Author Topic: Need a little Help Setting up server

Nick Tappe

  • Newbie
  • Posts: 2
Need a little Help Setting up server
« on: December 06, 2015, 05:09:21 AM »
Hey Reid, just got your book yesterday and I am really loving it! I have a server that has been in use for a few years now.  It was previously running 10.6.8 Server but now I upgraded it to 10.11.1 Server. I don't believe I ever really set it up properly in the first place when it was running 10.6.8, but I set it up enough to work for what we needed it for, which was a FileMaker server. Well, now after upgrading it I am interested in getting it set up the proper way, so I started doing some research and came across your books. I have my SSL certificate installed. I have been following your steps on setting up the DNS and have a couple of questions as to how best to hook it up.

So I'm running a 2008 Mac Pro with El Capitan Server.  I am using both ethernet ports on the back, both going to the switch, but I set up a VLAN on the switch with Ethernet 1 going to our LAN and Ethernet 2 going to a business class cable modem, both set up with a static IP (with Ethernet 2 being a static WAN IP).  On the LAN is a wifi router that also goes to the business class cable modem to get internet for the rest of the LAN. So essentially the server is connected directly to the LAN and WAN using each ethernet port.  I don't know if that's how it is supposed to be, but that's how I set it up before and got it working.  But now I am wanting to set it up properly and maybe have the server do a little more than just serve our FileMaker files.  While reading your book, you are only setting up one ethernet port using an IP that I assume is a LAN IP, but I am not sure.  I don't really know which Ethernet port I need to be setting up DNS on.  I currently have it set up on the LAN (Ethernet 1).

When I run nslookup I am getting:

Server:   127.0.0.1
Address:   127.0.0.1#53

That's different from what you were getting, which was your server's actual IP address, not the localhost IP.  The name and address were both coming up properly though. Even when I edited the host name and chose Ethernet 2 I still got the same results as above. I don't know what's all mucked up. Everything was probably set up out of order originally, but I am trying to get things back on track and trying to figure out what's the best way to set this thing up.

Side Note:
FileMaker Server uses ports 80 and 443 by default and complains about the ports not being available when trying to install it on the server.  I did see that part in your book about commenting out ports 80 and 443.  I did that and installed FileMaker Server on those ports, but if I am wanting to run other Mac Server stuff shouldn't I leave that alone and run FileMaker Server on different ports? Or should I multihome the ethernet connection? I guess I don't really need the Apple web interface though.

What's your recommendation for my setup? Let me know if you need any more info on it.

Thanks for any help you can provide. It's greatly appreciated! Can't wait to get through this book and get one of your other ones!

Reid Bundonis

  • Administrator
  • Full Member
  • Posts: 107
Re: Need a little Help Setting up server
« Reply #1 on: December 06, 2015, 07:26:01 AM »
Nick,

Thanks for the kind words.  I am glad the book is helping with your deployment.

Before we go on, I will caution that it sounds like you are working on a production system.  Make sure you have a backup.  Be thoughtful about your alterations.  And, despite the fact that your system is not set up as I recommend, it has gotten you this far.  If the machine's primary function is FileMaker, then many of the rules go out the window.  It would be the same as using a server class system for only Rumpus or only Kerio.  While it might be good to set a proper foundation for the possibilities of the future, these third party tools can run mostly in isolation.

Also, regarding FileMaker.  Ports 80 and 443 are only required if you are using the web publishing engine.  So while the installer will yell at you, if you are not using that part of the product, you generally can ignore the message.  As long as you can reach the admin pages you should be fine.

Ok, so let me focus on dual ethernet, DNS, and network setup.

Dual Ethernet:  You describe the Mac Pro as having a public and a private address.  Eth 1 has a LAN address and I assume it is the primary interface when looking at the Network Preference panel (in other words it is at the top of the list).  Eth 2 is set up with a WAN address.  Ok, so some questions.

• Is this server accessible by its public IP address?
• Are you using a firewall to protect and prevent access to the server from the public IP?  Back in 10.6 Server it was relatively easy to implement the NAT feature allowing the server to act as a router.  In 10.11 these features are a bit more obscure.
• Does the server really need to have a public address?  How do your users interact with the server when they are not in the office?  Do you have a traditional firewall/network gateway?

Now the next statement is clearly my bias.  I am not a fan of using OS X as a firewall/router/gateway.  Even in the 10.6 days when it was generally as easy as enabling the NAT service, I would always insist on a true firewall product and then safely deploy server behind the firewall.  This would allow me to selectively port forward to the server if needed and then implement a remote access policy involving VPN.  In our world today there are too many network scanners (open up SSH and count the minutes before you are actively being brute forced with a dictionary attack), vulnerability attacks, and software flaws that can expose your business data.  While no system is 100% secure, the right perimeter security approach can limit your exposure and provide alerts should active attacks occur.

So, what to do with the dual ethernet.  I agree that if it is there, don't waste it.  But as mentioned above, I am not a fan of using the system as a router.  Instead, if the environment demands, I would aggregate the ports to double bandwidth.  That may be overkill in your environment.  Instead, you can make two LAN connections (effectively multihoming across multiple physical connections).  By making the two connections, you can make the primary address the one for all of OS X's services and then use the second for all other services.  (As a side note, the 1.3 release of Foundation Services adds a section on multihoming; it will be released when Apple drops 10.11.2, which I think will happen this week.)

Next is DNS:  I am a bit of a fanatic when it comes to DNS.  I will admit that I get a little too passionate in my opinion of DNS.  I truly believe after all these years building servers that DNS is the key to success.  So your results may not be bad.  If this is an upgrade from 10.6, the presence of the localhost address is easily explained.  To confirm my suspicions, open System Preferences > Network.  Take a look at the DNS settings for your primary network interface (the one at the top of the list).  Is the first DNS server address listed as 127.0.0.1?

127.0.0.1 is the localhost address.  This was a trick that Apple used to pull on a server installation.  Since DNS is a locally running process, the use of the loopback address meant that no routing or link status was required to resolve names to DNS.  If you are getting proper answers to your DNS questions, (for example if nslookup host.domain.tld is returning the proper IP address and nslookup <ip_address> is returning the proper hostname), then DNS is working.  If the reported DNS server is 127.0.0.1 it is because your Network interface lists the loopback address instead of the actual LAN address of the server.  Once again, this is something I dislike because I've seen it cause confusion.  But technically it is functional.

Quote
I don't really know which Ethernet port I need to be setting up DNS on.  I currently have it set up on the LAN (Ethernet 1).

Yes.  The LAN interface.  If you continue to bridge the device, the WAN port will be satisfied by a public DNS server hosted by your domain registrar.  You should not be trying to host a public DNS server.  Not worth the effort.

The idea of DNS on the LAN is to ensure the smooth transition of mobile clients.  This is so much more important today with the growing number of mobile devices.  Here is a simple example.  You are running a mail server on your LAN.  You want to name the server mail.domain.tld and this name must exist on both the LAN and WAN nodes.  If it does not, then your users will need to alter client configuration each time they move from LAN to WAN and back again.  This is too much work.  By keeping the name the same, client devices simply use DNS to route to the appropriate path.  If on the LAN, the LAN DNS says go to this private address.  When on the WAN, a WAN DNS says go to this public address and then your port forwarding rules take over and translate to the server.

The Network:  You mention the server is acting as a router by being bridged to the ISP router.  But the WiFi router is also.  With a business router I assume you have multiple public addresses.  Since you state that both the WiFi device and the server have public addresses, I will assume the modem is in bridge mode.  So my question is, does anyone other than the server use its public route?  If you went to any client device on the network and looked at its network stack (likely handed out via DHCP), do you see the server's LAN address in the router field?  I will guess not.  Based on your description of the network topology I will bet the LAN address of the WiFi router is what is listed and it is acting as the default route.  If this is the case, then the server's connection to the public may be an unnecessary connection unless external clients are routing directly to it using its public address.

Quote
What's your recommendation for my setup?

Whatever keeps your business running  :) 

Here are some questions for you to ask yourself.  What services am I running now?  What functionality am I missing that I want to deliver to my environment?  Am I as secure as I can be?  How well am I providing access to my users regardless of their location?  Am I securing the remote access of my users to prevent exposure of data?

If this server is just doing FileMaker and in your wildest dreams you can't foresee the need for additional services, then you could even ditch server and just use FileMaker on a client system.  But I suspect you are running more services.

Anything you do, take small steps and allow time to validate.  Even with the public connection of the server.  I suspect (unless users are accessing via its public address) that this connection is generally unused.  If this is the case, simply unplug the ethernet cable, leaving all configuration in place, and see if anyone screams.  If nothing changes, then that connection is extraneous and likely just a security concern.

Let's start there.  I hope the rest of the book rounds out your thinking and approach to your foundation services.  If the book(s) is/are helpful, please leave feedback and a review in the iBooks Store.  Let me know your thoughts on the topics raised above.  Don't post any public IP information about your environment.  ;)



Nick Tappe

  • Newbie
  • Posts: 2
Re: Need a little Help Setting up server
« Reply #2 on: December 06, 2015, 10:52:06 PM »
Thanks for the quick reply! Sorry I have been busy all day and haven't really been on a computer most of the day.

I do have a backup of the previous server state when it was on 10.6.8 but I have not made a backup of the current state with it being on 10.11.1.  I figured if something happened I would just restore back to 10.6.8 but I will be making a backup of the server once I get everything working how I want it to work.

The installer for FileMaker Server gives you the option to install it on any port; the values default to 80 and 443 but you can change them.  One problem I had: when I installed FileMaker on ports 81 and 444 I could not get the ports open to allow access to them over the WAN.  We will be using the web publishing from inside and outside the network.  I have added a new rule to the Access tab in the Server.app but the ports are still not open.  I don't have the Firewall enabled in System Preferences and the Business Gateway has its firewall disabled, so all ports are open all the way to the server.  One thing I did notice after upgrading is that the Server.app doesn't have a Firewall option like 10.6.8 Server did.  It seems as if the rules I had configured in there previously are still open, but I don't know where to go to open further ports and don't see where the current open ports are configured.  I remember when I set up 10.6.8 Server I had to open the ports FileMaker uses for remote connections and administration.  Those ports are still open as far as I can tell.  I ran a port scan and I can see all the ports open.  No matter what I did I could not get ports 81 and 444 to open up on the server.

Quote
• Is this server accessible by its public IP address?

Yes, the server is accessible from the public IP address.

Quote
• Are you using a firewall to protect and prevent access to the server from the public IP?  Back in 10.6 Server it was relatively easy to implement the NAT feature allowing the server to act as a router.  In 10.11 these features are a bit more obscure.

If the only firewall on the system is the one in System Preferences under Security & Privacy, then no, the firewall is currently not active. I was having a hard enough time trying to get ports 81 and 444 open for FileMaker Server.  Currently I do not have FileMaker Server installed because I was changing the ports around from 81/444 to 80/443, but I will be installing it back on there tonight because we will need to use it this week for work. I couldn't get port 81 open, so I figured out how to comment out the listen ports using your book and installed FileMaker Server on port 80; then I was able to access it over the internet.

Quote
• Does the server really need to have a public address?  How do your users interact with the server when they are not in the office?  Do you have a traditional firewall/network gateway?

Well, it doesn't absolutely need to have a public address, I guess. When we signed up for our internet about 8 years ago I told them we needed static IPs, so we had to get a group of 5 static IPs from them.  I currently only use two static IPs, one for the router on the network and one for the server.  We have an external sales person who needs to access FileMaker and stuff while out and about.  And I access the server remotely quite a bit from home because I can't do everything that I want to it while I am at work.  The only firewall/gateway is the wifi router that provides internet to the entire LAN over ethernet and obviously wifi.

Quote
I am not a fan of using OS X as a firewall/router/gateway.

I'm not either.  I'm like you; I delegate those tasks to hardware made for the task, which for us is a decent wifi router.  We don't need a stand-alone firewall or anything.  Our network is rather small; it consists of 8 computers in total, most of them plugged in via ethernet to the switch, but a couple use wifi.

Quote
So, what to do with the dual ethernet.

My switch does not have the ability to aggregate ports.  My thought originally, I guess, was one port for local traffic and one port for internet traffic.  This way each has its own port to get the max bandwidth possible for each service.  But it also means that my server is more exposed to the WWW than if it were fully behind my router.  I do understand that I can edit the VLAN on the switch so both ports are on the LAN and the only way out to the world is through the router, which I can configure ports on and such to forward properly.  But as I said above, I have been struggling to open ports on the server as it is; hopefully I can get that figured out.  I do remember the first time I launched the Server.app it said something about the computer having two something.  That might have been two sets of rules for the firewall or something, I don't really remember; it made me think something from 10.6.8 might have been carried over but the server can't do anything about it.  If it comes down to it I will completely restore the server and start it from scratch, but if I can avoid that I will try.

Quote
Next is DNS:  I am a bit of a fanatic when it comes to DNS.  I will admit that I get a little too passionate in my opinion of DNS.

Nooooo, not you, I couldn't tell at all from reading your book haha.  Yea, I could tell by reading the DNS section that you are really passionate towards DNS.  It almost seemed if you could marry DNS you would haha...

Quote
To confirm my suspicions, open System Preferences > Network.  Take a look at the DNS settings for your primary network interface (the one at the top of the list).  Is the first DNS server address listed as 127.0.0.1?

Yup, the first DNS server listed was 127.0.0.1. I deleted it, so I just have my server's IP and then the router's IP, which has the DNS for the external world.  Now when I run nslookup it looks exactly as it does in your book, other than the fact that my IP and hostname are different.

Quote
Yes.  The LAN interface.  If you continue to bridge the device, the WAN port will be satisfied by a public DNS server hosted by your domain registrar.  You should not be trying to host a public DNS server.  Not worth the effort.

Not trying to bridge anything and I am sure not trying to host a public DNS server.  All public DNS needs goes to GoDaddy.  ;)

Quote
The Network:  You mention the server is acting as a router by being bridged to the ISP router.

I'm not using the server as a router.  Sorry if I said something to make you think that.  The server and our wifi router are both connected to the Business Gateway and both devices have a static IP that I manually assigned to them.  But the router is doing just what it is supposed to do; it's routing LAN to WAN and is the only device routing traffic this way.  All client devices currently use the router's IP for DNS, but I assume I can set them up to use my server as the primary DNS and then the router as the secondary, so I can set up local DNS routes from within the local network.  I am still learning about DNS and don't fully understand it yet, but I know much more about it than I did a few years ago.

Quote
Here are some questions for you to ask yourself.  What services am I running now?  What functionality am I missing that I want to deliver to my environment?  Am I as secure as I can be?  How well am I providing access to my users regardless of their location?  Am I securing the remote access of my users to prevent exposure of data?

These are all excellent questions and I have a long way to go still on my path to learning all about setting up Mac servers "properly".  I will definitely take all these into consideration.

The server right now is mainly used as a FileMaker Server, I know I want to configure it to do more but I have yet to determine what else I want it to do.  Still learning more about servers and what all services they provide.  I know by reading your books I will have a better understanding of Mac servers and can't wait to get things up and going properly.

I guess by installing FileMaker Server on ports 81 and 444 it is technically a little more secure, as you would have to type in the port number in the address bar to get to the WebDirect side of FileMaker Server.  But I can't get them to open up properly, so I guess I will just use ports 80 and 444 by commenting them out of the apache_serviceproxy.conf file for now.

Reid Bundonis

  • Administrator
  • Full Member
  • Posts: 107
Re: Need a little Help Setting up server
« Reply #3 on: December 09, 2015, 08:58:09 PM »
Sorry for the slow reply   :o  Been one of those weeks...

Quote
I ran a port scan and I can see all the ports open.  No matter what I did I could not get ports 81 and 444 to open up on the server.

Did you run the port scan from the LAN or the WAN?  If you are able to hit these on the LAN but not the WAN, then something is still acting as a firewall.  Try running this command on the server:

Code:
/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate

I would expect to see "Firewall is disabled. (State = 0)"

Then for good measure, try:

Code:
/usr/libexec/ApplicationFirewall/socketfilterfw --getblockall

Once again I would expect "Block all DISABLED!"

On the Access tab of Server.app, is your Default User Access and Default Network Access set to All users and All networks?  If so, are all the ports listed set to All Networks (excluding caching server)?  If so, I would agree that you likely do not have the software firewall enabled.  So that leads to:

Quote
If the only firewall on the system is the one in System Preferences under Security & Privacy, then no, the firewall is currently not active. I was having a hard enough time trying to get ports 81 and 444 open for FileMaker Server.  Currently I do not have FileMaker Server installed because I was changing the ports around from 81/444 to 80/443, but I will be installing it back on there tonight because we will need to use it this week for work. I couldn't get port 81 open, so I figured out how to comment out the listen ports using your book and installed FileMaker Server on port 80; then I was able to access it over the internet.

I am wondering if you are using that route to the server.  In my mind I picture an ISP provided router with a WAN port (connected to the coax or ethernet) going into the router.  This gives the router a public address of 17.18.19.20 (example) that you or the ISP fixed on the device.  In fact, if you asked for 5 public addresses then the ISP's router is listening for all those addresses.  The only way for you to get the server to pick up one of those addresses would be to put a switch between the feed and the ISP provided router.  Then you can assign fixed public addresses to multiple devices.

So here is another question.  Let's say your two public addresses are 17.18.19.20 and 17.18.19.21 (the others are 22, 23, and 24 and they are not yet used).  Which address do you hit the server with from the outside?  And if you think you are hitting the server, I suspect you are actually hitting the router and there are port forwards enabled.

I think I am speaking in circles here.  My head is going faster than my hands.  If the topology is like this:



Then what is the ???? port configured as?  A secondary WAN port or is it part of the LAN?  If part of the LAN then you are not routing direct to the server.  If a secondary WAN then the firewall on the router must be active. 

By way of testing, disconnect the secondary ethernet on the server while the port 80 trick is in play.  If you are able to hit the server while off your LAN, then you are routing through the primary WAN port.

Quote
Well, it doesn't absolutely need to have a public address, I guess. When we signed up for our internet about 8 years ago I told them we needed static IPs, so we had to get a group of 5 static IPs from them.  I currently only use two static IPs, one for the router on the network and one for the server.  We have an external sales person who needs to access FileMaker and stuff while out and about.  And I access the server remotely quite a bit from home because I can't do everything that I want to it while I am at work.  The only firewall/gateway is the wifi router that provides internet to the entire LAN over ethernet and obviously wifi.

I will admit I am getting chills thinking about a server being placed on a public address with no firewall.  While Apple does a good job locking systems down, ports are still active. 

Hmm, now I am rethinking my topology sketch.  You say the wifi router is the firewall gateway?  Did the ISP set their device to bridge mode?  Above you mention the business gateway has the firewall disabled.  Did you mean it is in bridge mode allowing you to define static addressing further down the line? 

I will admit, I am having a hard time wrapping my head around your network setup.  If the ISP router is in bridge mode, then the server, at the second address, should be wide open, assuming you have no software firewall.  However, if it is not in bridge mode, then I suspect the second connection is not routing.  (Another test would be to disconnect the server from your LAN and try to browse the internet.  The secondary port will flip to primary, making it the default route.)

I am going to let you provide some answers.  I believe you can simplify your topology and possibly implement some better security.  If 80 and 443 are coming inbound then there is a device that is granting that port forward.  If 81 and 444 are not coming in, then the same device is not letting those ports pass.

Quote
It almost seemed if you could marry DNS you would haha...

I won't go that far but DNS is a critical service and proper setup solves many odd issues.

Quote
The server right now is mainly used as a FileMaker Server, I know I want to configure it to do more but I have yet to determine what else I want it to do.  Still learning more about servers and what all services they provide.  I know by reading your books I will have a better understanding of Mac servers and can't wait to get things up and going properly.

I guess by installing FileMaker Server on ports 81 and 444 it is technically a little more secure, as you would have to type in the port number in the address bar to get to the WebDirect side of FileMaker Server.  But I can't get them to open up properly, so I guess I will just use ports 80 and 444 by commenting them out of the apache_serviceproxy.conf file for now.

Nice!  Just did the same earlier in the week to get a Rumpus server back on line.

Again, I apologize for the delay.  The rest of the week (fingers crossed) should be better.
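The checks Reid describes in Reply #1 (nslookup answering from 127.0.0.1 because the loopback address is first in the interface's DNS list, and forward and reverse lookups agreeing) and in Reply #3 (the two socketfilterfw states, and scanning the ports from the LAN and then from the WAN) can be scripted so the same test is repeated from each vantage point. The script below is an added example, not code from the thread or from the book. It assumes an OS X server with the stock dig and nc tools; server.example.com and 192.0.2.10 are placeholders for the server's own LAN name and address.

```shell
#!/bin/sh
# Added example (not from the thread or the book): sanity checks for the points
# raised above -- is nslookup answering from 127.0.0.1, do forward and reverse
# DNS agree, is the OS X application firewall really off, and does a TCP port
# answer from wherever this is run. Hostname, address and ports are placeholders.

# Return 0 when an nslookup transcript (read from stdin) reports 127.0.0.1 as
# the server that answered, i.e. the loopback address is listed first in the
# primary interface's DNS settings. Any other server address returns 1.
resolver_is_loopback() {
    awk '/^Server:/ { if ($2 == "127.0.0.1") found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# Return 0 when a forward answer (name -> address) and a reverse answer
# (address -> name) describe the same host. Arguments:
#   hostname expected_ip forward_answer reverse_answer
# Reverse answers from dig carry a trailing dot, which is stripped first.
forward_reverse_agree() {
    host=$1; ip=$2; fwd=$3; rev=${4%.}
    [ "$fwd" = "$ip" ] && [ "$rev" = "$host" ]
}

# Ask the live resolver for both answers and run the comparison above.
check_host_dns() {
    host=$1; ip=$2
    fwd=$(dig +short A "$host" | head -n 1)
    rev=$(dig +short -x "$ip" | head -n 1)
    forward_reverse_agree "$host" "$ip" "$fwd" "$rev"
}

# Return 0 when socketfilterfw output (stdin) says the firewall, or the
# block-all setting, is disabled. Matches both
# "Firewall is disabled. (State = 0)" and "Block all DISABLED!".
firewall_off() {
    grep -qi 'disabled'
}

# Return 0 when a TCP connect to host:port succeeds within 3 seconds.
# Run it from a LAN client and again from outside: a port that answers on the
# LAN but not from the WAN is being filtered by a device in between.
port_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

main() {
    srv=server.example.com   # placeholder: the server's LAN hostname
    ip=192.0.2.10            # placeholder: the server's LAN address
    if nslookup "$srv" | resolver_is_loopback; then
        echo "nslookup answered from 127.0.0.1: loopback is first in the DNS list"
    fi
    if check_host_dns "$srv" "$ip"; then
        echo "forward and reverse DNS agree for $srv / $ip"
    else
        echo "forward/reverse DNS mismatch for $srv / $ip"
    fi
    fw=/usr/libexec/ApplicationFirewall/socketfilterfw
    "$fw" --getglobalstate | firewall_off || echo "application firewall is ON"
    "$fw" --getblockall    | firewall_off || echo "block-all is ON"
    # 80/443 are what FileMaker wants by default; 81/444 are the alternates tried above.
    for p in 80 443 81 444; do
        if port_open "$srv" "$p"; then
            echo "tcp/$p open"
        else
            echo "tcp/$p closed or filtered"
        fi
    done
}

# Only run the live checks when asked, so the functions can be sourced alone.
if [ "${RUN_CHECKS:-0}" = 1 ]; then
    main
fi
```

Run it on the server with RUN_CHECKS=1 sh dns_fw_check.sh, then run the port loop again from a machine outside the LAN (with the public name or address in place of srv). Ports that answer inside but not outside are being passed or dropped by whatever sits between, which is exactly the router-versus-bridge question the reply is trying to settle.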