034-2351_Cvr 9/12/03 10:26 AM Page 1 Mac OS X Server Network Services Administration For Version 10.
LL2351.Book Page 2 Monday, September 8, 2003 2:47 PM Apple Computer, Inc. © 2003 Apple Computer, Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid for support services.
Preface: How to Use This Guide

What’s Included in This Guide
This guide consists primarily of chapters that tell you how to administer various Mac OS X Server network services:
• DHCP
• DNS
• IP Firewall
• NAT
• VPN
• NTP
• IPv6 Support

Using This Guide
Each chapter covers a specific network service. Read any chapter that’s about a service you plan to provide to your users.
Setting Up Mac OS X Server for the First Time
If you haven’t installed and set up Mac OS X Server, do so now.
• Refer to Mac OS X Server Getting Started for Version 10.3 or Later, the document that came with your software, for instructions on server installation and setup. For many environments, this document provides all the information you need to get your server up, running, and available for initial use.
1 DHCP Service
Dynamic Host Configuration Protocol (DHCP) service lets you administer and distribute IP addresses to client computers from your server. When you configure the DHCP server, you assign a block of IP addresses that can be made available to clients. Each time a client computer configured to use DHCP starts up, it looks for a DHCP server on your network. If a DHCP server is found, the client computer then requests an IP address.
Creating Subnets
Subnets are groupings of computers on the same network that simplify administration. You can organize subnets any way that is useful to you. For example, you can create subnets for different groups within your organization or for different floors of a building.
Interacting With Other DHCP Servers
You may already have other DHCP servers on your network, such as AirPort Base Stations. Mac OS X Server can coexist with other DHCP servers as long as each DHCP server uses a unique pool of IP addresses. However, you may want your DHCP server to provide an LDAP server address for client auto-configuration in managed environments. AirPort Base Stations can’t provide an LDAP server address.
Step 2: Set up logs for DHCP service
You can log DHCP activity and errors to help you monitor requests and identify problems with your server. DHCP service records diagnostic messages in the system log file. To keep this file from growing too large, you can suppress most messages by changing your log settings in the Logging pane of the DHCP service settings.
7 Enter a starting and ending IP address for this subnet range. Addresses must be contiguous, and they can’t overlap with other subnets’ ranges.
8 Enter the subnet mask for the network address range.
9 Choose the Network Interface from the pop-up menu.
10 Enter the IP address of the router for this subnet. If the server you’re configuring now is the router for the subnet, enter this server’s internal LAN IP address as the router’s address.
Deleting Subnets From DHCP Service
You can delete subnets and subnet IP address ranges when they will no longer be distributed to clients.
To delete subnets or address ranges:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Settings.
3 Select a subnet.
4 Click Delete.
5 Click Save to confirm the deletion.
Setting LDAP Options for a Subnet
You can use DHCP to provide your clients with LDAP server information rather than manually configuring each client’s LDAP information. The order in which the LDAP servers appear in the list determines their search order in the automatic Open Directory search policy. If you are using this Mac OS X Server as an LDAP master, the LDAP options will be pre-populated with the necessary configuration information.
To set WINS options for a subnet:
1 In Server Admin, choose DHCP from the Computers & Services list.
2 Click Settings.
3 Select the Subnets tab.
4 Select a subnet and click Edit.
5 Click the WINS tab.
6 Enter the domain name or IP address of the WINS/NBNS primary and secondary servers for this subnet.
7 Enter the domain name or IP address of the NBDD server for this subnet.
8 Choose the NBT node type from the pop-up menu.
9 Enter the NetBIOS Scope ID.
Setting the Log Detail Level for DHCP Service
You can choose the level of detail you want to log for DHCP service.
• “Low (errors only)” will indicate conditions for which you need to take immediate action (for example, if the DHCP server can’t start up). This level corresponds to bootpd reporting in “quiet” mode, with the “-q” flag.
Where to Find More Information
Request for Comments (RFC) documents provide an overview of a protocol or service and details about how the protocol should behave. If you’re a novice server administrator, you’ll probably find some of the background information in an RFC helpful. If you’re an experienced server administrator, you can find all the technical details about a protocol in its RFC document. You can search for RFC documents by number at www.
2 DNS Service
When your clients want to connect to a network resource such as a web or file server, they typically request it by its domain name (such as www.example.com) rather than by its IP address (such as 192.168.12.12). The Domain Name System (DNS) is a distributed database that maps IP addresses to domain names so your clients can find the resources by name rather than by numerical address.
Before You Set Up DNS Service
This section contains information you should consider before setting up DNS on your network. The issues involved with DNS administration are complex and numerous. You should only set up DNS service on your network if you’re an experienced DNS administrator. You should consider creating a mail account called “hostmaster” that receives mail and delivers it to the person who runs the DNS server at your site.
Once you register a domain name, you can create subdomains within it as long as you set up a DNS server on your network to keep track of the subdomain names and IP addresses. For example, if you register the domain name “example.com,” you could create subdomains such as “host1.example.com,” “mail.example.com,” or “www.example.com.” A server in a subdomain could be named “primary.www.example.com,” or “backup.www.example.com.” The DNS server for example.
The configuration file is located in this file: /etc/named.conf
The zone file name is based on the name of the zone. For example, the zone file “example.com” is located in this file: /var/named/example.com.zone
See “Configuring BIND Using the Command Line” on page 37 for more information.
Step 3: Configure basic DNS settings
See “Managing DNS Service” on page 21 for more information.
Step 4: Create a DNS Zone
Use Server Admin to set up DNS zones.
Managing DNS Service
Mac OS X Server provides a simple interface for starting and stopping DNS service as well as viewing logs and status. Basic DNS settings can be configured with Server Admin. More advanced features require configuring BIND from the command line, and are not covered here.
Starting and Stopping DNS Service
Use this procedure to start or stop DNS service.
To enable or disable recursion:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click Settings.
3 Select the General tab.
4 Select or deselect Allow Recursion as needed.
If you choose to enable recursion, consider disabling it for external IP addresses, but enabling it for LAN IP addresses, by editing BIND’s named.conf file. See BIND’s documentation for more information.
To add a master zone:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click Settings.
3 Select the Zones tab.
4 Click Add beneath the Zones list.
5 Enter a zone name. The zone name must have a trailing period: “example.com.”
6 Choose Master from the Zone Type pop-up menu.
7 Enter the hostname of the domain’s SOA.
Adding a Forward Zone
A forward zone directs all lookup requests to other DNS servers.
To add a forward zone:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click Settings.
3 Select the Zones tab.
4 Click Add beneath the Zones list.
5 Enter a zone name. The zone name must have a trailing period: “example.com.”
6 Choose the Forward zone type from the Zone Type pop-up menu.
7 Click OK.
Modifying a Zone
This section describes modifying a zone’s type and settings but not modifying the records within a zone. You may need to change a zone’s administrator address, type, or domain name.
To modify a zone:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click Settings.
3 Select the Zones tab.
4 Click the Edit button beneath the Zones list.
5 Change the zone name, type, or administrator email address as needed.
• Name Server (NS): Stores the authoritative name server for a given zone.
• Pointer (PTR): Stores the domain name of a given IP address (reverse lookup).
• Text (TXT): Stores a text string as a response to a DNS query.
If you need access to other kinds of records, you’ll need to edit BIND’s configuration files manually. Please see BIND’s documentation for details.
Adding a Record to a Zone
You need to add records for each domain name (example.
Modifying a Record in a Zone
If you make frequent changes to the namespace for the domain, you’ll need to update the DNS records as often as that namespace changes. Upgrading hardware or adding to a domain name might require updating the DNS records as well.
To modify a record:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click Settings.
3 Select the Zones tab.
4 Select the Zone in which this record will be modified.
Monitoring DNS
You may want to monitor DNS status to troubleshoot name resolution problems, check how often the DNS service is used, or even check for unauthorized or malicious DNS service use. This section discusses common monitoring tasks for DNS service.
Viewing DNS Service Status
You can check the DNS Status window to see:
• Whether the service is running.
• The version of BIND (the underlying software for DNS) that is running.
To change the log detail level:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click Settings.
3 Select the Logging tab.
4 Choose the detail level from the Log Level pop-up menu.
The possible log levels are:
• Critical (less detailed)
• Error
• Warning
• Notice
• Information
• Debug (most detailed)
Changing DNS Log File Location
You can change the location of the DNS service log.
To see DNS usage statistics:
1 In Server Admin, choose DNS in the Computer & Services list.
2 Click Activity to view operations currently in progress and usage statistics.
Securing the DNS Server
DNS servers, like other legitimate Internet servers, are targeted by malicious computer users (commonly called “hackers”). There are several kinds of attacks that DNS servers are susceptible to.
With a copy of your master zone, the hacker can see what kinds of services a domain offers, and the IP address of the servers that offer them. He or she can then try specific attacks based on those services. This is reconnaissance before another attack. To defend against this attack, you need to specify which IP addresses are allowed to request zone transfers (your slave zone servers) and disallow all others.
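The two named.conf settings this chapter leaves to BIND’s documentation, restricting zone transfers to your slave servers and allowing recursion only from LAN addresses, can be written together. The script below is an added example, not Apple’s configuration and not part of this guide: the slave and LAN addresses, the example.com zone, and the check function are all assumptions.

```shell
#!/bin/sh
# Added example, not from Apple's guide: generate a BIND 9 named.conf fragment
# that limits zone transfers to the slave servers and recursion to the LAN.
# The addresses below are constructed placeholders; substitute your own.
SLAVES="192.168.12.13; 192.168.12.14;"   # constructed: your slave name servers
LAN="192.168.12.0/24;"                   # constructed: your internal subnet

write_named_acls() {
  # $1 = path to write.
  cat > "$1" <<EOF
// Named address lists reused by the statements below.
acl "slaves" { $SLAVES };
acl "lan"    { $LAN localhost; };

options {
    directory "/var/named";
    // Only the slaves may pull a copy of any zone (AXFR/IXFR).
    allow-transfer { slaves; };
    // Recursive lookups are answered for the LAN and refused to everyone else.
    allow-recursion { lan; };
};

zone "example.com." {
    type master;
    file "example.com.zone";
    // Per-zone statement; it overrides the global default if the two differ.
    allow-transfer { slaves; };
};
EOF
}

# Returns 0 when every allow-transfer in the file names the slaves ACL only,
# 1 if one is missing or opens transfers to "any".
check_transfer_restricted() {
  grep -q 'allow-transfer *{ *slaves; *};' "$1" || return 1
  grep 'allow-transfer' "$1" | grep -q 'any' && return 1
  return 0
}

if [ "${1:-}" = "demo" ]; then
  write_named_acls /tmp/named-acl.conf
  check_transfer_restricted /tmp/named-acl.conf && echo "transfers restricted to slaves"
fi
```

Run it with the `demo` argument to write the fragment to /tmp, then validate the syntax with `named-checkconf` (installed with BIND 9) before including it from /etc/named.conf. The check function is a plain text search, so it catches an `allow-transfer { any; }` left in by mistake but does not replace reviewing the full file.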
It is difficult to prevent this type of attack before it begins. Constant monitoring of the DNS service and server load allows an administrator to catch the attack early and mitigate its damaging effect. The easiest way to guard against this attack is to block the offending IP address with your firewall. See “Creating an Advanced IP Filter for TCP ports” on page 51.
Common Network Administration Tasks That Use DNS Service
The following sections illustrate some common network administration tasks that require DNS service.
Setting Up MX Records
If you plan to provide mail service on your network, you must set up DNS so that incoming mail is sent to the appropriate mail host on your network. When you set up mail service, you define a series of hosts, known as mail exchangers or MX hosts, with different priorities.
Configuring DNS for Mail Service
Configuring DNS for mail service means enabling Mail Exchange (MX) records on your own DNS server. If you have an Internet Service Provider (ISP) that provides you with DNS service, you’ll need to contact the ISP so that they can enable your MX records. Only follow these steps if you provide your own DNS Service.
To enable MX records:
1 In Server Admin, choose DNS in the Computers & Services list.
2 Click Settings.
Step 2: Create records and priorities for the auxiliary mail servers
These instructions assume you have edited the original MX record. If not, please do so before proceeding. These instructions also assume you have already set up and configured one or more auxiliary mail servers.
To enable backup or redundant mail servers:
1 In Server Admin, select DNS in the Computers & Services pane.
2 Click Settings.
3 Select the Zones tab.
Mac OS X’s Rendezvous feature allows you to use hostnames on your local subnet that end with the “.local” suffix without having to enable DNS. Any service or device that supports Rendezvous allows the use of a user-defined namespace on your local subnet without setting up and configuring DNS.
Network Load Distribution (aka Round Robin)
BIND allows for simple load distribution using an address-shuffling method called round robin.
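The MX priorities from the mail sections above and the round-robin shuffling just described both live in the zone file. The script below is an added example and not Apple’s sample file: it writes a zone for example.com with a primary and a backup MX host and three A records for www, and the two helper functions (mine, not BIND’s) read back the MX order and the A-record count. All host names, addresses and the serial number are constructed.

```shell
#!/bin/sh
# Added example, not from Apple's guide: write a BIND zone file for example.com
# that carries two MX records with different priorities (primary 10, backup 20)
# and three A records for "www", which BIND hands out in rotating order (round robin).
# All names, addresses and the serial number are constructed.
write_zone() {
  cat > "$1" <<'EOF'
$TTL 86400
@       IN SOA  ns.example.com. hostmaster.example.com. (
                2003090801 ; serial, bump on every edit
                10800      ; refresh
                3600       ; retry
                604800     ; expire
                86400 )    ; minimum
        IN NS   ns.example.com.
        IN MX   10 mail.example.com.      ; lowest number is tried first
        IN MX   20 backup.example.com.    ; used when mail.example.com is down
ns      IN A    192.168.12.2
mail    IN A    192.168.12.10
backup  IN A    192.168.12.11
www     IN A    192.168.12.20             ; three A records: round robin
www     IN A    192.168.12.21
www     IN A    192.168.12.22
EOF
}

# Print the MX hosts in the order a sending mail server will try them
# (ascending preference value), space separated.
mx_in_order() {
  awk '{ for (i = 1; i < NF; i++) if ($i == "MX") print $(i+1), $(i+2) }' "$1" \
    | sort -n | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $2 } END { print "" }'
}

# How many A records a label has; more than one means BIND rotates the answers.
a_record_count() {
  awk -v label="$2" '$1 == label && $3 == "A"' "$1" | wc -l | tr -d ' '
}
```

After writing the file to /var/named, `named-checkzone example.com /var/named/example.com.zone` (part of BIND 9) confirms it loads; remember to increase the serial whenever you edit it so that slave servers pick up the change.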
Important: If you think you might want to connect to the Internet in the future, you should register with an Internet registry and use the IP addresses provided by the registry when setting up your private network. Otherwise, when you do connect to the Internet, you’ll need to reconfigure every computer on your network. If you set up a private TCP/IP network, you can also provide DNS service.
BIND is configured by editing text files containing information about how you want BIND to behave and information about the servers on your network. If you wish to learn more about DNS and BIND, resources are listed at the end of this chapter.
BIND on Mac OS X Server
Mac OS X Server uses BIND version 9.2.2. You can start and stop DNS service on Mac OS X Server using the Server Admin application.
Setting Up Sample Configuration Files
The sample files can be found in /usr/share/named/examples. The sample files assume a domain name of example.com behind the NAT. This may be changed, but must be changed in all modified configuration files. This includes renaming /var/named/example.com.zone to the given domain name, for example, /var/named/foo.org.zone
To set up the sample files:
1 In Terminal, log in as root.
If you are using Mac OS X Server as your DHCP Server:
1 In Server Settings, click the Network tab, click DHCP/NetBoot, and choose Configure DHCP/NetBoot.
2 On the Subnet tab, select the subnet on the built-in Ethernet port and click Edit.
3 In the General tab, enter the following information:
Start: 10.0.1.3
End: 10.0.1.254
Subnet Mask: 255.255.255.0
Router: 10.0.1.1
4 Click the DNS tab and enter the following information:
Default Domain: example.
For instance, if “Bob” walks into work in the morning and starts up his computer, and the DHCP server assigns his computer a dynamic IP address, a DNS entry “bob.example.com” can be associated with that IP address. Even though Bob’s IP address may change every time he starts up his computer, his DNS name remains the same. This lets users communicate with Bob’s computer without knowing the IP address.
3 IP Firewall Service
Firewall service is software that protects the network applications running on your Mac OS X Server. Turning on firewall service is similar to erecting a wall to limit access. Firewall service scans incoming IP packets and rejects or accepts these packets based on the set of filters you create.
Services such as Web and FTP are identified on your server by a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number. When a computer tries to connect to a service, firewall service scans the filter list for a matching port number.
• If the port number is in the filter list, the filter applied is the one that contains the most specific address range.
Understanding Firewall Filters
When you start firewall service, the default configuration denies access to all incoming packets from remote computers except ports for remote configuration. This provides a high level of security. You can then add new IP filters to allow server access to those clients who require access to services. To learn how IP filters work, read the following section.
Addresses with subnet masks in CIDR notation correspond to address notation subnet masks.
CIDR   Corresponds to Netmask   Number of addresses in the range
/1     128.0.0.0                4.29x10^9
/2     192.0.0.0                2.14x10^9
/3     224.0.0.0                1.07x10^9
/4     240.0.0.0                5.36x10^8
/5     248.0.0.0                1.34x10^8
/6     252.0.0.0                6.71x10^7
/7     254.0.0.0                3.35x10^7
/8     255.0.0.0                1.67x10^7
/9     255.128.0.0              8.38x10^6
/10    255.192.0.0              4.19x10^6
/11    255.224.0.0              2.09x10^6
/12    255.240.0.
Using Address Ranges
When you create filters using Server Admin, you enter an IP address and the CIDR format subnet mask. Server Admin shows you the resulting address range, and you can change the range by modifying the subnet mask. When you indicate a range of possible values for any segment of an address, that segment is called a wildcard. The following table gives examples of address ranges created to achieve specific goals.
Setting Up Firewall Service for the First Time
Once you’ve decided which filters you need to create, follow these overview steps to set up firewall service. If you need more help to perform any of these steps, see “Managing Firewall Service” on page 49 and the other topics referred to in the steps.
Step 1: Learn and plan
If you’re new to working with IP Firewall, learn and understand firewall concepts, tools, and features of Mac OS X Server and BIND.
Step 5: Save firewall service changes
Once you have configured your filters and determined which services to allow, save your changes so the new settings take effect.
Important: If you add or change a filter after starting firewall service, the new filter will affect connections already established with the server.
• DNS/Rendezvous
• ICMP Echo Reply (incoming pings)
• IGMP (Internet Gateway Multicast Protocol)
• PPTP VPN
• L2TP VPN
• QTSS media streaming
• iTunes Music Sharing
Important: If you add or change a filter after starting firewall service, the new filter will affect connections already established with the server.
Editing or Deleting an Address Group
You can edit your address groups to change the range of IP addresses affected. The default address group is for all addresses. You can remove address groups from your firewall filter list. The filters associated with those addresses are also deleted. Addresses can be listed as individual addresses (192.168.2.2) or IP address and CIDR format netmask (192.168.2.0/24).
To create an IP filter for TCP ports:
1 In Server Admin, choose Firewall from the Computers & Services list.
2 Click Settings.
3 Select the Advanced tab.
4 Click the New button. Alternatively, you can select a rule similar to the one you want to create, and click Duplicate then Edit.
5 Select whether this filter will allow or deny access in the Action pop-up menu.
6 Choose TCP from the Protocol pop-up menu.
7 Choose a TCP service from the pop-up menu.
• Remote Desktop
• NFS
• NetInfo
UDP ports above 1023 are allocated dynamically by certain services, so their exact port numbers may not be determined in advance. Addresses can be listed as individual addresses (192.168.2.2) or IP address and CIDR netmask (192.168.2.0/24). To easily configure UDP access for these ports, see “Opening the Firewall for Standard Services” on page 49.
Editing Advanced IP Filters
If you edit a filter after turning on firewall service, your changes affect connections already established with the server. For example, if any computers are connected to your Web server, and you change the filter to deny all access to the server, connected computers will be disconnected.
To edit advanced IP filters:
1 In Server Admin, choose Firewall from the Computers & Services list.
2 Click Settings.
Monitoring Firewall Service
Firewalls are a network’s first line of defense against malicious computer users (commonly called “hackers”). To maintain the security of your computers and users, you need to monitor firewall activity and deter potential threats. This section explains how to log and monitor your firewall.
Viewing the Firewall Status Overview
The Status Overview shows a simple summary of the firewall service.
Log Example 1
Dec 12 13:08:16 ballch5 mach_kernel: ipfw: 65000 Unreach TCP 10.221.41.33:2190 192.168.12.12:80 in via en0
This entry shows that firewall service used rule 65000 to deny (unreach) the remote client at 10.221.41.33:2190 from accessing server 192.168.12.12 on Web port 80 via Ethernet port 0.
Log Example 2
Dec 12 13:20:15 mayalu6 mach_kernel: ipfw: 100 Accept TCP 10.221.41.33:721 192.168.12.
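Reading these entries one at a time is fine for a single incident; for routine monitoring it helps to summarise who is being refused and on how many ports. The script below is an added example, not part of Apple’s guide: it parses lines in the format of Log Example 1 and reports refused connections per source address. Only the first sample line is from the guide; the others are constructed to match its format.

```shell
#!/bin/sh
# Added example, not from Apple's guide: summarise refused connections in the ipfw log.
# The lines below are constructed to follow the format shown in Log Example 1
# (rule number, action, protocol, source:port, destination:port, direction, interface);
# only the first one is taken from the guide.
SAMPLE_LOG='Dec 12 13:08:16 ballch5 mach_kernel: ipfw: 65000 Unreach TCP 10.221.41.33:2190 192.168.12.12:80 in via en0
Dec 12 13:08:17 ballch5 mach_kernel: ipfw: 65000 Unreach TCP 10.221.41.33:2191 192.168.12.12:22 in via en0
Dec 12 13:08:19 ballch5 mach_kernel: ipfw: 65000 Unreach TCP 10.221.41.33:2192 192.168.12.12:23 in via en0
Dec 12 13:20:15 ballch5 mach_kernel: ipfw: 100 Accept TCP 192.168.12.7:721 192.168.12.12:80 in via en0
Dec 12 13:21:02 ballch5 mach_kernel: ipfw: 65000 Unreach UDP 172.16.5.9:514 192.168.12.12:53 in via en0'

# Reads ipfw log lines on stdin and prints, for every source that was refused:
#   source rule proto refused_count distinct_destination_ports
# busiest source first. Anything that is not "Accept" (Deny, Unreach, Reset) counts.
denied_by_source() {
  awk '$6 == "ipfw:" && $8 != "Accept" {
         split($10, src, ":"); split($11, dst, ":")
         key = src[1] " " $7 " " $9
         n[key]++
         if (!((key, dst[2]) in seen)) { seen[key, dst[2]] = 1; ports[key]++ }
       }
       END { for (k in n) print k, n[k], ports[k] }' | sort -k4,4nr -k1,1
}

# Distinct destination ports one source was refused on (log on stdin). A single
# address touching several ports within seconds is the pattern worth a closer look.
ports_probed_by() {
  denied_by_source | awk -v s="$1" '$1 == s { print $5; exit }'
}

if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | denied_by_source
fi
```

On the server itself the same functions read the live log, for example `grep 'ipfw:' /var/log/system.log | denied_by_source`; a source that shows up with a high count and many distinct ports is a candidate for the address-group block described in the Practical Examples.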
Practical Examples
The IP filters you create work together to provide security for your network. The examples that follow show how to use filters to achieve some specific goals.
Block Access to Internet Users
This section shows you, as an example, how to allow users on your subnet access to your server’s Web service, but deny access to the general public on the Internet:
To do this:
1 In Server Admin, choose Firewall from the Computers & Services list.
To do this:
1 In Server Admin, choose Firewall from the Computers & Services list.
2 Click Settings.
3 Select the General tab.
4 Select the Any address group.
5 Enable “SMTP Mail” in the right pane.
6 Click the Add button to create an address range.
7 Name the address group.
8 Enter 17.128.100.0 as the address range to indicate the junk mail sender’s address.
9 Click OK.
10 Select your newly created address group.
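The two practical examples above, together with the CIDR table and the “Using Address Ranges” section earlier in this chapter, can be worked through in one script. It is an added example (mine, not Apple’s, and not the guide’s own code): `cidr_range` expands an address/CIDR pair into the netmask and range Server Admin would display, `practical_rules` states both examples as ipfw rules of the kind that go in ipfw.conf, and `first_match` walks those rules the way ipfw does to show which rule a given packet hits. The rule numbers and the /24 netmask on the junk-mail sender are assumptions; the guide gives only the address 17.128.100.0.

```shell
#!/bin/sh
# Added example, not from Apple's guide. Two pieces from this chapter in one script:
#  - cidr_range: what Server Admin shows when you enter "address/CIDR mask" in a filter;
#  - the two Practical Examples as ipfw rules, with a first-match walk over them.
# Rule numbers and the /24 on 17.128.100.0 are assumptions. Arithmetic needs a 64-bit shell.

ip_to_int() {                      # dotted quad -> integer
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int_to_ip() {                      # integer -> dotted quad
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
prefix_to_mask() {                 # /n -> mask as integer (/0 special-cased: a 32-bit shift is undefined)
  [ "$1" -eq 0 ] && echo 0 || echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}
cidr_range() {                     # "a.b.c.d/n" -> "netmask first last count"
  addr=${1%/*}; prefix=${1#*/}
  case "$prefix" in ''|*[!0-9]*) return 1;; esac
  [ "$prefix" -le 32 ] || return 1
  m=$(prefix_to_mask "$prefix")
  first=$(( $(ip_to_int "$addr") & m ))
  last=$(( first | (4294967295 & ~m) ))
  echo "$(int_to_ip "$m") $(int_to_ip "$first") $(int_to_ip "$last") $(( 1 << (32 - prefix) ))"
}
cidr_contains() {                  # cidr_contains NET/n ADDR -> 0 when ADDR is inside NET
  case "$1" in any) return 0;; */*) ;; *) set -- "$1/32" "$2";; esac
  m=$(prefix_to_mask "${1#*/}")
  [ $(( $(ip_to_int "${1%/*}") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# Rules as "number action proto source dst-port". ipfw evaluates in ascending number
# order and stops at the first match, so the narrow LAN allow must precede the broad
# deny, and the junk-mail deny must precede the allow that admits everyone else.
practical_rules() {
  cat <<'EOF'
1000 allow tcp 192.168.2.0/24 80
1010 deny  tcp any 80
2000 deny  tcp 17.128.100.0/24 25
2010 allow tcp any 25
EOF
}

# Same rules as ipfw commands, one per line; pipe the output to sh (as root) to load them.
ipfw_commands() {
  practical_rules | while read -r num act proto src port; do
    echo "ipfw add $num $act $proto from $src to any $port in"
  done
}

# first_match SRC_ADDR DST_PORT -> "number action" of the first rule that matches, or
# "none" when the packet falls through to the rules that follow (Log Example 1 above
# shows such a fall-through being refused by rule 65000).
first_match() {
  hit=$(practical_rules | while read -r num act proto src port; do
          if [ "$port" = "$2" ] && cidr_contains "$src" "$1"; then echo "$num $act"; break; fi
        done)
  echo "${hit:-none}"
}
```

`first_match 192.168.2.77 80` answers `1000 allow` while `first_match 203.0.113.5 80` answers `1010 deny`, which is exactly the ordering the Server Admin steps produce; swap the two rule numbers and every LAN client would be denied too. The address count is 2^(32−n), so a /24 entered in a filter covers 256 addresses.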
Common Network Administration Tasks That Use Firewall Service
Your firewall is the first line of defense against unauthorized network intruders, malicious users, and network virus attacks. There are many ways that such attacks can harm your data or use your network resources. This section lists a few of the common uses of firewall service in network administration.
Controlling or Enabling Network Game Usage
Sometimes network administrators need to control the use of network games. The games might use network bandwidth and resources inappropriately or disproportionately. You can cut off network gaming by blocking all traffic incoming and outgoing on the port number used by the game. You’ll have to determine the port used for each network game in question.
If you want to put your own rules in the ipfw.conf file, you can use a template that is installed at /etc/ipfilter/ipfw.conf.default. Duplicate the file, rename it, and edit it as indicated in the template’s comments.
Precautions
By using the Advanced panel or creating your own rules, you can put the server in a state that is completely cut off from network access. This might require a reboot in single-user mode to restore network access.
Rule number   Used by firewall module for
63300         Denying access for igmp. Created when Deny IGMP is selected in the Advanced pane of the Configure Firewall window.
63400         Allowing any TCP or UDP packet to access port 111 (needed by NetInfo). Created when a shared NetInfo domain is found on the server.
63500         Allowing user-specified TCP and UDP packets to access ports needed for NetInfo shared domains.
Deleting IP Filter Rules
To delete a rule, use the ipfw delete command. This example deletes rule 200:
ipfw delete 200
For more information, consult the man pages for ipfw.
Port Reference
The following tables show the TCP and UDP port numbers commonly used by Mac OS X computers and Mac OS X Servers. These ports can be used when you’re setting up your IP filters. See the website www.faqs.org/rfcs to view the RFCs referenced in the tables.
Where to Find More Information
For more information about ipfw: You can find more information about ipfw, the process which controls IP firewall service, by accessing its man page. It explains how to access its features and implement them.
4 NAT Service
Network Address Translation (NAT) is sometimes referred to as IP masquerading, or IP aliasing. NAT is used to allow multiple computers access to the Internet with only one assigned IP address. NAT allows you to create a private network which accesses the Internet through a NAT router or gateway. The NAT router takes all the traffic from your private network and remembers which internal address made the request.
Configuring NAT Service
You use Server Admin to indicate which network interface is connected to the Internet or other external network.
To configure NAT service:
1 In Server Admin, select NAT from the Computers & Services pane.
2 Click Settings.
3 Choose the network interface from the “Share your connection from:” pop-up menu. This interface should be the one that connects to the Internet or external network.
4 Click Save.
To view the NAT divert log:
1 In the Terminal application enter:
ipfw add 10 divert natd all from any to any via interface
Where interface is the network interface selected in the NAT section of Server Admin.
2 In Server Admin, choose Firewall from the Computers & Services list.
3 Click Settings.
4 Select the Advanced tab.
5 Select the rule that was just created.
6 Click the Edit button.
7 Choose to log packets that match the filter.
8 Click OK.
5 VPN Service
Virtual Private Network (VPN) is two or more computers or networks (nodes) connected by a private link of encrypted data. This link simulates a local connection, as if the remote computer were attached to the local area network (LAN). VPNs allow users at home or otherwise away from the LAN to securely connect to it using any network connection, such as the Internet.
VPN and Security
VPNs stress security by strong authentication of identity, and encrypted data transport between the nodes, for data privacy and inalterability. The following section contains information about each supported transport and authentication method.
Authentication Method
Mac OS X Server VPN uses Microsoft’s Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) for authentication.
Before You Set Up VPN Service
Before setting up Virtual Private Network (VPN) service, you need to determine which transport protocol you’re going to use. The table below shows which protocols are supported by different platforms.
If you have...             you can use L2TP/IPSec.   you can use PPTP.
Mac OS X 10.3.x clients    X                         X
Mac OS X 10.2.
To enable L2TP:
1 In Server Admin, choose the VPN Service from the Computers & Services list.
2 Click Settings.
3 Select the General tab.
4 Select L2TP.
5 Enter the shared secret.
6 Set the beginning IP address of the allocation range.
7 Set the ending IP address of the allocation range.
8 Enter the group that has access to VPN login. You can use the Users & Groups button to browse for a group.
Configuring Additional Network Settings for VPN Clients
When a user connects to your server through VPN, that user is given an IP address from your allocated range. If this range is not served by a DHCP server, you’ll need to configure additional network settings. These settings include the network mask, DNS address, and search domains.
Monitoring VPN Service
This section describes tasks associated with monitoring a functioning VPN service. It includes accessing status reports, setting logging options, viewing logs, and monitoring connections.
Viewing a VPN Status Overview
The VPN Overview gives you a quick status report on your enabled VPN services.
Viewing the VPN Log
You’ll need to monitor VPN logs to ensure smooth operation of your Virtual Private Network. The VPN logs can help you troubleshoot problems.
To view the log:
1 In Server Admin, choose VPN Service from the Computers & Services list.
2 Click Logs.
Viewing VPN Client Connections
You can monitor VPN client connections to ensure secure access to the Virtual Private Network.
6 NTP Service
Network Time Protocol (NTP) is a network protocol used to synchronize the clocks of computers on your network to a time reference clock. NTP is used to ensure that all the computers on a network are reporting the same time.
Using NTP on Your Network
Mac OS X Server can act not only as an NTP client, receiving authoritative time from an Internet time server, but also as an authoritative time server for a network. Your local clients can query your server to set their clocks. If you set your server to answer time queries, it’s advised that you also set it to query an authoritative server on the Internet.
Configuring NTP on Clients
If you have set up a local time server, you can configure your clients to query your time server for the network date and time. By default, clients query Apple’s time server. These instructions allow you to set your clients to query your time server.
To configure NTP on clients:
1 Open System Preferences.
2 Click Date & Time.
3 Select the Network Time tab.
4 Select “Set Date & Time automatically.
7 IPv6 Support
IPv6 is short for “Internet Protocol Version 6.” IPv6 is the Internet’s next-generation protocol designed to replace the current Internet Protocol, IP Version 4 (IPv4, or just IP). The current Internet Protocol is beginning to have problems coping with the growth and popularity of the Internet. IPv4’s main problems are:
• Limited IP addressing. IPv4 addresses are 32 bits, meaning there can be only 4,300,000,000 network addresses.
IPv6 Enabled Services
The following services in Mac OS X Server support IPv6 in addressing:
• DNS (BIND)
• IP Firewall
• Mail (POP/IMAP/SMTP)
• SMB
• Web (Apache 2)
Additionally, there are a number of command-line tools installed with Mac OS X Server that support IPv6 (for example, ping6 and traceroute6).
IPv6 Addresses in the Server Admin
The services above don’t support IPv6 addresses in the user interface.
The final notation type includes IPv4 addresses. Because many IPv6 addresses are extensions of IPv4 addresses, the right-most four bytes of an IPv6 address (the rightmost two byte pairs) can be rewritten in the IPv4 notation. This mixed notation (from the above example) could be expressed as: E3C5:4AC8:192.168.100.
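As an added worked example (not part of the Apple manual), the following Python renders any textual form of an IPv6 address in the mixed notation described above, compressing the longest run of zero groups in the leading 96 bits with “::”. It also checks that two textual forms name the same address, which matters when an IP firewall rule and a log entry spell the same address differently; all sample addresses are constructed.

```python
import ipaddress


def mixed_notation(addr: str) -> str:
    """Render an IPv6 address with its rightmost four bytes as a dotted quad.

    Accepts expanded, compressed or already-mixed input. Hex groups are
    emitted in lowercase (RFC 5952 style); the manual's example uses
    uppercase, which denotes the same address.
    """
    raw = ipaddress.IPv6Address(addr).packed        # 16 bytes, network order
    groups = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, 12, 2)]
    v4 = str(ipaddress.IPv4Address(raw[12:]))       # low 32 bits as IPv4 text

    # Locate the longest run of consecutive zero groups among the six
    # leading groups; only a run of two or more is worth collapsing to "::".
    best_start, best_len, i = -1, 0, 0
    while i < len(groups):
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < len(groups) and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j

    hexgroups = [f"{g:x}" for g in groups]
    if best_len >= 2:
        head = ":".join(hexgroups[:best_start])
        tail = ":".join(hexgroups[best_start + best_len:])
        prefix = f"{head}::{tail}"
    else:
        prefix = ":".join(hexgroups)

    # After "::" the dotted quad follows directly; otherwise a ":" separates it.
    sep = "" if prefix.endswith("::") else ":"
    return f"{prefix}{sep}{v4}"


def same_address(a: str, b: str) -> bool:
    """True when two textual IPv6 forms denote the same 128-bit address."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


if __name__ == "__main__":
    for sample in ("2001:db8::c0a8:6401", "::ffff:192.168.100.1", "::1"):
        print(sample, "->", mixed_notation(sample))
```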
Where to Find More Information
The working group for the Internet Protocol Version 6 website is www.ipv6.org. A group of IPv6 enthusiasts maintains a list of applications that support IPv6 at the website www.ipv6forum.com/navbar/links/v6apps.htm.
Request For Comment Documents
Request for Comments (RFC) documents provide an overview of a protocol or service and details about how the protocol should behave.
Glossary
This glossary defines terms and spells out abbreviations you may encounter while working with online help or the Mac OS X Server Network Services Administration for Version 10.3 or Later manual. References to terms defined elsewhere in the glossary appear in italics.
bit A single piece of information, with a value of either 0 or 1.
broadcast The process of transmitting one copy of a stream over the whole network.
byte Eight bits.
firewall Software that protects the network applications running on your server. IP firewall service, which is part of Mac OS X Server software, scans incoming IP packets and rejects or accepts these packets based on a set of filters you create.
FTP (File Transfer Protocol) A protocol that allows computers to transfer files over a network.
ISP (Internet service provider) A business that sells Internet access and often provides web hosting for ecommerce applications as well as mail services.
L2TP (Layer Two Tunnelling Protocol) A network transport protocol used for VPN connections. It is essentially a combination of Cisco’s L2F and PPTP. L2TP itself is not an encryption protocol, so it uses IPSec for packet encryption.
multicast An efficient, one-to-many form of streaming. Users can join or leave a multicast but cannot otherwise interact with it.
multihoming The ability to support multiple network connections. When more than one connection is available, Mac OS X selects the best connection according to the order specified in Network preferences.
MX record (mail exchange record) An entry in a DNS table that specifies which computer manages mail for an Internet domain.
port A sort of virtual mail slot. A server uses port numbers to determine which application should receive data packets. Firewalls use port numbers to determine whether or not data packets are allowed to traverse a local network. “Port” usually refers to either a TCP or UDP port.
protocol A set of rules that determines how data is sent back and forth between two applications.
SLP (Service Location Protocol) DA (Directory Agent) A protocol that registers services available on a network and gives users easy access to them. When a service is added to the network, the service uses SLP to register itself on the network. SLP/DA uses a centralized repository for registered network services.
SMTP (Simple Mail Transfer Protocol) A protocol used to send and transfer mail.
UDP (User Datagram Protocol) A communications method that uses the Internet Protocol (IP) to send a data unit (called a datagram) from one computer to another in a network. Network applications that have very small data units to exchange may use UDP rather than TCP.
unicast The one-to-one form of streaming. If RTSP is provided, the user can move freely from point to point in an on-demand movie.
UTC (universal time coordinated) A standard reference time.