Advice on Fixing/Setting Up Mac Server behind Router

1380 Views 6 Replies Latest reply: Jul 13, 2013 8:54 AM by Melissa Hines
Melissa Hines
Jun 28, 2013 11:17 AM

I would like advice on how to set up/fix a Mac Snow Leopard (10.6.8) server running on an Xserve. The server is only used to host network accounts / act as a remote drive for a Mac-based laboratory. It is not a mail server, web server, etc. The goal is to enable (i.e., force) students to keep all of their documents on the server while accessing them easily from any computer, ideally from any point in the world.

The current setup is:

Linksys router (192.168.1.1) connects WAN (address WWW.WW.WWW.WWW) to LAN with both DMZ and local DNS pointing to server address (192.168.1.55)

Snow Leopard server at 192.168.1.55

Client Macs and PCs with various local addresses 192.168.1.XXX

From the LAN side, this setup works well in that all of the client Macs (from PowerPCs running 10.5 to brand new machines running 10.8.4) have no problem accessing their network accounts. They can also access the outside world seamlessly. The server can be administered using Screen Sharing from client machines running recent versions of Mac OS (e.g., 10.8.4).

From the WAN side, some things work but others don't:

          – Macs can access the server using AFP://WWW.WW.WWW.WWW, although VPN needs to be running if we are off-campus

          – Macs CANNOT log in to the Network Account Server when outside the LAN. If I go to "Users & Groups", "Login Options" and enter the server address WWW.WW.WWW.WWW, I get "unable to add server" with a "Connection failed to the directory server (2100)" error message

          – I can no longer log in to the server using Screen Sharing. (This worked a few months ago, so I am not sure why this is failing.)

          – I worry that opening a DMZ to the server is unnecessary from a security standpoint, and I would be better with port forwarding specific ports (but which ones?)

I am open to new configurations if necessary, but I suspect this is something straightforward. I am also happy to RTFM for either the server or the router, but I'd like some guidance as to what is feasible/preferred. Specifically, I would particularly like students to be able to log in to the Network Account Server from outside the LAN.

The server does not do anything else (e.g., mail, web hosting).

Although we do have an IT support group in-house, their opinion seems to be that computers are security risks that should not fall into the hands of users. The mere mention of Apple products sets off a rant.

Thank you for your advice and suggestions.

Xserve, Mac OS X (10.6.8)
  • MrHoffman Level 6 (11,720 points)

    Ensure DNS services are working and stable.  On the server, launch Terminal.app from Applications > Utilities and issue the diagnostic command:

    sudo changeip -checkhostname

    Ensure that the VPN clients get the address of your on-LAN DNS server, and that all traffic is routed over the VPN.

    I'd get out of the 192.168.1.0/24 subnet.  VPNs will not work when both ends of the VPN connection are in the same subnet, as the underlying IP routing gets tangled.  The 192.168.0.0/24 and 192.168.1.0/24 subnets are the two most common choices on the planet, and there are much better private subnets available; subnets much less likely to conflict with VPN use.

    You'll need to probe the network and the vLANs for the issues connecting TCP port 5900; that's usually either a vLAN issue, a firewall issue, or the target server may have been reconfigured to disable screen sharing.  (Trust what your network folks tell you about the configuration, but always verify it.)

    There are a gazillion Linksys gateway-firewall-router boxes, of varying capabilities.  The configuration of this gateway device will definitely need to be investigated.  (I usually prefer to look to a slightly higher-end router than these, as many of the Linksys devices tend to target low-end and residential networks.)

    Somebody in senior management likely needs to assist you in achieving your goals here, and to assist your IT staff in better understanding and meeting the goals of the organization.
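The subnet-collision point in the reply above is easy to check mechanically. The following is an added example, not code from the thread or from Apple: it tests whether a VPN client's home LAN overlaps the office LAN (the 192.168.1.0/24 case described in the question), whether the server address 192.168.1.55 would be swallowed by the client's own on-link route, and picks a replacement office subnet from an assumed candidate list. The candidate subnets and the list of "common" client subnets are illustrative assumptions, not vendor guidance.

```python
"""Detect VPN address-space collisions between client LAN and office LAN.

Added example (not from the thread). The reply warns that a VPN breaks
when both ends are in the same subnet; this script makes that concrete.
"""
import ipaddress

# Subnets that residential routers and hotspots hand out by default.
# Assumed for illustration; 192.168.0.0/24 and 192.168.1.0/24 are the
# two the reply names as most common.
COMMON_CLIENT_SUBNETS = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("10.0.1.0/24"),
]

# Candidate office-side subnets (assumed). Any RFC 1918 range that is not
# a typical home default works; unusual second/third octets help.
CANDIDATE_LAN_SUBNETS = [
    ipaddress.ip_network("10.77.42.0/24"),
    ipaddress.ip_network("172.23.117.0/24"),
    ipaddress.ip_network("192.168.213.0/24"),
]


def collides(client_lan: str, server_lan: str) -> bool:
    """True if the two address ranges overlap, i.e. a client on client_lan
    cannot be given a usable VPN route to server_lan."""
    return ipaddress.ip_network(client_lan, strict=False).overlaps(
        ipaddress.ip_network(server_lan, strict=False)
    )


def server_hidden_by_client_lan(client_lan: str, server_ip: str) -> bool:
    """True if the server's address falls inside the client's own LAN.

    In that case the client's directly connected (on-link) route already
    covers the server address, so packets for it are typically sent to
    the local LAN rather than into the tunnel: the failure mode described
    in the reply.
    """
    return ipaddress.ip_address(server_ip) in ipaddress.ip_network(
        client_lan, strict=False
    )


def first_safe_lan(candidates=CANDIDATE_LAN_SUBNETS,
                   avoid=COMMON_CLIENT_SUBNETS) -> str:
    """Return the first candidate office subnet that overlaps none of the
    common client-side subnets; raise if every candidate collides."""
    for cand in candidates:
        if not any(cand.overlaps(common) for common in avoid):
            return str(cand)
    raise ValueError("no collision-free candidate subnet")


if __name__ == "__main__":
    # The thread's situation: office on 192.168.1.0/24, server 192.168.1.55,
    # student at home on a router that also hands out 192.168.1.0/24.
    print("collision:", collides("192.168.1.0/24", "192.168.1.0/24"))
    print("server masked by home LAN:",
          server_hidden_by_client_lan("192.168.1.0/24", "192.168.1.55"))
    print("suggested office subnet:", first_safe_lan())
```

Renumbering the office LAN only fixes the client side of the problem; the VPN server must also hand out client addresses and a DNS server address that live in the new range, as the reply's DNS point requires.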

  • Simon Turnill

    I am struggling with one of the same issues. I am unable to access my Open Directory server via my domain name or IP address via internet. The dot next to the network account server is red when I'm trying to connect via the internet. I get the error 2100 as well. VPN is fine, all ports on the router are open, and if I could VPN into the Server at the login window, network authentication would work, I'm sure. But you can't and it doesn't. A quandary. So any ideas would be much appreciated.

     

    Simon

  • MrHoffman Level 6 (11,720 points)

    We'll need some more details....

    Are you attempting to VPN directly into OS X Server, or are you using (as is my preference) a VPN server in your firewall-gateway device?

    (Why?  VPNs and NAT also work at cross-purposes.   The VPN wants to "know" the end-points of the connection, where NAT wants to hide that detail.)

    L2TP in particular generally gets tangled when more than one VPN is established through NAT.  Subsequent L2TP connections will generally get all but one of the connections kicked off.  PPTP is better here as it was built to try to deal with the NAT traversal, but PPTP is less secure than L2TP.  (Put another way, if you're testing VPN connectivity, try PPTP first.)

    Using a VPN server in the firewall-gateway box means the VPN processing for the connection can occur "before" the NAT processing.

    Rather than tangling with both VPN and OD together (either of which can kick the connection to the curb), I'd get the VPN working with a local user first, and — once that's stable and working — move to getting the OD connection working.

    Also (as mentioned up-thread) ensure DNS is working.  If that's not working from the OD server all the way through to the remote client DNS requests, OD probably won't work reliably.

  • MrHoffman Level 6 (11,720 points)

    I usually use either telnet (non-SSL/TLS ports) or openssl s_client (SSL/TLS ports) or maybe nc (for scanning ranges of TCP and UDP ports) to check access to specific ports from the command line, though it's very simple to run a port scan via Network Utility for this case.  Launch that remotely, and see what your client can see.

    Here is a list of the ports used by Apple (TS1629)   For Open Directory, you'll need at least TCP 389 or preferably 636 punched through your gateway and your local firewall, if you're not VPN'ing in.   If you're using your own DNS, you'll need TCP port 53 open (and this is mildly hazardous to your bandwidth, as more than a few folks are using DNS servers as part of DDoS attacks; they'll spoof queries and cause your DNS servers to send a reply at somebody else as part of the DDoS.  The DNS servers really need to be locked down against this dreck.)

    You may also need to aim your client's DNS explicitly at your own DNS server, if you're using a private domain and a private IP address space; if your servers don't have public IP addresses and public names.

    Personally, I generally wouldn't expose the Open Directory ports to the 'net, or most anything else for that matter.   I'd usually VPN into the network, and "DMZ" the web-facing stuff where I can.  Too much weird cruft is hitting the firewalls I'm monitoring, undoubtedly looking for weaknesses and vulnerabilities.  Using the VPN services isn't a panacea, but does mean your traffic is hidden from most monitoring, your servers' ports and services are relatively protected, your DNS services are your own, and your exposure is largely limited to the VPN server access.

    For the remote clients, I'd use Portable Home Directory for the wandering devices, or straight OD via VPN.
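The reply above suggests telnet, openssl s_client or nc to see which ports a remote client can actually reach, which is also the answer to the question's "port forwarding specific ports (but which ones?)". The following is an added example, not code from the thread or from Apple: it performs the same TCP-connect check from the client side for the services this thread is about, and reports which ones are blocked at the gateway. Port numbers for Open Directory (TCP 389/636), DNS (53) and Screen Sharing (5900) are taken from the thread; AFP on TCP 548 is the standard AFP port. The host name in the demo is a placeholder, not the poster's server, and the local listener exists only so the probe can be exercised offline. Per the reply's own advice, an "unreachable" 389/636 from the Internet is the desired state when users come in over the VPN instead.

```python
"""TCP reachability probe for the services discussed in this thread.

Added example (not from the thread). Run it from an off-LAN client to see
what the gateway actually lets through, instead of opening a full DMZ.
"""
import socket
import threading

# Service -> TCP port, limited to what the thread discusses.
SERVICES = {
    "ldap (Open Directory)": 389,
    "ldaps (Open Directory over TLS)": 636,
    "afp (file sharing)": 548,          # standard AFP port
    "vnc (Screen Sharing)": 5900,
    "dns (only if clients use the server's DNS)": 53,
}


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Attempt a TCP handshake; True on success, False otherwise.

    A silently dropped packet (firewall filter) surfaces as a timeout,
    a reachable-but-closed port as an immediate refusal; both are False.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_services(host: str, services=SERVICES, timeout: float = 3.0) -> dict:
    """Return {service_name: reachable?} for every entry in the table."""
    return {name: tcp_port_open(host, port, timeout)
            for name, port in services.items()}


def unreachable(results: dict, services=SERVICES) -> list:
    """List (port, service) pairs the client could not reach. Each one is
    either a forward the gateway still needs, or a service that is
    correctly kept off the Internet (e.g. OD behind the VPN)."""
    return [(services[name], name) for name, ok in results.items() if not ok]


def free_local_port() -> int:
    """Pick a 127.0.0.1 port with no listener (for the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_local_listener():
    """Accept-and-close listener on 127.0.0.1 for the offline demo.
    Returns (port, stop_callable)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


if __name__ == "__main__":
    # Offline demonstration: one listening port and one closed port.
    open_port, stop = start_local_listener()
    demo = {"demo-open": open_port, "demo-closed": free_local_port()}
    results = probe_services("127.0.0.1", demo, timeout=1.0)
    print(results)
    print("not reachable:", unreachable(results, demo))
    stop()
    # Real use from an off-campus client (placeholder host name):
    #   probe_services("server.example.edu")
```

The same table makes a useful checklist for the gateway: forward only the rows you intend to expose, and probe again from outside after each change so that the observed and intended exposure match.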
