Chapter 26: Configuring Internet services




The SCO Internet Manager is used to configure the internet components on an SCO OpenServer Enterprise System or Desktop System. Use the SCO Internet Manager to manage World Wide Web access, e-mail forwarding, remote file transfer access, routing to and from the Internet, point-to-point connections with other systems, and network security (including data packet filtering, and local or remote administrative access).

To properly configure your system, read the instructions on:


NOTE: When you install SCO OpenServer, you are given a choice of MMDF or SendMail as your Mail Transport Agent (MTA). To use the Internet Manager to configure electronic mail, you must choose SendMail. SendMail gives you full access to multihoming and other advanced mail features not available from MMDF.

If you installed MMDF, but now want to use SendMail, use the Software Manager to remove the MMDF package, then add the sendmail package.



Starting the Internet Manager


NOTE: You must be running an X session to configure Internet services.

To start the Internet Manager on the local system: 

  1. As root, do one of the following:

  2. In the ``User ID'' field, enter admin. In the ``Password'' field, enter the Internet Manager password.

    This is set to the first eight characters of the root password by default. To change the Internet admin password, click on the Security button on the Internet Services page, then choose Set Internet Manager Password (or log in as root and enter /etc/internetpw).


    NOTE: If you defer setting the root password during the initial installation procedure, the admin user's password is set to <Enter>.

To start the Internet Manager from a remote system: 


  1. With a Web browser that supports tables (such as Netscape Navigator), open this URL:

    http://system-name:615/mana/mana/menu.mana

    For system-name, substitute the fully-qualified name of the system that you want to configure.


    NOTE: Only systems which have been specifically permitted remote access can use the Internet Manager remotely.

    To permit remote access by a system, select SYSTEM-WIDE on the Internet Services page of the SCO Internet Manager, click on the Security button, then click on the Control Access From Remote Sites button. (Or add the remote system's IP address to the /usr/internet/admin/access/site file on the local system.)


  2. In the ``User ID'' field, enter admin. In the ``Password'' field, enter the Internet Manager password.

Configuring network connections

Configuring network connections involves:

Accessing the network

When you start the Internet Manager for the first time, it prompts for which interface connects your system to the Internet. The Internet Manager lists all network cards that you have configured and offers you the option of creating a PPP connection. If you are planning to use a network card to connect to the Internet or your LAN, select that card from the list. If you are using a modem to connect your system to the Internet, choose to add a PPP connection.

In addition to selecting an interface, you are given the option of whether the system should test your connection. It will do this by attempting to contact a known system on the Internet. If you do not want the system to perform this test (if, for example, you are configuring your system for use on a LAN that has no Internet connection), deselect the Test Internet connection checkbox.

Once you click OK, the system tests your connection (unless you have chosen not to do so) and configures several system services, such as the Domain Name System (DNS). If the test was successful, your system is on the Internet, and you are ready to configure specific system services, as described in ``Configuring Internet services''. If the test is unsuccessful, you can choose to Reconfigure the settings. If the system timed out before the connection/dial completed, click on Try Again.

Configuring network cards

The Internet Manager does not support the installation or configuration of network cards directly. If you install a new network card or need to reconfigure it (for example, to change its IP address), you need to run the Network Configuration Manager. For more information about installing and configuring network cards, see Chapter 1, ``Configuring network connections'' in Configuring Network Connections and netconfig(ADM).

Using a modem to connect to the Internet

If you plan to use a modem to connect to the Internet, you must configure an outbound PPP connection. To do this, you should have a PPP account with an Internet Service Provider (ISP). Your ISP will provide you with a telephone number to dial as well as other important information necessary to configure your link.


NOTE: The Internet Manager is designed to configure SCO PPP from Morning Star Technologies, which you must install separately after installing SCO OpenServer. See the discussion of Internet Services components in the installation procedure.

At a minimum, you need the following information to create a PPP connection:

In addition, you must verify that the netmask of 255.255.255.0 is correct.

If your ISP does not provide you with these IP addresses, then the addresses are assigned to you dynamically each time you dial in, and you do not need to know them. However, you must enter the IP addresses when you create the link (the addresses you enter will be replaced with the correct ones when you dial in). If your ISP does not provide you with initial addresses to use, use 127.0.0.2 for the local site and 127.0.0.3 for the remote site.

You might also need to know the following additional security information:

Again, your ISP will give you this information if it is required to create the connection. In many cases, it is not required.




Creating an outbound PPP connection

Once you have the information described in ``Using a modem to connect to the Internet'', you are ready to create a PPP connection. The information required is the same whether you are connecting to an ISP or if you simply want to dial in to another system.

The Internet Manager page for configuring an outbound PPP connection contains three sections.

Creating a new PPP dial-out connection

If your ISP or network administrator has given you IP addresses for your system and/or the remote system, enter them here; otherwise, choose default addresses and select Dynamic to indicate that IP addresses are to be reassigned dynamically. You must also enter your login name and password. If you are using a modem to make the connection, enter the remote phone number.

Modem and connection type

If you are using a modem to make the connection, select the modem type from the list provided. If your modem does not appear in the list, try one of the generic settings.

You also need to specify whether the line should stay up all the time, or if it should only come up automatically when packets need to be routed across the link. Do this by setting how many seconds the connection needs to be idle before it times out and hangs up. If you are using a part-time connection, the correct timeout value depends on the cost of your phone connection; for many situations, a value of 120 is reasonable. Entering a value of zero (the default) causes the line to stay up continuously. You can also instruct the system to dial the connection every time the system boots.

Optional information

You might also want to specify certain optional parameters. If your ISP or network administrator gives you PAP/CHAP authentication information, enter it here. Finally, you must verify the netmask, which is necessary for the system to properly route packets. A default value of 255.255.255.0 is appropriate for a class C network and is commonly used; you should change it only if your ISP or network administrator instructs you to do so. 

Configuring an inbound PPP Connection

The Internet Manager does not support the creation of a dial-in Morning Star PPP server unless you have an active Ethernet connection. Without Ethernet, the only choice in the Internet Manager for a first connection is dial-out.

In most cases, a LAN connection is desirable for Morning Star PPP servers. If you require a LAN connection for your server, enable it using the Network Configuration Manager before configuring PPP with the Internet Manager. For more information, see Chapter 28, ``Configuring network connections''.

If you do not need LAN access for your Morning Star PPP server, you can work around the Ethernet requirement by creating a non-functional Ethernet configuration file. To do so, enter:

touch /usr/internet/admin/.initdone

Then, restart the ncsa_httpd daemon:

/etc/rc2.d/S91mana http stop
/etc/rc2.d/S91mana http start

Finally, configure dial-in Morning Star PPP connections with the Internet Manager. The .initdone file will be overwritten if you add LAN connections later.

Configuring an inbound PPP connection is similar to creating an outbound connection. You must set the account name and password for each PPP connection, typically one per user. The user account is created for you, using system account defaults (except for the shell, which is specifically for PPP users). You also must specify the IP address used on your system's side of the connection. You can specify that a fixed IP address be used by the remote system each time it connects. If you select the Dynamic checkbox, the system uses the IP address given to it by the remote side of the connection during link negotiation. You must specify a default IP address even if you select the Dynamic checkbox.

Creating an inbound PPP connection

Enter the number of seconds you want to allow the link to be idle before the system drops the connection. If you enter zero, the system will not drop the connection because it is idle; if you want a part-time connection, enter the timeout period (120 seconds is a reasonable value).

If you require that the remote system authenticate itself using PAP/CHAP, enter the PAP/CHAP name and secret. Finally, enter the appropriate netmask to use for this link; a value of 255.255.255.0 is appropriate for class C networks and is commonly used. If your network uses a different netmask, enter it here.

Once you click on OK, the PPP link is ready to use, and a remote system should be able to connect almost immediately. 

Troubleshooting your PPP connection

Even though the configuration of a PPP connection appears to be simple, problems often arise. These are most often the result of making the wrong modem selection for the modem you are using, or of the two sides of the connection not agreeing on all the necessary parameters.

Determine that the configurations for both sides of the connection are consistent. For example, they must agree on the account name and password, and the netmask for the connection must agree. Check your IP addresses to make sure they are consistent. If this is an incoming connection, be sure that the IP address for a system is not specified as dynamic on both sides of the connection, as neither system will then tell the other which IP address to use.

It is often useful to watch what the PPP daemon is doing on your system when it attempts to make the connection:

  1. If you are configuring an outgoing connection, edit the /usr/lib/mstppp/Autostart file. If you are configuring an incoming connection, edit the /usr/lib/mstppp/Accounts file.

  2. Look for the entry corresponding to the connection you are trying to debug. Incoming entries can be identified by account name. Outgoing connections can be identified by the IP addresses of the local and remote systems (dynamic IP addresses are specified by a ``~'' character).

  3. Add debug # to the end of the line, where # is a number between 1 and 11 (higher numbers produce more debug information). debug 5 is a recommended starting point.

  4. Save and close the file. If you are debugging an outgoing link, you must kill and restart the PPP daemon:

  5. Enter these commands at the UNIX prompt:

    touch /usr/adm/pppd.log
    tail -f /usr/adm/pppd.log

  6. Attempt to bring up the connection. To bring up an outgoing connection, use ping(ADMN) to contact the remote system's IP address. To bring up an incoming connection, have the remote system dial in.

  7. Watch the output of the tail command for debug information.

Particular things to watch for are account names and passwords that are incorrect. Also, if one end of the connection is expecting a string to be sent by the other (for example, login:) and the other side sends something else (for example, username:), this is a problem. If you have such a problem, you can use the Internet Manager to modify the chat script by clicking on the Net button on the Internet Services page, then clicking on the PPP Connections button. If more than one dial-out connection is configured, select the dial-out PPP connection you are debugging, then click on the Advanced button. The login chat script can be modified from that page. Alternatively, you can modify the /usr/lib/mstppp/Systems file, where the chat script is stored. The format of each of the configuration files is described in the corresponding man page: ppp.Accounts(MST_PPP), ppp.Auth(MST_PPP), ppp.Devices(MST_PPP), ppp.Dialers(MST_PPP), or ppp.Systems(MST_PPP). If you have a complicated chat script, the Internet Manager might not be able to configure the connection after the chat script is modified.

Configuring Internet services

Once you have successfully connected to the Internet, the Internet Manager displays its main menu, the Internet Services page.

Internet Manager main menu


When you reach the Internet Services page, important Internet services have already been configured for you:

Caching Domain Name Service
DNS enables your system to act as a name server for your local network, minimizing delay and network traffic.

World Wide Web
The Netscape FastTrack Server serves a default home page on the Web.

E-mail
Your system can send and receive e-mail, and any users on your system have POP accounts automatically set up for them. 

File transfer
The system allows password-protected FTP access for users on the system.

These services can be configured by clicking on the appropriate icon:

Web
Configure Netscape FastTrack Server, as well as Netscape Proxy Server if it is installed. See ``Web''.

Mail
Specify e-mail forwarding, the domain used in addresses, and the postmaster and hostmaster. See ``Mail''.

FTP
Enable and disable file transfer using the FTP protocol. See ``FTP''.

Net
Configure network routing and PPP connections. See ``Net''.

Security
Set the Internet Manager password and specify which systems can use it remotely. If the optional SCO Internet Security Package is installed, control all network traffic flowing in and out of the system. See ``Security''.

The configuration of each of these subsystems has been simplified to make it easy to configure the system for common uses. When configuring any of these subsystems, you can click on the More Help button and the Internet Manager will display more information about how to configure it.



Web

When you click on the Web button, the Internet Manager displays a list of Web servers you have installed.

Clicking on a server enables you to configure it using the Netscape administration utility for that server. This utility prompts you for a user name and password, which are initially set to be the same as that for the Internet Manager (the user name is always admin and the password is initially set to the first eight characters of the root password set during the initial system load).


NOTE: If you change the password for the Internet Manager, the passwords for the Netscape administration utilities are not changed. To change the passwords for the Netscape administration utilities, you must change them from within those utilities.

The Netscape administration utilities enable you to change many attributes of your servers' behavior. Some attributes, however, should not be changed, or the Internet Manager might not work properly. Specifically, these attributes are:




Netscape Web server installation defaults

The installation of the SCO OpenServer Netscape Web servers uses the following default values. You can alter these values once you complete the installation.


Server name
The string returned by hostname.
Do not change unless you change the system name (or are configuring multiple servers).

Server IP address
The first (non-loopback) address returned by netstat -in, or 127.0.0.1 if TCP/IP is not configured.
Do not change unless you change the system's IP address.

Server port
Netscape FastTrack Server listens on port 80 and is administered on port 620.

Netscape Proxy Server listens on port 8080 and is administered on port 446.

Server home


Netscape FastTrack Server:
/usr/internet/ns_httpd

Netscape Proxy Server:
/usr/internet/ns_proxy

Server document root


Netscape FastTrack Server:
/usr/internet/ns_httpd/docs

Server processes
Number of server processes:
 Minimum        2
 Maximum   32 (25 for Netscape Proxy Server)

Home page


Netscape FastTrack Server:
/usr/internet/ns_httpd/docs/index.html

Index files
index.html or home.html recorded in the server's root (rather than syslog).

administration username
Set to admin.

administration password
Set to the root user's password at installation of server product.

The Netscape Proxy Server is set to the following additional defaults: 



Starting and restarting Netscape servers

Once installed, the Netscape FastTrack and Netscape Proxy Servers start automatically on reboot.


NOTE: If you have configured a secure server, starting the server requires a password, and therefore must be done manually.

If you have configured virtual domains, see ``Configuring interfaces''.


To stop and restart the Netscape servers, use the following commands as root:

Netscape FastTrack Server


/usr/internet/ns_httpd/httpd-80/stop and
/usr/internet/ns_httpd/httpd-80/start

If a secure server is configured:

/usr/internet/ns_https/https-443/stop and
/usr/internet/ns_https/https-443/start

Netscape Proxy Server


/usr/internet/ns_proxy/proxy-8080/stop and
/usr/internet/ns_proxy/proxy-8080/start

For more information, see the Netscape FastTrack Server documentation (but note that the server files are installed in /usr/internet/ns-httpd on SCO OpenServer). 

Deferring or reconfiguring network configuration

During SCO OpenServer installation, Netscape servers are configured with settings for Server Name, Hosts, and Addresses by default. If you defer TCP/IP configuration during initial system installation or you reconfigure TCP/IP, any Netscape servers installed on your system might be improperly configured.

To configure your Netscape server after deferring or reconfiguring networking configuration, edit the following files:

Netscape FastTrack Server:

Netscape Proxy Server:
In /usr/internet/ns_proxy/proxy-8080/config/magnus.conf set ``ServerName'' to the string returned by hostname. Then copy this file to /usr/internet/ns_proxy/admserv/proxy-8080/magnus.conf. The timestamp on the former file must be the same or earlier than that on the latter.
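The Proxy Server step above, scripted as an added example (not SCO or Netscape code): it rewrites ``ServerName'', refreshes the administration server's copy, and checks the timestamp ordering the text requires. The function names are hypothetical, and the `ServerName <value>` line layout is an assumption; file paths are passed as arguments so the procedure can be rehearsed on copies.

```sh
#!/bin/sh
# Added example, not SCO or Netscape code. Assumption: magnus.conf carries the
# setting as a line of the form "ServerName <value>".

# copy_is_current CONF ADMIN_COPY
# Succeeds when CONF is not newer than ADMIN_COPY (the ordering the text requires).
copy_is_current() {
    [ -f "$1" ] && [ -f "$2" ] || return 2
    [ -z "$(find "$1" -newer "$2")" ]
}

# sync_server_name CONF ADMIN_COPY [NAME]
# Sets ServerName in CONF (default: output of hostname), keeps CONF.orig as a
# backup, copies CONF over ADMIN_COPY, then verifies the timestamp ordering.
sync_server_name() {
    conf=$1
    admin_copy=$2
    name=${3:-$(hostname)}
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    case $name in
        ''|*[!A-Za-z0-9.-]*) echo "refusing server name: $name" >&2; return 2 ;;
    esac
    tmp=$conf.tmp.$$
    # Replace the first ServerName line, drop duplicates, append if absent.
    awk -v name="$name" '
        $1 == "ServerName" { if (!seen) print "ServerName " name; seen = 1; next }
        { print }
        END { if (!seen) print "ServerName " name }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    cp -p "$conf" "$conf.orig" || { rm -f "$tmp"; return 1; }
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$conf" && rm -f "$tmp" || return 1
    # Copying after the edit gives the admin copy the same or a later timestamp.
    cp "$conf" "$admin_copy" || return 1
    copy_is_current "$conf" "$admin_copy"
}

# Stand-alone use: sh script.sh CONF ADMIN_COPY [NAME]
if [ $# -ge 2 ]; then
    sync_server_name "$@"
fi
```

Running `copy_is_current` later with the same two paths shows whether the server's file has been edited since the administration copy was last refreshed.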



Manually configuring Netscape servers




NOTE: Configuring new servers directly with the FastTrack Administration Server might cause them not to be seen by the Internet Manager.

To configure Netscape servers manually without using the Internet Manager:

  1. Start the appropriate administration server by entering one of these commands as root:

    Netscape FastTrack Server
    /usr/internet/ns_httpd/start-admin

    Netscape Proxy Server
    /usr/internet/ns_proxy/start-admin

  2. Access the administration server by opening one of these URLs, on the server being configured, with any forms-capable Web browser:

    Netscape FastTrack Server
    http://localhost:620/

    Netscape Proxy Server
    http://localhost:446/

  3. Log into the administration server as user admin.

    At installation, the admin password was set to the first eight characters of the root password.

  4. Select the server to administer.

  5. When you are finished, stop the administration server by entering:

    Netscape FastTrack Server
    /usr/internet/ns_httpd/stop-admin

    Netscape Proxy Server
    /usr/internet/ns_proxy/stop-admin


Improving Internet server performance

You can improve the performance of your Netscape FastTrack Internet server by increasing the values of:

These variables are tuned with the Hardware/Kernel Manager or the configure(ADM) command; see the Performance Guide for more information.

NSTRPAGES is particularly important if failures are reported by the netstat -m command. Increasing NSTRPAGES until the failures no longer occur is usually appropriate; see ``Tuning STREAMS usage'' in the ``Tuning networking resources'' chapter of the Performance Guide. Remember that increasing NSTRPAGES also affects memory usage.

If you are running a multi-processor system, it might also be helpful to increase the value of the str_pool_size variable by editing the /etc/conf/pack.d/str/space.c file. Make a back-up copy of this file before making any changes. You must relink the kernel before modifications to space.c files take effect. Tuning this variable does not appreciably affect performance on single-processor systems.


NOTE: Determining specific values for these parameters depends on your system hardware, configuration, and usage. We recommend that you experiment with these values according to the suggestions in the Performance Guide.

Mail

When you install SCO OpenServer, you are given a choice of MMDF or SendMail as your Mail Transport Agent (MTA). To use the Internet Manager for configuring electronic mail, you must choose SendMail. SendMail gives you full access to multihoming and other advanced mail features not available from MMDF.

If you installed MMDF, but now want to use SendMail, use the Software Manager to remove the MMDF package, then add the sendmail package.

A Post Office Protocol (POP) server is configured at installation time so that many popular mail programs on PCs and Macintoshes (including Netscape Navigator and other POP clients) can receive mail using your system as the server.

The system is configured so that any incoming mail destined for your system is either delivered locally (if the destination user exists) or is rejected; if the system receives any mail destined for another system, it forwards it on to that system. Any mail addressed to postmaster is delivered to the root user as well as to those users you have designated postmaster.

Outgoing mail is delivered directly to the system to which it is addressed. Mail sent by local users will have the fully qualified domain name of the system shown in the ``From:'' header (user@system.subdomain.domain.com, for example).

By clicking on the Mail button on the Internet Services page, you can change the configuration of e-mail forwarding and host hiding (what gets shown on the ``From:'' header for outgoing mail). If you have a central system that has a full user database for your domain, you can choose to forward ``local mail'' to that host. In addition, you can specify a system to which all mail outside your domain is delivered. It is intended that this system has good Internet connectivity and is well able to handle large amounts of SMTP traffic.

FTP

By default, your system is configured to allow users who have an account on your system to use the File Transfer Protocol (FTP) to transfer files between your system and other systems. The use of FTP by anonymous users is disabled. (So-called ``anonymous FTP'' is commonly used to upload and download files from a system by users that are unknown to that system; no authentication is required. If you have ever downloaded a file from the Internet using your Web browser, you probably have used anonymous FTP.)

By clicking on the FTP button on the Internet Services page, you can determine whether FTP access is permitted at all, as well as whether anonymous users can download or upload files.

Net

By clicking on the Net button on the Internet Services page, you can configure your system's network connections.

By selecting Network Routing, you can change which network interface the system uses as your route to the Internet. If you want to make your default route a PPP connection, you must first configure that connection -- see ``Using a modem to connect to the Internet''. You can also specify that your system is a gateway. If you configure your system as a gateway, it will forward data packets received on one interface to another interface if appropriate. Otherwise, all received data packets not destined for this system are discarded.

You can configure both inbound and outbound PPP connections by selecting PPP Connections. The procedure for adding and configuring PPP connections is described in ``Using a modem to connect to the Internet''.

Security

Because the Internet Manager can be used to configure important services on your system, it is important that access to it be restricted to protect your system from unauthorized users. This is accomplished in two ways. First, the Internet Manager requires that the user enter a user name and password to gain access. Second, the Internet Manager checks that the system from which the user is accessing it is one that you have specifically authorized.

By clicking on the Security button on the Internet Services page, you can change the Internet Manager password and specify which systems are authorized to use the Internet Manager. Initially, the password for the Internet Manager is the same as the root password. You can change the password by clicking Set Internet Manager Password on the Security page.


NOTE: Changing the password for the Internet Manager does not change the passwords for the Netscape server administration utilities. These must be changed from within those utilities.

The Internet Manager uses only the first eight characters of your password.


The system is initially configured to allow access only from the system itself (running the Internet Manager on the console display). To allow another system or systems access to the Internet Manager, select Control Access From Remote Sites on the Security page, then enter the system's IP address.


CAUTION: By allowing another system to access the Internet Manager remotely, system security is decreased and your system is potentially vulnerable to an ``IP spoofing attack''. In an IP spoofing attack, a hacker attempts to gain access to your system by making a remote system appear to be one of your trusted systems by using its IP address. It is also possible that someone monitoring data packets on the network could discover your password. The chance of your system actually being attacked in this manner is small, and chances of a successful security breach are even smaller (the attacker must determine both the IP address of one of your trusted systems as well as the Internet Manager password). You should weigh the benefits of remote administration against the costs of a potential compromise of system security.
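Because every address listed in /usr/internet/admin/access/site is a system allowed to reach the Internet Manager login remotely (see ``Security'' and the remote start-up procedure earlier), the list is worth reviewing regularly. The following audit is an added example, not SCO code: the function names are hypothetical, the one-IPv4-address-per-line layout with optional `#` comments is an assumption, and the file path is passed as an argument.

```sh
#!/bin/sh
# Added example, not SCO code. Assumption: the site file holds one IPv4 address
# per line; blank lines and "#" comments are tolerated here for convenience.

# is_ipv4 ADDR: succeeds for a dotted quad whose four octets are each 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_local_addr ADDR [OWN_IP...]: loopback, or one of this host's own addresses.
is_local_addr() {
    addr=$1; shift
    case $addr in 127.*) return 0 ;; esac
    for own in "$@"; do
        [ "$addr" = "$own" ] && return 0
    done
    return 1
}

# audit_site_file FILE [OWN_IP...]
# Prints one finding per line: "local IP", "remote IP", "invalid TEXT",
# "writable FILE" or "unreadable FILE".
# Returns 0 if only local entries, 1 if remote systems are permitted,
# 2 if the file itself needs fixing (bad entry, loose permissions, unreadable).
audit_site_file() {
    file=$1; shift
    [ -r "$file" ] || { echo "unreadable $file"; return 2; }
    remote=0 problems=0
    # A group- or world-writable list lets other local users authorize hosts.
    if [ -n "$(find "$file" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "writable $file"; problems=1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s\n' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$entry" ] || continue
        if ! is_ipv4 "$entry"; then
            echo "invalid $entry"; problems=1
        elif is_local_addr "$entry" "$@"; then
            echo "local $entry"
        else
            echo "remote $entry"; remote=1
        fi
    done < "$file"
    [ "$problems" -eq 0 ] || return 2
    [ "$remote" -eq 0 ] || return 1
    return 0
}

# Stand-alone use: sh script.sh /usr/internet/admin/access/site [OWN_IP...]
if [ $# -gt 0 ]; then
    audit_site_file "$@"
fi
```

Each `remote` line is a system whose address, together with the eight-character Internet Manager password, is all that stands between the network and the administration pages, so entries nobody can account for are candidates for removal.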