OS X Snow Leopard Server 10.6.5 VPN setup - Need help from end users!

I need anyone that has had a basic MAC OS X 10.6.4/5 VPN setup experience to help me with the following; I need to access my server remotely (from Home and/or remote location) whereby not only do I access the server, but three additional iMACs that are also part of the LAN segment (i.e., 192.168.2.XX) network, each with its own public IP address and that address being NAT'ed into the 192.168.2.XX for each desktop and the server itself.

Every time I turn on the MAC OS X Firewall Services, I can't even log into the Open Directory server/file server as an existing user because it doesn't authenticate me. When the firewall services are turned OFF, I am able to log into the server without any problems at all, however, I still don't know where to begin in setting up my VPN service, what ports to open in the "internal" firewall services (if it needs to be open at all) and what to do next on my actual gateway appliance (which happens to be a "new" SONICWALL NSA 240 VPN Firewall.)

HERE IS MY SCENARIO-

Maybe someone can help me set up a first time VPN on my Mini MAC Server running 10.6.5

I have the following MAC Mini Server:
- Running 10.6.5 OS X Snow Leopard Server software
- DNS Service resolves perfectly for all LAN client iMACs and PCs as well.
- We have the following services running:

1. DNS
2. PRINT
3. VPN
4. AFP
5. SMB
6. Open Directory (perfectly running, I might add ...)
7. Push Notification Service
8. DHCP Services
9. Firewall Services (NOT TURNED ON BECAUSE IT RESTRICTS Users logging into domain - DON'T KNOW WHY YET !)

SERVER IP ADDRESS:
Server has one Ethernet LAN IP under 192.168.2.25/255.255.255.0

CLIENT MACHINE DETAILS:
I have three client machines, each with static IPs already assigned and that are also joined to the domain (192.168.2.25) server machine described above.

OBJECTIVE:
To be able to log in directly to the server, or any one of the target iMACs (with fixed IP addresses) via a VPN Tunnel that I can configure in each remote iMAC (Home machines). How do I forward the ports? Where is the forwarding to take place (internal MAC Mini Server FIREWALL?) or the SonicWall LAN/WAN Firewall appliance?

OTHER EQUIPMENT:
I also have a SonicWall NSA 240 Firewall in between the above described network (my Gateway with IP 192.168.2.254) that sits in between my Cisco 1821 Router that has a single T-1 interface out to the internet.

What do I need to use in order to establish a clean, not too difficult VPN directly into my 192.168.2.25 server? And also, into each client machine?

I really need help with this ?

Any suggestions would be appreciated!

MAC Mini Server OS X 10.6.5, Mac OS X (10.6.5)

Posted on Dec 10, 2010 5:52 PM


Dec 10, 2010 7:52 PM in response to jasystems

1. If you turn the server firewall on almost nothing is going to work. It is configured to be very strict and you have to manually configure which ports you want open. Unless you need a very secure private network (i.e. you don't want users on your private LAN to access certain ports or services on your Mac mini server) then I would leave it off. Since you have one or more firewalls already setup between the public internet and your private LAN you are likely fine.

2. I can't really visualize how you have your network setup but I'll tell you how my VPN setup is configured (very simple honestly). I have my Mac mini server connected to my Time Capsule which is connected to my cable modem. The Time Capsule acts as the DHCP server and firewall and I don't have the firewall on the server running (the only people who access my server privately are myself and my wife).

I'm using L2TP as my VPN service and the ports needed to forward for this service are UDP ports 500, 1701, and 4500. I don't know exactly how many firewalls you have setup but every firewall in between your server and the public internet will need to have those ports forwarded (assuming you are going to use L2TP).

Dec 10, 2010 9:48 PM in response to jasystems

You really have two options here.

Your SonicWall Firewall has a built-in VPN server, so you could configure that, point your remote client to the SonicWall's address and you're set - the remote machine will be given an address in your internal (192.168.2.x) LAN and will be able to communicate with all the other machines on the LAN.

The other option is to configure the VPN server on your Mini, in which case you'll need to configure port forwarding on the SonicWall so that the VPN traffic (the UDP ports listed above) is passed through to the server.

The advantage of running on the Mac is that it's automatically tied into the directory system on your Mac, so any user in your Mac's directory will be able to establish a VPN connection. The downside is that it's a little more complex to set up due to the port forwarding requirements.

In either case, once the VPN connection is established your remote Mac will be able to communicate with any machine on the LAN (the Mini, other clients, printers, etc.). The only thing that won't work will be auto-discovery (e.g. Bonjour), so VPN-based servers won't appear in your Finder's sidebar, for example. To overcome this you'll need to make sure your LAN DNS is working properly or know the IP address of each machine on your LAN.

Jan 10, 2011 8:40 AM in response to jasystems

From page 72 of the Open Directory Admin Guide ( http://images.apple.com/server/macosx/docs/OpenDirectory_Adminv10.6.pdf):

"Set up the firewall service to block all ports except those listed here for directory, authentication, and administration protocols:

- Open Directory Password Server uses ports 106 and 3659.

- The Kerberos KDC uses TCP/UDP port 88, and TCP/UDP port 749 is used for Kerberos administration.

- The shared LDAP directory uses TCP port 389 for an ordinary connection and TCP port 636 for an SSL connection.

- When creating an Open Directory replica, keep port 22 open between the master and prospective replica. This port is used for SSH data transfer, which is used to transfer a complete, up-to-date copy of the LDAP database. After initial replica setup, only the LDAP port (389 or 636) is used for replication.

- Workgroup Manager uses TCP port 311 and 625.

- Server Admin uses TCP port 311.

- SMB uses TCP/UDP ports 137, 138, 139, and 445."
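The two port lists in this thread (the L2TP/IPsec UDP ports in the first reply and the Open Directory, Kerberos, LDAP, admin and SMB ports quoted from the Admin Guide above) explain the original poster's symptom: with the 10.6 firewall service on and none of those ports allowed, directory logins fail. The script below is an added example, not code from the thread or from Apple. It takes an ipfw-style rule listing (the rule shape "[num] allow <proto> from any to any dst-port N in" is an assumption about how the Snow Leopard firewall service writes rules), reports which of the required ports are still blocked per service, and emits allow rules for the gaps. The sample rule set is constructed for the example, the rule numbers are arbitrary, and the Password Server ports are assumed to be TCP (the guide excerpt does not state the protocol).

```python
import re
from typing import Dict, List, Set, Tuple

Port = Tuple[str, int]  # (protocol, port number)

# Ports quoted in the replies above: Open Directory / admin ports from the
# Admin Guide excerpt and the L2TP/IPsec ports from the first reply.
# The Password Server protocol is not stated in the quote; TCP is assumed.
REQUIRED_PORTS: Dict[str, List[Port]] = {
    "Open Directory Password Server": [("tcp", 106), ("tcp", 3659)],
    "Kerberos KDC": [("tcp", 88), ("udp", 88)],
    "Kerberos administration": [("tcp", 749), ("udp", 749)],
    "LDAP": [("tcp", 389), ("tcp", 636)],
    "Workgroup Manager": [("tcp", 311), ("tcp", 625)],
    "Server Admin": [("tcp", 311)],
    "SMB": [(p, n) for n in (137, 138, 139, 445) for p in ("tcp", "udp")],
    "L2TP/IPsec VPN": [("udp", 500), ("udp", 1701), ("udp", 4500)],
}

ANY: Port = ("ip", 0)  # marker for a blanket "allow ip from any to any" rule

# Minimal parser for ipfw-style allow rules. Assumed rule shape:
# "[num] allow <tcp|udp|ip> from any to any [dst-port N] [in]".
# Deny rules, loopback rules ("via lo0") and comments do not match and are
# ignored, which is the conservative choice for an allow-list check.
_RULE_RE = re.compile(
    r"^\s*(?:\d+\s+)?allow\s+(tcp|udp|ip)\s+from\s+any\s+to\s+any"
    r"(?:\s+dst-port\s+(\d+))?(?:\s+in)?\s*$", re.IGNORECASE)


def parse_allowed(rules_text: str) -> Set[Port]:
    """Return the set of (proto, port) pairs the rule listing allows inbound."""
    allowed: Set[Port] = set()
    for line in rules_text.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue
        proto, port = m.group(1).lower(), m.group(2)
        if proto == "ip" and port is None:
            allowed.add(ANY)  # everything open, equivalent to firewall off
        elif proto in ("tcp", "udp") and port is not None:
            allowed.add((proto, int(port)))
    return allowed


def missing_ports(required: Dict[str, List[Port]],
                  allowed: Set[Port]) -> Dict[str, List[Port]]:
    """Map each service to the required ports the rule set does not allow."""
    if ANY in allowed:
        return {}
    missing: Dict[str, List[Port]] = {}
    for service, ports in required.items():
        gaps = [p for p in ports if p not in allowed]
        if gaps:
            missing[service] = gaps
    return missing


def ipfw_fix_rules(missing: Dict[str, List[Port]],
                   first_rule: int = 2000, step: int = 10) -> List[str]:
    """Emit one allow rule per missing port (ports shared by services, such as
    311, are emitted once). Rule numbers are arbitrary placeholders."""
    ports = sorted({p for gaps in missing.values() for p in gaps})
    return [f"ipfw add {first_rule + i * step} allow {proto} "
            f"from any to any dst-port {port} in"
            for i, (proto, port) in enumerate(ports)]


# Constructed sample of a strict rule set: only SSH, AFP and SMB/TCP allowed.
SAMPLE_RULES = """\
01000 allow ip from any to any via lo0
01010 allow tcp from any to any dst-port 22 in
01020 allow tcp from any to any dst-port 548 in
01030 allow tcp from any to any dst-port 445 in
65535 deny ip from any to any
"""

if __name__ == "__main__":
    gaps = missing_ports(REQUIRED_PORTS, parse_allowed(SAMPLE_RULES))
    for service, ports in gaps.items():
        print(f"{service}: blocked {', '.join(f'{p}/{n}' for p, n in ports)}")
    print("\n".join(ipfw_fix_rules(gaps)))
```

Run against the sample rule set, the report shows Kerberos, LDAP and the Password Server ports all blocked, which is exactly the "firewall on, nobody can authenticate" state the poster describes; with a blanket "allow ip from any to any" rule the report is empty.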
