Advice on Fixing/Setting Up Mac Server behind Router

I would like advice on how to set up/fix a Mac Snow Leopard (10.6.8) server running on an Xserve. The server is only used to host network accounts / act as a remote drive for a Mac-based laboratory. It is not a mail server, web server, etc. The goal is to enable (i.e., force) students to keep all of their documents on the server while accessing them easily from any computer, ideally from any point in the world.
The current setup is:
Linksys router (192.168.1.1) connects WAN (address WWW.WW.WWW.WWW) to LAN with both DMZ and local DNS pointing to the server address (192.168.1.55)
Snow leopard server at 192.168.1.55
Client macs and pcs with various local addresses 192.168.1.XXX
From the LAN side, this setup works well in that all of the client Macs (from PowerPCs running 10.5 to brand new machines running 10.8.4) have no problem accessing their network accounts. They can also access the outside world seamlessly. The server can be administered using Screen Sharing from client machines running recent versions of Mac OS (e.g., 10.8.4).
From the WAN side, some things work but others don't:
– Macs can access the server using AFP://WWW.WW.WWW.WWW, although VPN needs to be running if we are off-campus.
– Macs CANNOT log in to the Network Account Server when outside the LAN. If I go to "Users & Groups", "Login Options" and enter the server address WWW.WW.WWW.WWW, I get "unable to add server" with a "Connection failed to the directory server (2100)" error message.
– I can no longer log in to the server using Screen Sharing. (This worked a few months ago, so I am not sure why this is failing.)
– I worry that opening a DMZ to the server is unnecessary from a security standpoint, and I would be better off with port forwarding specific ports (but which ones?)
I am open to new configurations if necessary, but I suspect this is something straightforward. I am also happy to RTFM for either the server or the router, but I'd like some guidance as to what is feasible/preferred. Specifically, I would particularly like students to be able to login to the Network Account Server from outside the LAN.
The server does not do anything else (e.g., mail, web hosting).
Although we do have an IT support group in-house, their opinion seems to be that computers are security risks that should not fall into the hands of users. The mere mention of Apple products sets off a rant.
Thank you for your advice and suggestions.

I usually use either telnet (non-SSL/TLS ports) or openssl s_client (SSL/TLS ports) or maybe nc (for scanning ranges of TCP and UDP ports) to check access to specific ports from the command line, though it's very simple to run a port scan via Network Utility for this case. Launch that remotely, and see what your client can see.
Here is a list of the ports used by Apple (TS1629). For Open Directory, you'll need at least TCP 389 or preferably 636 punched through your gateway and your local firewall, if you're not VPN'ing in. If you're using your own DNS, you'll need TCP port 53 open (and this is mildly hazardous to your bandwidth, as more than a few folks are using DNS servers as part of DDoS attacks; they'll spoof queries and cause your DNS servers to send a reply at somebody else as part of the DDoS. The DNS servers really need to be locked down against this dreck.)
You may also need to aim your client's DNS explicitly at your own DNS server, if you're using a private domain and a private IP address space; if your servers don't have public IP addresses and public names.
Personally, I generally wouldn't expose the Open Directory ports to the 'net, or most anything else for that matter.   I'd usually VPN into the network, and "DMZ" the web-facing stuff where I can.  Too much weird cruft is hitting the firewalls I'm monitoring, undoubtedly looking for weaknesses and vulnerabilities.  Using the VPN services isn't a panacea, but does mean your traffic is hidden from most monitoring, your servers' ports and services are relatively protected, your DNS services are your own, and your exposure is largely limited to the VPN server access.
For the remote clients, I'd use Portable Home Directory for the wandering devices, or straight OD via VPN.
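A worked version of the check described in this answer, added here as an example and not part of the original thread: a small Python audit that does what the telnet / openssl s_client / nc sequence does by hand, from outside the LAN, and then compares what is reachable against the services you actually meant to expose. That comparison is what turns a "DMZ everything" setup into a concrete list of ports to close and ports to forward. The service-to-port table covers the services mentioned in this thread, taken from Apple's port list (TS1629); the WAN address, the wanted-service list and the test address 203.0.113.10 are assumptions, and the probe function is injectable so the classification logic can be exercised without a network.

```python
"""Port-exposure audit for a server behind a gateway.

Run from OUTSIDE the LAN against the gateway's WAN address. Every TCP port in
SERVICES is probed; the result is classified against the set of services you
intend to expose, so a DMZ that forwards everything shows up as "exposed"
ports you never asked for, and a missing forward shows up as "missing".
"""
import socket
import ssl

# Service ports from Apple's port list (TS1629). UDP entries are listed so the
# report shows them, but a TCP connect cannot confirm a UDP forward.
SERVICES = {
    "ssh":         (22,   "tcp"),
    "dns":         (53,   "tcp"),
    "ldap":        (389,  "tcp"),   # Open Directory, cleartext
    "ldaps":       (636,  "tcp"),   # Open Directory over TLS (preferred)
    "afp":         (548,  "tcp"),
    "vnc":         (5900, "tcp"),   # Screen Sharing
    "pptp":        (1723, "tcp"),
    "ike":         (500,  "udp"),   # L2TP/IPsec VPN
    "l2tp":        (1701, "udp"),
    "ipsec-nat-t": (4500, "udp"),
}


def tcp_probe(host, port, timeout=3.0):
    """Like `nc -z host port` or `telnet host port`: connect, then drop it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"    # RST came back: host reachable, nothing forwarded/listening
    except (socket.timeout, OSError):
        return "filtered"   # no answer: dropped by the gateway or a firewall


def tls_probe(host, port, timeout=3.0):
    """Like `openssl s_client -connect host:port`: complete a TLS handshake and
    return (protocol version, DER certificate bytes). Verification is disabled
    on purpose; the point is to see which certificate the port presents."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert(binary_form=True)


def audit(host, wanted, probe=tcp_probe):
    """Probe every known service and compare against the intended set.

    Returns (results, exposed, missing):
      results - service -> "open" | "refused" | "filtered" | "udp: not probed"
      exposed - open TCP services NOT in `wanted` (close these on the gateway)
      missing - wanted services that are not reachable (forward these)
    """
    results = {}
    for name, (port, proto) in SERVICES.items():
        results[name] = "udp: not probed" if proto == "udp" else probe(host, port)
    exposed = sorted(n for n, s in results.items() if s == "open" and n not in wanted)
    missing = sorted(n for n in wanted if results.get(n) != "open")
    return results, exposed, missing


def report(host, wanted, probe=tcp_probe):
    """Human-readable summary of audit()."""
    results, exposed, missing = audit(host, wanted, probe)
    lines = [f"{host}: {name:<12} {SERVICES[name][0]:>5}/{SERVICES[name][1]}  {status}"
             for name, status in results.items()]
    lines.append(f"exposed but not wanted: {exposed or 'none'}")
    lines.append(f"wanted but unreachable: {missing or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Usage (from off-LAN): python3 portaudit.py WWW.WW.WWW.WWW afp ldaps vnc
    print(report(sys.argv[1], set(sys.argv[2:])))
```

With the DMZ on, expect every listening service on the server to report "open"; after replacing the DMZ with forwards for only the wanted set, the "exposed" list should be empty. A "refused" on 389/636 with the forward in place means the gateway is passing traffic but the server's own firewall or Open Directory is not listening on that address.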

Similar Messages

  • RMI Server behind Router: How to set the right IP?

    Hi, I am having trouble with the Server of an RMI application, the set up is this:
    1. The server is not always running on the same host: it may be a computer with a publicly visible and unique IP, or it may be under a computer behind a router.
    2. The user that runs the server may not know how to get his IP in the router environment.
    3. The user that runs the server knows sh*t about rmiregistry or how to set a Property to the java interpreter (for example: -Djava.rmi.server.hostname=<host>).
    4. The Server code is this:
    import java.rmi.registry.LocateRegistry;
    import java.rmi.registry.Registry;
    import java.rmi.server.UnicastRemoteObject;

    /** Represents the Server to the Domination app (including the chat plugin). */
    public class Server {
         private static final int PORT_NUM = 1099;
         private static final String CHAT = "chat";
         private static final String DOMINATION_FACTORY = "Domination";

         /**
          * Sets the Chat and Application Servers.
          * @param args Never used.
          */
         public static void main(String[] args) {
              try {
                   // Create the registry in-process so the user never has to start rmiregistry.
                   Registry registry = LocateRegistry.createRegistry(PORT_NUM);
                   Chat chatObject = new ChatImpl();
                   // unexportObject only succeeds if ChatImpl already exported itself
                   // (e.g. by extending UnicastRemoteObject, on an anonymous port);
                   // re-export on PORT_NUM so registry and objects share one port.
                   UnicastRemoteObject.unexportObject(chatObject, true);
                   UnicastRemoteObject.exportObject(chatObject, PORT_NUM);
                   registry.rebind(CHAT, chatObject);
                   System.out.println("Chat ready...");
                   Fabrica fabricaObject = new FabricaImpl();
                   UnicastRemoteObject.unexportObject(fabricaObject, true);
                   UnicastRemoteObject.exportObject(fabricaObject, PORT_NUM);
                   registry.rebind(DOMINATION_FACTORY, fabricaObject);
                   System.out.println("Domination Factory ready...");
                   System.out.println("All systems up and running");
              } catch (Exception e) {
                   e.printStackTrace();
                   System.exit(1);
              }
         }
    }
    I wrote the code that way (and not using Naming.rebind("//" + host_name + "/Service", serviceObject)) so the server user won't need to run the rmiregistry (in fact, the Server is deployed via a jar file, so just a happy double-click on the jar will do the work)...
    OK, then the problem is this: the client always gets "connection refused" exceptions while the server is behind a router and not in the same network as the client.
    The IP that is shown in the exception is always the inner IP of the host (10.x.x.x or 192.168.x.x or whatever it may be). So it seems that the registry is always choosing that IP and not the router's.
    I need to know if there is a way to rewrite the Server code so the user just has to do the same 'double-click' to run the server and not mess around "investigating" the outer IP. I read some of the RMI specs and they suggest IP tunneling and some other techniques that I don't think are appropriate to the nature of this "roaming server" application.

    Thanks, but that still doesn't do the work. As I stated in the post, not every user will know how to set java.rmi.server.hostname or even look for an outer IP... I was asking for an "automagical" way to code my server class so it could do some job to do the guessing.
    Even though... I tried both ways at home with the help of a friend as the client, and it seemed to work. The client connected to the server but it was kicked out in less than 30 seconds. Being specific, every client, the ones inside and the ones outside my network. As if the only right way was to let the JVM set the IP (but again, in that way the server is invisible to the clients outside the network).

  • Problem with server behind router

    Hey there,
    I'm working on a small chatting application which performs pretty well when connecting to a server on the same local network, but not-so-well when it's connecting to a server behind a router that's not on the same network.
    Is there any way to get past this problem without using port forwarding? I'd try using that, if it weren't for the fact that the router in question didn't come with any software for configuring it.
    I've looked around for a fix to this problem for a while, but I still haven't managed to find anything. Any ideas?
    The chat program uses ObjectInput/Output streams to send data between the client and server.

    Without port forwarding on the router, your options are a bit limited. You'll probably need a central server to act as a go-between, or at least a rendez-vous point.
    But doesn't your router have an HTML interface? What make and type is it? A manual should be easy to find online, if you don't have a printed version.

  • Server behind router

    I want to set up my server to run a webserver with virtual hosting behind a router. I had set it up in the past with a static IP from AT&T to run my web services with an outside DNS sending all traffic to me and a local IP 192.168.1.26 to run my file services. I was told it is better to run everything behind a router but I don't know how to set it up.
    Can someone help with my initial setup?
    Thanks in advance.

    192.168
    You are probably already behind a router or switch at some point. No machine connected directly to the Internet should have an IP address starting with those numbers.

  • Need help setting up Mac server for dental practice?

    My dentist is running windows server 2003 and wants to do a total upgrade to Apple server components. The issue is that the software his office uses for patient records is not Mac compatible. He is really set on the Mac environment and is curious if he can run the software on a Mac running Windows and I guess my question is the same. I don't have the specifics on the software he needs to run but from what he says it is fairly low overhead and handles some large jpeg files but mostly small data files.
    I am curious how difficult the task of migrating all the info into the Mac environment will be. He is also curious about remote access from home or wherever he needs to get to his info, and I am curious if a VPN or other method is best.
    Thanks

    Ok, I am a sucker. I will bite.
    The answer is yes. OS X and OS X Server can run Windows in a virtual machine using Parallels or VMware (or VirtualBox, or CrossOver, or... you get my point). This will allow you to run Mac hardware with Mac software but at the same time run Windows and the required applications.
    But, there is a cost penalty here. First, there is the cost of the hardware. Not a big deal, Apple is competitive in price and the server hardware is very nice. Then there is the cost of Windows and the VM software. This is your tax. You have to add these costs on top of what you are already buying and then there is the hidden cost of the additional support. You are now supporting two operating systems, OS X and Windows. And just because Windows is running on a Mac does not make it immune to viruses/spyware/trojans/etc.
    If this guy really wants to go the Mac route, then go all Mac. Check out http://www.macpractice.com/mp/dds/ or http://www.macdentpro.com/index.php or do a search. There are a number of products that can handle dental practices on Macs, including the radiology aspect. Google is your friend.
    As for remote access, OS X Server has a VPN built in that works well. That is not a problem. Or you can get a dedicated VPN appliance to handle security. One bit of advice: make sure you implement a good backup solution. Don't be foolish and think that Time Machine alone is going to save you. These are medical records. Do not mess with them. Spend the dollars to properly harden the environment and ensure record retention policies are met.
    Hope this helps

  • HT5390 What port should i forward in the router if I'm to connect to the mac server behind NAT?

    I am trying to remote administrate a Mac Mini running Mac 10.8 server but couldn't figure out which port to use.
    Tried the following but it still wouldn't connect unless DMZ is opened.
    Remote Login (SSH) - 22
    Screen Sharing Service (VNC) - 5900
    Web Service - 80, 443
    VPN Service (L2TP) - 500, 1701, 4500
    VPN Service (PPTP) - 1723
    Any clue?

    When you say administer, do you mean something like control your parent's Mac remotely, or do you mean officially administer a classroom full of Macs? If a classroom full of Macs, then you are most likely talking about using the Apple Remote Desktop software, which you pay for.
    If, as I suspect, you just want to control your own or a family member's Mac remotely, then you do not need to pay for anything.
    If you need Screen Sharing, you open port 5900 (the VNC port)
    If you need File Sharing, you open port 548 (AFP)
    If you need access to the Unix command line, or you want to use the ssh 'scp' or 'sftp' file transfer commands, then you need to open port 22.
    Visit <http://PortForward.com>, they will provide port forwarding instructions for just about every home router out there.
    I would also suggest you get a free dynamic DNS name so you can address the remote Mac by a constant name instead of having to know the current IP address assigned to the home router, which the ISP can change anytime they want.  No-IP.com or DynDNS.org offer free dynamic DNS names.  You run one of their dynamic DNS updating clients on the remote Mac to keep the dynamic DNS name updated with the current ISP assigned IP address.
    Once you have the port forwarding working, you connect for screen sharing using
    Finder -> Go -> Connect to Server -> vnc://address.of.remote.mac
    and for file sharing
    Finder -> Go -> Connect to Server -> afp://address.of.remote.mac
    If you are going to use ssh, scp, or sftp, then from an Applications -> utilities -> Terminal session you would do something like:
    ssh [email protected]
    scp local.file [email protected]:/path/where/to/put/the/file
    scp [email protected]:/path/of/file/to/get   /local/place/to/put/the/file
    There are also sftp GUI clients you can use to make this part easier.
    If you really cannot get this working, then consider using something like TeamViewer.com which deals with all the messy home router NAT navigation.

  • Mac Mini Behind Router

    My current network setup is a modem from Time Warner with 2 separate ethernet ports. 1 port is assigned to our Linksys router which gives out DHCP addresses to the network. The Mac Mini is on a separate port of the modem and has a public static IP address. Is there any way to set up the Mini Server to have a local address as well as be visible publicly? I would like to be able to achieve network speed to the server as well as have access to it from the outside for hosting email and other services.
    Any help would be greatly appreciated.
    Thanks.

    Your gateway gets the static IP, and gets configured to port-forward specific traffic to a private static IP address on your server; get the LAN into a subnet in the 172.16.0.0/12 or 10.0.0.0/8 private blocks (to make VPNs easier; it's really ugly to have both ends of a VPN in 192.168.0.0/16 or 192.168.1.0/16 or one of the other common subnets).
    This presumes you don't have enough public static addresses to pass those out to all the hosts.
    Read up on "port forwarding" and read the documentation on whichever of the gazillion different Linksys boxes this is, and definitely look around for a server-grade gateway (firewall, NAT, VPN end-point, etc) from Linksys or from one of the other vendors (if this is one of the low-end Linksys boxes).
    [More reading|http://labs.hoffmanlabs.com/node/275].

  • Help needed with Mac Server set up

    Hi
    I have purchased a Mac mini server that I want to use as a replacement for my Windows Home Server, for basic backups and to run a website with possible remote access.
    At the initial configuration screen, if you manually configure your connection via ethernet, after putting in the desired internal IP, subnet, router and DNS, it should find my domain on the next page where the server would be named. This does not happen (this is where I need the help).
    I have a domain name,
    a fixed external IP with it pointing to my domain name,
    and a RDNS setup with my ISP
    Any help?
    you can email me directly : [email protected]
    many thanks

    If you're running NAT, well, you have some choices on how you might choose to [set up DNS services|http://labs.hoffmanlabs.com/node/1436]. Once you get that sorted, there's a link there to the set-up for the public-facing (outside your external firewall) network configuration, too.

  • Setting up FTP Server on Mac OS 10.4.4

    Hello.
    I am trying to set up my Mac so that I can use it as an FTP Server.
    I am connected via BT Business Broadband and I am using the following router:
    3COM Office Connect ADSL Wireless 11g Firewall Router (3CRWDR100A-72)
    I have been assigned a Static IP Address, which I am 99% certain that I have entered correctly into the router. If I go to www.whatismyip.com it shows my static IP correctly.
    What I cannot do is access my Mac via FTP from another computer.
    I think I need to set up port forwarding on the Router to the Mac, but I dont know where to do this.
    Then, once I have that set, How do I set the Mac up so I can connect via FTP.
    I hope this makes sense..
    I would be very grateful for any help / advice.
    Many thanks
    Glenn

    Hi
    Thanks for the reply - its very much appreciated.
    So I go into my router and forward on ports 20 and 21. I assume that the router will automatically forward to the Mac without entering any IP addresses (?)
    You mention that if I need read /write access I will need an FTP client.
    I host some websites which I need to back up to the mac. The backend system allows me to automatically back up to any computer with ftp access.
    So, I want to have the back ups sent to the Mac using ftp. (The back end will connect using ftp://user:password@serveraddress
    which will obviously need write access. Would this still work without an ftp client. (as I write this, I have the feeling it would be OK as the back end to the hosting will be using ftp protocols anyway))
    Any clarification would be great
    Many thanks again
    Glenn

  • Trying to set up iChat server for office with Macs, PCs and iPads on LAN

    Looking for advice on compatible clients and issues setting up iChat server in a small office environment to chat between Macs, PCs, and iPads on the LAN.

    Same situation before here...
    I would advise going around on the net, in search of applications to your taste.
    We successfully installed the jabber clients for Windows: Adium and SafetyJabber
    For the pads we use IM Pro
    Works all together.
    Suc6
    Martyin

  • How to set a static IP address on a Mac server?

    I am setting up a new Mac server as a mail server and have received the MX record and IP address from the ISP and DNS providers. Now I am trying to set up the server to be seen on the outside, or even on the network. Is this all done in the Network configuration by manually setting the IP and subnet mask there? I have set it all up to what I think they should be but am not having any luck. When I installed the server software I told it to be a standalone server; was that wrong? I will not be running DNS or any other services on this system, only Mail.
    thanks

    You should enter the IP address/netmask, etc. during the first-time-boot setup. Changing it later can be a PITA, but it sounds like you did that.
    Setting 'standalone' shouldn't be an issue since that only relates to directory services.
    It sounds like the problem is a more basic connectivity issue.
    Have you verified that you have basic IP address connectivity? Can you ping the router address provided by your ISP? Can you ping remote sites outside your network? If that's not working you're not going to get much further.

  • How can I set up Mavericks Server on a Test Mac without affecting the production server

    I have Mountain Lion server running on an Xserve as our main server; it has developed a few issues, particularly related to Profile Manager and Certificates.
    So I was going to use the move to Mavericks as an opportunity to have a fresh start.
    So I want to set up Mavericks Server on a Mac mini temporarily to test it and configure all the services before moving it to the Xserve as the main server.
    My question is what is the best way to do this. Obviously I can't use the same IP or hostname as the main server if it is connected to the network, and some services can't be set up without a network connection.
    So do I give it a new IP and hostname for now and then change it later on? My concern is that changing the hostname might cause issues down the line.
    So what is the best way to set up a fresh server in preparation as a drop-in replacement for the current server?

    Ok I got the test server set up fine and cloned it over to a spare partition on the Xserve.
    But when I booted into the new partition several things broke.
    1st the IP address changed itself despite the fact it is set to Manual, The Alert section of Server.app let me repair this.
    Profile Manager no longer worked, the web page just said Profile manager could not be found, was working fine on the test mac
    Tried deleting the OD master and resetting Profile Manager but it still didn't work.
    DNS needed repairing and restarting
    I decided at that point to abandon it and go back to the test mac where everything is still working.
    Any tips for overcoming these issues.
    I have thought maybe it would be best to turn off all server services before making the clone and then turn them on one at a time once it has been restored to the new partition on the xserve
    Also if the certificates that are created when making an OD master were made on the mac mini does that cause a problem when it has been restored to a different machine, should I leave OD off and just set it up when it is in its final place?

  • How to set ACLs on Remote MAC server Volumes..

    Hi,
    I have Mac OS X Server v10.5 Leopard. Initially I enabled the ACLs using fsaclctl on the Mac server volume. When this volume gets mounted (through AFP) on some other Mac client (Mac OS X 10.4 Tiger), the ACL status is shown as disabled, and it is not allowing me to set the ACLs on the remote volume from the client side.
    I have used the following command to enable ACLs from the client:
    sudo fsaclctl -p /Volumes/<server Volume> -e
    This failed as "not supported".
    Does anyone know how to set the ACLs on the remote Mac server volumes? Basically I want to see ACLs working on remote Mac server volumes.

    Hi
    +". . . remote MAC server volumes . . ."+
    Are you saying you are trying to enable ACLs on volumes shared by another OS X Server when those volumes are mounted on the server in question?
    Or are you saying you can't see ACLs on mounted volumes when issuing ls -lae, for example?
    You might want to read:
    http://discussions.apple.com/thread.jspa?messageID=648307&#648307
    http://discussions.apple.com/thread.jspa?messageID=1535247
    and
    http://discussions.apple.com/message.jspa?messageID=8456140#8456140
    http://discussions.apple.com/message.jspa?messageID=8340573#8340573
    http://discussions.apple.com/message.jspa?messageID=7777878#7777878
    Tony

  • I am set up mac mini and when I test the mail server by sending a mail from administrator to administrator I get the error message 'Diagnostic-Code: X-Postfix; connect to 127.0.0.1[127.0.0.1]:10024: Connection    refused'. Can any one suggest a solution

    I set up mac mini and when I test the mail server by sending a mail from administrator to administrator I get the error message 'Diagnostic-Code: X-Postfix; connect to 127.0.0.1[127.0.0.1]:10024: Connection    refused'. Can any one suggest a solution

    Thanks. Where could I possibly look for a firewall rule? I knowingly did not create any. My system has internet coming to a modem which is then connected to a wireless router. I have computers connecting to the router through cable as well as wireless. One of these computers has been our mail server using Mercury and Pegasus, and that computer has a static IP address. The Mac Mini has also been assigned a different static IP address. I have only set up user accounts, none of them an email account, as I initially expect them to receive only internal mails. Is it necessary that I set up an email ID for each user while setting up the user account? My server ID is server.local. So would the email ID for local users be [email protected]?

  • How do I archive my 30,000 emails off the mac server so when set up new ...

    computer I still have/keep them in case I need them on my computer?
    Thanks!

    It is not clear what you mean by "mac server"? If you have a MobileMe or any other IMAP type account, the messages are on the server, and will be seen by any other computer that sets up the account. Nothing requires archiving. If, however, you have POP accounts, or On My Mac mailboxes, then other steps are needed.
    More info, please.
    Ernie
