Accessing Xserve Desktop Out Of Network via VPN or Remote Desktop
Hi everyone,
Thanks a lot for taking the time to look at my question.
I'm trying to figure out how I would set up an Xserve so that it could operate on a work network while allowing users to access it away from work (at their houses) with a login and password that I've set up in the Xserve. That way they can access specific applications on the server.
I've searched through the forums and other documentation already with moderate success. Apparently I don't NEED a static IP address for my Xserve but it would make it easier. It seems that the most highly recommended solution is setting up a VPN.
So after some further research, I found that the VPN can be set up directly within OS X Server, but I'm unclear on how to actually allow it to do what I'm trying to do. I don't want my external users to have any admin rights -- I basically want them to remote desktop into a user account on the Xserve with no ability to change any settings, but to access one application on it so they can run that application on the server.
Any help would be greatly appreciated.
Thank you!
If I understand your request correctly, what you want cannot be done out of the box.
Despite Mac OS X Server's ability to support multiple users, it's still limited to one GUI environment/desktop. That means that there's only one set of GUI apps that can run at a time.
You could have multiple users log on using Remote Desktop, but they'd all see the exact same thing. In addition, actions (key presses, mouse movements, etc.) by any one user would be reflected on every other screen, so it's not practical to have multiple users trying to use the same GUI environment.
You need to more clearly define what it is you're trying to achieve. Why, for example, are you trying to run applications remotely over the internet, given the additional latency inherent in this kind of setup? What do you expect to gain?
More importantly, what application(s) are you trying to run?
Some applications support remote processing (e.g. an application you run locally on your machine submits a job to the server for processing, based on the idea that the server is a more powerful machine).
Other apps support collaboration where multiple users can share the same data and updates are dynamically reflected on other clients.
There are some hacks that emulate multiple desktops, and they might work for you, but you need a better understanding of what you're trying to do.
Similar Messages
Can I connect to my microsoft network via VPN and download network files?
Can I connect to my microsoft network via VPN and download network files to my iPad2? If so, what app is required?
There are several apps available from App Store but the one I use is iTeleport.
Oops the Windows specific version is called Jaadu Remote Desktop for Windows
4150L - Works on web, but can not connect via VPN or Remote Desktop
Recently purchased a 4150L and installed the latest firmware. We have been able to access all public websites without any problems. But, when we try and access our customers' computers via VPN (various types) or Remote Desktop, we can't connect. We can sign in to VPN, but when we try and access the computer, it says "can't connect". Exact same message with Remote Desktop. We are able to connect when we use a Verizon phone as a hotspot and from every other internet service that we have tried (i.e. hotels, Starbucks, etc.). It appears it is an issue with the 4150L.
Verizon Tech Support has been no help!
All ideas are appreciated!
Thanks,
Skip
Skip,
VPN traffic should be allowed through on the MiFi 4510L by default. I know I do not have any issues with mine on either the Cisco IPSec or Cisco SSL VPN Clients.
If Verizon DNS is interfering then perhaps you could try to connect to your VPN via a direct IP address instead of a URL. Not sure what VPN client you have, but there should be a No DNS option to connect if you know the correct IP. You could also try switching your DNS to one of the free ones such as the one offered by Google or any of the others.
VPNs carry a lot of overhead on existing connections in my experience. It's not untypical to have a 3G connection cut in half when a VPN is applied. Try running a speed test to make sure your connection is at least 1 MB on download before initiating a connection. If the performance of the MiFi is too poor in that area it may never be stable enough to support a connection. Feel free to post some Speedtest.net averages so we can see what you are working with.
Something to note about the MiFi 4510L is that it is on the SIM card network. That means that NAT is always going to be an issue and block your users from providing a truly public IP address. Directly remoting to them through any means will be nearly impossible.
Asa 8.2 access files share on outside network from VPN Client.
please help me
I have cisco asa 5505 with 8.2
outside is 111.22.200.51
inside is 192.168.1.0/24 dhcp
vpnpool is 192.168.10.1-192.168.10.30
configured split tunnel to vpn client to access web
I was able to connect from outside via vpn.
Goal is to access the file server (on Windows) on 111.22.200.21 from VPN clients.
Internal clients can access the shared folder.
VPN clients cannot access the share on 111.22.200.21.
============================
names
name 192.168.1.1 ciscogw
name 111.21.200.1 umgw
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
switchport access vlan 5
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 5
interface Ethernet0/6
switchport access vlan 5
interface Ethernet0/7
switchport access vlan 5
interface Vlan1
nameif inside
security-level 100
ip address ciscogw 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 111.22.200.51 255.255.255.0
interface Vlan5
no nameif
security-level 50
ip address dhcp setroute
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name vpn.nmecsc.org
access-list RAteam_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.192
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.10.1-192.168.10.30 mask 255.255.255.224
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 111.22.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.50 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd wins 111.22.210.65 111.22.210.61 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
group-policy DfltGrpPolicy attributes
banner value WARNING: Unauthorized access to this system is forbidden and will be prosecuted by law. By accessing this system, you agree that your actions may be monitored if unauthorized usage is suspected.
group-policy RA_SSLVPN internal
group-policy RA_SSLVPN attributes
vpn-tunnel-protocol webvpn
webvpn
url-list value team
group-policy RAteam internal
group-policy RAteam attributes
wins-server value 111.22.210.65
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RAteam_splitTunnelAcl
default-domain value vpn.nmecsc.org
username teamssl2 password 5ZBa0qXxwLBPpvoR encrypted privilege 0
username teamssl2 attributes
vpn-group-policy RA_SSLVPN
username team2 password 5ZBa0qXxwLBPpvoR encrypted privilege 0
username team2 attributes
vpn-group-policy RAteam
username teamssl1 password 5ZBa0qXxwLBPpvoR encrypted privilege 0
username teamssl1 attributes
vpn-group-policy RA_SSLVPN
username team1 password 5ZBa0qXxwLBPpvoR encrypted privilege 0
username team1 attributes
vpn-group-policy RAteam
tunnel-group team type remote-access
tunnel-group team general-attributes
default-group-policy RA_SSLVPN
tunnel-group team webvpn-attributes
group-alias team enable
group-url https://111.22.200.51/team enable
tunnel-group RAteam type remote-access
tunnel-group RAteam general-attributes
address-pool vpnpool
default-group-policy RAteam
tunnel-group RAteam ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:680b9059ca6ca6610857bab04d855031
I just upgraded the ASA to 9.3 and added an access-list but still no luck. I attached the diagram.
name 192.168.1.1 ciscogw
ip local pool vpnpool 192.168.10.1-192.168.10.50 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address ciscogw 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 111.22.200.51 255.255.255.0
boot system disk0:/asa923-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_26
subnet 192.168.10.0 255.255.255.192
access-list ipsec_group_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list ipsec_group_splitTunnelAcl standard permit host 111.22.200.21
access-list ipsec_group_splitTunnelAcl standard permit 111.22.200.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.10.0_26 NETWORK_OBJ_192.168.10.0_26 no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 111.22.200.1 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
tunnel-group-list enable
group-policy ssl_vpn internal
group-policy ssl_vpn attributes
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value carino
group-policy DfltGrpPolicy attributes
group-policy ipsec_group internal
group-policy ipsec_group attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ipsec_group_splitTunnelAcl
How do you access a machine connected to network via internet sharing?
I have a G5 which shares its airport connection via its ethernet connection with an iMac. Now I'd like to access the iMac from a MacBook Pro which has a wireless connection. Is this at all possible? Right now the G5 and iMac know about each other as do the MacBook and iMac. But the iMac and MacBook don't seem to have a connection. Do I have to do something on the G5 so the iMac and MacBook are known to each other?
Well it seems I missed the response when it occurred. Need to check my notification settings. Any way, to answer and summarize:
1. Yes the G5 had a wireless connection to an Airport.
2. The G5 was connected via an ethernet cable to the iMac
3. I worded the connections wrong. I meant to say the g5 and macbook know about each other as do the g5 and iMac. But not the macbook and iMac. Know about each other in the sense that they could be references like g5.local or imac.local.
4. I couldn't get the macbook to find a route to the imac through the g5.
In the end I decided what I was doing was stupid, and just put the iMac back on the wireless network so it was universally visible.
Cant access dashboards from home wireless network via my personal 10.1.3.4
Hi,
I installed 10.1.3.4 on my laptop at work, which worked fine, though when attempting dashboards via the presentation layer at home the URL cannot be displayed. I believe it is because I am using a static IP and at home on my wireless I get assigned any old IP. Can anyone advise how to get around this?
Yes, it has an impact. You create groups in the Repository and Answers and assign the object-level permissions.
You Populate Group Variable during authentication via LDAP server. Once you login with X name you see the authorized groups in the my account.
For dashboard A - For group Executive - User X - You have given full access.
Now you have changed the Group name to AD_Executive. When You Login variable values would be
User - X
Group - Ad_Executive
Dashboard A - No permissions.
If you have a scenario of changing the group names then get Groups from the database using an Init block after authorization.
I have a wired nework in a remote closet (3 PC's to a 100/1000 Linksys switch). I have an Apple Extreme network connected to the Internet in another remote closet allowing wireless PC's and wired PC's access to the internet and printers. I do not have the ability to connect the two networks together via wired although they are 50' apart.
My objective is to configure two Airport Extreme devices so the remote wired PCs can connect via the remote/relay Airport Extremen to the main Airport base station for DHCP, internet and intranet.
One AirPort Extreme base station is Model # A1034 and the other is Model A1408.
Can I extend......?
Yes, this is possible. But sometimes, the fact that something can be done does not necessarily mean that it should be done. In a case like this....Upsides are far outweighed by Downsides.
Upsides
You will have more wireless coverage (but 50 feet is a long way if there are multiple walls or ceilings in the signal path...I am not optimistic about this)
The Ethernet ports will be enabled on the remote Extreme.
Downsides
The required WDS configuration will drop the performance of your newer "n" Extreme down to wireless "g" levels.
In addition, the bandwidth on the entire network will drop by 50%. In effect, you will have a "g" wireless network running at half speed
WDS is difficult for most users to configure. It is very easy to make a mistake and literally impossible to recover without starting all over again with the configuration attempt
It might work. But things are going to be extremely slow. Might be OK for general Internet browsing or light email. Any file transfers or copies from one device to another are going to take a very long time.
You also might want to review the WDS setup required to get an idea of what is involved here:
http://support.apple.com/kb/HT4262
As you know, a far better way to do this would be to connect the two AirPort Extremes using an Ethernet connection. If you cannot run the Ethernet cable, you might want to consider a pair of Ethernet Powerline Adapters.
These devices send an Ethernet signal over the existing AC powerlines in your home. So, you already have the wiring in place....you just need the adapters. I've used these devices for runs up to 70-80 feet or so with good results. But, you need to understand that there are number of factors that can affect performance here.
So, if you want to try the powerline adapters, I would strongly recommend that you understand the store's return policy in advance. The bottom line is always this.....you won't know how they will work until you install them in your home.
Apple's instructions for a setup using Ethernet are here:
http://support.apple.com/kb/HT4260
Accessing a subnet via VPN session
Hi everybody.
I have not too much experience configuring and managing VPNs and at this moment I am facing a bit of an issue. I've got a remote site which is connected to the headquarters via a VPN site-to-site IPsec tunnel. When I am in my office I have no problem reaching the remote network, but when I try to connect to the remote network via VPN client, I can't reach it.
In the remote office I've got a Router 3800 (Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 12.4(13c), RELEASE SOFTWARE (fc2)); in the headquarters I've got an ASA 5520 Version 8.0(3). I've checked access-lists and network objects and everything seems OK.
local network: 10.30.0.0 0.0.0.0
remote network 10.31.0.0 0.0.0.0
ASA
object-group network remote-network
network-object 172.16.27.0 255.255.255.0
network-object 10.31.0.0 255.255.0.0
object-group network network-local
network-object 0.0.0.0 0.0.0.0
access-list VPN_Remote_Access_splitTunnelAcl standard permit 10.31.0.0 255.255.0.0
Router 3800
ip access-list extended vpn
permit ip 10.31.0.0 0.0.255.255 any
Can someone guide me about what is missing in the config? No problem if you need more "sho run" lines.
Regards and thanks very much!!
Hi Ankur, thanks very much for your reply!
this is the "sho run" in my remote router:
I do not understand your first question well, but if it is useful, I log in to headquarters at "headquerters public ip address".
this is a simple diagram of where I want to connect to:
REMOTE_SITE ------------( VPN site-to-site IPsec tunnel )------------ HEADQUARTERS
(10.31.0.0/24 network)                                          (10.30.0.0/16 network)
                                                                         |
                                                                         |
                                                                    REMOTE USER
                                                                    (10.30.23.130/25)
REMOTESITE#sho run
Building configuration...
Current configuration : 10834 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname PYASU1ROU01
boot-start-marker
boot-end-marker
logging buffered 64000 debugging
no logging console
aaa new-model
aaa authentication login default group tac-auth local
aaa authentication enable default group tac-auth enable
aaa authorization console
aaa authorization exec default group tac-auth local if-authenticated
aaa authorization network default local
aaa accounting exec default start-stop group tac-auth
aaa session-id common
clock timezone PR -3
ip cef
voice-card 0
no dspfarm
crypto pki trustpoint TP-self-signed-4112391703
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4112391703
revocation-check none
rsakeypair TP-self-signed-4112391703
crypto pki certificate chain TP-self-signed-4112391703
certificate self-signed 01
30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313132 33393137 3033301E 170D3131 31313234 30323430
34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31313233
39313730 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A09B 8740E68A 0C5BB452 D4D26D1B C91E4B5A 71FF0E11 411D70DB ED09EE4C
95C67911 0DFB9557 EB17CE79 9A3AF1C8 3B4DC1C0 75F6B938 F3431C4D 6DEAB793
A560C0AE 88007146 4312FBDF F979476B AB55CACD 9EE00DAC B3227CD6 9861DE87
DD462212 6E8FDA90 7BEA7967 26FCF6B6 6DDDBD5A A6E3D7F8 12AE4F5E 71BDDEE3
D5130203 010001A3 6B306930 0F060355 1D130101 FF040530 030101FF 30160603
551D1104 0F300D82 0B505941 53553152 4F553031 301F0603 551D2304 18301680
14C86D3D 3AF1854B 977D5BD8 A9ABAF33 4E7483BC 3B301D06 03551D0E 04160414
C86D3D3A F1854B97 7D5BD8A9 ABAF334E 7483BC3B 300D0609 2A864886 F70D0101
04050003 8181005A 5A20ACB9 EE50A66C 054B5449 62A98E5F B42E5193 6D3D71A8
B0949BE2 70BE6F3C 2FAD7E2D AA0FCF6C 4D8E8344 035A33D6 6538EF32 33F8C746
31119E9C F08091A2 9F8DCF8F 1B779D90 82F3366C D0F84D6B AB7E3248 E532E224
91E404E9 608ECF11 5525D52B A02C3D9C 7BC1C1EF 496D1246 1125086B 54EEF4A2
94350AFF EA7CB2
quit
username admin privilege 15 secret 5 $1$P3xv$e99l3YcRWgFPEp/m6uXZg1
username cwuser privilege 15 secret 5 $1$Ir9X$CZgLaFy7XKsmT9avFHTTk/
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
crypto keyring apex
pre-shared-key address "headquerters public ip address"
key apex
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp profile companyname
keyring apex
match identity address "headquerters public ip address"
crypto ipsec transform-set esp-aes256-sha esp-aes 256 esp-sha-hmac
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto map outside 10 ipsec-isakmp
set peer "headquerters public ip address"
set transform-set 3DES
set isakmp-profile companyname
match address vpn-companyname
interface Loopback1
description monitoreo
ip address 10.31.21.255 255.255.255.255
interface GigabitEthernet0/0
description Teysa
ip address public ip address
ip nat outside
no ip virtual-reassembly
load-interval 30
duplex auto
speed auto
media-type rj45
crypto map outside
interface GigabitEthernet0/1
description TO CORE-SW
ip address 192.168.255.249 255.255.255.252
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
interface FastEthernet0/0/0
switchport access vlan 2
duplex full
speed 100
interface FastEthernet0/0/1
switchport access vlan 10
shutdown
duplex full
speed 100
interface FastEthernet0/0/2
switchport mode trunk
shutdown
interface FastEthernet0/0/3
switchport access vlan 10
shutdown
duplex full
speed 100
interface Vlan1
no ip address
no ip http server
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nat interface GigabitEthernet0/0 overload
ip access-list extended nat
deny ip host 172.16.27.236 10.0.0.0 0.255.255.255
deny ip 10.31.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny ip 172.16.27.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.31.11.0 0.0.0.255 any
permit ip 10.31.13.0 0.0.0.255 any
permit ip 172.16.27.0 0.0.0.255 host 209.59.188.93
permit ip 172.16.27.0 0.0.0.255 host 190.180.145.46
permit ip 172.16.27.0 0.0.0.255 host 46.51.171.127
permit ip 172.16.27.224 0.0.0.31 any
ip access-list extended vpn-apex
permit ip 10.50.20.0 0.0.1.255 any
permit ip 172.16.27.0 0.0.0.255 any
permit ip 10.31.0.0 0.0.255.255 any
permit ip 10.30.0.0 0.0.255.255 any
route-map nat permit 10
match ip address nat
control-plane
line con 0
password 7 xxxxxxxxxx
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 xxxxxxxxxx
scheduler allocate 20000 1000
ntp server 10.30.5.38
end
REMOTESITE#
Regards!
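As an added example for this thread and for the ASA 5505 thread above (code written for this page, not taken from either poster's configuration), the following Python script parses the minimal ACL syntax that appears in the two posted configs and evaluates whether a given flow matches. Under split-tunnel-policy tunnelspecified only destinations permitted by the split-tunnel ACL are sent into the VPN, so the 8.2 config's RAteam_splitTunnelAcl (192.168.1.0/24 only) never tunnels 111.22.200.21, while the 9.3 config's ipsec_group_splitTunnelAcl does. On the router side the same evaluator shows what the nat ACL and the vpn-apex crypto ACL return for traffic between the remote site and the VPN client address 10.30.23.130. The sample configuration strings are excerpts copied from the posts; the host addresses 10.31.11.7 and 192.168.255.250 used in the checks are constructed. An ACL match is necessary but not sufficient: it says nothing about NAT exemption on the ASA, about routing, or about whether the device really applies the ACL where you think it does.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _wildcard_to_network(addr, wildcard):
    # IOS wildcard masks are inverted subnet masks: 0.0.255.255 -> /16.
    # A non-contiguous wildcard has no prefix form; ip_network raises ValueError.
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def _take_address(tokens, i, wildcard):
    """Consume one address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if wildcard:
        return _wildcard_to_network(addr, mask), i + 2
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_asa_standard(config, name):
    """ASA 'access-list NAME standard permit|deny NET MASK' lines. A standard
    ACL names only a destination network, so the source is treated as any."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["access-list", name, "standard"]:
            net, _ = _take_address(t, 4, wildcard=False)
            entries.append(Entry(t[3], ANY, net))
    return entries


def parse_ios_extended(config, name):
    """IOS 'permit|deny ip SRC WC DST WC' lines under 'ip access-list extended
    NAME', up to the next top-level command (the posted config has no indent)."""
    entries, inside = [], False
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["ip", "access-list", "extended"]:
            inside = t[3] == name
        elif inside and t[0] in ("permit", "deny") and t[1] == "ip":
            src, i = _take_address(t, 2, wildcard=True)
            dst, _ = _take_address(t, i, wildcard=True)
            entries.append(Entry(t[0], src, dst))
        elif inside and t[0] != "remark":
            inside = False
    return entries


def evaluate(entries, src, dst):
    """First matching entry wins; a flow matching nothing hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


def split_tunnel_sends(config, acl_name, dst):
    """tunnelspecified: only destinations the ACL permits enter the VPN."""
    return evaluate(parse_asa_standard(config, acl_name), "0.0.0.0", dst)


def ios_acl_permits(config, acl_name, src, dst):
    """Raw ACL result; in a crypto map 'permit' means encrypt, in the NAT
    route-map 'permit' means translate (so 'deny' keeps traffic untranslated)."""
    return evaluate(parse_ios_extended(config, acl_name), src, dst)


# Constructed sample inputs: excerpts copied from the two posted configs.
ASA_82 = """
access-list RAteam_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
"""
ASA_93 = """
access-list ipsec_group_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list ipsec_group_splitTunnelAcl standard permit host 111.22.200.21
access-list ipsec_group_splitTunnelAcl standard permit 111.22.200.0 255.255.255.0
"""
ROUTER = """
ip access-list extended nat
deny ip host 172.16.27.236 10.0.0.0 0.255.255.255
deny ip 10.31.0.0 0.0.255.255 10.0.0.0 0.255.255.255
permit ip 10.31.11.0 0.0.0.255 any
permit ip 172.16.27.224 0.0.0.31 any
ip access-list extended vpn-apex
permit ip 10.50.20.0 0.0.1.255 any
permit ip 10.31.0.0 0.0.255.255 any
permit ip 10.30.0.0 0.0.255.255 any
route-map nat permit 10
"""

if __name__ == "__main__":
    print("8.2 split tunnel carries 111.22.200.21:",
          split_tunnel_sends(ASA_82, "RAteam_splitTunnelAcl", "111.22.200.21"))
    print("9.3 split tunnel carries 111.22.200.21:",
          split_tunnel_sends(ASA_93, "ipsec_group_splitTunnelAcl", "111.22.200.21"))
    print("nat ACL translates 10.31.11.7 -> 10.30.23.130:",
          ios_acl_permits(ROUTER, "nat", "10.31.11.7", "10.30.23.130"))
```

Run it with python3 on the excerpt strings, or point the parsers at a full "show run" saved to a file. The parser deliberately handles only the constructs present in these two threads; anything it does not recognise is skipped rather than guessed at, and a non-contiguous wildcard mask raises ValueError instead of silently matching the wrong range.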
I am not sure if this a right forum for this. I have some non-domain devices that are coming in to my network via VPN (VPN client). can someone tell me on how to deny these non-devices coming in to my network. Is their a configuration in the VPN concentrator to deny non-domain computers? please advise
Did you deploy IPsec in your VPN network? If not, just deploy IPsec on all the peers and the VPN server.
IPsec is a two-phase VPN security provider. IPsec along with IKE provides two levels of security.
With IPsec, we configure some security parameters like hostname or remote IP address, pre-shared key etc. on both ends (server and peer). When a non-domain client tries to access your VPN, the VPN server may authenticate the incoming client using either IP address or host name, and it will contact an AAA server or its own database to validate the user.
If you are using an external server for validating the incoming users, you must go for an external AAA server.
For complete details on deploying VPN with IPsec:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278c.html#wp1045493
Transfer files from mac to company drives via VPN?
I have several files that I design/update on my mac which I want to write to a company network drive.
On my PC I go through the installed VPN (I have host address, passwords etc). I am new to Macs and wondered if a similar method is available?
Any step by step instructions would be very much appreciated.
Al
iMac 2006 Mac OS X (10.4.5)
It depends on the VPN system being used by the office.
If it uses PPTP or L2TP, just open /Application/Utilities/Internet Connect and create a new VPN connection profile.
Fill in the blanks and click connect. With luck you'll be connected to the office network via VPN and can do whatever you would normally do while in the office.
If the office VPN uses IPSec as its VPN protocol, or doesn't work with the built-in client, then you may need to install a separate VPN client. You should be able to get this from the network administrators, or you can try one of the third-party clients such as VPNTracker or DigiTunnel.
Access AFP, email, Remote Desktop via VPN and local network but NOT web
How can I do this? Right now I can set up all these services where I can access them via VPN only, but not on the local network or via the web. If I want to access them via the local network I have to open up the ports in the firewall, however this opens up access via the web (not requiring VPN) which I do NOT want. How do I remedy this?
Can connect via VPN, but can't access AFP server on same Xserve
Hi:
I've set up our XServe with MacOS X Server 10.5.2 to do AFP and VPN (L2TP only; PPTP is disabled). The XServe is a standalone server, not connected to any other directory server.
I can connect to the XServe's AFP server from my Mac over our wired and wireless network. The AFP server shows up in the sidebar of Finder windows. So far, so good.
I am able to successfully connect to our network via the VPN with Mac OS X 10.5.2 client (on two different machines) using L2TP through our network's firewall (on a Netopia T1 router; UDF ports 500 and 4500 and IP Protocol 50 and 51 are open) using a shared secret.
But I cannot connect to the XServe itself to use Server Admin or AFP (using afp://server.company.com or afp://xxx.xxx.xxx.xxx via the Go > Connect to Server command).
The error I get while connecting to the 10.5.2 AFP server is Some data in apf://server.mycompany.com could not be read or written (Error Code -36 ). I saw this error associated with a SMB problem in 10.4.x, but SMB is not running.
Other iChat users in my office also do not automatically show up in the Bonjour list when I connect to the network. Other computers on our network do not appear in the sidebar of a Finder window. (I'm told these are to be expected, as Bonjour isn't supported (in the "local area Bonjour" over a WAN link - it's purely a multicast feature on the network in the office, and won't be routed across the VPN link. True?)
Now, here's the odd part. There is a second server (v10.4.11) on our network running AFP. I can connect to it (using afp://server.company.com via the Go > Connect to Server command) and mount its various sharepoints via the VPN.
The only thing I see in the VPN log that seems amiss is this (but I have no idea what it means):
Tue Mar 11 23:09:27 2008 : Unsupported protocol 0x8057 received
--Both the 10.5.2 and the 10.4.11 servers have DNS properly configured (through our ISP; we're not running our own DNS).
--Both servers and the client have public IP addresses and have the same subnet mask. Network Utility confirms this while connected to the VPN.
--NAT is not running. The ISP is responding with public IPs for the servers.
--The firewall for the 10.5.2 server is not running (but will be once I get this all working).
--The IP address range for the VPN server doesn't overlap our DHCP pool (which also currently uses public IP addresses).
--Any user can access any service.
--No network routing definitions have been set up.
--In essence, I've followed the steps on Pages 141-142 of the Network Services Admin Guide.
One other note: After I connect, the Network Preferences > VPN > Advanced > TCP/IP window shows the IP address for the client just fine (assigned from the VPN pool), but lists the router as having the IP address of the XServe (rather than the router on the network). Is that normal?
I'm hoping I don't need to have the XServe run DNS as an internal LAN DNS server.... And I'm not sure why I would have to if I can already successfully connect to the 10.4.11 AFP server .
What simple step am I missing?
TIA,
mm
"I am able to successfully connect to our network via the VPN with Mac OS X 10.5.2 client (on two different machines) using L2TP through our network's firewall (on a Netopia T1 router; UDF ports 500 and 4500 and IP Protocol 50 and 51 are open) using a shared secret."
I suspect you mean UDP ports and you might need UDP port 1701 open too.
You only need IP protocol 50 (ESP); protocol 51 (AH) isn't used. And ESP is only used when client and server aren't behind NAT (when NAT is used only the UDP ports are used).
"Unsupported protocol 0x8057 received"
This is usually seen when you can't get GRE through but since you don't use PPTP I can't be sure why this is registered in the logs. Sometimes when connecting using PPTP you have to disconnect and then reconnect for everything to work - you might try this for L2TP too.
But if you already can reach services on any LAN nodes through the VPN I wouldn't bother with it.
As you have a firewall in front of the server you need a second alias IP on the server that you can use to get at the services running on the server through the VPN. The firewall blocks all ports/protocols not opened - that's why you can't use the server's main IP even if the VPN is up.
The netmask is used by all nodes to determine how big your subnet is: what part of the IP number is the network number and what range the node number is in => really: should traffic be directed to a node on the same LAN or sent directly to the gw/router for forwarding.
What you can't do is connect from a NATed network to another NATed network that both are using the same network number. (That's why people should stay away from using the "default" 192.168.0.0/24 and 192.168.1.0/24 networks for VPN server LANs).
Try your settings at http://www.jodies.de/ipcalc to see what I mean.
"...lists the router as having the IP address of the XServe (rather than the router on the network). Is that normal?"
Yes. The VPN server is the VPN gw/router.
"The firewall for the 10.5.2 server is not running (but will be once I get this all working)."
If you already have a firewall in front of your servers that is a bit redundant.
"--No network routing definitions have been set up."
"I'm hoping I don't need to have the XServe run DNS as an internal LAN DNS server"
You need routing definitions if you want to setup a split tunnel VPN or all traffic is routed through the VPN when connected. The VPN becomes the default gw.
Without ipforwarding ON in the server you can only reach nodes on the server LAN - not Internet.
DNS is needed for your servers' forward and reverse names/IPs for advanced services but doesn't need to run on any of your own servers.
If you decide to do a split tunnel VPN config (adding public and private routing definitions), a reachable DNS IP for VPN clients (in the VPN config on the server) is needed or they can't use names to find anything. To reach this DNS IP if it is public/not on your server LAN, you need your server to forward IP DNS lookups and have a routing definition for it.
A split tunnel VPN only sends traffic for your server LAN through the VPN and all other traffic directly to the local gw/router (Internet).
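As an added illustration of the netmask and overlapping-network points in the reply above (example code, not from the original post, using Python's ipaddress module and constructed sample addresses): a node compares the destination against its own subnet to decide between direct delivery and the gateway, and a VPN client whose home LAN overlaps the server LAN will treat far-side addresses as local and never send them into the tunnel.

```python
import ipaddress


def next_hop(src_ip, netmask, dst_ip):
    """Decide, as a node does, whether dst_ip is on the local LAN ('direct')
    or must be handed to the gateway/router for forwarding ('gateway')."""
    lan = ipaddress.ip_network(f"{src_ip}/{netmask}", strict=False)
    return "direct" if ipaddress.ip_address(dst_ip) in lan else "gateway"


def vpn_overlaps(client_lan, server_lan):
    """True when the VPN client's home LAN and the VPN server LAN share
    address space; the client then routes far-side addresses locally."""
    return ipaddress.ip_network(client_lan).overlaps(
        ipaddress.ip_network(server_lan))


def conflicting_client_lans(server_lan, client_lans):
    """Which of the given home LANs would conflict with a chosen server LAN."""
    return [lan for lan in client_lans if vpn_overlaps(lan, server_lan)]


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(next_hop("192.168.1.10", "255.255.255.0", "192.168.1.20"))  # direct
    print(next_hop("192.168.1.10", "255.255.255.0", "192.168.2.5"))   # gateway
    homes = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24"]
    # The "default" home-router ranges collide with a server LAN on 192.168.1.0/24
    print(conflicting_client_lans("192.168.1.0/24", homes))  # ['192.168.1.0/24']
    # A less common server LAN avoids the collision for these clients
    print(conflicting_client_lans("10.37.0.0/24", homes))    # []
```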
Windows 8.1 system unable to access network shares via VPN connection
Is there something inherent to Windows 8.1 that prevents it from accessing shares on a domain?
I know that it cannot join a domain, but does that also mean that it cannot access shares which are on a domain?
My problem is that I have several users that are running Windows 8.1 that are connecting to our network via a VPN.
The users have domain accounts, but their computers, running Windows 8.1, cannot be joined to the domain.
So to access network shares they have to use their domain credentials to create a VPN connection.
Once connected the user can RDP to systems on the domain using their domain accounts, so I know that their user names/passwords and permissions are correct. They can access these systems using the computer name, so I don't feel that I have a DNS issue.
They can see the shares on our file server, but when they try to access their department's shared file, they receive an access denied message. There are a few shares that are completely wide open, shared to all users and all departments, but they cannot access those shares either.
You can ping the file server from the client when they are connected to the VPN, but you just cannot access any of the shares.
So...
I am thinking that it has something to do with Windows 8.1 not being able to join a domain, but I cannot find anything to explicitly support this thought.
Other users running a variety of different OSes (Windows 7, OS X, Linux) can all access the shares without any problems via the VPN, so I am a little stumped.
I have done some more testing and oddly enough I can map a drive if I use the IP address, but not the computer name, when checking the check box "connect using different credentials" and providing the user's domain credentials.
This seems to point to a DNS issue, one would think, but I can hit the file share server by name \\fileserver.dev.lan
I can see all the shares, so DNS seems to be fine, right?
So I don't understand why I can map a drive using the IP address and not the machine name, yet I can see and ping the server by name?
When I try to create a mapped drive by machine name I receive the following message:
Windows cannot access \\fileserver.dev.lan\all
You do not have permissions to access \\fileserver.dev.lan. contact your network administrator to request access.
But if I use \\x.x.x.x\all with the very same user and password I get connected with no problem.
This only seems to happen on Windows 8.1, which leads me to think that it has something to do with the OS.
I am thinking about upgrading to Windows 8.1 Pro, but I don't want to go through the hassle and expense if the OS is not the problem.
Best way to access files on Xserve via VPN on iPad?
Can anyone tell me the best solution for accessing files housed on the company's Apple Xserve remotely via VPN from an iPad? Numbers / Pages etc.
thanks,
Rick
The iPad doesn't natively support file systems such as those on servers, but there are third-party apps that can allow this. FileBrowser is one often mentioned, so you might look into that. VPN will be a separate issue; iOS has a built-in VPN client which works with many VPN systems, but you'll need to see if yours is supported.
Regards.
Problem accessing an adjacent remote network over VPN (2 asa5505)
Hello all,
I have 2 ASA5505 (CORP and remote) connected via VPN. The remote site contains 2 subnets (192.168.1.0/24 and 192.168.0.0/24 (for remote VPN users)). The corp site has 192.168.2.0/24 directly connected to ASA5505 and an adjacent network connected via another device namely the 172.16.0.0/16 network.
I am able to ping site-to-site between 192.168.0 -> 192.168.2
and
192.168.1 -> 192.168.2
I am unable to ping from remote site to the 172.16 network however.
I added permit ACLs on both my NAT and CRYPTO ACLs, and when I am trying to ping the remote 172.16 network I get the following messages on my CORP ASA:
4 Aug 12 2007 02:59:52 400010 192.168.2.1 192.168.0.10 IDS:2000 ICMP echo reply from 192.168.2.1 to 192.168.0.10 on interface inside
reply is timing out though.
Any tips would be appreciated!
My ACLS:
REMOTE SITE:
#NONAT
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
#CRYPTO ACL
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
CORP SITE:
#CORP
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 172.17.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 200
nat (inside) 1 0.0.0.0 0.0.0.0
#CRYPTO ACL
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
Thanks in advance!
The config looks ok.
If you were trying to ping 172.16.x.x I don't see why the log would be what you displayed. Where are you pinging from, the remote site?
"4 Aug 12 2007 02:59:52 400010 192.168.2.1 192.168.0.10 IDS:2000 ICMP echo reply from 192.168.2.1 to 192.168.0.10 on interface inside"
Does the 172.16 network have a route to the 192.168.0.0 and 192.168.1.0 network?
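A crypto ACL that is not mirrored on the peer is a routine check when a site-to-site tunnel only carries some of the expected subnets. This added script (not from the thread or from Cisco) parses the two crypto ACLs posted above and reports each "permit ip" entry whose reversed source/destination pair is missing on the other side; it assumes the plain four-field "permit ip SRC MASK DST MASK" form shown in the post.

```python
import ipaddress
import re

# Crypto ACLs copied from the thread: remote-site ACL 100 and CORP ACL 105.
REMOTE_ACL_100 = """
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
CORP_ACL_105 = """
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

# Only the simple "permit ip SRC MASK DST MASK" ACE form used in the post.
ACE_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_crypto_acl(text):
    """Return (src_network, dst_network) pairs, one per matching ACE line."""
    pairs = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            src, smask, dst, dmask = m.groups()
            pairs.append((ipaddress.ip_network(f"{src}/{smask}"),
                          ipaddress.ip_network(f"{dst}/{dmask}")))
    return pairs


def unmirrored(local_text, peer_text):
    """ACEs in the local crypto ACL whose dst -> src reverse is absent on the peer."""
    peer = set(parse_crypto_acl(peer_text))
    return [f"{s} -> {d}" for s, d in parse_crypto_acl(local_text) if (d, s) not in peer]


if __name__ == "__main__":
    for side, local, peer in (("remote ACL 100", REMOTE_ACL_100, CORP_ACL_105),
                              ("CORP ACL 105", CORP_ACL_105, REMOTE_ACL_100)):
        for ace in unmirrored(local, peer):
            print(f"{side}: no mirror on peer for {ace}")
```

Run against the posted ACLs it flags only the two remote-side entries between 192.168.1.0/24 and 192.168.0.0/24, which are both local to the remote ASA and have no counterpart in CORP ACL 105; every 172.16.0.0/16 entry is mirrored correctly, consistent with the reply above.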