The default checksumming in AppleTalk is not that great, it will occasionally let through an error. Especially now when people are transferring giant archives or disk images that have auto checks for errors in the file, we are seeing more and more errors due to AppleTalk. Turning on DDP Checksumming will slow AppleTalk performance, but will eliminate these file errors.

(1)	Shut down the server
(2)	Open the AppleShare IP Web & File extension using a resource editor like ResEdit
(3)	Open the 'pref' resource
(4)	Edit resource #1700 and set it to be 1
(5)	Save the resource and restart your server.

ON ALL APPLESHARE CLIENTS, you will need to install the "UseChecksums" extension.

Doorstop and AutoPush (back to top)
Since I recommend removing the OT Auto Push file, here is some more info on an alternative TCP filtering software from Open Door Network.

Question:
Is OT Auto Push Support used by any other ASIP function other than TCP filtering? Also, can anyone comment on DoorStop's ability to work without this extension?

Answer:
Yes, OT Auto Push is only used by TCP Filtering. The way filtering works is that we "push" a filter module on top of the TCP module. When packets come in, the filter module gets a chance to look at the packets and determine whether to let them through or not.

The Mentat stack is designed so that you can easily push any module on top of any other, but the particular code for allowing a module to pushed on top of TCP was not included (and no, I dont remember why). So, we needed a workaround and that was the OT Auto Push extension.

Doorstop works without the OT Auto Push extension because it "pushes" itself much lower down in the stack (on top of IP) and the Mentat code for doing that is still in Open Transport. This allows filtering of UDP packets too.

Unistalling ASIP (or how to revert back to slow FileShare) (back to top)
By John T. Zigrang

(1)	Remove all ASIP Extensions
(2)	Remove all User Group file (there were two)
(3)	Restart the computer
(4)	Restart the FileSharing Control panel to check User, Computer name and Password.
(5)	Restart and Rebuild Desktop (just for desktop cleanup)

Single Link, Multihoming Setup (back to top)
Setting up Secondary IP addresses on the ASIP server
See Tech Info article 60019 "AppleShare IP 6.1: Web Server Multi Domain Support"

The second way of configuring the ASIP server for multi domain support is to set up secondary IP addresses at the server, and have the clients' domain names mapped to the secondary addresses. Open Transport 1.3 or later and a PCI-based server is required to support this capability, which is called 'single-link multihoming', 'IP multinode support', or 'IP aliasing.'

This method is needed when clients are using older browsers (such as Mosaic) which may not support HTTP 1.1; in these cases, the domain name the client used in the URL is not passed to the server; only the IP address is. Thus, the ASIP Web Server must use the IP address to determine what home page to send to the client. When using this method, you should use IP addresses, rather than the domain name, in the Multi Domain Settings file.

(1)	Verify that the server's primary IP address is static and configured manually. Open the TCP/IP control panel to verify.
(2)	Create an "IP Secondary Addresses" file; this will be a plain text file that will contain the information on the secondary IP addresses. This file needs to be saved into the Preferences folder of the System Folder. Within this file, each line begins with "ip=" followed by a secondary IP address. If the subnet mask and router address are different from those used by the primary IP address, they should be specified also, preceded by "sm=" and "rt=", respectively. Here is an example; note that the first line which begins with a semicolon is a comment. ;ip address subnet mask router address ip=192.1.1.4 sm=255.255.255.0 rt=192.1.1.1 ip=192.1.1.5 ip=192.1.1.6
(3)	Restart the server and test. Using a ping utility like MacTCP Watcher (you can locate and download this handy utility from various ftp sites on the Internet), try pinging each of the secondary IP addresses you've set up for the server.

Long delays after mounting a sharepoint (back to top)
Your drives are slowly running out of space on them...

(1)	Try emptying the Network Trash folder on your server.
(2)	On the server, use ResEdit to make it visible using Get File/Folder info, then delete its contents

For detailed explanation on emptying the "Network Trash Folder" folder manually, using AShare Helper, or AppleScript, click here.

Network Trash Explanation (back to top)
You will have one network trash folder at the root of every sharepoint. Within that folder will be a file called Trash Can Usage Map which is used by the Finder on the client machine to claim a Trash Can #x folder to use as the trash can for the server volume.

When a client throws a file on a remote volume away the Finder tries to get a lock on the first byte of the Trash Can Usage Map if that byte is locked, it tries to get a lock on the second byte and so on. When it gets the lock it "claims" the corresponding Trash Can folder. It then moves the file to be thrown away into its Trash Can folder. When the User selects Empty Trash, the Finder will empty its Trash Can Folder.

If the client machine breaks the connection via crashing or being disconnected, the Trash Can folder will not be emptied. However when a client Finder claims a Trash Can folder, it will delete anything that was in the folder previously.

For detailed explanation on emptying the "Network Trash Folder" folder manually, using AShare Helper, or AppleScript, click here.

AppleShare Password Authentication & Security (back to top)
A note about authentication from Leland Wallace
OR "I heard that AppleShare passwords are easy to break..."

The algorithms for all of the AppleShare Authentication methods are public. I don't see this as a problem. The security of the method is in the math, not in some secret algorithm. The AppleShare password encryption method he mentions, is probably the method for storing the passwords in the Users & Groups data file on the Server, which is only a problem if you send your attacker that file (AppleShare won't share the System folder on the server). Or, if the attacker has physical access to your server, then he/she could copy the Users & Groups data file; of course your server should ALWAYS be in a secure location.

The most widely used (at this time) auth method is 2 Way random (introduced in 1989) which sends two 8 byte DES encrypted random numbers over the network. From a computational standpoint the algorithm is exactly as strong as 56-bit DES. It is however vulnerable to an off-line password guessing attack (similar to running crack against a unix passwd file), and it has a password length limit of 8 characters.

We have developed a new authentication method that addresses the weaknesses of 2 Way randnum, called DHX. DHX uses Diffie-Hellman key exchange to create a 128 bit session key and then sends a 64 character password to the server encrypted with CAST 128. It's strength is approximately equivalent to 128-bit SSL. (iDisk uses DHX)

So I suppose the answer to the question is, we've been doing 56-bit encryption since 1989, and we're in the process of moving to 128 bit encryption. Both are reasonably safe on the Internet, and infinitely safer than protocols like FTP, POP or HTTP which send passwords in the clear over the network.

Note About Security (back to top)
A short note about Security
(by no means is this a complete list on how to protect your server!!!)

(1)	LOCK YOUR SERVER UP IN A SECURE ROOM!!! No one should have physical access to a server. If someone else has physical access to a server, then forget about trying to make the server secure, you will not be able to.
(2)	Setup a firewall to protect your intranet and servers.
(3)	Disable ClearText logins on the clients!!! See below for instructions on how to create an AppleShare client that does not support cleartext, then PUT IT ON ALL of your workstations. This is not a perfect solution, but it will at least make it harder for hackers/crackers. Here is a good example from Ron Chmara on how to use clear text to get passwords.

	(i)	Scout out site. Set up a linux laptop with netatalk, and sniffers on the wire. Find out the name of the ASIP server (Appleshare is silly enough to _broadcast_ the name to all askers. Feature is Security Hole. Sheesh.) Set up laptop with same name as server, same IP as server. Find unobtrusive way of jacking into the LAN, an easy thing to do in a computer lab, or a "wired" school... they seem to have lots of "live" jacks. If necessary, just use computer lab machine jack, keep laptop in backpack, and pretend to be working. For offsite work, just put it in the ceiling to "bug" the LAN.
	(ii)	Perform standard denial of service attack on server, anything to overload it or crash it. These are network security holes, so there's not much you can do about 'em. ICMP the bugger to death, SYN it into silence, whatever's fashionable this week. This should be timed right before a new class/lab session, for maximum effect.
	(iii)	As users initially try to connect via aliases, and fail, some will go to the chooser. They will select the "ASIP" server name, which, unfortunately is now a netatalk server, which *doesn't support* randnum. Which means it's now open season, as every password used to connect to the fake server is passed in cleartext. To the sniffer. If I'm lucky even the admin. will try to log in remotely, if not the first time, maybe the second or third (to keep from having to walk back to the server room)"

UNSUPPORTED - AppleShare Client that does not support ClearText (back to top)

(1)	Make a copy of the AppleShare Client
(2)	Run ResEdit and open it
(3)	Open the 'FSMNT' resource, then open up "ApShare Mounter"
(4)	Select "Find ASCII" and search on "Cleartxt"
(5)	Highlight just the 'C' character and type 'X' instead. DO NOT DELETE ANY CHARS, just replace the 'C' char!!!
(6)	Close the "ApShare Mounter" and the 'FSMNT' windows.
(7)	Open the 'EXFS' resource, then open up "ApShare ExFS".
(8)	Select "Find ASCII" and search on "Cleartxt".
(9)	Highlight just the 'C' character and type 'X' instead. DO NOT DELETE ANY CHARS, just replace the 'C' char!!!
(10)	Close the "ApShare ExFS" and the 'EXFS' windows.
(11)	Quit ResEdit and save the file.
(12)	Now find every AppleShare client that is on your network and replace it with this version. Maybe give it a special name.

How come I only see XXX GB free on my FileSharing CPU (back to top)
The Mac OS FileSharing code is very, very old and can only display up to 3.99 G of "free or in use" space. Upgrade to ASIP if you need to transfer a lot of files from that cpu and need to access larger HD's.

Installing AppleShare IP 6.3.1 on Mac OS 9.0.4 (back to top)
This document describes one method for installing AppleShare IP 6.3.1 on a computer running Mac OS 9.0.4. Many users have run into difficulty attempting to install Apple's Mac OS server suite AppleShare IP 6.3.1 after a clean installation of Mac OS 9. Specifically, the ASIP installer requires an earlier version of ASIP 6 be installed. Earlier versions of ASIP 6 refuse to install unless an out-of-date version of OpenTransport is installed. Attempting to install the older version of OpenTransport is problematic, leaving the user unable to install ASIP 6 on Mac OS 9 in order to update it to ASIP 6.3.1.

Overview of Installation Procedure

(1)	Perform a clean installation of Mac OS 9 as normal.
(2)	Install the Mac OS 9.0.4 update as normal.
(3)	Downlaod the ASIP 6.3.1 Update.smi to the hard disk.
(4)	Manually install the ASIP extensions from the ASIP 6.3.1 updater.
(5)	Run the ASIP 6.3.1 updater as normal.
(6)	Restart and continue setup using Easy Setup.

Detailed Walkthrough For Steps 4 - 6

-	Double-click the ASIP 6.3.1 Update.smi file to mount the installer disk-image on the desktop.
-	Locate the file AppleShare HD.img within the AppleShare IP 6.3.1 Update image.
-	This can be found in AppleShare IP 6.3.1 Update:Software Installers:Restore AppleShare IP:AppleShare HD.img.
-	Double-click the AppleShare HD.img to mount the AppleShare HD disk-image.
-	Copy the contents of the Extensions folder on the AppleShare HD disk-image to the Extensions folder inside your Mac OS 9 system folder on the hard disk of your server.
-	Drag the AppleShare HD icon from your desktop to the Trash.
-	Double-click the Apple SW Install icon within the AppleShare IP 6.3.1 Upate to begin installing AppleShare IP software on your server hard disk. When installation is finished, restart your server as normal.
-	After restarting, you will be able to proceed with AppleShare IP Easy Setup to configure your ASIP server.

100Mbit Ethernet Notes (most if not all is unconfirmed) (back to top)

(1)	Apple's Zynx card (aka Apple 10/100) 100Mbit card has been reported (but not confirmed ) to not work at Full Duplex, but will report that it can. This can result in terrible performance. Force your switch/hub to half duplex for any computer that is using this card.
(2)	Several people have reported that Cisco Switches work much better if you turn off spanning trees which is on by default.
(3)	Unconfirmed from Asante Three extensions seem to interfere with the connection on the b/w g3s but not necessarily other g3s or g4s, although the folks at Asante suggested I scrub them on all machines. They are: DNSplugin, SLPplugin & WebSharing.
(4)	If you have an aftermarket ethernet card, you should also disable the Apple Enet extension.
(5)	If you are using Asante cards, be absolutely sure you have the latest driver.
(6)	Another unconfirmed report. Try moving your ethernet card to a different PCI slot like A1. Apparantly some customers have reported that this has fixed their problems.

DHX (note that iDisk use DHX) (back to top)
If you use DHX authentication, it is important that you upgrade to AppleShare client 3.8.6 or later. It fixes a crash when you attempt a second login using DHX after the first attempt over DHX failed with a wrong password.

Get the latest client from www.apple.com/appleshareip/text/downloads.html.

Another way to access my iDisk (requires client 3.8.6 or later) (back to top)

(1)	Make sure you have access to the internet.
(2)	Go to Chooser, select AppleShare, click on the "Server IP Address..." button.
(3)	Enter in "idisk.mac.com:suinn".
(4)	For user name, use "suinn", password is "t0sjriah".
(5)	This will give you access to the "Public" part of my iDisk.

AShare Helper (back to top)
AShare Helper is an application that was designed to help AppleShare IP Server Administrators with the upkeep of their Servers by doing a number of minor tasks, then sending notification to remote locations.

-	Detect a System Crash (IE not properly quit) then use Disk Warrior to repair all local non boot or non network volumes.
-	Manually launch the AppleShare IP Web & File Server on startup (after doing repairs). Only works on AppleShare v5.0 - v6.2.
-	Keep a nominated Application running in the foreground and launch it if it is not running.
-	Do regular checks for free space on any mounted volume.
-	Make regular backups of the local Users & Groups Datafile (with an append date).
-	Empty the contents of the invisible Network Trash Folder on each volume (deletes all files more than 24hrs old).
-	Log all it's actions to a local text file plus send email notifications and errors to any remote location.

How to operate it?
When launched, AShare Helper does not show any interface windows or dialogues. You should start by selecting 'Preferences' from the File menu (shortcut is Cmd-P). This window should be self explanatory as it allows you to nominate Tasks, Actions and Warnings plus when you want to have them occur (once a week, daily and at what time of the day).

You can use the Notifications are to setup where to send a copy of the Event Log for both the Actions and Warnings. All email errors are saved in the event log as are the email logs themselves.

The Event Log can viewed at any time by selecting 'View Log' from the File menu (shortcut is Cmd-L). This allows you to scroll through the log and clear it if required.

Where to put AShare Helper?
Probably the Startup Items folder in the System Folder would be a good place, otherwise launch it manually whenever you feel the need.

What are the limitations?

(1)	AShare Helper was written for English language versions of MacOS. It will not experience any major problems running on other language versions of MacOS, but all the windows, dialogs and buttons will not be correct.
(2)	AShare Helper currently does not check to see if the boot volume is full prior to writing it's log. It is a good idea to enable a 'Check for Available Space' Warning for the boot volume.
(3)	AShare Helper is totally free and no warranty is provided or implied. Use it at your discretion.

Questions / Comments
All comments / questions should be directed to dbakkers@ozemail.com.au.

	To download AShare Helper 1.7.2, click here.
	For more details or to download the latest version, click here.

[Documentation - Main Page]