Author Topic: SSL Certificates with firewall  (Read 1481 times)

urban420

  • Newbie
  • Posts: 11
SSL Certificates with firewall
« on: April 28, 2015, 10:54:07 PM »
It's been way too long since I have posted but I think that is because your books have been so great that everything just works. Seriously, I read a few other books and nothing was as dead simple and easy to understand as your writing and the way you walk through stuff.

I have a couple of issues I am working on but I can't seem to completely wrap my mind around.

The first thing is that I want to do is to make some of my network users mobile users. I think you talked about this briefly in one of the books, but I am having trouble locating where it was. So if I have a network user and I want to change them to a mobile user is it really as simple as outlined in this article:

https://support.apple.com/kb/PH14265?locale=en_US

My network users have local home folders and I don't want to use any type of sync services, I just want to allow users to log on to a specific machine without being connected to the network. Seems simple enough, but maybe I am missing something that is supposed to be done on the actual server?

My second, possibly more complicated issue is that when I set up our server I did so with an SSL following your book. Everything worked, no problems and the world is wonderful.

At the same time I installed our server I purchased a new Sonicwall TZ 215. I'm not overly Sonicwall savvy so I work with a company that set it up and manages it for us. Really they just help me when changes are needed, but they did the original configuration. We liked the idea of the SSL VPN so we use that for remote access. When they originally set up the firewall they did not install a 3rd party SSL but rather used a self signed certificate. There are only two of us that use it so it has never been an issue.

Fast forward a year and now I am thinking that SSL certs are so cheap I should just install one for the firewall. I will also likely need it in place for PCI compliance as they are starting to fail merchants for using self signed certs. Keep in mind we don't host our website on our server and we are not currently using it as our mail server. Right now it is purely for basic server functionality.

So here are my questions:

- I have an SSL installed on our server. The SSL is set up with the server's name - server.domain.com. The server sits behind the firewall with no public IP.

- I need to install an SSL on our firewall that has a public static IP address.

It seems like I am going to run into problems but I am not sure why. I guess I am trying to understand why there is even a need for an SSL on the server in the first place when it does not have an external IP. Plus, how does it validate without a public IP address? Or does it even matter?

Long story short, if I install a SSL cert on the firewall (named firewall.domain.com) that has a public IP will this cause me any issues?

I kind of feel like maybe it really is not as complicated as I am making it out to be, so I had to ask the question.

Again, thanks for the books because I can say that while I still have not completely harnessed everything that OS X Server has to offer, I'm not afraid to try things that I would otherwise never touch. Our network is solid and I rarely have to deal with any problems. It just runs like it should and I feel that that is due in large part to being set up correctly thanks to the wealth of info you shared in your books. I tell anyone that asks about switching to an OS X Server to go buy your book.

Thanks again.

Reid Bundonis

  • Administrator
  • Full Member
  • Posts: 107
Re: SSL Certificates with firewall
« Reply #1 on: April 29, 2015, 05:54:22 PM »
Great!  I am so glad to get the good feedback.  Let's see if I can help you out.

Converting local to mobile
I have always found that KBase article (https://support.apple.com/en-us/HT202506) too complicated.  I prefer a simpler method.  And you are correct.  I detailed this in “Migrating Accounts From Local To Domain” on page 99 of the “Mavericks Server – Control and Collaboration”.  But this is for local accounts that you want to move to domain accounts.

Sounds like you have network accounts but you do not yet have mobility enabled to allow the caching of the account.  There are two solutions for this.  Either you use MCX and the Mobility payload (this is for legacy systems 10.8 and before) or you use Profile Manager and use the Mobility payload to define the mobile account.  The basics here are that the device is bound to the domain (for account visibility) and that you deliver a config profile or MCX for the mobility payload. 

I will address the second part later today.

urban420
Re: SSL Certificates with firewall
« Reply #2 on: April 29, 2015, 07:24:11 PM »
Thanks for the reply. I was reading in the scenarios of the control and collaboration book about creating a managed mobile user, but how would you handle situations where the users are already local network users, but need to be "promoted" to mobile users? (Edit to add: For example, these users have been using a MacBook on the network for a year but now we are going to allow the MacBooks to be taken out of the office. They were also already set up with a local home folder on the machine.) Maybe I am missing something, or maybe it is just because I fear that I've gone too far and backtracking may be in order to do things correctly.

The other problem I am wondering about is where you talk about not mixing MCX and Profile Manager. Can you expand a little on that? I have workgroup manager installed but I don't think it was ever really used for anything. If I remember correctly I attempted to use it when I ran into some issues with creating local home folders for users, but I am not sure it was what fixed the problem. This might sound like a strange question but is there a way to tell if MCX has a hand in the way things are running?

Thanks.
« Last Edit: April 29, 2015, 09:16:53 PM by urban420 »

Reid Bundonis
Re: SSL Certificates with firewall
« Reply #3 on: April 30, 2015, 04:42:07 PM »
Ok, Catching up to the first post.  Sorry.  Busy day.

SSL Certificates

Single Site Certificates are designed to protect single servers with a single host name.  For example, if your server's fully qualified host name is server.urban420.com you will purchase a certificate matching that URL.  Now, once you have another server or device (SonicWall) you will really want to get another cert and address that device by a unique name.  The reason for this is that while the OS X Server is not accessed externally now, it may be at some point in the future.  If you use the cert for both devices, you might run into some trouble.  However, to be honest, you likely could get away with it if you used one IP address and then port forwarding.  From the outside world, the address server.urban420.com would terminate at your public address so the SonicWall can respond to ports and services that it is controlling.  Then when you hit a service that needs to be port forwarded, you will route to the OS X Server and it will reply on the same host name.  In theory, it might work.

- I need to install an SSL on our firewall that has a public static IP address.

Again, you might be able to reuse the cert on both devices.  But as you said, the cost is so low it may make sense to get a unique cert for the SonicWall.  Plus, if you do this, then the public URL could be vpn.urban420.com instead of using the name of a LAN resource (your server).

It seems like I am going to run into problems but I am not sure why. I guess I am trying to understand why there is even a need for an SSL on the server in the first place when it does not have an external IP. Plus, how does it validate without a public IP address? Or does it even matter

Many server deployments never need an SSL cert.  I generally install it on most deployments because customers always say they want the server to do a, b and c.  Then 12 months down the line they say, now I need it to do p, q, r, s, and z.  And three of those are public facing services.  I generally like having the cert in place for the inevitable.  And no, the server does not need a public address.  SSL certs do not contain IP address information, only host name.  The host name must match the certificate and servers that are accessible through NAT or PAT work fine with SSL certs.

Long story short, if I install a SSL cert on the firewall (named firewall.domain.com) that has a public IP will this cause me any issues?

Nope.

I tell anyone that asks about switching to an OS X Server to go buy your book.

Thanks!  I really need to finish the 4th book.  Will try and post more tonight.
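The point in the reply above that a certificate is tied to a host name rather than to an IP address is exactly what a TLS client checks after the handshake. The following is an added example, not code from the thread or from either poster: a small name-matching routine in the style of RFC 6125, run against constructed certificate records in the shape Python's `ssl` module returns from `getpeercert()`. The host names `server.urban420.com` and `vpn.urban420.com` come from the thread; the IP addresses, the wildcard certificate and the SAN contents are constructed sample data.

```python
"""Host-name vs certificate matching (added example, constructed sample certs).

A client compares the name it connected to against the certificate's
subjectAltName DNS entries (falling back to the subject commonName only when
the cert has no SAN at all). A private address behind NAT never enters into
it: as long as the public DNS name the client used is on the cert, the server
validates. Connecting by IP literal only succeeds if the cert carries an
explicit IP SAN for that address.
"""
import ipaddress

# Constructed sample: single-site cert for the OS X Server (name from the thread)
SERVER_CERT = {
    "subject": ((("commonName", "server.urban420.com"),),),
    "subjectAltName": (("DNS", "server.urban420.com"),),
}

# Constructed sample: separate cert for the firewall's public VPN name, with an
# IP SAN for the (documentation-range) public address
VPN_CERT = {
    "subject": ((("commonName", "vpn.urban420.com"),),),
    "subjectAltName": (("DNS", "vpn.urban420.com"), ("IP Address", "203.0.113.10")),
}

# Constructed sample: a wildcard cert that would cover both devices
WILDCARD_CERT = {
    "subject": ((("commonName", "*.urban420.com"),),),
    "subjectAltName": (("DNS", "*.urban420.com"),),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; '*' is accepted only as the entire leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Refuse "*" alone, partial-label wildcards like "a*b", a wildcard that
    # would cover a whole TLD, or a hostname with a different label count.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches(cert: dict, reference: str) -> bool:
    """True if `reference` (host name or IP literal) is a name the cert was issued for."""
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    if ip is not None:
        # An IP literal only ever matches an explicit IP SAN, never a DNS name or the CN
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip for kind, val in san)
    dns_names = [val for kind, val in san if kind == "DNS"]
    if dns_names:
        return any(_dns_match(name, reference) for name in dns_names)
    # Legacy certificate with no SAN: fall back to the subject CN
    cns = [val for rdn in cert.get("subject", ()) for kind, val in rdn if kind == "commonName"]
    return any(_dns_match(name, reference) for name in cns)


def explain(cert: dict, reference: str) -> str:
    return f"{reference}: {'OK' if cert_matches(cert, reference) else 'MISMATCH'}"


if __name__ == "__main__":
    for label, cert in (("server", SERVER_CERT), ("vpn", VPN_CERT), ("wildcard", WILDCARD_CERT)):
        for name in ("server.urban420.com", "vpn.urban420.com", "203.0.113.10", "10.0.1.5"):
            print(f"{label:9s} {explain(cert, name)}")
```

Running it shows the situation the reply describes: the server's single-site cert matches only `server.urban420.com`, so presenting it from a firewall reached as `vpn.urban420.com` would fail validation, while neither certificate cares what private address sits behind NAT.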

Reid Bundonis
Re: SSL Certificates with firewall
« Reply #4 on: April 30, 2015, 10:32:46 PM »
Ok, let's get back to the promotion of network accounts to mobile accounts.

...but how would you handle situations where the users are already local network users, but need to be "promoted" to mobile users? (Edit To add: For example these users having been using a MacBook on the network for a year but now we are going to allow the MacBooks to be taken out of the office. They were also already set up with a local home folder on the machine.) Maybe I am missing something, or maybe it is just because I fear that I've gone too far and backtracking may be in order to do things correctly.

Ok, so Apple has a number of home folder types.  There is the local account.  An example is the admin account created when you set up a new Mac.  The account is local on the machine and requires no infrastructure to function.

Next, you have network accounts.  This is what you have accomplished.  This is done by creating an OD domain and then binding the workstation to the domain.  As long as the domain user account has a valid home folder path, the user will be able to login to a bound Mac using domain credentials.  A local home folder will be created but the user's account attributes will not be cached to the machine for offline use.  Should the network, the server, or anything in between the client and the server fail, the user will have no access to her data.

Next, there are network home accounts.  In this case, you still are using domain accounts but instead of the home folder being created on the workstation, a special network mount is used to allow the user's home folder to mount from the server.  This is really only good in schools or other short duration environments in which user mobility is critical.

And finally, there is what you are looking for... The mobile account.  This is a domain account that creates a local home folder AND caches the users credentials for offline use.

So how to create this?  Relatively simple.  You have two methods of doing this.  The legacy MCX method still works in 10.10 but Apple clearly would prefer using a configuration profile.  Here is the quick cheat sheet:

MCX:  If you are doing MCX, then you will:
1:  Bind the machine to the domain (you have done this already)
2:  Using Workgroup Manager, select a group (or you can do this by the user but that is less efficient) and press the Preferences tab.
3:  Press Mobility and define your settings.  Basically, they are to set Always, check "Create mobile account when user logs in to network account" and then set home as local home template.
4:  Save this and reboot the workstation.
5:  Log in as user. 
6:  Later, you can uncheck the "Require confirmation before creating mobile account" once you are happy with the results.

Profile Manager:  If you are running Profile Manager or another MDM, you can use the Mobility payload to effectively set the same preference.
1:  Bind machine to domain and enroll into MDM.  Keep in mind that enrolling into MDM can perform the bind so the steps can be simplified.
2:  Once again, set the payload on a group or group of computers.
3:  Select the Mobility payload and check "Create mobile account when user logs in to network account" and then set home as local home template.
4:  Experiment with other settings

Once the profile is pushed to the workstation, login as the domain users.

Either of these methods should "convert" the network account to a mobile account.  Disconnect the machine from your network and reboot.  Confirm that you have access to the account.


The other problem I am wondering about is where you talk about not mixing MCX and Profile Manager. Can you expand a little on that? I have workgroup manager installed but I don't think it was ever really used for anything. If I remember correctly I attempted to use it when I ran into some issues with creating local home folders for users, but I am not sure it was what fixed the problem. This might sound like a strange question but is there a way to tell if MCX has a hand in the way things are running?

So MCX is deprecated and there is no promise that any of the settings will work going forward.  That being said, "most" everything still works in Yosemite.  But the writing is clearly on the wall.  Apple wants MCX buried and Configuration Profiles put on a pedestal.

One of the easiest ways is to launch Workgroup Manager and select the Preferences tab.  Select all users and all groups.  If you have no arrow next to a payload, then you have not set MCX values.  You can also use mcxquery but that will likely be tedious.

Ok, hope that clears it up.
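Besides pulling the network cable and rebooting, the conversion described above can be confirmed from the local directory node: a mobile account is cached into the local node with an `AuthenticationAuthority` value beginning `;LocalCachedUser;` and an `OriginalNodeName` attribute naming the directory node it came from, whereas a plain network account has no record in the local node at all. The following is an added example, not code from the thread or from either poster. It parses the `Attribute: value` text that `dscl . -read /Users/<name>` prints and classifies the record; the two sample records are constructed, with the domain name taken from the thread, and the `read_local_record` helper (which shells out to `dscl`) is an assumption about that command's output format and is only used when a user name is given on the command line.

```python
"""Classify a macOS user record as local, mobile (cached) or absent from the local node.

Added example with constructed sample records. The attributes it keys on
(AuthenticationAuthority containing ';LocalCachedUser;' and OriginalNodeName)
are what a mobile account carries in the local directory node.
"""
import subprocess
import sys

# Constructed sample: what `dscl . -read /Users/alice` might print for a mobile
# account cached from the OD domain. GUID and Kerberos data are placeholders.
MOBILE_RECORD = """\
AuthenticationAuthority: ;LocalCachedUser;/LDAPv3/server.urban420.com:alice:PLACEHOLDER-GUID ;Kerberosv5;;alice@URBAN420.COM;URBAN420.COM;
NFSHomeDirectory: /Users/alice
OriginalNodeName: /LDAPv3/server.urban420.com
RecordName: alice
UniqueID: 1025
"""

# Constructed sample: the local admin account created at first setup
LOCAL_RECORD = """\
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;admin@LKDC:PLACEHOLDER;LKDC:PLACEHOLDER;
NFSHomeDirectory: /Users/admin
RecordName: admin
UniqueID: 501
"""


def parse_dscl_record(text: str) -> dict:
    """Parse `Attribute: value` lines; indented lines continue the previous attribute
    (dscl prints values containing spaces on their own indented lines).
    Every attribute maps to a list of string values."""
    record, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and current is not None:
            record[current].append(line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            current = name.strip()
            record[current] = [value.strip()] if value.strip() else []
    return record


def classify_record(text: str) -> str:
    """Return 'mobile', 'local' or 'absent' for one user's local-node record text."""
    record = parse_dscl_record(text)
    if "RecordName" not in record:
        # Not in the local node: a network-only (uncached) account, or no such user
        return "absent"
    auth = " ".join(record.get("AuthenticationAuthority", []))
    if ";LocalCachedUser;" in auth or "OriginalNodeName" in record:
        return "mobile"
    return "local"


def read_local_record(username: str) -> str:
    """Assumption: macOS with dscl on PATH. Returns the record text, or '' when
    dscl reports the user is not in the local node."""
    proc = subprocess.run(
        ["dscl", ".", "-read", f"/Users/{username}"],
        capture_output=True, text=True,
    )
    return proc.stdout if proc.returncode == 0 else ""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for user in sys.argv[1:]:
            print(f"{user}: {classify_record(read_local_record(user))}")
    else:
        print("alice:", classify_record(MOBILE_RECORD))   # mobile
        print("admin:", classify_record(LOCAL_RECORD))    # local
        print("bob:", classify_record(""))                # absent
```

An `absent` result for a user who can log in while the server is reachable is the network-account state the reply describes, so that user has not yet been converted; `mcxquery -user <name>`, which the reply mentions, separately lists any MCX settings applied to that user if you also need to find out whether legacy management is still in play.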

urban420
Re: SSL Certificates with firewall
« Reply #5 on: April 30, 2015, 11:19:07 PM »
Awesome info on both the SSL and mobile user questions. Thanks again for taking the time to post such a detailed reply.

Thanks, thanks and thanks again!

Reid Bundonis
Re: SSL Certificates with firewall
« Reply #6 on: May 01, 2015, 07:40:01 AM »
No problem.  Keep those servers running!