
ZMacintosh

macrumors 65816
Original poster
Nov 13, 2008
1,448
709
Hello, I'm looking for detailed and introspective guidance on setting up a home-based Apple server to serve a few functionalities.

I've done Apple system administration in the past but haven't been fully vested in it for a few years (ACSP and ACTC certifications prior; it seems to make a lot of sense when consulting, but when it comes to my own set-up perhaps I'm a bit timid).

Often I overthink concepts and things, so that may be the case in this scenario. I would like this to be as simple as possible without much clutter, but want to be able to granularly control certain functions without interrupting other computers' local access, network access, etc.

We're not looking to host a functional website, but would like a FQDN to be able to connect directly to the server if possible.

I have a chart with our devices, and I'll list the functionality we'd like to have with the OS X server:

• Access to the server securely from outside our network at any time

• Manage Time Machine back-ups

• Manage user access to files and folders stored on the server

Some things I'm concerned about are:

• Naming scheme: if I start OS X Server fresh and name it spacerangerserver.local and want to point a FQDN over, is there an issue there?

• IP address: do I need a static IP at the modem level, or can I set the IP of the iMac to a static address and then use Port Mapping on the AirPort to map connections back through to the server?

• Certificates: do I need to go through a certificate authority to get one, or can a locally signed one suffice? What will I need a certificate for?

• VPN secure access outside our network: what is required for this?

• User access: I want a user to be able to access anything on the server I set permissions for. Are these local accounts, or is it best to create Open Directory accounts?

• Pointing a domain to the server to access via an FQDN: let's say I have my domain ZMACINTOSH.COM; do I create a subdomain such as SERVER.ZMACINTOSH.COM and create an A record to point to my IP address?

• Managing OS X updates across all devices on the network, perhaps even managing a few of the iPads and other Macs (Apple TVs?), i.e. remote support, etc.

Our current system info:

• iMac 27-inch 3.3GHz, 3TB Fusion, 16GB RAM, wired to AirPort / Time Capsule

• OS X El Capitan + OS X Server

• AirPort Extreme + AirPort Time Capsule, not sure which we are going to use as the main networking device

• 12TB RAID Pegasus Thunderbolt array for file storage

• Cable modem on standard internet account, not sure if the cable company supplies static IPs to residential users or if I need a business account




[attached image: homeserver.png]

Altemose

macrumors G3
Mar 26, 2013
9,189
488
Elkton, Maryland
• Naming scheme: if I start OS X Server fresh and name it spacerangerserver.local and want to point a FQDN over, is there an issue there?

• IP address: do I need a static IP at the modem level, or can I set the IP of the iMac to a static address and then use Port Mapping on the AirPort to map connections back through to the server?

• Certificates: do I need to go through a certificate authority to get one, or can a locally signed one suffice? What will I need a certificate for?

• VPN secure access outside our network: what is required for this?

• User access: I want a user to be able to access anything on the server I set permissions for. Are these local accounts, or is it best to create Open Directory accounts?

• Pointing a domain to the server to access via an FQDN: let's say I have my domain ZMACINTOSH.COM; do I create a subdomain such as SERVER.ZMACINTOSH.COM and create an A record to point to my IP address?

• Managing OS X updates across all devices on the network, perhaps even managing a few of the iPads and other Macs (Apple TVs?), i.e. remote support, etc.

To address your points:

  1. You are going to need to configure a static IP address for your Mac by setting up a DHCP reservation. This is done through the AirPort Utility. If you do not have a static IP through your ISP (Internet Service Provider) then I recommend that you look at a dynamic DNS solution like Dyn or NoIP.
  2. Depending on your website hosting, you may need to look into a signed certificate to avoid security warnings.
  3. VPN access over L2TP is a very simple configuration. You are going to need either a static IP or dynamic DNS service for this to work consistently.
  4. You can create local user accounts and assign them to groups with varying levels of access/privileges. If you do not need users to sign in physically to the Mac or store their home folder on the server then a simple services account will do.
 

renato3

macrumors newbie
Dec 2, 2015
4
2
Netherlands
Hi,

Let me try to help you out here ;-)

Access to the server from the outside - I would suggest you try the simple but effective VPN server in OSX Server. It requires a FQDN and a good router. Your architecture depicts an Airport extreme and a modem - I don't know which of those 2 you will use in bridge mode, I assume the modem is in bridge mode so the Airport will do DHCP, port forwarding (Apple provides a list of ports that need to be forwarded for all services, also for VPN) and VPN (IPSec) passthrough. Use L2TP, not PPTP.

Configuring the VPN on OSX Server is quite straightforward once the rest is OK. Do not use a .local FQDN but register a domain and point the domain to your (hopefully static) home IP. Your iMac needs a static IP in the router range (but outside the DHCP range of course otherwise you will encounter IP errors).

At this moment, just use self-signed certificates in OSX Server. Later you can always go through the relative hassle of using 'real' certificates. I use one certificate for all services, but YMMV.

I use local accounts (network accounts in OSX Server speak).

If you have registered ZMACINTOSH.COM as a domain, you must create A records on your registrar's DNS for that domain and the subdomains that you would like to be publicly known, using your home IP. On OSX Server you can do the same (using the local addresses of the machines) to provide a consistent experience in and out of the house ;-)

Remote support: I don't really know but Mobile Device Management is baked into OSX Server. No experience though. ;-)

I think you just should install OSX Server once you have the FQDN and IP addresses arranged.

Grtz,
R.
 

DJLC

macrumors 6502a
Jul 17, 2005
959
404
North Carolina
To your concern points --

1) I would highly recommend using the FQDN from the get-go. While you *can* change the hostname later, it's not necessarily a quick and easy procedure in all cases. Especially if you're using Profile Manager and Open Directory.

2) You'll want a static IP from your ISP, then forward necessary ports on the router and/or place the server in the DMZ. You'll also want it to have a static internal IP.

3) Self-signed will be fine for your needs.

4) If you can get a static IP from your ISP, you're golden. You may or may not choose to point the FQDN to your server from the outside. For me at work, we use a FQDN internally that doesn't exist outside our network. I use the IP address for my VPN connection. There is a VPN service built into OS X Server, or some routers also have that as an option.

5) I would probably create local accounts if you have no other reason to use Open Directory. That said, if you want to use Profile Manager, you're required to configure OD. If you do end up configuring OD, I would set them up as accounts in OD, bind your client Macs to OD, and use Profile Manager to set them as Mobile Accounts with Home Sync disabled. At the end of the day, users will log in to client machines with their server credentials. Once they've logged in the first time, their home folder is created on the client and they are able to log in with or without network access to the server.

6) Yes -- you would set up something like server.zmacintosh.com with an A record to your static IP from the ISP. That said, you may choose NOT to do this for security reasons. At work we use something like xserve.ourschool.org internally, but ourschool.org isn't actually a registered domain name on the outside and won't resolve to anything outside our network. I use the static IP itself for remote access via VPN, which is handled by our firewall rather than OS X Server.

7) You can use a mix of Profile Manager and Apple Remote Desktop for this type of functionality. Profile Manager will allow you to push configuration profiles to Macs and iOS devices. You can preconfigure SSIDs, restrictions, and a host of other settings. For remote support / control, you can use ARD, but it only works with OS X clients. Finally, you can use Caching Server to keep a local cache of Apple updates on the server so you're not downloading them multiple times for all your devices.

All this said, I would caution you to very strongly consider whether or not this is overkill. OS X Server looks fun and easy, but in practice it may be one of the most irritating and crippled bits of software I've ever had to support. You can achieve file sharing with OS X Client, and many routers have built-in VPN functionality these days. You may find that a new router will provide the access you desire while saving you many headaches.
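As an added example (not code posted by anyone in this thread), here is a small Python checker for the two router-side points raised by renato3 and DJLC above: the server's fixed LAN address has to sit inside the AirPort's subnet but outside its DHCP pool, and the router's port forwards should cover exactly what the exposed service needs, with file sharing left behind the VPN rather than forwarded and the server not parked in the DMZ. The service names, the LAN_ONLY_PORTS table and every value in SAMPLE_PLAN are constructed for illustration; the L2TP/IPsec port numbers are the standard IKE, L2TP and NAT-T ports.

```python
"""Plan checker for the home-server network points raised in this thread.

Added example, not code from any poster. Two checks the replies describe:
the server's fixed LAN address must be inside the router's subnet but
outside the DHCP pool, and the router's port forwards must cover exactly
what the exposed services need. All plan values below are constructed.
"""
import ipaddress

# Ports a service needs reachable from the Internet. The L2TP/IPsec entries
# are the standard IKE, L2TP and NAT-T ports; ESP itself is not a port and
# relies on the router's IPsec passthrough that renato3 mentions.
SERVICE_PORTS = {
    "vpn-l2tp-ipsec": {("udp", 500), ("udp", 1701), ("udp", 4500)},
}

# Services that belong behind the VPN, so forwarding them is a finding
# (constructed table, not an official list).
LAN_ONLY_PORTS = {
    ("tcp", 548): "AFP file sharing",
    ("tcp", 445): "SMB file sharing",
    ("tcp", 5900): "Screen Sharing / ARD",
}


def check_lan_address(server_ip, subnet, dhcp_start, dhcp_end):
    """Return a list of problems with the server's fixed LAN address."""
    ip = ipaddress.ip_address(server_ip)
    net = ipaddress.ip_network(subnet, strict=False)
    lo, hi = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    problems = []
    if ip not in net:
        problems.append(f"{ip} is outside the router subnet {net}")
    elif ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if lo <= ip <= hi:
        problems.append(f"{ip} is inside the DHCP pool {lo}-{hi}; "
                        "the router may lease it to another client")
    return problems


def check_forwards(forwards, enabled_services, server_ip, dmz_host=None):
    """Return problems with the router's port-forwarding and DMZ settings."""
    forwarded = set(forwards)
    needed = set()
    problems = []
    # Every enabled service must have all of its ports forwarded.
    for service in enabled_services:
        ports = SERVICE_PORTS[service]
        needed |= ports
        for proto, port in sorted(ports - forwarded):
            problems.append(f"{service}: {proto}/{port} is not forwarded")
    # Any forward nothing needs is unnecessary exposure.
    for proto, port in sorted(forwarded - needed):
        name = LAN_ONLY_PORTS.get((proto, port))
        why = f"{name} belongs behind the VPN" if name else "no enabled service needs it"
        problems.append(f"{proto}/{port} is forwarded but {why}")
    # A DMZ host has every listening port exposed, not just the forwarded ones.
    if dmz_host is not None and ipaddress.ip_address(dmz_host) == ipaddress.ip_address(server_ip):
        problems.append("server is the DMZ host: every listening service is "
                        "exposed; use per-port forwards instead")
    return problems


def check_plan(plan):
    """Run both checks over a plan dictionary and return all findings."""
    return (check_lan_address(plan["server_ip"], plan["subnet"],
                              plan["dhcp_start"], plan["dhcp_end"])
            + check_forwards(plan["forwards"], plan["services"],
                             plan["server_ip"], plan.get("dmz_host")))


# Constructed plan resembling the thread's setup: AirPort subnet, iMac as the
# server, L2TP VPN enabled, with several of the mistakes the replies warn about.
SAMPLE_PLAN = {
    "server_ip": "10.0.1.20",
    "subnet": "10.0.1.0/24",
    "dhcp_start": "10.0.1.2",
    "dhcp_end": "10.0.1.199",
    "services": ["vpn-l2tp-ipsec"],
    "forwards": [("udp", 500), ("udp", 1701), ("tcp", 548)],
    "dmz_host": "10.0.1.20",
}

if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN):
        print("-", finding)
```

Run against SAMPLE_PLAN it reports four findings: the server address sits inside the DHCP pool, udp/4500 is missing from the VPN forwards, AFP is forwarded even though the thread's goal is to reach files over the VPN, and the server is the DMZ host. Moving the server to an address above the pool, forwarding the three VPN ports only, and clearing the DMZ host makes the checker return an empty list.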
 