Lion server as advanced gateway

Hello, first of all, I want to apologize for mistakes in my language.
Today I installed Lion Server at work. This is our first time using a Mac as a network server.
We need this server for several tasks:
- file sharing
- web server with different hosts (we are web developers)
- gateway (2 internet connections: 1 - fast and expensive (eth0), 2 - slow and cheap (USB 3G))
- collaboration assist.
Here I need to say that previously we didn't have a server with those roles. We had:
- My office iMac as storage
- there was a separate web server on each developer's computer
- Windows Server 2003 and Kerio Control as gateway
- as a collaboration assist we used a white office desk =)
Now about the problems. The first and last server roles are not so difficult, so mostly I want to ask about the third role: "Advanced gateway".
We have a LAN of 10 computers (some of them PCs, some Macs), and we also have two internet connections (as I said before), and the mission =):
- ALL traffic from 7 computers must go through the USB 3G modem
- regular traffic from the 3 other computers must go through eth0
- all traffic to google, facebook etc. from those 3 computers must go through the USB 3G modem (drivers were installed, the modem works fine)
Is it realistic to get this working?

I'm not entirely sure I understand what you're asking.
From your post it sounds like you just need to set up file sharing and some simple access controls, right? What's the block here? Have you tried it and it didn't work? What's preventing you from just doing this? (it's not all that hard).

Similar Messages

  • Lion Server Gateway Issues

    Hello,
    I have a perplexing issue with both my own server and a client's server.  In both cases I am trying to configure a Lion server as a gateway (Firewall, DNS, DHCP, NAT) and I am unable to get the services working consistently.  If I am able to get my server(s) functioning as gateways I lose DHCP any time the service restarts.
    I have been able to reproduce this issue on two separate networks in two different locations on two separate static IPs with both a Mac Pro and a Mac Mini.
    1. I setup reverse DNS with both ISPs.
    2. I began with a fresh 10.7.0 server installation from the recovery partition, then I configured my static IP address and FQDN during the Setup Assistant, rDNS checked out fine, and after the assistant was done I immediately ran updates.
    3. After restarting I configured my DNS.  I setup a machine address for the server and linked my FQDN to my static IP address.
    4. I downloaded Server Admin Tools 10.7.2 from http://support.apple.com/kb/DL1457 and installed them.  I ran Software Update again to make sure the system was completely up to date.
    5. Using Server Admin I enabled NAT and ran the Gateway Setup Assistant.
    6. After running Gateway Setup Assistant the LAN was unable to obtain IP addresses via DHCP.  Devices connected to the LAN had self-assigned IP addresses.
    7. I opened the Firewall for both "any" and "192.168.1.1-net" by allowing both IP address groups to allow all traffic.
    Still no luck.  A little Googling and I found http://support.apple.com/kb/TS3887 - "Unable to connect to the Internet after running NAT Gateway Setup Assistant".
    8. I followed the instructions in TS3887 and my LAN was still unable to obtain an IP address via DHCP.
    After 3 days of trial and error I have found that my DHCP settings are being reset whenever I start/stop/start DHCP services.  Whenever I restart the DHCP service I get one of the following error message sequences in /var/system.log:
    Jan 25 16:19:43 server servermgrd[71]: servermgr_dhcp:bootp config:Error:Unable to read configuration file - error 2 (No such file or directory)
    Jan 25 16:19:43 server servermgrd[71]: servermgr_dhcp:bootp config:Notice:Created default configuration file
    Jan 25 16:19:43 server servermgrd[71]: servermgr_dhcp:bootp config:Notice:Created 2 default subnet records
    or
    Jan 25 16:15:50 server serveradmin[4843]: servermgr_dhcp:bootp config:Error:Unable to read configuration file - error 2 (No such file or directory)
    Jan 25 16:15:50 server serveradmin[4843]: servermgr_dhcp:bootp config:Notice:Created default configuration file
    Jan 25 16:15:50 server serveradmin[4843]: servermgr_dhcp:bootp config:Notice:Created 1 default subnet records
    As it turns out, something is overwriting /etc/bootpd.plist:
    sh-3.2# ls -al /etc/bootpd.plist
    -rw-r--r--  1 root  wheel  1536 Jan 25 16:20 /etc/bootpd.plist
    sh-3.2# serveradmin stop dhcp
    dhcp:state = "STOPPED"
    sh-3.2# ls -al /etc/bootpd.plist
    -rw-r--r--  1 root  wheel  1132 Jan 25 16:47 /etc/bootpd.plist
    I have no idea why Server Manager believes that /etc/bootpd.plist does not exist but I began to notice some strange behavior while working on the problem.
    - While DHCP was turned off in Server Admin devices on my LAN were often able to obtain IP addresses through BootP.
    1. I could use Server Admin to start DHCP but it would fail and create two new subnets, one for my WAN and one for my LAN.  Although no subnets were enabled devices on my LAN would obtain IP addresses through BootP.  I could then start DHCP with none of the subnets enabled.
    2. If I enabled the LAN subnet and restarted DHCP Server Admin would fail to start DHCP.  I could try again and DHCP would start with no subnets enabled.
    3. If I stopped DHCP the system would again reset my /etc/bootpd.plist and I would be left with one subnet for my LAN.  This subnet was enabled by default.
    4. If I stopped DHCP the system would once again reset my /etc/bootpd.plist and I would have one subnet for my WAN.  This subnet was disabled by default.
    And then this loop would continue in slightly different variations indefinitely.  Here is what my log looks like while this is happening:
    Jan 25 17:09:04 server servermgrd[71]: servermgr_dhcp:bootp config:Error:Unable to read configuration file - error 2 (No such file or directory)
    Jan 25 17:09:04 server servermgrd[71]: servermgr_dhcp:bootp config:Notice:Created default configuration file
    Jan 25 17:09:04 server servermgrd[71]: servermgr_dhcp:bootp config:Notice:Created 1 default subnet records
    Jan 25 17:09:13 server servermgrd[71]: servermgr_dhcp:bootp config:Error:Unable to read configuration file - error 2 (No such file or directory)
    Jan 25 17:09:13 server servermgrd[71]: servermgr_dhcp:bootp config:Notice:Created default configuration file
    Jan 25 17:09:13 server servermgrd[71]: servermgr_dhcp:bootp config:Notice:Created 2 default subnet records
    Jan 25 17:09:25 server bootpd[5726]: server name server.perfecteden.com
    Jan 25 17:09:25 server bootpd[5726]: interface en0: ip 192.168.2.1 mask 255.255.255.0
    Jan 25 17:09:25 server bootpd[5726]: interface en2: ip 173.160.121.37 mask 255.255.255.252
    Jan 25 17:09:25 server bootpd[5726]: DHCP REQUEST [en0]: 1,d0:23:db:a6:77:d <iPhone>
    Jan 25 17:09:25 server bootpd[5726]: ACK sent iPhone 192.168.2.9 pktsize 300
    Jan 25 17:09:25 server bootpd[5726]: service time 0.001889 seconds
    Jan 25 17:09:25 server bootpd[5726]: DHCP REQUEST [en0]: 1,d0:23:db:a6:77:d <iPhone>
    Jan 25 17:09:25 server bootpd[5726]: ACK sent iPhone 192.168.2.9 pktsize 300
    Jan 25 17:09:25 server bootpd[5726]: service time 0.000943 seconds
    Jan 25 17:09:27 server servermgrd[71]: servermgr_dhcp:bootp config:Error:Unable to read configuration file - error 2 (No such file or directory)
    Jan 25 17:09:27 server servermgrd[71]: servermgr_dhcp:bootp config:Notice:Created default configuration file
    Jan 25 17:09:27 server servermgrd[71]: servermgr_dhcp:bootp config:Notice:Created 2 default subnet records
    Jan 25 17:09:37 server servermgrd[71]: servermgr_dhcp:bootp config:Error:Unable to read configuration file - error 2 (No such file or directory)
    Jan 25 17:09:37 server servermgrd[71]: servermgr_dhcp:bootp config:Notice:Created default configuration file
    Jan 25 17:09:37 server servermgrd[71]: servermgr_dhcp:bootp config:Notice:Created 2 default subnet records
    The only times it seems that DHCP is working is when it is off... which does not make any sense.
    Here are some screenshots:

    I don't know if it's directly related, but your setup is wrong. That could be why the config is resetting.
    On your 'internal' interface you're manually setting the IP address to 192.168.2.1/255.255.255.0, and that's fine, but this interface should have NO router address specified. In your case you've set the router address to the server itself, which is never going to be accurate.
    Secondly, the DHCP settings don't have a router address set. This means that your DHCP server will hand out addresses to clients, but won't tell them how to get to the outside world. Hardly seems appropriate to me.
    In your DHCP settings you should set the router address to the address of your NAT server (in this case 192.168.2.1).
    Try those fixes and see if it makes any difference.
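As an added example (not from the thread), here is a small parser for the servermgrd/bootpd lines quoted above: it counts how often bootpd.plist was regenerated (the Error/Notice pair that signals the reset loop) and flags bootpd answering on an interface with a non-private address, which on a gateway means DHCP is being served toward the WAN rather than only the LAN. The sample log is constructed from the lines in the post.

```python
import ipaddress
import re

# Constructed sample, adapted from the servermgrd and bootpd lines quoted in the post above.
SAMPLE_LOG = """\
Jan 25 17:09:04 server servermgrd[71]: servermgr_dhcp:bootp config:Error:Unable to read configuration file - error 2 (No such file or directory)
Jan 25 17:09:04 server servermgrd[71]: servermgr_dhcp:bootp config:Notice:Created default configuration file
Jan 25 17:09:04 server servermgrd[71]: servermgr_dhcp:bootp config:Notice:Created 1 default subnet records
Jan 25 17:09:13 server servermgrd[71]: servermgr_dhcp:bootp config:Error:Unable to read configuration file - error 2 (No such file or directory)
Jan 25 17:09:13 server servermgrd[71]: servermgr_dhcp:bootp config:Notice:Created default configuration file
Jan 25 17:09:13 server servermgrd[71]: servermgr_dhcp:bootp config:Notice:Created 2 default subnet records
Jan 25 17:09:25 server bootpd[5726]: interface en0: ip 192.168.2.1 mask 255.255.255.0
Jan 25 17:09:25 server bootpd[5726]: interface en2: ip 173.160.121.37 mask 255.255.255.252
Jan 25 17:09:25 server bootpd[5726]: DHCP REQUEST [en0]: 1,d0:23:db:a6:77:d <iPhone>
Jan 25 17:09:25 server bootpd[5726]: ACK sent iPhone 192.168.2.9 pktsize 300
"""

# "Mon DD HH:MM:SS host process[pid]: message" as written by syslog on Lion
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<proc>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
SUBNET_RE = re.compile(r'Created (\d+) default subnet records')
IFACE_RE = re.compile(r'interface (\S+): ip (\S+) mask (\S+)')


def parse_syslog(text):
    """Split syslog text into dicts; lines that do not match the format are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append(m.groupdict())
    return entries


def config_resets(entries):
    """One record per bootpd.plist regeneration: the 'Unable to read configuration file'
    error followed by the notice that a default file was written, plus the number of
    default subnet records that were created in its place."""
    resets = []
    pending = None
    for e in entries:
        if e['proc'] not in ('servermgrd', 'serveradmin'):
            continue
        msg = e['msg']
        if 'Unable to read configuration file' in msg:
            pending = {'ts': e['ts'], 'pid': e['pid'], 'subnets': 0}
        elif pending and 'Created default configuration file' in msg:
            resets.append(pending)
        elif pending and (m := SUBNET_RE.search(msg)):
            pending['subnets'] = int(m.group(1))
            pending = None
    return resets


def bootpd_interfaces(entries):
    """Interfaces bootpd reports it is serving on, with the address and mask it bound."""
    ifaces = {}
    for e in entries:
        if e['proc'] != 'bootpd':
            continue
        m = IFACE_RE.search(e['msg'])
        if m:
            ifaces[m.group(1)] = (m.group(2), m.group(3))
    return ifaces


def assess(text):
    """Summarise the log: how many resets, what they created, and where bootpd listens."""
    entries = parse_syslog(text)
    resets = config_resets(entries)
    ifaces = bootpd_interfaces(entries)
    # A DHCP server bound to an interface with a globally routable address is
    # serving the WAN side; on a gateway only the LAN interface should appear here.
    public = sorted(name for name, (ip, _mask) in ifaces.items()
                    if not ipaddress.ip_address(ip).is_private)
    return {
        'reset_count': len(resets),
        'subnets_per_reset': [r['subnets'] for r in resets],
        'interfaces': ifaces,
        'public_interfaces': public,
        'config_loop': len(resets) >= 2,
    }


if __name__ == '__main__':
    print(assess(SAMPLE_LOG))
```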

  • Lion Server VPN with 2 networks

    I hope someone has come across a similar problem to what I have had.
    I am having great difficulty trying to configure our OSX Lion Server (7.4) VPN service. The configuration I am trying to reach is one where we have an external IP for the server itself. A VPN configuration where we can use the external IP to get onto the VPN. When successfully on the VPN we would like to route through the internal network for all VPN traffic. We are having difficulty with the source routing so all traffic when successfully authenticated onto the VPN goes via VLAN0.
    I have used the guide:
    http://macminicolo.net/lionservervpn
    When on the VPN all internal network services should be available. But it seems to take the gateway of the public interface for all routing. I have tried adding routing entries with no luck.
    Open to suggestion on how we can get this to successfully work. Thanks in advance.

    I am having a similar if not the same problem.  What happens when you log in with the VPN is that instead of giving a proper route to the VPN network, a second "default" route is added.
    Internet:
    Destination        Gateway            Flags        Refs      Use   Netif Expire
    default            172.16.200.1       UGSc          166        0     en0
    default            172.16.150.109     UGScI           0        0    ppp0
    69.27.134.89       172.16.200.1       UGHS            0        0     en0
    127                127.0.0.1          UCS             0        0     lo0
    127.0.0.1          127.0.0.1          UH              3       22     lo0
    169.254            link#4             UCS             0        0     en0
    172.16.150/23      ppp0               USc             1        0    ppp0
    172.16.150.109     172.16.150.5       UH              1        0    ppp0
    172.16.200/23      link#4             UCS             5        0     en0
    172.16.200.1       a0:21:b7:60:b:4e   UHLWIi        167      109     en0    845
    172.16.200.11      b8:ac:6f:ff:b6:66  UHLWIi          0      202     en0   1200
    172.16.200.20      127.0.0.1          UHS             0        0     lo0
    172.16.200.54      d8:30:62:6a:4f:4b  UHLWIi          0        0     en0    881
    172.16.201.255     ff:ff:ff:ff:ff:ff  UHLWbI          0       32     en0
    I can add a manual route using:
    route add 172.16.0.0/23 172.16.150.9
    and everything works fine.  But if you disconnect the VPN and reconnect you also have to re-enter the route.
    BTW.... works fine from my Win7 PC.

  • Need help setting up Lion Server

    Here's my story... I got a 2006 Xserve for free. It has 2 dual core 2.66 Xeons, 4 GB of RAM, and 2 300 GB SAS drives that I have turned into a RAID 1 array. I've installed OS X Lion Server on it and all is running okay. My OS X Server knowledge is slim to none. I do a little work with it at my job, but our main servers are Windows. I'd like to set it up as a DHCP and Open Directory server at home, just for fun. My home network consists of this Xserve, my 27" iMac, a MacBook Pro, an Xbox, a Samsung TV, a couple of iPads and our iPhones.
    I go from my Charter modem, to my AirPort Extreme, and then broadcast wirelessly to my other devices, and have my Xserve plugged into port 1.
    To get DHCP working, do I need to go from my modem to my Xserve, and then from my Xserve to the WAN port on my AirPort Extreme? Or do I just need to configure something?
    Thanks in advance for any help you can offer!

    If you have just Lion Server installed, go here for the rest of the tools:
    http://support.apple.com/kb/DL1528
    This will include Server Admin.  It will allow you to define DHCP, DNS, and other services not available in Lion's Server.app.
    Your networking knowledge will apply here.  It sounds like you want to use the Xserve as the NAT gateway.  This is possible, but you will need Server Admin to make it easier.

  • AEBS setup behaves differently on Lion Server than Snow Leopard

    I have a small office setup with a Mac Mini Server running Lion server, a Canon Wifi printer scanner and a Canon USB A3 printer connected to an AEBS which is in turn connected to the buildings network gateway for internet access. We have 3 MacBook Pros (snow leopard) which connect wirelessly and the Mac Mini has an ethernet cable to the AEBS. Fairly simple and we just have 1 manual IP address for the server with the AEBS doing DHCP and NAT.
    The issue I have is that if I change the AEBS settings using Airport Utility on a Mac Book Pro (the first time I just changed the DNS numbers to Googles free set and nothing else), I lose internet connectivity. I can get a partial connection if I also set the subnet to 255.0.0.0 (most websites load, but maybe 10% fail). Consistent and repeatable behaviour - every time I change the AEBS settings I lose the internet and the same websites fail to load.
    I can get everything working again by using the Mac Mini server to change something on the AEBS, or just restart the AEBS. In which case I can use the recommended subnet mask of 255.255.255.192 and everything works as it should.
    So my question is Why?? Does the Server change some background ports, or retain some link to the AEBS which stops it functioning if I use a non-server machine to make a change??
    One bit of background: When I first got the Mac Mini Server I let it take control of the AEBS setup - It asked, and I let it, but this activated the 802.1x security and required a login to the server before access to the wifi was granted. A nice feature but the Canon wireless scanner/printer does not support this, so I had to stop this and set the aebs manually, so I could use my scanner again. Is it possible that some link has been retained from this?
    I do have a full working setup now that I realise I have to use the server to operate the AEBS, but can anyone help with an explanation? It caused me a few months of partial internet access and lots of wasted time, so would like to know if there is a solution that would allow me to set the AEBS from any Mac on our LAN.
    Thanks for taking the time to help!

    Which services have been removed or deprecated?
    You have to bear in mind that 'removed' or 'deprecated' only really means 'no longer bundled and supported by Apple'. Just because Mac OS X Lion Server doesn't ship with a foobar server that doesn't mean you can't download and install your own foobar server. It just won't be integrated into the Server Admin apps.
    For example, Lion Server no longer ships MySQL Server. So download and install your own copy. It's not like the GUI apps gave you any control over the MySQL anyway, other than starting it up and controlling the network ports.
    Likewise for print server. Some of the advanced print features such as quotas have been removed from the GUI, but you can implement them yourself.
    Likewise with QuickTime Streaming Server, where the functionality is little more than a web service.
    What features that have been enhanced?
    Lion Server has simplified the setup of a server for small workgroups with simple requirements. If that's you then the whole experience may be enhanced since you're not swamped with a slew of options that you don't understand, or need.
    I think a lot of people were also stymied by Snow Leopard Server because they expected the GUI apps to cover all the options, which was never the case.
    So my original point stands. There is pretty much nothing you cannot do in Lion Server than you could do in Snow Leopard Server, it's just that it might not be supported by the GUI. Most serious server admins eschew Server Admin.app anyway since even Snow Leopard Server's admin app doesn't cover all the capabilities of some of the services, so you end up driving it via the command line anyway.

  • Lion Server unreachable over IPv6?

    My Lion Server is perfectly reachable over IPv4 and as it is housed in a datacenter the DNS must not be an issue either. Does anyone think it's fun to help me sort this question out? If I find the answer before you do, I'll post it here.

    I've seen this Apple post already:
    To manually set up your computer to use IPv6
    You should only do this if your network administrator or Internet service provider has specifically told you to manually configure IPv6.
    Choose Apple menu > System Preferences, and then click Network.
    If the Network Preference is locked, click on the lock icon and enter your Admin password to make further changes.
    Choose the network service you want to use with IPv6, such as Ethernet or AirPort.
    Click Advanced, and then click TCP/IP.
    Click on the Configure IPv6 pop-up menu (typically set to Automatically) and select Manually.
    Enter the IPv6 address, router address, and prefix length you received from your network administrator or Internet service provider. Your router address may be referred to as your gateway address by some ISPs.
    (source: http://support.apple.com/kb/HT4667)

  • Troubleshooting PPPoE and DHCP on Lion Server 10.7

    I am almost out of ideas, so I wanted to test our gurus out here:
    I am setting up a small office network and don't quite have those last pieces of knowledge to get it running.  It was working fine for us, until we needed to set up the VPN server. 
    PRIOR SETUP:
    Internet -> Modem --> Time Capsule PPPoE Dial UP with DHCP Service --> Mac Pro Lion Server 10.7.4 and other "clients"
    Mail Server worked
    File Sharepoints worked
    Jabber server worked
    VPN did not
    I read in forums that it would be difficult to do double NATs (which is what I think is happening with VPN server set up behind a Time Capsule).  So, I decided to wreck the current set up and gamble on putting the Server forward in the chain.
    NOW IT LOOKS LIKE THIS:
    Internet --> Modem ---> Mac Pro PPPoE Dialup through System Preferences --> and then not sure how to get the rest running...
    Ethernet 1 on MacPro is connected to the Modem
    Ethernet 2 on MacPro is connected to a client notebook for testing DHCP (failed miserably)
    Note:  This minimal setup somehow allowed me to get logged on successfully to the VPN Server on the Mac Pro, but it was just luck and I'm not sure how it happened.  BUT the bad part is now, I can't seem to share this internet connection with the rest of the clients on the network.  "no one can see the internet"
    1.  Fiddled with gateway assistant but didn't get my clients to connect to the internet.
    2.  Fiddled with Internet Connection Sharing outside of the Server Admin.  Didn't work.
    KEY QUESTIONS:
    - Can you share a PPPoE connection with an office on Lion Server?
    - Can you share it AND have VPN access for those who want to log in?
    BONUS:
    When I get to using Gateway Assistant something weird comes up.  Two Ethernet 1 Ports appear during the WAN chooser: (WHY???)
    But my network settings look like this (There is only ONE Ethernet 1):
    OTHER USEFUL SCREENSHOTS:
    THANKS ALL in advance for checking this out and helping!

  • How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

    I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
    Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
    Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Someday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
    Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
    DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
    DVD>Install Lion
    Reboot, hopefully Lion install kicks in
    Update, update, update Lion (NOT Lion Server yet) until no more updates
    System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standby)
    Terminal>$ sudo scutil --set HostName server.domain.com
    App Store>Install Lion Server and run through the Setup
    Download install Server Admin Tools, then update, update, update until no more updates
    Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
    System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
    A few DNS set-up steps and these most important steps:
    A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
    B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
    C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
    D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
    E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
    F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
    G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed as an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
    H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.]
    I. Test from web browser server.domain.com/mydevices: Lock Device to test
    J. ??? Profit
    12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
    You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
    Firewall
    Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is mostly a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
    SSH
    Do this with strong security. Use Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins:
    PermitRootLogin no
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    I'm not sure if toggling Allow remote logins will load this config file; if it doesn't, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
    Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
    client$ ssh-keygen -t rsa -b 2048 -C client_name
    [Securely copy ~/.ssh/id_rsa.pub from client to server.]
    server$ cat id_rsa.pub >> ~/.ssh/authorized_keys   # append to authorized_keys: known_hosts holds remote host keys, not login keys, and ">" would overwrite the file
    I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
    $ diff denyhosts.cfg-dist denyhosts.cfg
    12c12
    < SECURE_LOG = /var/log/secure
    > #SECURE_LOG = /var/log/secure
    22a23
    > SECURE_LOG = /var/log/secure.log
    34c35
    < HOSTS_DENY = /etc/hosts.deny
    > #HOSTS_DENY = /etc/hosts.deny
    40a42,44
    > #
    > # Mac OS X Lion Server
    > HOSTS_DENY = /private/etc/hosts.deny
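    Review bot: the HOSTS_DENY path added here (/private/etc/hosts.deny) names the same file as the /etc/hosts.deny that hunk 34c35 comments out, because /etc is a symlink to /private/etc on OS X; the change is redundant rather than wrong, and either way the file has to exist and be writable by the user DenyHosts runs as.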
    195c199
    < LOCK_FILE = /var/lock/subsys/denyhosts
    > #LOCK_FILE = /var/lock/subsys/denyhosts
    202a207,208
    > LOCK_FILE = /var/denyhosts/denyhosts.pid
    > #
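    Review bot: the new LOCK_FILE location /var/denyhosts/denyhosts.pid points into a directory that nothing in this diff creates; make sure /var/denyhosts exists (root-owned) before the first start, since the original /var/lock/subsys path is a Linux convention that OS X does not provide either.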
    219c225
    < ADMIN_EMAIL =
    > ADMIN_EMAIL = [email protected]
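    Review bot: the ADMIN_EMAIL value shows as "[email protected]", which is an address placeholder left by the page rather than a real mailbox; readers copying this hunk need to substitute the address that should receive the DenyHosts reports.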
    286c292
    < #SYSLOG_REPORT=YES
    > SYSLOG_REPORT=YES
    Network Accounts
    Use Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
    2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
         User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
    Oh well.
    Email
    Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this:
    root:           myname
    admin:          myname
    sysadmin:       myname
    certadmin:      myname
    webmaster:      myname
    my_alternate:   myname
    Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
    cd /etc/postfix
    sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
    echo 'smtp_sasl_security_options = noanonymous' | sudo tee -a ./main.cf   # "sudo echo ... >> file" fails: the redirection runs in the unprivileged shell, tee -a appends as root
    sudo serveradmin stop mail
    sudo serveradmin start mail
    Finally, make sure that you're running a blacklisting service yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
    If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
    iCal Server
    Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
    Web
    The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
    $ diff httpd.conf.default httpd.conf
    95c95
    < #LoadModule ssl_module libexec/apache2/mod_ssl.so
    > LoadModule ssl_module libexec/apache2/mod_ssl.so
    111c111
    < #LoadModule php5_module libexec/apache2/libphp5.so
    > LoadModule php5_module libexec/apache2/libphp5.so
    139,140c139,140
    < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
    < #LoadModule encoding_module libexec/apache2/mod_encoding.so
    > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
    > LoadModule encoding_module libexec/apache2/mod_encoding.so
    146c146
    < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
    > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
    177c177
    < ServerAdmin [email protected]
    > ServerAdmin [email protected]
    186c186
    < #ServerName www.example.com:80
    > ServerName domain.com:443
    677a678,680
    > # Server-specific configuration
    > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
    > Include /etc/apache2/mydomain/*.conf
    I did "sudo mkdir /etc/apache2/mydomain" and added specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
    Alias /eyetv /Users/uname/Sites/EyeTV
    <Directory "/Users/uname/Sites/EyeTV">
        AuthType Digest
        AuthName "EyeTV"
        AuthUserFile /Users/uname/.htdigest
        AuthGroupFile /dev/null
        Require user uname
        Options Indexes MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
    <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
        AuthType Digest
        AuthName "EyeTV"
        AuthUserFile /Users/uname/.htdigest
        AuthGroupFile /dev/null
        Require user uname
        Options Indexes MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    I think you can turn Web off/on in Server.app to relaunch Apache, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
    Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
    One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
    Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
    User-agent: *
    Disallow: /
    Misc
    VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

    Privacy Enhancing Filtering Proxy and SSH Tunnel
    Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
    If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
    $ ./ssht 8080:[email protected]:3128
    $ ./ssht 8080:alice@:
    $ ./ssht 8080:
    $ ./ssht 8018::8123
    $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
    $ vi ./ssht
    #!/bin/bash
    # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
    # bash rather than sh: the +(pattern) parsing below needs bash's extglob option
    USERNAME_DEFAULT=username
    HOSTNAME_DEFAULT=domain.com
    SSHPORT_DEFAULT=22
    # SSH port forwarding specs, e.g. 8080:localhost:3128
    LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
    REMOTEHOST_DEFAULT=localhost    # Default is localhost
    REMOTEPORT_DEFAULT=3128         # Default is Squid port
    # Parse ssh port and tunnel details if specified
    SSHPORT=$SSHPORT_DEFAULT
    TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOTEHOST_DEFAULT:$REMOTEPORT_DEFAULT
    while [ "$1" != "" ]
    do
      case $1
      in
        -p) shift;                  # -p option
            SSHPORT=$1;
            shift;;
         *) TUNNEL_DETAILS=$1;      # 1st argument option
            shift;;
      esac
    done
    # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
    shopt -s extglob                        # needed for +(pattern) syntax; man bash
    LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
    USERNAME=$USERNAME_DEFAULT
    HOSTNAME=$HOSTNAME_DEFAULT
    REMOTEHOST=$REMOTEHOST_DEFAULT
    REMOTEPORT=$REMOTEPORT_DEFAULT
    # LOCALHOSTPORT
    CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
    CAR=${TUNNEL_DETAILS%%"$CDR"}           # cut this string from TUNNEL_DETAILS (quoted so it is matched literally, not as a glob)
    CAR=${CAR%:}                            # delete :
    if [ "$CAR" != "" ]                     # leading port specified
    then
        LOCALHOSTPORT=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # REMOTEPORT
    CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
    CAR=${TUNNEL_DETAILS##"$CDR"}           # cut this string from TUNNEL_DETAILS
    CAR=${CAR#:}                            # delete :
    if [ "$CAR" != "" ]                     # trailing port specified
    then
        REMOTEPORT=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # REMOTEHOST
    CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
    CAR=${TUNNEL_DETAILS##"$CDR"}           # cut this string from TUNNEL_DETAILS
    CAR=${CAR#:}                            # delete :
    if [ "$CAR" != "" ]                     # remote host specified
    then
        REMOTEHOST=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # USERNAME
    CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading *@
    CAR=${TUNNEL_DETAILS%%"$CDR"}           # cut this string from TUNNEL_DETAILS
    CAR=${CAR%@}                            # delete @
    if [ "$CAR" != "" ]                     # user name specified
    then
        USERNAME=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # HOSTNAME
    HOSTNAME=$TUNNEL_DETAILS
    if [ "$HOSTNAME" = "" ]                 # no hostname given
    then
        HOSTNAME=$HOSTNAME_DEFAULT
    fi
    # -L binds the local end to 127.0.0.1 only (no -g / GatewayPorts), so other hosts on your LAN cannot use the tunnel
    ssh -p "$SSHPORT" -L "$LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT" -l "$USERNAME" "$HOSTNAME" -f -C -q -N \
        && printf 'SSH tunnel established via %s:%s:%s\n\tto %s@%s:%s.\n' "$LOCALHOSTPORT" "$REMOTEHOST" "$REMOTEPORT" "$USERNAME" "$HOSTNAME" "$SSHPORT" \
        || echo "SSH tunnel FAIL."
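
    As an added example (not code from the post above), the following POSIX shell script does offline what the post's "htdigest ~uname/.htdigest EyeTV uname" step does for the Web section: it builds the user:realm:HA1 line Apache's AuthType Digest expects, re-verifies a password against the file, and restricts the file so that only its owner and the web server's group can read it. The user, realm and password values are constructed for the example; the md5_hex helper falls back from md5sum to md5 to openssl so it runs on both Linux and OS X. The point worth taking from it: HA1 is MD5("user:realm:password"), which is password-equivalent for that realm, so the .htdigest file in a home directory needs the same care as a password file.

```shell
#!/bin/sh
# Added example, not part of the original post: build and check Apache htdigest
# entries offline. Apache's AuthUserFile for AuthType Digest stores
#   user:realm:HA1   with   HA1 = MD5("user:realm:password")
# so an entry is only as strong as the password, and the file must be kept
# out of reach of other local users (HA1 is a password-equivalent for the realm).

# md5_hex STRING -> lowercase hex MD5 of STRING (no trailing newline is hashed).
# Tries coreutils md5sum (Linux), then md5 (OS X), then openssl.
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        printf '%s' "$1" | md5 -q
    else
        printf '%s' "$1" | openssl dgst -md5 | sed 's/^.* //'
    fi
}

# htdigest_line USER REALM PASSWORD -> the line htdigest(1) would write
htdigest_line() {
    printf '%s:%s:%s\n' "$1" "$2" "$(md5_hex "$1:$2:$3")"
}

# htdigest_add FILE USER REALM PASSWORD -> replace or append the entry for USER
# in REALM, then restrict the file to owner and group (the web server's group).
htdigest_add() {
    f=$1; u=$2; r=$3; p=$4
    tmp="$f.tmp.$$"
    {
        # keep every existing line except the one for this user/realm pair
        if [ -f "$f" ]; then
            awk -F: -v u="$u" -v r="$r" '!($1 == u && $2 == r)' "$f"
        fi
        htdigest_line "$u" "$r" "$p"
    } > "$tmp"
    mv "$tmp" "$f"
    chmod 640 "$f"
}

# htdigest_verify FILE USER REALM PASSWORD -> 0 if PASSWORD matches the stored HA1
htdigest_verify() {
    f=$1; u=$2; r=$3; p=$4
    want=$(md5_hex "$u:$r:$p")
    got=$(awk -F: -v u="$u" -v r="$r" '$1 == u && $2 == r { print $3; exit }' "$f")
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# entries FILE -> number of user:realm:HA1 lines in FILE
entries() {
    awk -F: 'NF == 3 { n++ } END { print n + 0 }' "$1"
}
```

    On the server itself, after "htdigest_add ~uname/.htdigest uname EyeTV '<password>'", give the file to Apache's group (on OS X Server Apache runs as _www, so "sudo chown uname:_www ~uname/.htdigest" is the assumed pairing) and keep mode 640; "AuthUserFile /Users/uname/.htdigest" in the Directory block above will then be readable by the web server but by no other local account.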

  • AEBS and Lion Server DHCP

    Hi All!
    I have a scenario I want some input on.
    1 Mac Mini Lion Server 10.7.2
    1 TC 2nd Gen
    x iPads
    x iPhones
    2 Lion clients
    I want to use the Lion Server for all collaboration services, and use Profile Manager to provide central management of iOS and Lion clients, and I want to use network accounts on the server.
    All is set up and working well, mail, ical, wiki, addressbook, VPN servers, profile manager settings, apart from one thing. how do I best push DNS server settings to the client to point to the server?
    In the TC there are no way to set what DNS server is served to clients. That would solve my case in an instant. Now all clients get the ISPs DNS servers, or pass-through of whatever DNS server is set up on the TC.
    I have 2 possible solutions:
    1. Set up TC to only provide 1 DHCP address reserved for the server, and then use DHCP on the Lion Server for the internal clients. This will work as it has been tested by other users here on this forum.
    2. Set the DNS server on the TC to point to the local Lion Server. I actually just came up with this idea as I was typing.... maybe that is the answer? The internal clients get the internal server as DNS and the server uses forwarders or root hints.
    What do you think? If you have this combo, TC/AEBS and Lion Server, how did you solve it?
    /Hasse

    Hi All!
    I actually found the solution myself. Solution 2 does the trick brilliantly! I can't imagine why I didn't think of this before. I have searched this forum for a solution too, but this was just too easy. The Lion Server advanced admin guide didn't mention this either, even in the chapter about AEBS coexistence.
    /Hasse

  • Lion Server for Home use reality check

    Hi All,
    as many others I had the best intentions buying Lion Server for my home network (5 Macs, 2 iPads, 2 iPhones) to manage everything.
    It was destined to be a central server for user management, configuration management, home directories, file server, software update server, web server and Time Machine server and possible VPN gateway to my home network.
    I did not intend to use it as an Address Book, iCal, or Mail server as I use iCloud. I just don't see the point of iChat, Podcast, Wiki server for my home use.
    Anyway the bits I had to abandon so far are:
    configuration management - Profile Manager works only sometimes and is sluggish to say the least
    home directories - the home sync just doesn't work for Mac libraries such as iPhoto and iTunes
    software update server - worked, broke, fixed, worked, broke, fixed, ... going away with Mountain Lion.
    What works for me is user management, file server, web server and Time Machine backup, haven't gotten around to test VPN yet.
    Given that Mountain Lion is coming next month and presumably I'll have to buy new license for the Server version I am not sure if it's worth it.
    As I see it using a plain vanilla Lion or Mountain Lion system I can still do file server, web server and Time Machine backup. What I'd lose is the user management and I am not sure about VPN on a non-Server system but not really important. User management is a one time task for 5 Macs that's it.
    Would be interested to hear opinions from you folks about pros / cons of using a plain Lion or Mountain Lion OS X for server tasks vs Server version?
    Anything I am missing here?
    Thanks
    Andy

    iToaster wrote:
    most osx server issues are usually DNS problems
    if that is not correct practically nothing else will work correctly
    That's probably true but also within that lies a major problem with how this is positioned: "The Server for Everyone". I am in IT and know what a DNS is. Most home users would NOT have a DNS running as it's not necessary, not even talking about SSL certificates. I think the major problem here is that it is marketed incorrectly.
    iToaster wrote:
    if your trying to have portable home directories and having iphoto library sync'd
    I don't recommend it on wireless, even on a wired 1gb network it's slow
    use WGM to skip iphoto or be prepared for a long wait
    It's not so much a network bandwidth problem but the fact that home sync doesn't work for package files such as iPhoto, etc. Many people have confirmed that that home sync actually corrupts those files.
    iToaster wrote:
    for the cost of ML server it's probably cheaper in the long run than the time you'd spend
    trying to get the same functionality via terminal.  plus the possibility of an OS update
    that may blow all your finely crafted terminal work away.
    Don't intend to do terminal but for example take "File Sharing". It's a Server option but every Mac also has file sharing under the "Sharing Settings". As far as I can tell the server actually is just an overlay over the Mac sharing option because if I define a file share it's also updated in the sharing option.
    Same thing goes for the Webserver. Hence I am thinking that Server really only is a central console for some basic services that can also be available by using standard OS X functionality.

  • Lion Server: iOS 5 clients can't connect to Address Card Server

    I have set up shared accounts on the server for Calendar and Address Book (family) sharing. Although I can add and use the Address Book shared account on OS X Lion clients, I can't get this to work on iOS 5 clients (neither iPhone nor iPad). I keep on getting "CardDAV account verification failed".
    Calendar sharing works just fine on both OS X and iOS5 clients
    Let me briefly describe my setup and observations:
    Server:
    Running Lion Server 10.7.2 on Mac Mini (server)
    Using SSL connections with keys generated during set-up of the server
    Portforwarding in router (ao) for 8008 and 8843 (iCal and Address Book)
    Created  shared accounts on server for Calendar ("sharedcalendar") and Address Book ("sharedcontacts")
    In the DNS server I created services in my primary zone for "_caldavs._tcp." and "_carddavs._tcp." both on port 8443
    OS X Client (Calendar)
    Created additional CalDAV account in preferences (user "sharedcalendar")
    Left the server settings untouched (server path, port "auto" and using SSL but not Kerberos)
    Created in "sharedcalendar" different calendars and reminder lists for the family members which each can access from their OS X client
    This account is now set-up through Profile Manager (tried this with Address Book as well but didn't make any difference)
    iOS 5 Client (Calendar)
    Once tested on standalone and got this working I'm now using the Profile Manager to push the definition of the shared account to all clients
    Hostname with port 8443 (default)
    Left Principal URL blank since it was optional
    User "shared calendar" with the appropriate password
    Ticked "Use SSL"
    OS X client (Address Book)
    Created additional CardDAV account in preferences (user "sharedcontacts").
    Left the server settings untouched (port 443 using SSL)
    iOS 5 client (Address Book)
    In the settings add a CardDAV account (server, user "sharedcontacts", password, description).
    First error message "Cannot connect Using SSL. Do you want to try setting up the account without SSL?". When I press continue I get the error "CardDAV account verification failed"
    If I then save the account details still and edit the account I can access the "advanced settings". When I change to SSL I have tried port 0 (default value), 8443 (the one that's listed in the documentation) and 8843 (which is used by default if you try to set up the account in Profile Manager). All to no avail, including Profile Manager
    Observations:
    Lion Server app nicely lists both Calendar and Address Book Server as active (plus Profile Manager, File Server, Web server and Wiki server)
    When I access my server home page, Calendar is listed in addition to other services (Mail | Calendar | Change Password | Profile Manager) but not Address Book. Is this normal behaviour? i.e. can't Address Book entries be changed through a web interface?
    Address Book on OS X client uses 443 for SSL but does not require me to define port 8443 for secure iCal or Address Book server communications
    Lion Server Profile Manager specifies port 8843 as port for SSL communication. I only saw 8443 listed in documentation
    The response "can't connect .." or "account verification failed" happens very quick which make me think either the verification doesn't even leave the iPad or there is something wrong in the SSL connection
    Since iCal set-up works nicely using the same ports I am puzzled why it doesn't work for Address Book
    Your solutions or suggestions how to investigate are most welcome,
    Erik

    Thanks for joining the discussion.
    Although port 8443 is most often quoted as the correct port for CalDAV and CardDAV, port 8843 can be found both on Apple's website and other places:
    see Technical Note 1649 to find port 8443 listed for iCal and port 8843 for Address Book
    Mac OS X Lion Server for Dummies (sic) lists port 8843 on pages 236 and 238 but port 8443 in many other places
    when you want to push iCal and Address Book information with Profile Manager, Profile Manager lists port 8443 for iCal but port 8843 for Address Book as default:
    So I hope you understand I'm somewhat puzzled.
    I did get the Address Book working for my Lion desktops with all the necessary certificates as far as I know, just not for the iOS devices (iPhone and iPad). iCal sharing from Lion Server works fine on both Lion and iOS devices.

  • How do I set up my Time Machine and Mac Mini with Lion Server so i have one wifi loop in the house?

    HELP!
    So I have had a Time Machine wifi loop at the house for approx. 6 years. I run two Macbooks, 2 iPhones, 2 iTouch and a Samsung Smart Blueray on the loop.
    I just bought a Mac Mini with Lion Server. When setting it up I'm not sure what or how I managed to do it, but I now have 2 wifi loops, one doesn't lock and neither will support the Samsung BlueRay. Also, each time I want to go online with one of the other Mac devices I have to relog into the wifi loop.
    Can someone please walk me through the fix. The Mac Mini is plugged straight into the Time Machine to receive its internet connection.
    Thanks!
    John

    You often see this limit of 10 clients in wireless hotspots but I have yet to see it in an adsl modem.. most strange way to pay for a service that is really irrelevant how many clients you use.
    Have a go .. I recently setup a TC to help a guy run his Roku.. and this setup worked well.. I have no idea if it can work in your case.
    Lets say the IP you get is 192.168.2.1-10 .. doesn't matter what it really is. And the adsl modem is 192.168.2.254
    (Assuming they are private addresses.. if they are public IP you can just use the DHCP and NAT. )
    But go to the airport utility.. I think you need to run v5 at least to change DNS.. but you can do the same thing in v6 using static but no dns changes.
    Now you set the IP of the TC manually.. This address might need to be in the dhcp range of the modem to work. You can set the DNS to same IP as the router address.. ie home address of the modem. Or you can use another DNS.. whatever you like.
    Then set DHCP for clients that will join.. this can then expand the scope of addresses..
    It worked without a NAT error.. although I am not sure exactly how.. on paper it should not be able to work but did.. have a go.. otherwise there is perhaps another way.. but it is complicated.
    Give us an example from a computer plugged into the modem of what IP .. subnet mask .. Gateway and DNS you get. Then I can fine tune the values for it.

  • How can I set up a mail alias in Mountain Lion Server?

    Hi, newbie to Mountain Lion Server here.
    I've set up mail for domain a.com and a virtual domain b.com
    User a receives mail just fine at [email protected] and [email protected], now I wanted to receive mail for [email protected] as an alias, which I understood after reading the posts here is done by going to 'advanced options' of user a and setting b in the alias field.
    But sending a mail to [email protected] bounces with a "550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in virtual alias table".
    However sending a mail to [email protected] does work, so I'm wondering what I'm doing wrong.

    Hi, it's a late response, I know, but I had the same problem just now and in my searching for an answer I found your question. ...better yet, I also found the answer - simply make a user alias including the virtual domain, like for instance if you want alias c to receive mails from both a.com and b.com, you should make two aliases:
    c, [email protected]
    where the first alias defaults to a.com as the default domain and the second explicitly specified the virtual domain.
    Cheers

  • Lion Server: All network users have disappeared

    Hi,
    A search through the forums and kbase didn't give me anything that mapped well to my problem. Here's the situation:
    Specs:
    Mac Pro (2008) 6GB RAM, SSD boot with space available, OS X Lion (latest) with Server.app
    Services:
    File Sharing
    Users: less than 15—accounts only used for file server access.
    This is the only server on the local network, all network routing is taken care of by a Meraki router.
    I went to add a new user to our fileserver, and was unable to connect to the server over Apple Remote Desktop. At the time, file sharing from the server (I *believe*) was still working. I logged in with the file server's local admin account via SSH and tried to use Kickstart to get ARD running again—something I'm well versed in. The script ran as usual, but ARD could still not connect. So, as everyone was in a meeting, I tried to use `shutdown` to reboot the fileserver from the CLI, something I've also done in the past (but not frequently). Usually that takes about a minute to work, and then my shell disconnects—but after 5 minutes, the Mac had not rebooted.
    At that point, I decided to walk to the server and manually force it down by holding the power button in. That powered off the Mac, and 30 seconds later, I booted it up.
    Back on my Mac via ARD, I was able to remotely control it and got to the Fileserver's log in screen, which featured a red dot in the user field I'd never seen before. Its tool tip read "network users are currently unavailable" (paraphrased, perhaps). I logged in with the Fileserver's local admin user (as usual) and launched the Server.app, only to find that in the `Users` section, there were no users listed, and the plus and minus buttons were greyed out.
    I tried rebooting but got the same results. I then repaired permissions and verified the boot drive. Lots of permissions repairs (as usual) but nothing improved. Another reboot after the permission repair and disk repair, just for safety's sake… and as you can guess by me posting here… no improvement.
    I'm not heavily versed in Server. I'm not even sure if those users are stored in a database, and where that DB would live. Does server make dumps or backups of the users on its own? Should I have been? Is this LDAP? Anyone have some next steps I can try? What info would be useful?
    My first goal would be to recover a damaged DB. I only have just under 15 users, so re-creation isn't difficult. But, under the department of "I don't know a ton about Lion Server" I don't know if network users act like OS X users… where you could create a new user with the same username, but if their UID is different, then they won't have access to their owned files on the fileserver… is Server that exacting? Does it care who owns the file?
    Thanks in advance for any ideas, or resources you can point me to!

    It gets far weirder……
    Now no one, myself included can log in.
    Checking the logs, which I'll try to attach a small sample of here (Dropbox link below since you can only attach images here), I see repeated instance of both `opendirectoryd` crashing and respawning, and of server manager unable to authenticate:
    1/19/15 4:57:06.658 PM com.apple.opendirectoryd: Assertion failed: (0 == (connection->flags & eODConnectionFlagSocketValid)), function __odconnection_connect_block_invoke_2, file /SourceCache/opendirectoryd/opendirectoryd-172.17/src/odconnection.c, line 988.
    1/19/15 4:57:07.641 PM com.apple.launchd: (com.apple.opendirectoryd[13760]) Job appears to have crashed: Abort trap: 6
    1/19/15 4:57:07.641 PM com.apple.launchd: (com.apple.opendirectoryd) Throttling respawn: Will start in 9 seconds
    1/19/15 4:57:07.761 PM ReportCrash: Saved crash report for opendirectoryd[13760] version ??? (???) to /Library/Logs/DiagnosticReports/opendirectoryd_2015-01-19-165707_localhost.crash
    1/19/15 4:57:17.276 PM PasswordService: -[AuthDBFile getPasswordRec:putItHere:unObfuscate:]: user with slot 4873a20f-0cc0-f7c3-0000-000a0000000a not found.  Result: 80 Other (e.g., implementation specific) error
    1/19/15 4:57:17.277 PM AppleFileServer: _Assert: /SourceCache/afpserver/afpserver-585.7/afpserver/AgentSession.cpp, 856 (4294952813)
    1/19/15 4:57:32.703 PM servermgrd: servermgr_accounts: got error 2100 trying to auth to local LDAP node
    https://dl.dropboxusercontent.com/u/1344045/server-sample.log.txt
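
    As an added example (not from the thread), the shell script below runs the triage a responder would do on the log lines quoted above: it counts launchd's "Job appears to have crashed" reports for opendirectoryd, lists the crashed PIDs, and checks whether the directory outage has already propagated to PasswordService and servermgrd, which is the state in which nobody can log in. The sample log is constructed from the poster's excerpt; the two later crash entries (PIDs 13771 and 13780) are invented to show a respawn loop rather than a single crash.

```shell
#!/bin/sh
# Added example, not part of the original thread: triage an opendirectoryd
# crash loop from system.log. SAMPLE_LOG is constructed from the poster's
# excerpt; the crash entries for PIDs 13771 and 13780 are invented to show a
# loop. The patterns match the launchd, PasswordService and servermgrd lines.

SAMPLE_LOG='1/19/15 4:57:06.658 PM com.apple.opendirectoryd: Assertion failed: (0 == (connection->flags & eODConnectionFlagSocketValid)), function __odconnection_connect_block_invoke_2, file /SourceCache/opendirectoryd/opendirectoryd-172.17/src/odconnection.c, line 988.
1/19/15 4:57:07.641 PM com.apple.launchd: (com.apple.opendirectoryd[13760]) Job appears to have crashed: Abort trap: 6
1/19/15 4:57:07.641 PM com.apple.launchd: (com.apple.opendirectoryd) Throttling respawn: Will start in 9 seconds
1/19/15 4:57:07.761 PM ReportCrash: Saved crash report for opendirectoryd[13760] version ??? (???) to /Library/Logs/DiagnosticReports/opendirectoryd_2015-01-19-165707_localhost.crash
1/19/15 4:57:17.276 PM PasswordService: -[AuthDBFile getPasswordRec:putItHere:unObfuscate:]: user with slot 4873a20f-0cc0-f7c3-0000-000a0000000a not found.  Result: 80 Other (e.g., implementation specific) error
1/19/15 4:57:17.277 PM AppleFileServer: _Assert: /SourceCache/afpserver/afpserver-585.7/afpserver/AgentSession.cpp, 856 (4294952813)
1/19/15 4:57:32.703 PM servermgrd: servermgr_accounts: got error 2100 trying to auth to local LDAP node
1/19/15 4:57:41.002 PM com.apple.launchd: (com.apple.opendirectoryd[13771]) Job appears to have crashed: Abort trap: 6
1/19/15 4:57:41.003 PM com.apple.launchd: (com.apple.opendirectoryd) Throttling respawn: Will start in 10 seconds
1/19/15 4:58:02.115 PM com.apple.launchd: (com.apple.opendirectoryd[13780]) Job appears to have crashed: Abort trap: 6'

# write_sample FILE -> dump SAMPLE_LOG to FILE so the functions can be tried on it
write_sample() { printf '%s\n' "$SAMPLE_LOG" > "$1"; }

# count_lines FILE REGEX -> number of lines matching REGEX (prints 0, not an error, when none)
count_lines() { grep -c -- "$2" "$1" || true; }

# od_crash_count FILE -> launchd "Job appears to have crashed" reports for opendirectoryd
od_crash_count() {
    count_lines "$1" 'com\.apple\.opendirectoryd\[[0-9]*]) Job appears to have crashed'
}

# od_crash_pids FILE -> space-separated PIDs of the crashed opendirectoryd instances
od_crash_pids() {
    sed -n 's/.*com\.apple\.opendirectoryd\[\([0-9]*\)]) Job appears to have crashed.*/\1/p' "$1" \
        | tr '\n' ' ' | sed 's/ $//'
}

# od_crash_loop FILE [N] -> 0 when opendirectoryd crashed at least N times (default 3)
od_crash_loop() {
    n=${2:-3}
    [ "$(od_crash_count "$1")" -ge "$n" ]
}

# od_triage FILE -> prints one counter per symptom; returns 0 only when the
# directory is in a crash loop AND dependent services already report auth
# failures (the "nobody can log in" state from the thread), 1 otherwise.
od_triage() {
    f=$1
    crashes=$(od_crash_count "$f")
    throttles=$(count_lines "$f" 'com\.apple\.opendirectoryd) Throttling respawn')
    missing_slots=$(count_lines "$f" 'PasswordService: .*user with slot .* not found')
    ldap_auth=$(count_lines "$f" 'servermgr_accounts: got error 2100')
    printf 'opendirectoryd crashes: %s\n' "$crashes"
    printf 'launchd respawn throttles: %s\n' "$throttles"
    printf 'PasswordService missing slots: %s\n' "$missing_slots"
    printf 'servermgrd LDAP auth failures: %s\n' "$ldap_auth"
    od_crash_loop "$f" && [ "$((missing_slots + ldap_auth))" -gt 0 ]
}
```

    When od_triage returns 0 the next step is not another reboot or "repair permissions" but preserving the data: on Lion Server the LDAP database lives under /var/db/openldap/openldap-data, the Password Server database under /var/db/authserver and the KDC under /var/db/krb5kdc, and "sudo slapconfig -backupdb <archive>" produces a restorable archive once opendirectoryd stays up long enough to answer. The crash report launchd names in /Library/Logs/DiagnosticReports shows which of those stores the daemon is choking on.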

  • How can I reset my password via Lion Server web front-end?

    I'm trying to enable my users to be able to change their passwords from the default value I've given them. This can be done from the user's profile page, but with the new Lion Server web interface, when I select "Change Password" at the bottom of the page I get the following result:
    Changing passwords is turned off.
    You can turn it on by using the Server app on the server.
    I'm assuming I cannot use the Server app on my client computer (a MacBook Pro) so I use the Server app on the server.  I cannot find out how to enable this feature.  I've been all over the Lion Server help documentation but can't find out how.
    I've selected my server in the Hardware section on the left-hand side of the Server app and gone to the Settings tab and checked the "Enable screen sharing and remote management" box but I still get the message above.
    Thanks in advance...

    You will have to enable the "Profile Manager" tab.
    Inside this tab, also enable "Device Management", which will start a network directory.
    This makes sense for centralized user management.
    But it is not very user-friendly.
    After setting the above two,
    go back to the "Web" tab, and click the pencil to see the grayed-out option activated.
