[Update 01/31/18: macOS Server Will Lose Many Services this Spring: Here Are Alternatives]
[Update] Find the entire macOS Server series here!
This is the second in a series of Rocket Yard articles in which we take you through the setup of macOS Server. macOS Server is an app that runs on macOS Sierra, providing services such as mail, web hosting, calendar hosting, and more to users in a workgroup.
In Part 1 of this series, we discussed what macOS Server is, how a Mac mini makes a very workable “headless server”, and how to purchase and install macOS Server. This week, we’re going to set up our server for a small business called “Astounding Photos”.
Most companies want their servers to be accessible from outside of the confines of an office. This gives employees the ability to work securely with the network through a virtual private network (VPN) and send/receive email, lets customers visit a website hosted on the server, and more.
As mentioned in Part 1 of this series, Apple provides an excellent set of built-in tutorials for macOS Server that are accessible from the Help menu of the server app. In the next few episodes, I’ll be following the lessons outlined under “Set up for small business” in the tutorials. (Related: Get the best performance from your Mac mini server with MacSales.com.)
Getting an Internet Identity
The first step in making our server available to customers and employees is to set up an identity that will be accessible from anywhere on the Internet. The tutorial points out the things that we must do to set up our identity:
1) Get a static IP address
2) Give your server a host name
3) Get a domain name
4) Set up DNS and reverse-DNS resolution
5) Get a signed SSL certificate
6) Get a company Apple ID
Getting a static IP address
There are two ways to get an unchanging IP address that’s associated with your location. First, and probably the easiest, is to work with your internet service provider (ISP) to have a static IP address assigned to you. Note that for home internet service users, many ISPs do not allow static IP addresses; you may need to switch to a business account or use a dynamic DNS (Domain Name System) service.
Home internet services use DHCP (Dynamic Host Configuration Protocol) to assign an IP address from a group owned by the ISP to your cable or DSL modem. Since the address can change each time the cable or DSL modem is rebooted, the IP address is not static.
A dynamic DNS service watches the IP address that is assigned to a home internet service and if it changes, it reroutes requests to the new IP address automatically.
One of the most well-known providers of dynamic DNS service is Dyn.com. Their least expensive dynamic DNS service runs $40 per year, but that cost allows you to run up to 30 hosts — a bit of overkill if you’re setting up one host name. There are also free dynamic DNS services like No-ip.com that are perfect for just one host name, but they require verification once a month via email or have other quirks.
If you do have a static IP address but don’t know what it is, you can visit whatsmyip.org or look at the home screen for macOS Server and look at “Internet”. It will show that your server is available at a specific IP address. For security reasons, I’ve blanked out part of the IP address for my server in the image below:
Give your server a host name
A host name is the name that your server has on the local network. When your server is accessed over the internet, it will need to have a fully-qualified domain name that includes the host name (say “server”) and the complete domain name (astoundingphotos.com in this example).
The host name is required even if you aren’t accessing the server over the internet in order for the server to be uniquely identified on your local network.
Make sure you’re happy with the host name, as it can be difficult to change later on.
Get a domain name
Domain names are the “written addresses” where a server resides (uniquename.tld, where tld is a “top-level domain” such as .com, .org, .info, etc… DNS is used to translate a written address — astoundingphotos.com — into a numeric address (your static IP address) when someone tries to access your server.
Domain names aren’t purchased; you’re actually leasing them from a domain registry for a period of time. It’s drop-dead easy to register a domain name so the process won’t be covered here. Some domain registrars you may want to consider are GoDaddy.com and Dreamhost.com. The annual cost of your domain name will depend a lot on the top-level domain used.
Whatever domain registrar you select, make sure that you familiarize yourself with their DNS tools as at one point you’ll need to let them know the static IP at which your server resides.
Set up DNS and reverse-DNS resolution
It’s now time to set up DNS and reverse-DNS resolution. As noted before, this is the link between the domain name you’ve leased and the static IP address of your server.
The domain registrar will almost always set up an SOA (Start of Authority) record for you, which is part of your DNS Zone file. This usually points to the DNS servers operated by the domain registrar. You can use the nslookup command in Terminal on your Mac to see the link between your domain name and the DNS host (see image below):
Note that the IP address listed here isn’t the static IP address of my server; since I’m doing an nslookup from my local network, it’s showing the local IP address of my router. To make sure that my domain name is properly pointed to the static IP address, I needed to perform the nslookup over a cellular connection on my iPhone using a free app called (oddly enough) nslookup.
The next two records you’ll need to set up are an “A” record linking your fully qualified domain name — in this example it will be astoundingphotos.com — to the static IP address and the reverse DNS entry. In Dreamhost’s domain management tools, the A record is set up as follows (see image below, IP address obscured for security reasons):
Since I’m thinking about hosting mail, calendars, contacts, messages, a web server, a VPN, and a Wiki on this server — all for access inside and outside of my local network — I also added A records for:
These are subdomains of astoundingphotos.com. I may not need these subdomains, as each service uses specific TCP or UDP ports to address the server, but I have set them up anyway…just in case.
Finally, let’s add the reverse DNS entry. This can be done by adding a pointer record (AKA “PTR”) for your site. Apple demonstrates reverse DNS entries by showing that you’d have entries that would not only link your domain name to a numeric IP address (i.e., astoundingphotos.com = 126.96.36.199) but also linking your numeric IP address to the domain name (188.8.131.52 = astoundingphotos.com).
Update from an earlier version of this post: the owner of the IP address — most likely your ISP — will need to set up the reverse DNS entry. Previously we had noted that it would be the domain registrar that would perform this task; that was incorrect.
Get a signed SSL certificate
One of the most important things you can do when setting up your server is to ensure the security of your users and data. One of the best ways to do this is to get a signed SSL certificate from a Certificate Authority (CA).
A Certificate Authority is a trusted third party that verifies the identity of an SSL certificate. They do this by making sure that you are who you say you are, and then charging you to digitally sign the cryptographic keys that are used to encrypt communications to and from your server.
Having the signed SSL certificate installed on your macOS Server means that any users accessing that server for email, web services, and so on can rest easy knowing that their data is encrypted en route.
There are a couple of ways you can get a signed SSL certificate. First, you can act as your own Certificate Authority and digitally sign your own keys as long as you have control over all of the machines that will access your website. That’s unlikely, so we won’t cover that eventuality.
The next way is to use a popular and trusted CA. Several of these are Comodo, Geotrust, and Digicert. Most of these services provide a free 90-day trial if you’re just setting things up to learn about servers and SSL, but you’ll find that certificates can be a bit expensive.
If you’re a business, you most likely want to get what’s called an “Extended Validation SSL” certificate. When someone visits your website, they can tell just how secure the site is immediately — in both Safari and Chrome, the address shows a “lock” icon and the site owner information appears in green in the address bar.
The time to get an SSL validated depends on just how much validation you wish to get. If you just want domain validation (i.e., your site or server is owned by XYZ), that can be done by sending domain ownership information via email in five minutes or so. The requirements for business and extended validation are more stringent, where business documents showing your company’s location and ownership need to be sent to the CA.
You can also get a free domain validated SSL certificate from Let’s Encrypt. This is a free, automated, and open CA that is run for the public’s benefit by the Internet Security Research Group. Some major domain registries can provide you with a Let’s Encrypt certificate through their domain management tools; that’s how I grabbed a Let’s Encrypt SSL certificate for this example.
What does your SSL certificate look like? In many cases, you’ll received four sets of alphanumeric keys. One is called a CSR or Certificate Signing Request, the next is the Certificate itself, the third is the Private Key, and the final is an Intermediate Certificate (see image at right for an example).
You’ll need to have these keys close by and be able to copy and paste them into the appropriate space in your macOS Server configuration. We’ll cover how to install the certificate in a future article in this series.
Get a company Apple ID
This is the final step in building your internet identity. The Apple ID is used to enable push notification for services, and a personal Apple ID isn’t recommended. You can use a personal Apple ID if you’re an individual setting up a personal server; for businesses, it’s highly recommended to get a company Apple ID since an individual might leave the business or delete their personal Apple ID.
To create an Apple ID, go to this web page. You’ll need to have an email address that is not associated with any personal Apple ID. Of course, since we haven’t yet set up our mail server, you can’t use an email address on your server…yet.
The Next Step
So, we have a running server…but we’re nowhere close to actually being able to access or use any of the services running on it. In the next article, we’ll set up the local infrastructure — configuring our local router to pass requests to various services on our server, turning on Open Directory to begin adding users to our server, and providing and checking service access over the Internet.
Stay tuned for the upcoming Part 3 of the macOS server series, with Part 4 appearing in March. I want to make sure that our readers are able to set up their own macOS Servers successfully, so it will take a bit of time and effort for testing.