Set-up Gateway configuration

Has anyone been able to set up a Mac Server as a gateway in a network using static IPs?

I have a PM G4 with a 2nd PCI LAN card using 10.4 server. I have a different subnet than what is being used as the default subnet that Gateway assistant uses.

Would anyone be helpful and share their settings with me before my IT contractor drops off a Dell server?

Posted on Sep 7, 2005 8:48 PM

4 replies

Sep 9, 2005 3:58 PM in response to Stephen Hsieh

Why would you go from a mac server to a dell just for a gateway?

If a Gateway and Firewall is all you need then I would not use OS X Server or any form of Windoze for it. Aside from being a bad idea to use windoze at all, neither one of these servers is what I would term a "real" gateway device. It is more of a second task for them. There are lots of Firewall/Gateway Appliances out there that will do all of the functions of either of them and provide you with even more network features. (traffic shaping to mention one)

What is your Goal here? Idea of a budget?

Sep 14, 2005 3:35 AM in response to Stephen Hsieh

Stephen,

Assuming you want server and gateway functionality which, according to Apple, gives you a secure and highly functional setup for a small business or school and which I chose for my business, I present the following (comments upon which are more than welcome):-

Guide to installation and configuration of Apple's OS X 10.4.0 server as a gateway/proxy server. I've been helped a little in the past by an article written by Jason Bruder on how to install and configure a Mac OS X 10.3.6 server as a gateway:-
http://macsig.si.umich.edu/public/viewHowTo.php?HowToID=46

Use is made of both built-in Ethernet ports on Apple's Xserve. If use is made of "external" NICs, there's no guarantee things will work as expected.

My set-up is as follows:-

ADSL / Broadband internet --> Modem --> XServe (en0 / Ethernet interface 1, physically below interface 2!)
XServe (en1 / Ethernet interface 2) -->
A switch --> Ethernet Macs & Windows client computers
Same switch --> Airport (WAN interface) --> wireless Mac client computers

1. Ensure the modem is configured as a bridge. If it has an "internal" IP address, it must be in the same subnet as the public IP address given to you by your ISP which you're going to give to the external interface of your server. I gave my modem a public, "stolen" IP address very similar to my given public address which could be in use elsewhere in the internet domain but which, however, is not visible to external internet users the other side of my modem.

2. Just to be sure of not being attacked during your installation and when your firewall is not yet configured, turn your internet connection off. However, ensure there are at least ethernet cables plugged into both ethernet interfaces on the server.

3. If it's not the first installation on the machine, reset NVRAM (just in case this affects a clean installation!) Also, reformat the target partition or volume, overwriting with zeroes.

4. Install Tiger server.

5. Don't yet choose to have your clock set by an external server (your internet connection is turned off.)

6. Configure the external (internet) interface manually with your given, public IP address.
I used en0 instead of en1 as the external interface although I don't think it matters provided that it is listed above the internal interface in the list of network interfaces in the Network panel of System Preferences. For "router", enter the "stolen" IP address referred to above. For "DNS servers", at the top of your list, enter 192.168.2.1 if you decided to use en0 as your external interface or, enter 192.168.1.1 if en1 plays this role. This entry should be followed by the IP addresses of your ISP's DNS servers.

7. Don't configure your internal interface now. Leave it at its default setting of "configure using DHCP" - you'll configure it later using the new, "Gateway Setup Assistant".

8. For the computer name, give a Fully Qualified Domain Name (FQDN) with at least three components such as, myserver.mydomain.com. If you don't have a domain name and don't think you will in the future, just dream up a FQDN. This avoids any problems later with trying to get Kerberos running for an Open Directory Master usage of your server.

9. It's best initially to configure your server as a Standalone server rather than choosing any of the other options as there is more configuration to complete before you can successfully run as an Open Directory Master.

10. From the list of services to set running in the initial installation, choose only Netboot.

11. After the server reboots, log in as "root" and repair file permissions (a recommended course of action after every upgrade or installation). There is an option for doing this from within Disk Utility or if you prefer, from within Terminal, you can issue the following two commands:-
/sbin/mount -uw /
/usr/sbin/diskutil repairPermissions /

12. Log out of root and in as your previously defined user.

13. Within Server Admin,

Sep 14, 2005 3:43 AM in response to Stephen Hsieh

13. Within Server Admin, configure the firewall for "any", your external interface, turn it on and quit SA.

14. Connect to the internet in preparation for updating the software on your server. Set your server's clock to be calibrated by one of Apple's time servers. While it's true you can update from within Server Admin and you'd get a log of your downloads, I've found it to be faulty at times and prefer to go to the System Preferences panel for "Software Update". Download the updates and repair file permissions again.

In order to save disk space, I used to delete the downloaded update software packages from Library/Receipts. I've stopped doing this now as their removal can / used to hinder the repairing of Permissions. Secondly, software update sometimes finds an update to be downloaded and installed even though you've installed it once already. Finally, not an awful lot of disk space is taken up by the packages.

15. Start Server Admin and from View in the top menu, choose "Gateway Setup Assistant". This is easy to use. If desired, you can easily configure VPN services later from within Server Admin.

16. Gateway Setup Assistant will configure your internal Ethernet interface with a commonly used LAN IP address of 192.168.2.1 or 192.168.1.1 as explained in 6, above. From within System Preferences --> Network --> Built-in Ethernet 1/2 (choose the internal interface), in DNS Servers, enter this same assigned LAN IP address, as this isn't automatically entered by the Gateway Assistant.

17. It's possible, if you wish, to change the LAN IP address assigned by Gateway if it's not so easy to change the IP address of other devices on your LAN such as printers, Airport Base Stations or whatever to fall within the same subnet mask. Log in as root and issue the following command from within Terminal,
changeip - <old IP address> <new IP address>
e.g. changeip - 192.168.2.1 10.0.0.148

Reboot the server. Within System Preferences --> Network, change your old IP address to the new one.

18. Start Server Admin, connect to your server, select DNS and Settings.
Deselect, Zone Transfers.
Select Zones and the plus sign to add a new zone. Make the following entries:-
Zone Name: mydomain.com
Server Name: myserver
Server IP Address: 192.168.2.1 (for example - it's your private LAN IP address)
Administrator email: admin@mydomain.com
Zone is valid for: 24 hours (for example)

Select Machines and enter your other devices with fixed IP addresses (printers, Airport Base Stations etc.)
Select the entry for "myserver" and add whatever alias entries you wish including ones for "www" and for "kerberos".

19. Still within Server Admin, select, DHCP
Select and edit the interface made active for you by Gateway.
Under, General, make whatever changes you see fit and ensure, Router has your assigned, private LAN IP (e.g. 192.168.2.1)
Under DNS:-
Default Domain: mydomain.com
Name Servers: your LAN IP
Under LDAP, if you wish, make entries that will be sent to client computers along with a DHCP assigned IP address. I didn't make any entries here as DHCP supplied LDAP information is not as secure as a binding that can be established between a client and your server.
Under WINS:-
WINS / NBNS Primary Server: your LAN IP
NBT Node Type: Broadcast (b-node)

20. Server Admin --> NAT
Check the correct External interface is selected
If NAT is not enabled elsewhere on your network and you wish to share one internet interface with more than one client, ensure "IP Forwarding and NAT" is selected and not just "IP Forwarding only".

21. Server Admin --> AFP --> Access
Ensure "Enable Guest access" is checked.
Start AFP

22. Server Admin --> Web --> Settings --> Proxy
Check, "Enable Proxy" and start the service.

23. Reboot the server.

Points 24 - 26 are only for changing the role of your server to be that of an Open Directory Master. Initially, I configured with the least stringent security, without using S

Sep 14, 2005 3:45 AM in response to Stephen Hsieh

Points 24 - 26 are only for changing the role of your server to be that of an Open Directory Master. Initially, I configured with the least stringent security, without using SSL, certificates or whatever, just to get it working!

24. Start Terminal and check the following:-
hostname should give you your FQDN e.g. myserver.mydomain.com

If you don't get your FQDN, your server might be getting the hostname from your ISP, as mine was. There are those who recommend editing the unix configuration file, /private/etc/hostconfig and changing the entry for HOSTNAME=-AUTOMATIC- to
HOSTNAME=myserver.mydomain.com and rebooting. However, I read somewhere that if you do this, you miss out on something else within Bonjour and/or Kerberos. Indeed, I've tried it myself but without 100% success. Instead, you can play a trick upon your server! Go to System Preferences --> Network --> Network Port Configurations and position your internal Ethernet interface to be above your external interface. Click, Apply Now. Reboot your server. Now, if you go to Terminal, hostname should give you your FQDN.

Check also, you can do a reverse look-up of your FQDN:-
host myserver.mydomain.com should give you your LAN IP address e.g. 192.168.2.1
host 192.168.2.1 should give you myserver.mydomain.com

25. If you have success with 24, above, back in Server Admin --> Open Directory, you should be able to make your server an Open Directory Master, should this be desired. For the default Realm Name, you should see, capitalised, your FQDN. If not, go back and check the steps you took. I've found that if your Realm Name is something else, you get trouble further down the line. For the search base, don't make an entry for all components of your FQDN e.g. enter only, dc=mydomain,dc=com
Restart your server, if you change its role.
Within Workgroup Manager, ensure the directory you're viewing is /LDAPv3/127.0.0.1 and change the password of your LDAP administrator so their new password will sit within the newly configured LDAP structure.

26. Go back to System Preferences and make your external Ethernet interface to be your primary interface by repositioning it above your LAN interface. Click, Apply Now. Reboot your server.
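The addressing rules the guide leans on (step 1: modem in the public subnet; steps 6 and 16: the LAN IP heading the DNS list; step 17: a private LAN subnet separate from the external one) and the three step-24 lookups can be checked before the firewall is ever opened. The following is an added example, not code from the thread or from Apple; the public addresses, domain and command outputs it uses are constructed placeholders.

```python
# Added example (not from the thread): validate the gateway addressing and the
# hostname / forward / reverse lookups from the guide.  All sample values are
# constructed placeholders (203.0.113.0/24 is a documentation range).
import ipaddress
from typing import List

# RFC 1918 private ranges: the LAN side of the gateway should live here.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_gateway_addressing(external_ip: str, external_mask: str, modem_ip: str,
                             external_dns: List[str], lan_ip: str, lan_mask: str) -> List[str]:
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    ext_net = ipaddress.ip_interface(f"{external_ip}/{external_mask}").network
    lan_net = ipaddress.ip_interface(f"{lan_ip}/{lan_mask}").network
    lan = ipaddress.ip_address(lan_ip)
    modem = ipaddress.ip_address(modem_ip)
    # Step 1: the modem's "router" address must sit in the same subnet as the public IP.
    if modem not in ext_net:
        problems.append(f"router {modem_ip} is not in the external subnet {ext_net}")
    # Step 16/17: the LAN interface should use private address space ...
    if not any(lan in n for n in PRIVATE):
        problems.append(f"LAN address {lan_ip} is not in private address space")
    # ... and must not overlap the external subnet, or NAT and routing become ambiguous.
    if ext_net.overlaps(lan_net):
        problems.append(f"LAN subnet {lan_net} overlaps external subnet {ext_net}")
    # Step 6: the server's own LAN IP heads the DNS list on the external interface.
    if not external_dns or ipaddress.ip_address(external_dns[0]) != lan:
        problems.append("first DNS server on the external interface should be the LAN IP")
    return problems


def check_name_consistency(fqdn: str, lan_ip: str, hostname_out: str,
                           forward_out: str, reverse_out: str) -> List[str]:
    """Check that `hostname`, `host <fqdn>` and `host <lan_ip>` (step 24) agree."""
    problems = []
    if hostname_out.strip() != fqdn:
        problems.append(f"hostname reports {hostname_out.strip()!r}, expected {fqdn!r}")
    # Expected shape of `host myserver.mydomain.com`: '<fqdn> has address <ip>'
    if not forward_out.strip().endswith(f"has address {lan_ip}"):
        problems.append(f"forward lookup of {fqdn} does not resolve to {lan_ip}")
    # Expected shape of `host 192.168.2.1`: '<rev>.in-addr.arpa domain name pointer <fqdn>.'
    if not reverse_out.strip().rstrip(".").endswith(f"domain name pointer {fqdn}"):
        problems.append(f"reverse lookup of {lan_ip} does not name {fqdn}")
    return problems
```

Feed it the values from System Preferences and the captured output of the three Terminal commands; any returned string points at the step to revisit.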
