Dual ethernet connection on OS X server

I bought an Apple USB to Ethernet adaptor for my Mac Mini in order to create a second connection for external access. The connection works fine, but how do I dictate which services go through where? In Server.app, it only allows configuration for one network interface. I want to let all AD authentications for profile manager go through the local network and all other traffic such as web and APNS go through the external network.

Mac mini, Mac OS X (10.7.3)

Posted on Feb 29, 2012 2:45 PM

8 replies

Feb 29, 2012 3:31 PM in response to cheers12

You misunderstand IP networking.


The choice of interface is dictated by IP address, not port (or service).


The OS knows the IP subnet assigned to each interface, and traffic for each subnet will go out the appropriate interface.

In addition, the OS has one or more routes defined that tell it where to send traffic for non-local networks. Commonly you have one default route defined, so all non-local traffic is sent to that address (typically your router).


The OS doesn't care whether the traffic is HTTP, SMTP, Open Directory, or anything else. All it knows is that the connection is to a specific IP address and that IP address is reached through a specific interface/route combination.


Now, there is a twist to this, in that when you're running a service you can define which interface(s) the service listens on. This means that requests for a service (e.g. HTTP, OD, etc.) only work on interfaces that are configured, and others are dropped, but the same rules of IP routing still apply.


If you want to restrict services you have two options. One is to use the firewall to block connections on the interfaces you don't want. The other is to edit the services' individual configuration file to set which interface(s) are active. Unfortunately there are almost as many ways of doing this as there are services - each service can have its own option. Server Admin/Server.app only provide this kind of option for certain services.

Apache, for example, lets you set up the IP address/port combinations in each site's configuration file and is one of the services that Server.app can configure. Other services aren't as easy.

Feb 29, 2012 3:39 PM in response to cheers12

I want to let all AD authentications for profile manager to go through the local network and all other traffic such as web and APNS go through the external network


Even though the Ethernet adaptor on the mini works for you right now, it's not supported by Apple for Minis. It's only meant for MacBook Air. It might keep working forever, but it might not... You wouldn't want your server to break because some future software update breaks the second NIC.


More importantly, your proposed setup doesn't make any sense. That's not how you would take advantage of two NICs on a server.


There are a few reasons you would need to take advantage of a second NIC on a server. One would be if you were using your server as the gateway for your LAN. You would need a NIC for your LAN and a NIC for your WAN. Another reason would be something like creating a link aggregate between two NICs, effectively doubling the bandwidth of your LAN client's connection to the server.

Feb 29, 2012 3:53 PM in response to Jonathan Melville

Jonathan Melville wrote:


I want to let all AD authentications for profile manager to go through the local network and all other traffic such as web and APNS go through the external network


Even though the Ethernet adaptor on the mini works for you right now, it's not supported by Apple for Minis. It's only meant for MacBook Air. It might keep working forever, but it might not... You wouldn't want your server to break because some future software update breaks the second NIC.


More importantly, your proposed setup doesn't make any sense. That's not how you would take advantage of two NICs on a server.


There are a few reasons you would need to take advantage of a second NIC on a server. One would be if you were using your server as the gateway for your LAN. You would need a NIC for your LAN and a NIC for your WAN. Another reason would be something like creating a link aggregate between two NICs, effectively doubling the bandwidth of your LAN client's connection to the server.


What would you suggest? My AD is local access only and behind a corporate firewall which doesn't allow incoming connections, with a few exceptions. All externally accessible services are on a separate, external LAN, and those servers which require access to the AD have a second NIC for the local LAN.

Mar 31, 2012 8:52 PM in response to cheers12

If I understand you correctly, you want to use the second NIC for a network firewall application with Lion Server. This is a different application than the standard Lion Server admin, and it has additional options including detailed network configuration and firewall config.



http://support.apple.com/kb/HT5050


You will configure a different subnet on your trusted / untrusted networks and set up your firewall / NAT, etc. rules accordingly.

Aug 19, 2012 9:50 PM in response to cheers12

I may be under-analysing this, but as @camelot said, all you need to do is set up appropriate routes. Assuming the following setup:


eth0 (onboard NIC) IP address 10.0.0.10 mask 255.255.255.0 used for AD connections

eth1 (USB NIC) IP address 192.168.0.10 mask 255.255.255.0 used for everything else

AD server IP address 10.1.1.10 mask 255.255.255.0


add a default router to your eth1 NIC of the network router on that segment (192.168.0.1 normally) in Settings->Network


remove any default router on the eth0 NIC in Settings->Network


add a network route using the terminal command line to 10.1.1.0/24 via the eth0 router (10.0.0.1 normally).


sudo route -n add 10.1.1.0/24 10.0.0.1


If you want to make this permanent there are plenty of posts on how to accomplish it.
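
The routing decision described in the post above, as an added Python example that is not part of the original thread. It models the post's routing table with longest-prefix match and checks whether AD traffic would leave through the external interface; `lookup`, `leaks` and the external sample address are illustrative names and values, not anything from OS X.

```python
import ipaddress

# Routing table from the post above: (destination, gateway, interface).
# A gateway of None means the destination is directly attached.
ROUTES = [
    ("10.0.0.0/24",    None,          "eth0"),  # onboard NIC subnet
    ("192.168.0.0/24", None,          "eth1"),  # USB NIC subnet
    ("10.1.1.0/24",    "10.0.0.1",    "eth0"),  # static route to the AD subnet
    ("0.0.0.0/0",      "192.168.0.1", "eth1"),  # default route
]

def lookup(dest, routes=ROUTES):
    """Return (interface, gateway) for dest using longest-prefix match."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, gw, ifname in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, ifname)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return best[2], best[1]

def leaks(internal_dests, internal_if, routes=ROUTES):
    """List internal destinations that would leave through another interface."""
    return [d for d in internal_dests if lookup(d, routes)[0] != internal_if]

if __name__ == "__main__":
    ad = "10.1.1.10"            # AD server address from the post
    external = "203.0.113.25"   # constructed sample address (TEST-NET-3)
    for d in (ad, "10.0.0.25", external):
        print(d, "->", lookup(d))
    # Without the static route, AD traffic follows the default route out eth1.
    no_static = [r for r in ROUTES if r[0] != "10.1.1.0/24"]
    print("leaks with static route:   ", leaks([ad], "eth0"))
    print("leaks without static route:", leaks([ad], "eth0", no_static))
```

The service type never enters the lookup: only the destination address decides the interface, which is why the static route to 10.1.1.0/24 is what keeps AD authentication on the internal side.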


Aug 20, 2012 1:51 AM in response to cheers12

Most of the OS X Server services will automatically work on both interfaces. However, the priority of which interface is used can be important, and in this case you would want to use the built-in 1Gigabit port for the LAN and the USB Ethernet for the internet.


This is done by setting the order they are listed in the Network preference pane. Just drag one to change the order.


With regard to having this Apple USB adaptor work on models other than the MacBook Air, this can be done, and even if Apple have omitted the driver (Kext file) on a particular copy of OS X you can download a generic driver that still lets it work.


See http://www.sustworks.com/site/news_usb_ethernet.html


It is also possible now to buy an Apple Thunderbolt to 1Gigabit Ethernet adaptor which is officially supported on all Thunderbolt compatible Macs including the new Mac mini. This will also offer better 100Mbps performance than the USB adaptor.

Aug 20, 2012 11:38 AM in response to John Lockwood

This is done by setting the order they are listed in the Network preference pane. Just drag one to change the order.

That's fine, but it doesn't address the original question, which is how to ensure that specific services run on specific interfaces.


Changing the interface priority really only affects non-local traffic since it defines the gateway addresses to use. It doesn't affect whether a specific service (e.g. directory service) listens/responds to requests on one interface only. In this case, the OP wants specific services to use one interface while other services use a different interface. That can't be done by simple interface ordering.
