Server. This section provides an example of how to permit a customer with an IP address of 10.221.41.33 to access an Apple file server. To grant a customer access to the Apple file server:
  1. Open Server Admin and connect to the server.
  2. Click the triangle at the left of the server. The list of services appears.
  3. From the expanded Servers list, select Firewall.
  4. Click Settings, then click Services.
  5. From the "Editing Services for" pop-up menu, choose "any".
  6. Select "Allow only traffic to these ports".
  7. In the service pane, deselect Apple Filing Protocol (AFP).
  8. Select Address Groups.
  9. To create an address range, click the Add button.
  10. Name the address group.
  11. To indicate the customer's address, enter 10.221.41.33 in the address range field.
  12. Click OK.
  13. Click Services.
  14. Select the newly created address group.
  15. To enable file access, select Apple File Service in the service pane.
  16. Click Save.
Common Network Administration Tasks That Use Firewall Service. Your firewall is the first line of defense against unauthorized network intruders, malicious users, and network virus attacks that can harm data or abuse network resources. This section describes common uses of Firewall service in network administration.
238. st inform them of changes you make to your domain name, including added subdomains.
The range of IP addresses used with a domain must be clearly defined before setup. These addresses are used exclusively for one specific domain, never by another domain or subdomain. Coordinate the range of addresses with your network administrator or ISP.
Step 2: Learn and plan. If you're new to DNS, learn and understand DNS concepts, tools, and features of Mac OS X Server and BIND. See "Where to Find More DNS Information" on page 82. When you're ready, plan your DNS service. Consider the following questions:
  • Do you need a local DNS server? Does your ISP provide DNS service? Can you use multicast DNS names instead?
  • How many servers do you need? How many additional servers do you need for backup DNS purposes? For example, should you designate a second or third computer for DNS service backup?
  • What is your security strategy to deal with unauthorized use?
  • How often should you schedule periodic inspections or tests of DNS records to verify data integrity?
  • How many services or devices, such as intranet websites or network printers, need a name?
There are two ways to configure DNS service on Mac OS X Server:
  • Use Server Admin. This is the recommended method. For instructions, see "Setting Up DNS Service" on page 56.
  • Edit the BIND configuration file. BIND is the set of programs used by Mac OS X Server that
239. stem Preferences is set to DHCP. This configuration allows computers to be managed by an LDAP or Open Directory server, getting their network configuration information from DHCP. They can have access to truly static IP addresses or consistently assigned IP addresses on the same network. You also get centralized configuration for all computers.
Student Lab Configuration. The student lab configuration example is very much like the workgroup configuration example, but it adds NetBoot as an extra service that uses DHCP. Along with DHCP providing centralized networking configuration, NetBoot standardizes startup environments by having each computer start up from a disk image on a central NetBoot server. The configuration would be like the workgroup configuration example, with the following differences:
  • There might be static address resources. This depends on the lab composition. You might have a class printer or file server, but if you use a mobile cart that moves from classroom to classroom, you won't take a server and printer to each class.
  • NetBoot must be enabled and configured, along with firewall settings to support it. Any client on the network can be set to start up from the NetBoot server. New computers can be deployed by setting the startup disk of the computer to the NetBoot image. No further configuration is necessary, and computers can be repurposed easily because the hard disk can remain unchanged.
With this configuration
240. t. Click Save.
Importing a BIND Zone File. You might already have a BIND zone file from a DNS server of another platform. If so, instead of entering the information in Server Admin manually, you can use the BIND zone file directly with Mac OS X Server. Using an existing zone file requires:
  • Root access permissions to the BIND configuration file, /etc/named.conf
  • The working zone directory, /var/named
  • A basic knowledge of BIND and the Terminal application
Otherwise, use the Server Admin DNS tools.
Important: In Mac OS X Server v10.6, the configuration and zone files used by Server Admin have changed. If you edit named.conf and zone files manually from Terminal, the information is used by DNS. However, the information does not appear in the DNS zones pane of Server Admin. Also, changes made in Server Admin are not made to named.conf. It is recommended that you use Server Admin.
To import a zone file:
  1. Verify that you have root privileges.
  2. Add the zone directive to the BIND configuration file, /etc/named.conf. For example, for zone xyz.com described in zone file db.xyz.com in the working zone folder /var/named, the zone directive might look like this:
       zone "xyz.com" IN {          // Forward lookup zone for xyz.com
           type master;             // It's a primary zone
           file "db.xyz.com";       // Zone info stored in /var/named/db.xyz.com
           allow-update { none; };
       };
  3. Confirm that the zone file is added to the /var/nam
241. t most 2-byte pairs can be rewritten in IPv4 notation. Using this mixed notation, the above example can be expressed as 2001:DB8::4AC8:192.168.100.32.
IPv6 Reserved Addresses. IPv6 reserves two addresses that network nodes can't use for communication purposes:
  • 0:0:0:0:0:0:0:0 (unspecified address, internal to the protocol)
  • 0:0:0:0:0:0:0:1 (loopback address, like 127.0.0.1 in IPv4)
IPv6 Addressing Model. IPv6 addresses are assigned to interfaces (for example, your Ethernet card), not nodes (for example, your computer). A single interface can be assigned multiple IPv6 addresses. Also, a single IPv6 address can be assigned to several interfaces for load sharing. Routers don't need an IPv6 address, eliminating the need to configure routers for point-to-point unicasts. IPv6 doesn't use IPv4 address classes.
IPv6 Address Types. IPv6 supports the following IP address types:
  • Unicast (one-to-one communication)
  • Multicast (one-to-many communication)
  • Anycast
IPv6 does not support broadcast; multicast is preferred for network broadcasts. Otherwise, unicast and multicast in IPv6 are the same as in IPv4. Multicast addresses in IPv6 start with FF (255). Anycast is a variation of multicast: multicast delivers messages to all nodes in the multicast group, but anycast delivers messages to one node in the multicast group.
Creating an IPv4 to IPv6 Gateway. Mac OS X Ser
242. t serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command Line Administration.
Viewing the NAT Service Log and Log Path. To view the contents of the NAT service log or to view log paths, use tail or another file listing tool.
  To view the latest entries in the log:
    tail log-file
  To view the log path:
    sudo serveradmin command nat:command = getLogPaths
  The computer responds with the following output:
    nat:natLog = <nat-log>
  Value        Description
  <nat-log>    The location of the NAT service log. Default: /var/log/alias.log
For more information about NAT commands, see Command Line Parameters for Network Services. For information about tail and cat, see their man pages. For the basics of command-line tool usage, see Introduction to Command Line Administration.
Common Network Administration Tasks That Use NAT. The following sections illustrate common network administration tasks that use NAT service.
Linking a LAN to the Internet Through One IP Address. To link a LAN, you need a Mac OS X Server computer with two network interfaces: one to connect to the Internet and one to connect to your private network. The steps below use the following configuration as an example.
  Ethernet interface names and functions:
    Ethernet (Built-in): connected to Internet
    PCI Ethernet Slot 1: connected to internal network
  Internet or public IP address
243. t up network services.
Viewing PDF Guides Onscreen. While reading the PDF version of a guide onscreen:
  • Show bookmarks to see the guide's outline, and click a bookmark to jump to the corresponding section.
  • Search for a word or phrase to see a list of places where it appears in the guide. Click a listed place to see the page where it occurs.
  • Click a cross-reference to jump to the referenced section. Click a web link to visit the website in your browser.
Printing PDF Guides. If you want to print a guide, you can take these steps to save paper and ink:
  • Save ink or toner by not printing the cover page.
  • Save color ink on a color printer by looking in the panes of the Print dialog for an option to print in grays or black and white.
  • Reduce the bulk of the printed document and save paper by printing more than one page per sheet of paper. In the Print dialog, change Scale to 115% (155% for Getting Started). Then choose Layout from the untitled pop-up menu. If your printer supports two-sided (duplex) printing, select one of the Two-Sided options. Otherwise, choose 2 from the Pages per Sheet pop-up menu, and optionally choose Single Hairline from the Border menu. If you're using Mac OS X v10.4 or earlier, the Scale setting is in the Page Setup dialog and the Layout settings are in the Print dialog.
You may want to enlarge the printed pages even if you don't print double-sided, because the PDF page size is smaller than standard pri
244. tLogPaths
The computer responds with output similar to the following:
    ipfilter:systemLog = <system-log>
  Value           Description
  log-file        The name of the log file
  <system-log>    The location of the ipfilter service log. Default: /var/log/ipfw.log
The filters you create in Server Admin correspond to rules in the underlying filtering software. Log entries show you the rule applied, the IP address of the client and server, and other information.
For information about tail and serveradmin, see their man pages. For the basics of command-line tool usage, see Introduction to Command Line Administration.
Here are examples of firewall log entries and how to read them.
Log Example 1:
    Dec 12 13:08:16 ballch5 mach_kernel: ipfw: 65000 Unreach TCP 10.221.41.33:2190 192.168.12.12:80 in via en0
This entry shows that Firewall service used rule 65000 to deny (unreach) the remote client at 10.221.41.33:2190 from accessing server 192.168.12.12 on Web port 80 through Ethernet port 0.
Log Example 2:
    Dec 12 13:20:15 mayalu6 mach_kernel: ipfw: 100 Accept TCP 10.221.41.33:721 192.168.12.12:515 in via en0
This entry shows that Firewall service used rule 100 to permit the remote client at 10.221.41.33:721 to access the server 192.168.12.12 on the LPR printing port 515 through Ethernet port 0.
Log Example 3:
    Dec 12 13:33:15 smithy2 mach_kernel: ipfw: 10 Accept TCP 192.168.12.12:49152
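To show how entries of the format above can be parsed from /var/log/ipfw.log and summarised for monitoring (which clients are being blocked, and on which ports), here is an added Python example that is not part of the original guide. It reuses Log Examples 1 and 2 verbatim; the remaining sample lines, including the client address 203.0.113.7, are constructed, and treating every action other than "Accept" as a blocked packet is an assumption made for the summary.

```python
"""Parse Mac OS X Server ipfw log entries and summarise blocked traffic."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Layout of one TCP/UDP entry, as in the guide's examples:
#   Mon DD HH:MM:SS host mach_kernel: ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>
# Lines in any other layout (for example ICMP entries, which carry no ports) do not match
# and are skipped rather than mis-parsed.
IPFW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+mach_kernel:\s+ipfw:\s+"
    r"(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+"
    r"(?P<direction>in|out)\s+via\s+(?P<iface>\S+)\s*$"
)


@dataclass(frozen=True)
class IpfwEntry:
    timestamp: str
    host: str
    rule: int
    action: str      # "Accept" = permitted; "Unreach" / "Deny" = blocked (assumption)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    iface: str

    @property
    def permitted(self) -> bool:
        return self.action == "Accept"


def parse_ipfw_line(line: str) -> Optional[IpfwEntry]:
    """Return the parsed TCP/UDP entry, or None when the line has another layout."""
    m = IPFW_RE.match(line)
    if m is None:
        return None
    g = m.groupdict()
    return IpfwEntry(g["ts"], g["host"], int(g["rule"]), g["action"], g["proto"],
                     g["src"], int(g["sport"]), g["dst"], int(g["dport"]),
                     g["direction"], g["iface"])


def parse_ipfw_log(lines) -> List[IpfwEntry]:
    return [e for e in map(parse_ipfw_line, lines) if e is not None]


def denied_by_client_and_port(entries) -> Counter:
    """Count blocked packets per (client address, destination port)."""
    return Counter((e.src, e.dport) for e in entries if not e.permitted)


def noisy_clients(entries, min_denies: int) -> List[Tuple[str, int]]:
    """Clients with at least min_denies blocked packets, most active first."""
    per_client = Counter(e.src for e in entries if not e.permitted)
    return [(ip, n) for ip, n in per_client.most_common() if n >= min_denies]


# Constructed sample log: the first two lines are the guide's Log Examples 1 and 2;
# the rest are made up to show a repeatedly blocked client and a non-matching ICMP line.
SAMPLE_LOG = """\
Dec 12 13:08:16 ballch5 mach_kernel: ipfw: 65000 Unreach TCP 10.221.41.33:2190 192.168.12.12:80 in via en0
Dec 12 13:20:15 mayalu6 mach_kernel: ipfw: 100 Accept TCP 10.221.41.33:721 192.168.12.12:515 in via en0
Dec 12 13:21:02 mayalu6 mach_kernel: ipfw: 65000 Deny TCP 203.0.113.7:40001 192.168.12.12:22 in via en0
Dec 12 13:21:03 mayalu6 mach_kernel: ipfw: 65000 Deny TCP 203.0.113.7:40002 192.168.12.12:22 in via en0
Dec 12 13:21:04 mayalu6 mach_kernel: ipfw: 65000 Deny UDP 203.0.113.7:40003 192.168.12.12:161 in via en0
Dec 12 13:21:05 mayalu6 mach_kernel: ipfw: 65000 Deny ICMP:8.0 203.0.113.7 192.168.12.12 in via en0
""".splitlines()

if __name__ == "__main__":
    entries = parse_ipfw_log(SAMPLE_LOG)
    for (src, port), n in denied_by_client_and_port(entries).most_common():
        print(f"{src} -> port {port}: {n} blocked")
    print("clients with 2+ blocked packets:", noisy_clients(entries, 2))
```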
245. the expanded Servers list, select Firewall.
  4. Click Settings, then click Logging.
  5. Select the "Enable logging" checkbox and choose to log permitted packets, denied packets, or a designated number of packets.
  6. Click Save.
Configuring Advanced Settings. You use the Advanced Settings pane in Server Admin to configure specific rules for Firewall service. This is an optional configuration step for Firewall service. For more information, see "Configuring Advanced Firewall Rules" on page 100.
Starting Firewall Service. By default, Firewall service blocks incoming TCP connections and denies UDP packets except those received in response to outgoing requests from the server. Before you turn on Firewall service, make sure you've set up rules permitting access from IP addresses you choose; otherwise, no one can access your server.
If you add or change a rule after starting Firewall service, the new rule affects connections established with the server. For example, if you deny all access to your FTP server after starting Firewall service, computers connected to your FTP server are disconnected.
To start Firewall service:
  1. Open Server Admin and connect to the server.
  2. Click the triangle at the left of the server. The list of services appears.
  3. From the expanded Servers list, select Firewall.
  4. Click the Start Firewall button below the Servers list.
Managing Firewall Service. After you have set up
246. the zone is valid. This is the zone's time-to-live (TTL) setting. It determines how long query response information can remain cached in remote DNS systems before requerying the authoritative server.
  • Enter the interval of time that the secondary zones should refresh from the primary zone.
  • Enter the interval of time between each retry if the refresh of the secondary zone fails.
  • Enter the amount of time after refreshing before the zone data expires.
Click Save.
Adding a Secondary Zone. Use Server Admin to add a secondary zone to your DNS server. You perform the following steps on the secondary server. To add a secondary zone:
  1. Make sure the primary server is correctly configured and that zone transfers are enabled on the primary server.
  2. On the secondary server, open Server Admin and connect to the secondary server.
  3. Click the triangle at the left of the server. The list of services appears.
  4. From the expanded Servers list, select DNS.
  5. Click Zones.
  6. Click Add Zone, then click Add Secondary Zone (Slave).
  7. Select the new zone.
  8. In the Secondary Zone Name field, enter a zone name. The zone name is the same as the primary zone defined on the primary name server.
  9. Below the Primary Zone addresses list, click the Add button.
  10. Enter the IP addresses for each primary server in the secondary zone.
  11. Click Save.
Adding a Forward Zone. A forward zone directs lookup requests to other DNS servers. The forward zone also caches previo
247. through the VPN gateway can access the file server, and no other network traffic can go through the encrypted gateway.
Linking Remote Network Sites. You can use a VPN to link a computer to a main network, and you can also link networks. When two networks are linked, they can interact as if they are physically connected. Each site must have its own connection to the Internet, but the private data is sent encrypted between the sites. This type of link is useful for connecting satellite offices to an organization's main office LAN.
About the Site-To-Site VPN Administration Tool. Linking multiple remote LAN sites to a main LAN requires the use of a command-line utility installed on Mac OS X Server named s2svpnadmin (site-to-site VPN admin). Using s2svpnadmin requires the use of, and facility with, Terminal, and the administrator must have access to root privileges through sudo. For more about s2svpnadmin, see the s2svpnadmin man page.
Linking multiple remote LAN sites to a main LAN can require the creation of a security certificate. The tool s2svpnadmin can create links using shared-secret authentication (both sites have a password in their configuration files) or certificate authentication. To use certificate authentication, you must create the certificate before running s2svpnadmin. You can only make site-to-site VPN connections using L2TP/IPSec VPN connections. You cannot link two sites using PPTP.
248. ting, indicating whether the service must be restarted.
Using ipfilter Groups with the Rules Array. An array of the following settings is included in the ipfilter settings for each defined IP address group. These arrays aren't part of a standard ipfw configuration. They are created in Server Admin to implement the IP address groups in the General pane of Firewall service settings. In an actual list, <group> is replaced with an IP address group.
  Parameter                                                       Description
  ipfilter:ipAddressGroupsWithRules:_array_id:<group>:rules       An array of rules for the group
  ipfilter:ipAddressGroupsWithRules:_array_id:<group>:addresses   The group's address
  ipfilter:ipAddressGroupsWithRules:_array_id:<group>:name        The group's name
  ipfilter:ipAddressGroupsWithRules:_array_id:<group>:readOnly    Whether the group is set for read-only
ipfilter Rules Array. An array of the following settings is included in the ipfilter settings for each defined firewall rule. In an actual list, <rule> is replaced with a rule number. You can add a rule by using serveradmin to create an array for firewall settings.
  Parameter                                     Description
  ipfilter:rules:_array_id:<rule>:source        The source of traffic governed by the rule
  ipfilter:rules:_array_id:<rule>:protocol      The protocol for traffic governed by the rule
  ipfilter:rules:_array_id:<rule>:destination   The
249. tion. When an origin server is proxied, it is limited to specific authentication mechanisms. For example, when Address Book and iCal are proxied, they only support Basic or Digest authentication over an SSL session. For information about the authentication methods supported by Mail service when it's proxied, see "Configuring Mobile Access Service Mail Settings" on page 187. For information about the authentication methods supported by Web service when it's proxied, see "Configuring Mobile Access Service Web Settings" on page 188.
About Split DNS. When you configure a typical Domain Name Server, you assign a domain name to an IP address. For example, example.sampleserver.com would have a record on the DNS server assigning it the IP address 72.113.112.97. With a split DNS configuration, a public and a private IP address are assigned to the same domain name. The public IP address is used for the external network (Internet) and the private IP address is used on the internal network (intranet). Your ISP must have a DNS record associating the public IP address with your domain name, and your internal DNS server must have a DNS record associating the private IP address with the same domain name. For example, example.sampleserver.com would have the public IP address 172.113.112.97 assigned to it on the ISP's DNS server, and the private IP address 192.168.99.10 would be assigned to the same doma
250. tion (Server Monitor, Server Admin, servermgrd, Workgroup Manager, DirectoryService)
  389 TCP          LDAP (directory)                                              RFC 2251
  407 TCP/UDP      Timbuktu
  427 TCP/UDP      SLP (Service Location Protocol)
  443 TCP          HTTPS (secure web over SSL)
  445 TCP          Microsoft Domain Server
  465 TCP          Mail (SMTP)
  497 TCP/UDP      Dantz Retrospect
500–3999
  Port             Description                                                   Reference
  500 UDP          VPN ISAKMP/IKE
  513 UDP          Who
  514 TCP          Shell, syslog
  514 UDP          Syslog
  515 TCP          LPR (print spooling)                                          RFC 1179
  532 TCP          NetNews
  548 TCP          AFP (Apple Filing Protocol)
  554 TCP/UDP      QTSS RTSP streaming                                           RFC 2326
  587 TCP          Mail (SMTP submission)
  591 TCP          FileMaker web access
  600–1023 TCP/UDP Mac OS X RPC-based services
  625 TCP          Remote Directory Access
  626 UDP          Serial number support for Mac OS X Server
  631 TCP/UDP      IPP (printer sharing)
  636 TCP          LDAP over SSL
  660 TCP          Server administration using Server Settings
  687 TCP          Server administration using Server Admin
  749 TCP/UDP      Kerberos administration and changepw using the kadmind command-line tool
  985 TCP          NetInfo static port
  993 TCP          Mail IMAP over SSL
  995 TCP/UDP      Mail POP3 over SSL
  1099, 8043 TCP   Remote RMI and RMI/IIOP access to JBoss
  1220 TCP         QTSS administration
  1694 TCP         IP Failover
  1701 UDP         VPN L2TP
  1723 TCP         VPN PPTP                                                      RFC 2637
  2000 TCP         Mail Custom filtering (sieve)
  2049 TCP/UDP     Network Fi
251. to make it available. See "Starting DHCP Service" on page 32.
Before Setting Up DHCP Service. This section provides information about creating subnets, assigning static and dynamic IP addresses, locating your server on the network, and avoiding reserved IP addresses.
Creating Subnets. Subnets are groupings of computers on a network that simplify administration. You can organize subnets any way that is useful to you. For example, you can create subnets for different groups in your organization or for different floors of a building. After you group computers into subnets, you can configure options for all computers on a subnet at one time instead of setting options for individual computers. Each subnet needs a way to connect to other subnets. A hardware device called a router typically connects subnets.
Assigning IP Addresses Dynamically. With dynamic address allocation, an IP address is assigned for a limited period of time (the lease time) or until the computer doesn't need the IP address, whichever comes first. By using short leases, DHCP can reassign IP addresses on networks that have more computers than IP addresses. Leases are renewed if the address isn't needed by another computer. Addresses allocated to virtual private network (VPN) clients are distributed much like DHCP addresses, but they don't come out of the same range of addresses as DHCP. If you plan on using VPN, be sure to leave so
252. trolling or Enabling Network Game Usage
Contents
  114  Preventing Network Virus Propagation
  114  TCP and UDP Port Reference
  115  1–499
  116  500–3999
  118  4000–50999
  119  A–Z by Service
  123  Where to Find More Information
  124  Chapter 5: Working with NAT Service
  124  Using NAT with Other Network Services
  124  NAT LAN Configuration Overview
  126  Turning NAT Service On
  126  Configuring NAT Service
  127  Configuring Port Forwarding
  128  Port Forwarding Examples
  130  Testing Port Forwarding Rules
  130  Starting and Stopping NAT Service
  131  Creating a Gateway Without NAT
  132  Monitoring NAT Service
  132  Viewing the NAT Status Overview
  132  Viewing the NAT Service Log and Log Path
  133  Common Network Administration Tasks That Use NAT
  133  Linking a LAN to the Internet Through One IP Address
  135  Setting Up a LAN Party for Gaming
  135  Setting Up Virtual Servers
  138  Where to Find More Information
  139  Chapter 6: Working with VPN Service
  139  VPN and Security
  140  Transport Protocols
  140  Authentication Method
  141  Using VPN Service with Users in a Third-Party LDAP Domain
  141  Before You Set Up VPN Service
  142  Configuring Other Network Services for VPN
  142  VPN Setup Overview
  143  Turning VPN Service On
  143  Setting Up VPN Service
  143  Configuring L2TP Settings
  146  Configuring PPTP Settings
  149  Configuring Client Information Settings
  150  Configuring VPN Logging Settings
  150  Starting VPN Service
  151  Managing VPN Service
253. ttings ipfilter
  To change a setting:
    sudo serveradmin settings ipfilter:setting = value
  To change several settings:
    sudo serveradmin settings
    ipfilter:setting = value
    ipfilter:setting = value
    ipfilter:setting = value
    Control-D
  Parameter   Description
  setting     An ipfilter service setting. See Command Line Parameters for Network Services.
  value       A value for the setting.
For information about command-line parameters, see "Command Line Parameters for Network Services" on page 199. For information about serveradmin, see its man page. For the basics of command-line tool usage, see Introduction to Command Line Administration.
Configuring Firewall Logging Settings. You can choose the types of packets to log. You can log the packets that are denied access, the packets that are permitted access, or both. Each logging option can generate many log entries, but you can limit the volume of entries by:
  • Logging only permitted packets or denied packets instead of all packets
  • Logging packets only as long as necessary
  • Using the Logging Settings pane to limit the total number of packets
  • Adding a count rule in the Advanced Settings pane to record the number of packets that match the characteristics you're interested in measuring
To set up firewall logs:
  1. Open Server Admin and connect to the server.
  2. Click the triangle at the left of the server. The list of services appears.
  3. From
254. umber not assigned to another subnet on the server. Also, it can include embedded hyphens.
Note: Include the special first setting ending with "create". This is how you tell serveradmin to create the settings array with the specified subnet ID.
To create a DHCP subnet:
    sudo serveradmin settings
    dhcp:subnets:_array_id:subnetID = create
    dhcp:subnets:_array_id:subnetID:descriptive_name = "description"
    dhcp:subnets:_array_id:subnetID:net_range_start = "start-address"
    dhcp:subnets:_array_id:subnetID:net_range_end = "end-address"
    dhcp:subnets:_array_id:subnetID:net_mask = "mask"
    dhcp:subnets:_array_id:subnetID:selected_port_name = "port"
    dhcp:subnets:_array_id:subnetID:dhcp_router = "router"
    dhcp:subnets:_array_id:subnetID:lease_time_secs = "lease-time"
    dhcp:subnets:_array_id:subnetID:dhcp_enabled = yes|no
    Control-D
To view DHCP configuration settings:
    sudo serveradmin settings dhcp
  Parameter          Description
  subnetID           A unique number that identifies the subnet. Can be any number not assigned to another subnet on the server. Can include embedded hyphens.
  Other parameters   The standard subnet settings described in Command Line Parameters for Network Services.
For information about setting DHCP subnet parameters, see Command Line Parameters for Network Services. For information about serveradmin, see its man page. For the basics of command-line tool usage, see
255. unt on your server.
  • User password: the password of the user's account on your server.
Client computers behind a firewall that want a VPN connection must configure the firewall to allow traffic on UDP ports 500, 1701, and 4500, on TCP port 1723, and on IP protocol 50.
Where to Find More Information About L2TP/IPSec. The Internet Engineering Task Force (IETF) is working on formal standards for L2TP/IPsec user authentication. For more information, see www.ietf.org/ids.by.wg/ipsec.html.
Request for Comments (RFC) documents provide an overview of a protocol or service and details about how the protocol should behave. If you're a novice server administrator, you'll probably find some of the background information in an RFC helpful. If you're an experienced server administrator, you can find all technical details about a protocol in its RFC document. You can search for RFC documents by number at the website www.ietf.org/rfc.html.
  • For L2TP description, see RFC 2661.
  • For PPTP description, see RFC 2637.
  • For Kerberos version 5, see RFC 1510.
Working with RADIUS. Use this chapter to learn how to configure and use Remote Authentication Dial-In User Service (RADIUS) to keep your wireless network secure and to make sure it is used only by authorized users. By configuring a RADIUS server with Open Directory, you can secure your wireless environment from unauthorized users. Wireless n
256. ure advanced firewall rules to further configure other services, strengthen network security, and fine-tune your network traffic through the firewall. See "Configuring Advanced Firewall Rules" on page 100.
By default, all UDP traffic is blocked except traffic arriving in response to an outgoing query. Apply rules to UDP ports sparingly, if at all, because denying some UDP responses could inhibit normal networking operations. If you configure rules for UDP ports, don't select the "Log all allowed packets" option in the Firewall Logging settings pane in Server Admin. Because UDP is a connectionless protocol, every packet to a UDP port is logged if you select this option. To learn how IP rules work, read "About Firewall Rules" on page 86.
Step 7: Turn Firewall service on. You turn Firewall service on using Server Admin. See "Starting Firewall Service" on page 96.
Important: If you add or change a rule after starting Firewall service, the new rule affects connections established with the server. For example, if you deny all access to your FTP server after starting Firewall service, computers connected to your FTP server are disconnected.
Turning Firewall Service On. Before you can configure firewall settings, you must turn Firewall service on in Server Admin. To turn Firewall service on:
  1. Open Server Admin and connect to the server.
  2. Click Settings.
  3. Click Services.
  4. Select the Firewall checkbox.
  5. Click Save.
257. us lookup requests for enhanced speed. Use Server Admin to add a forward zone to your DNS server. To add a forward zone:
  1. Open Server Admin and connect to the server.
  2. Click the triangle at the left of the server. The list of services appears.
  3. From the expanded Servers list, select DNS.
  4. Click Settings.
  5. Click the Add button below the Forwarder IP Addresses list.
  6. Enter the IP addresses for the master servers for the forward zone. A forward zone directs lookup requests to other DNS servers. The forward zone also caches previous lookup requests for enhanced speed.
  7. Click Save.
Changing a Zone. Use Server Admin to change zone settings. You might need to change the administrator mail address or domain name of a zone. To change a zone:
  1. Open Server Admin and connect to the server.
  2. Click the triangle at the left of the server. The list of services appears.
  3. From the expanded Servers list, select DNS.
  4. Click Zones.
  5. Select the zone you want to change.
  6. Change the zone information as needed.
  7. Click Save.
Deleting a Zone. When you delete a zone, all records associated with it are deleted. To delete a zone:
  1. Open Server Admin and connect to the server.
  2. Click the triangle at the left of the server. The list of services appears.
  3. From the expanded Servers list, select DNS.
  4. Click Zones.
  5. Select the zone you want to delete.
  6. Click Remove below the Zones lis
258. ver:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = "value"
    vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "value"
    vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "value"
    vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = "value"
    vpn:Servers:com.apple.ppp.pptp:Radius:Server:_array_index:0:Address = "value"
    vpn:Servers:com.apple.ppp.pptp:Radius:Server:_array_index:0:SharedSecret = "value"
    vpn:Servers:com.apple.ppp.pptp:Radius:Server:_array_index:1:Address = "value"
    vpn:Servers:com.apple.ppp.pptp:Radius:Server:_array_index:1:SharedSecret = "value"
    vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = "value"
    vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = "value"
    Control-D
To view all VPN service settings:
    sudo serveradmin settings vpn
  Parameter (vpn:Servers:...)                                     Description
  com.apple.ppp.pptp:enabled                                      Default: no
  com.apple.ppp.pptp:IPv4:DestAddressRanges                       Default: empty array
  com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:n     Default: MSCHAP2
  com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:n      Default: DSAuth
  com.apple.ppp.pptp:Radius:Server:_array_index:0:Address         Default: 1.1.1.1
  com.apple.ppp.pptp:Radius:Server:_array_index:0:SharedSecret    Default: 1
259. ver includes an IPv4 to IPv6 gateway that enables the deployment of IPv4-based server services in IPv6 networks to support the industry-wide IP transition. You can configure the IPv4 to IPv6 gateway by setting up 6 to 4 in Network Preferences of your server.
Important: You must have a public IPv4 address (an IP address issued by your ISP), and you cannot be behind a gateway or NAT.
To configure a 6 to 4 gateway:
  1. Open System Preferences and click Network.
  2. Below the list of interfaces, click the Add button.
  3. From the Interface pop-up menu, choose 6 to 4.
  4. In the Service name field, enter a unique name for the service, then click Create.
  5. If you have a relay address, choose Manually from the Configure pop-up menu and enter it; otherwise, leave the Configure pop-up menu set to Automatically.
  6. Click Apply.
Where to Find More Information About IPv6. The website of the IPv6 working group is www.ipv6.org. A group of IPv6 enthusiasts maintains a list of applications that support IPv6 at www.ipv6forum.com. Request for Comments (RFC) documents provide an overview of a protocol or service and details about how the protocol should behave. If you're a novice server administrator, you'll probably find some of the background information in an RFC helpful. If you're an experienced server administrator, you can find all technical details about a protocol in its RFC document. You can search for RFC documents by number at www.ietf
260. wall. If a firewall is too restrictive, the network behind it can be too isolated. If a firewall is too permissive, it fails to secure the assets behind it. Adhering to the following aspects of the basic model provides maximum flexibility and utility with minimum risk:

• Permit essential IP activity. Essential IP activity includes those network activities necessary to use IP and function in an IP environment. These activities include operations such as loopback and are expressed as high-priority (low-numbered) rules, visible in the Advanced pane of Firewall service settings. These rules are configured for you.

• Permit service-specific activity. Service-specific activity refers to network packets destined for specific service ports, such as Web service or Mail service. By permitting traffic to access ports with designated, configured services, you permit access through the firewall on a per-service basis. These services are expressed as medium-priority rules and correspond to check boxes in the Services pane of Firewall settings. You make these changes based on your settings and address groups.

• Deny packets not already permitted. This is the final catch-all practice. If a packet or traffic to a port is unsolicited, the packet or traffic is discarded and not permitted to reach its destination. This is expressed as low-priority (high-numbered) rules, visible in the Advanced pane of Firewall service settings. A basic set of deny rules for
261. you want to change, then do the following:
• To edit the services list, click the Edit button below the Advanced Rules list.
• To delete a rule, click the Delete button below the Advanced Rules list.
Edit the rule as needed and click OK. Default rules, which are designated by the lock icon, cannot be edited or deleted.
Click Save.

Changing the Order of Advanced Firewall Rules
The priority level of an advanced firewall rule is determined by its order in the Advanced Rules list. Default rules that are locked cannot be reordered in the list.

To change the rule order:
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Advanced.
5. Drag the rules to reorder them in the needed sequence. Default rules, which are designated by the lock icon, cannot be reordered.
6. Click Save.

Troubleshooting Advanced Firewall Rules
Advanced firewall configuration settings accept any input, assuming you are correctly configuring a rule. Errors are not noticed until the rules are saved and Server Admin applies all rules using the ipfw command. Then the first rule with a syntax error causes the operation to stop, and an error message is logged. This error message does not indicate which rule is invalid, but all valid rules before the invalid one are loaded in the firewall. The following section describ
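Added example (not from the Apple manual) modelling the behaviour the last two entries describe: rules are applied in order and loading stops at the first syntax error, while matching follows ipfw precedence, lowest rule number first. The rule grammar is a constructed subset of ipfw syntax and SAMPLE_RULES is constructed data; it shows that a typo in one service rule leaves the high-numbered catch-all deny unloaded, which is why confirming the deny is live is the first check after a failed apply.

```python
import re
# Constructed subset of ipfw rule syntax: add <num> <allow|deny> <ip|tcp|udp> from <src> to <dst> [dst-port <n>] [via <iface>]
RULE_RE = re.compile(
    r"^add (?P<num>\d+) (?P<action>allow|deny) (?P<proto>ip|tcp|udp) "
    r"from (?P<src>\S+) to (?P<dst>\S+)(?: dst-port (?P<port>\d+))?(?: via (?P<via>\S+))?$")

def parse_rule(line):
    """Return one rule as a dict, or raise ValueError on a syntax error."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("syntax error: %r" % line.strip())
    rule = m.groupdict()
    rule["num"] = int(rule["num"])
    rule["port"] = int(rule["port"]) if rule["port"] else None
    return rule

def load_rules(lines):
    """Apply rules in list order and stop at the first syntax error, as the manual
    says Server Admin + ipfw do. Returns (loaded_rules, error_or_None): rules
    before the bad one are live in the firewall, rules after it are not."""
    loaded = []
    for line in lines:
        try:
            loaded.append(parse_rule(line))
        except ValueError as exc:
            return loaded, str(exc)
    return loaded, None

def decide(rules, proto, port=None, via=None):
    """First match wins, lowest rule number first (ipfw precedence)."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if r["proto"] in ("ip", proto) and r["port"] in (None, port) \
                and r["via"] in (None, via):
            return r["action"]
    return "no-match"  # fell through to ipfw's built-in default rule

def catch_all_loaded(rules):
    """The check to run after a failed apply: did the catch-all deny go live?"""
    return any(r["action"] == "deny" and r["proto"] == "ip"
               and r["port"] is None and r["via"] is None for r in rules)

# Constructed rule set: essential (lo0), service-specific, then catch-all deny.
# Rule 1010 has a typo ('dst-prot'), so loading stops before the deny rule.
SAMPLE_RULES = [
    "add 100 allow ip from any to any via lo0",
    "add 1000 allow tcp from any to any dst-port 80",
    "add 1010 allow tcp from any to any dst-prot 25",
    "add 65000 deny ip from any to any",
]
```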
