a_devildog_0331 asked:
Web Hosting / DNS Issues on OS X 10.7.3 - New Install

I'm having some issues properly setting up 10.7.3 to host internal DNS and external Web, Wiki and Mail.  Specifically, I'm having issues with external web and wiki access.  Since those are the most important right now, I haven't really had a chance to fully test the other features.  I was able to do some testing of the mail and iCal but it was limited.
 
Long read below but I thought the specifics would be helpful...
 
My goals and configuration are:
 
***GOALS***
Primary:
1) Host a public website: example.org and www.example.org
2) Host a public wiki: main.example.org and www.main.example.org
3) Host a public mail server: username@example.org
4) Host a public, group calendar
4a) Read only to majority - Read/Write to a group
5) Host a global address book for authenticated users
 
Secondary:
6) Allow anonymous public access to a file share (read only)
7) Allow authenticated access to the same file share (read/write)
8) Do as much of this via GUIs as possible.
 
The amount of users (if relevant):
On site - 1 (Me)
Off site - 16 (Windows clients - some have iOS devices too)
Web site traffic - less than 50 regular visits per day (avg of 15) with a peak of ~125 once a month.
 
This is for a 501c3 public nonprofit made of all unpaid volunteers (including the officers and directors).  All of us have paying day jobs and I just so happen to be the guy that knows just enough to get myself in trouble here.  ANY help would be greatly appreciated!!!

 
***SETUP AND CONFIGURATION***
Physical:
1) Business class Internet (no blocked ports)
2) A single, public and static IP address
3) Domain name and public DNS via GoDaddy
4) Wildcard Cert: *.example.org from GoDaddy
5) Late 2011 (bought in Jan 2012) MacMini Lion Server (the $1,000 one).
5a) Upgraded the RAM to 16GB (needed for VMware Windows clients)
5b) Added two USB to Ethernet adapters.
6) Using a new model AirPort Extreme Base Station (bought w/ the MM) as the main router.
 
Initial Configuration:
7) Set up a MAC address reservation for the main and two USB Ethernet ports, along with the wireless too.
7a) Main port = 10.0.1.5 / others are .6, .7 and .10
8) During the setup, I chose the Host on the Internet (third) option and named my server: main.example.org
9) After the setup completed, I upgraded the OS & Admin Tool to 10.7.3 from a clean install (on #5 now)
 
DNS Config
10) I used the admin tool to open DNS and change:
11) "Primary Zone Name" from main.example.org to example.org.
12) In the "Nameservers:" block, I changed the zone name there but left the nameserver name alone (zone: example.org /// Nameserver Hostname: main.example.org).
13) The Machine Name and Reverse Zone was left alone.  RZ resolves to main.example.org.  sudo changeip -checkhostname is good.  dig on the example.org and main.example.org are good to go (NOERROR).
 
OD Config
14) From the server app, I clicked Manage/Network Accounts and set up the OD - No issues.
 
SSL
15) From the server app, I created self signed cert, generated a CSR, got a public Cert, then replaced the self-signed with the public one - No issues.
16) Changed any service using the self-signed cert to the public one - No issues.
17) Changed the cert in the OD to the public cert from server admin - No issues.
 
In order: File Sharing, Mail, AB, iCal, Web, Wiki, Profile Manager, Network Groups, Network Users
18) File Sharing was set up using the server app
19) Set up mail using the server app to start it and the server admin app to configure it - No issues there (I think...)
20) AB - Flipped the switch to on
21) iCal - Flipped the switch to on - I set up the e-mail address to use after I added the network accounts.
22) Web - Flipped the switch to on - Default site worked (main.example.org)
23) Wiki - Flipped the switch to on - Default wiki worked. (main.example.org)
24) PM - Checked the sign config profiles and enabled the device mgt.  I then flipped the switch to on - Default settings and pages worked.

External DNS
25) Public DNS settings from GoDaddy with these records:
A records pointing to my static IP:
@
main.example.org
www.main.example.org
 
CNAME records:
www points to @
 
 
***MY PROBLEMS***
Website:
Adding a website for example.org gave me the red dot in the server app.  To fix that, I added a Machine Name record to my primary zone (PZ = example.org Machine Name = example.org).  I first tried using the same 10.0.1.5 IP as the main.example.org and left the reverse mapping alone (still resolved to the NS of main.example.org).
That gave me the green light in the server app when trying to add the website again.  From there, I changed the "Store Site Files In" to the location of my website files (and confirmed "Everyone" has Read Access in the folder's security settings).  I left the other info alone (all defaults accepted) and clicked done.
Access to the website works on the server but external access doesn't (Network Error/timed out tcp_error).  Checked the AirPort settings using the AirPort utility (version 5.5.3) and the Port Mapping (under the "Advanced" icon) shows several services all pointing to 10.0.1.5.  Thinking it could be DNS I tried main.example.org externally and it failed the same way.
I ran the changeip command (good to go) and dig on example.org and main.example.org and they both resolved to 10.0.1.5 correctly.
I removed the example.org Machine Record from the zone and it now looks like:
PZ=example.org / ZONE=example.org / NS=main.example.org
Machine Record=main.example.org / IP=10.0.1.5
RM=10.0.1.5 / Resolves=main.example.org

PLEASE HELP!
ishcabittle replied:

So when you say "external access" doesn't work when looking at the server, is that inside or outside of your LAN?  Your digs show that the internal DNS is correct, and your GoDaddy DNS points to the public IP of your Airport Extreme, correct?

If internal, LAN access is good to go and it's just the external networks that can't see the server, what happens if you punch in the public IP address, does it render anything in the browser?  Can you reach port 80 via telnet outside of your network?

Open terminal and type:

telnet main.example.org 80
telnet example.org 80
telnet www.main.example.org 80
telnet <your static IP address> 80

Do any of these resolve?  Which ones fail?
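The checks above, as an added example that is not part of the thread and not code posted by either participant: a small Python 3 script that does what the telnet list does, non-interactively and from whichever side of the router it is run. It resolves each hostname the question lists through the system resolver (the same path telnet and a browser take, unlike `dig`, which asks one named server directly), compares the answer with the address that vantage point should see (10.0.1.5 on the LAN, the public static IP from the Internet), and then attempts a TCP connection to ports 80, 443 and 25, separating a timeout (packets dropped: no port mapping, or a firewall) from a connection refused (something answered with a reset) from a DNS failure. The public address is a placeholder from the RFC 5737 documentation range standing in for the redacted XXX.XXX.XXX.XXX, and the `lan`/`internet` vantage labels and function names are this example's own.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): resolve each name the question lists and
probe the exposed TCP ports, reporting results the way `telnet host port` would
but without the interactive session.

Assumptions not taken from the thread: PUBLIC_IP is a documentation-range
placeholder for the asker's redacted static address; the vantage labels
"lan"/"internet" and all function names are this example's own."""
import socket
import sys

INTERNAL_IP = "10.0.1.5"      # LAN address of the Mac mini, from the question
PUBLIC_IP = "203.0.113.10"    # placeholder (RFC 5737); replace with the real static IP

# Hostnames from the question. On the LAN the server's own DNS zone should
# answer the private address; from the Internet GoDaddy's records should answer
# the public one (www.example.org is a CNAME to @, which getaddrinfo follows).
NAMES = ["example.org", "www.example.org", "main.example.org", "www.main.example.org"]

# Ports the thread exercised with telnet; extend with every port the services
# auto-mapped on the AirPort to confirm nothing unintended answers from outside.
PORTS = {80: "http", 443: "https", 25: "smtp"}


def expected_ip(vantage):
    """Address a name should resolve to when queried from `vantage`."""
    return INTERNAL_IP if vantage == "lan" else PUBLIC_IP


def classify(exc):
    """Reduce a connect() outcome to the cases that matter for a port-forward
    problem: 'timeout' means packets were dropped (no mapping, or a firewall),
    'refused' means something answered with a reset (router or host rejecting),
    'dns' means the system resolver could not resolve the name."""
    if exc is None:
        return "open"
    if isinstance(exc, socket.gaierror):
        return "dns"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    return "error:" + type(exc).__name__


def tcp_check(host, port, timeout=5.0):
    """Try a TCP connection and return (state, error text or None)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open", None
    except OSError as exc:          # gaierror, timeout and refused are all OSError
        return classify(exc), str(exc)


def resolve(name):
    """IPv4 addresses for `name` via the system resolver, or [] if it fails."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def audit(vantage, names=NAMES, ports=PORTS, timeout=5.0):
    """One row per name: (name, resolved IPs, resolution matches expectation,
    {port: state}). Ports are only probed when the name resolved."""
    want = expected_ip(vantage)
    rows = []
    for name in names:
        ips = resolve(name)
        states = {p: tcp_check(name, p, timeout)[0] for p in ports} if ips else {}
        rows.append((name, ips, ips == [want], states))
    return rows


if __name__ == "__main__":
    # usage: python3 dnscheck.py lan      (run on a LAN client)
    #        python3 dnscheck.py internet (run from a host outside the network)
    vantage = sys.argv[1] if len(sys.argv) > 1 else "lan"
    print(f"vantage={vantage} expecting {expected_ip(vantage)}")
    for name, ips, ok, states in audit(vantage):
        flag = "OK " if ok else "BAD"
        ports = " ".join(f"{PORTS[p]}:{s}" for p, s in states.items()) or "(not resolved)"
        print(f"{flag} {name:<24} {','.join(ips) or '-':<16} {ports}")
```

Run the `internet` variant from a host that is genuinely outside the network when the question is whether the AirPort port mappings work: a probe sent to the public address from behind the same router may never traverse the mapping at all, so a refusal or timeout seen that way says nothing about Internet reachability. Running the outside variant with PORTS widened to every mapping the services created also confirms that only the intended services are exposed.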
a_devildog_0331 (asker) replied:
I'm at work right now using a PC (not joined to the server) and accessing the server via Logmein - I say that so you know how I'm testing both on and off lan access.

On LAN worked - Off LAN didn't.

From outside the LAN, NSLOOKUP for both example.org and main.example.org point to my public IP.

Typing my public IP in a browser I get "Network Error (tcp_error) - A comm error occurred: Op timed out"

Not familiar with telnet... this is what I got when I ran your list on the server:
telnet main.example.org80 - nodename nor servname provided, or not known
telnet example.org80 - ditto
telnet www.main.example.org80 - ditto
telnet XXX.XXX.XXX.XXX80 - ditto

not knowing telnet, I ran the same with a : before the port - got the same.  I tried 443 and 25 too.

ishcabittle replied:

Note that you'll need a space between the FQDN and the port number:

telnet main.example.org 80

not

telnet main.example.org80

a_devildog_0331 (asker) replied:

LOL... figures.  Told you I didn't know Telnet.
<my command in terminal> - the rest is the response.

<telnet main.example.org 80>
Trying 10.0.1.5...
Connected to main.example.org
----------------------------
<telnet example.org 80>
example.org: nodename nor servname provided, or not known.
---------------------------
<telnet www.main.example.org 80>
fail - s/a
---------------------------
<telnet XXX.XXX.XXX.XXX 80>
Trying XXX.XXX.XXX.XXX...
telnet: connect to address XXX.XXX.XXX.XXX: Connection refused
telnet: Unable to connect to remote host
---------------------------
ASKER CERTIFIED SOLUTION
ishcabittle

a_devildog_0331 (asker) replied:

Reworking DNS to match what you laid out worked.  For good measure... I deleted the AirPort Ext. port mappings, stopped and started the services a few times, then double checked the APE mappings to ensure they were recreated correctly and all is well.

Thanks for the help.