So If we can set up the firewall NAT rule, we can get away with just 1 caching server (unless of course it gets overloaded and we need another).
The OP's original problem was that one server for multiple locations wasn't viable since it would overload the WAN links between the hub and each location. This may or may not be an issue for you, depending on your network topology, but it's something to consider.
So does anyone have the information needed to create a custom NAT in the firewall?
No one here can answer that for you since we don't know what router/firewall you're using.
You may be thinking of using the firewall built-in to Mac OS X, but this will not be appropriate here. You need to look at whatever device is performing NAT at your network edge. I highly doubt that's a Mac OS X Server.
Overloading the WAN links shouldn't be a problem. The only problem I could see is that we are running this on a Mac Mini and I could see that getting overloaded. So having additional ones to share the load may be needed.
As far as the custom NAT rule, I'm not looking for directions or anything (and I'm not the firewall guy here). I'm looking for the information such as URLs, IPs, ports, etc that we would need to create a rule. I'm assuming we could set a rule saying any traffic going to these locations uses this public IP. If I can get this information, I can give it to our firewall guy and see what he can do with it.
Does anyone ever answer a question without a question in these forums? Can anyone point to a white paper, or design guide to use this? Servicing over 35,000 in a school district, it is not even an option to have one outbound address when we are multi homed (mulitiple ISP providers) So if I want to direct all of my traffic down one pipe to Apple represented by one ip address... what is the address range I would create the rule with? Searching Apple support I can find no design guides or references... just a bunch of people chiming in with more problems.
I contacted Apple to ask them about the IP addresses I would need and they pointed me here: http://support.apple.com/kb/ht3923 They said it would be the same addresses for the caching server. So we created a rule with those as the destination and it didin't do anything.
Apple owns the entire 18.104.22.168/8 range. So we tested a rule by saying any traffic going to 22.214.171.124/8 will get a specific external IP, which is the same external IP as the caching server. That worked great. But we would really like to be able to narrow it down to more specific IP addresses. However, as we monitor a device going out to get updates, we seem to get different IP addresses every time.
We are using a Checkpoint firewall. Here's what we did:
- Added the Apple Cache server as a host with a single, unique external IP address
- Created a group (Group_AppleCacheTest) and added the network ranges for each of our 3 sites we wanted to cache (this was just to test as we didn't want to change all 50 sites at once without first testing to make sure it worked)
- Added Apple's network as a network with the 126.96.36.199/24 IP range
- Created a NAT rule
- Original Packet Source: Group AppleCacheTest
- Original Packet Destination: Network 188.8.131.52/24
- Original Packet Service: Any
- Translated Packet Source: Host Apple Cache Server
- Translated Packet Destination: Original
- Translated Packet Service: Original
So basically we just wanted to create a rule to make any traffic from our test sites to 184.108.40.206/24 use the same external IP as the Apple Cache Server. As long as the external IP is the same, the information gets cached. Eventually I belive we'll be removing the group of 3 sites and just cache all sites on our network (so the Original Packet Source would just be Any).
Hope this helps!