HT202657: OS X Server (Mountain Lion): Advanced configuration of the Caching service

Israel Brewster

Q: Use caching server with multiple public Addresses?

According to the Apple documentation, to use the caching server, all clients need to share the same public address via NAT. On my network with many Macs, this would appear to make the caching service useless, as we have multiple public addresses to which our clients are NAT'ed (a full class C, to be exact). Is there any way around this restriction, or am I simply going to be unable to use what looks like it would be a highly useful service?

Posted on Feb 13, 2013 10:35 AM

  • by Taffy Apple_,

    Taffy Apple_ Nov 4, 2013 1:51 PM in response to logant1337
    Level 1 (0 points)

    If your sites have their own external 'Public' IP then you'd want a caching server at each site. After a week or so of testing we've found it great for delivering cached Apps (iOS & Mac) to Macs but not so great for delivering to iOS devices.

  • by Camelot,

    Camelot Nov 4, 2013 10:03 PM in response to logant1337
    Level 8 (47,233 points)
    Mac OS X

    So if we can set up the firewall NAT rule, we can get away with just 1 caching server (unless of course it gets overloaded and we need another).

    The OP's original problem was that one server for multiple locations wasn't viable since it would overload the WAN links between the hub and each location. This may or may not be an issue for you, depending on your network topology, but it's something to consider.

     

    So does anyone have the information needed to create a custom NAT in the firewall?

     

    No one here can answer that for you since we don't know what router/firewall you're using.

    You may be thinking of using the firewall built into Mac OS X, but this will not be appropriate here. You need to look at whatever device is performing NAT at your network edge. I highly doubt that's a Mac OS X Server.

  • by logant1337,

    logant1337 Nov 5, 2013 5:57 AM in response to Camelot
    Level 1 (0 points)

    Overloading the WAN links shouldn't be a problem. The only problem I could see is that we are running this on a Mac Mini and I could see that getting overloaded. So having additional ones to share the load may be needed.

     

    As far as the custom NAT rule, I'm not looking for directions or anything (and I'm not the firewall guy here). I'm looking for the information such as URLs, IPs, ports, etc. that we would need to create a rule. I'm assuming we could set a rule saying any traffic going to these locations uses this public IP. If I can get this information, I can give it to our firewall guy and see what he can do with it.

     

    Thanks!

  • by K-12 Admin,

    K-12 Admin Jan 15, 2014 5:24 AM in response to Camelot
    Level 1 (0 points)

    Does anyone ever answer a question without a question in these forums? Can anyone point to a white paper, or design guide to use this? Servicing over 35,000 in a school district, it is not even an option to have one outbound address when we are multi-homed (multiple ISP providers). So if I want to direct all of my traffic down one pipe to Apple represented by one IP address... what is the address range I would create the rule with? Searching Apple support I can find no design guides or references... just a bunch of people chiming in with more problems.

  • by logant1337,

    logant1337 Jan 16, 2014 7:50 AM in response to K-12 Admin
    Level 1 (0 points)

    I contacted Apple to ask them about the IP addresses I would need and they pointed me here: http://support.apple.com/kb/ht3923. They said it would be the same addresses for the caching server. So we created a rule with those as the destination and it didn't do anything.

     

    Apple owns the entire 17.0.0.0/8 range. So we tested a rule by saying any traffic going to 17.0.0.0/8 will get a specific external IP, which is the same external IP as the caching server. That worked great. But we would really like to be able to narrow it down to more specific IP addresses. However, as we monitor a device going out to get updates, we seem to get different IP addresses every time.

  • by logant1337,

    logant1337 Jan 16, 2014 11:15 AM in response to logant1337
    Level 1 (0 points)

    After testing the last few hours, I found that the network of 17.173.66.0/24 seems to be Apple's update servers for apps. So I've created a rule and have apps from 3 of our schools caching now.

  • by Nathan Carter1,

    Nathan Carter1 Jan 28, 2014 8:53 AM in response to logant1337
    Level 1 (0 points)

    This is exactly what we want to do, but I'm not sure what needs to be done or even what to google to get it done.  What changes exactly did you need to make in your firewall?  What kind of firewall are you working with?

  • by logant1337,

    logant1337 Jan 28, 2014 9:09 AM in response to Nathan Carter1
    Level 1 (0 points)

    Hi Nathan,

     

    We are using a Checkpoint firewall. Here's what we did:

     

    • Added the Apple Cache server as a host with a single, unique external IP address
    • Created a group (Group_AppleCacheTest) and added the network ranges for each of our 3 sites we wanted to cache (this was just to test as we didn't want to change all 50 sites at once without first testing to make sure it worked)
    • Added Apple's network as a network with the 17.173.66.0/24 IP range
    • Created a NAT rule
      • Original Packet Source: Group AppleCacheTest
      • Original Packet Destination: Network 17.173.66.0/24
      • Original Packet Service: Any
      • Translated Packet Source: Host Apple Cache Server
      • Translated Packet Destination: Original
      • Translated Packet Service: Original

     

    So basically we just wanted to create a rule to make any traffic from our test sites to 17.173.66.0/24 use the same external IP as the Apple Cache Server. As long as the external IP is the same, the information gets cached. Eventually I believe we'll be removing the group of 3 sites and just cache all sites on our network (so the Original Packet Source would just be Any).

     

    Hope this helps!

     

    -Logan
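
The NAT rule described in the post above, modelled as an added example that is not part of the original thread: a small first-match NAT evaluator that reports which Apple-bound flows leave with a public address other than the caching server's. The site subnets, public addresses, flow samples and first-match ordering are constructed assumptions; only 17.173.66.0/24 and 17.0.0.0/8 come from the thread.

```python
import ipaddress as ipa
from dataclasses import dataclass

@dataclass
class NatRule:
    sources: list        # networks matched as Original Packet Source
    destination: object  # network matched as Original Packet Destination
    translated: object   # public address written as Translated Packet Source

def net(cidr):
    return ipa.ip_network(cidr)

# Constructed addressing (RFC 1918 sites, RFC 5737 public IPs); only
# 17.173.66.0/24 and 17.0.0.0/8 are taken from the thread.
CACHE_PUBLIC = ipa.ip_address("203.0.113.10")   # cache server's unique external IP
APPLE_ALL = net("17.0.0.0/8")
TEST_GROUP = [net("10.1.0.0/16"), net("10.2.0.0/16"), net("10.3.0.0/16")]
RULES = [  # assumed to be evaluated top-down, first match wins
    NatRule(TEST_GROUP, net("17.173.66.0/24"), CACHE_PUBLIC),
    NatRule([net("10.1.0.0/16")], net("0.0.0.0/0"), ipa.ip_address("203.0.113.21")),
    NatRule([net("10.2.0.0/16")], net("0.0.0.0/0"), ipa.ip_address("203.0.113.22")),
    NatRule([net("10.3.0.0/16")], net("0.0.0.0/0"), ipa.ip_address("203.0.113.23")),
    NatRule([net("10.4.0.0/16")], net("0.0.0.0/0"), ipa.ip_address("203.0.113.24")),
]

def egress_ip(src, dst, rules=RULES):
    """Public source address the destination sees for a src -> dst flow."""
    s, d = ipa.ip_address(src), ipa.ip_address(dst)
    for rule in rules:
        if d in rule.destination and any(s in n for n in rule.sources):
            return rule.translated
    return None  # no NAT rule matched

def uncached_apple_flows(flows, rules=RULES):
    """Apple-bound flows leaving with a public IP other than the cache server's."""
    return [(s, d) for s, d in flows
            if ipa.ip_address(d) in APPLE_ALL and egress_ip(s, d, rules) != CACHE_PUBLIC]

# Constructed flow samples of the kind a firewall log would provide.
FLOWS = [
    ("10.1.4.20", "17.173.66.102"),  # test site, inside the /24
    ("10.3.9.7", "17.173.66.18"),    # test site, inside the /24
    ("10.4.2.5", "17.173.66.102"),   # site not yet in the test group
    ("10.2.8.8", "17.154.66.10"),    # test site, Apple address outside the /24
    ("10.1.4.20", "198.51.100.80"),  # non-Apple traffic keeps the site address
]

if __name__ == "__main__":
    for flow in uncached_apple_flows(FLOWS):
        print("leaves with a non-cache public IP:", flow)
```

Running the same flow list against a candidate rule set before deploying it shows which sites and which Apple destinations would still bypass the cache, without widening the rule to all of 17.0.0.0/8 blindly.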

  • by Nathan Carter1,

    Nathan Carter1 Jan 28, 2014 9:32 AM in response to logant1337
    Level 1 (0 points)

    Very helpful.  Thanks very much!

  • by computeronix,

    computeronix Sep 18, 2014 5:06 AM in response to Israel Brewster
    Level 1 (0 points)

    By the way, in the OS X Server 4.0 Developer Preview notes, it appears caching server will support multiple public IPs.

     

    Caching Server

    • IP address range registration to support caching content in non-NAT’ed networks.

  • by vincefromtemecula,

    vincefromtemecula Nov 5, 2014 3:15 PM in response to computeronix
    Level 1 (5 points)

    After playing with caching server in Server 4.0 I don't think this is the case. From what I can tell it supports the following configurations:

     

    1. Supporting clients that NAT to the same public IP as the caching server.

     

    2. Supporting clients that don't NAT at all, and instead are issued public IPs directly. A DNS record is required for these internal clients (using public IPs) to find the caching server.

     

    It still doesn't support the scenario we want, which is internal clients that NAT to a different public IP than the caching server. Or if it does, I can't figure out how to make it work and the documentation does not spell out this scenario like it does the others.

  • by computeronix,

    computeronix Nov 5, 2014 4:17 PM in response to vincefromtemecula
    Level 1 (0 points)

    We also have an engineering ticket opened and are having Apple's engineers review this. I tested the same thing as you mentioned; it did not work for us either.

     

    Who assigns public IP addresses directly to workstations anymore?

  • by simon@ifoam,

    simon@ifoam Nov 13, 2015 8:13 AM in response to computeronix
    Level 1 (9 points)

    I would like to bump up this topic now after one year and Server 5 being released apparently with the same limitations.

     

    Cross-link to another related topic: Re: How do I create a TXT record?

     

    Enlightenment anywhere?

  • by simon@ifoam,

    simon@ifoam Nov 19, 2015 12:26 AM in response to simon@ifoam
    Level 1 (9 points)

    I think the question was solved in the above-mentioned topic.

    Caching services work with multiple IP addresses, regardless of NAT or no NAT.
