[Update 01/31/18: macOS Server Will Lose Many Services This Spring: Here Are Alternatives]
[Update] Find the entire macOS Server series here!
This is the second in a series of Rocket Yard articles in which we take you through the setup of macOS Server. macOS Server is an app that runs on macOS Sierra, providing services such as mail, web hosting, calendar hosting, and more to users in a workgroup.
In Part 1 of this series, we discussed what macOS Server is, how a Mac mini makes a very feasible “headless server”, and how to purchase and install macOS Server. This week, we’re going to set up our server for a small business called “Astounding Photos”.
Most companies want their servers to be accessible from outside of the confines of an office. This gives employees the ability to work securely with the network through a virtual private network (VPN) and send/receive e-mail, lets customers visit a web site hosted on the server, and more.
As mentioned in Part 1 of this series, Apple provides an excellent set of built-in tutorials for macOS Server that are accessible from the Help menu of the Server app. In the next few episodes, I’ll be following the lessons outlined under “Set up for small business” in the tutorials. (Related: Get the best performance from your Mac mini server with MacSales.com.)
Getting an Internet Identity
The first step in making our server available to customers and employees is to set up an identity that will be accessible from anywhere on the Internet. The tutorial points out the things that we must do to set up our identity:
1) Get a static IP address
2) Give your server a host name
3) Get a domain name
4) Set up DNS and reverse-DNS resolution
5) Get a signed SSL certificate
6) Get a company Apple ID
Getting a static IP address
There are two ways to get a static IP address that’s associated with your location. First, and probably the easiest, is to work with your internet service provider (ISP) to have a static IP address assigned to you. Note that for home internet service users, many ISPs do not allow static IP addresses; you may need to switch to a business account or use a dynamic DNS (Domain Name System) service.
Home internet services use DHCP (Dynamic Host Configuration Protocol) to assign an IP address from a pool owned by the ISP to your cable or DSL modem. Since the address can change each time the cable or DSL modem is rebooted, the IP address is not static.
A dynamic DNS service watches the IP address that is assigned to a home internet service and if it changes, it reroutes requests to the new IP address automatically.
One of the most well-known providers of dynamic DNS service is Dyn.com. Their least expensive dynamic DNS service runs $40 per year, but that cost allows you to run up to 30 hosts — a bit of overkill if you’re setting up one host name. There are also free dynamic DNS services like No-ip.com that are perfect for just one host name, but they require confirmation once a month via e-mail or have other quirks.
If you do have a static IP address but don’t know what it is, you can visit whatsmyip.org or open the home screen of macOS Server and look at “Internet”. It will show that your server is available at a specific IP address. For security reasons, I’ve blanked out part of the IP address for my server in the picture below:
Give your server a host name
A host name is the name that your server has on the local network. When your server is accessed over the internet, it will need to have a fully-qualified domain name that includes the host name (say “server”) and the complete domain name (astoundingphotos.com in this example).
The server name is required even if you aren’t accessing the server over the internet, in order for the server to be uniquely identified on your local network.
Make sure you’re happy with the server name, as it can be difficult to change later on.
Get a domain name
Domain names are the “written addresses” where a server resides (uniquename.tld, where tld is a “top-level domain” such as .com, .org, .info, etc.). DNS is used to translate a written address — astoundingphotos.com — into a numeric address (your static IP address) when someone tries to access your server.
Domain names aren’t purchased; you’re actually leasing them from a domain registrar for a period of time. It’s drop-dead easy to register a domain name, so the process won’t be covered here. Some domain registrars you may want to consider are GoDaddy.com and Dreamhost.com. The annual cost of your domain name will depend a lot on the top-level domain used.
Whatever domain registrar you select, make certain that you familiarize yourself with their DNS tools, as at one point you’ll need to let them know the static IP at which your server resides.
Set up DNS and reverse-DNS resolution
It’s now time to set up DNS and reverse-DNS resolution. As noted before, this is the link between the domain name you’ve leased and the static IP address of your server.
The domain registrar will almost always set up an SOA (Start of Authority) record for you, which is part of your DNS zone file. This normally points to the DNS servers operated by the domain registrar. You can use the nslookup command in Terminal on your Mac to see the link between your domain name and the DNS server (see image below):
Note that the IP address listed here isn’t the static IP address of my server; since I’m doing an nslookup from my local network, it’s showing the local IP address of my router. To make sure that my domain name is properly pointed to the static IP address, I needed to perform the nslookup over a cellular connection on my iPhone using a free app called (oddly enough) nslookup.
The next two records you’ll need to set up are an “A” record linking your fully qualified domain name — in this example it will be astoundingphotos.com — to the static IP address, and the reverse DNS entry. In Dreamhost’s domain management tools, the A record is set up as follows (see picture below, IP address obscured for security reasons):
Since I’m thinking about hosting mail, calendars, contacts, messages, a web server, a VPN, and a Wiki on this server — all for access inside and outside of my local network — I also added A records for:
These are subdomains of astoundingphotos.com. I may not need these subdomains, as each service uses specific TCP or UDP ports to address the server, but I have set them up anyway…just in case.
Finally, let’s add the reverse DNS entry. This is done by adding a pointer record (AKA “PTR”) for your site. Apple demonstrates reverse DNS entries by showing that you’d have entries that not only link your domain name to a numeric IP address (i.e., astoundingphotos.com = 188.8.131.52) but also link your numeric IP address to the domain name (184.108.40.206 = astoundingphotos.com).
Update from an earlier version of this post: the owner of the IP address — most likely your ISP — will need to set up the reverse DNS entry. Previously we had noted that it would be the domain registrar that would perform this task; that was wrong.
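The forward and reverse records above only do their job when they agree: the A record for the host must point at the static IP, and the PTR record the ISP publishes for that IP must point back at the same host name (mail servers in particular check this). The script below is an added example, not from the original article or from Apple's tutorial. It shows how the PTR owner name is derived from an IPv4 address (the name you would ask the ISP to populate), checks that a forward answer and a reverse answer agree, and, only when RUN_LIVE=1 is set, performs the real lookups with dig. The host name, the 192.0.2.10 address (a documentation range) and the sample answers are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): forward/reverse DNS consistency.
# The helper functions work offline on constructed data; the live lookup at the
# bottom only runs when invoked as:  RUN_LIVE=1 sh check_dns.sh server.example.com

# reverse_name: turn a dotted-quad IPv4 address into the PTR owner name that the
# address owner (usually the ISP) must publish, e.g. 192.0.2.10 -> 10.2.0.192.in-addr.arpa
reverse_name() {
    printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# fcrdns_ok HOST A_ANSWER PTR_ANSWER
# Succeeds only when the A record returned an address and the PTR record for that
# address names the same host ("forward-confirmed reverse DNS"). dig and nslookup
# print fully qualified names with a trailing dot, and DNS names are case-insensitive,
# so both are normalised before comparing.
fcrdns_ok() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//')
    ptr=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//')
    [ -n "$2" ] && [ "$host" = "$ptr" ]
}

# Constructed sample answers standing in for what
#   dig +short A server.astoundingphotos.com      and
#   dig +short -x 192.0.2.10
# would print once both records are in place (192.0.2.0/24 is a documentation range).
SAMPLE_HOST="server.astoundingphotos.com"
SAMPLE_A="192.0.2.10"
SAMPLE_PTR="server.astoundingphotos.com."

echo "PTR record to request from the ISP: $(reverse_name "$SAMPLE_A")  PTR  $SAMPLE_HOST."
if fcrdns_ok "$SAMPLE_HOST" "$SAMPLE_A" "$SAMPLE_PTR"; then
    echo "sample: forward and reverse agree"
fi

# Live check against the real resolver, on request only. Run it from outside your
# own network (the article's cellular-connection trick) to avoid the router's local
# address showing up instead of the static IP.
if [ "${RUN_LIVE:-0}" = 1 ] && [ -n "$1" ]; then
    a=$(dig +short A "$1" | head -n 1)
    ptr=$(dig +short -x "$a" | head -n 1)
    if fcrdns_ok "$1" "$a" "$ptr"; then
        echo "$1 -> $a -> $ptr : OK"
    else
        echo "mismatch: $1 -> ${a:-<no A record>} -> ${ptr:-<no PTR record>}"
        exit 1
    fi
fi
```

A missing PTR is the common failure: the A record resolves, `dig -x` prints nothing, and the check reports the mismatch rather than silently passing. When the PTR names a different host (for example the ISP's generic name for the address), that is the record to ask the ISP to change.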
Get a signed SSL certificate
One of the most crucial things you can do when setting up your server is to ensure the security of your users and data. One of the best ways to do this is to get a signed SSL certificate from a Certificate Authority (CA).
A Certificate Authority is a trusted third party that verifies the identity behind an SSL certificate. They do this by making sure that you are who you say you are, and then charging you to digitally sign the cryptographic key (packaged as a certificate) that is used to secure communications to and from your server.
Having the signed SSL certificate installed on your macOS Server means that any users accessing that server for e-mail, web services, and so on can rest easy knowing that their data is encrypted en route.
There are a couple of ways you can get a signed SSL certificate. First, you can act as your own Certificate Authority and digitally sign your own keys, as long as you have control over all of the machines that will access your web site. That’s improbable, so we won’t cover that eventuality.
The next way is to use a popular and trusted CA. Several of these are Comodo, Geotrust, and Digicert. Most of these services provide a free 90-day trial if you’re just setting things up to learn about servers and SSL, but you’ll find that certificates can be a bit expensive.
If you’re a business, you most probably want to get what’s called an “Extended Validation SSL” certificate. When someone visits your web site, they can tell just how secure the site is immediately — in both Safari and Chrome, the address shows a “lock” icon and the site owner information appears in green in the address bar.
The time to get an SSL certificate validated depends on just how much validation you wish to get. If you just want domain validation (i.e., your site or server is owned by XYZ), that can be done by sending domain ownership information via e-mail in five minutes or so. The requirements for organization and extended validation are more rigorous, where business documents showing your company’s location and ownership need to be sent to the CA.
You can also get a free domain validated SSL certificate from Let’s Encrypt. This is a free, automated, and open CA that is run for the public’s benefit by the Internet Security Research Group. Some major domain registrars can provide you with a Let’s Encrypt certificate through their domain management tools; that’s how I grabbed a Let’s Encrypt SSL certificate for this example.
What does your SSL certificate look like? In many cases, you’ll receive four blocks of alphanumeric text (PEM-encoded). One is called a CSR or Certificate Signing Request, the next is the Certificate itself, the third is the Private Key, and the final one is an Intermediate Certificate (see image at right for an example).
You’ll need to have these blocks close by and be able to copy and paste them into the appropriate place in your macOS Server configuration. We’ll cover how to install the certificate in a future article in this series.
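The four pieces listed above are related to each other, and the relationships can be checked before anything is pasted into macOS Server: the CSR names the host you asked for, the private key and the certificate must share the same RSA key, and the certificate must chain to the CA that signed it. The script below is an added example, not from the original article or from any CA's tooling; it uses only the standard openssl command line that ships with macOS. It generates a key and CSR for the article's example host name, and, because sending a CSR to a real CA cannot be shown offline, stands up a throwaway test CA to play the CA's part (the test CA, the host name and all file paths are constructed). The same three checks apply unchanged to a certificate returned by Comodo, Let's Encrypt or any other CA; for those, the intermediate certificate is passed to openssl verify with -untrusted.

```shell
#!/bin/sh
# Added example (not from the original article): generate the private key and CSR,
# obtain a certificate, and check that key, CSR, certificate and chain fit together.

FQDN="server.astoundingphotos.com"   # constructed host name from the article's example

# 1. Private key plus Certificate Signing Request. The key stays on the server;
#    only the CSR is sent to the CA. Argument 1 is a working directory.
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/server.key" -out "$1/server.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
}

# csr_cn: the Common Name the CSR asks the CA to certify (works with both the
# "CN = x" and "/CN=x" subject formats that different openssl versions print)
csr_cn() {
    openssl req -in "$1/server.csr" -noout -subject | sed 's/.*CN *= *//'
}

# 2. Stand-in for the CA. A real CA returns the signed certificate and an
#    intermediate; here a constructed, throwaway test CA signs the CSR instead.
sign_with_test_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$1/testca.key" -out "$1/testca.pem" \
        -subj "/CN=Constructed Test CA" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/testca.pem" -CAkey "$1/testca.key" \
        -CAcreateserial -days 30 -sha256 -out "$1/server.pem" >/dev/null 2>&1
}

# 3a. key_matches_cert: the private key and the certificate must carry the same
#     RSA modulus; a certificate issued for a different key is unusable.
key_matches_cert() {
    k=$(openssl rsa -in "$1/server.key" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$1/server.pem" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 3b. chain_verifies: the certificate must chain up to the CA's certificate.
#     With a commercial CA, add:  -untrusted intermediate.pem
chain_verifies() {
    openssl verify -CAfile "$1/testca.pem" "$1/server.pem" >/dev/null 2>&1
}

# run_demo: the whole flow in a temporary directory; returns 0 only if every check passes
run_demo() {
    d=$(mktemp -d) || return 1
    make_key_and_csr "$d" "$FQDN" &&
    [ "$(csr_cn "$d")" = "$FQDN" ] &&
    sign_with_test_ca "$d" &&
    key_matches_cert "$d" &&
    chain_verifies "$d"
    rc=$?
    rm -rf "$d"
    return $rc
}

run_demo && echo "CSR, private key, certificate and CA chain are consistent for $FQDN"
```

The key-to-certificate modulus comparison is the check that catches the most common copy-and-paste mistake: pasting a private key generated for an earlier CSR next to a certificate issued for a later one. Modern CAs also put the host name in a Subject Alternative Name extension, which browsers require; the CSR here carries only a Common Name, and the CA's order form is where that list of names is normally supplied.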
Get a company Apple ID
This is the final step in building your internet identity. The Apple ID is used to enable push notifications for services, and a personal Apple ID isn’t recommended. You can use a personal Apple ID if you’re an individual setting up a personal server; for businesses, it’s highly recommended to get a company Apple ID since an individual might leave the business or delete their personal Apple ID.
To create an Apple ID, go to this web page. You’ll need to have an e-mail address that is not associated with any personal Apple ID. Of course, since we haven’t yet set up our mail server, you can’t use an e-mail address on your server…yet.
The Next Step
So, we have a running server…but we’re nowhere close to actually being able to access or use any of the services running on it. In the next article, we’ll set up the local infrastructure — configuring our local router to pass requests to various services on our server, turning on Open Directory to begin adding users to our server, and providing and checking service access over the Internet.
Stay tuned for the upcoming Part 3 of the macOS Server series, with Part 4 appearing in March. I want to make certain that our readers are able to set up their own macOS Servers successfully, so it will take a bit of time and effort for testing.
Related: Understanding macOS Server Part 1: Background and Setup