Apple Developer Connection

Using Xserve for a Small Business LAN

An Xserve running Mac OS X Server is ideal for all the many jobs that hosting a small business network requires. It can manage networking and users for a local area network of dozens of nodes; connect them all to the Internet via Network Address Translation (NAT); provide firewall security for them; and host file and print services for every node on the network. It can provide incoming and outgoing email service for the company domain, including spam filtering and mailing-list management. The company Web site can live on the Xserve, along with FTP service. It can provide a secure Virtual Private Network (VPN) connection to another remote LAN; accept incoming dial-up connections; automate backups of network data; and much more.

This is the first in a suite of articles on using Xserve for a small business local area network (LAN); here, we take a high-level look at the capabilities of the Xserve and Mac OS X Server, in the context of a hypothetical LAN. Over time, additional articles will be added to fill in the details on using Xserve on a small business LAN for these functions.

Topology and Connections

The Xserve can manage a network of several dozen or more workstations (desktops and laptops) running Mac OS X, Mac OS 9, Windows 98, Windows 2000, and Windows XP, among other operating systems. The easiest setup is for nodes to be connected in a basic star topology, with the nodes all hooked (via CAT5 Ethernet cable) to a central switch, which also connects to the Xserve. There is no real reason to interconnect the workstations to each other.

The Xserve acts as a DHCP server. This function can be turned on, configured, and monitored using the Server Settings utility. Whenever a machine boots up and connects to the network, the Xserve assigns it a "lease" — a temporary IP address in a specified range. Other IP addresses in the namespace can be set aside for other purposes, and never assigned.

The client workstations must be configured to receive these assignments. In OS X's Network Preferences, "Get IP Address Using DHCP" should be selected. On the Windows machines, in the Network control panel, the TCP/IP Properties settings need to show "Obtain an IP address automatically". In Mac OS 9, the TCP/IP Control Panel should be set to "Configure Using DHCP Server". Details of DHCP configuration are given in the "DHCP Service" chapter of the Mac OS X Server Administrator's Guide.

NAT

In order to provide Internet connectivity to the workstation nodes, Network Address Translation can be provided by running natd on the Xserve. When a node sends packets to the outside world, natd translates the source IP address, so that the packets appear to be coming from the Xserve itself, rather than the internal machines. When a response is returned, the translation is reversed, and the packets are routed to the originating machine. The process is completely invisible to the two machines on either end of the connection.

In order to implement this, the Xserve must have (at least) two network cards: one card that plugs into the switch connecting it to the rest of the LAN, and the other card connected to the external Internet connection. The external connection can be a DSL line, a cable modem connection, or a faster leased line. For certain types of connections (Point-to-Point Protocol over Ethernet, for example) special client software may be required to run on the Xserve to manage the connection.
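To make the source rewriting and its reversal concrete, here is an added toy model of the translation natd performs on a dual-homed Xserve (example code, not from the article or from natd itself). The LAN range 192.168.1.0/24, the external address 203.0.113.10 and the port range are assumptions, and the model is stricter than a real natd in one respect: it only passes replies from the host the flow was opened to, which is enough to show why unsolicited inbound packets are dropped.

```python
# Added example, not from the original article: a toy model of the translation
# natd performs on a dual-homed Xserve. The LAN range 192.168.1.0/24 and the
# external address 203.0.113.10 are assumptions. This model is stricter than a
# real natd: it only passes replies from the host the flow was opened to.
from dataclasses import dataclass, field

EXTERNAL_IP = "203.0.113.10"   # assumed address of the card facing the Internet


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Natd:
    next_port: int = 40000                          # first external port to hand out
    by_flow: dict = field(default_factory=dict)     # (src, sport, dst, dport) -> ext_port
    by_port: dict = field(default_factory=dict)     # ext_port -> (src, sport, dst, dport)

    def outbound(self, p: Packet) -> Packet:
        """Rewrite the source so the outside world sees only the Xserve."""
        flow = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        ext_port = self.by_flow.get(flow)
        if ext_port is None:                        # first packet of this flow: allocate a mapping
            ext_port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = ext_port
            self.by_port[ext_port] = flow
        return Packet(EXTERNAL_IP, ext_port, p.dst_ip, p.dst_port)

    def inbound(self, p: Packet):
        """Undo the rewrite for a reply; return None (drop) when no flow matches."""
        flow = self.by_port.get(p.dst_port)
        if p.dst_ip != EXTERNAL_IP or flow is None:
            return None
        int_ip, int_port, remote_ip, remote_port = flow
        if (p.src_ip, p.src_port) != (remote_ip, remote_port):
            return None                             # not a reply to the flow that opened this port
        return Packet(p.src_ip, p.src_port, int_ip, int_port)
```

A real natd also ages mappings out and handles protocols that embed addresses in their payload (FTP, for instance); neither is modelled here.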

VPN

The Virtual Private Networking capabilities of Mac OS X Server can be used to connect two remote LANs to each other securely. It is designed for situations in which a private line would be ideal, but geography and cost make that impossible, so sensitive data must be transmitted across public infrastructure. Unsecured transmission across a standard Internet connection is not adequate. Mac OS X Server's built-in IPSec functionality can create a permanent Virtual Private Network (VPN) connection. IPSec encrypts both the content and the header of every packet exchanged between the two networks, and additionally verifies each packet's authenticity: that it came from where it purports to have come from. This adds an additional layer of security against attacks and snooping.

Expandability

The topology thus created is flexible and expandable. Workstations can be added and removed with very little configuration required, since addresses on the network are assigned automatically. Thanks to Workgroup Manager, users are not tied to a particular workstation—they can access their files and personalized desktop from anywhere on the network.

When specialized needs are encountered—for example, if a dedicated machine of some type is needed for some particular function, like running a server on a non-Apple platform; or using a separate machine as a high-traffic Web server—such machines can be added to the network simply and easily, with no need to reconfigure the basic topology.

Additionally, wireless networking can be set up by running an AirPort base station in Ethernet bridging mode, so that the Xserve provides the DHCP information to the clients, rather than the base station's built-in DHCP server.

Good Practices

The most crucial part of running a network comes after everything's set up: maintenance. This includes monitoring all the systems involved, running backups, keeping on top of security and software updates, and more. Mac OS X Server and the Xserve simplify these tasks in numerous ways.

Backing Up

As any network administrator knows, running regular comprehensive backups is a crucial component of good administration practices. Xserve provides numerous options for backing up data. Automated scripts, written in AppleScript or Bourne shell, can run a timed backup every day (or more frequently if desired), dumping valuable data to tape, hard drive, RAID storage, or other media. Third-party solutions are available as well, such as the BRU system.

Because backing up is a resource-hungry process, it's best to schedule it at a time when server load is low. Differential backup methods, which back up only the data that has changed since the last backup, are less comprehensive but quicker than full backups. Another advantage of differential backups is that the more often they are done, the less time each one takes (because there is less new data to back up). The type of backup procedure chosen should depend on patterns of data access.

Logging

Every service that runs on a server outputs logging data, either by default or as an option. The system directory /var/log is the standard location for log files:

[X:/var/log] paul# ls

alias.log                    mail.log.0.gz
cups                         mail.log.1.gz
daily.out                    mail.log.2.gz
diskspacemonitor.log         mail.log.3.gz
ftp.log                      mail.log.4.gz
ftp.log.0.gz                 monthly.out
ftp.log.1.gz                 netinfo.log
ftp.log.2.gz                 netinfo.log.0.gz
ftp.log.3.gz                 netinfo.log.1.gz
ftp.log.4.gz                 netinfo.log.2.gz
httpd                        netinfo.log.3.gz
hwmond.log                   netinfo.log.4.gz
hwmond.log.0.gz              ppp
hwmond.log.1.gz              samba
hwmond.log.2.gz              secure.log
hwmond.log.3.gz              servermgrd
hwmond.log.4.gz              statistics
icnotifications.log          system.log
lastlog                      system.log.0.gz
lookupd.log                  system.log.1.gz
lookupd.log.0.gz             system.log.2.gz
lookupd.log.1.gz             system.log.3.gz
lookupd.log.2.gz             system.log.4.gz
lookupd.log.3.gz             system.log.5.gz
lookupd.log.4.gz             system.log.6.gz
lpr.log                      system.log.7.gz
lpr.log.0.gz                 webobjects.log
lpr.log.1.gz                 webobjects.log.1
lpr.log.2.gz                 webperfcache
lpr.log.3.gz                 weekly.out
lpr.log.4.gz                 wtmp
mail.log                     wtmp.0.gz

The Web server outputs its log to /var/log/httpd/access_log; the mail server to /var/log/mail.log; and so forth. The files in the listing that end in ".gz" are compressed archives of older logs, created by the log rolling scripts discussed below. /var/log/system.log contains logging information for a lot of miscellaneous processes, such as cron, ipfw, and SSH, as well as general system information, such as boot-time messages, Ethernet connection status, and much more. These logs are a vital diagnostic and monitoring tool. They can be opened as text files, or viewed in real-time from the command line with the tail command:

tail -f /var/log/system.log

This provides a scrolling display of new log entries as they appear. Tail is very useful for monitoring critical processes on the server as they occur.
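Watching the log scroll by is only half the job; the same entries can be summarised per source so that repeated failures stand out. The following is an added example (not from the article) that parses sshd and ipfw entries of the kind system.log carries and counts failed logins and firewall denies by source address. The sample lines are constructed; the message formats follow the OpenSSH and ipfw syslog output of that era.

```python
# Added example, not from the original article: summarise failed SSH logins
# and ipfw denies per source address from system.log-style lines.
import re
from collections import defaultdict

# Constructed sample lines (not a real capture); addresses are documentation ranges.
SAMPLE_LOG = """\
Sep 30 10:01:12 xserve sshd[1234]: Failed password for root from 198.51.100.23 port 51234 ssh2
Sep 30 10:01:15 xserve sshd[1234]: Failed password for root from 198.51.100.23 port 51235 ssh2
Sep 30 10:01:20 xserve sshd[1240]: Accepted password for paul from 192.168.1.20 port 50122 ssh2
Sep 30 10:02:01 xserve ipfw: 65000 Deny TCP 198.51.100.23:4455 203.0.113.10:23 in via en1
Sep 30 10:02:01 xserve cron[88]: (root) CMD (/usr/sbin/periodic daily)
Sep 30 10:03:44 xserve sshd[1250]: Failed password for illegal user admin from 198.51.100.23 port 51240 ssh2
Sep 30 10:04:09 xserve ipfw: 65000 Deny UDP 198.51.100.77:1025 203.0.113.10:161 in via en1
""".splitlines()

SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:illegal user )?(\S+) from (\S+) port")
IPFW_DENY = re.compile(r"ipfw: \d+ Deny \w+ (\S+):\d+ (\S+):(\d+) in via")


def summarize(lines):
    """Per source IP: failed-login count, deny count, user names tried, ports probed."""
    stats = defaultdict(lambda: {"ssh_fail": 0, "ipfw_deny": 0, "users": set(), "ports": set()})
    for line in lines:
        m = SSH_FAIL.search(line)
        if m:
            user, src = m.groups()
            stats[src]["ssh_fail"] += 1
            stats[src]["users"].add(user)
            continue
        m = IPFW_DENY.search(line)
        if m:
            src, _dst, port = m.groups()
            stats[src]["ipfw_deny"] += 1
            stats[src]["ports"].add(int(port))
    return dict(stats)


def noisy_sources(lines, threshold=3):
    """Sources whose failed logins plus firewall denies reach the threshold."""
    return sorted(ip for ip, s in summarize(lines).items()
                  if s["ssh_fail"] + s["ipfw_deny"] >= threshold)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s)
    print("worth a look:", noisy_sources(SAMPLE_LOG))
```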

There are also some third-party GUI log-analysis tools available which show trends and patterns, although these tools are primarily designed for Web access logs. Webalizer is a popular free choice.

Mac OS X Server has three built-in scripts in /etc/periodic that "roll" log files—that is, when files reach a specified size, the relevant script compresses the file and archives it, and starts logging data to a new file, in order to keep logfile size manageable. The size thresholds can be set by modifying the configuration file:

/etc/diskspacemonitor/daily.server.conf
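The following added example (not one of the periodic scripts, and not from the article) shows the rolling mechanism in miniature: a size threshold, the .0.gz through .N.gz naming seen in the listing above, and truncation of the live file so a daemon holding it open keeps writing. The threshold, archive count and scratch directory are assumptions.

```python
# Added example, not from the original article: a size-threshold log roller
# producing system.log.0.gz ... system.log.N.gz names like those in /var/log.
import gzip
import os
import shutil
import tempfile


def roll_log(path, max_bytes, keep=5):
    """Roll `path` once it exceeds max_bytes: drop path.{keep-1}.gz, move every
    path.N.gz to path.{N+1}.gz, compress the live file into path.0.gz, then
    truncate it. Returns True if a roll happened."""
    if not os.path.isfile(path) or os.path.getsize(path) <= max_bytes:
        return False
    for n in range(keep - 1, -1, -1):           # shift oldest first so nothing is clobbered
        archive = f"{path}.{n}.gz"
        if not os.path.exists(archive):
            continue
        if n == keep - 1:
            os.remove(archive)
        else:
            os.replace(archive, f"{path}.{n + 1}.gz")
    with open(path, "rb") as live, gzip.open(f"{path}.0.gz", "wb") as out:
        shutil.copyfileobj(live, out)
    # Truncate instead of unlinking: a daemon holding the file open in append
    # mode keeps writing to the same inode, so no entries go to a stale handle.
    os.truncate(path, 0)
    return True


def demo(rolls=4, keep=3):
    """Push a scratch system.log past a 64-byte threshold `rolls` times and report
    which archives survive and what the newest archive holds (assumed values)."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "system.log")
    try:
        for i in range(rolls):
            with open(path, "a") as f:           # constructed entries, ~120 bytes per round
                f.write(f"Sep 30 10:0{i}:00 xserve sshd[100{i}]: Accepted password for paul\n" * 2)
            assert roll_log(path, 64, keep=keep)
        archives = sorted(n for n in os.listdir(tmp) if n.endswith(".gz"))
        with gzip.open(f"{path}.0.gz", "rt") as f:
            newest = f.read().splitlines()[0]
        return {"archives": archives, "newest_first_line": newest,
                "live_size": os.path.getsize(path)}
    finally:
        shutil.rmtree(tmp)
```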

Security

When running a server or servers that are exposed to the Internet, maintaining tight security is vital. There are numerous resources on the Web explaining the basics of good security. The Mac OS X Security page points you to documentation on further aspects of OS X security.

There are a number of excellent security features built in to OS X Server. The rules-based firewall software, ipfw, controls the machine's network ports, to filter incoming and outgoing connections. It can be configured from Server Settings, from third-party GUI tools such as BrickHouse, or, for more complex setups, from the command line.

Virtual Private Networking, as detailed above, is possible with the built-in IPSec software.

For secure Web communications, such as credit card transactions, and for other procedures that require encryption of data—secure email, telnet, and other services—Mac OS X Server provides support for the Secure Sockets Layer protocol, or SSL.

Administration

Using an Xserve to administer a LAN provides access to a host of useful administrative tools and techniques. And while it hosts a LAN, the Xserve can simultaneously fulfill many other server functions necessary to a small business.

Adding and Managing Users

Workgroup Manager makes it easy to create and delete users, set their access permissions and characteristics, configure groups for resource sharing, and manage users' personal settings, independent of where they log in.

To create the default configuration for new users, including the contents of their home directories, Preferences settings, and more, a template can be created in the Macintosh Manager tool. Create and save a template in the Imported Users list under the Users tab. The default template is stored in the directory /System/Library/User Template.

User data, such as aliases, group membership, passwords, and so forth must be managed using the NetInfo Manager application. The niload command provides command-line access to the same NetInfo data.

The ways in which OS X Server makes client management easy are discussed extensively in the "Client Management" sections of the Mac OS X Administrator's Guide.

Server Functions

Using a constellation of protocols to ensure compatibility with multiple client operating systems, Xserve can facilitate the sharing of files around the local network, as well as offer file services to external clients. OS X Server includes server software for Apple Filing Protocol (AFP), to share with Macintosh clients; Samba/SMB (Server Message Block) shares for Windows clients; Network File System (NFS) for Unix compatibility; and FTP (File Transfer Protocol) for general use. These file services can be configured and controlled from the Server Settings tool.

The Xserve can also provide print services for networked workstations. With one or more printers attached to the network, any of the workstations can use them. The print services software also allows for fine-grained control over print quotas, authorization, queuing, and other management tasks.

Mac OS X Server can also function as a database server. It comes with MySQL, and is compatible with numerous other database platforms, such as PostgreSQL, as introduced in the article PostgreSQL on Mac OS X. An Xserve running a database server can provide data to all sorts of applications that require a database backend, including dynamically driven Web sites, customer relationship management tools, and much more. These applications can run either on the Xserve or on separate machines.

Apple's Open Directory is a standards-based LDAP directory access and server architecture for hosting and integrating with LDAP directories (which implement RFC 2307). It is intercompatible with the LDAP standard and with Microsoft's Active Directory, and is ideal for providing directory services for an Xserve-based network. It can be used to set up an Open Directory Password Server, which provides authentication for users on the network, by validating passwords and enforcing policies. It controls access to network resources—files and directories, printers, mountable media, preferences, group permissions, and more—not just for Mac OS X clients, but for OS 8 and 9 clients as well, and also Windows and Unix clients. Detailed discussion of how to use Open Directory services is available in the Mac OS X Server Administrator's Guide.

OS X has the Apache Web server built in. This server can be easily configured from Server Settings, and is robust enough to host large dynamic Web sites. The article Optimizing an Xserve for Web Hosting discusses how to optimize an Xserve for hosting multiple Web sites. In conjunction with PHP and/or Perl, both of which are also pre-installed, complex Web applications can be created for any need; with a MySQL database backend, this is a powerful, and completely open source, solution.

To provide email access within the network domain, the Xserve's built-in mail server can host, store, and route mail for the network, with an address for each user on the system, and internal LAN mail routed separately from external communication. It allows for IMAP and POP access, which can be secured with SSL as explained above; spam filtering; and the use of alternate mail transfer agents, such as Postfix, Sendmail, and Qmail.

Apple Remote Desktop

Whenever you want to manage an Xserve remotely, consider using Apple Remote Desktop.

Besides using the application to remotely manage your Xserve, you can also use Apple Remote Desktop to configure and administer Macintosh clients that are connected to your Xserve.

Managing your Server

An Xserve can be managed with the Mac OS X Server management applications such as Server Admin and Server Monitor. But you can also use Apple Remote Desktop as a virtual KVM to remotely take control of an Xserve; you can even remotely restart or shut down your Xserve.

Another task for Apple Remote Desktop is for copying configuration files or installing software packages (such as Mac OS X system updates or security updates) remotely.

But perhaps the greatest power of using Apple Remote Desktop is when you need to update more than one Xserve—whether you have one Xserve or several, with a few clicks you can copy and install software to all of them.

Managing your Clients

You can also use Apple Remote Desktop to remotely manage the Macintosh clients connected to your Xserve—use it for software distribution, desktop support, and hardware and software profiling.

Posted: 2003-09-30