Networking

AppleShare IP

Mac OS-based computers can usually be counted on to rely on the AppleShare IP protocol (although this is very much at the whim of the network administrator on a modern network, as both Mac OS clients and Mac OS servers support so many other protocols). When connecting Macintosh clients to a server of a different platform, it is often necessary to enable AppleShare services to provide backward compatibility for older workstations, or to provide effective security.

In the classic versions of the Mac OS, AppleShare functionality was provided by a suite of extensions and control panels providing configuration and core services for this networking protocol. As always, when integrating computers using older software onto a newer network, download and install the latest version of the AppleShare software from Apple Computer's support website at http://www.apple.com/support/, and make sure that the operating system is up-to-date. Mac OS X computers should be kept up-to-date with the Software Update utility accessible via System Preferences.

Although AppleShare IP provides a secure way for a user and server to exchange names and passwords, it is not an encrypted protocol. It is theoretically possible for an IP packet to be intercepted and its contents read by a third party. Therefore, care should be taken when exchanging sensitive data. Fortunately, AppleShare IP is a pure TCP/IP protocol, so it may be "tunneled" using any of a variety of encryption methods. The Mac OS itself supports L2TP over IPSec and PPTP, which are capable of encrypting network packets to prevent anyone from reading intercepted packets.

AppleShare Authentication

The most important task to be accomplished between the client and server using the AppleShare protocol is authentication. How is the server to know that the user can be trusted to perform operations on files and folders? What if the user is attempting to connect to a non-Apple file server that supports a unique authentication standard?

On connecting to any AppleShare service on any server, the first thing the client does is try to determine what method of authentication the server supports. Can an Apple protocol be used? What about Kerberos, or the Microsoft authentication protocol? If the server supports more than one authentication method, the user is asked to choose one. The exception is the plain-text method. If the server and client don't have compatible authentication software installed, a username and password can be exchanged via plain text, if the server has been allowed to support it. However, if any more secure method is available, the plain-text option won't be given.

Because various software vendors sell servers that support AppleShare IP, clients need to be able to add authentication methods. Recent versions of AppleShare support user authentication modules, which are simple plug-ins that add authentication methods to a client.
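The selection rule and the effect of adding a plug-in, described in the two paragraphs above, can be modeled as a small audit that flags servers where a password could travel in plain text. This is an added example, not code from Apple or from the original text; the server names, the client method sets, and the finding labels are constructed for illustration, and the method strings are the AFP names of the corresponding authentication methods.

```python
# Added example: models the method-selection rule described in the text.
CLEARTEXT = "Cleartxt Passwrd"  # AFP name of the plain-text method

def offered_methods(server_uams, client_uams):
    """Return the methods a user would be offered for one server.

    Plain text is offered only when no more secure method is shared
    by client and server, as the text describes.
    """
    common = [u for u in server_uams if u in client_uams]
    secure = [u for u in common if u != CLEARTEXT]
    if secure:
        return secure
    return [CLEARTEXT] if CLEARTEXT in common else []

def audit(servers, client_uams):
    """Map each risky server to a finding (labels are hypothetical)."""
    findings = {}
    for host, uams in servers.items():
        offered = offered_methods(uams, client_uams)
        if not offered:
            findings[host] = "no common method"
        elif offered == [CLEARTEXT]:
            findings[host] = "plain text would be used"
        elif CLEARTEXT in uams:
            # This client is fine, but a client lacking the secure
            # module would fall back to plain text on this server.
            findings[host] = "plain-text fallback enabled"
    return findings

# Constructed sample data: methods each server advertises.
SERVERS = {
    "files-a.example": ["DHCAST128", "Cleartxt Passwrd"],
    "files-b.example": ["Client Krb v2"],
    "files-c.example": ["Cleartxt Passwrd"],
    "files-d.example": ["DHX2"],
}
# Hypothetical client method sets, before and after adding a module.
STOCK_CLIENT = {"Cleartxt Passwrd", "DHCAST128"}
WITH_PLUGIN = STOCK_CLIENT | {"Client Krb v2"}

if __name__ == "__main__":
    for label, client in (("stock", STOCK_CLIENT), ("with plug-in", WITH_PLUGIN)):
        print(label, audit(SERVERS, client))
```

Servers reported as "plain-text fallback enabled" are the ones where disabling the plain-text option on the server removes the risk without locking out clients that already have a secure method.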

The most common plug-in is the Microsoft UAM, required to connect to Windows 2000 and 2003 servers. This software comes with the server and is also available for download from Microsoft's support website. This module allows AppleShare IP clients to use Microsoft's native Windows authentication protocol, allowing administrators to provide enhanced security by using SMB services with packet signing turned on, as well as providing secure access to Macintosh clients.