Mac OS X Server - where will "it" live?



rickyd
18th August 2007, 06:18 PM
Hey,

I am interested in the upcoming release of Leopard Server, and was taking a look at the home page. http://www.apple.com/server/macosx/leopard/

Where do all these calendar servers, wikis, directory servers etc. live? Can I put them on my local drive and be able to connect to them from my internal wireless network? Or is it also possible to get in from the outside via the Internet?

I am very new to all this "Server" jazz and was just wanting to learn what it's all about.

TIA,
Ricky.

purana
18th August 2007, 06:21 PM
Or is it also possible to get in from the outside via the Internet?

Any service run on your internal network can be accessible from the internet, as long as you have a static IP (or set up a DynDNS address for your non-static IP) and then forward the port(s) through your router.

rickyd
18th August 2007, 06:22 PM
Thanks purana,

My only concern is my network is a mere AirPort one. Is this a problem?

Jedda
18th August 2007, 07:07 PM
Thanks purana,

My only concern is my network is a mere AirPort one. Is this a problem?

No, but if you have to ask that, it's probably a bit too high end for you to setup and maintain.

rickyd
18th August 2007, 07:08 PM
Rightio, but where can I go to learn how to do so?

Jedda
18th August 2007, 07:15 PM
Rightio, but where can I go to learn how to do so?

http://www.apple.com/server/documentation/

is a good start.

rickyd
18th August 2007, 07:29 PM
From the 'Getting Started' PDF it looks like you need an Xserve??

decryption
18th August 2007, 07:38 PM
From the 'Getting Started' PDF it looks like you need an Xserve??

Nope, Mac OS X Server works on any Mac. The Xserve is just a more robust Mac designed for server duties.

rickyd
18th August 2007, 07:45 PM
Cool. So all this IP, MAC address and other fancy mambo will be found on my AirPort Extreme??

iSlayer
18th August 2007, 07:46 PM
Cool. So all this IP, MAC address and other fancy mambo will be found on my AirPort Extreme??

Indeed

rickyd
18th August 2007, 07:51 PM
Thanks guys for your help. I'll snoop around and see how all goes. Just a final question: does the server edition have all the same apps and stuff as the normal client edition?

thanks again,
Ricky.

iSlayer
18th August 2007, 07:58 PM
Just a final question: does the server edition have all the same apps and stuff as the normal client edition?

Yep, pretty much. A few extra server apps.

rickyd
18th August 2007, 10:28 PM
Okay, after reading a little more about it, say I do set up this whole shebang complete with iCal server, Directory etc., will I be able to access this stuff from the web, providing my machine is still on?

Cheers,
Ricky.

decryption
18th August 2007, 10:33 PM
Okay, after reading a little more about it, say I do set up this whole shebang complete with iCal server, Directory etc., will I be able to access this stuff from the web, providing my machine is still on?

Cheers,
Ricky.

Correct.

rickyd
18th August 2007, 10:35 PM
oooo... sounds interesting!
thanks.

iSlayer
18th August 2007, 10:35 PM
Okay, after reading a little more about it, say I do set up this whole shebang complete with iCal server, Directory etc., will I be able to access this stuff from the web, providing my machine is still on?

Yes, but unless you really need it all, you're probably just going to make things more complex than needed. Unless you're running a business with lots of systems, it's overkill to run OS X Server.

rickyd
18th August 2007, 10:43 PM
Right,
The main purpose for this is because - well, I'm going to get the Server edition of Leopard anyway, and so I thought it would be fun to play around with it - all because I know stuff all about servers/networks.

I will take your suggestion into consideration.

Ricky.

jubilantjeremy
19th August 2007, 01:55 AM
Um, save your time and money - my understanding is that the server edition only includes some hardcore stuff that only hardcore server admins would need/want - most features are already in the normal Desktop release. The ($500?) or so for server is mainly to cover multiple machine/business licensing, I think?

Buying Server probably isn't the best way to learn about it, or learn about plain networking. If you're really interested (and you'd want to be looking at a career in it to be that interested, I reckon) then maybe think about a TAFE course, eh?

-J

kakman
19th August 2007, 09:05 AM
Right,
The main purpose for this is because - well, I'm going to get the Server edition of Leopard anyway, and so I thought it would be fun to play around with it
Just out of curiosity, why are you getting Leopard Server anyway? It seems a strange thing to buy if you don't have a specific need.

//k

iSlayer
19th August 2007, 09:07 AM
I believe Ricky is an ADC Select member, which means he can get it for free.

kakman
19th August 2007, 10:08 AM
I believe Ricky is an ADC Select member, which means he can get it for free.
Ah, OK. Probably my only advice then would be to install it on a separate partition or drive. Having used every version of Apple server software since AppleShare 4, I've never been tempted to run it as my 'normal' OS. They do work 'differently', even if only in small ways, but I'd be inclined to think it could make a fair difference in day to day functionality.

Mind you, I haven't used Leopard Server so maybe everything will be different.

//k

rickyd
19th August 2007, 06:11 PM
iSlayer is right :)

timdotexe
26th September 2007, 02:46 PM
Do it mate, have a play with OSX Server!

A lot might be over your head, but you will have some fun trying to figure it out.

Probably best to stick it on a spare machine though if you have one available to you.

coljac
26th September 2007, 03:57 PM
I'm a developer, but earlier this year I decided enough was enough - I've been administering many machines and networks for so long, I really should know what I'm doing. I read the networking part of a book designed for training CCNAs (Cisco Certified Network Associate) and most of what I could get my hands on in terms of Linux networking, and built my own router with scripts to failover between my two internet connections.

Now networking issues are a bit less of a mystery to me - always comes in handy as a developer. Overall it was a pretty cheap and quick educational process, too.

rickyd
18th December 2007, 06:29 PM
Well I just set it up now. During the setup I listed what I wanted my server to be called and set up my user account (admin). Now wherever I go (in iChat, Mail - even the Dashboard status widget) those credentials as I entered won't work. Does anyone have any ideas of what might be happening?

Thanks,
Ricky.

jubilantjeremy
18th December 2007, 06:34 PM
Maybe you can't use the 'master' admin account locally, as a normal user. Like how you don't really login as root on a Linux box.

Tried creating another account?

PS I probably know less about Leopard Server than you do.

rickyd
18th December 2007, 06:36 PM
PS I probably know less about Leopard Server than you do.

Oh, I doubt that!

rickyd
18th December 2007, 06:46 PM
Okay so I just entered my IP into some fields and it works, but still not for iChat and Mail. I have a registered domain (rickyprograms (dot)(com)) so when I enter server.rickyprograms.com is it looking for that internet site??

Thanks,
Ricky.

kakman
20th December 2007, 04:38 PM
Okay so I just entered my IP into some fields and it works, but still not for iChat and Mail. I have a registered domain (rickyprograms (dot)(com)) so when I enter server.rickyprograms.com is it looking for that internet site??
Have you set up the appropriate DNS? OSX Server really needs proper DNS to work properly.

Just out of interest, did you do a workgroup or advanced install?

/k

rickyd
20th December 2007, 06:22 PM
Standard.

AUSMUG
20th December 2007, 07:12 PM
kakman is probably spot on. DNS is critical for the services you mentioned.

You should use the host command in Terminal to check how your host is resolving. You can also use the dig command. I'm not sure if the Leopard command line documentation has been released yet or not, but the Tiger Server Command Line Documentation is available on Apple's site, which should contain the commands needed to fix your DNS. It is critical though that forward and reverse DNS is set up properly.

To be honest, although there are thousands of pages of documentation for the server software in around 20 separate PDFs, the actual instructions are that disjointed and confusing, as well as missing vital information that you would expect to find, that it is a complete disaster. I showed the docs to my TAFE Teachers (Sys Admin Diploma) and like me they all agreed that this was the worst documentation they had ever seen.

I'd never used Windows in my life before but I learned how to set up Windows Server 2003 & Server 2008 beta completely with every service running perfectly without even needing to use the documentation that came with it in 1/100th the time it has taken me so far trying to follow Apple's docs just to set up DNS (which is still a disaster).

rickyd
20th December 2007, 07:35 PM
If I were to ring up Apple (133-MAC) would they be able to walk me through it?

AUSMUG
20th December 2007, 09:33 PM
Apple doesn't have any staff working in basic support with the skills to help you with any server related problems.

I bought 5 Xserves all with Premium Support & Spare Parts Kits, then I bought copies of Tiger Server for each. I contacted Premium Support (in the US) to ask for help setting up DNS and they were great up to a certain point, the moment I needed to run some required commands in Terminal. At this point they stated support only covers the GUI and unfortunately they would be unable to help me any further as Command Line support was not within the scope of their duties. Let's just say I have been far from impressed with the support Apple offers.

I've tried seeking help on Apple's own XServe Mailing List but got attacked numerous times, got told RTFM. These guys were more about showing how superior they each were as IT & Network experts quoting RFC regulations whenever they could. Basically intellectuals who because of their superiority complexes don't want new users on their list.

You could try Apple's Discussions Forums, there are hundreds of DNS Server setup posts. Unfortunately most are from people seeking help. Of those that do answer, 90% provide totally incorrect instructions, so the trick is to sift out the 10% of answers that aren't FUD.

I have had suggestions I try MacEnterprise but I haven't checked out their support other than reading a few articles and Webcasts. AFP548.com is another site you could try for info eg http://www.afp548.com/article.php?story=20071031195155456

I just got a copy of Leopard Server to try out for a review so I'll post back if I'm more successful with it setting up DNS. I know there have been a lot of changes in the new version.

rickyd
20th December 2007, 09:51 PM
Thanks AUSMUG. I did post a topic on the discussions earlier. Here it is;



Hi guys,

First let me clarify I know next to nothing about networking.

I successfully setup Mac OS X Leopard Server on my old iMac G5. It all works fine in the local network (a MacBook Pro + iMac strung together by an AirPort Extreme Base Station).

I have had nothing but trouble though in regards to trying to get the server outside my local network (the internet). I have done what everyone has told me.

I have enabled Port Mapping on my AEBS and forwarded port 80 to my iMac's local IP address.
My AEBS has an incoming Internet connection (ADSL) from a modem. I have been told to set up Dynamic DNS through www.dyndns.com but that doesn't work either.

When I set it up, I choose Dynamic DNS, enter my desired hostname and current IP address (not my local IP) but still to no avail.

Either way, I get other people to put my iMac's IP address in their browser and it cannot connect to the server.

Can anyone recommend any holes I need to fill?

Your help is much appreciated,
Ricky.

kakman
20th December 2007, 10:18 PM
I don't know anything about DynDNS but first things first.

My suggestion would be to connect your server machine directly to your ADSL and then try to access it using the IP it delivers (Is your IP static or dynamic?). If you get success here, at least you know the machine and services are working OK. If it doesn't work using the same configuration *with* DynDNS, you have a DNS problem. If it works with DynDNS, you probably have a router problem.

Setting up a server is fairly straightforward if the DNS and router are right. We've been using QuickDNS Pro (or whatever it's called now) since AppleShare IP days and we've never changed to the OSX Server DNS. They both use BIND, but as he had a working setup already, updates of the server never affect the DNS as they're separate. It costs $50 a year for tech support and it's money well spent (menandmice.com).

And AUSMUG was right about the OSX Server list - if you post there expect to get bashed with RTFM and 'you're not worthy'. The problem you have could be any one of a million things (which is why it's going to be hard to diagnose) but I very much suspect DNS is at the root of it.

/k

kakman
20th December 2007, 10:19 PM
If I were to ring up Apple (133-MAC) would they be able to walk me through it?
no...

/k

rickyd
20th December 2007, 10:28 PM
Well I downloaded the Dyn DNS client for Mac and that got the wiki up and running. But for things like iChat, iCal and Mail I can still not access/set them up properly. I used rp.server as my Server name, and that will never work in any of the applications. What do I do?

Thanks,
Ricky.

kakman
21st December 2007, 06:11 AM
Well I downloaded the Dyn DNS client for Mac and that got the wiki up and running. But for things like iChat, iCal and Mail I can still not access/set them up properly. I used rp.server as my Server name, and that will never work in any of the applications. What do I do?

I'm starting to think this is somewhat futile but...

Did you do what I suggested in my previous post? What were the results?

I have no idea what the Dyn DNS client is or does, nor do I have any interest in finding out:), but it would help if you told us what you did with it.

How do you access the wiki? What address do you use?

How aren't iChat, iCal and Mail working? Do you mean the client apps aren't working or the server services?

Is rp.server setup somewhere in your DNS?

As far as what to do, it really sounds like you need some hands on help. Either read the manual until you understand it or consider getting a consultant. As I said earlier, it's very hard to diagnose this with such vague descriptions. Are you still trying to use this as your main OS? I still think this is a bad idea as it's just not what OSX Server is intended for.

Apologies if I sound a bit harsh, but this could take years to resolve at this rate.

/k

rickyd
21st December 2007, 09:04 AM
Well the reason why I didn't try your solution before was because I had already got the wiki working via the Dynamic DNS client. It just sits there and continues to change my "ricky.dyndns.com" (or whatever you choose) to my current IP address.

At the moment, to access the wiki internally I just type in my computer's local IP address. For people outside of the network they type in my IP address or rickyprograms.selfip.com.

The applications themselves are working, I just can't connect them to the server. E.g. when I open iChat and it asks me to login with rickyd@rp.server, I type in my password and it fails. But all my services in Server Preferences are showing up fine (with a green light).

I have to clarify I find DNS very confusing so I don't really know what you mean by is rp.server setup somewhere in my DNS.

In the Apple Discussions forum someone said I needed to setup MX record for my Mail service to work.

Thanks,
Ricky.

Currawong
21st December 2007, 09:47 AM
Ricky, did you read the article I linked to? It explains DNS very simply.

rickyd
21st December 2007, 09:52 AM
I did read it. But I can't see anything relating to setting up DNS on Leopard Server :o

kakman
21st December 2007, 02:35 PM
Well the reason why I didn't try your solution before was because I had already got the wiki working via the Dynamic DNS client. It just sits there and continues to change my "ricky.dyndns.com" (or whatever you choose) to my current IP address.
My advice is to do what I said earlier - get rid of any reference to DynDNS so you can diagnose the problem. Having it there is only adding to the confusion and is certainly not the way a server should be set up. The reason I suggested the things in my previous post is to help - if you don't want to do them that's fine, but I'm not willing to try and diagnose by guesswork.


At the moment, to access the wiki internally I just type in my computer's local IP address. For people outside of the network they type in my IP address or rickyprograms.selfip.com.

Typing the internal IP is simply bypassing the DNS. What the heck is rickyprograms.selfip.com? Where did you set that up? So far I'm seeing rickyprograms.selfip.com, ricky.dyndns.com and rp.server and you haven't told us where you've set these up or where they point.


The applications themselves are working, I just can't connect them to the server. E.G when I open iChat and it asks me to login with rickyd@rp.server I type in my password and it fails. But all my services in Server Preferences are showing up fine (with a green light).

This just shows that the services are on and working so the problem is not the server. Do you have users set up?


I have to clarify I find DNS very confusing so I don't really know what you mean by is rp.server setup somewhere in my DNS. In the Apple Discussions forum someone said I needed to setup MX record for my Mail service to work.

Simplistically, MX record is DNS talk for a mail server - it's all related to your existing problem. The more we discuss this the more I'm sure it's a DNS problem. I'm certainly not a DNS expert but my first suggestion is to read the DNS manual for Leopard server - I'm sure there'll be one.

I'll reiterate my original suggestion: connect it directly to the ADSL and try to contact it via the public IP address. Once you've established this is working (which I'm sure it is), you can then start to work on the DNS issues confident the server is not the problem.

FWIW, iChat would not be my first choice of services to be using to learn OSX Server - it's a tad cryptic to get working so you'd be better off starting with something simple - I'd suggest web or AFP.

cheers

/k

rickyd
21st December 2007, 02:48 PM
Excuse me, but how do you think your solution is going to work?



I'll reiterate my original suggestions, connect it directly to the ADSL and try to contact it via the public IP address. Once you've established this is working (which I'm sure it is), you can then start to work on the DNS issues confident the server is not the problem.


How will that resolve the issue? I have clarified that I (and people outside my network) are able to access my iMac's web sharing via its public IP address with the router.

The Dynamic DNS client is staying - so as I have been told as my public IP address may change, the Dynamic DNS client keeps the rickyprograms.selfip.com address connected to my iMac's proper IP address.

rp.server is what I named the server;
rickyprograms.selfip.com as I just explained is the address I got from http://www.dyndns.com to prevent me having to type in my public IP address to access the wiki.

So let me confirm - the blog/wiki/whole internet jazz is working fine (both locally and externally) but things like Calendar and Mail are not working (fine - don't worry about iChat).

Ricky.

kakman
21st December 2007, 03:30 PM
Excuse me, but how do you think your solution is going to work?

I'm trying to work logically through the problem but clearly you don't seem to think DNS is a problem. I happen to think DNS is *exactly* your problem. Do you have an MX record? Have you read the calendar docs?

I may be completely wrong - but at this stage we're simply going to have to agree to disagree on our problem solving techniques. Good luck with it though, hope you get it sorted.

/k

rickyd
21st December 2007, 03:37 PM
The only thing I'm not understanding is why rp.server won't work. At the end of the setup it confirmed everything was running fine.

Are you saying I have to set up some DNS thing (I don't know how) to get it working? What do I have to point rp.server to? That's what DNS does - right?

Currawong
21st December 2007, 03:53 PM
The problem is, you keep talking about DNS, but each time you are referring to something different.

Look at it this way. Any computer anywhere, networked or not, can call itself a DNS server. In a manner of speaking, if you set up a regular network of Macs that can self-discover each other using the built-in Bonjour networking, each of the Macs is itself acting as a kind of DNS server. Confused? Not surprised. What's going on is similar. Your server is a DNS server. As far as it is concerned, all its settings are fine. Whether or not the rest of the internet can see what is needed on it depends on things outside of it, respectively, the DynDNS settings and your router settings before it gets involved in showing your wiki. The same as if I want to drive to your house. Your house is fine where it is, but unless I know the city, suburb and street and how to drive there I won't make it.

Going back to the situation, it seems with the DynDNS client we can get to your internet connection fine. Now we have to make sure that incoming connections can get to your server and that your server knows what to do with them.

That connections from YOUR computer to your server work is because you have TWO networks to ponder. The first is the internet, the second is your internal network, which is known as an INTRANET. Internally all the Macs know what they are doing and work fine. However, that isn't translating across to the internet. The house analogy again - you can go from your kitchen to the living room no problem, but we can't get to either because we don't know how to get in the front door.

I guess now I'm going to have to fire up Leopard server sometime and figure out how to set up a wiki so I can help you.

mab
21st December 2007, 03:54 PM
From the Terminal, can you ping rp.server?

rickyd
21st December 2007, 03:57 PM
Thanks Currawong, that clears things out a bit.

mab - no I cannot ping it.

rickyd
22nd December 2007, 10:01 PM
Now that I have the wiki thing setup, (server.rickyprograms.com), I was imagining I'd be able to use the same IP address to access File Sharing. Now, I can successfully access the files using the internal IP address but people on the net can't get them using the external IP address...but they can access the wiki.

What the hell!?

Help is much appreciated,
Ricky.

Currawong
23rd December 2007, 10:48 AM
Did you forward port 80 on your router to the internal IP address of the server?

rickyd
23rd December 2007, 05:22 PM
Yup...

kakman
23rd December 2007, 05:27 PM
Did you forward port 80 on your router to the internal IP address of the server?

My final input - he needs to open port 548 for AFP and check there's no firewall blocking it elsewhere (ISP etc).

rickyd
23rd December 2007, 05:33 PM
I am trying to do that, but...

http://img211.imageshack.us/img211/4758/picture1qo6.th.png (http://img211.imageshack.us/my.php?image=picture1qo6.png)

rickyd
26th December 2007, 11:40 PM
Okay got that all working. It was a pretty obvious issue.

Now my only concern is that my local IP address has changed. When I setup Leopard Server I told it to have a manual (static) IP. Why is it changing and how can I stop it from changing?

To help - I'm running through a new AEBS as a router.

Thanks again,
Ricky.

rickyd
27th December 2007, 05:51 PM
Anyone??

AUSMUG
28th December 2007, 01:16 AM
Some things to consider about your external connection

1/ DYNDNS

Companies like dyndns.com own a number of domains which you can choose from as a base address eg dyndns.org, dyndns.com, selfip.com etc which they manage the DNS records for. What these services do is let you choose host names such as rickyprograms which gives you an address like rickyprograms.selfip.com, in effect giving you a sub domain which you can control to a limited extent.

Unfortunately you can't specify exact 4th level domain names like www, mail, chatserver or whatever to give you names like mail.rickyprograms.selfip.com or www.rickyprograms.selfip.com (http://www.rickyprograms.selfip.com). What you can do is use * (wildcard) as a setting. This setting tells all traffic destined to these 4th level domain names to be sent to the same IP that the main rickyprograms.selfip.com address points to.

Though this now allows you to serve a variety of names for different services being served from a single machine, it is no good if you ever need to add a second server. Also you only have a * (wildcard) entry for your DYNDNS hosted records rather than an actual name like mail.rickyprograms.selfip.com. This means many ISPs are likely to block mail sent from your domain. These companies block dynamically assigned blocks that most ISPs hand out. Sure a lot of mail may still work with many ISPs, companies etc but to guarantee all your mail works smoothly it is becoming more and more essential that you have a Static IP assigned by your ISP and have the ability to set up properly configured reverse DNS for this address.

What rickyd has set up will send traffic to his IP address using a variety of host names (really 4th level domain names) but as mentioned above he may have problems with mail. As far as I know mail is the only protocol that requires a fully functioning reverse DNS to comply fully with RFC specifications to be guaranteed to work with every compliant mail server on the planet.

Conclusion: To run a compliant internet accessible external mail server you should have a fixed IP, the ability to set up proper A records & MX records in your DNS for your host names eg www.rickyprograms.selfip.com (http://www.rickyprograms.selfip.com/) or mail.rickyprograms.selfip.com etc pointing to your fixed IP, as well as the ability to edit your reverse DNS entries, which has to be done through your ISP. For example with my iiNet Business ADSL2+ Control Panel I can set reverse DNS for each of the fixed IPs I have been allocated.

2/ Registrars

These are the people you register your domain name through if you want your own domain name and not a sub-domain name under some other company's name. This is important for search engines to rank you higher in most cases. Most registrars can provide an interface where you can enter the names/IPs for the DNS servers provided for your domain name by the company you sign up for your DNS services.

DNS is essential for the internet to work. You should have 2 DNS server addresses listed as a minimum, but the more you list the better.

3/ External DNS

I've used ZoneEdit which offers up to 5 zone names with unlimited sub-domains for free but there are many companies offering this service either for free or paid.

The more geographically separated DNS servers the better as far as customer experience is concerned, and that's why large providers place DNS servers on multiple continents. However if your customer base is mainly local, having Australian based DNS servers will speed things up.

It is even possible, if working on the cheap and you know someone else with a fixed IP and preferably on another network (for redundancy) running servers, to have them act as your secondary DNS. As mentioned earlier 2 addresses are required as a minimum for DNS servers in your DNS records.

In this set-up you handle primary DNS and your friend handles secondary DNS for your domain names. Likewise your friend can host primary DNS for his domains and you can become his secondary DNS. This is a free solution which works OK and makes it very easy when updating records if new hosts are added to your domain or if new domains are added.

As mentioned earlier, being allocated dynamic IPs by your ISP basically forces you to use a DYNDNS type solution unless you're prepared to go in and edit your IP address in your DNS records whenever your IP changes. This can be a pain in the butt, however it does give you a lot more freedom to create properly configured DNS for your domain.

4/ Working with your ISP

Companies that provide dynamic IPs generally don't provide an interface for setting up reverse DNS. Overseas some ISPs will manually edit their own records to include reverse DNS for your allocated IP, however I know of none in Australia who offer this service. Those using ISPs who can provide static IPs are capable of using their ISP provided Control Panel/interface to set reverse DNS for their allocated IPs if their ISP provides this service. Check with your ISP.

Other considerations: Set up a redundant connection (many ISPs provide a backup dial in number for emergency access) if possible. For even better redundancy set up an account with a totally different ISP using a different pipe. This does require having a router/modem capable of taking advantage of this other pipe.

5/ Routers

The reality: Unless you're running some horribly expensive hardware to handle connection teaming etc you can't really get any real speed increase out of using a redundant connection, so although a number of medium priced routers offer this capability, for most people redundancy only provides a back up service if your main connection drops. Remember whenever your main connection drops you would have to update your DNS records and again when your main connection comes back to reflect your current status. This can be a real pain.

That said, having a reliable and configurable router is essential if running web servers unless you're rich enough to buy a block of IPs.

The router is a piece of hardware that acts as a gateway between networks (routers can be placed externally or internally depending on the set-up of your network). In rickyd's case he is using an Airport Extreme Base Station as an external gateway which receives any external IP allocated to him by his ISP which is associated to the WAN port on his router.

By default external access to the internal network is blocked thus rickyd's need to set-up port forwarding for any services he wishes to serve to external clients.

Remember by default port 80 is open on all routers (out of the box) that provide a web based admin interface. This web based interface is only accessible via a predefined non public ip address via one of its LAN interfaces such as 192.168.0.1 or whatever depending on brand. External access from the WAN side is blocked. However normal outbound traffic from the LAN side to the WAN side is allowed. From the admin interface you set up all your routing rules, policies etc, change admin username and admin password as well as name of device depending on model. What you can do will vary depending on the model router you use i.e. its capabilities, available ports, port speed, VPN access, built-in DHCP or DNS server etc.

Some things to consider about your internal network

6/ Network Topology and Requirements

Most people have very basic needs so setting up your network shouldn't be much trouble.

Scenario 1
People who don't run servers only need to turn on the DHCP server on their router to ensure each machine is allocated a local IP address so as to be able to share the internet to any computer on their local subnet. Remember DHCP is restricted to a single subnet only. The DHCP server provides addresses within a given range. You can use static IPs or Manual DHCP instead depending on your needs or preferences as long as they are within the same subnet as would be allocated dynamically by the DHCP server.

In this situation you set up your router to point to your ISPs DNS server and then set-up each machine on the local subnet to use the routers internal LAN IP as their DNS server address.

You are now basically ready to go.

Scenario 2
People serving some services to the web or requiring external access to internal services from machines on the same local subnet as allocated or set up in your router.

This is rickyd's situation.

The first step is to determine what services you will need and what ports they will need to run on. OS X Server docs will contain a list of all the ports required or capable of being used to run various services.

You need to log in to your router and set up port forwarding rules for these services pointing to the machine offering those services on your local network.

It appears rickyd has port forwarding set up properly now. His problem lies with him using a DYNDNS service, which stops him being able to set up customized DNS records, which in turn prevents him, even in the unlikely situation that his ISP would let him, from setting up reverse DNS records properly. As stated earlier, ISPs not allocating fixed IPs don't offer this service.

Rickyd will still be able to offer services, however without proper reverse DNS some mail will be blocked.

Scenario 3
People who run services whereby their servers are separated from their main internal network. This could be achieved by configuring your router, if it is capable, to separate your network so any services you wish to make public are handled by machines in a DMZ. Depending on the topology of your network this could be in front of your router protected by a physical firewall, behind your router in a pre-configured DMZ setup, or behind your router using VLANs, depending on needs or abilities of your router. This protected network must be in a different subnet from your main LAN subnet and routing rules must be configured to control access from the DMZ to the LAN interface, because by default traffic between these interfaces should be disallowed unless specifically required on a per machine or service basis.

Extra Considerations
As mentioned earlier port forwarding is accomplished by configuring your router. Most people set up their routers for a form of port forwarding known as 1-Many, which means theoretically, as long as the services are unique as far as their port requirements go, one external IP can be forwarded to numerous machines, e.g. ftp traffic could go to one machine and web traffic to another.

Unfortunately this is not a good thing as far as reverse DNS is concerned. To set this up properly the external IP address you intend to be used by your mail server should not point to the external WAN interface of your router like is done in 1-Many port forwarding. Instead the external interface on your router needs to be set up on this IP with what they call 1-1 port forwarding. This means the external address is actually linked to the Ethernet interface on your actual server machine.

By duplicating your network interface on your server machine using Network Preferences the same port can respond to both your external IP and a local IP for access within the local network. Please note that you must have the external address above the internal address for things to work properly. The OS expects the external IP to be on top.

By setting things up this way you can have OS X Server set up using a real world address as its fully qualified domain name, e.g. myserver.com or mailserver.myserver.com, as long as this domain name has been set up in your DNS prior to set-up. Remember reverse DNS must be set up first through your ISP's interface.

After everything is configured properly and you have tested that DNS is working properly you can change Open Directory from a standalone machine to a domain controller.

7/ Open LDAP

By default OS X Server is set up as a standalone server and only manages accounts on the machine it is running on. With proper DNS set up and by elevating it to a master controller you can extend its capabilities to handle authentication and authorisation for your entire network.

What does this have to do with rickyd's problem?

Apple in their infinite wisdom decided to make certain services dependent on having a properly set up Open Directory infrastructure. These happen to be the services rickyd said he couldn't access externally.

Rather than having a real domain name with an external address and a fully qualified domain name as a basis for his network, rickyd is using a made up local hostname linked to his local IP, probably 127.0.0.1, which will give him a fully qualified domain name as far as OS X Server is concerned. There is a specific order in which OS X Server searches for matching records when creating a fully qualified domain name for itself, starting with a properly configured external IP and going down to localhost if that is all that is available.

What impact would this have?

While rickyd can set up Open Directory services the way he has it set up, I think it is only working with his local domains on his local network. It is not set up to accept authentication for real world external domain names. Thus the services that require that for external access fail, whereas when accessed via a local address they succeed.

Without seeing local logs or monitoring the network with something like Wireshark to inspect the packets being sent this is all theoretical, but it does make sense as a possible cause of his problems. I am sorry for the long post but this is a difficult topic to get your head around so I thought things would be easier to follow if I wrote this post in the amount of detail I have.

rickyd
28th December 2007, 08:03 AM
Thanks a lot AUSMUG,

That clarifies a few things. I just want to ask you - you mentioned that two DNS servers were the least amount required, however I only have one. There was only one in Server Admin so I presumed that was all it needed.

Where the hell do I find out what DNS servers I am currently using on my MacBook or what I am meant to be using?

Thanks again,
Ricky.

Venom71
28th December 2007, 08:30 AM
Hi Ricky

Have you seen this page? It may be able to provide you with some help as well.

Apple OS X Server Resources (http://www.apple.com/server/macosx/resources/)

rickyd
28th December 2007, 02:07 PM
Sorry guys.

This morning I was accessing my web wiki thing fine...but now all I get is 'Internal Server Error'. I haven't done anything to the settings. I don't understand.

EDIT: I'm just entering my local IP.

AUSMUG
28th December 2007, 03:37 PM
Thanks a lot AUSMUG,

That clarifies a few things. I just want to ask you - you mentioned that two DNS servers were the least amount required, however I only have one. There was only one in Server Admin so I presumed that was all it needed.

Where the hell do I find out what DNS servers I am currently using on my MacBook or what I am meant to be using?

Thanks again,
Ricky.

What I meant was when you register your domain name with a registrar you'll find the registrar offers an interface/Control Panel where you enter the names/IPs of the DNS servers handling your domain. It is here you should have a minimum of 2 DNS servers listed. When you sign up with a DNS supplier they'll provide the IPs/names to use. Remember this is for your external DNS only.

If you were running your own public Primary DNS server and had someone else acting as Secondary DNS for your domain you could enter your and your friend's public IPs for these machines as entries in the previous paragraph.

The reality is that you haven't got this set up so you will just use the supplied addresses from your External DNS provider.

As far as your internal DNS is concerned, unless you have 2 ISPs on different pipes for redundancy, reverse DNS set up on your external address etc, it is unnecessary to run 2 internal DNS servers (primary & secondary). Therefore in your situation all you should need is 1 local DNS server on your local network to handle local name resolution only. Basically your internal DNS is set up to handle these local addresses and forwards requests for domains it doesn't know about in its local records to other DNS servers up the line.

Imagine how it is if you weren't running OS X Server. You would set up your router with the DNS servers provided by your ISP in its set up and then each client machine on the local network would have the local IP address of this router listed in Network Preferences on each machine for their DNS. In this set up every machine can reach any domain that has public DNS records configured somewhere on the internet. However no machine knows of any other machines on your local network other than by IP address or .local machine names (Bonjour).

So now, in your set up, you have installed OS X Server with an imaginary domain name in DNS linked to its local address, e.g. 127.0.0.1 for this machine, which will pass Apple's requirements as far as qualifying as a fully qualified name. This machine would also have the address you assigned during set up, e.g. 192.168.20 or whatever you chose.

On the DNS server on your OS X Server you set up machine/host names for each machine, printer etc on your local network. This is entered as a machine name and a matching IP for that piece of hardware. On this server machine you also open Network Preferences and enter the machine's IP, e.g. 192.168.0.20, as the first DNS entry, then add your router's address as the second IP address, e.g. 192.168.0.1, underneath and save. This lets the machine know that it is acting as a DNS Server for itself.

Now on each machine on your local network, in Network Preferences you set the local DNS server's IP first, e.g. 192.168.0.20, and your router address second, e.g. 192.168.0.1.

Now each machine can contact all services using the local imaginary domain names as set up in the local DNS server. Addresses not found in local DNS are passed on to the router, which again forwards them to your ISP's DNS servers and, if necessary, further up the line until resolved.

In your situation, using a DYNDNS service set up with a * (wildcard) entry in its external DNS records, you can't get a public fully qualified domain name using your publicly accessible domain name and you were forced to have it resolved on a local name only when setting up OS X Server. The result is that Open Directory knows nothing of users outside the local network. This probably explains why services that require a working Open Directory infrastructure only work for users on the local network (known about) and not the general public on the web (unknown). Like I said earlier I could be wrong but this theory seems logical to me.
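
The resolution path AUSMUG describes (OS X Server's local DNS, then the router, then the ISP, then public DNS) can be simulated offline. The following is an added example, not code from the thread or from Apple; the zone contents, the names home.lan and ricky.dyndns.example, and the addresses are constructed, and the wildcard matching is a simplified version of real DNS wildcard rules. It shows why an internal client resolves the server's local name while an external client cannot, and why the DynDNS wildcard answers for anything under that domain.

```python
# Constructed zones (not from the thread). Each resolver knows only its own
# records and forwards anything else, as the post describes:
# OS X Server DNS -> router -> ISP resolver -> public DNS.
LOCAL_ZONE = {"server.home.lan": "192.168.0.20"}   # exists on the local DNS only
PUBLIC_ZONE = {                                     # what the internet sees
    "ricky.dyndns.example": "203.0.113.10",
    "*.ricky.dyndns.example": "203.0.113.10",       # the DynDNS wildcard entry
}

def lookup(zone, name):
    """Exact match first, then the nearest enclosing wildcard (simplified)."""
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in zone:
            return zone[wildcard]
    return None

class Resolver:
    def __init__(self, label, zone, forwarder=None):
        self.label, self.zone, self.forwarder = label, zone, forwarder

    def resolve(self, name, trace=None):
        """Return (answer or None, labels of the resolvers consulted in order)."""
        trace = [] if trace is None else trace
        trace.append(self.label)
        answer = lookup(self.zone, name)
        if answer is not None or self.forwarder is None:
            return answer, trace
        return self.forwarder.resolve(name, trace)

PUBLIC_DNS = Resolver("public-dns", PUBLIC_ZONE)
ISP_DNS = Resolver("isp-dns", {}, PUBLIC_DNS)
ROUTER = Resolver("router", {}, ISP_DNS)                          # 192.168.0.1 in the post
OSX_SERVER_DNS = Resolver("osx-server-dns", LOCAL_ZONE, ROUTER)   # 192.168.0.20 in the post

def internal_client(name):
    """A LAN machine whose first DNS server is the OS X Server."""
    return OSX_SERVER_DNS.resolve(name)

def external_client(name):
    """A machine on the internet: it never sees the local zone."""
    return PUBLIC_DNS.resolve(name)
```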