VPN and File sharing

Discussion in 'Mac OS X Server, Xserve, and Networking' started by cavi, Aug 5, 2016.

  1. cavi macrumors regular

    cavi

    Joined:
    Sep 19, 2010
    Location:
    Haifa, Israel
    #1
    Hello everyone,

    I want to enable file sharing for users on my local network. In case someone wants to connect from his/her home (or any other location which is not the office, i.e. the office network), he/she must use VPN. The thing is that I didn't manage to understand how to set this configuration in the Server app... Shall I use the "private networks" or "this Mac" option under the "permission" pane? How do I define that only people who are in the office network can connect without VPN?

    Thanks!
    A.
     
  2. satcomer macrumors 603

    satcomer

    Joined:
    Feb 19, 2008
    Location:
    The Finger Lakes Region
    #2
    Depends! What version of OS X and/or Server are you using?
     
  3. cavi thread starter macrumors regular

    cavi

    Joined:
    Sep 19, 2010
    Location:
    Haifa, Israel
    #3
    Hi,
    Latest software (10.11 and 5+ [I don't remember the exact number])
     
  4. cavi thread starter macrumors regular

    cavi

    Joined:
    Sep 19, 2010
    Location:
    Haifa, Israel
    #5
    Hi!
    I know this video (I watched all the videos of Todd – highly recommended =]) and I even contacted him about this issue (and he kindly responded to my email, but I didn't understand it...).
    The thing is, if I turn on file sharing, the user doesn't need a VPN connection to see the files. I want that if the user is in a remote location, he will use VPN in order to see the shared files...
     
  5. satcomer macrumors 603

    satcomer

    Joined:
    Feb 19, 2008
    Location:
    The Finger Lakes Region
    #6
    Yes, he will VPN into a network from outside that network as long as you have a VPN server set up.
     
  6. cavi thread starter macrumors regular

    cavi

    Joined:
    Sep 19, 2010
    Location:
    Haifa, Israel
    #7
    OK, Thanks! I thought that I need to make some changes in order to "force" him/her to use VPN.
    THANKS! :)
     
  7. satcomer, Aug 9, 2016
    Last edited: Aug 11, 2016

    satcomer macrumors 603

    satcomer

    Joined:
    Feb 19, 2008
    Location:
    The Finger Lakes Region
    #8
    If he is using a Mac, the VPN client software is in System Preferences->Network, then the + button for a new VPN setup.
     
  8. cavi thread starter macrumors regular

    cavi

    Joined:
    Sep 19, 2010
    Location:
    Haifa, Israel
    #9
    And if he or she "forgets" to connect via VPN? If file sharing is on, they have access to the files (which are more exposed...)?
    Sorry for being "annoying", I'm in the middle of setting up my business, which contains sensitive data, and I want to make sure that everything is protected as much as it can be.
     
  9. DJLC macrumors 6502a

    DJLC

    Joined:
    Jul 17, 2005
    Location:
    Mooresville, NC
    #10
    VPN is a "tunnel" from a trusted user outside your network. Thus they can connect to file sharing services on the local network when the connection is active.

    If you're able to connect to the file shares outside when disconnected from VPN, check your firewall. Those ports should not be open to the outside.
     
  10. Altemose macrumors G3

    Altemose

    Joined:
    Mar 26, 2013
    Location:
    Elkton, Maryland
    #11
    No. The VPN is a way to allow a client access into the local network. While the person is halfway across the world, their machine connects in to the server and is just like a local client. Only at that point can they use File Sharing on the server.

    There are two primary protocols for File Sharing: SMB (Server Message Block) and AFP (Apple Filing Protocol). Most ISPs block SMB (ports 139 and 445), but allow AFP (port 548). Those ports should not be open unless you opened them on your router, thereby forcing the user to VPN in before having any File Sharing access.
     
  11. komatsu macrumors 6502

    Joined:
    Sep 19, 2010
  12. cavi thread starter macrumors regular

    cavi

    Joined:
    Sep 19, 2010
    Location:
    Haifa, Israel
  13. komatsu macrumors 6502

    Joined:
    Sep 19, 2010
    #14
    You're welcome.

    Did you find a suitable solution?
     
  14. kiwipeso1 Suspended

    kiwipeso1

    Joined:
    Sep 17, 2001
    Location:
    Wellington, New Zealand
    #15
    VPN is basically a private broadband connection that is like a "dialup" direct to your server.
    Your local network people direct connect by AFP or SMB as usual, by connect to server K. (They don't need VPN)
    The only thing you need to do to set up VPN is have a password and address to share with users.
    Then all they do is add the office VPN to their network preferences, and set it to run from the menubar (connect).

    It should only take a couple of minutes on each Mac to set up & maybe five minutes on the server to pick a good password.
     
  15. cavi thread starter macrumors regular

    cavi

    Joined:
    Sep 19, 2010
    Location:
    Haifa, Israel
    #16
    I spoke with an advisor who told me that as long as I use SMB with an encrypted connection I don't really need a VPN (for remote users also)... That is true also for other services like mail and calendar — as long as I use SSL for the service.
     
  16. Altemose macrumors G3

    Altemose

    Joined:
    Mar 26, 2013
    Location:
    Elkton, Maryland
    #17
    SMB is one of the most compromised ports and as a result most ISPs block SMB traffic altogether requiring the use of VPN to get File Sharing running.
     
  17. cavi thread starter macrumors regular

    cavi

    Joined:
    Sep 19, 2010
    Location:
    Haifa, Israel
    #18
    Even if encrypted? :eek:
     
  18. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #19
    Back in the early days of Windows XP, it was possible for the computer to be compromised via these ports even before the user had a chance to install patches that might block it. Consequently, most ISPs blocked these ports back then.
     
  19. kiwipeso1 Suspended

    kiwipeso1

    Joined:
    Sep 17, 2001
    Location:
    Wellington, New Zealand
    #20
    Your advisor knows nothing about basic cryptography, or networking.
    You need a VPN to keep your secrets safe, as SSL is not as reliable for connections.
     
  20. Altemose macrumors G3

    Altemose

    Joined:
    Mar 26, 2013
    Location:
    Elkton, Maryland
    #21
    Yes. SMB is a protocol that is commonly compromised. You NEED VPN instead of trying to work around it if you care about the security of your data.
     
  21. cavi thread starter macrumors regular

    cavi

    Joined:
    Sep 19, 2010
    Location:
    Haifa, Israel
    #22
    OK, so how do I enforce the use of VPN on users?
    Let's say that I have a user whom I allow several services, including file sharing. Now, this user also has a MacBook which he uses at his home (or iPad, iPhone etc.). When this user enters his username and password he can see all the files and he does not need to use VPN. So, how do I create a rule which allows users to see the office files only if they use VPN?

    Thanks a lot!
     
  22. Altemose macrumors G3

    Altemose

    Joined:
    Mar 26, 2013
    Location:
    Elkton, Maryland
    #23
    Easy... Make sure that the AFP and SMB ports are not open on the router. If you created a port forward allowing port 548 to be open, then the Mac can connect without VPN.
     
  23. cavi thread starter macrumors regular

    cavi

    Joined:
    Sep 19, 2010
    Location:
    Haifa, Israel
  24. LC Phil macrumors newbie

    Joined:
    Apr 7, 2016
    Location:
    Vienna
    #25
    Hi Cavi,

    I just read this thread and I'm not too sure this is the best road for you to go down, especially as your technical knowledge may not be sufficient for setting up and troubleshooting a VPN. Plus, you mentioned sensitive data.

    • What is your current upload speed (not download) for the Server?
    • What firewall or router do you have, could it handle the VPN connection instead?
    • Do you have a static IP address with your ISP?
    • If so, is that mapped to a sub-domain for ease of use?
    • How are the files stored? Are they on a drive that mirrors your data in case of a single drive failure, or just a typical external HDD?

    At the end of the day anyone can set up a VPN. But is it actually going to work for your business? It may not. Perhaps have a look at other file sharing solutions such as Dropbox for Business, as there is more to consider than just access to the data.

    If cost is an issue make sure your data isn't just stored on an external drive but that it's a proper storage solution that allows for the mirroring of drives for when a drive fails.

    If you must set up a VPN, then I'd recommend opening the ports for 1701, 4500, 500 for L2TP VPN, then the ports for Calendar and Contact DAV if you are using that too. I wouldn't open the ports for AFP and SMB, it will be inviting trouble. Ensure your firewall will not respond to pings.

    Good luck!

    Regards,

    Phil
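
Added example (not part of any post in this thread): a small check the server owner can run from outside the office with the VPN disconnected, to confirm that the file-sharing ports named above (139, 445, 548) do not answer on the office's public address. The function names and the injectable `probe` parameter are assumptions made for this sketch; the L2TP ports are UDP and are not tested by it.

```python
import socket
import sys

# TCP ports named in the thread: file sharing must NOT answer from outside.
FILE_SHARING_TCP = {139: "SMB (NetBIOS session)", 445: "SMB", 548: "AFP"}


def tcp_connects(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_exposure(host, probe=tcp_connects, ports=FILE_SHARING_TCP):
    """Probe each file-sharing port; return {port: (service, reachable)}."""
    return {port: (name, probe(host, port)) for port, name in sorted(ports.items())}


def exposed_ports(results):
    """Ports that answered, i.e. file sharing reachable without the VPN."""
    return [port for port, (_, reachable) in results.items() if reachable]


def report(host, results):
    """Build a human-readable summary ending in a PASS or FAIL verdict."""
    lines = []
    for port, (name, reachable) in results.items():
        state = "OPEN, reachable without VPN" if reachable else "closed/filtered"
        lines.append(f"{host} tcp/{port:<4} {name:<22} {state}")
    bad = exposed_ports(results)
    if bad:
        lines.append("FAIL: remove the port forward for " + ", ".join(map(str, bad)))
    else:
        lines.append("PASS: file sharing is only reachable through the VPN")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_exposure.py <your-office-public-address>")
    results = audit_exposure(sys.argv[1])
    print(report(sys.argv[1], results))
    sys.exit(1 if exposed_ports(results) else 0)
```

Running the same script again with the VPN connected, against the server's internal address, should show the ports open; that pair of results is what "VPN required" looks like from the client side.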
     
