> I'm having a similar problem to David M's post yesterday ("Secure
> AFP"). I've done a bit of troubleshooting on my own and spoke with
> Apple on it, but still no go. I'm pretty sure it's a DNS issue at
> this point, but I'm not able to resolve it (so to speak ;-).
>
> The deal:
> New Xserve with 10.4.2 Server in corporate DMZ NATed behind a PIX.

That's not really a DMZ then. That's just a separate network, but
being NATed isn't public, or private. So it's not really a DMZ as it
has exposure to neither. But I digress...

> Secure AFP (AFP over SSH) works from the inside.
> SSH works from the outside.
> AFP works from the outside.
> Secure AFP doesn't work from the outside.
>
> The connection apparently times out at "Authenticating to [server]
> as [user]". Actually, it errors with "incorrect password" after a
> while, but I'm pretty sure this is a catchall response. In fact, I
> can see that 2 new sshd processes are established on the server (one
> for root and one for the user logging in), but the client doesn't
> connect to them.
>
> I did my share of packet sniffing to figure out an initial DNS issue
> (a matching FQDN). But can't quite make out the encrypted packets
> that follow ;-) I also turned on verbose logging for SSH on the
> server and client, but found that the logging prevents a
> connection early on, so it's tough to get more data on what's really
> happening.
>
> I wasn't able to confirm with the tech I spoke with that anyone was
> using secure AFP from a DMZ, but was told it should work.
>
> So, is anyone having success doing this? If so, any pointers? If
> not, time to file a bug?

There's probably no bug, the problem is most likely with your PIX,
though this is common with NAT'ed network devices in general (in your
case your "DMZ".) If you take the PIX out of the picture, place your
Xserve (on a switch) behind your router but before your PIX, and give
it a public IP (like a real DMZ) it should work just fine.
Knowing the network geometry, routing and address spaces would be
most helpful if you expect a better response.
--
-dhan
------------------------------------------------------------------------
Dan Shoop AIM: iWiring
Systems & Networks Architect http://www.iwiring.net/
email@hidden http://www.ustsvs.com/
iWiring provides systems and networks support for Mac OS X, unix, and
Open Source application technologies at affordable rates.