Mac OS X Server - Preparing Your Network and Internet Connection

Preparing Your Network and Internet Connection

Before installing and setting up Snow Leopard Server for the first time, you need to
get DNS and DHCP services ready for your server. If you’re setting up an independent
server for a small organization, you’ll also want to protect it against malicious attacks
from the Internet.

Setting Up DNS for Your Server

To allow users to access your server by using its name, the domain name system (DNS)
servers for your local network need to be configured to resolve your server’s DNS name
to its IP address. Some services provided by your server also require that DNS servers
be configured to resolve your server’s IP address to its primary DNS name.

Chapter 2

Getting Ready for Mac OS X Server

Conditions that affect DNS setup

If users will only access your server from your local network
Your server can provide DNS service for your local network (IP subnet). This local DNS service is
configured automatically during initial server setup if no existing DNS service can be found for
your server. The local DNS service has an entry for the DNS name and IP address you specify for
your server during initial setup.
In order for your clients to use the local DNS service that your server provides, you may need to
configure this local DNS service and your DHCP server (usually your network router) after you
finish initial server setup. If this applies to you, you’ll find more information in the Mac OS X Server
Next Steps document that’s generated and placed on the server’s desktop after initial setup.
If your server’s local DNS service is all you need, you can skip to the next topic, “Setting Up DHCP
for Your Server” on page 35.

If you don’t have a domain name like example.com
You need a registered Internet domain like example.com if you want to allow Internet users to
access services by name. You can purchase one through your ISP or from a public registrar of
domain names. Ask the registrar to configure the domain to point to your server’s IP address.
For information about domain name registrars, search the web.

If your server doesn’t have a registered DNS name like myserver.example.com
Work with your ISP, the IT department in your organization, or the public registrar where you
obtained your domain to assign your server a meaningful DNS name. The server’s DNS name is
the basis for the addresses of all services that users get from the server, including email, iChat, iCal,
address book, wiki, file sharing, blog, webmail, and VPN.

If you’re setting up a server for a small organization
Ask your ISP or the public registrar for your domain to add a DNS entry for your server’s DNS
name that resolves to your server’s public IP address. Also ask for a reverse lookup entry that
resolves the public IP address to the DNS name. Your ISP provides a public IP address as part of
your Internet service.
For Internet users to be able to use your domain name to get services from your server, your
domain name must always point to your server. You can ensure this by obtaining a static (fixed)
public IP address for your server. If your ISP hasn’t provided a static IP address, you can usually
upgrade to one for a fee. If you don’t have a static IP address, then your server’s IP address may
change, and Internet users may no longer be able to reach your server by name.

If you’re setting up a server for a department or workgroup in a larger organization
Ask your IT department or DNS server administrator for a static (fixed) IP address for your server.
Ask them to add a DNS entry for your server’s DNS name that resolves to your server’s public IP
address, and also ask for a reverse lookup entry that resolves the public IP address to the DNS
name. If your organization doesn’t have its own DNS servers, add these entries through your ISP or
with the public registrar for your domain.

If your server will provide mail or web services
If your server will provide mail service or web services, you can provide easier access to
them by requesting DNS entries for names like mail.example.com and www.example.com.
If your server will provide mail service, request an MX (mail exchanger) entry for your server.
An MX entry (or record) allows users to have an email address like mchen@example.com.
Without an MX entry, email addresses must include your server’s full DNS name (for example,
mchen@myserver.example.com).

If mobile users will access some services from the Internet
Your server’s DNS name needs to be the same on your local network and on the Internet if you
want to allow mobile users to access some services without using VPN. You need to obtain a
registered Internet DNS name for your server as described above.

• If you don’t have a DNS server for your network, Mac OS X Server will provide a minimal DNS
  service for your local network. This DNS service is set up automatically for the DNS name you
  enter and the private IP address you specify during server setup.
• If your organization has a DNS server for your local network, ask your IT department or DNS server
  administrator to add an entry that resolves your server’s DNS name to your server’s IP address
  on the local network, and also ask for a reverse lookup entry that resolves the IP address to the
  DNS name.

Private IP addresses begin with 192.168., 10., or 172.16. through 172.31.254. For example, 192.168.1.12,
10.0.1.12, and 172.16.1.12 are private IP addresses.
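
The forward and reverse entries requested in this section can be checked for agreement once they exist. The following check is an added example, not part of Apple's documentation; the record tables and the second address 192.168.1.13 are constructed sample data, and the default lookups use the operating system's resolver.

```python
import socket

# Constructed sample records (not from the manual), standing in for what the
# DNS administrator entered: forward (name -> IP) and reverse (IP -> name).
FORWARD = {
    "myserver.example.com": "192.168.1.12",
    "mail.example.com": "192.168.1.12",
    "www.example.com": "192.168.1.13",      # entered against the wrong host
}
REVERSE = {"192.168.1.12": "myserver.example.com"}

def system_forward(name):
    """Forward lookup through the operating system's resolver."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def system_reverse(ip):
    """Reverse lookup through the operating system's resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def check_server_dns(primary, aliases=(), forward=system_forward, reverse=system_reverse):
    """Return a list of problems; an empty list means the entries agree."""
    ip = forward(primary)
    if ip is None:
        return [f"{primary}: no forward (name -> IP) entry"]
    problems = []
    name = reverse(ip)
    if name is None:
        problems.append(f"{ip}: no reverse (IP -> name) entry")
    elif name.rstrip(".").lower() != primary.lower():
        problems.append(f"{ip}: reverse entry names {name}, not {primary}")
    for alias in aliases:
        alias_ip = forward(alias)
        if alias_ip is None:
            problems.append(f"{alias}: no forward entry")
        elif alias_ip != ip:
            problems.append(f"{alias}: resolves to {alias_ip}, server is {ip}")
    return problems

if __name__ == "__main__":
    for line in check_server_dns("myserver.example.com",
                                 ["mail.example.com", "www.example.com"],
                                 FORWARD.get, REVERSE.get):
        print(line)
```

Called with only the server's name and aliases, the function queries the DNS servers the computer is configured to use, so it can be run from a client on the local network and again from an outside connection.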

Setting Up DHCP for Your Server

Most users’ computers are configured by default to get network addresses from a DHCP
server on the local network. The DHCP server for your network needs to be configured
to provide network addresses, including an IP address for each computer, the IP
address of the router or gateway for your network, and IP addresses of one or two
DNS servers for your network. If your DHCP server needs any configuration changes,
you’ll find information about them in the Mac OS X Server Next Steps document that’s
generated and placed on the server’s desktop after initial setup.

Protecting a Small Network

If you have an AirPort Extreme Base Station (802.11n), a Time Capsule, a cable router,
a DSL router, another network router, or a gateway that shares an Internet connection
among computers on your local network, that device isolates your local network
from the Internet. These Internet-sharing devices protect your local network against
malicious attacks from the Internet by blocking communications that originate outside
the local network. Computers on the Internet can’t access your server unless you
configure your AirPort Extreme Base Station, Time Capsule, router, or gateway to allow
access to specific services.

Note: You can allow users with accounts on your server to get secure remote access to
all its services via the Internet. After finishing initial server setup, use Server Preferences
to turn on VPN service. For more information, see “Managing VPN Service” on page 145.

Protecting Your Network with AirPort Extreme

If you have an AirPort Extreme Base Station (802.11n) or a Time Capsule, Mac OS X
Server can automatically manage it to protect your local network while allowing access
to selected services from the Internet. After initial setup, you can use Server Preferences
to specify individual services that you want to be accessible from outside your local
network. Mac OS X Server will configure your AirPort Extreme Base Station or Time
Capsule to allow incoming requests for those services to pass to your server.

Your AirPort Extreme Base Station or Time Capsule must have its Connection Sharing
option set to “Share a public IP address” (that is, an Internet connection) in order for
Mac OS X Server to manage it. In addition, the advanced option IPv6 Mode must be set
to Tunnel.

You should also make sure the AirPort Extreme Base Station or Time Capsule has a
secure password instead of the default password, which is public. You’ll need to know
the base station or Time Capsule password—not the wireless network password—to
turn on automatic AirPort management.

Protecting Your Network with a Router

If you have a cable router, DSL router, or other network router configured as a NAT
device, you can manually configure it to protect your local network while allowing
access to selected services from the Internet. You configure your router to forward
requests for individual services to your server. This process is called port forwarding or
port mapping, because each service communicates through an abstract, numbered
communication port. These ports are not physical like the Ethernet port on your
computer.

You can manually configure port mapping on most Internet routers by using their
configuration software. Usually the configuration software consists of several
webpages. Using a web browser on any computer connected to your local network,
you go to the webpage with settings for port mapping or port forwarding. In some
cases, you can select standard services such as web or VPN and specify that each be
mapped to your server’s IP address. In other cases, you must enter port numbers for
services and enter your server’s IP address for each one.

For a list of services and the corresponding ports for which you might want to set up
port mapping or forwarding, see “Services and Ports” on page 175.

Protecting Your Network by Making Your Server a Gateway

If you don’t have an AirPort Base Station or other router, but your server has two
Ethernet ports, you can make the server a gateway to share an Internet connection
with other computers on your local network. The server’s Ethernet ports must be
configured as follows before you begin initial Mac OS X Server setup:

• One Ethernet port must have a public IP address on the Internet (not a private IP
  address like 10.0.0.1 or 192.168.1.1). This port is connected to your DSL modem, cable
  modem, or other Internet source. Usually, you use the server’s first built-in Ethernet
  port for this.
• Another Ethernet port must be connected to a functional network switch or hub in
  your local private network. This Ethernet port must be unconfigured, have a manual
  IP address, or have a self-assigned IP address beginning with 169.254.
  If this port has an IP address assigned by a DHCP server, you won’t be able to make
  the server a gateway during initial Mac OS X Server setup. This is because, as a
  gateway, the server would provide DHCP service that might conflict with an existing
  DHCP server on the same network.
  Other computers connected to this local network will share the server’s Internet
  connection.

For Internet users to be able to use your domain name to get services from your server,
your domain name must always point to your server. You can ensure this by obtaining
a static (fixed) IP address for your server. If your ISP hasn’t provided a static IP address,
you can usually upgrade to one for a fee. If you don’t have a static IP address, then your
server’s IP address may change, and Internet users may no longer be able to reach your
server by name.

Setting up your server as a gateway does the following:

• Assigns the Ethernet port connected to the local network the private IP address
  192.168.1.1.
• Turns on DHCP service and configures it to provide IP addresses 192.168.1.100
  through 192.168.1.199 to computers on the local network. DHCP service assigns these
  addresses to computers whose Ethernet ports are configured with the “Using DHCP”
  option.
  You can also give users addresses 192.168.1.2 through 192.168.1.99, to use to configure
  their Ethernet ports with the “Using DHCP with manual address” option. Addresses
  192.168.1.200 through 192.168.1.220 are reserved for your server’s VPN service.
• Sets up NAT service to share the server’s Internet connection with computers on the
  local network.
• Sets up the server’s firewall to block incoming connections that originate from
  computers on the Internet. The firewall allows outgoing connections from computers
  on the local network. It also allows incoming connections that are responding to the
  local computers’ outgoing connections. After setup, you can use the Security pane
  of Server Preferences to allow incoming requests through the firewall for specific
  services.
• Sets up DNS service for the local network, and configures it to cache DNS name
  lookups to improve performance for local network computers.
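
The behaviour described in “Protecting Your Network with a Router” and in the gateway list above can be followed in a simplified model. This is an added illustration, not Apple's implementation: the class, the remote addresses in the 198.51.100.0/24 documentation range, and the starting public port are assumptions.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")  # the gateway's private subnet, per the manual

class NatGateway:
    """Toy NAT device: blocks unsolicited inbound traffic, honours port mappings."""

    def __init__(self, port_map=None):
        # Port forwarding rules: {(proto, public_port): (server_ip, server_port)}
        self.port_map = dict(port_map or {})
        # Connections opened from the LAN:
        # (proto, public_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.nat = {}
        self.next_port = 49152  # assumed start of the ports used for translation

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port):
        """A local computer opens a connection; returns the public source port."""
        if ipaddress.ip_address(lan_ip) not in LAN:
            raise ValueError("source is not on the local network")
        public_port = self.next_port
        self.next_port += 1
        self.nat[(proto, public_port)] = (lan_ip, lan_port, remote_ip, remote_port)
        return public_port

    def inbound(self, proto, remote_ip, remote_port, public_port):
        """A packet arrives from the Internet; returns (verdict, delivered_to)."""
        entry = self.nat.get((proto, public_port))
        if entry and entry[2:] == (remote_ip, remote_port):
            return "allow-reply", entry[:2]      # response to an outgoing connection
        if (proto, public_port) in self.port_map:
            return "allow-mapped", self.port_map[(proto, public_port)]
        return "block", None                     # unsolicited, no mapping for this port

if __name__ == "__main__":
    # Constructed scenario: only HTTPS is mapped to the server at 192.168.1.12.
    gw = NatGateway({("tcp", 443): ("192.168.1.12", 443)})
    port = gw.outbound("tcp", "192.168.1.100", 51000, "198.51.100.7", 80)
    print(gw.inbound("tcp", "198.51.100.7", 80, port))      # reply is delivered
    print(gw.inbound("tcp", "198.51.100.99", 40000, 443))   # mapped service
    print(gw.inbound("tcp", "198.51.100.99", 40000, 22))    # blocked
```

Each entry in `port_map` is a service reachable from the Internet, so the table doubles as the list to review when checking what the router exposes.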