Advice needed for VPN connections
OK, to first describe what I'm looking at. We have a bookmobile that goes to 13 different locations within our county. At each stop we are using the service provider's DSL modem to connect to their network (we have two different providers and staff change the modem at each stop) and a Cisco 831 router to make a VPN connection to our PIX. We are using the router to make the VPN connection so that we can have two staff computers use internal network resources, i.e. library database, network drives, e-mail. We tried using the Cisco VPN client on the local machine, but when we have two clients going on two machines at the same time neither would work. So we let the router make that connection.
We are going to have two bookmobiles operating and I need to purchase another router to make the connection and I am wondering which router would be a better solution for us.
So for me the question is:
1) Should I keep things as they are and buy an 871 and have staff change modems as needed?
2) Should I get an 877/878 router and make configuration changes daily as needed? Staff have not been able to do this in the past. I've enough to do without this!
3) Up for any suggestions. Maybe SDM with a pretty GUI for staff to use. It seems Cisco's CLI was too much for them.
Thanks to all for any help
Systems A
No Nat-traversal is enabled.
When we tried multiple VPN connections it was through a DSL modem/router. This is why we went to a Cisco 831 router and had it make the secure connection to our PIX.
Thanks for your help
Similar Messages
-
Entering Correct info for VPN connection
Please suggest the correct configuration for entering information in order for my laptop to connect via VPN to my newly installed Leopard Server software. On my laptop, I have entered the following info on the System Preferences > Network tab...
Configuration: Default
Server Address: 76.173.xx.xxx (my public IP address - do I need anything else?)
Account name: XXXXXX (same as the account name in Server)
under Authentication Settings, my password is fine and my shared secret is the same as on the Server.
Am I entering everything correctly? I am most concerned as to how the server address is supposed to be written. Thanks!!
Hi
If AppleTalk is enabled server side and you simply enter the IP address, afp is assumed as the protocol to be used. If you prefer the extra effort involved in typing afp:// followed by the IP address you can use that as well. If you want to use the smb service rather than afp, simply type smb:// followed by the IP address. The same thing applies to ftp services. The Finder supports read only for ftp services.
If you are using VPN services you simply type in the private IP (LAN-side) address of the server rather than the public IP (WAN-side) address. Once a VPN connection has been established, the remote client behaves as if it is on the same LAN.
You can make a connection using the Public WAN address if you enable port forwarding to a single LAN IP address for services you are interested in. For example if you wanted to access your server remotely using afp you configure your router to forward requests for port 548 to the internal IP address of your server. You can use this method for as many services you like as well as how many your router supports. Most commercially available routers support 10-20. Depending on the router you may have to configure an appropriate firewall rule as well. When faced with that it makes more sense to use a single VPN connection.
I may be in danger of teaching granny to suck eggs, but for what it's worth, for VPN connections to work successfully the remote client's private IP address has to be different from the host site. For example, if the remote site is on 192.168.1.x/24, as is the server, then you won't establish a connection. As far as the remote site is concerned it's already connected to that network, why look elsewhere? 192.168.1.x/24 to 192.168.2.x/24 or 10.10.10.x/24 to 192.168.0.x/24 should result in successful VPN connections.
For a list of IP addresses reserved for private use:
http://www.iana.org/faqs/abuse-faq.htm#SpecialUseAddresses
Hope this helps, Tony -
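A small check for the overlap rule Tony describes, as an added example (not from the thread): it applies longest-prefix matching to say what happens when a remote client's LAN overlaps the server's LAN, and goes beyond the post by distinguishing full, partial and reverse overlap. The sample networks are constructed.

```python
import ipaddress
from typing import List, Optional


def route_verdict(client_lan: str, server_lan: str) -> str:
    """Classify what happens to traffic for server_lan from a client whose own
    LAN is client_lan once the VPN pushes a route for server_lan.
    Longest-prefix match decides: the more specific prefix wins."""
    c = ipaddress.ip_network(client_lan, strict=False)
    s = ipaddress.ip_network(server_lan, strict=False)
    if not c.overlaps(s):
        return "ok"                    # distinct prefixes, VPN route is unambiguous
    if c.prefixlen == s.prefixlen:
        return "fully_shadowed"        # identical LAN: every server host looks local
    if c.prefixlen > s.prefixlen:
        return "partly_shadowed"       # narrower local route hides part of the server LAN
    return "vpn_wins_over_local"       # VPN prefix is narrower; works, but local hosts in it vanish


def shadowed_hosts(client_lan: str, server_lan: str) -> int:
    """Number of server-side addresses the client can no longer reach via the VPN."""
    c = ipaddress.ip_network(client_lan, strict=False)
    s = ipaddress.ip_network(server_lan, strict=False)
    if not c.overlaps(s) or c.prefixlen < s.prefixlen:
        return 0
    return c.num_addresses  # c lies inside (or equals) s here, so its whole range is hidden


def pick_server_lan(candidates: List[str], remote_lans: List[str]) -> Optional[str]:
    """First candidate that is private-use space and clear of every remote LAN
    the clients are expected to connect from."""
    remotes = [ipaddress.ip_network(r, strict=False) for r in remote_lans]
    for cand in candidates:
        n = ipaddress.ip_network(cand, strict=False)
        if n.is_private and not any(n.overlaps(r) for r in remotes):
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample: the server LAN from the post and a few client LANs.
    for client in ("192.168.1.0/24", "192.168.2.0/24", "10.10.10.0/24", "192.168.1.0/25"):
        print(client, "->", route_verdict(client, "192.168.1.0/24"),
              shadowed_hosts(client, "192.168.1.0/24"), "hosts hidden")
    print(pick_server_lan(["192.168.1.0/24", "192.168.0.0/24", "10.42.7.0/24"],
                          ["192.168.1.0/24", "192.168.0.0/24"]))
```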
Unable to set manual IP address for VPN connection
Recently a VPN connection with a client stopped working. They changed phone companies and changed some of the IP addresses.
After alerting them I could no longer log in, I received the new server address which I can log in with it,
BUT my computer is assigned a dynamic address that is already in use on their network. This causes my computer to *not* be connected to their network, even though I am inside their firewall; therefore I cannot adjust the database files I need to.
I have tried to set the VPN (PPTP) connection TCP/IP address IPv4 manually, using the static address they just gave me. But each time I connect, [I believe] their router assigns me an address that is already in use.
They do not use IPv6.
Can anyone give me direction on how to make the manual IP address *stick*?
The tech person at the site keeps telling me it is a problem with my "Mac, because with Windows.... blah, blah, blah".
I am pretty sure this is not the case and in fact I was the one who let her know I was receiving a duplicate address.
Your VPN expertise is really appreciated.
Thanks in advance,
Michele
Hi,
Please make sure the ad hoc connection IP address is in the same range as your local connection. In addition, how about recreating the ad hoc connection for a test? Please have a try.
If problem persists, please use Network troubleshooter in Action Center to fix this problem for test.
Roger Lu
TechNet Community Support -
Trying to set a delay in an Applescript for VPN connection
I need to be able to set some routes upon opening a particular VPN connection so I did some searching and found a really simple Applescript that does the job. Problem is it tries to set the routes before the VPN actually connects so the routes don't go in.
I added in a 10 second delay which does the trick, but I'm thinking there has to be a way to do this that waits until the VPN actually connects before continuing - so if it takes 5 seconds or 10 or whatever, it waits.
The other thing I'm doing that I think is bad is I'm sending a route delete command before sending the add command. Why? Because if I don't and for some reason the route is partially in the table, it doesn't give an error and ends up not routing. Again, probably a better way to do this.
Here is my current script:
-- Connect Work VPN
tell application "System Events"
tell current location of network preferences
set VPNservice to service "Work" -- name of the VPN service
if exists VPNservice then connect VPNservice
end tell
end tell
delay 10
set gateway to "x.x.x.x" -- omitted here for security
do shell script "route delete 192.168.25.0/24 " & gateway with administrator privileges
do shell script "route delete 192.168.20.0/24 " & gateway with administrator privileges
do shell script "route add 192.168.25.0/24 " & gateway with administrator privileges
do shell script "route add 192.168.20.0/24 " & gateway with administrator privileges
Any suggestions??
Thanks.
You might want to try asking in the AppleScript forum under OS X Technologies.
I don't have any VPN connections so can't test anything, but the AppleScript dictionary for System Events indicates that the configuration property of a service has a boolean property "connected". So just run a loop with, say, a 1 second delay until this property becomes true. Presumably it would be something along the lines of:
tell application "System Events"
tell current location of network preferences
set VPNservice to service "Work" -- name of the VPN service
if exists VPNservice then connect VPNservice
repeat until (connected of current configuration of VPNservice)
delay 1
end repeat
end tell
end tell
set gateway to "x.x.x.x" -- omitted here for security
do shell script "route delete 192.168.25.0/24 " & gateway with administrator privileges
do shell script "route delete 192.168.20.0/24 " & gateway with administrator privileges
do shell script "route add 192.168.25.0/24 " & gateway with administrator privileges
do shell script "route add 192.168.20.0/24 " & gateway with administrator privileges -
Making Application deployment working for VPN connection
Hi Guys,
I am trying to deploy an application to users' machines which are connected to VPN.
I don't have any idea whether there is any HTTPS connection my SCCM will support. If it is failing, what is the series of steps I need to follow to enable deployment via VPN connection?
Please suggest.
If clients are connected through VPN, they will work exactly as any other client you have on your LAN.
Just make sure that you also specify a boundary for your VPN clients, like you do with your LAN clients.
Ronni Pedersen | Microsoft MVP - ConfigMgr | Blogs:
www.ronnipedersen.com/ and www.SCUG.dk/ | Twitter
@ronnipedersen -
Help needed for VPN IPSEC configuration.
Hi There,
I'm trying to set up an IPsec VPN connection in my GNS3 lab and all the show commands and debugs do not seem to give me any clues of what is wrong or missing... can someone please help me in troubleshooting my VPN config? Below is the config of router 1
R1#sh run
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key 6 cisco123 address 200.20.1.1
crypto ipsec transform-set CISCO_SET esp-des esp-sha-hmac
crypto map VPN_map 10 ipsec-isakmp
! Incomplete
set peer 200.20.1.1
set security-association lifetime seconds 190
set transform-set CISCO_SET
match address INT_TRAFFIC
interface Loopback1
ip address 172.16.1.1 255.255.255.255
interface Loopback2
ip address 172.16.1.2 255.255.255.255
interface FastEthernet0/0
ip address 200.11.1.1 255.255.255.252
ip ospf 1 area 0
duplex auto
speed auto
crypto map VPN_map
router ospf 1
log-adjacency-changes
network 172.16.0.0 0.0.255.255 area 0
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 200.11.1.0 mask 255.255.255.252
neighbor 200.11.1.2 remote-as 65030
no auto-summary
ip forward-protocol nd
ip http server
no ip http secure-server
ip access-list extended INT_TRAFFFIC
permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255 log
end
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
R1#show crypto ipsec sa
nill.......
R1#sh debugging
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto Engine debugging is on
Crypto IPSEC debugging is on
settlement:
memory tracing is on
R1#sh ip route
Gateway of last resort is not set
200.20.1.0/30 is subnetted, 1 subnets
B 200.20.1.0 [20/0] via 200.11.1.2, 01:28:21
200.11.1.0/30 is subnetted, 1 subnets
C 200.11.1.0 is directly connected, FastEthernet0/0
172.16.0.0/32 is subnetted, 2 subnets
C 172.16.1.1 is directly connected, Loopback1
C 172.16.1.2 is directly connected, Loopback2
R1#ping 200.20.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.20.1.1, timeout is 2 seconds:
Cheers,
Fabio
Thanks guys for getting back to me.
I found one problem!!!! The ACL spelling, it's been fixed....
crypto map VPN_map 10 ipsec-isakmp
! Incomplete
set peer 200.20.1.1
set security-association lifetime seconds 190
set transform-set CISCO_SET
match address INT_TRAFFIC
ip access-list extended INT_TRAFFFIC
permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255 log
Now when I do "sh crypto ipsec sa" sure enough I can see the VPN output
interface: FastEthernet0/0
Crypto map tag: VPN_map, local addr 200.20.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
current_peer 200.11.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 200.20.1.1, remote crypto endpt.: 200.11.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
sh isa
and
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
200.20.1.1 200.11.1.1 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
and for the last
R1#ping 192.168.1.1 source 172.16.1.1 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
Success rate is 100 percent (10/10), round-trip min/avg/max = 36/62/80 ms
Hey Brian I put that OSPF to run for troubleshooting purposes but I confess it was very silly....
Thanks guys, all fixed, and it's so good every now and then to brush up your Cisco skills... don't you reckon??
Cheers,
Fabio -
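An added example (not from the thread): a small linter for the crypto map references in an IOS config like the one above. Run on the R1 excerpt it would have caught the INT_TRAFFIC/INT_TRAFFFIC mismatch before the debug session; the weak-cipher check is an extra the thread does not discuss. The sample config below is the crypto-relevant part of the posted "sh run".

```python
import difflib
from typing import Dict, List, Set, Tuple

# Sample input: the crypto-relevant lines of the R1 "sh run" posted above,
# including the ACL name typo the thread eventually found.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key 6 cisco123 address 200.20.1.1
crypto ipsec transform-set CISCO_SET esp-des esp-sha-hmac
crypto map VPN_map 10 ipsec-isakmp
 ! Incomplete
 set peer 200.20.1.1
 set security-association lifetime seconds 190
 set transform-set CISCO_SET
 match address INT_TRAFFIC
interface FastEthernet0/0
 ip address 200.11.1.1 255.255.255.252
 crypto map VPN_map
ip access-list extended INT_TRAFFFIC
 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
end
"""

# Transforms a defender would not accept in a new tunnel: DES is brute-forceable,
# 3DES is deprecated by NIST, esp-null provides no confidentiality at all.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null"}


def parse_crypto_config(config: str):
    """Collect ACL names, transform-sets, pre-shared-key peers, crypto map
    entries and the map names applied to interfaces. Indentation is ignored,
    since pasted configs usually lose it; a map block ends at the first line
    that is not a 'set' or 'match' sub-command."""
    acls: Set[str] = set()
    tsets: Dict[str, List[str]] = {}
    key_peers: Set[str] = set()
    maps: Dict[Tuple[str, int], Dict[str, str]] = {}
    applied: Set[str] = set()
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if current is not None and tok[0] in ("set", "match"):
            if tok[:2] == ["set", "peer"]:
                current["peer"] = tok[2]
            elif tok[:2] == ["set", "transform-set"]:
                current["tset"] = tok[2]
            elif tok[:2] == ["match", "address"]:
                current["acl"] = tok[2]
            continue
        current = None
        if tok[:3] == ["ip", "access-list", "extended"]:
            acls.add(tok[3])
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[tok[3]] = tok[4:]
        elif tok[:3] == ["crypto", "isakmp", "key"] and "address" in tok:
            key_peers.add(tok[tok.index("address") + 1])
        elif tok[:2] == ["crypto", "map"] and len(tok) >= 5 and tok[4] == "ipsec-isakmp":
            current = maps.setdefault((tok[2], int(tok[3])), {})
        elif tok[:2] == ["crypto", "map"] and len(tok) == 3:
            applied.add(tok[2])  # 'crypto map NAME' inside an interface block
    return acls, tsets, key_peers, maps, applied


def lint_crypto_config(config: str) -> List[str]:
    """Return human-readable findings for dangling references and weak ciphers."""
    acls, tsets, key_peers, maps, applied = parse_crypto_config(config)
    findings: List[str] = []
    for (name, seq), entry in maps.items():
        where = f"crypto map {name} {seq}"
        acl = entry.get("acl")
        if acl is None:
            findings.append(f"{where}: no 'match address', nothing will be encrypted")
        elif acl not in acls:
            hint = difflib.get_close_matches(acl, sorted(acls), n=1)
            suffix = f"; did you mean {hint[0]}?" if hint else ""
            findings.append(f"{where}: match address {acl} references an undefined ACL{suffix}")
        tset = entry.get("tset")
        if tset is None:
            findings.append(f"{where}: no transform-set")
        elif tset not in tsets:
            findings.append(f"{where}: transform-set {tset} is not defined")
        else:
            weak = [t for t in tsets[tset] if t in WEAK_TRANSFORMS]
            if weak:
                findings.append(f"{where}: transform-set {tset} uses weak algorithms: {', '.join(weak)}")
        peer = entry.get("peer")
        if peer is None:
            findings.append(f"{where}: no peer")
        elif peer not in key_peers:
            findings.append(f"{where}: no pre-shared key configured for peer {peer}")
        if name not in applied:
            findings.append(f"{where}: map {name} is not applied to any interface")
    for name in applied - {n for n, _ in maps}:
        findings.append(f"interface: crypto map {name} is applied but never defined")
    return findings


if __name__ == "__main__":
    for finding in lint_crypto_config(SAMPLE_CONFIG):
        print(finding)
```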
Zone Based Firewall for VPN connections does not work after IOS upgrade
Hi all,
We use a Cisco 2911 router as corporate gateway with a Zone Based Firewall implemented. I upgraded IOS to the latest version (15.2(2)T1), originally version 15.1(4)M1, to solve an issue with AnyConnect connections (bug CSCtx38806), but I found that after the upgrade the VPN users are not able to communicate with resources in other zones.
More specific
WebVPN use this virtual template interface
interface Virtual-Template100
description Template for SSLVPN
ip unnumbered GigabitEthernet0/1.100
zone-member security INSIDE
There are other zones VOICE, LAB, ...
In the policy any connection is allowed (used inspection of icmp, tcp and udp) from INSIDE zone to VOICE or LAB zone
After VPN connection I am able to reach resources in INSIDE zone (which is the most important), but not in other zones. Before upgrade it worked.
Once I changed the zone on the Virtual-Template interface to VOICE, I was able to reach resources in the VOICE zone but not in any other. I searched more and found the stateful firewall is not working for connections from VPN, as ping is blocked by policy on the return path, i.e. by the policy VOICE->INSIDE. Once I allowed communication from the "destination" zone to the INSIDE zone the connections started to work, but of course it is not something I want to set up.
Does anybody have the same experience?
Regards
Pavel
It seems to me I should add one important note: if a client is connected directly in the INSIDE zone, he can reach resources in other zones without any issue, so the problem is only when the client is connected by VPN, not in the ZBF policy setup.
Pavel -
Traffic only allowed one-way for VPN connected computers
Hello,
I currently have an ASA 5505. I have set it up as a remote access SSL VPN. My computers can connect to the VPN just fine. They just can't access the internal LAN (192.168.250.0). They can't ping the inside interface of the ASA, or any of the machines. It seems like all traffic is blocked for them. The strange thing is that when someone is connected to the VPN, I can ping that VPN-connected machine from the ASA and other machines inside the LAN. It seems the traffic is only allowed one way. I have messed with ACLs to no avail. Any suggestions please?
DHCP Pool: 192.168.250.20-50 --> For LAN
VPN Pool: 192.168.250.100 and 192.168.250.101
Outside interface grabs DHCP from modem
Inside interface: 192.168.1.1
Current Running Config:
: Saved
ASA Version 8.2(5)
hostname HardmanASA
enable password ###### encrypted
passwd ####### encrypted
names
interface Ethernet0/0
switchport access vlan 20
interface Ethernet0/1
switchport access vlan 10
interface Ethernet0/2
switchport access vlan 10
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
switchport access vlan 10
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan10
nameif inside
security-level 100
ip address 192.168.250.1 255.255.255.0
interface Vlan20
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.250.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.250.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.250.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 8.8.8.8
dhcpd address 192.168.250.20-192.168.250.50 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPN_Pool
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:30fadff4b400e42e73e17167828e046f
: end
Hello,
I seem to be having the same kind of issue, although I cannot ping from either end.
I've set up an L2TP/IPsec VPN which I am able to connect to and get an IP from my IP pool (RADIUS authentication is working).
I tried running:
access-list NAT_0 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NAT_0
but I get an error msg saying that the syntax of the nat command is deprecated. I'm running ASA version 8.4.
I've fiddled around a bit to find the correct syntax but have been unsuccessful so far.
Any help would be much appreciated
This is a part of my config:
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network AD1
host 192.168.1.31
description AD/RADIUS
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network vpn_hosts
subnet 192.168.2.0 255.255.255.0
access-list AD_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list split-acl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_0_outbound extended permit ip object NETWORK_OBJ_192.168.1.0_24 object vpn_hosts
ip local pool POOL2 192.168.2.2-192.168.2.10 mask 255.255.255.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.1.0_25 NETWORK_OBJ_192.168.1.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.0_25 NETWORK_OBJ_192.168.1.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static vpn_hosts vpn_hosts
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ########## 1
no vpn-addr-assign aaa
no vpn-addr-assign dhcp -
Hi,
If we have a LAN to LAN VPN between two Cisco firewalls and allowed the service as IP (IPsec tunnel), do we need an individual access-list in the security policy? (I had a similar case where I had to put in an entry on the security policy for port 16000 between the two subnets used on the LAN to LAN firewalls.)
I was under the impression the security policy applies only for non-VPN traffic and for VPN traffic we need to specify on the IPsec tunnel (under the tab service).
Thanks
There are two ways you can filter traffic which is moving over VPN.
1) Filter at source; of course ACLs are required.
For example the crypto ACL allows Site A 10.0.0.0/24 to Site B 20.0.0.0/24, but traffic can be filtered at the interface where 10.0.0.0/24 is configured. Let's assume port 80 we want to deny.
ACL would be -- access-list XXX extended deny tcp 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0 eq 80
permit any any
access-group xxxx in inside
So this will deny port 80 and permit rest of the traffic.
2) You can configure a VPN filter, which is called under group policy.
Thanks
Ajay -
Advice needed for alternative to HH3 adsl
Hi all
I am having problems with my HH3 and need to replace it
I am looking for an alternative such as a TP-Link.
My needs are quite simple, but it must have a good WiFi range. I live in a fairly isolated rural spot and am not likely to be able to ever get Infinity / cable in the near or even distant future, so I am stuck with basic broadband, on which I get quite a reasonable download speed of approx. 8 Mbps.
any suggestions ?
IE I want something better than HH3
Regards
Mike
What about this one? It's used by other forum members.
TP-LINK TD-W8960N 300 Mbps Wireless N ADSL2+ Modem Router for BT Connections £26.99 Amazon
Guide is here.
http://forumhelp.dyndns.info/hardware/TP_link/wa8960/adsl/td8960adsl.html
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones. -
Check for VPN Connection Exists
Hello
I am working on a Windows Store app for Enterprise. This app will require internet and VPN connection to get data. I have found a way to check for internet access. However, I am not sure how to check if there is a VPN tunnel available. If VPN is available then I can make a call to a WebService and get data. If there is no VPN then the WebService call will fail [after about 10-15 seconds]. I can assume that if the WebService call fails that means there is no VPN, but there must be another way to find this out before even calling a Service.
Please help.
Thanks
Bevan
We're using Microsoft DirectAccess rather than a VPN but I think this is worth sharing anyway.
Rather than calling a web service I'm just using the HttpClient's GetAsync() method to call a small file hosted on an internally hosted web server. This minimises the payload as much as possible, which may be important if your users are connected using devices with 3G/4G with a data limit.
I'm wrapping the call in a Stopwatch to get a rough idea of the round robin request/response and visualising that for the users so they know how good their connection to the corporate network is. This info is far more useful than the WiFi/Mobile signal bars.
Stopwatch stopWatch = new Stopwatch();
stopWatch.Start();
HttpClient httpClient = new HttpClient();
HttpResponseMessage response = await httpClient.GetAsync(nslUri);
response.EnsureSuccessStatusCode(); // -- throw exception if not a success code
stopWatch.Stop();
TimeSpan ts = stopWatch.Elapsed;
This might also be of interest...
https://msdn.microsoft.com/en-us/library/windows/apps/xaml/windows.networking.vpn.aspx -
Hi all, can anyone tell me the normal way of setting up a VPN connection, where we have a router terminating the internet link, and a Cisco PIX behind it?
you can try a very simple Easy VPN configuration in this document.
http://www.cisco.com/application/pdf/en/us/guest/products/ps6659/c1650/cdccont_0900aecd80313bdf.pdf
hope this helps.
rate this post. -
OS X Server setup advice needed for small business
I work as audio engineer at a recording studio. I'm an experienced Mac user, but I don't have Mac Server experience. I'm my company's default IT guy. Our office consists of four people, currently using PCs, but we are changing to a Mac-based office: each person will get an iMac, and we'll also get a Mac Mini with OS X Server. And a Time Capsule for both the Apple router and Time Machine backups. The machines will be connected with ethernet for Gigabit networking.
The server will be used primarily for two things:
1. Server-based scheduling/contact database program that each user will log-in to for access
2. Hard drive for storing audio files that will be delivered to clients (currently FTP delivery)
I'm learning about OS X Server services; there are some great YouTube tutorials by Todd Olthoff: http://www.youtube.com/user/tolthoff.
The office users currently run their computers as independent PC's with all files stored on their local machines. The network lets them share files, as well as share two printers. Note that my plan is for each office user to continue to store their files locally on the iMacs, not on the server.
I'm trying to decide how much of OS X services I can take advantage of.
I have some specific questions I'm hoping to get some advice on. These questions came up after viewing Todd's tutorials:
1. Do I need Open Directory
I think I do, in order to create local network users. Is this a given for me?
2. We do not have a static IP address. Do I need to establish DNS services?
3. Do I need a verified SSL Certificate?
This is what I have for starters. Any additional advice is welcome!
Bob Kirschner wrote:
2. Hard drive for storing audio files that will be delivered to clients (currently FTP delivery)
Remember that ftp is wildly insecure, and a very large ftp credentials dump — reportedly including credentials from the New York Times and some other users — was just posted. ftp is a massive pain in the rump around modern networks; the protocol design predates the ubiquitous use of firewalls in modern networks.
Read: I'm not a fan of ftp.
Use sftp or VPNs where you can.
1. Do I need Open Directory
I think I do, in order to create local network users. Is this a given for me?
If you want to start using the same login across different Macs in your office, then you want OD.
2. We do not have a static IP address. Do I need to establish DNS services?
You need local DNS services on your LAN (probably established via OS X Server), and you'll need external DNS to allow external folks to get to your file servers, and you'll need static IP from your ISP. If you get to using your own mail, you'll need a proper DNS configuration — forward and reverse DNS translations and the MX record must all match — for that.
3. Do I need a verified SSL Certificate?
Unless you're serving HTTPS or such, no. You don't even need a certificate and can use a self-signed one, if you're small and not serving much publicly from this server, and not doing something like ecommerce, and if whatever you're doing isn't a target for those that want to spoof or crack web sites; if you're not more of a target than most of the rest of us on the 'net.
Any additional advice is welcome!
I'd probably look to add a VPN-capable firewall router box here, and would use the Time Capsule as a so-called Access Point on the network — not as a NAT-capable gateway router. This if you don't already have a router of some sort. Time Capsule makes a nice home router or low-end SOHO router, but it's fairly limited in its features.
You absolutely need LAN-local DNS, and you need that correct and working and tested before you enable other services on your network.
I'd recommend using a real and registered domain on your internal network, and using a separate (and registered) domain outside your network. You can get away with using a subdomain inside, but that means more typing as it's just longer. I'd avoid a made-up domain, as ICANN is adding all sorts of new domains. I'd also avoid squatting on a domain, and never use the .local top-level domain as your own DNS domain. Leave .local to Bonjour only. -
Advice needed for backup strategy for office
My office is switching from PC to Mac (yay!) and I'm in charge of setting up the system. We'll be using 4 iMacs and a Mac Mini Server with ethernet connections. I'd like to ask what is recommended for backing up these computers.
My thought would be to back up the iMacs separately from the server - is this definitely the way to go?
I'm thinking to get a 3TB Time Capsule for the 4 iMacs so that Time Capsule will do automatic backups.
- Is it OK to have 4 iMacs backup to one Time Capsule like this?
As for the Mac Mini server, I'm not sure how to best back it up.
Since it has two 1TB drives, I'm thinking of using one drive for data and having it automatically backup to the other internal drive. Any thoughts on this idea?
Or, it is possible to connect an external USB drive to the Time Capsule's USB port, and have Time Machine backup the server to the external drive?
Any advice is greatly appreciated!
The TC is really a home solution.
For business I think you should consider something extra.
Although 4 computers and a server is not a big setup, it is worthwhile doing a more professional backup and use something more professional than Time Machine.
For instance..
http://www.retrospect.com/au/products/mac
I have not used it.. but I see it recommended in business / larger installs. It is not cheap but well worth considering.
I would not use the internal disk of the server for backup.
As for the Mac Mini server, I'm not sure how to best back it up.
Since it has two 1TB drives, I'm thinking of using one drive for data and having it automatically backup to the other internal drive. Any thoughts on this idea?
You can RAID the two disks if you don't need the capacity.
But backup to a USB drive plugged in.. USB3 drives are cheap and speedy. Much more reliable than using network drives.
RAID for integrity of working data.. backup to separate change-over disks.
So weekly you change over the USB drive for backup and store the other one at home.
I'm thinking to get a 3TB Time Capsule for the 4 iMacs so that Time Capsule will do automatic backups.
- Is it OK to have 4 iMacs backup to one Time Capsule like this?
You can do this.. It is fine to have 4 Macs backup to it. But if you are not using the wireless router it is a waste.. you can just backup over network to the server.. TM works fine on network.
You can buy another 3TB USB drive for backup of the clients.. normally though you want all the working data on the server and back that up. You are thinking a more peer to peer model.. once you introduce the server you can work on a more server client model where the current files are held on the server. -
Urgent: Advice needed for buying my first RAID
Hi,
I am looking to place an order today as I have a pile of editing to get through - so I would love to hear your recommendations!
First of all I am a networking and RAID newbie so don't go all acronym and geek-speak-tastic on me or I won't have a clue what you are talking about. Seriously I don't know my NAS from my elbow!
My requirements are:
1. Suitable for working with HDV
2. 2TB of storage
3. Must work with PowerMac G5 2GHz Dual (later model)
4. Must support RAID 5
5. RAID must be controlled by hardware (on RAID box or via PCIe card)
The following have been suggested - has anyone used them?:
Opt1: http://www.enhance-tech.com/products/desktop/t4_cr.html
(Would probably need to put an eSATA card in my Mac but RAID control is on the box.
Only goes to 80MB/sec - is this good enough for working with ProRes 422? I am looking to convert my HDV to ProRes 422 before output to mpeg2 as I believe this can give better results.)
Opt2: http://www.g-technology.com/Products/G-SPEED-eS.cfm
(Would need to put a RAID controller in my Mac so not so good for connecting to other Macs.)
But I found this and was wondering if it was also suitable (as its cheaper!):
Opt3: http://www.thecus.com/products_over.php?cid=11&pid=28&PHPSESSID=091b7808cfa54754383932fc512ea056
(Would connect by 1Gb/sec Ethernet to my Mac. RAID controller on the box. Someone said stay away from Ethernet but I don't understand why?)
Any advice gratefully received. I need to make a decision real quick!
Keep it mellow, B.
It appears that you need to step back and rethink your business. Heck, we don’t even know that you have a business. What you’re up to might just be personal editing. So I apologize if what I’m about to say overestimates you or underestimates you.
FORMAT
You say, “suitable for working with HDV”, but you don’t say whether you MUST work with HDV. As others in this thread have pointed out, HDV is a “poor man’s Hi-Def”. It compresses images so diabolically in Long GOP that image quality suffers, and, as Shane points out, “the long GOP format is very complex and takes a LOT of time to do things.”
The other extreme is recording and editing in 1080i/p at 4K. Very few people in this world demand extreme quality. So, the best format overall is DVCPro HD. Today, DVCPro HD cameras cost only about a third more than the next nearest HDV. What’s more important, to me, is that DVCPro allows you to move away from having to use tape at all. It’s the year 2008 (almost). Tape is over. If it’s too late to sell your camera and switch, then so be it.
STORAGE
You say, “2TB of storage”. For HD work, that’s a bare minimum. My recommendation is to get a 4-tray or 5-tray box with room to grow, even though the extra trays will remain empty your first 6-12 months.
Buy an empty enclosure that you can populate with your own drives. That way, you can use 1TB bare drives. (Don’t buy anything smaller.) You can put together a stack of 5 1TB drives in an eSATA RAID box for less than $2,000.
RAID
You say, “PowerMac G5 2GHz Dual...via PCIe card”. You mean PCIx card. PCIe is for Intel Macs.
You write, “I want RAID (esp. RAID 5... If a drive fails I want to simply be able to swap a new drive in, restore, and be under way again.” But several of your comments indicate that you really don’t need in-line failsafe. For that reason, let me recommend mirroring or something even simpler: a backup drive.
JBOD (Just a Bunch Of Disks) treats each drive in your stack as a separate volume. So, what you see on your desktop is Drive_01, Drive_02. If you subtract the cost for the RAID controller (in the box or in your PCI slot), you can afford to buy TWO plain JBOD boxes, and maintain one as redundant. That satisfies your, “If a drive fails I want to simply be able to swap a new drive in, restore, and be under way again.” In fact, you can skip the “restore” part.
Ken Summerall wrote: “If you are shooting HDV then you have the tapes, those are your backups. If a drive goes down you recapture.”
You responded, “that is not the same as having redundancy of data - and simply being able to swap in a new drive and do a restore.”
You make it sound as though you expect this to happen once a week. It won’t. Backup is good enough. That kind of “time saved” once every year or two isn’t worth it.
SATA vs. FIREWIRE
Again, it’s the year 2008 (almost). Why would you want FireWire? Apple is being so stubborn, pretending that eSATA does not exist, because it has so much invested in its FW technology. But even Apple will be forced to come around in its next models.
While we’re talking about it, the claimed 80MB/sec for the Enhance T4 CR probably refers to the FireWire and USB interfaces, not to the SATA.
ENCLOSURE SHARING
You write, “I also wanted to use the same RAID box with a Macbook Pro. So how would two Macs share the same RAID box?”
What kind of sharing do you mean? If you mean that you and your partner can access the same video simultaneously in adjoining rooms, then you need FibreChannel. But, as Shane points out, “...a Fibrechannel setup, then an XServe Server...is NOT cheap.”
As Ken writes, “You can get an eSATA card for your G5 and an ExpressCard for your MBP and share the box. With this you could get a Kona or Blackmagic card and capture your footage as DVCProHD and also have a way to monitor your HDV footage.”
Amen.
VENDORS
G-SPEED is reliable, with good support. Caldigit has a platinum reputation. Of course, there are MaxxDigital, Sonnet and Dulce Systems.
Enhance is the new kid on the block, and they are significantly less expensive with, in my experience so far, excellent build quality and quick (human) response. They manufacture in Taiwan, but they’re headquartered in -- and ship out of -- Lower California. So they don’t talk to you in Taiwanese as the cheap enclosure sites do.
So there.
Message was edited by: Al Hatch