Well, if you were like me you were thrilled about the idea of Apple's new Snow Leopard Server feature, Mobile Access Server. Great, so what is it and what does it do? It keeps your private web, iCal and mail data secure without the use of a VPN, and it's really easy to set up. I was sold, and I started down the path of figuring out the Mobile Access Server. The more I got into the nitty-gritty of the setup, the more I realized just what a 1.0 feature this really is. After some trial and error I decided to share my experience with others, in the hope of helping them fully understand the Mobile Access Server.
All right, the first thing you have to understand: put aside any notion of running Mobile Access Server on any other server you may already have. Mobile Access Server is meant to run on a gateway server. A gateway server is a server that routes traffic to multiple destinations, meaning it is a stand-alone server whose primary function is to keep your private data private. It translates public requests and serves up private content. You must run Mobile Access Server on a separate server from the servers that contain your private data.
The second mental hurdle to get over is that yes, the gateway server (your Mobile Access server) must be on the same subnet as the private servers for which public requests will be relayed. The gateway has to have some sort of direct line of communication to the private server or servers in question. The next hurdle is DNS. Yes, DNS can be a huge headache, but here are a few things to understand.
The public DNS names that will be routed through the gateway server should point to the gateway server.
The gateway server in turn should be able to resolve all of those DNS names to private IP addresses, meaning you must have internal DNS set up with the appropriate zones and records. I learned this the hard way: the Mobile Access service looks to internal DNS on the gateway itself. Do not point it at a separate private DNS server for internal DNS; the internal DNS must be running on the same server as the Mobile Access service.
The last hurdle is this: once DNS is set up and the service is started, and you feel like you have configured everything correctly, and you are exhausted and go to try your Mobile Access Server settings and they do not work the first time, do not be surprised. As I said, this is a very 1.0 feature. Be prepared to check and re-check your settings. Be prepared to start and stop DNS multiple times. Mobile Access Server is a great service and works great once configured correctly.
I am now open to field questions you may have regarding setup, or ideas for further posts to explain things in more detail. I hope this at least clears up ahead of time some of the misconceptions that I had with the service.
I am curious – does it ABSOLUTELY have to be on the same subnet as the server to which it is “proxying” requests?
I ask because right now, I have two servers:
* 1 (internal/private) os x server (serving ical, email, dns, etc etc) and …
* 1 Linux server that is PUBLICLY accessible (has a static ip). Public server has a direct 1-to-1 NAT connection to the internal server (all requests go there whether he likes it or not).
This works great, but lacks the robustness of replacing the Linux box with a second os x server (which I plan on doing in a few months).
The idea behind this architecture is that, instead of a link-local connection between the “public” server and the “private” server, a VIP on my firewall provides source-nat exclusively for the public server to communicate over all allowed ports/services with our private server. This VIP is not publicly accessible; it is available only to the public server itself, who only listens on a few ports to begin with.
Is this even an option? While playing with Mobile Access, it “seemed” possible, but as you pointed out, one has to dig a little deeper, which I cannot do until I possess the 2nd os x server.
If a direct link-local connection is unquestionably required, then I’ve got some thinking to do.
Thanks Jon, good article.
Well, it would be interesting to find out for sure. All you really need to do to test is this: let's say your Linux server is at IP address 209.201.10.30 and your gateway server, running Mobile Access, is on 206.203.20.42, and let's say you had a website you want to run through the proxy, example1.testsite.com, running on your Linux box. Then you would change your public DNS record for the site to point to 206.203.20.42; then on the gateway server you would add a DNS record that points example1.testsite.com to 209.201.10.30, and then add the site to the web proxy area of the Mobile Access Server. This may or may not work; I am interested to find out, though. The issue that you have is that you do not have a server that can act as the gateway, and that is really the sole purpose of the Mobile Access service. The above scenario would still require a third server; however, we are using a used Mac mini to do the proxying. But again, you could try to enable Mobile Access Server on your current OS X Server, since the request is DNS to OS X Server –> OS X Server –> Login Page –> DNS to Linux Box. It may work; worth a shot, let me know how it goes!!
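The DNS rules in the post (public names point at the gateway; the gateway's own internal DNS resolves those names to private addresses on the gateway's subnet) and the test scenario sketched in the reply above can be checked mechanically before anyone starts and stops DNS for the tenth time. The following Python script is an added example, not code from the post or from Apple's Mobile Access Server. The zone contents, the 192.168.1.0/24 gateway subnet and every hostname other than example1.testsite.com are constructed sample values; the 209.201.10.30 and 206.203.20.42 addresses are the ones used in the reply. Run against the sample data, it flags the reply's own record (the gateway resolving example1.testsite.com to the Linux box's public address) as violating the post's stated rules, alongside two other common slips: an internal record on a different private subnet, and a public record never repointed at the gateway.

```python
"""Split-horizon DNS sanity check for a Mobile Access style gateway.

Added example, not from the post. It encodes the three rules the post states
for every host proxied through the gateway:
  1. the public A record points at the gateway's public IP,
  2. the gateway's own internal zone has a record for the name, and it is a
     private (RFC 1918) address,
  3. that private address is on the same subnet as the gateway's LAN side.
All zone data below is constructed sample input (hypothetical), except the two
addresses 209.201.10.30 / 206.203.20.42 taken from the reply's scenario.
"""
import ipaddress

# Constructed sample values (hypothetical deployment).
GATEWAY_PUBLIC_IP = "206.203.20.42"     # gateway as seen from the Internet
GATEWAY_INTERNAL_NET = "192.168.1.0/24" # subnet of the gateway's LAN interface

# Public zone as the outside world sees it: hostname -> A record.
PUBLIC_ZONE = {
    "example1.testsite.com": "206.203.20.42",  # repointed at the gateway (reply)
    "mail.testsite.com": "206.203.20.42",      # repointed at the gateway
    "cal.testsite.com": "206.203.20.42",       # repointed at the gateway
    "wiki.testsite.com": "209.201.10.30",      # never repointed: still the old box
}

# Internal zone served by the DNS running *on the gateway*: hostname -> A record.
INTERNAL_ZONE = {
    "example1.testsite.com": "209.201.10.30",  # the reply's record: a public IP
    "mail.testsite.com": "192.168.1.10",       # private, on the gateway subnet
    "cal.testsite.com": "10.0.5.25",           # private, but a different subnet
    # wiki.testsite.com: no internal record at all
}

PROXIED_HOSTS = [
    "example1.testsite.com",
    "mail.testsite.com",
    "cal.testsite.com",
    "wiki.testsite.com",
]


def check_host(name, public_zone, internal_zone, gateway_public_ip, internal_net):
    """Return the list of rule violations for one proxied hostname ([] = OK)."""
    problems = []
    net = ipaddress.ip_network(internal_net)

    # Rule 1: the public record must land traffic on the gateway.
    public_ip = public_zone.get(name)
    if public_ip is None:
        problems.append("no public A record")
    elif public_ip != gateway_public_ip:
        problems.append(
            f"public A record {public_ip} does not point at gateway {gateway_public_ip}"
        )

    # Rule 2: the gateway's own internal zone must resolve the name privately.
    internal_ip = internal_zone.get(name)
    if internal_ip is None:
        problems.append("no record in the gateway's internal zone")
        return problems
    addr = ipaddress.ip_address(internal_ip)
    if not addr.is_private:
        problems.append(f"internal record {internal_ip} is not a private address")

    # Rule 3: the private server must share the gateway's subnet.
    if addr not in net:
        problems.append(
            f"internal record {internal_ip} is not on gateway subnet {internal_net}"
        )
    return problems


def check_all(hosts, public_zone, internal_zone, gateway_public_ip, internal_net):
    """Map every proxied hostname to its list of violations."""
    return {
        h: check_host(h, public_zone, internal_zone, gateway_public_ip, internal_net)
        for h in hosts
    }


if __name__ == "__main__":
    report = check_all(PROXIED_HOSTS, PUBLIC_ZONE, INTERNAL_ZONE,
                       GATEWAY_PUBLIC_IP, GATEWAY_INTERNAL_NET)
    for host, probs in report.items():
        print(f"{'OK  ' if not probs else 'FAIL'} {host}")
        for p in probs:
            print(f"       - {p}")
```

Run as a script it prints a per-host pass/fail report. In a real deployment the two dictionaries would be filled from `dig +short name @<public resolver>` and `dig +short name @<gateway's own IP>` respectively, which is also the quickest way to confirm that the gateway is consulting its local DNS rather than some other internal server.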