Introduction

Welcome

00:04 | I'm Sean Colins, and this is Mac OS X Server DNS and Network Services.
00:09 | This course presents you with an excellent opportunity to quickly and easily
00:14 | understand the networking concepts that typically elude people.
00:18 | We start with DNS because DNS is my number one source of student questions and
00:23 | it's the first service you must set up for Mac OS X Server to work correctly.
00:28 | DNS is there to help you locate resources on networks, varying in size from the
00:33 | very small to the largest network in the world, the Internet.
00:36 | Together, we'll set it up and tear it apart, until you understand it inside and out.
00:41 | Next, we'll explore firewall technology, which is designed to protect your
00:45 | computer and your network from intruders, and to help move traffic around our
00:50 | increasingly complex networks.
00:52 | After firewalls, it makes sense to talk about DHCP, which makes configuration of
00:57 | many devices on a network very easy.
01:00 | DHCP gives you power, but with any power comes responsibility and we'll talk about both.
01:05 | Once you have DNS, a firewall, and DHCP enabled on your network, you're ready
01:11 | for the security and remote accessibility provided by a VPN.
01:15 | I'll show you how to set one up properly and we'll talk about which level of
01:19 | security is right for you and your organization.
01:21 | Of course, with subjects this complicated, something is bound to go wrong somewhere.
01:26 | So I will lead you through the most effective and efficient ways to troubleshoot
01:30 | each of these services when things don't work exactly as you want.
01:33 | Even though your server will nearly configure itself, to learn any of this
01:37 | we're going to have to roll up our sleeves and get to work.
01:40 | So please, join me now as we begin in Mac OS X Server DNS and Network Services.
Understanding this course and the exercise files

00:01 | In this course, we have two computers you will see repeatedly.
00:04 | One is our server, which has a gray desktop, and the other is our recording
00:08 | machine, which is our client, and it has a blue desktop.
00:12 | You will see us use Apple Remote Desktop to flip back and forth between them in some movies.
00:16 | So please don't be alarmed.
00:17 | That's completely normal.
00:19 | Because this course explores and reconfigures Network Services both on the
00:23 | client and on the server, it's a really good idea to have a monitor, a
00:27 | keyboard, and a mouse hooked up to not only your client machine, but also the server.
00:32 | Normally, I'd say you don't need to configure your server locally, because we
00:35 | have such robust network tools, but you're learning here and you are likely to
00:39 | configure something somewhere along the way that will make it difficult or
00:42 | impossible to connect remotely to your server.
00:45 | In which case, you'll be slowed down while you hunt down the equipment to hook
00:48 | up to get to a local connection again.
00:51 | In fact, I've purposely included a configuration in this course that will
00:55 | disable communication between the client and server, which we then
00:58 | troubleshoot and correct.
00:59 | You will not be able to follow the troubleshooting steps on your equipment if
01:02 | you don't have a local connection to the server available.
01:06 | Please remember not to follow this course using a server in a live
01:10 | production environment.
01:12 | In fact, do not do anything in this class on a system that is connected to
01:16 | an existing network.
01:18 | Because we will be enabling DHCP during this class, we will almost certainly disrupt your other
01:22 | network devices when you turn that service on.
01:27 | For our purposes, we used a D-Link wireless router, in fact, the cheapest we
01:31 | could find, because we believe that you will probably go out and try to find the
01:35 | cheapest router you can use as test equipment.
01:37 | We configured it specifically to have NAT turned on and DHCP turned off in the router.
01:44 | We configured the WAN interface with our public IP address and we configured
01:47 | the LAN interface with the router's address you will see throughout the title,
01:51 | 192.168.12.1. Our server is at address 192.168.12.2.
01:59 | I recommend that you set up your network before you install the server software
02:03 | necessary to follow this course.
02:05 | If your router and cabling are set up correctly before you begin, the entire
02:09 | process of taking this course will be much more productive for you.
02:13 | If you are not a premium subscriber, you won't have access to the exercise files,
02:16 | but for this course, that only includes saved preferences for Server
02:20 | Admin and a VPN configuration file which I use in the VPN movie later in this course.
02:25 | After you take the course, you can submit questions to ts@lynda.com where I and
02:31 | my team of server experts will be happy to respond to your questions.
02:35 | If you ask something unique and clever, we may ask your permission to post your
02:39 | question and the answer to our technical articles blog, which is available to
02:43 | everyone at www.corequick.com/groups/articles.
02:49 | You can also find us on Facebook at www.facebook.com/corequick.
02:54 | Now, get settled in, get your popcorn ready, and let's get started!

1. DNS

What is DNS and how does it fit into your server puzzle?

00:00 | There are many misconceptions about DNS.
00:03 | Do you need or want DNS?
00:06 | Funny thing about the word need. You don't really need DNS unless you're running
00:11 | mail or directory services.
00:14 | But when you start talking about want, now there is an interesting word.
00:18 | You might want DNS for several reasons.
00:21 | But I bet the best reason is to make something easier.
00:24 | That's what DNS does;
00:26 | it makes much of what you do with a computer easier.
00:30 | Have you noticed how much your iPad wants to be connected to a network?
00:35 | How about web browsing or getting onto a social service like Facebook so you can
00:40 | easily interact with people?
00:42 | None of that would be easy without DNS. So what is DNS?
00:47 | Really, it's just a system to match numbers to names and names to numbers on
00:54 | a computer network. It's that simple.
00:56 | Computers find their way around using numbers.
00:59 | People find it a lot easier to work with names.
01:02 | So, DNS was invented to make life easier for people.
01:06 | Now, when I say numbers, I mean addresses.
01:09 | At the moment, we all use IPv4 addresses on our computers, our routers,
01:15 | our printers, et cetera.
01:17 | So, the number part of the equation is going to be something that looks like this,
01:21 | where we replace the pound symbols with actual numbers.
01:26 | Each of those four segments is called an octet, and each octet can only be a number from 0 to 255.
01:31 | There is a lot more to it than that, but this gives you the basic idea.
01:38 | When I say names in this context, I mean fully qualified domain names.
01:43 | Fully qualified is a very specific way to refer to a name that means full name.
01:50 | It's kind of like saying my name is Sean.
01:52 | That's my host name. Or saying my name is Sean Matthew Colins.
01:57 | That's my fully qualified domain name.
01:59 | Well, not really, but you get the idea.
02:02 | The fully qualified domain name is the complete name with nothing more to add.
02:07 | Now, if I had a dog named Scruffy Colins, Scruffy would be the dog's host name,
02:13 | Scruffy Colins would be my dog's fully qualified domain name, and Colins would
02:18 | be the domain or the zone name.
02:20 | So, within the domain Colins, I have hosts named Sean, Matthew, and Scruffy, and
02:27 | I could have more if I wanted to add my wife and kids to the zone file.
02:31 | If I changed that analogy to a more literal representation, I could actually
02:36 | name computers after everyone in my family.
02:38 | So, mine could be Sean.Matthew.Colins, and my dog's could be Scruffy.Colins.
02:45 | So, how does your request for Scruffy Colins get to where it's intended?
02:51 | That has more to do with the DNS system than the names and the numbers.
02:55 | You see, to make all of those matches, something needs to have the matching
03:00 | names and numbers in a system that can answer your questions.
03:05 | That system is the DNS system and it's huge.
03:10 | The DNS or Domain Name System starts at 13 root servers, which are actually
03:16 | clusters of servers.
03:18 | Those 13 root servers are managed by the organization responsible for DNS on the Internet.
03:25 | Everything in the DNS system is listed at various levels of a chain of
03:30 | interconnected DNS servers, each DNS server talking to servers above and
03:36 | below in the hierarchy.
03:39 | It's very complicated, but actually, kind of cool when you think about it.
03:43 | The DNS system is a fantastic example of international cooperation and adherence
03:48 | to rules that make a very complicated system very stable.
03:53 | I don't know about you, but I don't know of too many complicated things that
03:56 | are also very stable.
03:58 | So, a zone is just your little corner of the DNS universe.
04:03 | It's going to be a name that is either private to only your network, or it's
04:07 | something that is public that you purchased from a domain name registrar.
04:11 | Sometimes, you can have two zones with the same name but different information.
04:17 | That's called Split DNS.
04:19 | And we'll talk about that later on.
04:21 | A DNS zone is essentially a file on a computer that contains records.
04:25 | Your DNS zone is a namespace for which you own authority.
04:31 | So you can do whatever you want with it.
04:33 | An A record is one entry, or item, in that zone.
04:38 | An A record just maps a name to a number.
04:41 | A PTR record does the opposite, mapping a number to a name.
04:45 | An MX record is responsible for sending mail to a specific machine for delivery.
04:51 | A CNAME is kind of like an alias.
04:53 | It lets the machine it references go by another name, but that machine keeps
04:58 | its original identity too.
05:00 | Now that you know what DNS is, how it fits into your world, and what the major
05:04 | pieces and bits look like, let's dig in and see how to make it work.
DNS prerequisites

00:01 | To complete this course, you're going to need some things to be finished before
00:04 | you start each chapter.
00:06 | DNS being the first in our services, we're really not going to have too many
00:10 | things that are necessary in order to get this set up, but there are some things
00:14 | you should be aware of.
00:14 | First, you're going to need Snow Leopard Server.
00:16 | You have to have the software and a computer to run it on, and you probably want
00:20 | to have a client set up as well, so that you can test your DNS setup between
00:25 | your client and your server.
00:27 | It can also be helpful to already have DNS set up on the Internet, but we'll
00:31 | talk about that later on in the course.
Deploying DNS

00:01 | With DNS especially, there is an order in which you have to do things.
00:04 | Otherwise, you'll be chasing your tail for hours trying to get
00:06 | everything working.
00:07 | First, and this should happen well in advance of your deployment, decide on and
00:11 | obtain a domain name.
00:13 | When I think about it, this is also important to the installation of your
00:16 | server, because you have to know the fully qualified domain name of your server
00:20 | during initial setup.
00:21 | You get a domain name either from your network administrator,
00:24 | if you are setting up at a large organization where there is already a domain
00:27 | name, or from a domain registrar, if the server will do things like route mail to
00:31 | other computers on the Internet and you don't have one already.
00:35 | If you've watched our other server titles here at lynda.com, you'll remember
00:38 | that we've covered how to purchase a domain name from a registrar in the movie
00:42 | "Registering a Domain Name," which is in Chapter 4 of Snow Leopard Server
00:46 | Essential Training.
00:47 | Once you have your domain name, you have to set up zones.
00:49 | To do that, we're going to go into Server Admin.
00:52 | Once we're in Server Admin, it should automatically connect up to your server.
00:56 | If it doesn't, you can add your server by name or IP address.
01:00 | You'll see here that if you've already got your server set up and you went
01:03 | through the automatic setup process and you didn't have DNS on your network
01:06 | already, it set up DNS for you.
01:09 | That's why it's down here in the list, and it's already got the green light next
01:12 | to it to say that it's running.
01:13 | If you look at zones, it's going to give you a warning that says "don't mess with this.
01:16 | You're going to change something that's going to really screw up your server."
01:19 | You're going to say OK, and then we're going to change it anyway.
01:23 | We're going to do this for a very specific reason.
01:25 | We need more than just server.groundswellgear.com.
01:28 | We need to create additional records.
01:30 | We want to modify what this is doing.
01:32 | So, we're going to add a different zone here, one that gives us a little more flexibility.
01:38 | For example, server.groundswellgear.com is going to be authoritative and this
01:43 | zone will respond authoritatively when someone asks this DNS server for anything
01:48 | within server.groundswellgear.com.
01:50 | That would include if I had another hostname before the word server.
01:54 | So, first.server.groundswellgear.com could be dealt with by this zone, but if
02:00 | I want to set up another machine record or a CNAME like, for example,
02:03 | mail.groundswellgear.com or www.groundswellgear.com, this zone isn't going to cut it for me.
02:10 | I can't do that here.
02:11 | So, I need to set up a different one.
02:13 | But I don't want to just delete this yet.
02:14 | I want to set up the other zone first, and then we'll come back and delete this afterwards.
02:18 | So, the first thing we do to add a zone: click the Add Zone button, and then add
02:22 | a primary zone here, and we're going to just add the words groundswellgear.com
02:28 | right here where it says Primary Zone Name.
02:31 | We add an e-mail, and the e-mail address here is going to appear in our DNS records.
02:36 | This way, if someone has got a problem with something we've listed in DNS,
02:39 | they can contact us and tell us that there's something wrong, or they need something
02:43 | added or removed or whatever.
02:44 | We're also going to add this server as Nameserver, so we'll click the Plus
02:48 | button and we'll save that.
02:49 | For the zone groundswellgear.com, the nameserver is going to be
02:53 | server.groundswellgear.com.
02:55 | All of that is fairly straightforward.
02:57 | The only other box we have down here is for Mail Exchangers, and we'll just click
03:01 | the Plus button and put in the name server and a priority.
03:05 | The priority here is weighted downward.
03:07 | So, if you put in 90, that will be a lower priority than if you put in 10.
03:11 | On the Internet these days, whenever you're setting up MX records, you'll see a
03:14 | lot of registrars giving you the number 0 by default. I like using 10.
03:19 | Once you've got those all in place, click Save and you see here that underneath
03:23 | Hostname, the Mail Exchanger will autocomplete the rest of the domain name and
03:26 | you get your fully qualified server.groundswellgear.com.
03:29 | The tricky part with setting up your zones is you have to set them up locally
03:33 | and on the Internet if you expect your names to work in both places.
03:36 | This is called split DNS and it's a pretty common way to handle a domain in a SOHO network.
03:42 | Next, we're going to have to add DNS records to the zone.
03:46 | In a Split DNS setup, you'll have to do that both on the Internet and locally.
03:50 | If you're in education, your district IT department probably has solid
03:54 | control over their DNS, so you can just ask them to add your server machine
03:57 | record to their DNS zone; just be sure to request both an A record and a PTR
04:02 | record for your OS X Server.
04:04 | If you have your server sitting on the Internet with its own public IP address,
04:07 | you could get away with just setting up your zones on the DNS system where you
04:11 | purchased the domain.
04:13 | How you do that will vary depending on your choice of vendors.
04:15 | Some do it with a phone call; others will provide a web management tool.
04:19 | But either way, you'll have to manage DNS on that public system.
04:23 | At a minimum, you'll have to do this for a machine record and an MX record for
04:27 | Internet routing of e-mail.
04:28 | The MX record that we just set up tells the world, "hey!
04:31 | When you send mail to groundswellgear.com, transfer the message to
04:34 | server.groundswellgear.com, so that computer can handle the routing and
04:38 | delivery of the message."
04:40 | So, what we need to do now, underneath groundswellgear.com (we'll flip this
04:44 | triangle down), is just select that name and click Add Record.
04:47 | We're going to add a machine record.
04:49 | As soon as we do, this pops up right below our primary domain name and we have
04:54 | the opportunity to put in a machine name.
04:56 | I'm just going to put in the name server, and then I'm going to put in its IP address.
05:01 | If I want, I can put in software information, hardware information or comments,
05:06 | and all of these things will be returned when someone requests information
05:10 | through either nslookup or through the Network Utility.
05:12 | We'll show you how that looks later on.
05:14 | For right now, I'm just going to put that this is on a Mac Pro, but the software is
05:18 | running 10.6.x. That way it'll be correct for as long and as many versions as I upgrade through.
05:25 | Under Comments, I'm just going to put that this server was set up by Sean Colins.
05:31 | I'll click Save.
05:33 | Now, because it wasn't fully qualified, what we end up with here is server maps
05:37 | to 192.168.12.2, and that's useful for a couple of different reasons.
05:41 | First of all, if somebody looks up the name server in the zone
05:44 | groundswellgear.com, the completion of that is assumed.
05:49 | If we wanted, we could have typed the entire fully qualified domain name in
05:52 | the box down here under Machine Name and clicked Fully Qualified, and that
05:56 | would have been fine.
05:57 | But by putting in server, we limit the amount of data we have to put in.
06:00 | If we're putting a lot of records in, this is a perfectly acceptable way to
06:04 | enter your machine record.
06:06 | Now, I want more than one name to resolve to server.groundswellgear.com,
06:10 | so I'm going to add what are called CNAME records.
06:13 | CNAME records are just basically aliases.
06:15 | They are very, very easy ways for people to enter a name that makes sense to
06:19 | them or that they've been given that will redirect to this machine.
06:22 | So, for example, a very common one is www, and if we say www is always going to
06:27 | go to server.groundswellgear.com, give it the fully qualified name, and click Save,
06:33 | what we end up with is www will always redirect to
06:37 | server.groundswellgear.com, and because we have our A record saying server
06:41 | points to 192.168.12.2, that www will always go to 12.2. Another name I'd like
06:49 | to use as a redirect.
06:50 | I'm going to go add alias.
06:51 | I'm going to say mail.
06:53 | Mail is going to also go to server.groundswellgear.com. Click Save.
07:02 | So now we know that www and mail will both redirect to the same machine address.
07:08 | So, that's what we've done.
07:11 | Now importantly, even though this isn't about DNS, this is about SSL: whenever
07:16 | you're buying an SSL certificate, be sure that you're buying the certificate for
07:20 | whatever name the end user will use to access the server.
07:24 | So, if you're buying your SSL cert specifically for mail services on your
07:29 | server and you're using an alias redirect of mail, you want to make sure that
07:33 | you buy it with mail.groundswellgear.com as the name of your SSL cert.
07:37 | This can get a little complicated.
07:39 | If you set up the SSL cert for server.groundswellgear.com and then you tell
07:43 | your users to use mail.groundswellgear.com as the DNS name of the server,
07:47 | the SSL won't match up.
07:49 | There will be a name mismatch and SSL will still throw up an error message for
07:53 | those users whenever they try to access that server using that name.
07:56 | So, just be aware that that's a potential hiccup there.
07:59 | All right, now we've got our names and we've got a couple of aliases
08:03 | pointing to that machine.
08:05 | Let's get out of here and let's go over to our settings.
08:09 | Under settings, we have a couple of different things we can configure.
08:12 | We can configure our log level, which during initial setup is usually a good
08:16 | idea here at the debug level.
08:17 | We have the recursive queries area here where we can tell the system who it
08:22 | should respond to whenever they're requesting information.
08:25 | So, if somebody on our local networks or the localhost itself makes a request of
08:29 | the DNS server, those responses will be going out to those networks.
08:34 | A nifty thing about this area here is that you could add various different
08:38 | network ranges or specific IP addresses that can be allowed to request
08:42 | information from our DNS server.
08:44 | Anything that's not in this box will not receive a response to a request.
08:48 | But what I wanted to show you down here is the Forwarder IP Address area.
08:53 | Now this is where you would put in the IP address for your local ISP.
08:57 | This is best if it's the next highest DNS server as you head out towards the Internet.
09:03 | So, your Internet service provider is a really good number to use here.
09:06 | For example, a commonly used number for a well-known ISP in our area.
09:12 | So, these numbers are used by a local ISP in our area.
09:18 | So, those are going to be really good numbers for us to use, because they are
09:21 | very close to us, so responses are going to be very quick.
09:24 | They're very large networks, so they're likely to have a lot of information in
09:28 | their local cache, which will also speed up our DNS responses.
09:31 | Anything that they don't have, they'll be able to refer out to the root servers,
09:35 | which will then be able to traverse the DNS hierarchy in order to give us our answers.
09:40 | If you don't put anything into the Forwarder IP Addresses area, you'll still be
09:44 | able to resolve traffic, because Apple has put a database or a list of a bunch of
09:49 | the root server IP addresses right into every machine that they ship out.
09:53 | But those will be much slower responses.
09:55 | This is useful because it's much, much quicker.
09:58 | Once that's in, you click Save.
10:00 | Once you've configured your new DNS zone and your settings, you'll need to
10:04 | delete the preconfigured zone that the server created for you initially.
10:07 | To do that, we go back to Zones, come down here to
10:10 | server.groundswellgear.com, and click Remove.
10:14 | We also want to delete the PTR zone for that specific IP address.
10:18 | You see how it, in reverse, is 192.168.12.2.
10:22 | The one up here is 192.168.12.
10:26 | This one was the one that was created automatically at startup.
10:28 | We want to delete that one.
10:30 | Once we've reviewed our settings, and we know that this is all good,
10:34 | we've got our Forward record, we've got our PTR pointing back to that forward,
10:38 | and we've got our two aliases pointing to that machine record right there.
10:42 | Click Save and we're done.
10:45 | Next, we want to configure our client to use the DNS we just set up.
10:49 | So, what I'm going to do now is I'm going to get out of the screen sharing that
10:53 | we've been using in order to control the server remotely.
10:59 | Here we are on our client machine.
11:00 | We're going to go to our Apple menu, pull down to System Preferences, go to Networking.
11:06 | In Network, I had already configured our DNS server to point to the server
11:10 | that we've just set up.
11:12 | If yours wasn't already set up to look there, you would want to do that now.
11:16 | So, on your client machine, make sure that you're pointed to the IP address of
11:20 | your Mac OS X Server on which we just set up DNS services.
11:24 | When adding your DNS information here, remember that you can use the Search
11:27 | Domain field right here to tell the client machine what your local zone name is.
11:33 | This will allow your client computer to find resources in the local DNS zone
11:37 | by only looking up the hostname without having to type in the fully qualified domain name.
11:41 | I'll show you how that works now.
11:42 | If we type that in and hit Apply, I'll just pull this down over here so
11:48 | it's out of the way.
11:49 | Then we're going to go to the Go menu. Pull down to Utilities.
11:53 | In Utilities, we're going to open up the Network Utility.
12:00 | Now here in the Network Utility, we should be able to do a lookup without typing
12:05 | groundswellgear.com, just by typing the name server.
12:12 | There's our lookup, server.groundswellgear.com and an A record,
12:16 | 192.168.12.2. That's the function that the search domain performs for you.
12:22 | If I remove that, click Apply and try a search on server again, we get
12:27 | a different response.
12:29 | You can see that it doesn't have an answer for us, because it doesn't know. So, your choice.
12:33 | It's completely up to you, but that can save your users an awful lot of time,
12:41 | and all they have to do is know the actual hostname of the server, without
12:44 | knowing the fully qualified domain name or without needing to type it.
12:47 | When you set up DNS for the first time, lots of things can go wrong.
12:53 | In the next movie, we'll look at how to test our connection and how to troubleshoot when things do go wrong.
| Troubleshooting DNS files| 00:01 | BIND stands for Berkeley
Internet Name Domain. BIND is software.
| | 00:06 | Clients lookup information in the DNS
by calling a resolver library which sends
| | 00:10 | queries to one or more name
servers and interprets the responses.
| | 00:15 | The BIND9 software distribution
contains a name server and a resolver library.
| | 00:21 | The BIND files that Mac OS X creates
for you are not the easiest things to
| | 00:24 | hunt down, but I've a short list of the ones
you should care about and where they're located.
| | 00:28 | The first file of DNS importance is
located at etc/named.conf, and that's
| | 00:35 | because the service is the name daemon or name-d.
| | 00:39 | So I'm going to show you this
in a couple of different ways.
| | 00:42 | First, I want to go to folder and to
show you that you can get into etc just by
| | 00:46 | typing /etc right there and hit Go.
| | 00:49 | That will show you this
file right here in the Finder.
| | 00:52 | So for those of you who are Terminal
averse you've got this option here.
| | 00:57 | There's named.conf right there.
| | 00:58 | But as this is an advanced title we
are going to go down to Utilities.
| | 01:03 | We are going to open up the Terminal and we
are going to get in and take a look at this.
| | 01:07 | So, just closing some windows, getting
things centered here, and here we are.
| | 01:11 | Now we are on the server obviously, as
indicated here. That's the name of the
| | 01:15 | server and that's who we
are logged in as right now.
| | 01:18 | Just so we can move around freely without any
errors I am going to type sudo -s and hit Return.
| | 01:25 | And I am going to put in the password on
the server, and that returns us into a
| | 01:30 | shell in which we are root.
| | 01:32 | Now, this is going to allow us to move
around with utter flexibility, because we
| | 01:35 | are basically operating as root now.
| | 01:38 | So what I want to do is we are going
to cd, which is just short for change
| | 01:41 | directory, into at etc, and
that's /etc/ and hit Return.
| | 01:47 | If I type ls -l and hit Return, I get a
list of pretty much what we were looking
| | 01:52 | at there in the Finder.
| | 01:53 | Now, let's see here. And let's clear this
just to clean up the screen a little bit.
| | 01:56 | Now let's do that in a slightly different way.
| | 01:59 | This time what we are going to do is
instead of listing the directory named.conf
| | 02:02 | as in we are going to look inside of it.
| | 02:06 | But I don't want to do that with a
text editor, because a text editor will
| | 02:09 | allow me to change the contents of named.
conf, and we really don't want to do that.
| | 02:13 | To do this, we are going
to type up less named.conf.
| | 02:19 | This gets us right in here.
| | 02:21 | This file really just adds include
statements that tell BIND to look at what are
| | 02:26 | called views elsewhere in the file system.
| | 02:28 | But this file is important for another reason.
| | 02:30 | You see it's fragile in the
context of the complete server.
| | 02:33 | If you edit named.conf, named
will use that new information.
| | 02:38 | It'll use it if it's written correctly.
| | 02:40 | But the changes won't show up in Server Admin.
| | 02:42 | So you'll have no outward
indication of the change.
| | 02:45 | For our purposes here the important
part of named.conf is that it points to
| | 02:49 | publicView.conf.apple.
| | 02:53 | And I am scrolling down
here so that you can see this.
| | 02:55 | It's right here at the bottom of the file.
| | 02:57 | This include basically says "I want you
to go over here to see the stuff that
| | 03:02 | Server Admin has been putting in,
because it's all listed over there."
| | 03:06 | So we say, "All right, fine."
| | 03:07 | I am going to hit the Q key on our keyboard.
| | 03:10 | That gets us out of less and returns
us back here to our Terminal window.
| | 03:16 | So other useful files that
were referenced there included
| | 03:19 | etc/dns/options.conf.apple.
| | 03:23 | That is another hands-off file that the
system has auto-generated for you with
| | 03:27 | options information about DNS.
| | 03:29 | etc/dns/loggingOptions.conf.apple
lists the logging options enabled for DNS.
| | 03:35 | Again, you shouldn't edit that.
| | 03:36 | Just check it when troubleshooting
to make sure the log level was written
| | 03:40 | correctly by Server Admin.
| | 03:41 | Now, the file we really
want to look at is over here.
| | 03:44 | We are going to go cd /etc/dns/.
| | 03:49 | That gets us into the directory.
| | 03:50 | If I type ls, all three of those files
that I just mentioned are listed here,
| | 03:54 | loggingOptions, options, and
publicView all followed by .conf.apple.
| | 03:59 | If we just type less publicView, and I
can just hit Tab here and that will auto-
| | 04:04 | complete that name, because after
publ, that's all unique.
| | 04:09 | So I can just hit Tab,
it'll auto complete and I'll hit Return.
| | 04:12 | And it warns you in big capital letters
right here, please do not manually modify this file.
| | 04:16 | Please make your changes in the named.conf file.
| | 04:20 | But we know that we don't want
to make our changes there either.
| | 04:22 | We want to make our changes in Server Admin.
| | 04:24 | At any rate this is a really good
place to go to see if all of the stuff that
| | 04:29 | was supposed to be
entered in here was entered in.
| | 04:31 | And this is where we get to see our
zone information, where it says type master,
| | 04:35 | and that the file is at db.groundswellgear.com.
| | 04:40 | The transfer and update
information there as well.
| | 04:42 | Then here is the zone
information for our reverse.
| | 04:46 | So, that all looks good too.
| | 04:48 | So we are going to hit Q to get out of that.
| | 04:50 | Again, Q gets us out of less.
| | 04:52 | The include statements told us that we
needed to look for our zone information
| | 04:55 | in /var/named/zones.
| | 04:58 | So that's where we are going to go.
| | 04:59 | We're going to go cd /var/named/zones
and so you can see I am sort of taking
| | 05:10 | you on the path here.
| | 05:11 | There is a long and circuitous
route that takes us from the source,
| | 05:15 | that named.conf file all the way
through to this directory here.
| | 05:18 | Now that we've changed directories into
var/named/zones, if I type ls I can see
| | 05:23 | those two files that it referenced
right here, db.groundswellgear.com.zone.apple
| | 05:28 | and db.12.168.192.in-addr.arpa.zone.apple
as well.
| | 05:35 | Those are the forward
and the reverse zone files.
| | 05:38 | Even though this has a .apple
extension, don't let that throw you.
| | 05:40 | Apple didn't provide these files.
| | 05:42 | The zone files in var/named/zones
are the place where your zones and the
| | 05:46 | records they contain are located.
| | 05:48 | So if, once again, we type less and we
type db.groundswellgear.com, blah, blah,
| | 05:54 | blah, we just hit Tab to go
through that and I hit Return,
| | 05:57 | what I am going to see here is our
zone information, which is really great,
| | 06:02 | because now we can check to see
if what was entered is correct.
| | 06:08 | So here we can see that we've
got our groundswellgear.com IN SOA
| | 06:12 | server.groundswellgear.com.
| | 06:14 | There is the e-mail address
that I was telling you about.
| | 06:17 | So if that was entered in
correctly then that's how that appears.
| | 06:20 | By the way, don't be thrown
by that not being an @ symbol.
| | 06:22 | That's the way it's supposed to be.
| | 06:24 | Groundswellgear.com is in a name
server at server.groundswellgear.com.
| | 06:28 | Server is in an A record at 192.168.12.2.
| | 06:33 | Server is in an HINFO record,
and that says Mac Pro and 10.6.x.
| | 06:37 | Remember when we typed that in.
| | 06:39 | And we've also got our TXT information,
which says the server was set up by Sean Colins.
| | 06:44 | So all of that information that we
entered into Server Admin is here, including
| | 06:48 | down here you see our
aliases or our CNAME records.
| | 06:51 | We have the mail CNAME right there
and we have the www CNAME right there.
| | 06:56 | That's how those should look.
| | 06:58 | We also have our MX record down below.
| | 07:00 | Groundswellgear.com has an MX record of
a priority 10 that tells it, hey, send
| | 07:04 | mail if it's received for this
domain over to server.groundswellgear.com.
| | 07:09 | So this is a properly formatted,
properly formulated zone file with the
| | 07:14 | appropriate records within.
| | 07:15 | That's what this looks like.
| | 07:17 | If everything looks fine then you
know that the problem is not here.
| | 07:21 | And you can start looking elsewhere,
assuming you're having problems and that's
| | 07:24 | why you're troubleshooting DNS.
| | 07:25 | So I am going to press the Q key again here.
| | 07:28 | The Q button gets us out of that.
| | 07:30 | We've used less several times.
| | 07:32 | We've used the cd command. We've used ls.
| | 07:35 | So those are some of the tools we've used to
navigate our way around and to view files so far.
| | 07:41 | Next, I'd just like to take
you into the logs directory.
| | 07:45 | When troubleshooting DNS, it can
be helpful to check the logs out.
| | 07:48 | So one thing we can do is we can use
the Terminal right here to just change
| | 07:52 | directories into Library/Logs.
| | 07:53 | We can see we've got several logs in here,
and right there you can see we've got a named.log.
| | 08:02 | If you'd like me to show that to you over
here in the Finder, I can do that as well.
| | 08:05 | Library/Logs and there we
have it right there, named.log.
| | 08:13 | Same thing listed there, listed there.
| | 08:16 | So if I just type less
named.log, it'll load up the log.
| | 08:23 | And I can just keep arrowing
through this and you'll see everything.
| | 08:26 | It can feel a little bit
difficult to read the logs here though.
| | 08:29 | So what I am going to do is
type Q to get out of that.
| | 08:32 | I'll type exit and exit again.
| | 08:34 | The first exit got us out of our root
session and the second one got us out of
| | 08:38 | our Server Admin session.
| | 08:39 | So now I can quit Terminal and I can
go to my Utilities folder, and I can open
| | 08:44 | up the Console application.
| | 08:46 | If I do that I can click the Show Log
List over here and I can find all of the
| | 08:51 | logs that are in Library/Logs.
| | 08:53 | In there I should be able to find my named log.
| | 08:55 | You can see how this is organized in
the same way that it would be found in the
| | 08:59 | Terminal, if you were just changing
directories through those directories or in
| | 09:03 | the Finder if you're going through that way.
| | 09:05 | So here we see the named.log.
| | 09:07 | In here if we had any DNS errors at
all we would find them here, and it would
| | 09:12 | tell us what was going on.
| | 09:13 | If the service had quit unexpectedly or
if it had shut down because of an error
| | 09:18 | in a configuration somewhere,
that would all be listed right here.
| | 09:21 | I want to quit that now.
| | 09:23 | Once you've looked at the files
DNS uses to determine if they were
| | 09:27 | written the way you intended them to be,
you should move on to using tools to
| | 09:31 | test DNS to find out why it isn't working.
| Troubleshooting DNS with tools| 00:01 | When we start talking about
troubleshooting DNS with tools, we're going to start
| | 00:04 | here on the client system.
| | 00:05 | We'll move over to the server and
then we'll come back here to the client.
| | 00:08 | We're going to move around a bit.
| | 00:09 | So you'll see Apple Remote
Desktop in the middle here.
| | 00:12 | Once you've analyzed your DNS file on
your server, you really should move on to
| | 00:15 | checking hardware and network settings
if things still aren't working correctly,
| | 00:19 | both on the server and the client.
| | 00:21 | Then to testing or altering aspects
of DNS with several helpful tools.
| | 00:24 | The first step in all of this after
you've gone through all these steps looking
| | 00:28 | at files that we did in the previous
movie, is you should look at your hardware
| | 00:31 | and your networking.
| | 00:32 | Now this is the "is it
plugged in?" question, really.
| | 00:36 | You're going to look at
your System Preferences here.
| | 00:38 | We're going to go to networking.
| | 00:39 | If your DNS Server isn't entered correctly
here on the client, it's not going to work.
| | 00:43 | Same thing is true on the server by the way.
| | 00:45 | If it's not the correct number, then DNS
resolution won't function because it's
| | 00:49 | all based on what's in
this little space right here.
| | 00:52 | If we quit those and we go back over to
say, for example, the Network Utility.
| | 00:58 | We can go to the Go menu and
come to the Utilities menu here.
| | 01:01 | We open up Network Utility right
there and come to Lookup and Ping.
| | 01:05 | These are two fantastic tools that
we can use in order to see if our DNS
| | 01:10 | is working properly.
| | 01:11 | If we can't get name resolution, say we
went into Lookup and we've tried to look
| | 01:15 | for groundswellgear.com and it didn't work.
| | 01:18 | We can set that up for ourselves right now.
| | 01:20 | We can set up a failure
situation right here just for you.
| | 01:23 | Click on Network, come in here, and we'll
just put 23 there in the DNS server address.
| | 01:29 | Now what you will see is when we try to
look up groundswellgear.com, it'll just
| | 01:32 | spin and spin and spin and spin.
| | 01:33 | And it's not going to find anything.
| | 01:35 | There just won't be a response
because we're not looking at a DNS server
| | 01:39 | that has an answer.
| | 01:41 | But if we come over here and we ping
the IP address of the server, we know that
| | 01:45 | the IP address is that 192.168.12.2.
| | 01:50 | If we ping it based on its
number, we are getting a response.
| | 01:54 | That tells us something.
| | 01:56 | If the number works but the name
doesn't, it means we're not looking to a DNS
| | 01:59 | server that can resolve that name.
| | 02:02 | The first place you want to come back
and look if that's the case is right here,
| | 02:05 | because simply by changing this
back to the correct numbers so that we
| | 02:09 | are looking for DNS resolution on our server,
we can still do our ping based on the number.
| | 02:15 | But now if we type in the full name of
the server, we ping again, we can get
| | 02:23 | full resolution off of that as well.
| | 02:25 | If we come over here and do a lookup
on groundswellgear.com right away,
| | 02:29 | we start getting responses.
| | 02:31 | If we type in server.groundswellgear.com, we
get our A record response just like we should.
| | 02:37 | By checking your settings here in the
Network System Preferences pane and by
| | 02:41 | testing here using Lookup and Ping in
the Network Utility application, you can
| | 02:46 | get a better idea of what
is and what is not working.
| | 02:49 | Now let's say all of this failed.
| | 02:51 | I'm going to quit Network
Utility here and I'm going to quit the
| | 02:54 | System Preferences there.
| | 02:56 | We're going to switch over
here to Apple Remote Desktop.
| | 02:58 | We're going to control the server itself.
| | 03:02 | We did our lookup on the client in
Network Utility and we found the A record,
| | 03:05 | and we saw that we could ping the server
and that was all working, but what if
| | 03:09 | we tried that on the client and it didn't work?
| | 03:11 | Well, the next step would be to come
over here to the server to make sure that
| | 03:15 | we can do it actually locally to make
sure that the services are functioning the
| | 03:19 | way that they should.
| | 03:20 | One sure-fire way to do that is to come
in here into the Terminal on the server
| | 03:23 | itself and type the following.
| | 03:26 | If we use the dig command and we
follow that with the name of the server,
| | 03:33 | what we should get back is an answer from
the DNS server that the server is looking at.
| | 03:39 | If we want to look at the PTR record,
I'll clear this so we get a fresh screen.
| | 03:44 | We would use the same command dig
with a -x flag and instead of using
| | 03:50 | the name, we just use the IP
address that we've just found.
| | 03:54 | That tells us right here with our
Answer Section that we have a valid PTR.
| | 03:59 | We can see the numbers in reverse, and they've
resolved out to the correct name. So we've got that.
| | 04:04 | That's all checked out.
| | 04:05 | Another really good tool
that you can use here is host.
| | 04:09 | If you type host and the IP address,
you'll see here that it's giving you the
| | 04:15 | reverse with a domain name
pointer to server.groundswellgear.com.
| | 04:20 | Thanks to the copy and paste
functionality in Terminal here in OS X,
| | 04:24 | you can type host and then paste the
name of the server in, and it'll give us
| | 04:28 | the A record return.
| | 04:29 | So, there's dig and host.
| | 04:31 | Those are two fantastic tools you can
use at the command line to do pretty much
| | 04:34 | what you saw us do on the client
side there with the Network Utility.
| | 04:38 | Of course, we also have
Network Utility here on our server.
| | 04:41 | But if we didn't have access to the GUI
for some reason, if we had to SSH into
| | 04:44 | the server or the client for that
matter, we can run these tools and get the
| | 04:48 | results that we need to troubleshoot DNS.
| | 04:51 | Now sometimes the DNS server on Mac OS
X Server might not be running at all,
| | 04:55 | even though Server Admin might say it is.
| | 04:57 | So, there are two ways to
check if it's really running.
| | 05:00 | One, of course, is to open Activity Monitor.
| | 05:03 | So I've just gone to the Utilities
folder and I'm opening Activity Monitor.
| | 05:07 | If I look at All Processes and look for
named, I can see right here that named
| | 05:12 | is running and it has a process ID of 44
and it's functioning. So that's great.
| | 05:17 | So we know that that's running.
| | 05:18 | But say we don't have
access to Activity Monitor.
| | 05:21 | What if we needed to do that in the
Terminal, because we could only SSH into the
| | 05:24 | system, for example?
| | 05:26 | Well, to do that, first we're going
to type sudo -s so that we are root.
| | 05:29 | Now we're going to type ps ax | grep named.
| | 05:39 | What that will return is the same thing
that we saw over there in Activity Monitor.
| | 05:44 | The only difference is that here it's
just expressed slightly differently, but
here you can even see we've got our process
ID of 44 and we know that it is functioning.
| | 05:51 | So that's good.
| | 05:52 | That means that DNS is actually running.
| | 05:55 | If we didn't find that then even if we
had a little green dot next to the DNS
| | 06:00 | service in Server Admin, if it
wasn't showing up as a running process,
| | 06:04 | it wouldn't in fact be running.
| | 06:06 | As we talked about in the files
troubleshooting portion of this chapter, you
| | 06:11 | would look at the log files to see why.
| | 06:13 | If your lookups are not working from a
client, it can be useful to check to see
| | 06:17 | if you can perform a
lookup locally from the server.
| | 06:20 | You can be absolutely sure which DNS
server you're querying by typing its IP
| | 06:24 | address or its local loopback
address after the dig command.
| | 06:27 | That would look something like this.
| | 06:29 | You would type dig, then a space, then
an at symbol, and then you'd either type
| | 06:33 | the local loopback address, which
is always going to be 127.0.0.1.
| | 06:37 | That's on any computer. That basically
is the address that says, hey, look at my
| | 06:41 | local ethernet connection there.
| | 06:43 | Look back at myself essentially.
| | 06:45 | Then you would put in a space
and the name of your server.
| | 06:48 | Ours is server.groundswellgear.com.
| | 06:52 | So what we're saying here is you're
telling the dig application to query the DNS
| | 06:58 | server at that address which is the
local loopback address for this information.
| | 07:02 | We hit Return, and it gives us our answer.
| | 07:05 | There's our Answer Section right here.
| | 07:07 | So it has responded correctly to that query.
| | 07:10 | If our queries were not working
anywhere else, but they did work here,
| | 07:14 | you would know that your DNS service was
in fact working, but then perhaps there
| | 07:19 | was something in-between your client
system and the server that was interrupting
the requests from completing, maybe a
network service error or maybe a cable was
| | 07:27 | unplugged in some room somewhere.
| | 07:29 | But this gives you an idea of where
your troubleshooting should take you.
| | 07:32 | This tells you, yes, DNS is
working, and it can resolve my query.
| | 07:36 | Since we're here on the server, if you
find your DNS server doesn't respond to
| | 07:40 | requests properly, it may be that
the DNS root cache needs to be updated.
| | 07:47 | Sometimes these numbers and names
of the DNS root servers do change.
| | 07:51 | It's very infrequent however.
| | 07:53 | Still, it's good to know that there is
a command you can type that will go out
| | 07:58 | and look at the root servers and
get a new list of names and addresses.
| | 08:02 | That command is once again dig, but
with a different option. dig space dot,
| | 08:07 | it's just the period, another space, ns,
space, the greater than symbol, that's
| | 08:12 | just Shift and the period on your keyboard,
space slash var, slash named, slash named.ca.
| | 08:21 | Hit Return.
| | 08:22 | It won't give you any response.
| | 08:24 | It won't tell you that things are going well.
| | 08:26 | It won't tell you that things are going badly.
| | 08:27 | But in the background what's happening
is it's now updating the contents of the
| | 08:31 | file named.ca which is
location there in var/named.
| | 08:36 | And it is making sure that names and IP
addresses of all the root servers are correct.
| | 08:41 | And that's really important.
| | 08:43 | Now if you suspect that your server or
client system is responding to your DNS
| | 08:46 | queries with stale information, you can
force the refresh of that DNS cache by
| | 08:51 | just restarting the service that
handles all DNS queries now in OS 10.6.
| | 08:56 | This is on the server or the client.
| | 08:57 | So really you could do this on either place.
| | 09:00 | You restart the mDNSResponder process,
responsible for all DNS in 10.6, by typing
| | 09:06 | the following into the Terminal on
whatever system you believe to have bad data.
| | 09:10 | If you haven't already typed sudo,
you would type sudo. We have.
| | 09:13 | So assume that.
| | 09:14 | killall -HUP mDNSResponder.
| | 09:33 | Case sensitivity is important here. Hit Return.
| | 09:37 | Again, no response, but in the
background DNS has just restarted.
| | 09:41 | In the process of restarting, it's going to
clean out that cache and start with a fresh one.
| | 09:46 | So all this is done,
and it still doesn't work.
| | 09:48 | Well, maybe your problem isn't DNS at all.
| | 09:51 | Maybe your problem is in routing
from the Internet to your server.
| | 09:55 | If your server, like ours here, is on a
private network behind a NAT gateway,
| | 09:59 | make sure that you've forwarded the ports
necessary for your services to work properly.
| | 10:04 | If you're looking for the ports you
need to forward, you can either look at
| | 10:08 | the well-known TCP and UDP ports knowledge
base article at apple.com, or you can
just open up Server Admin and
look at the firewall interface.
2. Firewall
| What is a firewall and how does it fit into your server puzzle?| 00:00 | Having nothing to do with dangerous
walls of fire, a firewall is a device or
| | 00:06 | software on a computer that watches
data traffic and either allows or denies
| | 00:12 | passage, either in or
out based on rules you set.
| | 00:16 | Firewalls are cleverly named to
strike fear into the hearts of people
| | 00:20 | everywhere and yet they're very handy tools.
| | 00:23 | Essentially, firewalls are about
security, but I prefer to think of them in the
| | 00:28 | context of a nice
nightclub in a tough neighborhood.
| | 00:33 | The firewall in my analogy is the
bouncer standing out in front of the club.
| | 00:38 | In this case our bouncer is
standing in front of many different doors.
| | 00:44 | He can let you in or not.
| | 00:46 | He can also keep track of you
leaving and let you back in when you return
| | 00:51 | because he gave you a stamp on your
hand to show you've already been inside.
| | 00:56 | He controls who can get in, but he also
controls which doors can be opened or closed.
| | 01:03 | He can allow only the public in
one door, the mailman in another.
| | 01:09 | He can send the press to a special door,
and he can send kitchen deliveries to
| | 01:13 | an entirely different door.
| | 01:15 | All doors lead inside, but the
different doors are for different purposes.
| | 01:21 | The bouncer makes sure the right stuff
can get into the appropriate doors, and
| | 01:25 | the wrong stuff can't. He gets his rules
from the owner of the club and follows
| | 01:30 | them no matter what.
| | 01:32 | Because the club owner has a bouncer,
the club is a safer and more orderly place.
| | 01:38 | A firewall does the same thing, but with data.
| | 01:43 | The doors in our analogy are ports on
the network. Not physical ports, not a
| | 01:47 | hole you can plug something into, but
something defined in software that exists
| | 01:53 | for the purpose of organizing
the flow of data through a network.
| | 01:57 | In software, services have
ports associated with them.
| | 02:02 | Unsecured web pages are viewed and
served over one specific port that everyone
| | 02:07 | agrees to, just to keep things organized.
| | 02:11 | Web traffic is on port 80.
| | 02:13 | So by allowing or denying access to port 80,
we can allow or deny access to web pages.
| | 02:21 | All services that can travel
over networks have one or more ports
| | 02:25 | associated with them.
| | 02:26 | When a computer that happens to be a
web server sees a request come in on port
| | 02:31 | 80, it knows what to do with that
request, because of the port it came in on.
| | 02:36 | Services and ports are directly linked.
| | 02:39 | So it can be helpful to keep
track of frequently used ports.
| | 02:43 | Apple has a knowledge base article
that is updated whenever they create a new
| | 02:47 | service or use something new. Check it out.
| | 02:51 | It can really help when you
need to set up your firewall.
| | 02:54 | There are two protocols
commonly used on networks.
| | 02:57 | One is TCP and the other is UDP.
| | 03:01 | While the standards are tightly
defined and complicated, we can simplify them
| | 03:05 | down to one really important distinction.
| | 03:09 | Data transmitted over TCP is very
careful about whether all of the data arrives
| | 03:15 | at its destination and UDP isn't. TCP is
slower than UDP, because it spends a lot
| | 03:21 | of time checking with the recipient
to verify receipt of all of the data.
| | 03:26 | If data is lost in transit, TCP
transmission will automatically be
| | 03:30 | retransmitted until a perfect
transmission is verified by the recipient.
| | 03:36 | TCP is very reliable and is used when
the data being sent must arrive at its
| | 03:41 | destination perfectly.
| | 03:43 | This is typically used for documents or
images, things that must be stored and
| | 03:47 | reused at the destination.
| | 03:50 | UDP on the other hand doesn't really care if
the recipient gets the package in its entirety.
| | 03:56 | UDP cares more about how much data it can
shove out the door as quickly as possible.
| | 04:03 | A great use for UDP, for
example, is video streaming.
| | 04:07 | If there's a glitch in the video stream,
a viewer would probably rather see a
| | 04:12 | dropped video frame or pixelated images
than have to sit and wait for every
| | 04:16 | perfect frame to come in.
| | 04:18 | This has to do with how video is
perceived, and the fact that a stream of video
| | 04:23 | is being consumed in real time
and not saved for future use.
| | 04:27 | It evaporates immediately upon playback.
| | 04:29 | So if it isn't perfect, don't worry about it.
| | 04:32 | Just keep shoving the data out the
door. Because different services use
| | 04:36 | either TCP or UDP or both,
| | 04:39 | we have to specify the intended
protocol in our firewall settings.
| | 04:44 | So we almost have all of our firewall
bits and pieces figured out, but there is
| | 04:49 | one more important thing to understand.
| | 04:52 | A firewall can apply different rules to
traffic depending upon where it's coming
| | 04:57 | from and where it's going.
| | 04:59 | So you can set your firewall to allow
absolutely anything at all into and out of
| | 05:04 | your server as long as it's coming
from your internal network, but not allow
| | 05:09 | anything at all if it's
coming from anywhere else.
| | 05:13 | This is done by setting up address
groups and then using those groups to
| | 05:17 | organize different sets of rules.
| | 05:20 | Once you have your firewall configured
and ready to go, you turn it on and bingo.
| | 05:26 | The bouncer is at the door standing
there, arms crossed and looking mean.
| | 05:30 | Now, now that you know what a firewall
is, you're probably already thinking of
| | 05:35 | ways you could use one.
| | 05:37 | Let's get into Server Admin and see
how to set this up on Mac OS X Server.
| Firewall prerequisites| 00:01 | For this chapter, please remember that
you will have to have Snow Leopard Server
| | 00:05 | preinstalled, a basic Snow Leopard
Server already set up, and you will have to
| | 00:10 | have a monitor, keyboard, and
mouse already connected to your server.
| | 00:15 | A basic Snow Leopard client would
also help you out a lot to complete this chapter.
| Deploying the firewall| 00:01 | To configure the server-side firewall,
we begin by enabling the firewall service
| | 00:04 | so we can configure it, and we do
that in the Server Admin application.
| | 00:09 | We open Server Admin, click on the
server name, go to Settings > Services,
| | 00:15 | click the check box next to the Firewall,
click Save, and it pops up here in the sidebar.
| | 00:20 | When we select Firewall, the first
place it's going to take us is to
| | 00:24 | Settings and Address Groups.
| | 00:26 | So, we're going to start our
configuration by deleting any address groups that
| | 00:30 | we will not use, and then we'll add
back in any groups that we will use.
| | 00:34 | We will not be using the
192.168-net or the 10-net.
| | 00:38 | 10-net, because we don't have that
anywhere near us, and 192.168 because it's
| | 00:43 | just a little too open.
| | 00:46 | So we're going to get rid of both of these.
| | 00:48 | We do so by clicking the minus sign,
same thing there, and then we click the
| | 00:54 | Plus button in order to get a new group.
| | 00:56 | Now, we just name the group based on
whatever we think might make sense.
| | 01:01 | Following Apple's model, I've just
chosen to say 192.168.12-net, but then I need
| | 01:07 | to actually change the addresses
in the group to match what I said.
| | 01:10 | By the way, if you want to create a
firewall rule that will only affect one
| | 01:14 | machine, you can specify one specific
IP address that will have specific rules.
| | 01:19 | But we're not going to do that.
| | 01:20 | We're going to click the Plus button
here and we will put in exactly the CIDR
| | 01:25 | notation for the group we want.
| | 01:27 | Now, you'll need to know basic CIDR
notation, and by the way that's spelled
| | 01:30 | CIDR, to do this, but that's not so
bad, because you really only need to
| | 01:35 | remember the numbers 16, which gives you
about 65,000 addresses, 22, which gives
| | 01:40 | you about a thousand addresses, 24,
which gives you about 254 addresses, and 31,
| | 01:46 | which gives you one usable address.
| | 01:48 | There are others in there, and we'll
actually use a couple of different ones.
| | 01:50 | But you'll have most of what
you need with those numbers.
| | 01:53 | So, you can see that's
not that much to remember.
| | 01:56 | With the additional ones that I'm
going to throw in here, you'll probably end
| | 01:58 | up with six or seven that you'll want to
memorize, because they are very useful to know.
| | 02:03 | Because of the math involved in
addressing, you'll also have to be aware of
| | 02:06 | where the network ranges
are allowed to begin and end.
| | 02:09 | A great tool to help with
that is a CIDR calculator.
| | 02:12 | Many are available on the Internet.
| | 02:14 | Some are web apps, others are widgets.
| | 02:15 | I even have an iPhone app that does it.
| | 02:17 | Whatever tool you like,
there are lots out there.
| | 02:20 | The CIDR notation relates directly to
the way you have configured your network.
| | 02:25 | For example, we're going to set up
an address group just for our internal
| | 02:29 | DHCP address pool right now, and we
know that that will be set up for DHCP
| | 02:33 | later on in this class.
| | 02:34 | So we sort of have that planned out.
| | 02:36 | The pool is going to be from
192.168.12.64 to 192.168.12.127.
| | 02:46 | That's only 62 addresses, I know, but
you can make yours whatever you want.
| | 02:49 | For us, that's going to be enough.
| | 02:51 | We do that like this.
| | 02:55 | So as you can see, once you've got
your CIDR notation in there, the address
| | 02:59 | range is calculated for you below and
you can double-check your work to make
| | 03:02 | sure that it is, in fact, going to
be the numbers that you've specified.
| | 03:06 | Due to the math involved again with
CIDR notation, your address ranges have to
| | 03:09 | end and begin at certain numbers, so it
doesn't always work out exactly the way
| | 03:12 | that you would want to.
| | 03:13 | But this is a great way to configure
groups and have your firewall specifically
| | 03:18 | control those groups.
| | 03:20 | So, this is going to hit 64 through 127.
| | 03:23 | What I could do here is I could add a .64
right there, and I could just make it
| | 03:30 | the exact CIDR notation,
so I see that in my list.
| | 03:36 | Once you have it, click OK, double-check
your work, all looks good.
| | 03:40 | Let's make another one.
| | 03:42 | Click the Plus button.
| | 03:44 | This one is going to be for our VPN
range and in this one I'll just use a
| | 03:48 | different option here.
| | 03:49 | I'm just going to say VPN Range 192.168.12.
| | 03:51 | What I'm pointing out here is that it
doesn't have to be in that format that we
| | 03:59 | were showing before.
| | 04:00 | It can really be just about
anything as long as it fits into this box.
| | 04:03 | What's really important as far as your
mathematical configurations go is down
| | 04:07 | here in the Addresses in group section.
| | 04:09 | Click the Plus button, 192.168.12,
and this one we want to be a little bit
| | 04:14 | higher in our range.
| | 04:15 | Now, I know I'm going to be using a VPN
later in this title, so the ranges for
| | 04:19 | the clients I want to be
different from my DHCP range.
| | 04:22 | So my VPN range is going to be 192.168.12.128,
and that's going to go out through 159.
| | 04:30 | So, that one is going to
be a /27 notation, right?
| | 04:35 | 128 to 159, and again, it
doesn't give us that many addresses.
| | 04:39 | That's 30 IPv4 addresses and that, by
the way, corresponds to a subnet mask that
| | 04:45 | could be written that would say
basically the same thing of 255.255.255.224.
| | 04:52 | So, if you're more used to doing subnet
masks, understand that CIDR notation has
| | 04:56 | a direct correlation there.
| | 04:57 | It's just a different way
of writing the same thing.
| | 05:00 | Click OK and so now we've got our DHCP
range which we've written in this way,
| | 05:04 | and we've got our VPN range
which we've written in this way.
| | 05:07 | If you want to include the names of the
groups in your groups, you can do that.
| | 05:11 | I just use the two different ones so
we have an example of each. Click Save.
| | 05:15 | We've got our IP address groups.
| | 05:16 | Now we go over to Services and when
Editing services for, now we see our custom
| | 05:21 | edited groups here in this list.
| | 05:24 | Now, here in the Services section, we
want to enable only the protocols and
| | 05:29 | services that we really need for
the groups where they're necessary.
| | 05:33 | The default behavior for the "any" group,
which is basically anyone that's not
| | 05:37 | included in the two other groups we
specified, is to let all traffic out but
| | 05:42 | only the necessary ports for
Server Admin, etcetera, to come in.
| | 05:46 | Anything else you want to let in you
have to turn on yourself in this any
| | 05:51 | address group, and then be as
restrictive or as open as you deem appropriate,
| | 05:55 | given your organization and your data and the
security level you need with the other groups.
| | 05:59 | I recommend a cautious approach here.
| | 06:02 | In any new group, always turn on the ports
that are in Apple's any group, by default.
| | 06:06 | So, for example, you see here, we've
got these top four TCP (outgoing), TCP
| | 06:10 | (established), UDP Fragments, and UDP
outbound and responses, and then IGMP.
| | 06:15 | If we scroll down, we've got a few others.
| | 06:18 | We've got SSH, we've got Mail:
| | 06:19 | SMTP, and Server Admin and Server Preferences.
| | 06:23 | You really want to be certain that
you go through this list, DNS Directory
| | 06:26 | Access, and make sure that all of these
services are not only enabled in the any
| | 06:32 | group, but also in your other groups,
because when you create a new group, those
| | 06:36 | services are not turned on by default.
| | 06:39 | Now, I'm going to configure these
while we let time pass here, because
| | 06:44 | this takes some time.
| | 06:45 | I'm going to go through
and check these check boxes.
| | 06:48 | For you, it will just be a flip of a
second, but in real time here, we're going
| | 06:51 | to take some time and turn on
all the appropriate services.
| | 06:54 | All right, so I have now gone through
and basically duplicated the allowed
| | 06:59 | traffic in each of these areas.
| | 07:01 | In the any group, these things were
turned on and I've turned them on here in
| | 07:06 | our second group, and our third
group which is going to be for VPN users.
| | 07:10 | What this ensures me of is that
anything that is required to do incoming
| | 07:14 | traffic will be allowed, and anything
that's required for server administration
| | 07:18 | will also be allowed.
| | 07:20 | Now, once I've got this thing up and
running and everything works properly, I
| | 07:23 | can go back into my VPN Range, for
example, and I can turn off Server Admin
| | 07:28 | access, or I can turn off
SSH access from that range.
| | 07:31 | Same thing from the DHCP
Range that we've set up here.
| | 07:35 | But I like to start things off with
the same access that was available in our
| | 07:39 | original any group, because that's
going to ensure that we don't lose our
| | 07:44 | server administration capabilities once we
turn this thing on, which is really important.
| | 07:48 | Once you have your ports configured
for access the way you want them here in
| | 07:51 | Services, you can turn on
Stealth Mode over here in Advanced.
| | 07:56 | So, your server won't respond to pings,
and if you wish, you can change the
| | 08:00 | low-priority routing rules in the Advanced tab.
| | 08:03 | Just remember, usually there's no
reason to change these default behaviors,
| | 08:07 | but if you're an old hand at
firewall administration and you have a good
| | 08:09 | reason to do so, you can change the priority
of these rules or enable and disable them here.
| | 08:14 | Just remember, the firewall rules are
numbered and prioritized with the largest
| | 08:17 | numbers having the lowest priority here.
| | 08:20 | Tread lightly here, and when you're done,
save your work and start the firewall.
| | 08:24 | Now, once that's done, it's important
to understand that you aren't seeing
| | 08:28 | everything that could be
considered a firewall here in Server Admin.
| | 08:31 | The adaptive firewall is a monitor
called Emond that watches traffic coming into
| | 08:37 | the server and then can create and
disable firewall rules, like these, on the
| | 08:42 | fly, completely automatically.
| | 08:45 | It does this when certain
preset conditions are met.
| | 08:48 | So by default, the behavior that is
turned on that most of you will find
| | 08:51 | interesting is the failed login attempt
monitor, which will block login attempts
| | 08:56 | from a given IP address after 10
failed login attempts from that IP address.
| | 09:01 | After a 15-minute wait, login attempts
can be made from that IP address again.
| | 09:04 | So, this basically just provides you
with some protection from automated
| | 09:10 | attempts to guess users' passwords.
| | 09:12 | Now that we've looked at the server-side of
firewalling, I'm going to quit Server Admin.
| | 09:16 | We'll switch back over to our client system.
| | 09:19 | Here on our client system, I wanted to show
you some stuff about firewalling on the client.
| | 09:23 | Even though this course isn't really
about the Mac OS X client, I wanted to
| | 09:27 | show you how you can turn on and
configure the client-side firewall to work on
| | 09:30 | your client machine.
| | 09:32 | While IPFW, the firewall we just
configured on Mac OS X Server, is actually
| | 09:36 | present in the kernel on Mac OS X
client as well, the application firewall
| | 09:40 | is not IPFW, and you get to that from System
Preferences, in Security, under the Firewall tab.
| | 09:47 | You'll have to
authenticate in order to get in here.
| | 09:50 | To get to the Advanced button over
here, you're going to have to click the
| | 09:53 | Start button and then once you click
Advanced, your system will already have
| | 09:58 | Automatically allow signed software to
receive incoming connections checked and enabled.
| | 10:04 | Depending upon what services you've
already got running on your client, you
| | 10:07 | may, whenever you click that Advanced button,
receive a bunch of allow or deny access queries.
| | 10:13 | Just respond with those according
to what you think is appropriate.
| | 10:17 | Once you're in here, I'd like
to point out a couple of things.
| | 10:20 | This box here is where you can
allow or deny access to the network for
| | 10:25 | specific applications.
| | 10:28 | You can see because we already have
some services turned on, they've been
| | 10:31 | Allowed incoming connections by
default completely automatically.
| | 10:35 | If we click the Plus button, we can
find others that are sitting here,
| | 10:39 | like this, for example. Click Add.
| | 10:41 | And that will now be
allowed incoming connections.
| | 10:43 | Of course, we can also select here and
block those incoming connections for that
| | 10:47 | application if we wish to do so.
| | 10:49 | Now, this would be only necessary
if this application were not a signed
| | 10:54 | application that was signed
digitally by the application developer.
| | 10:59 | As long as this check box here is
checked, there is a certain amount of
| | 11:02 | automation to the allowing or the denying
of access for applications to the network.
| | 11:09 | As you can see down here, we have the
ability to enable stealth mode, just like
| | 11:13 | we did on the server.
| | 11:14 | This again, will allow this system to not
respond to ping traffic whenever it receives it.
| | 11:20 | If you're in a place with a
network that you don't necessarily trust,
| | 11:30 | coffee shop, trade show, someplace where you don't necessarily
know everybody that's going to be there, you can always just raise all shields.
| | 11:29 | You can just bring your Block all
incoming connections on, and that will just
| | 11:34 | supersede everything that you've got
configured here and block everything except
| | 11:38 | for outgoing traffic.
| | 11:40 | Remember that even with shields
raised to full, you can still make outgoing
| | 11:41 | requests for things like web pages and
those web pages will come back to you.
| | 11:42 | It's just that services you might
turn on like iChat won't be able to
| | 11:44 | automatically signify to others on
the network that you have come online.
| | 11:45 | Essentially, requests that are
allowed to come in to you must result from a
| | 11:46 | request you made through the firewall.
| | 11:47 | All other attempts to
connect to your computer will fail.
| | 11:48 | To enable that, you just click the
OK button and firewall is already on,
| | 11:49 | so you're all set up.
| | 11:50 | Now, to turn that off whenever you
get back from that trade show or coffee
| | 11:53 | shop, all you need to do is come
back in here, uncheck Block all incoming
| | 11:56 | connections, and click OK.
| | 12:00 | If you wanted to, you could even
click Stop and just turn off the firewall
| | 12:03 | entirely right here.
| | 12:04 | Of course, if you have any problems
with the firewall on your server or your client,
| | 12:08 | you're going to need to
troubleshoot that firewall, which is what
| | 12:11 | we're going to do next.
| | Collapse this transcript |
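The CIDR arithmetic the video walks through (the /26 DHCP range, the /27 VPN range and its 255.255.255.224 mask, the "ranges have to begin and end at certain numbers" constraint) as an added worked example; this is not code from the course, the group names and values are taken from the transcript, and it also checks the later DHCP point that a client handed a /26 mask cannot see a router at .1.

```python
from typing import Dict, Optional
import ipaddress

# Address groups as spoken in the video (values constructed from the
# transcript; the course itself contains no code).
ADDRESS_GROUPS: Dict[str, str] = {
    "DHCP Range 192.168.12.64/26": "192.168.12.64/26",
    "VPN Range 192.168.12": "192.168.12.128/27",
}

def describe_cidr(cidr: str) -> Dict[str, object]:
    """First/last address, dotted subnet mask and usable host count of a block.

    strict=True rejects a block whose first address is not on a CIDR boundary
    (e.g. 192.168.12.100/26), which is the "ranges have to begin and end at
    certain numbers" constraint from the video.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "usable_hosts": net.num_addresses - 2,  # minus network and broadcast
    }

def is_cidr_boundary(cidr: str) -> bool:
    """True if the block starts on a valid boundary for its prefix length."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False

def cidr_for_range(first: str, last: str) -> Optional[str]:
    """Single CIDR block covering exactly first..last, or None when the range
    would need several blocks (the case where CIDR "doesn't work out")."""
    blocks = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return str(blocks[0]) if len(blocks) == 1 else None

def pools_overlap(a: str, b: str) -> bool:
    """True if two address pools share any address (DHCP and VPN pools must not)."""
    return ipaddress.ip_network(a, strict=False).overlaps(
        ipaddress.ip_network(b, strict=False))

def gateway_reachable(client_subnet: str, gateway: str) -> bool:
    """True if the gateway lies inside the subnet a client was handed.

    A DHCP client told it lives in 192.168.12.64/26 cannot reach a router at
    192.168.12.1 without a route; with the /24 mask it can.
    """
    return ipaddress.ip_address(gateway) in ipaddress.ip_network(
        client_subnet, strict=False)

if __name__ == "__main__":
    for name, cidr in ADDRESS_GROUPS.items():
        print(name, describe_cidr(cidr))
    print("DHCP/VPN pools overlap:", pools_overlap(*ADDRESS_GROUPS.values()))
    print("router reachable from /26:", gateway_reachable("192.168.12.64/26", "192.168.12.1"))
```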
| Troubleshooting server-side firewall issues| 00:00 | The way we configured the firewall in
the last movie left your client in the
| | 00:04 | awkward position of being
unable to access the server remotely.
| | 00:08 | That's okay because right now you're
experiencing what happens if you set up a
| | 00:12 | firewall rule and it blocks your access.
| | 00:15 | It really isn't possible to get past it, is it?
| | 00:17 | It's rather annoying.
| | 00:19 | Well, this is why we advised you to
have a monitor, keyboard and mouse
| | 00:22 | attached to the server, because this is where
you're going to actually really, really need it.
| | 00:27 | On the server, we want
you to open up Server Admin.
| | 00:30 | When you open up Server Admin, you're
going to go to the Server, go to Firewall,
| | 00:35 | and under Settings, in Address Groups,
what we're going to do is we're going to
| | 00:40 | create a new rule that has the
IP address of our client machine.
| | 00:46 | We're going to allow it full access. Okay?
| | 00:50 | So we're going to click the Plus
button, we're going to give it a name that
| | 00:54 | makes sense to us, and we're going to put in
exactly its IP address, and we're using 12.20.
| | 01:03 | If you're using a different IP address,
feel free to put it in here now, and click OK.
| | 01:08 | So now, we've got our Server Admin
client, we click Save, and we can now come
| | 01:13 | over here to the Server Admin client,
which by default is going to only Allow
| | 01:18 | traffic to these ports, which is nothing,
and we're going to allow all traffic
| | 01:22 | to the Server Admin client.
| | 01:23 | When we click Save, now you'll be able to
access your server from your client system.
| | 01:29 | So, there we are.
| | 01:30 | We have basically gone through the
troubleshooting process here of realizing
| | 01:33 | that we have disabled our access to
the server using the firewall and we've
| | 01:38 | gone in directly using the keyboard and
mouse and monitor to turn on that access.
| | 01:43 | So, now that that's done and we have
the firewall rules configured the way we want,
| | 01:47 | you have changed your rules
either incrementally or dramatically to get
| | 01:52 | them exactly the way that you want them,
and you're going to want to use IPFW to
| | 01:58 | list all those rules that
are configured on the firewall.
| | 02:01 | Now, you could obviously look at
that list here and kind of combine the
| | 02:07 | combination of all the rules that
you've got available here to you, but this
| | 02:10 | isn't as slick and convenient
as doing it in the Terminal.
| | 02:14 | So, that's what we're going to do.
| | 02:15 | I'm going to quit Server Admin.
| | 02:16 | We're going to go to the
Utilities folder and open up Terminal.
| | 02:19 | When we get in there, we're just going
to type sudo -s, so that the rest of our
| | 02:25 | section here will be done as root,
then we're going to type ipfw list.
| | 02:30 | What results here is a list of all of the
rules that we have configured in our firewall.
| | 02:36 | So, all I'm going to do is I'm going
to select all of this and I'm going to
| | 02:40 | Command+C to copy it. Come
back over here into the Finder.
| | 02:43 | I'm going to go into TextEdit, change
this to Plain Text, and I'm going to paste
| | 02:49 | the contents into this TextEdit
document, and then I'm going to save this
| | 02:53 | document right here to my
Desktop as Firewall Rules.
| | 02:59 | This is going to be very useful in a
little bit, but for right now, let's stay
| | 03:03 | right here in Terminal, and we'll
talk about what this here is doing.
| | 03:07 | The first column of numbers you're
seeing there are the firewall rule numbers,
| | 03:12 | which is an important thing to have
because in the future there's going to be
| | 03:16 | some stuff we need to do that can
only identify these rules by that number.
| | 03:20 | So, that's why we have that text
document copied off to the side there.
| | 03:24 | We also have the traffic type and the
service port number, which will be how you
| | 03:28 | identify which service is enabled.
| | 03:30 | The ipfw list doesn't help you out the
way Server Admin does, in that it won't
| | 03:35 | list the service associated with a given port.
| | 03:37 | You have to either know the port and
what service it's associated with or have
| | 03:41 | a reference nearby to
consult, so you know what's what.
| | 03:44 | A very good reference is available at
Apple's web site in the well-known TCP
| | 03:48 | ports KB article, which is
available at support.apple.com.
| | 03:51 | It can be useful to copy and paste
this list of rules into a text document or
| | 03:55 | somewhere else for later access.
I put it in a text document, but keep in mind
| | 03:59 | you could put this list on a
password-protected blog page or Wiki page
| | 04:03 | in your IT department.
| | 04:04 | There are several places where you
could put it obviously, but you just want to
| | 04:07 | make sure that your rules are documented here.
| | 04:09 | If you want to turn off the firewall,
but can't access Server Admin for some
| | 04:13 | reason, you could just use the
sysctl command in the Terminal.
| | 04:17 | So, let's go ahead and do that now.
| | 04:19 | I'm going to type clear in order to
clear out the space and I'm going to type
| | 04:22 | sysctl -w net.inet.ip.fw.enable.
| | 04:32 | If it works successfully,
you'll get this as a response.
| | 04:34 | We can turn it back on again simply
by replacing that 0 with the number 1,
| | 04:40 | and hit Return.
| | 04:41 | That turns it back on.
| | 04:43 | Now, if the firewall is running on
your server and you're sure the rules are
| | 04:47 | configured correctly, but you still
can't log in, for example, from a remote
| | 04:51 | system, there is another possibility.
| | 04:53 | It's possible that the Adaptive
Firewall has kicked in, because someone's tried
| | 04:57 | to log in too many times from your
IP address and failed every time.
| | 05:01 | In that case, just wait for
more than 15 minutes and try again.
| | 05:04 | The Adaptive Firewall will have
expired its temporary rule by then and
| | 05:08 | it should let you in.
| | 05:09 | Of course, if you can't wait, you
could always try logging in from a
| | 05:12 | different IP address too.
| | 05:14 | If your firewall on the server is still
misbehaving, you can find out why fairly
| | 05:18 | easily, by opening up the log file for
ipfw in Console and watching the traffic.
| | 05:24 | We can do that easily from
right here by typing open /var/log/.
| | 05:29 | That's the path to it and then
just typing the name, ipfw.log.
| | 05:35 | By doing that, it tells the Console
application to open that log file and as
| | 05:38 | you can see, right here we've got the log file.
| | 05:42 | While watching that log, you can keep an eye
open for the rule numbers that are being logged.
| | 05:46 | They might just be the most
useful thing to look for.
| | 05:48 | First, because you can focus your
search down on a specific rule, which of
| | 05:52 | course means a specific
service that you're concerned about.
| | 05:55 | If you find a lot of denies for
something, it might be worth looking into
| | 05:59 | a little more deeply.
| | 06:01 | If you have a rule that's blocking
traffic erroneously in IPFW, you can delete
| | 06:05 | just that rule rather than
shut down the whole firewall.
| | 06:08 | As long as you have the rule number
documented somewhere, and let's get back to
| | 06:12 | our text document right here.
| | 06:15 | If you have your documented rules still
available from before, you can just find
| | 06:18 | a rule in that list that you want to delete.
| | 06:21 | When you find the number you want to remove,
just use that number to delete the rule.
| | 06:24 | So let's find something that we can
delete without hurting any of our services
| | 06:27 | that we're using right now.
| | 06:29 | We know that port 25 is used for SMTP,
and we're not doing any mail at this
| | 06:32 | time so we can kill this one pretty easily.
| | 06:35 | So, this rule number is 12307, so all
I need to do is go back into Terminal.
| | 06:42 | I'm going to flip over to Terminal
right here and we type ipfw del and then
| | 06:50 | that rule number, which is 12307.
| | 06:53 | Type that, hit Return, and that
firewall rule is now no longer there.
| | 06:58 | It's no longer a part of the
rules that we've put in place.
| | 07:01 | If we wanted to be really thorough
about it and kill everything going to port
| | 07:04 | 25, we could kill, look at that, 307 is
killing the UDP as well. So there we are.
| | 07:09 | We've got TCP and UDP both gone.
| | 07:12 | This is what we've saved.
| | 07:14 | So, we can check to make sure that the
rule was removed by going into Terminal again.
| | 07:17 | We can just up arrow to get back to
where we did our original ipfw list.
| | 07:23 | Hit Return and our rule should be deleted now.
| | 07:27 | 12307 and 12307 is now gone.
| | 07:33 | Now, keep in mind, port 25 traffic
from other rules were not deleted here,
| | 07:37 | because we only deleted the rule
number we specified and not all rules that
| | 07:40 | reference that port. So there we are.
| | 07:42 | That's how you delete a specific
rule from your IPFW configuration.
| | 07:48 | Now, in the DNS Servers, I've found
that it's useful to know the location.
| | 07:52 | I'll just clear this out, so we got
some more space to us, and I'll clean this
| | 07:56 | up, so we can see what
we're doing a little bit better.
| | 07:58 | Get out of Console.
| | 08:00 | In DNS, it's sometimes useful to
know where the locations of those
| | 08:03 | configurations files are, because
you want to double-check that they
| | 08:06 | were written correctly.
| | 08:07 | With the firewall, that's not so
necessary, but it's still useful to know where
| | 08:11 | those configuration files are located.
| | 08:13 | So we're just going to pop
into Terminal and locate them now.
| | 08:16 | Here in Terminal, we're just going to
cd over to /etc/ipfilter/ and run list.
| | 08:23 | While I'm here, I want you to make
note of, but please don't edit anything in
| | 08:28 | this directory, especially
if it has a .APPLE extension.
| | 08:32 | If you edit .APPLE extended files, your
firewall could become unresponsive, or
| | 08:36 | you could lose the ability to
control it with Server Admin.
| | 08:39 | But if you want to hand-edit a file in
this directory, a good candidate would be
| | 08:43 | the ipfw.conf file which
could be used to add rules.
| | 08:48 | If we type less and open ipfw.conf, you
can see here we have a lot of commented
| | 08:57 | stuff out here, but anything that you
add into this file that's not commented
| | 09:01 | will be respected by the IPFW system.
| | 09:05 | Just be very careful here whenever
you're making edits to this file, because
| | 09:09 | if you mistype something and save it, IPFW
is going to try to load and run with that.
| | 09:15 | As we've already experienced,
a misconfigured yet active firewall is a cruel
| | 09:19 | and unforgiving thing.
| | 09:20 | In our next movie, we're going to look
at how to troubleshoot firewalls from
| | 09:23 | the client side.
| | Collapse this transcript |
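The rule-number workflow from this movie (save the `ipfw list` dump, find the rules for a port, delete them by number, then watch ipfw.log for which rules are logging denies) as an added example; it is not code from the course, and both the `ipfw list` lines and the log lines are constructed approximations of the real formats, with only the port-25 rule numbers taken from the transcript.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample of an `ipfw list` dump saved to a text file, as in the
# video. Rule numbers 12307/12308 and the port-25 rules follow the transcript;
# the remaining lines are illustrative, not copied from a real server.
SAVED_RULES = """\
02000 allow ip from any to any via lo0
12300 allow tcp from any to any dst-port 22 in
12307 allow tcp from any to any dst-port 25 in
12308 allow udp from any to any dst-port 25 in
12310 allow tcp from any to any dst-port 311 in
65534 deny log ip from any to any
65535 allow ip from any to any
"""

# Constructed lines in the style of /var/log/ipfw.log: rule number, action,
# protocol, source and destination endpoints, then the interface.
SAMPLE_LOG = """\
Mar  1 10:00:01 server kernel: ipfw: 65534 Deny TCP 10.0.0.9:51000 192.168.12.2:445 in via en0
Mar  1 10:00:02 server kernel: ipfw: 65534 Deny TCP 10.0.0.9:51001 192.168.12.2:445 in via en0
Mar  1 10:00:03 server kernel: ipfw: 12300 Accept TCP 192.168.12.20:50000 192.168.12.2:22 in via en0
Mar  1 10:00:04 server kernel: ipfw: 65534 Deny UDP 10.0.0.9:51002 192.168.12.2:137 in via en0
"""

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny)(?:\s+log)?\s+(?P<proto>\S+)"
    r"\s+from\s+\S+\s+to\s+\S+(?:\s+dst-port\s+(?P<port>\d+))?"
)
LOG_RE = re.compile(
    r"ipfw:\s+(?P<num>\d+)\s+(?P<action>Accept|Deny)\s+(?P<proto>\S+)"
    r"\s+(?P<src>\S+)\s+(?P<dst>\S+)"
)

def parse_rules(text: str) -> List[Dict[str, object]]:
    """Turn saved `ipfw list` lines into dicts; lines that do not parse are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({
                "num": int(m["num"]),
                "action": m["action"],
                "proto": m["proto"],
                "port": int(m["port"]) if m["port"] else None,
            })
    return rules

def rules_for_port(rules: List[Dict[str, object]], port: int) -> List[int]:
    """Rule numbers that name this destination port explicitly."""
    return [r["num"] for r in rules if r["port"] == port]

def delete_commands(rules: List[Dict[str, object]], port: int) -> List[str]:
    """The `ipfw delete <number>` commands that remove every rule naming the port.

    Only rules with an explicit dst-port are matched: a catch-all such as
    '65535 allow ip from any to any' still passes port 25 afterwards, which is
    the caveat the video makes about deleting by rule number.
    """
    return [f"ipfw delete {n}" for n in rules_for_port(rules, port)]

def deny_counts(log_text: str) -> Dict[int, int]:
    """Number of logged Deny packets per rule number (what to watch in Console)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m["action"] == "Deny":
            counts[int(m["num"])] += 1
    return dict(counts)

def denied_sources(log_text: str) -> Dict[str, int]:
    """Source IPs behind the Deny entries, to spot one host hammering the server."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m["action"] == "Deny":
            counts[m["src"].rsplit(":", 1)[0]] += 1
    return dict(counts)

if __name__ == "__main__":
    rules = parse_rules(SAVED_RULES)
    print("\n".join(delete_commands(rules, 25)))
    print("denies per rule:", deny_counts(SAMPLE_LOG))
    print("denies per source:", denied_sources(SAMPLE_LOG))
```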
| Troubleshooting client-side firewall issues| 00:01 | Since I showed you how to configure the
application firewall and turn it on,
| | 00:04 | I think it's only fair that I show you
where its log file is and how to read it.
| | 00:08 | So, to do that, we're going to go into
Terminal once again and we're just going
| | 00:12 | to type open /var/log/alf.log.
| | 00:19 | When that opens, it'll open up in
console and we'll see here that we have our
| | 00:24 | application firewall log.
| | 00:27 | One of the last things that it
mentions is that it's creating
| | 00:29 | the appfirewall.log.
| | 00:31 | So, we're going to go down here and
look at the rest of what it lists.
| | 00:35 | So, when you read that log, it's
simply going to tell you about allowed or
| | 00:38 | denied traffic associated with an
application name and where the traffic came from.
| | 00:43 | If the log is telling you that it's
denying traffic you didn't intend, take a
| | 00:47 | look at that application firewall
configuration again to make sure it's what you wanted.
| | 00:51 | If your system is blocked from
administering the server still at this point,
| | 00:56 | you're going to want to go back to your
server using the local connection that
| | 01:00 | we recommended in the
Understanding This Title movie.
| | 01:04 | Check your computer group to make
sure that the address is the same as the
| | 01:08 | static IP address that you have
configured here on your client system.
| | 01:13 | You want to be sure that you
have full access at this point.
| | 01:17 | Go ahead and do that now, as you're
going to need your server to be fully
| | 01:20 | accessible from at least the client
computer from this point forward in the title.
| | 01:26 | In some organizations, there are
entire groups of people dedicated to
| | 01:30 | configuring and monitoring
the organization's firewall.
| | 01:33 | If you're in a small
organization or maybe it's just you,
| | 01:36 | it's still worthwhile to open up the
logs especially on your server and in
| | 01:41 | Console, filter on the word Deny,
and scan through it quickly for large
| | 01:46 | chunks of deny activity.
| | 01:48 | You can do that easily by going into
your server, just as we are here on the
| | 01:51 | client, and just typing the word
deny here and what will result will be
| | 01:55 | anything that was denied traffic.
| | 01:57 | If someone is trying to break into your
server, it's better to find out about it
| | 02:01 | before they succeed, than to react to
the break-in once it's already happened.
| | Collapse this transcript |
3. DHCP
| What is DHCP and how does it fit into your server puzzle?| 00:00 | DHCP stands for Dynamic
Host Configuration Protocol.
| | 00:06 | Sounds intimidating,
doesn't it? It's not that bad.
| | 00:09 | Actually, you use DHCP everyday.
| | 00:12 | So, you probably should know
what it is and how it works.
| | 00:15 | A DHCP server, when enabled on a
computer network, will assign IP addresses
| | 00:21 | and network configuration information
to computers when they come onto the
| | 00:25 | network and request it.
| | 00:27 | If you think of a computer network as
a cruise ship, a DHCP server sits there
| | 00:33 | like the cruise director with a
clipboard, handing out temporary name tags to
| | 00:37 | guests as they arrive.
| | 00:39 | The cruise director greets them,
provides them with a number, and some rules
| | 00:43 | about what rooms they can get in to and
what they can't. The kids, for example,
| | 00:48 | get a special wristband that lets
them into the kids' area, and adults get
| | 00:52 | another wristband that
let them into other areas.
| | 00:55 | Maybe the ship's staff come in and get
exactly the same name tag every time,
| | 01:00 | because the cruise director needs them to
be consistently identifiable by the guests.
| | 01:05 | Now, if we flip this analogy over to a
computer network, that works in a similar way.
| | 01:10 | The DHCP server can hand out all the
information the guest devices need to
| | 01:15 | function on the network.
| | 01:17 | The server can give them
different information, depending upon what
| | 01:21 | network they've connected to, or
it can even give a client system the
| | 01:25 | exact same address, every time it
connects, based on some predefined
| | 01:29 | identification information.
| | 01:30 | The benefit of this is that a network
administrator doesn't have to keep track
| | 01:35 | of a bunch of static IP addresses.
| | 01:38 | Instead, the DHCP server can just hand
out necessary information as it's needed.
| | 01:45 | This also makes it really easy to
change network information, as you only have
| | 01:50 | to change the information on the
DHCP server and perhaps a few manually
| | 01:55 | addressed devices if you need
to change your network design.
| | 01:58 | So, super cool, right? All right!
| | 02:01 | So, let's get a few terms out of the way,
and then we'll get to configuring it.
| | 02:05 | If you need to set up DHCP, you can
do so with many different devices.
| | 02:09 | For example, using an AirPort Base Station, any
commercial residential router, or using a server.
| | 02:17 | We're going to look at how to
do this using Mac OS X Server.
| | 02:21 | But many of the principles will still
apply regardless of which device you
| | 02:25 | use to set up DHCP.
| | 02:27 | DHCP hands out a bunch of network information.
| | 02:31 | But the most important thing that most
people think about is the IP address.
| | 02:37 | We defined what an IP
address is in the DNS chapter.
| | 02:41 | But basically, it's a number that
provides an address other computers can use to
| | 02:47 | find your computer on a network.
| | 02:50 | The word Dynamic in DHCP indicates
that the IP will be dynamic or changing.
| | 02:57 | Now, I understand, change is scary,
but that's okay, because any machine
| | 03:01 | getting a dynamic address probably doesn't need
to be at the same address all the time anyway.
| | 03:08 | By the way, that's why you generally
want to put printers and servers on static
| | 03:14 | IP addresses, whether
configured with DHCP, or manually.
| | 03:18 | You don't want them moving around on you.
| | 03:20 | DHCP also hands out subnet information,
which is important, because the subnet
| | 03:26 | tells your computer how many
other devices might be in the area.
| | 03:31 | It, in conjunction with your IP address,
defines where your computer is on the
| | 03:36 | network, and how many other addresses
your computer should look for to find
| | 03:41 | stuff that's close to you.
| | 03:43 | You can set up DHCP on many
different devices, in many different ways.
| | 03:47 | Though many of the principles of what we're
about to do will apply to any DHCP server.
| | 03:53 | What we're going to do now is look at
how to do this using Mac OS X Server.
| | Collapse this transcript |
| DHCP prerequisites| 00:00 | Here in the DHCP chapter, we're
going to still need to have the Snow
| | 00:04 | Leopard Server installed.
| | 00:05 | We'll have to have the basic Snow
Leopard Server set up already, but most
| | 00:09 | importantly, please make sure you're
disconnected from any other network, other
| | 00:14 | than the one we are working on,
in this class. I'm not kidding.
| | 00:17 | This is really, really important.
| | 00:19 | Because if you turn on your DHCP
server during this chapter on an existing
| | 00:23 | network, you're going to mess stuff up
for other people and we want to play
| | 00:27 | nice with others, right? Okay!
| | 00:29 | Also, it could be helpful for you to
have a Snow Leopard client set up already
| | 00:32 | as well, just so you can test out
your DHCP once you do get it running.
| | Collapse this transcript |
| Deploying DHCP| 00:00 | If you've been following along in this
class from the beginning, you know by now
| | 00:03 | that we went out and purchased a very
inexpensive router to host our network.
| | 00:08 | We left NAT on, but turned DHCP off.
| | 00:11 | Now admittedly, this is a rare
configuration option, because DHCP is on by
| | 00:15 | default in just about
every router for sale today.
| | 00:18 | I say just about because nothing is
100%, but it's probably all of them.
| | 00:22 | Anyway, if you have been doing this
title up until now with DHCP on in your
| | 00:27 | router, go ahead and turn
it off now. Don't worry.
| | 00:30 | I'll wait. Oh!
| | 00:33 | If you have an AirPort Base Station,
and you want to use that as your router,
| | 00:36 | don't. Not for this chapter anyway.
| | 00:38 | You can't turn on NAT and turn off
DHCP at the same time on those devices.
| | 00:43 | So, for the purpose of this chapter,
the Apple AirPort Extreme or Express Base
| | 00:48 | Stations, though excellent
products overall, just won't work here.
| | 00:53 | Now that we have that out of the way,
open Server Admin and go to Services.
| | 00:57 | We have Server Admin right here in the
dock and yes, we are actually getting
| | 01:02 | onto this from the client, so
all of this is happening remotely.
| | 01:06 | We're going to go to Settings >
Services > DHCP and we'll click Save and then
| | 01:14 | come over and click on DHCP in the sidebar.
| | 01:18 | Configuring DHCP is pretty easy, but
you have to know your IP ranges before
| | 01:22 | you start the service.
| | 01:23 | Otherwise, if you get it wrong,
you'll just end up coming back in here and
| | 01:26 | doing it all over again.
| | 01:28 | In our planning, we decided that we
would have a DHCP range from 192.168.12.64
| | 01:35 | to 192.168.12.127, and that that would
be the range that would be handed out to
| | 01:41 | computers using the DHCP service.
| | 01:44 | Now, I know that I'm also going to be
using a VPN later in this title and I
| | 01:48 | want different ranges for those
clients to be handed out by the VPN server.
| | 01:53 | My VPN range will be 192.168.12.12
through 192.168.12.159.
| | 02:01 | So, I can't interfere with those
addresses here in the DHCP settings.
| | 02:04 | Since our DHCP range is 192.168.12.64
through 192.168.12.127, but our router is at
| | 02:13 | 192.168.12.1, our server is at 192.168.12.2,
and we want our DHCP clients to be
| | 02:21 | able to see the entire 254
nodes subnet as a local network,
| | 02:26 | we will not be using the CIDR notation that
we used in the firewall to configure this.
| | 02:32 | We start by going into subnets.
| | 02:35 | We click on the name of the
default subnet and we delete it.
| | 02:39 | We click Save and we click the Plus button.
| | 02:42 | This gives us a brand-new one.
| | 02:43 | Now this subnet name, I'm
just going to call Internal DHCP.
| | 02:50 | The starting IP address, as we said, is
going to be 192.168.12.64. Our ending IP
| | 02:58 | address, 192.168.12.127.
| | 03:03 | Now, this is where this becomes important.
| | 03:05 | What I just said about the subnet mask,
if we were using the CIDR notation from
| | 03:08 | our firewall rule, we would be doing this.
| | 03:14 | And that would be bad, because in this case,
if we were to set that up, the only
| | 03:19 | computers that any of our DHCP clients
would be able to see would be computers
| | 03:24 | between 64 and 127, which means they
wouldn't be able to get to our router.
| | 03:27 | The router is at 192.168.12.1.
| | 03:34 | That wouldn't work, because these
systems wouldn't be able to see the router,
| | 03:37 | because it's outside of the subnet.
| | 03:39 | So, we have to make this the 255.255.255.0 subnet. That would give us full
| | 03:45 | access to that 254-node range.
| | 03:49 | We also want to configure the correct
Ethernet interface for the network that
| | 03:53 | will be sending out that DHCP information.
| | 03:55 | So, we're going to go with en0, and once
again, now that we've got this, we'll go 192.168.12.1.
| | 04:02 | A lease time typically is
actually close to 4 hours.
| | 04:06 | Once we have that in place,
we can go over here to DNS.
| | 04:09 | DNS is currently configured
as the local loopback address.
| | 04:12 | That clearly won't work for our clients
though, because they're not hosting DNS servers.
| | 04:16 | So, what we need to do is put in our
DNS server as the DNS server that's
| | 04:22 | handed out via DHCP.
| | 04:24 | We can also take this opportunity to
put in our network's search domain, which
| | 04:31 | means that this will be handed out into
the network settings,
| | 04:34 | and all of the clients will receive an IP
| | 04:38 | address from 64-127, as
they come on the network.
| | 04:43 | With that, we can click Save.
| | 04:44 | Now with your DHCP range configured
and assigned to the correct network
| | 04:48 | interface, you can move on to
configure the LDAP options that are available here,
| | 04:52 | and you could also configure
your WINS options available here.
| | 04:56 | But there are two problems with this.
| | 04:58 | First, as a security best practice, you
generally don't want to let your client
| | 05:03 | machines pick up LDAP information for
authentication and contacts via DHCP,
| | 05:08 | because they will do that on every
network they connect to, potentially
| | 05:11 | opening the client to being
compromised by a rogue DHCP server.
| | 05:16 | A rogue DHCP server is one that is
functioning on a network where it shouldn't exist.
| | 05:21 | A malicious rogue DHCP server could
be used to pass out LDAP information to
| | 05:26 | clients to allow a hacker to log in to
those client machines, because LDAP has
| | 05:31 | the capability of sending that
information out, and then the client system would
| | 05:36 | use that information to look back at a
directory of user accounts that are able
| | 05:40 | to log into it. Because that
would be a bad thing, generally,
| | 05:44 | you probably want to turn off the
ability to receive that kind of auto-configured
| | 05:48 | LDAP information on all of your clients.
| | 05:51 | If you turn it off on all of your
clients, and it's off by default on 10.6, then
| | 05:54 | there is really no point in
configuring it in OS X Server's DHCP settings.
| | 05:59 | So, I would leave this blank.
| | 06:01 | If you're on a network where WINS is
used, you can add those settings to the
| | 06:05 | WINS tab, and the Windows clients
will pick up that autoconfiguration
| | 06:08 | information as well, which will
make it easier for them to find network
| | 06:11 | services on your network.
| | 06:12 | We don't have any network services
here offered up in the WINS format.
| | 06:17 | We don't in fact have any Windows
clients right now, so that's not going to
| | 06:21 | be configured either.
| | 06:22 | We're going to leave both LDAP and WINS blank.
| | 06:24 | Configure General and DNS, both as
we've shown already, and we've already
| | 06:29 | clicked Save, so all we need to do now is
click the Enable check box next to Internal DHCP.
| | 06:35 | And that once saved will be an enabled
DHCP range that will be served out over
| | 06:42 | the en0 network interface.
| | 06:45 | Before you start DHCP, it can be
useful to go to Settings and turn your
| | 06:48 | Log Levels up to High.
| | 06:50 | That way you'll get full logs on
everything that's going on with DHCP, which is
| | 06:55 | being handled by the BOOTP service.
| | 06:57 | I click Save there and I click Start DHCP.
| | 07:03 | We're now handing out DHCP
over that network interface.
| | 07:08 | All we need to do now is open up a
client and have it attached to the network.
| | 07:13 | We can see if clients have attached to
the network by clicking over here on the
| | 07:17 | Clients interface and as people come
on the network, we'll see the computer name,
their MAC address, their client
ID, their IP address that we've given
| | 07:25 | them, and the lease time
remaining on their DHCP lease.
| | 07:29 | So, we've opened up a laptop,
and there we go! Excellent!
| | 07:33 | We just click Refresh a few
times and it's popped right up.
| | 07:36 | So, we see the computer's name, we see
its MAC address, we see the IP address
| | 07:40 | that it's been handed, and
how much lease time now remains.
| | 07:44 | Now the nifty thing about this is that
once we've got somebody that's received
| | 07:48 | an IP address, this gives us an
opportunity to create a static map.
| | 07:51 | All we have to do is click the Create
Static Map button and come up here and
| | 07:56 | click Create Map, flip down the
triangle, and here you've got all of the
| | 08:02 | information that the client just received.
| | 08:04 | If we want to change any of that
information, we click the Edit button,
leave the Computer Name exactly as it is
unless you want to mess with the client.
| | 08:13 | Leave the MAC Address exactly as it is.
| | 08:15 | But we can change this IP Address.
| | 08:17 | We can say, I don't want
this to receive the 64-address.
| | 08:21 | I want this one to always receive the
127-address, and we just do that by coming
| | 08:26 | out here to the end and giving it an
IP address that's in the DHCP range.
| | 08:31 | This is a really handy way of using DHCP,
but still providing a device with the
| | 08:36 | same address all the time.
| | 08:38 | It's sort of a mixture between this
dynamic addressing and static addressing,
| | 08:41 | making it easy to locate the
device over and over again.
| | 08:45 | This could be a really cool trick
to use with printers, which are
| | 08:48 | configured to pick up a DHCP address
when new, without any local configuration,
| | 08:53 | right out of the box.
| | 08:54 | Once the device is in the table, just
use that information to get into this
| | 08:58 | interface to set the IP address information
you want for that printer and bam! You're done!
| | 09:03 | Click OK and that device will always get
that same address every time. Click Save.
| | 09:08 | It will ask you if you want to restart DHCP,
but that's no big deal, and you're done.
| | 09:15 | DHCP is a solid technology that's been
around for years, but there are still
| | 09:19 | plenty of things that can go wrong with it.
| | 09:21 | Let's look at ways to
troubleshoot DHCP in the next movie.
| Troubleshooting DHCP| 00:00 | When troubleshooting DHCP, there are
a few places you can look to see if the
| | 00:04 | problem is local to the server or in
the client or in the network in between.
| | 00:09 | If you think about it, DHCP
functions properly when the client asks if a
| | 00:14 | DHCP server is present.
| | 00:16 | The server responds that it is, then
the DHCP client requests an address, then
| | 00:21 | the server provides all the configuration info
that it has for the system on a leased basis.
| | 00:26 | When the client comes to the end of
its lease, it renews and usually will get
| | 00:30 | the same IP address upon renewal of the lease.
| | 00:32 | And when the client leaves the network,
it tells the server that the address
| | 00:35 | has been leased and that it's being
returned to it and is available now for
| | 00:40 | someone else to use.
| | 00:41 | The first thing that can get in the
way of that is that the server might not
| | 00:45 | hear the client's query about
whether the server is out there or not.
| | 00:49 | Then that communications process can
be interrupted by a network disconnection
| | 00:53 | like an unplugged cable or a damaged
network interface, or by access control
| | 00:57 | lists on a switch that forbid the
client from accessing the service, or by a
| | 01:02 | firewall rule that prevents the
traffic from reaching the server.
| | 01:05 | I'm going to open Server Admin, here we
are on the server, and I'm going to take
| | 01:12 | us back over to the firewall.
| | 01:15 | Now we've got our various groups, and
I'm going to go into our DHCP range and
| | 01:23 | what I want to do here is I want to
make sure that the ports that are necessary
| | 01:28 | for DHCP are enabled in all necessary groups.
| | 01:36 | I am going to sort by Description and
this is where Mac OS X Server's Server
| | 01:45 | Admin interface really shines.
| | 01:47 | The ports that are necessary are 68 and
67 and all you have to do to find them
| | 01:51 | is sort out DHCP and you've got them.
| | 01:53 | Those are the only two ports that are necessary.
| | 01:55 | I'm going to just be doubly secure here.
| | 01:59 | That one's allowing all traffic, and I
think we've got the any group's rules set to
| | 02:02 | Allow all right now, which
is fine for what we're doing.
| | 02:06 | So the point being that you make
sure that you're allowing 68 and 67 for
| | 02:10 | absolutely everyone.
| | 02:12 | You can check your active rules over
here, but once you've done that,
| | 02:16 | your client should be able to receive a DHCP address.
| | 02:21 | So that's accessing the Firewall and
changing the way it is configured to allow
| | 02:25 | your DHCP to function properly.
| | 02:27 | And even if it's not your firewall, if
it's someone else's, you can go to them
| | 02:30 | and say hey, turn on Port 67 and 68.
| | 02:33 | We need that to be available because DHCP
has to work, and that's what they can do.
| | 02:38 | Another easy thing to fix is to find
out if the service is actually running.
| | 02:41 | Let's say you can't get into
Server Admin for some reason.
| | 02:46 | Lo and behold, yes, there is.
| | 02:48 | There is a Terminal way to do this.
| | 02:50 | If we open up Terminal here from the
server, and we just type sudo -s to make us
| | 02:56 | root, and we just type
serveradmin fullstatus dhcp,
| | 03:03 | what we get back is a really
detailed list of what's going on with DHCP.
| | 03:09 | We know that it's running.
| | 03:10 | We know its backendVersion.
| | 03:12 | We know how many active clients it's got.
| | 03:14 | We have a lot of information that can
all be very useful for troubleshooting.
| | 03:18 | So that's a very important thing to
remember, and it's a good thing to memorize.
| | 03:21 | It's serveradmin fullstatus dhcp.
| | 03:25 | BOOTP is the name of the service
that runs DHCP on Mac OS X Server.
| | 03:29 | So, when you look at logs for useful
troubleshooting information, what we want to
| | 03:33 | look at is the system log.
| | 03:35 | So I'm going to go into Utilities, and
I'm going to go to Console and open it.
| | 03:40 | And what we're going to do now
is we're going to close this down.
| | 03:43 | We're going to find the system log.
| | 03:45 | The system log is right here.
| | 03:46 | And if we do a filter on BOOTP, what
we'll find is all of the traffic that has
| | 03:52 | been generated by our DHCP server.
| | 03:54 | And here you can see the offering and
the replying and all of the transaction
| | 03:59 | information that's in place here
between our server and our client system.
| | 04:04 | If there is a problem, if, for example,
a request is being received, but a
| | 04:08 | reply is not being sent, you'll see
that here and you can troubleshoot that
| | 04:12 | from this position.
| | 04:14 | So this is a great log to look at right here.
| | 04:17 | Just remember to filter on BOOTP
when you come in here and look.
| | 04:21 | If you haven't done so already, this
would be a great time to try to access the
| | 04:25 | network using a device that can pick up DHCP.
| | 04:29 | We already did that in our
Configuring movie, so we know it's
| | 04:32 | functioning properly.
| | 04:34 | But it's a fairly easy thing to do.
| | 04:35 | You plug any device into the network
and if it receives an IP address in the
| | 04:39 | range that you specified,
your DHCP server is working.
| | 04:43 | We have success then and we can move
on to our next subject, which is VPN.
4. VPN
What is a VPN and how does it fit into your server puzzle?| 00:00 | You need to say something very
important and very private to someone else.
| | 00:06 | You're a spy, and your secret
could mean life or death for millions.
| | 00:12 | The security of what you're
about to say cannot be compromised.
| | 00:17 | You're watched, you're bugged, and
every word you say is heard instantly by
| | 00:23 | everyone you must evade.
| | 00:26 | You need some way to communicate
securely and accurately with someone in another
| | 00:32 | room in another country,
thousands of miles away.
| | 00:38 | You step very carefully into a dark box
about the size of an old wooden phone booth.
| | 00:47 | You close the door behind you, and
you're encased in darkness and silence.
| | 00:55 | The sounds from the room you just
left are gone. The light is gone.
| | 01:01 | Everything is gone.
| | 01:04 | You say your name and a password, and
the box transmits a secret only the box
| | 01:10 | knows to another box in another
room, thousands of miles away.
| | 01:16 | Suddenly, you're bathed in light
and the sounds from that distant room
| | 01:21 | thousands of miles away.
| | 01:22 | You're not there, but you see and
hear and can interact with others in that
| | 01:29 | room as if you are there.
| | 01:32 | You have entered a VPN.
| | 01:36 | You may not be a secret agent, you
may not even be the IT guy who supports
| | 01:40 | spies, but you probably want to protect
yourself from the prying eyes of hackers
| | 01:46 | or other snoopers who would just
love to know what you're doing.
| | 01:50 | A lot of hackers would be very happy to
sniff your username and password off a
| | 01:56 | public network, so they can
access your accounts later.
| | 02:00 | You'd be surprised how easy it
is to eavesdrop on a network.
| | 02:05 | If you have ever connected to a wireless
network in a coffee shop, a hotel, or a
| | 02:11 | library, your data was exposed to
everyone else on that network at that time.
| | 02:19 | If you logged into chat or checked your
e-mail or made an online purchase, your
| | 02:25 | personal information was
probably exposed on that network.
| | 02:30 | There are only a few ways to protect
yourself from the people who want to
| | 02:33 | collect your information.
| | 02:36 | One of those ways is using SSL, and
you may remember that we tackled the
| | 02:41 | subject of SSL in Snow Leopard Server
New Features, and in Snow Leopard Server
| | 02:47 | Essential Training.
| | 02:49 | But for all of your stuff that
isn't or can't be protected using SSL,
| | 02:56 | there's really only one black box you can
step into to protect yourself, and that's a VPN.
| | 03:02 | Encryption is a cool technology,
and it's been around for centuries.
| | 03:07 | From Julius Caesar to the US military
employing Native American code talkers to
| | 03:12 | speak in their native language to create
an unbreakable code in World War II, to
| | 03:17 | the James Bond spy novels, encryption
has been in our collective culture for
| | 03:22 | what seems like forever.
| | 03:24 | Encryption is code.
| | 03:27 | When you encrypt data, you wrap up
something that anyone could read in a
| | 03:33 | wrapper that changes it.
| | 03:34 | So it cannot be read until it gets to
its destination where a code can be used
| | 03:40 | to unravel the mystery of the context.
| | 03:43 | This makes it readable again.
| | 03:45 | When you activate a VPN, you can send
all of your network traffic from your
| | 03:50 | computer to your VPN server in an encrypted
form that can only be unraveled by the VPN server.
| | 03:58 | As a result, you can send and receive
information to and from your trusted
| | 04:04 | network without any fear of
interception by the bad guys.
| | 04:08 | To prove you are who you say you are,
you have to authenticate, and this process
| | 04:13 | is simple and should be straightforward
for any person who can use a computer.
| | 04:18 | All the person must do to
authenticate is enter their unique username and
| | 04:22 | the correct password.
| | 04:24 | In our analogy above, the black box
transmitted its own secret to another
| | 04:29 | black box as the final step in the process,
before our hero was transported safely away.
| | 04:36 | In a real VPN, at least sometimes,
a shared secret must be present in addition
| | 04:43 | to the authentication information
to complete a secure transaction.
| | 04:48 | Sometimes the VPN server is embedded on
a piece of network equipment, but OS X
| | 04:53 | server has VPN server software
included and it's really very good.
| | 04:58 | So let's get into Server Admin
and configure our VPN server.
| VPN prerequisites| 00:00 | Here in the VPN chapter, again, we will
need Snow Leopard Server installed and set up.
| | 00:05 | We will also want to connect a client
machine to the Internet via some other
| | 00:11 | network, other than what we have got
set up, and this is a really different
| | 00:14 | reason than the stuff we
were talking about over in DHCP.
| | 00:19 | The point of the VPN is that you
have to make a remote connection.
| | 00:21 | Well, if your client is connected to
the same network as the VPN server, it sort
| | 00:25 | of misses the point.
| | 00:26 | So, get yourself a client, hook it up
to something on the outside world if you can.
| | 00:31 | A Wi-Fi card from a cell provider
is a good choice here, or you can go over
| | 00:36 | to a friend's house and try it
from there. That would work too.
| | 00:39 | One way or the other you are going to
need to have that connection outside.
| | 00:42 | If you want to use the fully
qualified domain name of your server from the
| | 00:46 | Internet in your VPN configuration,
you'll have to have that ISP level DNS set
| | 00:51 | up correctly. Otherwise from the outside,
| | 00:53 | you are just not going to be
able to connect your server.
| | 00:55 | Now you could always use your external IP
address so just remember that is possible too.
| | 01:00 | Be sure to have Firefox or whatever
program is necessary to work with your
| | 01:05 | router available for you to use,
because we do actually go in and make changes
| | 01:10 | to the router in this chapter.
| | 01:12 | So it's important to have whatever
prerequisites are necessary for your router
| | 01:16 | in place before we get started.
| Deploying a VPN| 00:00 | When deploying a VPN you have to
think about three things right away,
| | 00:04 | your network router, which contains a
firewall of some sort and is performing NAT
| | 00:08 | most likely, your server, and its
firewall settings and your client, and its
| | 00:14 | compatibility with your available technologies.
| | 00:16 | The first place we need to go is the router.
| | 00:21 | We access that usually through a web interface.
| | 00:24 | Yours may go through a Telnet
session on a command line client.
| | 00:28 | They are all different.
| | 00:29 | So we are just going to do this
here in our web browser. Log in.
| | 00:38 | Usually this is going to be under some
sort of an advanced configuration area.
| | 00:43 | In ours this is under Advanced and then
Firewall Settings over here in the sidebar.
| | 00:50 | Your router must support passing
VPN traffic through to a VPN server.
| | 00:56 | This means that the router must
support something called ESP, which is not
| | 00:59 | Extrasensory Perception, but that would be funny.
| | 01:02 | It's actually Encapsulating Security
Payload Protocol, and it has to be passed
| | 01:08 | for L2TP to work, which is one of the
types of VPN supported by OS X Server.
| | 01:14 | Also necessary but somewhat out
there is GRE or Generic Routing
| | 01:19 | Encapsulation Protocol.
| | 01:21 | That's necessary for PPTP to work.
| | 01:24 | So our router calls all that
stuff down here at the bottom ALG, or
| | 01:28 | Application Level Gateway.
| | 01:31 | You can see that they have
labeled PPTP and IPsec VPN right here.
| | 01:36 | We have got both of those already turned on.
| | 01:38 | You need to find your router's analog for this.
| | 01:41 | Or if you've got this exact same thing,
turn this on, because your router has
| | 01:45 | to be able to pass this stuff through
for the traffic to get through the router
| | 01:49 | over to the server.
| | 01:51 | Now some routers will pass this
automatically and not have an option to turn on
| | 01:55 | or off, so you don't need to
necessarily see something like this.
| | 02:00 | It may be worth trying anyway.
| | 02:01 | It might be turned on in the background.
| | 02:03 | Just give it a shot.
| | 02:04 | If your router doesn't support either
of those, then you can't do VPN unless
| | 02:09 | you put your OS X Server outside of
your router and pass traffic through a
| | 02:14 | second Ethernet port to your internal network.
| | 02:16 | That would mean you'd be setting up
your server as an Internet gateway and we
| | 02:21 | covered that in Snow
Leopard Server New Features.
| | 02:24 | Also, on your router you're going to
have to port forward the necessary ports
| | 02:28 | from the WAN side of the router to
the IP address of your VPN server.
| | 02:31 | So we are going to go over here to
Advanced again, and then we are going to come
| | 02:35 | over here to Port Forwarding.
| | 02:37 | Now under Port Forwarding we need to
add rules for L2TP and PPTP to work.
| | 02:44 | So let's do that now.
| | 02:45 | We are going to start by
adding 1701, and that's the name.
| | 02:51 | I'm just duplicating the name of the port
| | 02:53 | so I know what's what here.
| | 02:54 | 1701 is going over UDP.
| | 03:00 | So actually I need to take that
out and come down here in 1701.
| | 03:05 | Your configuration may allow you to put
it in a number and then select whether
| | 03:09 | or not it's TCP, UDP, or both.
| | 03:12 | In this interface this whole section is one
rule and if you put in TCP, it will do TCP.
| | 03:18 | If you put in UDP, it will do that,
and if you put in both, it will do both.
| | 03:22 | You also have to configure the IP
address that this stuff is going to on the
| | 03:25 | inside of your network.
| | 03:26 | So ours is our server, which is 192.168.12.2.
| | 03:31 | So instead of 1701 if I wanted to I
could say L2TP, because 1701 is one of the
| | 03:37 | ports necessary for L2TP.
| | 03:40 | It's really up to you.
| | 03:41 | You could even do something like this where
you put in 1701 and then type L2TP, if you want.
| | 03:46 | It's really again up to you.
| | 03:48 | It's important to make sure that you
are allowing this and not denying the
| | 03:51 | traffic in your Port Forwarding
configuration and that you click the check box.
| | 03:55 | We are going to fast-forward through
this so that you don't have to wait through it,
| | 03:58 | but just so you know we are doing
1701, 4500, and 500 over UDP when we want
| | 04:07 | to do L2TP VPN, and we are going
to do 1723 over TCP for PPTP VPN.
| | 04:14 | Now be very careful to get the port
number and the protocol just right here.
| | 04:24 | Once you're done, go ahead and scroll
back up and save your settings. Make sure
| | 04:28 | you've saved these settings before you
get out of the interface. Otherwise of
| | 04:32 | course they won't take effect.
| | 04:33 | Once that's completed, we are going to
go back into Server Admin so that we can
| | 04:38 | configure our firewall to do
pretty much the same thing.
| | 04:41 | We are simply going to
allow traffic from those ports.
| | 04:44 | Click Continue. Double-check to make sure that
everything saved, and it did. So we are good.
| | 04:51 | So what I am going to do now is I am going to
quit Firefox, and we will now open Server Admin.
| | 04:57 | Something else to consider would
be deploying a router that has a VPN
| | 05:00 | server embedded in it.
| | 05:02 | I recommend using the VPN server built
into OS X Server instead, because your OS X
| | 05:08 | Server can use your Open
Directory users and passwords for access.
| | 05:12 | If you use your router as the VPN
server, you may have to re-enter all of the
| | 05:17 | names and passwords into that device,
which is time-consuming and inefficient
| | 05:22 | for you, the administrator.
| | 05:24 | Once in Server Admin click on the
Firewall Service, go to Settings, come over to
| | 05:28 | Services, and we've got our various groups.
| | 05:32 | I am going to go to any and I am
going to select Allow only traffic to these
| | 05:36 | ports, and what we are going to
do is just sort on Description.
| | 05:39 | This is a very cool trick.
| | 05:41 | Let's come all the way down here and
you will see that all the VPN services are
| | 05:45 | neatly grouped in the same area.
| | 05:47 | We are just going to click
Allow on all of them and click Save.
| | 05:51 | Now the reason we're doing this is your
firewall will block the VPN traffic if
| | 05:55 | you don't enable all of the ports in
the appropriate firewall address groups
| | 05:59 | that are necessary for VPN.
| | 06:01 | Now those would be ESP plus Port 1701,
4500, and 500 over UDP for L2TP and
| | 06:10 | GRE plus 1723 for PPTP.
| | 06:14 | If you're only using one of those
protocols, don't just enable the firewall for
| | 06:17 | the other just because. Be specific,
but if you're going to be supporting both
| | 06:21 | which may frequently be the
case, go ahead and open them all up.
| | 06:25 | Now we don't need to open those up for
the DHCP group, because the DHCP group is
| | 06:30 | not going to be outside of our firewall.
| | 06:32 | But I am going to open up the VPN range in
here for the group that will be on the VPN.
| | 06:38 | Of course, for our Server Admin
client everything is always allowed.
| | 06:43 | So we are all good as far as that's concerned.
| | 06:46 | To configure VPN, you'll need
to start with a user account.
| | 06:49 | And while you can do that in
Workgroup Manager, we are going to do it in
| | 06:52 | Server Preferences.
| | 06:55 | When we open up Server Preferences,
it may ask us to allow or authenticate
| | 06:59 | access and eventually it will
come up and show us our interface.
| | 07:04 | Now what we can do here is we can add
our user accounts and you'll notice right
| | 07:09 | here that we have not yet been
set up to manage users and groups.
| | 07:13 | So I am going to click the Set Up
button right here and it's asking if we want
| | 07:18 | to host Users and Groups on the server.
| | 07:19 | We want to say yes.
| | 07:20 | We are going to say OK.
| | 07:23 | Now, because the Server Preferences
application assumes that you'll be using
| | 07:27 | an Open Directory master for your users,
it's going to create that for you automatically.
| | 07:31 | Since we've already got DNS setup
properly, this won't be a problem.
| | 07:34 | It will be created just fine, and it
won't alter our DNS settings because
| | 07:38 | everything is configured properly.
| | 07:41 | Once Server Preferences sets up your
Open Directory master, at least in 10.6.3
| | 07:44 | there is a bug where you need to
restart your server at this point.
| | 07:48 | So if you're at a later version where
they've fixed that, you can just continue with me.
| | 07:52 | If you're at 10.6.3 you may want to
restart your server at this point so that
| | 07:55 | you can create a user.
| | 07:58 | Assuming that you've restarted, if you
needed to, let's create that first user now.
| | 08:02 | We will click the Plus button
and we will type in the user's name.
| | 08:05 | I am just going to use me for now, and
a password and verify that password.
| | 08:13 | Click Create Account and
it will create that user.
| | 08:16 | Now, what I want to show you here is
over under the Services tab you can enable
| | 08:21 | any of the available services for that
user and while this won't set up those
| | 08:26 | services for the user if you don't
have them already configured, what it will
| | 08:30 | do is add your user to the
access control list for that service.
| | 08:35 | So we are just going to use VPN.
| | 08:38 | So I'm going to turn on VPN.
| | 08:40 | So that will be putting this
user into that access control.
| | 08:44 | In addition to that, remember we
were going to set up a group here.
| | 08:48 | So we're going to have to do that as well.
| | 08:49 | Right now, we have a group named
Workgroup because that group is set up
| | 08:53 | automatically during the initial
setup of the Open Directory master here
| | 08:56 | in Server Preferences.
| | 08:57 | Let's go to Show All, let's go back
here to Groups, and let's create a new group,
| | 09:02 | and we will call this
group VPN Users and Create Group.
| | 09:08 | We are not going to have a File
Sharing Folder or iChat Auto Buddies.
| | 09:13 | Under Members we will click Edit, put a
check mark right there, unclick the Edit
| | 09:18 | Membership button, and we are set.
| | 09:20 | So we have our VPN users group.
| | 09:22 | We have our new user, which has access to VPN.
| | 09:25 | We are almost done with Server
Preferences, but I am going to leave it open,
| | 09:29 | because we are going to come back to
this a little later on, and you will
| | 09:32 | see it's pretty cool.
| | 09:34 | So let's go back over into Server
Admin where we were in our firewall and
| | 09:38 | looking at our firewall ports and services.
| | 09:41 | Before we move on to configuring the
VPN, I do want to show you what the
| | 09:46 | Server Preferences did.
| | 09:47 | We are going to click on the name of
our server, come over here to Access and
| | 09:51 | underneath Services,
| | 09:52 | if we come down here and click on VPN,
you can see that it added the Sean Colins
| | 09:56 | user to the VPN group.
| | 09:58 | This is what I meant when I was talking
about the access controls here for the service.
| | 10:03 | Let's click over here on Settings >
Services and then all the way down here at
| | 10:07 | the bottom, we've got VPN.
| | 10:09 | Let's click on that.
| | 10:10 | Click Save and then when it appears
in the sidebar click on VPN and it will
| | 10:16 | take you straight to Settings.
| | 10:17 | We are going to start here in L2TP.
| | 10:20 | Now remember we specified what our VPN
address ranges were going to be back
| | 10:25 | when we were planning our
firewall address groups and DHCP range.
| | 10:28 | So we know that we have 192.168.12.128 through
159 available for both L2TP and PPTP services.
| | 10:38 | I am going to turn this on and I'm
going to assign 192.168.12.128 through
| | 10:47 | 192.168.12.143 to L2TP, and I'm
going to assign under PPTP 192.168.12.144
| | 11:04 | through 192.168.12.159.
| | 11:10 | So that splits that roughly in half.
| | 11:12 | Now, when configuring L2TP back over
here, you have some decisions to make.
| | 11:17 | Will you use a shared secret?
| | 11:19 | Will you use Kerberos for authentication?
| | 11:21 | I am going to assume you're going to use
a Directory Service for authentication.
| | 11:26 | You can select either MS-CHAPv2
or Kerberos for authentication.
| | 11:30 | The thing is, you're not going to be able
to use Kerberos unless your VPN server is
| | 11:35 | sitting on an external IP address, and
that has to do with the way that Kerberos
| | 11:40 | needs DNS and its IP address and
everything to match up properly. If your
| | 11:45 | Kerberos is on an internal network,
once you leave that network Kerberos isn't
| | 11:49 | going to function properly.
| | 11:50 | So, you will probably end up needing to
use MS-CHAPv2 in the Directory Services,
| | 11:56 | and then for the IPSec
Authentication here in L2TP you have the option of
| | 12:00 | putting in either a shared secret,
or you can use a certificate.
| | 12:04 | Now we talked about creating certificates
back in previous Snow Leopard Server classes.
| | 12:09 | So I am going to talk to you about
the shared secret and how that works.
| | 12:13 | The shared secret is my personal
favorite, because it's secure, and it's easy.
| | 12:17 | This will probably be the most popular
solution, and I recommend it highly as
| | 12:21 | an option for L2TP VPN authentication, as
it's very secure and easy for you to implement.
| | 12:27 | For that reason I am going to show
you how to use a shared secret now.
| | 12:31 | In the Shared Secret box type a
relatively long sequence of numbers, letters,
| | 12:35 | and characters that make up a
password that will be shared between your
| | 12:38 | server and the VPN clients on each machine
that will be configured to connect to your server.
| | 12:44 | So I am going to put one
in now and I'll click Save.
| | 12:51 | In our SPI analogy this was the part of
the process where the black box sent a
| | 12:55 | password only it knows to
a black box far, far away.
| | 12:59 | You are setting that password
here when you add the shared secret.
| | 13:02 | Now I said we were going to go back to
Server Preferences, and this is where we
| | 13:06 | are going to do that.
| | 13:06 | I am going to flip back to Server Preferences now.
| | 13:08 | Now when you enter the Server
Preferences application, you can save the L2TP
| | 13:13 | VPN settings to a file right in here,
which can be imported into a client
| | 13:18 | system and used without ever revealing
the shared secret to the person using
| | 13:22 | the client-side VPN.
| | 13:24 | We simply click here and save
this in a place where we can find it.
| | 13:28 | I am going to put it on the
desktop and there is the file.
| | 13:31 | This is what you'll end up with and
this is the file that you will send to the
| | 13:35 | client system to be imported later.
| | 13:37 | Now, if you want to configure your PPTP
settings as well, we just go back here
| | 13:42 | to Server Admin. Click on PPTP.
| | 13:45 | Once you have the IP range in the IP
boxes, you click the check box to either
| | 13:51 | Allow 40-bit encryption for
compatibility only or not.
| | 13:55 | I recommend leaving this off unless
you have a very old PPTP client that
| | 14:00 | needs to connect to this.
| | 14:02 | You select whether you are
using Kerberos or MS-CHAPv2.
| | 14:05 | Again, I recommend the MS-CHAPv2 option
here, or again you could use your RADIUS
| | 14:09 | server if you have one.
| | 14:10 | And once you have that
configured, you click Save.
| | 14:13 | Now pay attention, because
there is no shared secret here.
| | 14:17 | I mentioned that the shared secret
is available in some types of VPN, and
| | 14:23 | this is not one of them.
| | 14:24 | There really isn't an option for
increased security beyond the basic password
| | 14:29 | configured in Workgroup Manager.
| | 14:31 | That's entered at the client-side in
the VPN Settings in System Preferences.
| | 14:35 | Let's click Start VPN, and now we can go
configure a client to use the software.
| | 14:43 | Once you've configured L2TP and PPTP,
it's important to put client information
| | 14:48 | into the interface and also configure logging.
| | 14:50 | So let's click on Client Information next.
| | 14:53 | You'll automatically have the DNS
server set to your server and that's
| | 14:58 | important, because you'll need to be
able to pick up authentication information
| | 15:02 | and locate services on
the inside of the network.
| | 15:05 | It's good to have this configured in this way.
| | 15:07 | So please leave it alone.
| | 15:09 | Under Search Domains, you can add
your own server's domain so that you can
| | 15:14 | autocomplete connections easily just
using the host name or the first part of
| | 15:19 | the name of a resource.
| | 15:20 | So, if you want to do
that it would look like this.
| | 15:25 | You can also add network routing
definitions in order to determine what IP
| | 15:30 | address and subnet masks are going to
be routed privately or publicly whenever
| | 15:35 | someone is connected over a VPN.
| | 15:38 | If you leave this unconfigured, however,
everything will go through the VPN as
| | 15:42 | long as you configure all traffic to
go over the VPN from the client side,
| | 15:46 | which I recommend you do.
| | 15:49 | Under Logging, it's a good idea
especially at the beginning when you're first
| | 15:52 | turning on your service
to enable verbose logging.
| | 15:56 | Click Save and when you've got
that finished, click Start VPN.
| | 16:00 | Next, we need to go over to a client,
configure it, test it, and if it doesn't work,
| | 16:04 | troubleshoot it.
| Troubleshooting your VPN| 00:00 | On your client machine it's best to do
this while connected to a device that is
| | 00:04 | outside of your network, and we have
accomplished that by connecting via a
| | 00:08 | cellular modem attached
directly to this computer.
| | 00:11 | This will allow you to VPN into
your network and test your settings.
| | 00:14 | Now, if you have a client machine, but
you don't quite know how to do that, just
| | 00:18 | be sure that your router has an
active public IP address, and that it's
| | 00:21 | configured as I suggested in the last movie.
| | 00:24 | So go to the Network pane.
| | 00:28 | Here we are, and you can see we
already have our Access Card Active, and it's
| | 00:32 | got an outside IP address that's not on
the network we're on, and it's sending
| | 00:35 | and receiving traffic.
| | 00:36 | The first step is we're going to
click the Plus button to add a new
| | 00:39 | network configuration.
| | 00:40 | When we do this, we get to a
selection where we can add all sorts of
| | 00:46 | different connections.
| | 00:47 | We're going to add a VPN here, and the first
one we're going to select is L2TP over IPSec.
| | 00:52 | I'm selecting this first, because it's
not going to work, and I want to show you
| | 00:54 | what that looks like.
| | 00:57 | It's not going to work because the
router we have-- again we said we bought an
| | 01:00 | inexpensive router to do this class--
doesn't support passage of this and
| | 01:03 | yours may not either.
| | 01:04 | I want to show you what that looks like.
| | 01:06 | So we have our VPN connection here
and what I'm going to do is I'm going to
| | 01:10 | click Import Configurations.
| | 01:13 | What I've done in the Exercise
Files here in a folder called VPN,
| | 01:17 | I've saved the configuration file that I pulled
off of the Server Preferences in the last movie.
| | 01:23 | I'll open that up and because I only have
one VPN connection available here it just
| | 01:28 | pulls it right into the one that I've got.
| | 01:30 | If you didn't have one of these, it
would create a new one for you and if
| | 01:34 | you already had a bunch, it would ask
you which one you wanted to import the
| | 01:37 | configuration into.
| | 01:38 | So anyway, now that we are here, you'll
note that we're using the server address.
| | 01:42 | I'm going to show you how that works right now.
| | 01:44 | We know that this server does actually
work out here with DNS on the Internet.
| | 01:48 | So that's fine from where we are right now.
| | 01:50 | I'm going to put in my account name.
| | 01:52 | Under Authentication Settings, I'm going
to put in my password for that account.
| | 01:56 | Remember how I said the shared
secret would be imported for you
| | 01:59 | automatically? Well there it is.
| | 02:01 | Click OK, click Apply, and click Connect.
| | 02:04 | Now, while it's doing that, you'll
notice then in the upper corner here we've
| | 02:07 | got a VPN icon here with the word Connecting.
| | 02:11 | If we go to Utilities and we go to
the Console, click OK, it's warning us
| | 02:16 | that it didn't connect.
| | 02:17 | If we open up Console and we look
at All Messages, we can see right here
| | 02:20 | that we've got pppd and the racoon
process, and those processes are showing
| | 02:27 | us what they're doing.
| | 02:28 | They're initiating the
attempt of the connection.
| | 02:30 | We can see here that
server.groundswellgear.com is where it's going to and that
| | 02:34 | the DNS is working properly,
because we have the IP address right here.
| | 02:38 | So we know that's functioning.
| | 02:39 | If we pull this out, we can get a
better view of the entire window here.
| | 02:43 | The IPSec connection is started.
| | 02:45 | It's trying to make its connection.
| | 02:46 | The IKE Packets are being transmitted
successfully, but the IPSec connection
| | 02:50 | is failing every time.
| | 02:52 | So if we look at the server logs, if we
come over here to Server Admin, we can
| | 02:57 | see that during that
time code in the 1:50 range,
| | 03:01 | there is just nothing there.
| | 03:02 | The last stuff that we had was when we
were doing some stuff before we started
| | 03:05 | this recording that was about 10 minutes ago.
| | 03:07 | So it's not even hearing these requests.
The server is not seeing this traffic at all.
| | 03:13 | What that indicates for us is that our
router or something in between us and our
| | 03:17 | router is not letting us get through
to the server or our firewall is not
| | 03:21 | configured properly.
| | 03:23 | But if we go back to our Firewall and
we look at our Settings, we know that
| | 03:26 | this is hitting the any group.
| | 03:27 | So if we just sort on Description, and
scroll down to where it says VPN, all of
| | 03:32 | the VPN stuff is active.
| | 03:34 | There is just not much else that we can do here.
| | 03:37 | So the firewall is configured
correctly, our router we know we've got every
| | 03:41 | option turned on that we can turn on,
and we've got our port forwarding
| | 03:45 | configured properly.
| | 03:46 | L2TP looks like it is not going to work for us.
| | 03:49 | So this is a really good example of a
time when it's a good idea to fall back to
| | 03:54 | that PPTP configuration.
| | 03:56 | So let's do that one next.
| | 03:58 | I'm going to click the Plus button, go in
to select VPN, and I am going to select PPTP.
| | 04:04 | Now, you might also notice
here that we have Cisco IPSec.
| | 04:07 | Now, in 10.6, the client has a
really good Cisco IPSec client.
| | 04:13 | So if your server is running Cisco VPN
software, you can connect to it right from here.
| | 04:18 | You don't need the Cisco third-party
VPN client anymore, which is nice, but
| | 04:22 | we're not teaching that.
| | 04:23 | We're teaching OS X Server.
| | 04:24 | So we're going to PPTP, and I'm going to
name this lynda PPTP VPN and click Create.
| | 04:31 | Now, when you do that, I'm not going to
be able to import the configuration as I
| | 04:36 | did before because the configuration
that's exported from the Server Preferences
| | 04:40 | is only for the L2TP
service. Keep that in mind.
| | 04:44 | We click on PPTP.
| | 04:46 | We put in the server address.
| | 04:47 | I'm going to go by the name again,
but you can go by your IP Address.
| | 04:52 | The nice thing about using the IP
address is that if your DNS isn't working from
| | 04:56 | whatever remote location you're in,
| | 04:57 | the IP address will still go through,
but we are going to use DNS right now.
| | 05:01 | And put our account name in. Under
Authentication Settings we'll put in our password.
| | 05:07 | Again, no opportunity here to
put in anything beyond a password.
| | 05:11 | There is no additional machine
level authentication. So that's it.
| | 05:15 | That's all you need to do and whenever
we do that, we can also come into here
| | 05:20 | into Advanced and we can tell it to
send all traffic over the VPN connection.
| | 05:25 | This is really useful.
| | 05:26 | It does tax your Internet connection,
and it also taxes your server a little bit
| | 05:31 | more than it would if you left this off.
| | 05:33 | But the plus side of this is that you
know when you're connecting remotely that
| | 05:38 | all of the traffic coming off of your
remote machine into your server is going
| | 05:42 | to be in that encrypted private
tunnel, and that's a really good thing.
| | 05:46 | So I am going to leave
the rest of this as default.
| | 05:49 | VPN on Demand is possible here, and this
can be another thing that's really cool.
| | 05:55 | You can configure this for clients
that perhaps don't always remember to
| | 05:59 | activate the VPN when they should.
| | 06:01 | What you can do here is say, "hey!
| | 06:03 | Anytime I'm going to access corequick.com
as a domain, I'm going to have that
| | 06:09 | automatically connect up to the VPN."
| | 06:12 | Nifty thing there is once you hit OK
on that, if you go to corequick.com,
| | 06:16 | the VPN will automatically start to connect
before it makes that connection to that
| | 06:19 | domain, and that would be for e-mail
or to get to the web site, or for any
| | 06:23 | traffic that goes to that domain.
| | 06:25 | It's a useful thing to put in place.
| | 06:26 | I'm going to take that out right now,
because I don't want to test that at the moment.
| | 06:30 | We want to leave IPv6 off and this
is going to be true until we get IPv6
| | 06:34 | straightened out across the board,
across all of our network devices everywhere.
| | 06:38 | So for now I'm just recommending you
turn this off on just about everything.
| | 06:41 | Under DNS, we're going to pick this up
from the VPN server, so we don't need to
| | 06:45 | reconfigure anything here.
| | 06:47 | We're not using any proxies.
| | 06:48 | So these are all solid.
| | 06:50 | Since it's our first connection, it could
be useful to turn on verbose logging however.
| | 06:54 | So let's just leave that on
there, and we'll hit OK and Apply.
| | 06:59 | Then when we're done, we click Connect.
| | 07:02 | So you see, PPTP is pretty quick and it
makes that connection and once you have
| | 07:07 | a connection you'll get a counter up
here in the upper-right corner that gives
| | 07:10 | you how long you've been connected to the VPN.
| | 07:13 | Once you're in the Network System
Preferences, you can come here and look at a
| | 07:16 | little bit more detailed information
about what your IP address is once you've
| | 07:20 | got into the network.
| | 07:22 | Again, this is one of those IP addresses
in that VPN range that we set up in our
| | 07:26 | VPN settings of Server Admin.
| | 07:28 | So this is how you get VPN to work on
the client system, and we went into the
| | 07:35 | logs just briefly here on the client.
| | 07:37 | This is a great place to go for troubleshooting.
| | 07:39 | And remember, look for these pppd and
racoon processes to give you an idea of
| | 07:45 | what's going on, on your client's side.
| | 07:48 | When you want to check your VPN logs
over here for the server, just come into
| | 07:52 | the Server Admin VPN service if you
don't have immediate access to your server,
| | 07:56 | and you can see the vpnd log right here.
| | 08:00 | It's telling you exactly where that's located.
| | 08:02 | It's in /var/log/ppp, and it's in
vpnd.log, and of course, like you did in
| | 08:08 | the other services that we showed
during this title, you can always go into
| | 08:12 | the server and just double-click on
that log, and it will open up in Console
| | 08:15 | on the server itself.
| | 08:16 | So I hope this helps you to configure VPN so
that it functions well for your environment.
| | 08:22 | One side note.
| | 08:23 | We've been mentioning throughout this
title that we did not use an AirPort
| | 08:26 | Base Station because we couldn't get NAT
and DHCP to work independently of one another.
| | 08:31 | But one of the cool things about an
AirPort Base Station would be that it does
| | 08:35 | indeed support the L2TP VPN protocol very,
very nicely and configuring that port
| | 08:41 | forwarding is extremely easy in that device.
| | 08:43 | So if you prefer to have that and you
want to go out and buy a device that is
| | 08:47 | sure to work, that AirPort Base Station
either the Extreme or the Express would
| | 08:52 | work very well for that.
| | 08:54 | So that's it for VPN client and troubleshooting.
ConclusionGoodbye| 00:01 | I have had a lot of fun with this
course and though the subject is really
| | 00:03 | complicated, I hope the way I
approached it felt fun, easy, and natural to you.
| | 00:08 | If you want to find more information
about DNS and networking services,
| | 00:13 | please remember that Apple has several
great books and PDFs out on the subject.
| | 00:18 | Hopefully, you have what you need now
to configure the services we discussed in
| | 00:22 | the course and you understand the
principles involved so you're primed to take
| | 00:26 | your learning to the next level.