Author Topic: Chapter 3: DNS, 1 Static IP Address & Port Mapping  (Read 5389 times)

C_Redmond

  • Newbie
  • *
  • Posts: 1
Chapter 3: DNS, 1 Static IP Address & Port Mapping
« on: December 01, 2013, 04:12:41 PM »
Just purchased your book today - only gotten through the first few chapters, but so far you have done a really good job of talking about the "little things" that only a person with OS X Server experience would know. It's those points that will save someone hours as opposed to other books.

I had a question: many small businesses that do purchase a static IP address for their OS X Server only acquire 1 and usually have their own routers in place. It's probably best to configure the router with the static IP and then port forward to the server. Maybe I'm missing it, but it seems like your DNS chapter doesn't really cover the scenario above. Maybe you can shed some light on this. Thanks


Reid Bundonis

  • Administrator
  • Full Member
  • *****
  • Posts: 107
Re: Chapter 3: DNS, 1 Static IP Address & Port Mapping
« Reply #1 on: December 02, 2013, 05:31:09 PM »
Thank you so much for your comments and congratulations on being the first to post to the forum!  I hope the remainder of the book will prove as useful.

Yes, you are correct that many small businesses will settle with 1 static address.  I will admit that we commonly will recommend that customers get a 5 block, just to protect against the potential for growth and new services.  Much the way we are now planning /23 subnets, we want to make sure that customers have the foundation for growth.  I've been burned on too many deployments when customers choose a single address and then say, "so I want to run Kerio, our web Server and a Rumpus server on these three machines."  Argh.  Port 80 on three internal devices with one public IP address... sunk.  And then there is the inevitable service interruption when the ISP comes in to give you a larger block.

So unless there is a significant financial punishment for a 5 block, we always steer customers in that direction.  The first address will be the router, leaving 4 dedicated NATs to be built.  Or, if they really grow, a combination of NAT and PAT.

And you are correct.  I will review the chapter.  In no way do I suggest running OS X Server configured with a public IP Address.  Those days are long gone.  OS X should be behind a firewall and access should be greatly restricted to only the ports needing public access.  By the way, as an aside, and something I discovered by accident... Caching Server will not run on a device not configured with a private address.

Again, thanks for the comments and I would appreciate any additional feedback.
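The "port 80 on three internal devices with one public IP address" problem in the reply above is easy to see on paper with a small planner. The script below is an added example, not code from the book or from any forum participant: it takes a public address block (first address reserved for the router, as the reply describes), assigns each internal host a dedicated 1:1 NAT address while addresses remain, and falls back to port forwarding on the router's address for the rest, reporting any service that would collide on an already-forwarded port. The hosts, services and the 203.0.113.0/24 addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (assumption): three internal hosts that each want to
# publish port 80, as in the "Kerio, web server and Rumpus" scenario above.
SERVICES = [
    ("kerio",  "192.168.1.10", 80),
    ("web",    "192.168.1.11", 80),
    ("rumpus", "192.168.1.12", 80),
    ("web",    "192.168.1.11", 443),
]
ONE_ADDRESS = ["203.0.113.1"]                              # a single static IP
FIVE_BLOCK = ["203.0.113.%d" % n for n in range(1, 6)]     # a /29 "5 block"


def plan_port_mapping(public_block, services):
    """Return (mappings, conflicts).

    mappings:  list of (public_ip, public_port, internal_ip, internal_port)
    conflicts: list of (service, internal_ip, port, public_ip) that cannot be
               published as-is because that public port is already forwarded.
    The first public address is reserved for the router; the remaining ones
    are handed out as dedicated 1:1 NAT addresses in first-seen host order.
    """
    router_ip, *nat_pool = public_block

    # Unique internal hosts, in the order they first appear.
    hosts = []
    for _, ip, _ in services:
        if ip not in hosts:
            hosts.append(ip)
    dedicated = dict(zip(hosts, nat_pool))   # 1:1 NAT while addresses last

    used_ports = defaultdict(set)            # public_ip -> ports already taken
    mappings, conflicts = [], []
    for name, ip, port in services:
        public_ip = dedicated.get(ip, router_ip)   # PAT on the router otherwise
        if port in used_ports[public_ip]:
            conflicts.append((name, ip, port, public_ip))
            continue
        used_ports[public_ip].add(port)
        mappings.append((public_ip, port, ip, port))
    return mappings, conflicts


def describe(public_block, services):
    """Human-readable summary of a plan."""
    mappings, conflicts = plan_port_mapping(public_block, services)
    lines = [f"{pub}:{pport} -> {ip}:{port}" for pub, pport, ip, port in mappings]
    lines += [f"CONFLICT: {name} ({ip}:{port}) cannot share {pub}:{port}"
              for name, ip, port, pub in conflicts]
    return "\n".join(lines)


if __name__ == "__main__":
    print("--- one public address ---")
    print(describe(ONE_ADDRESS, SERVICES))
    print("--- five block ---")
    print(describe(FIVE_BLOCK, SERVICES))
```

With a single address only the first port-80 service can be forwarded and the other two are reported as conflicts; with the 5 block each host gets its own public address and every service maps cleanly, which is the growth headroom the reply argues for.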

Henry28

  • Newbie
  • *
  • Posts: 2
Re: Chapter 3: DNS, 1 Static IP Address & Port Mapping
« Reply #2 on: April 25, 2014, 05:30:39 AM »
Hi,

first of all thank you very much for a really helpful book! I agree with the other users about how the level of detail and explanation fills exactly the gaps often found in other documentation.

Despite its age, let me hijack this thread as it seems to address my current question. We are planning to set up (our first) Mavericks server in a small business environment with a maybe somewhat typical setup: one fixed external IP address, a LANCOM small business router providing DHCP services and also running a DNS server.

The planned setup currently is to keep on using DHCP and DNS servers in the router. We plan to set up the router's DNS server with a subdomain of our (externally hosted) domain (e. g., office.example.com). FQHN of the Mavericks server would then be set to something like server.office.example.com and a corresponding record in the router's DNS server would point this name to the fixed internal IP address of the Mavericks server.

Do I understand your DNS chapter correctly that in this specific case the OS X server's DNS server is not required, hence does not need to be configured and activated? In this setup and without its "own" DNS server, will I still be able to run at least services like Caching Server, Profile Manager, and potentially RADIUS as well as Open Directory on the Mavericks server?

A short comment/advice is highly appreciated. Thanks and regards, Henry.

Reid Bundonis

  • Administrator
  • Full Member
  • *****
  • Posts: 107
Re: Chapter 3: DNS, 1 Static IP Address & Port Mapping
« Reply #3 on: April 25, 2014, 01:40:07 PM »
I am glad this is proving helpful!  Thanks for the comments.  So to your question:

"Do I understand your DNS chapter correctly that in this specific case the OS X server's DNS server is not required, hence does not need to be configured and activated? In this setup and without its "own" DNS server, will I still be able to run at least services like Caching Server, Profile Manager, and potentially RADIUS as well as Open Directory on the Mavericks server?"

Yes.  Absolutely.  DNS is a requirement, but DNS on OS X Server is not.  In most deployments that I do, there are Windows servers running DNS.  I use them.  OS X Server simply needs to be able to resolve its name and IP address to a DNS system.  This is the foundation for proper function of many services.

Now, Caching Server really needs nothing.  Love this service.  Just turn it on and you will wait until you are in the office to upgrade your devices :)

Profile Manager needs Open Directory.  Open Directory needs DNS.  So hence, by association, Profile Manager needs DNS.

And Radius...  Make sure you get an SSL cert.  I am upgrading my office to the Airport ac in a few months so I will be redoing my Radius config.

Bottom line is that DNS on the router should work as well as DNS on OS X.  So go for it.
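The requirement stated in this reply, that OS X Server "simply needs to be able to resolve its name and IP address", is a check you can run before turning on Open Directory or Profile Manager. The script below is an added example, not from the book or from any forum participant. It models the router-hosted DNS from Henry28's question with a constructed zone for office.example.com (the host names and 192.168.1.x addresses are assumptions) and verifies that the server's FQDN has an A record pointing at the expected address, that the address has a PTR record pointing back at the same name, and that the address is an RFC 1918 private one (the reply earlier in the thread notes that Caching Server will not run otherwise). A `check_live` helper runs the same logic against the resolver of the machine it is executed on.

```python
import ipaddress
import socket

# Constructed zone data (assumption): what the router's DNS server would answer
# for Henry28's office.example.com subdomain. Not real hosts.
FORWARD_RECORDS = {
    "server.office.example.com": "192.168.1.10",
    "nas.office.example.com":    "192.168.1.11",   # PTR deliberately missing
    "edge.office.example.com":   "203.0.113.5",    # deliberately not RFC 1918
}
REVERSE_RECORDS = {
    "192.168.1.10": "server.office.example.com",
    "203.0.113.5":  "edge.office.example.com",
}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if ip lies in one of the three RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def check_fqdn(fqdn, expected_ip, forward=FORWARD_RECORDS, reverse=REVERSE_RECORDS):
    """Return a list of problems; an empty list means the name is usable.

    forward maps name -> address (A records), reverse maps address -> name
    (PTR records). Both default to the constructed zone above.
    """
    problems = []
    if fqdn.count(".") < 2:
        problems.append(f"{fqdn!r} is not a fully qualified host name")
    ip = forward.get(fqdn)
    if ip is None:
        problems.append(f"no A record for {fqdn}")
        return problems                      # nothing further to check
    if ip != expected_ip:
        problems.append(f"A record for {fqdn} is {ip}, expected {expected_ip}")
    if not is_rfc1918(ip):
        problems.append(f"{ip} is not an RFC 1918 private address; Caching Server will not run")
    ptr = reverse.get(ip)
    if ptr is None:
        problems.append(f"no PTR record for {ip}")
    elif ptr != fqdn:
        problems.append(f"PTR for {ip} is {ptr}, not {fqdn}")
    return problems


def check_live(fqdn):
    """Run the same check against this machine's real resolver (needs network)."""
    try:
        ip = socket.gethostbyname(fqdn)
    except socket.gaierror as exc:
        return [f"forward lookup of {fqdn} failed: {exc}"]
    try:
        ptr, _aliases, _addrs = socket.gethostbyaddr(ip)
    except socket.herror as exc:
        return [f"reverse lookup of {ip} failed: {exc}"]
    # Feed the live answers to the offline logic as one-entry tables.
    return check_fqdn(fqdn, ip, {fqdn: ip}, {ip: ptr})


if __name__ == "__main__":
    for name, ip in [("server.office.example.com", "192.168.1.10"),
                     ("nas.office.example.com", "192.168.1.11"),
                     ("edge.office.example.com", "203.0.113.5"),
                     ("server", "192.168.1.10")]:
        result = check_fqdn(name, ip)
        print(f"{name:28} {'OK' if not result else '; '.join(result)}")
```

Only the first host passes; the others show the three failure modes that most often leave Open Directory "funky": a missing reverse record, a non-private address, and a bare host name instead of an FQDN.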

Henry28

  • Newbie
  • *
  • Posts: 2
Re: Chapter 3: DNS, 1 Static IP Address & Port Mapping
« Reply #4 on: April 28, 2014, 06:13:36 AM »
Thanks very much for the quick reply! Looking forward very much to trying this all out and see how it works in practice.

Speaking of starting the deployment: Looking forward to the second part of your book! Any current estimates on completion date? Sorry, but us readers out here become insatiable…  ;)

Reid Bundonis

  • Administrator
  • Full Member
  • *****
  • Posts: 107
Re: Chapter 3: DNS, 1 Static IP Address & Port Mapping
« Reply #5 on: April 28, 2014, 08:20:08 AM »
Thank you for the encouragement.  I would say it is 75% complete.  Apple is killing me on the Profile Manager service.  Every time I think I have it done, a new release changes everything.  I've set myself the task of getting the second one into Apple's hands before the end of May.  Once school ends, the summer gets busy for us.  So I am still moving forward.  It just feels like the target is moving so much.  Fingers are crossed that Apple is now stabilizing on features and they are looking to resolve issues with the next release, not create new ones.


anog

  • Newbie
  • *
  • Posts: 6
Re: Chapter 3: DNS, 1 Static IP Address & Port Mapping
« Reply #6 on: May 02, 2014, 06:16:25 PM »
Let's hope all the Apple changes are for the better.   :D

I like to think I might have had a small part in some of these.  It started when I wrote Tim Cook an email explaining that Server was in a bad shape and needed lots of love. I had heard that he reads all his email.

I never got a reply from Tim, but I did get an email from an engineer on the Server team wanting to know additional information.  I guess I was a bit surprised but happy to hear that they were listening.  Then I got to thinking "Why they care what I think?"  Many of my comments to them were related to the question, if this product was geared to a Small Business, it wasn't really designed for a Small Business in my opinion. Server to me seems like an Enterprise product with most of the features removed. That is a much different beast. It pains me to say it, but Microsoft WHS was a much better product than Server, and we know where that went.   >:(

My sense is Apple is not getting the good Server feedback from small businesses (and home users) that they hoped for, and sales are less than they had hoped, but I know nothing to confirm that. All I know is that I have years of server experience and I'm pretty technical, but I can't imagine most small business owners using this business without major problems.

So started my several-month back-and-forth with Apple, with them looking at all the issues I addressed and me sending them log files and config files and setup files and more log files.  You name it.  In Apple character, they haven't once told me they have actually fixed a problem or fixed a complaint I had, but the fact that they write me at least two or three times a week requesting a clarification or more log files tells me something is happening.  A few times I really didn't want to reproduce the problems I told them about because doing so would usually corrupt the server to the point where I had to reformat the disk and start from scratch reinstalling everything. This was a bit more commitment than I had the time for at the moment.

So I have my fingers crossed that Server is getting better.


Reid Bundonis

  • Administrator
  • Full Member
  • *****
  • Posts: 107
Re: Chapter 3: DNS, 1 Static IP Address & Port Mapping
« Reply #7 on: May 03, 2014, 08:55:59 AM »
Let's hope.  Apple does not realize what potential there is for developing a reliable and capable product for small business.

People don't want to be IT administrators on a day to day basis.  And the advances in the mobile platform demonstrate that products can just work with minimal user involvement.  In most cases, the iPhone is a product that works or is completely broken.  There is very little middle ground.  But with a Desktop/Laptop and a server, there is so much middle ground that it is overwhelming for most people.

While I will lament over the "loss" of features like Podcast server and Xgrid, I also realize that these technologies were never going to be used by the common business that needs file services and groupware.  So I can understand the reasons behind cutting the fat and streamlining the product.

But, in the streamlining of the product, Apple must make the surviving features work and work reliably.  When I hear the disappointment and frustration from users who have lost all users in OD or who have had mail services unexpectedly just outright fail, it pains me.  I have enough history in the product to know that OD (and NetInfo before it) were reliable services that were almost bullet proof.  Yes, the new features would have growing pains but the core functions just worked.  I mean come on... failure to create a replica in 10.7?  Inexcusable.

So yes, reach out to Apple.  Report bugs.  I try to spend a few days a month submitting bug reports to Apple.  Sure, many come back as duplicates.  But I know I am increasing the count related to that problem.  Plus, much like the attention you are getting, every now and again, Apple will reach out and actually fix something.

This recently happened with Xsan.  While I know this is not technically an Apple product (Xsan is really StorNext), Apple is distributing a subset and provides a very good product for environments that need massive shared storage.  Well, I had many customers stuck on 10.6.8 because Apple decided that saving Photoshop documents to the SAN volume was not an important feature.  So I went on a campaign when 10.8 started to seed.  I posted a bug report on every beta release through 10.8.3.  Finally I got the call.  I informed Apple that I had 8 Xsan deployments stuck on old Mac Pros and 10.6.8 who wanted to move to the New Mac Pro and the new Final Cut and the new OS.  But all this was impossible because the SAN volume would eat Photoshop files.  I was connected to an enterprise developer and the fix was implemented.  I am now selling Mac Pros at $10k each or more and my customers are thrilled to be on the latest of everything.

So keep it up.  While Apple makes the product, I feel that it is ours to govern and direct.  Back in the heyday of OS X Server 10.4 through 10.6, Apple had some very talented people working on the server staff.  It has all been cut back but there remains a dedicated (although overworked) core that is the caretaker of server.  I was very resistant when Apple made the changes but once again, they have shown me that they are ahead of their time.  Mavericks server is a good product that can fit in a 1 man shop all the way up to a 100,000 Fortune 500 company.  So I will keep it going strong.

Now if only Apple would fix SMBX...  Start reporting the bugs.




tcguru

  • Newbie
  • *
  • Posts: 2
Re: Chapter 3: DNS, 1 Static IP Address & Port Mapping
« Reply #8 on: May 28, 2014, 06:56:42 PM »
First, thanks also for your book. This time I really want to get organized.

Currently I have a mini-business (3 people involved plus others on an ad hoc basis) and a small budget so the server has to perform several functions. The current server is a Linux box that acts as a router for the LAN as well as a server for several (virtual) websites. It has two interfaces: one for the LAN, the other to a cable modem, all with static IPs. I was doing just fine reading your book until I came to Chapter 3.

My current setup doesn't have a DNS server; all the DNSing is done through our ISP service. nslookup gives a "Non-authoritative answer" to the address of computers on the LAN. The server address it gives is one of the ISP vendor's DNS servers. So I'm beginning to wonder if my new mini server is not going to work out even though it's smaller and presumably more efficient than the Linux box. Also, your comment: "So unless there is a significant financial punishment for a 5 block, we always steer customers in that direction.  The first address will be the router, leaving 4 dedication NATs to be built" leaves me partially calmed since we do have a 5 block, but your other comment that OS X should never face a public network (there's no firewall in OS X server?) makes me think that OS X server is far less capable than what's on our Linux box. That and the fact that I need to invoke some pfctl wizardry just to get it to NAT.

So do I also need to get a router that does local DNS between the cable modem, the OS X server and the LAN or can I kludge up some version of a local DNS server on the mini plus the other uses of the Linux box before pressing on to Chapter 4?

Reid Bundonis

  • Administrator
  • Full Member
  • *****
  • Posts: 107
Re: Chapter 3: DNS, 1 Static IP Address & Port Mapping
« Reply #9 on: May 28, 2014, 07:53:33 PM »
Welcome and thanks.  So I think I can provide some more insight into your situation.

First, it sounds like you are aiming to replace the Linux box.  If so, then in my opinion, a Mini and OS X is really not a great choice.  Yes, it can be done if you hack the plumbing and become a master of pfctl.  I am likely too lazy and have the good fortune of always having a better alternative.  However, if this is the route you need to go, I would suggest looking into IceFloor.  (http://www.hanynet.com/icefloor/).  This is a GUI that allows you to configure the mini as a router with NAT.

Now, the alternative might be to leave the Linux box in place.  If it is doing a good job and is not due for retirement, you can simply add the mini as a client of the network.  Then from there, you can define internal DNS and Mavericks Server will be happy.  DNS can be defined on either the Linux box (it uses BIND just like OS X) or on the mini.  Since it is the LAN, it can be anywhere.  The key is letting OS X Server know its name.  Without it, services will get funky.

It is also worth pointing out that you can even just run Apple's DNS and have the server point to itself.  If you are not pointing clients to it, that may not matter in your organization.  DNS is critical for the proper function of Open Directory and Profile Manager as well as client integration and single sign on.  If these are not your goals, then distributing the DNS to clients may not make sense.

I guess the question comes down to what role do you want the mini Server to play on your network.  Which services do you plan on using?  And how do you envision your clients (internal and external) interacting with the server?

Keep the discussion going.

Francesco DellaPorta

  • Newbie
  • *
  • Posts: 14
Re: Chapter 3: DNS, 1 Static IP Address & Port Mapping
« Reply #10 on: May 29, 2014, 05:24:08 AM »
Dear forumadmin, dear tcguru
Let me please add something to the discussion...

There is a third alternative to the two proposed by forumadmin, which are NAT on OS X (master of pfctl) or leaving the Linux box in place (NAT on Linux). The third alternative would be: NAT on a router between the cable modem and the LAN. Minimal changes and simple configuration are the goal here.

We work on the assumptions/requirements that imply:
  • removal of the Linux box (@tcguru, please describe why you would need to do that?)
  • adding a router, eventually a new Airport Extreme manageable from the Server.app
  • OS X Server running with minimal DNS configuration (nslookup to the Server only would give an authoritative answer)
  • hosting the several (non-virtual) websites on OS X Server (@tcguru, please check if OS X Server fulfills your requirements)
  • starting additional services on OS X Server (Quoting forumadmin: "what role do you want the mini Server to play on your network?")
Keep your discussion going...

tcguru

  • Newbie
  • *
  • Posts: 2
Re: Chapter 3: DNS, 1 Static IP Address & Port Mapping
« Reply #11 on: May 29, 2014, 06:14:48 PM »
Here's my motivation for trying the Mavericks server. It's basically frustration with the dysfunctional upgrade process of SuSE Linux; every time I finally opt to upgrade, all my settings for the network, apache2, mysql, squid, firewall, etc. get trashed and I have to spend a day (or days) tracking down and fixing whatever was broken. So I figured that, since I never have had a major problem upgrading OS X on our Macs, why not try Mavericks server even though it's almost double the cost of the Linux box. Then I could use the Linux box as the failover server in case the Mini-server crashed -- without buying a duplicate mini. This way I could enjoy the seamless updates (?) of OS X and avoid the Linuxangst.

Right now I'm running the network and websites with the Linux box while I sort out the options and alternatives for Maverick server. I'm also assuming/hoping that my configuration scripts for apache, PHP and MySQL databases will work on the OS X version. They have worked in my tests using MAMP on one of the Macs on the LAN.

Many thanks for all your good advice, Reid and Francesco. Certainly by next year at this time I'll have it all sorted out, unless Apple throws a curve on June 3rd. ;)

Francesco DellaPorta

  • Newbie
  • *
  • Posts: 14
Re: Chapter 3: DNS, 1 Static IP Address & Port Mapping
« Reply #12 on: May 31, 2014, 03:55:11 AM »
Thanks for replying, tcguru

So the SuSE Linux upgrade seems too cumbersome to deal with. It might be. Even though Apple strives for simplicity, an OS X Server upgrade may also show its hiccups. Anyway, it really looks like switching from a Linux box to a Mac mini fits your needs. Using the Linux box as the failover server implies that you keep it up-to-date. Although the OS X Server is a perfect match for running Apache with PHP, it still requires some out-of-the-box thinking for MySQL databases. Moving from MAMP trials to a full-fledged OS X Server's Websites deployment comes with some measures. Check this out: https://discussions.apple.com/thread/5579232

Here are my proposals for your case:
  • Use NAT on a router between the cable modem and the LAN
  • Keep your Linux box, but downgrade it to that router
  • Deploy Mac mini Server with minimal DNS configuration
  • Install MySQL for Mac OS X Server
  • Migrate your webpages to the Mac mini Server
  • Start Websites service on OS X Server
  • Cross your fingers and enjoy the Mavericks Server
Furthermore, better than assuming/hoping that your configuration scripts for apache, PHP and MySQL databases will work on the OS X Server would be to test them thoroughly beforehand. Also try to keep the SuSE Linux software up-to-date in case of server failover.