Koozali.org: home of the SME Server

6.0b3: Can't add local network (error"doesn't look like

Michael Soulier

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #15 on: October 19, 2003, 07:46:10 AM »
Daniele Procida wrote:
>
> OK, stupid question: how do I actually purchase the
> commercial release? Some time spent browsing the Mitel site
> tells me all about it, but not how I purchase it or how much
> it will cost.

Mitel sells via resellers and distributors. Think of purchasing a PC from Dell instead of Microsoft. MS could not possibly provide support to their entire user-base, so they work through retail and OEM channels.

You should have one or more resellers in your area, depending on where you are.

http://www.mitel.com/contact_solution_provider/index.cfm

Feel free to contact Dan York (dan_york@mitel.com) if you have a bad experience with this.

Mike

Daniele Procida

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #16 on: October 19, 2003, 01:21:46 PM »
> Windows networking (SMB) and Appletalk are not designed as
> "hard" protocols to be exposed to the Internet. Your request
> is very unusual. I'm also not certain that it is possible, as
> netatalk only listens on a single interface (the LAN).

AppleTalk is certainly not designed for the Internet, because it's not an IP-based protocol. However, it's AppleShare (over IP) and not AppleTalk that I'm after (the former is a file-sharing protocol, the latter a networking protocol).

So far as I'm aware it is perfectly possible to have AppleShare running on more than one interface. It is also, again so far as I understand it, very secure, or at least much more secure than many other traditional Internet protocols such as FTP.

Daniele

Daniele Procida

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #17 on: October 19, 2003, 01:35:23 PM »
Michael Soulier wrote:
>
> > I can understand that, especially in the context of a server
> > system that has been developed and marketed with security as
> > one of its prime considerations. I'd still prefer it to be an
> > option though. Unfortunately VPN simply doesn't really meet
> > all my needs (though it works well enough for me at some
> > levels).
>
> How does a VPN not meet your needs?

What I'm after is a small server in my office to store files on, which I can access from anywhere. My clients only ever use Macs, so AppleShare (which is well integrated into every version of the Mac OS and is very familiar to my clients) is by far the preferred way of accessing those files.

I'd like to be able to create user volumes on the server so particular clients get to see particular things, to have a read-only public access volume for guests, and so on.

Basically, if it's plain old AppleShare, it'll work as a useful resource, but if anything beyond that is required (such as VPN) I'll still be able to use it, but it will simply be a non-starter as far as my clients are concerned.

(There is one more thing that I'm after, which is for my clients to be able to upload things via AppleShare to a volume, and their clients to be able to download them via HTTP. But that's further down the road than this.)

Sorry if I seem to be asking the impossible, or even just the undesirable, in all this. I'm not trying to be obstinate, but I do know what I'd like to achieve, and if it turns out that SME can do it then I'll be very pleased.

Regards,

Daniele

Michael Soulier

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #18 on: October 19, 2003, 06:54:48 PM »
Daniele Procida wrote:
>
> I'd like to be able to create user volumes on the server so
> particular clients get to see particular things, to have a
> read-only public access volume for guests, and so on.
>
> Basically, if it's plain old AppleShare, it'll work as a
> useful resource, but if anything beyond that is required
> (such as VPN) I'll still be able to use it, but it will
> simply be a non-starter as far as my clients are concerned.

I fail to understand why. If you're talking about a remote office, set up a permanent VPN from it to the main office with the fileserver. The entire point of a VPN is that it is transparent to the users. Anything you can do locally from the SME server, you can do over a properly configured VPN.

If this is not a remote office, and you have roadwarriors wishing the same functionality, then it's a small requirement to have them click on an icon and wait for the VPN to be established before accessing the private office network.

> (There is one more thing that I'm after, which is for my
> clients to be able to upload things via AppleShare to volume,
> and their clients to be able to download them via HTTP. But
> that's further down the road than this.)

The second is simple. The former _must_ be secure. Permitting arbitrary uploads from the internet is "not a good thing"!

> Sorry if I seem to be asking the impossible, or even just the
> undesirable, in all this. I'm not trying to be obstinate, but
> I do know what I'd like to achieve, and if it turns out that
> SME can do it then I'll be very pleased.

I don't see why not. I still don't follow why a VPN would be a burden to anyone. Remember, the whole point is that it is transparent.

With the 6000 MAS, we offer a 6042 VPN solution that permits establishment of VPNs to remote offices at the click of a mouse, between as many 6042s as you've purchased (6000 + a software blade).

Regards,
Mike

Daniele Procida

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #19 on: October 19, 2003, 10:30:30 PM »
Michael Soulier wrote:

> > Basically, if it's plain old AppleShare, it'll work as a
> > useful resource, but if anything beyond that is required
> > (such as VPN) I'll still be able to use it, but it will
> > simply be a non-starter as far as my clients are concerned.
>
> I fail to understand why.

Because it's not what they want, or what they'll manage to use successfully and consistently without my help. If I can give them something that works almost exactly like the normal AppleShare file-sharing they're used to, they'll probably get the hang of it after two or three weeks, though they'll still be phoning me up each time to ask if the server's down because it's not popping up in the Chooser. Each thing that's in any way different from what they normally do when they access shared volumes is going to result in frustration. None of them are stupid or anything, but very many of them have tremendous difficulties with computers.

> I don't see why not. I still don't follow why a VPN would be
> a burden to anyone. Remember, the whole point is that it is
> transparent.

You'll just have to trust me that for many of my clients it simply would be too much trouble to make it worth their while to use.

Daniele

Michael Soulier

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #20 on: October 20, 2003, 10:40:32 PM »
Daniele Procida wrote:
>
> You'll just have to trust me that for many of my clients it
> simply would be too much trouble to make it worth their while
> to use.

If your clients have no time to use the internet securely, they shouldn't be using it. Ask them how much time they'll have when someone hijacks their data. Seems that people always have time to fight fires, but not enough time to prevent them.

Implemented correctly, it should be invisible. I fail to see how invisible is "too much trouble".

Regards,
Mike

Daniele Procida

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #21 on: October 31, 2003, 07:24:09 PM »
In SME 6, you can't add a local network which is on the WAN side of the server - that's what the developers consider VPN to be for. Unfortunately, VPN won't be a practicable option for my purposes.

I've found a way round this. I don't doubt that this solution will be severely frowned upon (at best) by the developers of SME (who are after all engaged in trying to put out a secure product), because it defeats some of the security of the server. So, if you do do this, be warned that SME support staff (Michael Soulier) have explicitly said that it is not a "good thing".

Having said that, it *did* provide me with what I needed, which was to enable AppleShare access to the server from anywhere on the Internet without having to use VPN. It does this by making the server consider any Internet address to be on a Local Network. This is the terminal command:

/sbin/e-smith/config setprop local access public

I would prefer to have enabled access to Internet AppleShare clients by modifying the firewall template fragments, so that instead of this rather extreme way of opening things up I could have just enabled access on port 548. Unfortunately, despite much experimenting I was not successful, which is why I had to resort to this.

I hope the SME support people aren't too appalled at this crude bit of hackery.

Daniele
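The command above flips one property in the server's configuration database, and the thread itself does not settle what that property does (a later reply questions whether the `local` record is involved at all). What an administrator inheriting such a box wants is a quick way to see which records carry `access=public`. The following audit script is an added example, not code from the thread or from SME Server; it assumes the e-smith configuration DB convention of one record per line in the form `key=type|prop|value|prop|value...`, and the sample records, service names and port numbers in `SAMPLE_DB` are constructed for illustration rather than copied from a real server.

```python
"""Audit an e-smith-style configuration DB for WAN-exposed records.

Added example. The line format `key=type|prop|value|...` is assumed from the
e-smith configuration DB convention; the sample below is constructed.
"""
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, Dict[str, str]]  # (record type, {property: value})

# Constructed sample resembling configuration DB lines; not from a real host.
SAMPLE_DB = """\
# constructed sample records
httpd-e-smith=service|TCPPort|80|access|public|status|enabled
atalk=service|TCPPort|548|access|private|status|enabled
local=network|access|public
sshd=service|TCPPort|22|access|private|status|enabled
ftp=service|TCPPort|21|access|public|status|disabled
"""


def parse_db(text: str) -> Dict[str, Record]:
    """Parse `key=type|prop|value|...` lines into {key: (type, props)}."""
    db: Dict[str, Record] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition("=")
        fields = rest.split("|")
        rtype, pairs = fields[0], fields[1:]
        if len(pairs) % 2:
            raise ValueError(f"odd property list in record {key!r}")
        props = dict(zip(pairs[0::2], pairs[1::2]))
        db[key] = (rtype, props)
    return db


def wan_exposed_services(db: Dict[str, Record]) -> List[Tuple[str, Optional[int]]]:
    """Enabled service records whose access is public, with their TCP port.

    A disabled service with access=public is not listening, so it is skipped.
    """
    exposed: List[Tuple[str, Optional[int]]] = []
    for key, (rtype, props) in db.items():
        if rtype != "service":
            continue
        if props.get("status") != "enabled" or props.get("access") != "public":
            continue
        raw_port = props.get("TCPPort", "")
        port = int(raw_port) if raw_port.isdigit() else None
        exposed.append((key, port))
    return exposed


def public_non_service_records(db: Dict[str, Record]) -> List[str]:
    """Non-service records carrying access=public (e.g. the `local` record).

    Their effect is not established by the thread, so they are reported
    for review rather than asserted to open a port.
    """
    return [
        key for key, (rtype, props) in db.items()
        if rtype != "service" and props.get("access") == "public"
    ]


def report(db: Dict[str, Record]) -> List[str]:
    """Human-readable findings, one per line."""
    lines: List[str] = []
    for key, port in wan_exposed_services(db):
        lines.append(f"WAN-exposed service: {key} (TCP port {port})")
    for key in public_non_service_records(db):
        lines.append(f"Review: record {key!r} has access=public outside a service record")
    return lines


if __name__ == "__main__":
    for finding in report(parse_db(SAMPLE_DB)):
        print(finding)
```

On a real server the text would come from the configuration DB file rather than the embedded sample; the point of separating `wan_exposed_services` from `public_non_service_records` is that an enabled public service is a concrete listening port on the WAN side, while a stray `access=public` on some other record is something to investigate before assuming it is harmless.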

Michael Soulier

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #22 on: November 04, 2003, 05:41:49 AM »
Daniele Procida wrote:
>
> In SME 6, you can't add a local network which is on the WAN
> side of the server - that's what the developers consider VPN
> to be for. Unfortunately, VPN won't be a practicable option
> for my purposes.

I'll take your word for it, since I still don't understand how something transparent can be unacceptable to your clients.

> /sbin/e-smith/config setprop local access public

For the record, that instructs the server to treat all networks as local. In other words, it is completely open.

> I hope the SME support people aren't too appalled at this
> crude bit of hackery.

It's not hackery, it's a feature. However, it's one that I cannot advise you use on the internet. I suggest you reconsider.

Regards,
Mike

Daniele Procida

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #23 on: November 04, 2003, 01:19:50 PM »
> > In SME 6, you can't add a local network which is on the WAN
> > side of the server - that's what the developers consider VPN
> > to be for. Unfortunately, VPN won't be a practicable option
> > for my purposes.
>
> I'll take your word for it, since I still don't understand
> how something transparent can be unacceptable to your clients.

I don't know of any freeware, shareware, or moderately-priced VPN client software for earlier versions of the Mac OS. In fact I don't know of *any* VPN client software for versions prior to Mac OS 8. If the VPN clients simply don't exist, or if they're $100 each, it's not going to be viable.

Sometime in the future when everyone has moved to Mac OS X VPN might be an option for them, but it won't be for a few years. Even then, though, the thought of having to provide additional support for VPN (over and above the support for AppleShare over IP) is not one I find attractive.

I know you consider VPN to be a transparent solution. But what's transparent to someone who's experienced with the Internet and networking is not necessarily transparent to someone who has trouble with the very concept of a network. At the very least I will have to install and configure software on dozens of clients' computers.

> It's not hackery, it's a feature. However, it's one that I
> cannot advise you use on the internet. I suggest you
> reconsider.

I just meant that my way round the issue is a crude hack, precisely because of the way it opens things up.

As Michael says, this is a very far from ideal solution. But at least it's making it possible for me to test some of the things I'm trying to do. I'll just have to decide whether I can find a better way within the SME framework, or use something else (which I'd rather not do if I can help it, since I do like SME very much).

Daniele

Michael Soulier

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #24 on: November 04, 2003, 10:56:13 PM »
Michael Soulier wrote:
>
> > /sbin/e-smith/config setprop local access public
>
> For the record, that instructs the server to treat all
> networks as local. In other words, it is completely open.

Hmm. I think I was very tired when I posted that. That's not right at all.

In fact, the local record should have nothing to do with any of this, so if it's suddenly working, it must be something else that you did.

Mike

Michael Soulier

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #25 on: November 04, 2003, 10:58:18 PM »
Daniele Procida wrote:
>
> I don't know of any freeware, shareware, or moderately-priced
> VPN client software for earlier versions of the Mac OS. In

I was thinking of a box in front of the client. Some broadband routers now support IPSec.

> I know you consider VPN to be a transparent solution. But
> what's transparent to someone who's experienced with the
> Internet and networking is not necessarily transparent to
> someone who has trouble with the very concept of a network.
> At the very least I will have to install and configure
> software on dozens of clients' computers.

Not if an upstream box is doing the work. In any event, it's obviously your choice.

Mike

Nick Critten

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #26 on: November 11, 2003, 07:28:25 PM »
Hi Daniele,

Someone correct me if I'm wrong, but could this be achieved by having 2 SME servers... One with your data on it that you have now, but set it up in server-only mode.

Then have another SME server (Or indeed any other free Firewall solution such as the excellent smoothwall) as your gateway and port forward 548 to your server.

For security reasons you could even put your server on the DMZ of the gateway.

Would this do what you're looking for?

Nick

Dick Morrell

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #27 on: November 11, 2003, 07:53:08 PM »
That is the perfect solution. As the author of SmoothWall I would say that, wouldn't I, but... whether you run SW or IPCop or the more excellent MonoWall product (go look it up on the web, it rocks) you are far better off.

You should never really ever run your firewall box as anything other than a firewall. It's just asking for trouble as soon as you start running vulnerable services. For the price of a P100 box with 64 MB RAM that you can get out of a dumpster you can have peace of mind.

Just build one and port forward necessary ports as you see fit. At home I have a MonoWall server on a P200 with 64 MB port forwarding 80 to my DMZ and mail and https to my internal network to an SME 6.03 with ASSP and SpamAssassin mods on it.

Secure :)