Something I learned today

Whenever I talk to DW, even for half a minute, I learn a ton. Today,it was about opening ports in one’s firewall, in the NAT (network
address translation) settings. Kind of esoteric stuff, and doesn’t
apply to most of our clients, but here it is, third-hand from one of
Apple’s Open Directory gurus:

It is important – at least in an environment with a large number of
users, say hundreds – for an Open Directory master not to have ports
forwarded directly to it from the Internet. That means, you don’t want
to open, say SSH, or VNC, or FTP, directly from the Internet to your
server. Ports for VPN are apparently an exception, because the server
would see a VPN client as being on the local network anyway. The OD
master doesn’t want to think of itself as being directly on the
Internet. I wonder if this is because of its heavy reliance on DNS.

We don’t service any installations that large, but I saw this as a
coincidence, since I’ve always been very very reluctant to open any
port-forwarded security holes in our clients’ networks, much less
directly to one of their servers. DW has a nice alternative, using a
separate Mac as a Remote Desktop “kiosk” that has ARD permanently
open, and you just forward a port or two to that machine, putting a
couple layers of security between your data and the outside world.

Posted via email from J2 Tech Blog

Author: jjmarcus

Apple Specialist, Mac Whisperer, Cloud Wrangler - Your Remote CTO

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: