User manual APPLE LEOPARD - NETWORK SERVICES ADMINISTRATION

Mac OS X Server Network Services Administration For Version 10.5 Leopard Apple Inc. © 2007 Apple Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services. Every effort has been made to ensure that the information in this manual is accurate. Apple Inc. is not responsible for printing or clerical errors. Apple 1 Infinite Loop Cupertino, CA 95014-2084 408-996-1010 www.apple.com Use of the "keyboard" Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws. Apple, the Apple logo, AirPort, AppleScript, AppleShare, AppleTalk, Bonjour, Firewire, iCal, iTunes, Mac, Macintosh, Mac OS, QuickTime, WebObjects, Xgrid, Xsan, and Xserve are trademarks of Apple Inc., registered in the U.S. and other countries. Finder is a trademark of Apple Inc. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. UNIX is a registered trademark of The Open Group. Other company and product names mentioned herein are trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance or use of these products. 019-0941/2007-09-01 1 Contents Preface 11 11 11 12 12 13 14 14 15 15 17 17 18 19 20 22 25 26 26 26 27 27 28 28 28 28 28 29 29 29 30 About This Guide What's New in Version 10.5 What's in This Guide Using This Guide Using Onscreen Help Mac OS X Server Administration Guides Viewing PDF Guides on Screen Printing PDF Guides Getting Documentation Updates Getting Additional Information Linking Your Network to the Internet About the Gateway Setup Assistant Running the Gateway Setup Assistant Connecting a Wired LAN to the Internet Connecting a Wired LAN and Wireless Clients to the Internet Connecting a Wireless LAN to the Internet Working with DHCP Service Setup Overview Before Setting Up DHCP Service Creating Subnets Assigning IP Addresses Dynamically Using Static IP Addresses Locating the DHCP Server Interacting with Other DHCP Servers Using Multiple DHCP Servers on a Network Assigning Reserved IP Addresses Getting More Information About the DHCP Process Turning DHCP Service On Setting Up DHCP Service Creating Subnets in DHCP Service Configuring Log Settings Chapter 1 Chapter 2 3 30 31 31 31 32 32 33 33 34 34 35 36 37 37 37 37 38 41 42 43 Chapter 3 45 46 46 46 46 47 48 48 49 51 52 52 53 54 55 56 56 57 57 58 58 58 Starting DHCP Service Managing DHCP Service Stopping DHCP Service Changing Subnet Settings in DHCP Service Deleting Subnets from DHCP Service Disabling Subnets Temporarily Changing IP Address Lease Times for a Subnet Setting the DNS Server for a DHCP Subnet Setting LDAP Options for a Subnet Setting WINS Options for a Subnet Assigning Static IP Addresses Using DHCP Removing or Changing Static Address Maps Monitoring DHCP Service Checking DHCP Service Status Viewing DHCP Log Entries Viewing the DHCP Client List Common Network Configurations That Use DHCP Configuring DHCP to Use an Extra LDAP Server URL DHCP Service for Mac OS X Clients Using DHCP with a Manual Address Where to Find More Information Working with DNS Service About DNS Zones Primary Zones Secondary Zones Forward Zones About DNS Machine Records About Bonjour Before You Set Up DNS Service Setting Up DNS Service for the First Time Turning DNS Service On Upgrading DNS Configuration Setting Up DNS Service Configuring Zone Settings Configuring Secondary Zone Settings Configuring Bonjour Settings Configuring DNS Settings Starting DNS Service Managing DNS Service Checking DNS Service Status Viewing DNS Service Logs Changing DNS Log Detail Levels Stopping DNS Service 4 Contents 59 59 60 60 61 62 62 62 63 64 64 65 65 66 66 67 67 68 68 69 69 70 70 70 73 73 74 74 75 75 Chapter 4 77 77 79 79 80 80 83 83 84 84 85 86 Enabling or Disabling Zone Transfers Enabling Recursion Managing DNS Zones Adding a Primary Zone Adding a Secondary Zone Adding a Forward Zone Changing a Zone Deleting a Zone Importing a BIND Zone File Managing DNS Records Adding an Alias Record to a DNS Zone Adding a Machine Record to a DNS Zone Adding a Service Record to a DNS Zone Changing a Record in a DNS Zone Deleting a Record from a DNS Zone Securing the DNS Server DNS Spoofing Server Mining DNS Service Profiling Denial of Service (DoS) Service Piggybacking Wide Area Bonjour Service Administration Common Network Administration Tasks That Use DNS Service Configuring DNS for Mail Service Setting Up Namespace Behind a NAT Gateway Network Load Distribution (Round Robin) Setting Up a Private TCP/IP Network Hosting Several Internet Services with a Single IP Address Hosting Multiple Domains on the Same Server Where to Find More Information Working with Firewall Service About Firewall Service Basic Firewall Practices Firewall Startup About Firewall Rules What a Firewall Rule Is Using Address Ranges Rule Mechanism and Precedence Multiple IP Addresses Editing IPv6 Firewall Rules Setup Overview Turning Firewall Service On Contents 5 87 87 88 89 89 89 90 90 90 91 91 92 92 93 94 94 95 95 96 96 97 97 97 98 99 99 100 100 100 101 101 102 103 103 104 104 104 105 108 Chapter 5 111 111 112 Setting Up Firewall Service Configuring Address Groups Settings Configuring Services Settings Configuring Logging Settings Configuring Advanced Settings Starting Firewall Service Managing Firewall Service Stopping Firewall Service Creating an Address Group Editing or Deleting an Address Group Duplicating an Address Group Adding to the Services List Editing or Deleting Items in the Services List Configuring Advanced Firewall Rules Editing or Deleting Advanced Firewall Rules Changing the Order of Advanced Firewall Rules Troubleshooting Advanced Firewall Rules Enabling Stealth Mode Adaptive Firewall Resetting the Firewall to the Default Setting Monitoring Firewall Service Checking the Status of Firewall Service Viewing Firewall Active Rules Viewing the Firewall Service Log Viewing Denied Packets Viewing Packets Logged by Firewall Rules Practical Firewall Examples Using Firewall with NAT Blocking Web Access to Internet Users Logging Internet Access by Local Network Users Blocking Junk Mail Permitting a Customer to Access the Apple File Server Common Network Administration Tasks That Use Firewall Service Preventing Denial of Service (DoS) Attacks Controlling or Enabling Peer-to-Peer Network Usage Controlling or Enabling Network Game Usage Preventing Network Virus Propagation TCP and UDP Port Reference Where to Find More Information Working with NAT Service Using NAT with Other Network Services NAT LAN Configuration Overview 6 Contents 113 113 113 115 116 116 117 118 118 118 118 120 120 123 Chapter 6 125 126 126 126 127 127 128 128 129 129 129 130 132 132 133 133 133 133 135 135 137 139 139 139 140 140 141 141 Turning NAT Service On Configuring NAT Service Configuring Port Forwarding Port Forwarding Examples Testing Port Forwarding Rules Starting and Stopping NAT Service Creating a Gateway Without NAT Monitoring NAT Service Viewing the NAT Status Overview Common Network Administration Tasks That Use NAT Linking a LAN to the Internet Through One IP Address Setting Up a LAN Party for Gaming Setting Up Virtual Servers Where to Find More Information Working with VPN Service VPN and Security Transport Protocols Authentication Method Using VPN Service with Users in a Third-Party LDAP Domain Before You Set Up VPN Service Configuring Other Network Services for VPN Setup Overview Turning VPN Service On Setting Up VPN Service Configuring L2TP Settings Configuring PPTP Settings Configuring Client Information Settings Configuring Logging Settings Starting VPN Service Managing VPN Service Stopping VPN Service Configuring VPN Network Routing Definitions Limiting VPN Access to Specific Users or Groups Limiting VPN Access to Specific Incoming IP Addresses Supplementary Configuration Instructions Monitoring VPN Service Viewing a VPN Status Overview Changing the Log Detail Level for VPN Service Viewing the VPN Log Viewing VPN Client Connections Common Network Administration Tasks That Use VPN Linking a Computer at Home with a Remote Network Contents 7 142 143 147 Chapter 7 149 149 149 150 150 150 152 152 153 153 153 154 154 154 154 155 155 156 157 157 158 158 158 159 161 161 162 163 163 164 164 164 165 165 165 165 166 Accessing a Computing Asset Behind a Remote Network Firewall Linking Two or More Remote Network Sites Where to Find More Information Working with RADIUS Service Before You Set Up RADIUS Service Setting Up RADIUS Service for the First Time Turning RADIUS Service On Setting Up RADIUS Service Configuring RADIUS Using the Configuration Assistant Adding AirPort Base Stations to a RADIUS Server Remotely Configuring AirPort Base Stations Configuring RADIUS to Use Certificates Archiving RADIUS Service Logs Starting or Stopping RADIUS Service Managing RADIUS Service Checking RADIUS Service Status Viewing RADIUS Service Logs Editing RADIUS Access Deleting AirPort Base Stations Editing an AirPort Base Station Record Saving an AirPort Base Station Internet Connect File Working with NTP Service How NTP Works Using NTP on Your Network Setting Up NTP Service Configuring NTP Service on Clients Where to Find More Information Supporting a VLAN Setting Up Client Membership for a VLAN Where to Find More Information Supporting IPv6 IPv6 Enabled Services Support for IPv6 Addresses in Server Admin IPv6 Addresses Notation IPv6 Reserved Addresses IPv6 Addressing Model IPv6 Address Types Creating an IPv4 to IPv6 Gateway Where to Find More Information Chapter 8 Chapter 9 Chapter 10 8 Contents Glossary Index 167 179 Contents 9 10 Contents This guide explains how to configure and administer Mac OS X Server network services. Mac OS X Server version 10.5 includes several network services that help you manage and maintain your network. What's New in Version 10.5 Mac OS X Server v10.5 offers the following major enhancements for network services:  New RADIUS feature: Mac OS X Server v10.5 offers RADIUS for authorizing user access to AirPort Base Stations.  New services configuration assistants: Mac OS X Server v10.5 offers a service configuration assistant for NAT and RADIUS.  Improved Bonjour: Mac OS X Server v10.5 offers Bonjour administration.  Revised and improved firewall: Mac OS X Server v10.5 uses an adaptive firewall that dynamically configures firewall rules and requires no configuration. What's in This Guide This guide includes the following chapters:  Chapter 1, "Linking Your Network to the Internet," tells you how to use Gateway Setup Assistant to link your network to the Internet.  Chapter 2, "Working with DHCP Service," tells you how to configure and use DHCP to assign IP addresses on your network.  Chapter 3, "Working with DNS Service," tells you how to use Mac OS X Server as a domain name server.  Chapter 4, "Working with Firewall Service," tells you how to maintain network security using a firewall.  Chapter 5, "Working with NAT Service," tells you how to configure and use NAT to connect many computers to the Internet with only one public IP address. Preface 11 About This Guide  Chapter 6, "Working with VPN Service," tells you how to configure and use VPN to allow remote users to access your private LAN securely.  Chapter 7, "Working with RADIUS Service," tells you how to configure and use RADIUS service to authorize Open Directory users and groups so they can access AirPort Base Stations on a network.  Chapter 8, "Working with NTP Service," tells you how to enable your server as a time server.  Chapter 9, "Supporting a VLAN," tells you about VLAN support for some server hardware configurations.  Chapter 10, "Supporting IPv6," tells you about IPv6 and the services that support IPv6 addressing. In addition, the Glossary provides brief definitions of the terms used in this guide. Note: Because Apple frequently releases new versions and updates to its software, images shown in this book might be different from what you see on your screen. Using This Guide Each chapter covers a specific network service. Read any chapter that's about a service you plan to provide to your users. Learn how the service works, what it can do for you, strategies for using it, how to set it up for the first time, and how to administer it over time. Also take a look at chapters that describe services with which you're unfamiliar. You might find that some of the services you haven't used before can help you run your network more efficiently and improve performance for your users. Most chapters end with a section called "Where to Find More Information." This section points you to websites and other reference material containing more information about the service. Using Onscreen Help You can get task instructions on screen in Help Viewer while you're managing Leopard Server. You can view help on a server or an administrator computer. (An administrator computer is a Mac OS X computer with Leopard Server administration software installed on it.) To get help for an advanced configuration of Leopard Server: m Open Server Admin or Workgroup Manager and then:  Use the Help menu to search for a task you want to perform.  Choose Help > Server Admin Help or Help > Workgroup Manager Help to browse and search the help topics. 12 Preface About This Guide The onscreen help contains instructions taken from Server Administration and other advanced administration guides described in "Mac OS X Server Administration Guides," next. To see the most recent server help topics: m Make sure the server or administrator computer is connected to the Internet while you're getting help. Help Viewer automatically retrieves and caches the most recent server help topics from the Internet. When not connected to the Internet, Help Viewer displays cached help topics. Mac OS X Server Administration Guides Getting Started covers installation and setup for standard and workgroup configurations of Mac OS X Server. For advanced configurations, Server Administration covers planning, installation, setup, and general server administration. A suite of additional guides, listed below, covers advanced planning, setup, and management of individual services. You can get these guides in PDF format from the Mac OS X Server documentation website: www.apple.com/server/documentation. This guide... Getting Started and Mac OS X Server Worksheet Command-Line Administration File Services Administration iCal Service Administration iChat Service Administration Mac OS X Security Configuration Mac OS X Server Security Configuration Mail Service Administration Network Services Administration Open Directory Administration Podcast Producer Administration tells you how to: Install Mac OS X Server and set it up for the first time. Install, set up, and manage Mac OS X Server using UNIX commandline tools and configuration files. Share selected server volumes or folders among server clients using the AFP, NFS, FTP, and SMB protocols. Set up and manage iCal shared calendar service. Set up and manage iChat instant messaging service. Make Mac OS X computers (clients) more secure, as required by enterprise and government customers. Make Mac OS X Server and the computer it's installed on more secure, as required by enterprise and government customers. Set up and manage IMAP, POP, and SMTP mail services on the server. Set up, configure, and administer DHCP, DNS, VPN, NTP, IP firewall, NAT, and RADIUS services on the server. Set up and manage directory and authentication services, and configure clients to access directory services. Set up and manage Podcast Producer service to record, process, and distribute podcasts. Preface About This Guide 13 This guide... Print Service Administration QuickTime Streaming and Broadcasting Administration Server Administration tells you how to: Host shared printers and manage their associated queues and print jobs. Capture and encode QuickTime content. Set up and manage QuickTime streaming service to deliver media streams live or on demand. Perform advanced installation and setup of server software, and manage options that apply to multiple services or to the server as a whole. Use NetBoot, NetInstall, and Software Update to automate the management of operating system and other software used by client computers. Use data and service settings from an earlier version of Mac OS X Server or Windows NT. Create and manage user accounts, groups, and computers. Set up managed preferences for Mac OS X clients. Set up and manage web technologies, including web, blog, webmail, wiki, MySQL, PHP, Ruby on Rails, and WebDAV. Set up and manage computational clusters of Xserve systems and Mac computers. Learn about terms used for server and storage products. System Imaging and Software Update Administration Upgrading and Migrating User Management Web Technologies Administration Xgrid Administration and High Performance Computing Mac OS X Server Glossary Viewing PDF Guides on Screen While reading the PDF version of a guide onscreen:  Show bookmarks to see the guide's outline, and click a bookmark to jump to the corresponding section.  Search for a word or phrase to see a list of places where it appears in the document. Click a listed place to see the page where it occurs.  Click a cross-reference to jump to the referenced section. Click a web link to visit the website in your browser. Printing PDF Guides If you want to print a guide, you can take these steps to save paper and ink:  Save ink or toner by not printing the cover page.  Save color ink on a color printer by looking in the panes of the Print dialog for an option to print in grays or black and white. 14 Preface About This Guide  Reduce the bulk of the printed document and save paper by printing more than one page per sheet of paper. In the Print dialog, change Scale to 115% (155% for Getting Started). Then choose Layout from the untitled pop-up menu. If your printer supports two-sided (duplex) printing, select one of the Two-Sided options. Otherwise, choose 2 from the Pages per Sheet pop-up menu, and optionally choose Single Hairline from the Border menu. (If you're using Mac OS X v10.4 or earlier, the Scale setting is in the Page Setup dialog and the Layout settings are in the Print dialog.) You may want to enlarge the printed pages even if you don't print double sided, because the PDF page size is smaller than standard printer paper. In the Print dialog or Page Setup dialog, try changing Scale to 115% (155% for Getting Started, which has CDsize pages). Getting Documentation Updates Periodically, Apple posts revised help pages and new editions of guides. Some revised help pages update the latest editions of the guides.  To view new onscreen help topics for a server application, make sure your server or administrator computer is connected to the Internet and click "Latest help topics" or "Staying current" in the main help page for the application.  To download the latest guides in PDF format, go to the Mac OS X Server documentation website: www.apple.com/server/documentation Getting Additional Information For more information, consult these resources:  Read Me documents--important updates and special information. Look for them on the server discs.  Mac OS X Server website (www.apple.com/server/macosx)--gateway to extensive product and technology information.  Mac OS X Server Support website (www.apple.com/support/macosxserver)--access to hundreds of articles from Apple's support organization.  Apple Training website (www.apple.com/training)--instructor-led and self-paced courses for honing your server administration skills.  Apple Discussions website (discussions.apple.com)--a way to share questions, knowledge, and advice with other administrators.  Apple Mailing Lists website (www.lists.apple.com)--subscribe to mailing lists so you can communicate with other administrators using email.  OpenLDAP website (www.openldap.org)--learn about the open source software that Open Directory uses to provide LDAP directory service. Preface About This Guide 15  MIT Kerberos website (web.mit.edu/kerberos/www/)--get background information and specifications for the protocol that Open Directory uses to provide robust single sign-on authentication.  Berkeley DB website (www.oracle.com/database/berkeley-db/)--investigate feature descriptions and technical documentation for the open source database that Open Directory uses to store LDAP directory data.  RFC3377, "Lightweight Directory Access Protocol (v3): Technical Specification" (www.rfceditor.org/rfc/rfc3377.txt)--lists a set of eight other Request for Comment (RFC) documents with overview information and detailed specifications for the LDAPv3 protocol. 16 Preface About This Guide 1 Linking Your Network to the Internet 1 Use the Gateway Setup Assistant to guide you through the initial setup of your server to serve as a gateway between your private network and the Internet. The Gateway Setup Assistant guides you through configuring your server to connect to the Internet. You make further changes to the service configuration using Server Admin. For network services, see the relevant section in this book for instructions. About the Gateway Setup Assistant The Gateway Setup Assistant helps you quickly and easily set up Mac OS X Server v10.5 to share your Internet connection with your local network. After you configure a few settings, the assistant can start sharing the server connection. Depending on your configuration choices, the assistant performs the following when it sets up the server:  Assigns the server a static IP address for each internal network interface. The address assigned is 192.168.x.1. The value used for x is determined by the network interface's order in the Network System Preference pane. For example, for the first interface on the list, x is 0; for the second interface, x is 1.  Enables DHCP to allocate addresses on the internal network, removing existing DHCP subnets.  Sets aside specific internal (192.168.x.x) addresses for DHCP use. Without VPN started, each interface can allocate addresses from 192.168.x.2 to 192.168.x.254.  (Optional) Enables VPN to permit authorized external clients to connect to the local network. VPN L2TP is enabled, so you must enter a shared secret (a passphrase) for client connections to use.  Sets aside specific internal addresses (192.168.x.x) for VPN use. 17 If VPN is selected, half of the allotted IP addresses in the DHCP range are reserved for VPN connections. The addresses 192.168.x.128­192.168.x.254 are allotted to VPN connections.  Enables the firewall to help secure the internal network. Address groups are added for each internal network interface, with all traffic permitted from the newly created DHCP address ranges to any destination address.  Enables network address translation (NAT) on the internal network and adds a NAT divert rule to the IP firewall to direct network traffic to the correct computer. This also protects the internal network from unsolicited external connections.  Enables DNS on the server, configured to cache lookups, to improve DNS response for internal clients. Before configuring these settings, you can review the proposed changes before committing to them and overwriting existing settings. You can make further changes to the service configuration using Server Admin. For network services, see the relevant section in this book for information. If you run the Gateway Setup Assistant again, it overwrites manual settings you made. Running the Gateway Setup Assistant You run the Gateway Setup Assistant from the NAT service Overview pane in Server Admin. To run the Gateway Setup Assistant: 1 Open Server Admin and connect to the server. 2 Click Settings, then click Services. 3 Select the NAT checkbox, then click Save. 4 Click the triangle to the left of the server. The list of services appears. 5 From the expanded Servers list, select NAT. 6 Click Overview. 7 Click Gateway Setup Assistant. 8 Follow the directions in the assistant, click Continue after each page, read the final configuration summary carefully, and make sure you approve of the settings before finalizing the configuration. WARNING: Although you can use Service Configuration Assistant to configure remote servers, you can accidentally cut off your administrator access to the remote server. 18 Chapter 1 Linking Your Network to the Internet Connecting a Wired LAN to the Internet You can use the Gateway Setup Assistant to connect a wired LAN to the Internet. Your LAN can consist of any number of computers connected to each other through Ethernet hubs and switches, but the LAN must have one point of contact with the Internet (the gateway). Your gateway has one connection to the Internet and one connection to the LAN. All other computers access the Internet through your gateway. You can configure your Mac OS X server to be a gateway to the Internet, which requires that your server have two Ethernet ports (en0 and en1). Ethernet en0 should be connected to the Internet and en1 should be connected to your LAN. After this process, computers on the LAN:  Can get IP addresses and network settings that were configured using DHCP.  Can access the Internet if the gateway is connected to the Internet.  Can't be accessed by unauthorized network connections originating from the Internet.  Can be accessed over the Internet by authorized VPN clients (if VPN is configured).  Can benefit from DNS lookup caching in the gateway, which speeds DNS resolution. To connect a wired LAN to the Internet: 1 Plug the connection to the Internet into the Ethernet 1 (en0) port. 2 Plug the connection to your LAN into the Ethernet 2 (en1) port. 3 Open Server Admin and connect to the server. 4 Click Settings, then click Services. 5 Select the NAT checkbox. 6 Click Save. 7 Click the triangle to the left of the server. The list of services appears. 8 From the expanded Servers list, select NAT. 9 Click Overview, then click Gateway Setup Assistant. 10 Click Continue. If your server has existing DHCP, DNS, NAT, and VPN configurations, you are prompted to overwrite those configurations. If you want to overwrite existing configurations, click Overwrite to continue. 11 From the Gateway WAN Interface pop-up menu, choose Ethernet 1 (en0) for you WAN interface, then click Continue. 12 From the list of network interfaces, select the Ethernet 2 checkbox for you LAN interface and click Continue. Chapter 1 Linking Your Network to the Internet 19 Your LAN interface is the one connected to your local network. All computers on the LAN share the server's Internet connection through the server's WAN interface. If your server has more than one interface available (Ethernet port 2, Ethernet port 3, and so on), choose those you want to enable. 13 (Optional) If you want to make your gateway server a VPN entry point to your LAN, select the Enable VPN for this server checkbox. If you enable VPN, you need a shared secret. A shared secret is a passphrase that users must provide to securely connect to the VPN gateway. It should be a very secure passphrase, not the password of a user or administrator on the gateway server. To set a very secure passphrase, use Password Assistant in Account Preferences. For more information, see Mac OS X Server Security Configuration. For more information, see Chapter 6, "Working with VPN Service." 14 Click Continue. 15 Inspect and confirm your setup. 16 Click Continue. NAT and all dependent services will be configured and started. 17 Click Close. Options You can fine-tune the settings of this base configuration, but you perform additional configuration in Server Admin. For example, you can use Server Admin to assign IP addresses to specific computers. To do this, add static address mappings in the DHCP service settings. For more information, see Chapter 2, "Working with DHCP Service." You can also change firewall settings to permit connections from the Internet to the LAN. To do this, change the firewall settings, open up IP ports as needed, and configure port forwarding (by editing UNIX files from the command line) to designate which computer on the LAN is to accept incoming traffic. Connecting a Wired LAN and Wireless Clients to the Internet You can use the Gateway Setup Assistant to connect a wired LAN and wireless clients to the Internet. Your LAN can consist of any number of computers connected to each other through Ethernet hubs and switches, but the LAN must have one point of contact with the Internet (the gateway). Your LAN must also have an AirPort Base Station to connect the wireless computers to the wired network. Your wireless clients must be able to connect to the AirPort Base Station's wireless network to be linked to the wired LAN. 20 Chapter 1 Linking Your Network to the Internet After this process, computers on the LAN and those connected to the AirPort Base Station:  Can get IP addresses and network settings configured using DHCP.  Can access the Internet, if the gateway is connected to the Internet.  Can't be accessed by unauthorized network connections originating from the wired connection to the Internet.  Can be accessed over the Internet by authorized VPN clients (if VPN is configured).  Can benefit from DNS lookup caching in the gateway, which speeds DNS resolution. To connect a wired LAN and wireless clients to the Internet: 1 Plug the connection to the Internet into the Ethernet 1 (en0) port. 2 Plug the connection to your LAN into the Ethernet 2 (en1) port. 3 Connect the AirPort Base Station port (the WAN port, if there are two) to the wired network. 4 Using the AirPort Utility, configure the Base Station to connect using Ethernet and to get its address using DHCP. You can open it from the /Applications/Utilities/ folder. 5 Select your base station, and then choose Manual Setup from the Base Station menu. 6 Enter the base station password if necessary. 7 Click Internet in the toolbar, then click Internet Connection. 8 From the Connect Using pop-up menu choose Ethernet. 9 From the Configure IPv4 pop-up menu choose Using DHCP. 10 From the Connection Sharing pop-up menu choose Off (Bridge Mode). 11 To change Base Station settings, click Update. 12 Open Server Admin and connect to the server. 13 Click Settings, then click Services. 14 Select the NAT checkbox. 15 Click Save. 16 Click the triangle to the left of the server. The list of services appears. 17 From the expanded Servers list, select NAT. 18 Click Overview, then click Gateway Setup Assistant. 19 Click Continue. 20 For your WAN (Internet) interface, designate Ethernet 1. 21 For your LAN (sharing) interface, designate Ethernet 2. Chapter 1 Linking Your Network to the Internet 21 Your LAN interface is the one connected to your local network. All computers on the LAN share the server's Internet connection through the server's WAN interface. If your server has more than one interface available (Ethernet port 2, Ethernet port 3, and so on), choose those you want to enable. 22 Choose whether to make this gateway a VPN entry point to your LAN. If you enable VPN, you need a shared secret. A shared secret is a passphrase that users must provide to securely connect to the VPN gateway. It should be a very secure passphrase, not a password of a user or administrator on the gateway server. To set a very secure passphrase, use Password Assistant in Account Preferences. For more information, see Mac OS X Server Security Configuration. For more information about VPN, see Chapter 6, "Working with VPN Service." 23 Inspect and confirm the changes. Options You can fine-tune the settings of this base configuration, but you perform additional configuration in Server Admin. For example, you can use Server Admin to assign IP addresses to specific computers. To do this, add static address mappings in the DHCP section's Settings tab. For more information, see Chapter 2, "Working with DHCP Service." You can also change firewall settings to permit connections from the Internet to the LAN. To do this, change the firewall settings, opening up IP ports as needed, and configure port forwarding in the NAT pane to designate which computer on the LAN is to accept incoming traffic. Connecting a Wireless LAN to the Internet Connecting wireless clients to the Internet through a Mac OS X Server gateway provides the following advantages over using AirPort Base Station built-in functions:  Advanced firewall control  DHCP allocation of static IP addresses  DNS caching  Incoming VPN connections to the LAN If you do not need these advanced functions, use the AirPort Base Station to connect your wireless clients to the Internet without using a Mac OS X Server between the Base Station and the Internet. To take advantage of the gateway's features, you use the Base Station as a bridge between your wireless clients and the gateway. Each client connects to the Base Station, and the Base Station sends network traffic through the gateway. 22 Chapter 1 Linking Your Network to the Internet All wireless clients must be able to connect to the AirPort Base Station's wireless network to be linked to the gateway. After this process, computers connected to the AirPort Base Station:  Can get IP addresses and network settings configured using DHCP.  Can access the Internet if the gateway is connected to the Internet.  Can't be accessed by unauthorized network connections originating from the wired connection to the Internet.  Can be accessed over the Internet by authorized VPN clients (if VPN is configured).  Can benefit from DNS lookup caching in the gateway, which speeds DNS resolution. To connect a wired LAN and wireless clients to the Internet: 1 Plug the connection to the Internet into the Ethernet 1 (en0) port. 2 Connect the AirPort Base Station port (the WAN port, if there are two) to the Ethernet 2 (en1) port. 3 Using the AirPort Utility, configure the Base Station to connect using Ethernet and to get its address using DHCP. You can open it from the /Applications/Utilities/ folder. 4 Select your base station, and then choose Manual Setup from the Base Station menu. 5 Enter the base station password if necessary. 6 Click Internet in the toolbar, then click Internet Connection. 7 From the Connect Using pop-up menu choose Ethernet. 8 From the Configure IPv4 pop-up menu choose Using DHCP. 9 From the Connection Sharing pop-up menu choose Off (Bridge Mode). 10 To change Base Station settings, click Update. 11 Open Server Admin and connect to the server. 12 Click Settings, then click Services. 13 Select the NAT checkbox. 14 Click Save. 15 Click the triangle to the left of the server. The list of services appears. 16 From the expanded Servers list, select NAT. 17 Click Overview, then click Gateway Setup Assistant. 18 Click Continue. 19 For your WAN (Internet) interface, designate Built-In Ethernet 1. 20 For your LAN (sharing) interface, designate Built-In Ethernet 2. Chapter 1 Linking Your Network to the Internet 23 Your LAN interface is the one connected to your local network. Computers on the LAN share the server's Internet connection through the server's WAN interface. If your server has more than one interface available (Ethernet port 2, Ethernet port 3, and so on), choose those you want to enable. 21 Choose whether to make this gateway a VPN entry point to your LAN. If you enable VPN, you need a shared secret. A shared secret is a passphrase that users must provide to securely connect to the VPN gateway. It should be a very secure passphrase, not a password of a user or administrator on the gateway server. To set a very secure passphrase, use Password Assistant in Account Preferences. For more information, see Mac OS X Server Security Configuration. For more information about VPN, see Chapter 6, "Working with VPN Service." 22 Inspect and confirm the changes. Options You can fine-tune the settings from this base configuration but you perform additional configuration in Server Admin. For example, you can use Server Admin to assign IP addresses to specific computers. To do this, add static address mappings in the DHCP section's Settings tab. For more information, see Chapter 2, "Working with DHCP Service." You can also change firewall settings to permit connections from the Internet to the LAN. To do this, change the firewall settings, opening up IP ports as needed, and configure port forwarding in the NAT pane to designate which computer on the LAN is to accept incoming traffic. 24 Chapter 1 Linking Your Network to the Internet 2 Working with DHCP Service 2 This chapter describes how to set up and manage DHCP service in Mac OS X Server. If your organization has more clients than IP addresses, you can benefit from using Dynamic Host Configuration Protocol (DHCP) service. IP addresses are assigned as needed, and when they're not needed, they can be used by other clients. You can use a combination of static and dynamic IP addresses for your network. DHCP service lets you administer and distribute IP addresses to computers from your server. When you configure the DHCP server, you assign a block of IP addresses that can be made available to clients. Each time a computer configured to use DHCP starts up, it looks for a DHCP server on your network. If it finds a DHCP server, the client computer then requests an IP address. The DHCP server checks for an available IP address and sends it to the computer with a lease period (the length of time the client computer can use the address) and configuration information. For more information about static and dynamic allocation of IP addresses, see "Before Setting Up DHCP Service" on page 26. Organizations can benefit from the features of DHCP service, such as the ability to set Domain Name System (DNS) and Lightweight Directory Access Protocol (LDAP) options for computers without needing to configure each client. You can use the DHCP module in Server Admin to:  Configure and administer DHCP service  Create and administer subnets  Configure DNS, LDAP, and Windows Internet Naming Service (WINS) options for client computers  View DHCP address leases 25 Setup Overview Here is an overview of the basic steps for setting up DHCP service. Note: If you used the Gateway Setup Assistant to configure ports on your server when you installed Mac OS X Server, some DHCP information is already configured. Follow the steps in this section to finish configuring DHCP service. You can find more information about settings for each step in "Managing DHCP Service" on page 31. Step 1: Before you begin For issues to keep in mind when you setup DHCP service, read "Before Setting Up DHCP Service" on page 26. Step 2: Turn DHCP service on Before configuring DHCP service, turn on DHCP. See "Turning DHCP Service On" on page 29. Step 3: Create subnets Use Server Admin to create a pool of IP addresses that are shared by the client computers on your network. You create one range of shared addresses per subnet. These addresses are assigned by the DHCP server when a client issues a request. See "Creating Subnets in DHCP Service" on page 29. Step 4: Configure DHCP log settings You can log the activity and errors in your DHCP service to help you identify use patterns and problems with your server. The DHCP service records diagnostic messages in the system log file. To keep this file from growing too large, you can suppress most messages by changing your log settings in the Logging pane of the DHCP service settings. See "Configuring Log Settings" on page 30. Step 5: Start DHCP service After you configure DHCP, start the service to make it available. See "Starting DHCP Service" on page 30. Before Setting Up DHCP Service This section provides information about creating subnets, assigning static and dynamic IP addresses, locating your server on the network, and avoiding reserved IP addresses. Creating Subnets Subnets are groupings of computers on a network that simplify administration. You can organize subnets any way that is useful to you. For example, you can create subnets for different groups in your organization or for different floors of a building. 26 Chapter 2 Working with DHCP Service After you group computers into subnets, you can configure options for all computers on a subnet at one time instead of setting options for individual computers. Each subnet needs a way to connect to other subnets. A hardware device called a router typically connects subnets. Assigning IP Addresses Dynamically With dynamic address allocation, an IP address is assigned for a limited period of time (the lease time) or until the computer doesn't need the IP address, whichever comes first. By using short leases, DHCP can reassign IP addresses on networks that have more computers than IP addresses. Leases are renewed if the address isn't needed by another computer. Addresses allocated to Virtual Private Network (VPN) clients are distributed much like DHCP addresses, but they don't come out of the same range of addresses as DHCP. If you plan on using VPN, be sure to leave some addresses unallocated by DHCP for use by VPN. To learn more about VPN, see Chapter 6, "Working with VPN Service," on page 125. Using Static IP Addresses Static IP addresses are assigned to a computer or device once and then don't change. You can assign static IP addresses to computers that must have a continuous Internet presence, such as web servers. Other devices that must be continuously available to network users, such as printers, can also benefit from static IP addresses. Static IP addresses can be set up manually by entering the IP address on the computer (or other device) that is assigned the address, or by configuring DHCP to provide the same address to a specific computer or device on each request. Manually configured static IP addresses avoid potential issues that some services can have with DHCP-assigned addresses, and they don't suffer from the delay that DHCP requires to assign an address. DHCP-assigned addresses permit address configuration changes at the DHCP server rather than at each client. Don't include manually assigned static IP address ranges in the range distributed by DHCP. You can set up DHCP to always serve the same address to the same computer. For more information, see "Assigning Static IP Addresses Using DHCP" on page 35. Chapter 2 Working with DHCP Service 27 Locating the DHCP Server When a computer looks for a DHCP server, it broadcasts a message. If your DHCP server is on a different subnet from the computer, make sure the routers that connect your subnets can forward the client broadcasts and the DHCP server responses. A relay agent or router on your network that can relay BootP communications will work for DHCP. If you don't have a means to relay BootP communications, place the DHCP server on the same subnet as your client. Interacting with Other DHCP Servers You might already have DHCP servers on your network, such as AirPort Base Stations. Mac OS X Server can coexist with other DHCP servers as long as each DHCP server uses a unique pool of IP addresses. However, you might want your DHCP server to provide an LDAP server address for client autoconfiguration in managed environments. Because AirPort Base Stations can't provide an LDAP server address, if you want to use the autoconfiguration feature, you must set up AirPort Base Stations in Ethernet-bridging mode and have Mac OS X Server provide DHCP service. If the AirPort Base Stations are on separate subnets, your routers must be configured to forward client broadcasts and DHCP server responses as described previously. To provide DHCP service with AirPort Base Stations. You must manually enter LDAP server addresses of computers. You can't use the client autoconfiguration feature. Using Multiple DHCP Servers on a Network You can have multiple DHCP servers on the same network. However, they must be configured properly to prevent interference with each other. Each server needs a unique pool of IP addresses to distribute. Assigning Reserved IP Addresses Some IP addresses can't be assigned, including addresses reserved for loopback and for broadcasting. Your ISP won't assign these addresses to you. If you try to configure DHCP to use these addresses, you're warned that the addresses are invalid and you must enter valid addresses. Getting More Information About the DHCP Process Mac OS X Server uses a daemon process named bootpd that is responsible for the DHCP Service's address allocation. For more information about bootpd and its advanced configuration options, see the bootpd man page. 28 Chapter 2 Working with DHCP Service Turning DHCP Service On Before you can configure DHCP settings, you must turn on DHCP service in Server Admin. To turn DHCP service on: 1 Open Server Admin and connect to the server. 2 Click Settings. 3 Click Services. 4 Select the DHCP checkbox. 5 Click Save. Setting Up DHCP Service Set up DHCP service by configuring the following items in Server Admin:  Subnet. Create a pool of IP addresses that are shared by computers on your network.  Log Level. Configure the DHCP event log level. The following sections describe the tasks for configuring these settings. A final section tells you how to start DHCP service when you finish. Creating Subnets in DHCP Service Subnets are groupings of computers on the same network that can be organized by location (for example, different floors of a building) or by usage (for example, all eighth-grade students). Each subnet has at least one range of IP addresses assigned to it. To create a subnet: 1 Open Server Admin and connect to the server. 2 Click the triangle to the left of the server. The list of services appears. 3 From the expanded Servers list, select DHCP. 4 Click Subnets. 5 Click the Add (+) button. 6 Enter a descriptive name for the new subnet. 7 Enter a starting and ending IP address for this subnet range. Addresses must be contiguous and they can't overlap with other subnet ranges. 8 Enter the subnet mask for the network address range. 9 From the pop-up menu, choose the network interface that will host DHCP service. 10 Enter the IP address of the router for this subnet. Chapter 2 Working with DHCP Service 29 If the server you're configuring is the router for the subnet, enter this server's internal LAN IP address as the router's address. 11 Define a lease time in hours, days, weeks, or months. 12 If you want to set DNS, LDAP, or WINS information for this subnet, enter these now. For more information, see "Setting the DNS Server for a DHCP Subnet" on page 33, "Setting LDAP Options for a Subnet" on page 34, and "Setting WINS Options for a Subnet" on page 34. 13 Click Save. 14 To enable the subnet, select the Enable checkbox. 15 Click Save. Configuring Log Settings You can choose the level of detail you want for DHCP service logs:  Low (errors only): Indicates conditions where you must take immediate action (for example, if the DHCP server can't start up). This level corresponds to bootpd reporting in quiet mode, with the "-q" flag.  Medium (errors and warnings): Alerts you to conditions where data is inconsistent but the DHCP server can still operate. This level corresponds to default bootpd reporting.  High (all events): Records all activity by the DHCP service, including routine functions. This level corresponds to bootpd reporting in verbose mode with the "-v" flag. To set up the log detail level: 1 Open Server Admin and connect to the server. 2 Click the triangle to the left of the server. The list of services appears. 3 From the expanded Servers list, select DHCP. 4 Click Settings. 5 From the Log Level pop-up menu, choose the logging option you want. 6 Click Save. Starting DHCP Service You start the DHCP service to provide IP addresses to your users. You must have at least one subnet created and enabled. To start DHCP service: 1 Open Server Admin and connect to the server. 2 Click the triangle to the left of the server. 30 Chapter 2 Working with DHCP Service The list of services appears. 3 From the expanded Servers list, select DHCP. 4 Click the Start DHCP button (below the Servers list). If the Firewall service is running, a warning appears asking you to verify that all ports used by DHCP are open. Click OK. The service runs until you stop it. It restarts when your server is restarted. From the Command Line You can also start the DHCP service using the serveradmin command in Terminal. For more information, see the file services chapter of Command-Line Administration. Managing DHCP Service This section describes how to set up and manage DHCP service on Mac OS X Server. It includes starting the service, creating subnets, and setting optional settings such as LDAP or DNS for a subnet. Stopping DHCP Service When starting or stopping DHCP, you must have at least one subnet created and enabled. To stop DHCP service: 1 Open Server Admin and connect to the server. 2 Click the triangle to the left of the server. The list of services appears. 3 From the expanded Servers list, select DHCP. 4 Click the Stop DHCP button (below the Servers list). 5 Click Stop Now. Changing Subnet Settings in DHCP Service Use Server Admin to change DHCP subnet settings. You can change IP address range, subnet mask, network interface, router, or lease time. To change subnet settings: 1 Open Server Admin and connect to the server. 2 Click the triangle to the left of the server. The list of services appears. 3 From the expanded Servers list, select DHCP. 4 Click Subnets. 5 Select a subnet. Chapter 2 Working with DHCP Service 31 6 Make the changes you want. These changes can include adding DNS, LDAP, or WINS information. You can also redefine address ranges or redirect the network interface that responds to DHCP requests. 7 Click Save. If DHCP is running you are prompted to restart DHCP for your change to take effect. Otherwise, your changes take effect the next time you start DHCP. Deleting Subnets from DHCP Service You can delete subnets and subnet IP address ranges so they are no longer distributed to computers. To delete subnets or address ranges: 1 Open Server Admin and connect to the server. 2 Click the triangle to the left of the server. The list of services appears. 3 From the expanded Servers list, select DHCP. 4 Click Subnets. 5 Select a subnet. 6 Click the Delete (­) button. 7 Click Save. If DHCP is running you are prompted to restart DHCP for your change to take effect. Otherwise, your changes take effect the next time you start DHCP. Disabling Subnets Temporarily You can temporarily shut down a subnet without losing its settings. No IP addresses from the subnet's range are distributed on the selected interface to any computer until you reenable the subnet. To disable a subnet: 1 Open Server Admin and connect to the server. 2 Click the triangle to the left of the server. The list of services appears. 3 From the expanded Servers list, select DHCP. 4 Click Subnets. 5 Deselect Enable next to the subnet you want to disable. 6 Click Save. 32 Chapter 2 Working with DHCP Service If DHCP is running, you are prompted to restart DHCP for your change to take effect. Otherwise, your changes take effect the next time you start DHCP. Changing IP Address Lease Times for a Subnet You can change how long IP addresses on a subnet are available to computers. To change the lease time for a subnet: 1 Open Server Admin and connect to the server. 2 Click the triangle to the left of the server. The list of services appears. 3 From the expanded Servers list, select DHCP. 4 Click Subnets. 5 Select a subnet. 6 From the Lease Time pop-up menu, choose a time scale (hours, days, weeks, or months). 7 In the Lease Time field, enter a number. 8 Click Save. If DHCP is running you are prompted to restart DHCP for your change to take effect. Otherwise, your changes take effect the next time you start DHCP. Setting the DNS Server for a DHCP Subnet You can determine the DNS servers and default domain name a subnet should use. DHCP service provides this information to computers in the subnet. To set DNS options for a subnet: 1 Open Server Admin and connect to the server. 2 Click the triangle to the left of the server. The list of services appears. 3 From the expanded Servers list, select DHCP. 4 Click Subnets. 5 Select a subnet. 6 Click DNS. 7 Enter the primary and secondary name server IP addresses you want DHCP clients to use. 8 Enter the default domain of the subnet. 9 Click Save. If DHCP is running you are prompted to restart DHCP for your change to take effect. Otherwise, your changes take effect the next time you start DHCP. Chapter 2 Working with DHCP Service 33 Setting LDAP Options for a Subnet You can use DHCP to automatically provide your clients with LDAP server information rather than manually configuring each client's LDAP information. The order in which the LDAP servers appear in the list determines their search order in the automatic Open Directory search policy. If you are using this Mac OS X Server as an LDAP master, LDAP options are populated with the necessary configuration information. If your LDAP master server is another computer, you must know the domain name or IP address of the LDAP database that you want to use, and you must know the LDAP search base. To set LDAP options for a subnet: 1 Open Server Admin and connect to the server. 2 Click the triangle to the left of the server. The list of services appears. 3 From the expanded Servers list, select DHCP. 4 Click Subnets. 5 Select a subnet. 6 Click LDAP. 7 Enter the domain name or IP address of the LDAP server for this subnet. 8 Enter the search base for LDAP searches. 9 If you're using a nonstandard port, enter the LDAP port number. 10 If necessary, select LDAP over SSL. Use this option to secure LDAP communication. 11 Click Save. If DHCP is running you are prompted to restart DHCP for your change to take effect. Otherwise, your changes take effect the next time you start DHCP. Setting WINS Options for a Subnet You can give more information to computers running Windows on a subnet by adding Windows-specific settings to the DHCP-supplied network configuration data. These Windows-specific settings permit Windows clients to browse their Network Neighborhood. You must know the domain name or IP address of the Windows Internet Naming Service/NetBIOS Name Server (WINS/NBNS) primary and secondary servers (usually the IP address of the DHCP server), and the NetBIOS over TCP/IP (NBT) node type. The following are possible node types:  Hybrid (h-node): Checks the WINS server and then broadcasts 34 Chapter 2 Working with DHCP Service  Peer (p-node): Checks the WINS server for name resolution  Broadcast (b-node): Broadcasts for name resolution (most commonly used)  Mixed (m-node): Broadcasts for name resolution and then checks the WINS server The NetBIOS Datagram Distribution (NBDD) server works with NBNS to route datagrams to computers on a different subnet. The NetBIOS Scope ID isolates NetBIOS communication on a network. The NetBIOS Scope ID is appended to the NetBIOS name of the computer. All computers that have the same NetBIOS Scope ID can communicate. NBDD Server and the NetBIOS Scope ID are typically not used, but you might need to use them depending on your Windows clients' configuration and Windows network infrastructure. To set WINS options for a subnet: 1 Open Server Admin and connect to the server. 2 Click the triangle to the left of the server. The list of services appears. 3 From the expanded Servers list, select DHCP. 4 Click Subnets. 5 Select a subnet. 6 Click WINS. 7 Enter the domain name or IP address of the WINS/NBNS primary and secondary servers for this subnet. 8 Enter the domain name or IP address of the NBDD server for this subnet. 9 From the pop-up menu, choose the NBT node type. 10 Enter the NetBIOS Scope ID. 11 Click Save. If DHCP is running you are prompted to restart DHCP for your change to take effect. Otherwise, your changes take effect the next time you start DHCP. Assigning Static IP Addresses Using DHCP You can assign the same address to the same computers. This helps simplify configuration when using DHCP and lets you have some static servers or services. To keep the same IP address for a computer, you must know the computer's Ethernet address (also known as the MAC address or hardware address). Each network interface has its own Ethernet address. Chapter 2 Working with DHCP Service 35 If a computer is connected to a wired network and a wireless network, it uses a different Ethernet address for each network connection. To assign static IP addresses: 1 Open Server Admin and connect to the server. 2 Click the triangle to the left of the server. The list of services appears. 3 From the expanded Servers list, select DHCP. 4 Click Static Maps. 5 Click Add Computer. 6 Enter the name of the computer. 7 In the Network Interfaces list, click the column to enter the following information: MAC Address of the computer that needs a static address. IP address you want to assign to the computer. 8 If your computer has other network interfaces that require static IP addresses, click the Add (+) button and enter the IP address you want to assign for each interface. 9 Click OK. 10 Click Save. If DHCP is running you are prompted to restart DHCP for your change to take effect. Otherwise, your changes take effect the next time you start DHCP. Removing or Changing Static Address Maps You can change the static mappings or remove them as needed. To change the static address map: 1 Open Server Admin and connect to the server. 2 Click the triangle to the left of the server. The list of services appears. 3 From the expanded Servers list, select DHCP. 4 Click Static Maps. 5 Select a mapping to Edit or Remove. 6 Click the Edit button or the Remove button. If you are editing the mapping, make changes you want, then click OK. 7 Click Save. If DHCP is running you are prompted to restart DHCP for your change to take effect. Otherwise, your changes take effect the next time you start DHCP. 36 Chapter 2 Working with DHCP Service Monitoring DHCP Service You can use the following methods to monitor and troubleshoot DHCP service:  Monitor the computers that are using the service by viewing the client list.  Monitor the log files generated by the service.  Use service logs to troubleshoot network problems. The following sections discuss these aspects of DHCP service. Checking DHCP Service Status The status overview shows the following summary of the DHCP service.  Whether the service is running  How many clients it has  When the service was started  How many IP addresses are statically assigned from your subnets  The last time the client database was updated To view DHCP service status: 1 Open Server Admin and connect to the server. 2 Click the triangle to the left of the server. The list of services appears. 3 From the expanded Servers list, select DHCP. 4 Click Overview to view whether the service is running, when it started, the number of clients connected, and the when the last database update occurred. Viewing DHCP Log Entries If you've enabled logging for DHCP service, you can check the system log for DHCP errors. The log view is the system.log file filtered for bootpd. Use the Filter field to search for specific entries. To view DHCP log entries: 1 Open Server Admin and connect to the server. 2 Click the triangle to the left of the server. The list of services appears. 3 From the expanded Servers list, select DHCP. 4 Click Log. 5 To search for specific entries, use the Filter field (upper right corner). Viewing the DHCP Client List The DHCP Clients window gives the following information for each client: Chapter 2 Working with DHCP Service 37  The IP address served to the client  The number of days of lease time left (or the number of hours and minutes, if less than 24 hours)  The DHCP client ID (usually the same as the hardware address)  The computer name  The hardware address To view the DHCP client list: 1 Open Server Admin and connect to the server. 2 Click the triangle to the left of the server. The list of services appears. 3 From the expanded Servers list, select DHCP. 4 Click Clients. To sort the list by different criteria, click a column heading. Common Network Configurations That Use DHCP The following section contains example DHCP configurations for different network uses. These include a workgroup configuration, a student lab configuration, and a coffee shop configuration. When you set up a private network, you choose IP addresses from the blocks of IP addresses reserved by the Internet Assigned Numbers Authority (IANA) for private intranets:  10.0.0.0­10.255.255.255 (10/8 prefix)  172.16.0.0­172.31.255.255 (172.16/12 prefix)  192.168.0.0­192.168.255.255 (192.168/16 prefix) Using DHCP to Provide IP Addresses Behind a NAT Gateway You use DHCP to provide IP addresses to computers behind a Network Address Translation (NAT) gateway. Although not strictly necessary (because NAT can be used with static IP addresses instead of DHCP), this enables easy configuration of computers. For more information, see "Linking a LAN to the Internet Through One IP Address" on page 118. Workgroup Configuration Imagine you have a small workgroup with its own DHCP address group. You can have an IP-connected printer, a file server, and an Open Directory server (on or off the subnet) for user management purposes. 38 Chapter 2 Working with DHCP Service To use DHCP in this setting, you must already have:  A working, configured firewall that permits LDAP and printer (IP printing) connections. For more information, see Chapter 4, "Working with Firewall Service."  A working, configured Open Directory or LDAP server with users defined. For more information, see Open Directory Administration and User Management. For this example, configuring DHCP involves static IP address mapping and additional client network settings. You could configure it like this:  For a printer that must be given a static IP address, make sure the allocated DHCP address range does not include the truly static IP address of the printer. If the printer can be configured to accept an address using DHCP, don't worry about an overlap. For more information, see "Using Static IP Addresses" on page 27.  For a file server that must always be assigned the same address, use Mac OS X Server's static IP mapping to always assign the same IP address to its Ethernet address. For more information, see "Assigning Static IP Addresses Using DHCP" on page 35.  For DHCP configuration, set the LDAP options for DHCP clients. This automatically gives computers their needed directory information. For more information, see "Setting LDAP Options for a Subnet" on page 34.  For client configuration on Mac OS X client computers, make sure the IPv4 configuration method in the Network pane of System Preferences is set to DHCP. This configuration allows computers to be managed by an LDAP or Open Directory server, getting their network configuration information from DHCP. They can have access to truly static IP address or consistently assigned IP addresses on the same network. You also get centralized configuration for all computers. Student Lab Configuration The student lab configuration example is very much like the workgroup configuration example, but it adds NetBoot as an extra service that uses DHCP. Along with DHCP providing centralized networking configuration, NetBoot standardizes startup environments by having each computer start up from a disk image on a central NetBoot server. The configuration would be like the workgroup configuration example, with the following differences:  There might be static-address resources. This depends on the lab composition. You might have a class printer or file server, but if you use a mobile cart that moves from classroom to classroom, you won't take a server and printer to each class. Chapter 2 Working with DHCP Service 39  NetBoot must be enabled and configured, along with firewall settings to support it. Any client on the network can be set to start up from the NetBoot server. New computers can be deployed by setting the startup disk of the computer to the NetBoot image. No further configuration is necessary, and computers can be repurposed easily, because the hard disk can remain unchangeable. With this configuration, computers on the network can be managed with an LDAP or Open Directory server, getting their network configuration information from DHCP. The computing environment is also centrally configured for all computers. New computers can be added or swapped out with minimal effort. Coffee Shop Configuration The coffee shop configuration is an example configuration for a dynamic addressing environment, one that requires no user management and provided no services other than web access, DNS access, or other service. This example is characterized by lots of mobile users who pass through, use the Internet access, and move on. This configuration can easily be used in situations like a college-commons wireless network or a wired courtesy office for visiting consultants. WARNING: If you host temporary unauthenticated users, make sure sensitive information on your LAN is protected behind a firewall on another network. To use DHCP in this setting, you must have a working firewall configured for web access outbound traffic and DNS outbound lookups only. You might need to place this network outside your firewall and make sure the DHCP allocated IP addresses' network traffic is strictly controlled and monitored. For more information, see Chapter 4, "Working with Firewall Service." In this example, you might want to configure the DHCP service like this:  Make networking configuration automatic. Set DHCP clients to get network configuration through DHCP.  Don't set options that clients shouldn't have. Don't give DHCP clients more information about your organization than necessary using LDAP. You might want to configure Windows clients to have more network options. For more information, see "Setting WINS Options for a Subnet" on page 34.  Limit resource use. Having many users on a subnet can lead to a lot of bandwidth use, so reduce the number of DHCP clients that can be connected simultaneously by restricting the number of addresses to be allocated. For more information, see "Creating Subnets in DHCP Service" on page 29. 40 Chapter 2 Working with DHCP Service  Keep address turnover high. Make the lease times on addresses as short as practical. This way, as users come and go, the addresses can be quickly reallocated. For more information, see "Creating Subnets in DHCP Service" on page 29.  Monitor your traffic. Keep a close eye on DHCP connections and clients, firewall rule packet logging, or other monitoring tools. Open access points can be a liability if they are not guarded vigilantly. Configuring DHCP to Use an Extra LDAP Server URL The Server Admin application's DHCP module enables administrators to specify a single LDAP server URL for each subnet. If you want to specify multiple LDAP server URLs, you can edit the /etc/bootpd.plist file or use the serveradmin command-line tool (from a Terminal window). Editing the /etc/bootpd.plist file to add multiple LDAP server URLs After you create a subnet using Server Admin DHCP and specify a single LDAP server URL, you can inspect and modify the settings by editing the /etc/bootpd.plist file: 1 Open the /etc/bootpd.plist file in an editor. 2 Locate the tag in between the tag of the dhcp_ldap_url key. dhcp_ldap_url ldap://server.example.com/dc=server,dc=example,dc=com 3 Add another LDAP server URL by inserting a tag below the existing tag and entering your LDAP server URL between the open and closed tags. dhcp_ldap_url ldap://server.example.com/dc=server,dc=example,dc=com ldap://server2.example.com/dc=server2,dc=example,dc=com 4 Save the bootpd.plist file and exit your editor. 5 If DHCP is running, restart the DHCP service so it can pick up the revised configuration. Using the Terminal you would enter: $ sudo serveradmin stop DHCP $ sudo serveradmin start DHCP Using serveradmin to multiple LDAP server URLs After you create a subnet using Server Admin DHCP and specify a single LDAP server URL, you can inspect and modify the settings using serveradmin. Do the following. 1 Inspect all DHCP subnet settings in the Terminal by entering: $ sudo serveradmin settings dhcp:subnets Example result (excerpt): Chapter 2 Working with DHCP Service 41 ... dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C14D96F317447:dhcp_ldap_url:_array_index:0 = "http://ldapxxx:123/ basename1" ... 2 Prepare a file with the serveradmin commands to add a second LDAP Server URL. Because the individual elements of the dhcp_ldap_url array are not individually accessible, you cannot use the serveradmin create/delete idiom. Example file contents: dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C14D96F317447:dhcp_ldap_url:_array_index:0 = "http://ldapxxx:123/ basename1" dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C14D96F317447:dhcp_ldap_url:_array_index:1 = "http://ldapyyy:234/ basename2" Note: The array indexes start with 0. The old URL entry must be present even though you are just adding a second one. The entries must be in order. 3 Use the serveradmin tool to apply the settings from the file by entering: $ sudo serveradmin settings < filename Example result (the settings are confirmed): dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C14D96F317447:dhcp_ldap_url:_array_index:0 = "http://ldapxxx:123/ basename1" dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C14D96F317447:dhcp_ldap_url:_array_index:1 = "http://ldapyyy:234/ basename2" 4 If DHCP is running, restart the DHCP service so it can pick up the revised configuration by entering: $ sudo serveradmin stop DHCP $ sudo serveradmin start DHCP DHCP Service for Mac OS X Clients Using DHCP with a Manual Address The DHCP section of Server Admin permits each subnet address range to be enabled or disabled. When the subnet is enabled, the DHCP server allocates addresses in its range and dispenses other network information to clients that are configured as "Using DHCP." When the subnet is disabled, the DHCP server does not allocate addresses from the subnet address range pool, but it does dispense other network information (such as DNS and LDAP server addresses) to clients that are configured as "Using DHCP with manual address" (static maps), as long as the client address is in the subnet range. 42 Chapter 2 Working with DHCP Service Enabling and disabling the subnet disables automatic address allocation for the address range, and not DHCP server responses to clients whose address is in the subnet range. Where to Find More Information Request for Comments (RFC) documents provide an overview of a protocol or service and explain how the protocol should behave. If you're a novice server administrator, you'll probably find the background information in an RFC helpful. If you're an experienced server administrator, you can find technical details about a protocol in its RFC document. You can search for RFC documents by number at www.ietf.org/rfc.html. For details about DHCP, see RFC 2131. For more information about advanced configuration options, see the bootpd man page. Chapter 2 Working with DHCP Service 43 44 Chapter 2 Working with DHCP Service 3 Working with DNS Service 3 This chapter describes how to set up, secure, and manage DNS service on your network. When your clients want to connect to a network resource such as a web or file server, they typically request it by its domain name (such as www.example.com) rather than by its IP address (such as 192.168.12.12). The Domain Name System (DNS) is a distributed database that maps IP addresses to domain names so your clients can find the resources by name rather than by numerical address. A DNS server keeps a list of domain names and the IP addresses associated with each name. When a computer needs to find the IP address for a name, it sends a message to the DNS server, which is also known as a name server. The name server looks up the IP address and sends it back to the computer. If the name server doesn't have the IP address locally, it sends messages to other name servers on the Internet until the IP address is found. Setting up and maintaining a DNS server is a complex process. Therefore, many administrators rely on their Internet Service Provider (ISP) for DNS services. In this case, you only need to configure your network preferences with the IP address of the name server, which is provided by your ISP. If you don't have an ISP to handle DNS requests for your network and any of the following are true, you must set up your own DNS service:  You can't use DNS from your ISP or other source.  You plan on making frequent changes to the name space and want to maintain it yourself.  You have a mail server on your network and you have difficulties coordinating with the ISP that maintains your domain.  You have security concerns because your network's computer names and addresses are accessible to an outside organization (your ISP). 45 Mac OS X Server uses Berkeley Internet Name Domain (BIND) v9.4.1 for its implementation of DNS protocols. BIND is an open source implementation and is used by most name servers on the Internet. About DNS Zones Zones are the basic organizational unit of DNS. Zones contain records and are defined by how they acquire those records and how they respond to DNS requests. There are three basic zones:  Primary  Secondary  Forward There are also several other kinds of zones not covered here. Primary Zones A primary zone has the master copy of the zone's records and provides authoritative answers to lookup requests. Secondary Zones A secondary zone is a copy of a primary zone and is stored on a secondary name server. It has the following characteristics:  Each secondary zone has a list of primary servers that it contacts for updates to records in the primary zone. Secondaries must be configured to request the copy of the primary zone data.  Secondary zones use zone transfers to get copies of the primary zone data.  Secondary name servers can take lookup requests like primary servers. By using several secondary zones linked to one primary, you can distribute DNS query loads across several computers and make sure that lookup requests are answered if the primary name server is down. Secondary zones also have a refresh interval. This interval determines how often the secondary zone checks for changes from the primary zone. You can change the zone refresh interval by using BIND's configuration file. For more information, see the BIND documentation. Forward Zones A forward zone directs lookup requests for that zone to other DNS servers. Forward zones don't do zone transfers. 46 Chapter 3 Working with DNS Service Often, forward zone servers are used to provide DNS services to a private network behind a firewall. In this case, the DNS server must have access to the Internet and a DNS server outside the firewall. Forward zones also cache responses to queries they pass on. This can improve the performance of lookups by clients that use the forward zone. Server Admin does not support creation or modification of a forward zone. To create a forward zone, you must configure BIND manually at the command line. For details, see the BIND documentation. About DNS Machine Records Each zone contains a number of records. These records are requested when a computer translates a domain name (like www.example.com) to an IP number. Web browsers, mail clients, and other network applications rely on zone records to contact the correct server. Primary zone records are queried by others across the Internet so they can connect to your network services. There are several kinds of DNS records available for configuration by Server Admin:  Address (A): Stores the IP address associated with a domain name.  Canonical Name (CNAME): Stores an alias in connection with the real name of a server. For example, mail.apple.com might be an alias for a computer with a real canonical name of MailSrv473.apple.com.  Mail Exchanger (MX): Stores the domain name of the computer used for mail in a zone.  Name Server (NS): Stores the authoritative name server for a zone.  Pointer (PTR): Stores the domain name of an IP address (reverse lookup).  Text (TXT): Stores a text string as a response to a DNS query.  Service (SRV): Stores information about the services a computer provides.  Hardware Info (HINFO): Stores information about a computer's hardware and software. Mac OS X Server simplifies the creation of these records by focusing on the computer being added to the zone rather than the records themselves. When you add a computer record to a zone, Mac OS X Server creates the zone records that resolve to a computer address. With this model, you can focus on what your computers do in your domain, rather than which record types apply to its functions. If you need access to other kinds of records, you must edit the BIND configuration files manually. For details, see the BIND documentation. Chapter 3 Working with DNS Service 47 About Bonjour With Bonjour, you can share nearly anything, including files, media, printers, and other devices, in innovative and easier ways. It simplifies traditional network-based activities like file sharing and printing by providing dynamic discoverability of file servers and Bonjour-enabled network printers. Bonjour begins by simplifying the otherwise complex process of configuring devices for a network. To communicate with other devices using IP, a device needs special information like an IP address, a subnet mask, DNS addresses, a DNS name, and preconfigured search paths. Understanding these cryptic details and performing the subsequent configuration can be daunting for the average user. When a new computer or device is added to a network by means of autoconfiguration, like a DHCP server, Bonjour configures the device using a technique called link-local addressing. (If a DHCP server is available, Bonjour uses the assigned IP address.) With link-local addressing, the computer randomly selects an IP address from a predefined range of addresses set aside by the Internet Assigned Numbers Authority (IANA) for link-local addressing and assigns that address to itself. Addresses are in the range 169.254.xxx.xxx. The device then sends a message over the network to determine whether another device is using the address. If the address is in use, the device randomly selects addresses until it finds one that is available. When the device has assigned itself an IP address, it can send and receive IP traffic on the network. Before You Set Up DNS Service This section contains information to consider before setting up DNS on your network. Because the issues involved with DNS administration are complex and numerous, do not set up DNS service on your network unless you're an experienced DNS administrator. A good source of information about DNS is DNS and BIND, 5th edition, by Paul Albitz and Cricket Liu (O'Reilly and Associates, 2006). Note: Apple can help you locate a network consultant to implement DNS service. You can contact Apple Professional Services and Apple Consultants Network on the web at www.apple.com/services or consultants.apple.com. Consider creating a mail alias, such as "hostmaster," that receives mail and delivers it to the person that runs the DNS server at your site. This permits users and other DNS administrators to contact you regarding DNS problems. 48 Chapter 3 Working with DNS Service You should set up at least one primary and one secondary name server. That way, if the primary name server shuts down, the secondary name server can continue to provide service. A secondary server gets its information from the primary server by periodically copying all domain information from the primary server. After a name server is provided with the name/address pair of a host in another domain (outside the domain it serves), the information is cached, ensuring that IP addresses for recently resolved names are stored for later use. DNS information is usually cached on your name server for a set time, referred to as a time-to-live (TTL) value. When the TTL value for a domain name/IP address pair has expired, the entry is deleted from the name server's cache and your server requests the information as needed. Setting Up DNS Service for the First Time If you're using an external DNS name server and you entered its IP address in the Gateway Setup Assistant, you don't need to do anything else. If you're setting up your own DNS server, follow the steps in this section. Step 1: Register your domain name Domain name registration is managed by IANA. IANA registration makes sure that domain names are unique across the Internet. (For more information, see www.iana.org.) If you don't register your domain name, your network can't communicate over the Internet. After you register a domain name, you can create subdomains as long as you set up a DNS server on your network to track the subdomain names and IP addresses. For example, if you register the domain name example.com, you could create subdomains such as host1.example.com, mail.example.com, or www.example.com. A server in a subdomain could be named primary.www.example.com or backup.www.example.com. The DNS server for example.com tracks information for its subdomains, such as host (computer) names, static IP addresses, aliases, and mail exchangers. If your ISP handles your DNS service, you must inform them of changes you make to your domain name, including added subdomains. The range of IP addresses used with a domain must be clearly defined before setup. These addresses are used exclusively for one specific domain, never by another domain or subdomain. Coordinate the range of addresses with your network administrator or ISP. Chapter 3 Working with DNS Service 49 Step 2: Learn and plan If you're new to DNS, learn and understand DNS concepts, tools, and features of Mac OS X Server and BIND. See "Where to Find More Information" on page 75. When you're ready, plan your DNS Service. Consider the following questions:  Do you need a local DNS server? Does your ISP provide DNS service? Can you use multicast DNS names instead?  How many servers do you need? How many additional servers do you need for backup DNS purposes? For example, should you designate a second or third computer for DNS service backup?  What is your security strategy to deal with unauthorized use?  How often should you schedule periodic inspections or tests of DNS records to verify data integrity?  How many services or devices (such as intranet websites or network printers) need a name? There are two ways to configure DNS service on Mac OS X Server:  Use Server Admin. This is the recommended method. For instructions, see "Setting Up DNS Service" on page 52.  Edit the BIND configuration file. BIND is the set of programs used by Mac OS X Server that implements DNS. One of those programs is the name daemon, or named. To set up and configure BIND, you must change the configuration file and the zone file. The configuration file is /etc/named.conf. The zone file name is based on the name of the zone. For example, the zone file example.com is /var/named/example.com.zone. If you edit named.conf to configure BIND, don't change the inet settings of the controls statement. Otherwise, Server Admin can't retrieve status information for DNS. The inet settings should look like this controls { inet 127.0.0.1 port 54 allow {any;} keys { "rndc-key"; }; }; Important: In Mac OS X Server v0.5, the configuration and zone files used by Server Admin have changed. If you edit the named.conf and any zone files manually from Terminal, the information is used by DNS. However, the information does not appear in the DNS zones pane of Server Admin. Also, changes made in Server Admin are not made to the named.conf file. Step 3: Turn DNS service on Before configuring DNS service, turn on DNS. See "Turning DNS Service On" on page 51. 50 Chapter 3 Working with DNS Service