Mac OS X Server Network Services Administration For Version 10.5 Leopard Apple Inc. © 2007 Apple Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services. Every effort has been made to ensure that the information in this manual is accurate. Apple Inc. is not responsible for printing or clerical errors. Apple 1 Infinite Loop Cupertino, CA 95014-2084 408-996-1010 www.apple.com Use of the "keyboard" Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws. Apple, the Apple logo, AirPort, AppleScript, AppleShare, AppleTalk, Bonjour, Firewire, iCal, iTunes, Mac, Macintosh, Mac OS, QuickTime, WebObjects, Xgrid, Xsan, and Xserve are trademarks of Apple Inc., registered in the U.S. and other countries. Finder is a trademark of Apple Inc. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. UNIX is a registered trademark of The Open Group. Other company and product names mentioned herein are trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance or use of these products. 019-0941/2007-09-01 1 Contents Preface 11 11 11 12 12 13 14 14 15 15 17 17 18 19 20 22 25 26 26 26 27 27 28 28 28 28 28 29 29 29 30 About This Guide What's New in Version 10.5 What's in This Guide Using This Guide Using Onscreen Help Mac OS X Server Administration Guides Viewing PDF Guides on Screen Printing PDF Guides Getting Documentation Updates Getting Additional Information Linking Your Network to the Internet About the Gateway Setup Assistant Running the Gateway Setup Assistant Connecting a Wired LAN to the Internet Connecting a Wired LAN and Wireless Clients to the Internet Connecting a Wireless LAN to the Internet Working with DHCP Service Setup Overview Before Setting Up DHCP Service Creating Subnets Assigning IP Addresses Dynamically Using Static IP Addresses Locating the DHCP Server Interacting with Other DHCP Servers Using Multiple DHCP Servers on a Network Assigning Reserved IP Addresses Getting More Information About the DHCP Process Turning DHCP Service On Setting Up DHCP Service Creating Subnets in DHCP Service Configuring Log Settings Chapter 1 Chapter 2 3 30 31 31 31 32 32 33 33 34 34 35 36 37 37 37 37 38 41 42 43 Chapter 3 45 46 46 46 46 47 48 48 49 51 52 52 53 54 55 56 56 57 57 58 58 58 Starting DHCP Service Managing DHCP Service Stopping DHCP Service Changing Subnet Settings in DHCP Service Deleting Subnets from DHCP Service Disabling Subnets Temporarily Changing IP Address Lease Times for a Subnet Setting the DNS Server for a DHCP Subnet Setting LDAP Options for a Subnet Setting WINS Options for a Subnet Assigning Static IP Addresses Using DHCP Removing or Changing Static Address Maps Monitoring DHCP Service Checking DHCP Service Status Viewing DHCP Log Entries Viewing the DHCP Client List Common Network Configurations That Use DHCP Configuring DHCP to Use an Extra LDAP Server URL DHCP Service for Mac OS X Clients Using DHCP with a Manual Address Where to Find More Information Working with DNS Service About DNS Zones Primary Zones Secondary Zones Forward Zones About DNS Machine Records About Bonjour Before You Set Up DNS Service Setting Up DNS Service for the First Time Turning DNS Service On Upgrading DNS Configuration Setting Up DNS Service Configuring Zone Settings Configuring Secondary Zone Settings Configuring Bonjour Settings Configuring DNS Settings Starting DNS Service Managing DNS Service Checking DNS Service Status Viewing DNS Service Logs Changing DNS Log Detail Levels Stopping DNS Service 4 Contents 59 59 60 60 61 62 62 62 63 64 64 65 65 66 66 67 67 68 68 69 69 70 70 70 73 73 74 74 75 75 Chapter 4 77 77 79 79 80 80 83 83 84 84 85 86 Enabling or Disabling Zone Transfers Enabling Recursion Managing DNS Zones Adding a Primary Zone Adding a Secondary Zone Adding a Forward Zone Changing a Zone Deleting a Zone Importing a BIND Zone File Managing DNS Records Adding an Alias Record to a DNS Zone Adding a Machine Record to a DNS Zone Adding a Service Record to a DNS Zone Changing a Record in a DNS Zone Deleting a Record from a DNS Zone Securing the DNS Server DNS Spoofing Server Mining DNS Service Profiling Denial of Service (DoS) Service Piggybacking Wide Area Bonjour Service Administration Common Network Administration Tasks That Use DNS Service Configuring DNS for Mail Service Setting Up Namespace Behind a NAT Gateway Network Load Distribution (Round Robin) Setting Up a Private TCP/IP Network Hosting Several Internet Services with a Single IP Address Hosting Multiple Domains on the Same Server Where to Find More Information Working with Firewall Service About Firewall Service Basic Firewall Practices Firewall Startup About Firewall Rules What a Firewall Rule Is Using Address Ranges Rule Mechanism and Precedence Multiple IP Addresses Editing IPv6 Firewall Rules Setup Overview Turning Firewall Service On Contents 5 87 87 88 89 89 89 90 90 90 91 91 92 92 93 94 94 95 95 96 96 97 97 97 98 99 99 100 100 100 101 101 102 103 103 104 104 104 105 108 Chapter 5 111 111 112 Setting Up Firewall Service Configuring Address Groups Settings Configuring Services Settings Configuring Logging Settings Configuring Advanced Settings Starting Firewall Service Managing Firewall Service Stopping Firewall Service Creating an Address Group Editing or Deleting an Address Group Duplicating an Address Group Adding to the Services List Editing or Deleting Items in the Services List Configuring Advanced Firewall Rules Editing or Deleting Advanced Firewall Rules Changing the Order of Advanced Firewall Rules Troubleshooting Advanced Firewall Rules Enabling Stealth Mode Adaptive Firewall Resetting the Firewall to the Default Setting Monitoring Firewall Service Checking the Status of Firewall Service Viewing Firewall Active Rules Viewing the Firewall Service Log Viewing Denied Packets Viewing Packets Logged by Firewall Rules Practical Firewall Examples Using Firewall with NAT Blocking Web Access to Internet Users Logging Internet Access by Local Network Users Blocking Junk Mail Permitting a Customer to Access the Apple File Server Common Network Administration Tasks That Use Firewall Service Preventing Denial of Service (DoS) Attacks Controlling or Enabling Peer-to-Peer Network Usage Controlling or Enabling Network Game Usage Preventing Network Virus Propagation TCP and UDP Port Reference Where to Find More Information Working with NAT Service Using NAT with Other Network Services NAT LAN Configuration Overview 6 Contents 113 113 113 115 116 116 117 118 118 118 118 120 120 123 Chapter 6 125 126 126 126 127 127 128 128 129 129 129 130 132 132 133 133 133 133 135 135 137 139 139 139 140 140 141 141 Turning NAT Service On Configuring NAT Service Configuring Port Forwarding Port Forwarding Examples Testing Port Forwarding Rules Starting and Stopping NAT Service Creating a Gateway Without NAT Monitoring NAT Service Viewing the NAT Status Overview Common Network Administration Tasks That Use NAT Linking a LAN to the Internet Through One IP Address Setting Up a LAN Party for Gaming Setting Up Virtual Servers Where to Find More Information Working with VPN Service VPN and Security Transport Protocols Authentication Method Using VPN Service with Users in a Third-Party LDAP Domain Before You Set Up VPN Service Configuring Other Network Services for VPN Setup Overview Turning VPN Service On Setting Up VPN Service Configuring L2TP Settings Configuring PPTP Settings Configuring Client Information Settings Configuring Logging Settings Starting VPN Service Managing VPN Service Stopping VPN Service Configuring VPN Network Routing Definitions Limiting VPN Access to Specific Users or Groups Limiting VPN Access to Specific Incoming IP Addresses Supplementary Configuration Instructions Monitoring VPN Service Viewing a VPN Status Overview Changing the Log Detail Level for VPN Service Viewing the VPN Log Viewing VPN Client Connections Common Network Administration Tasks That Use VPN Linking a Computer at Home with a Remote Network Contents 7 142 143 147 Chapter 7 149 149 149 150 150 150 152 152 153 153 153 154 154 154 154 155 155 156 157 157 158 158 158 159 161 161 162 163 163 164 164 164 165 165 165 165 166 Accessing a Computing Asset Behind a Remote Network Firewall Linking Two or More Remote Network Sites Where to Find More Information Working with RADIUS Service Before You Set Up RADIUS Service Setting Up RADIUS Service for the First Time Turning RADIUS Service On Setting Up RADIUS Service Configuring RADIUS Using the Configuration Assistant Adding AirPort Base Stations to a RADIUS Server Remotely Configuring AirPort Base Stations Configuring RADIUS to Use Certificates Archiving RADIUS Service Logs Starting or Stopping RADIUS Service Managing RADIUS Service Checking RADIUS Service Status Viewing RADIUS Service Logs Editing RADIUS Access Deleting AirPort Base Stations Editing an AirPort Base Station Record Saving an AirPort Base Station Internet Connect File Working with NTP Service How NTP Works Using NTP on Your Network Setting Up NTP Service Configuring NTP Service on Clients Where to Find More Information Supporting a VLAN Setting Up Client Membership for a VLAN Where to Find More Information Supporting IPv6 IPv6 Enabled Services Support for IPv6 Addresses in Server Admin IPv6 Addresses Notation IPv6 Reserved Addresses IPv6 Addressing Model IPv6 Address Types Creating an IPv4 to IPv6 Gateway Where to Find More Information Chapter 8 Chapter 9 Chapter 10 8 Contents Glossary Index 167 179 Contents 9 10 Contents This guide explains how to configure and administer Mac OS X Server network services. Mac OS X Server version 10.5 includes several network services that help you manage and maintain your network. What's New in Version 10.5 Mac OS X Server v10.5 offers the following major enhancements for network services:  New RADIUS feature: Mac OS X Server v10.5 offers RADIUS for authorizing user access to AirPort Base Stations.  New services configuration assistants: Mac OS X Server v10.5 offers a service configuration assistant for NAT and RADIUS.  Improved Bonjour: Mac OS X Server v10.5 offers Bonjour administration.  Revised and improved firewall: Mac OS X Server v10.5 uses an adaptive firewall that dynamically configures firewall rules and requires no configuration. What's in This Guide This guide includes the following chapters:  Chapter 1, "Linking Your Network to the Internet," tells you how to use Gateway Setup Assistant to link your network to the Internet.  Chapter 2, "Working with DHCP Service," tells you how to configure and use DHCP to assign IP addresses on your network.  Chapter 3, "Working with DNS Service," tells you how to use Mac OS X Server as a domain name server.  Chapter 4, "Working with Firewall Service," tells you how to maintain network security using a firewall.  Chapter 5, "Working with NAT Service," tells you how to configure and use NAT to connect many computers to the Internet with only one public IP address. Preface 11 About This Guide  Chapter 6, "Working with VPN Service," tells you how to configure and use VPN to allow remote users to access your private LAN securely.  Chapter 7, "Working with RADIUS Service," tells you how to configure and use RADIUS service to authorize Open Directory users and groups so they can access AirPort Base Stations on a network.  Chapter 8, "Working with NTP Service," tells you how to enable your server as a time server.  Chapter 9, "Supporting a VLAN," tells you about VLAN support for some server hardware configurations.  Chapter 10, "Supporting IPv6," tells you about IPv6 and the services that support IPv6 addressing. In addition, the Glossary provides brief definitions of the terms used in this guide. Note: Because Apple frequently releases new versions and updates to its software, images shown in this book might be different from what you see on your screen. Using This Guide Each chapter covers a specific network service. Read any chapter that's about a service you plan to provide to your users. Learn how the service works, what it can do for you, strategies for using it, how to set it up for the first time, and how to administer it over time. Also take a look at chapters that describe services with which you're unfamiliar. You might find that some of the services you haven't used before can he ...