Connecting Outlook to Exchange through NAT



  • Hi

I am setting up pfSense (2.0.1) at work with three interfaces: WAN (static, Internet), LAN (offers DHCP to Windows XP PCs) and OPT (configured using DHCP, connects to the corporate network, including Exchange (2003) and Active Directory services).
    The LAN is managed using DHCP and static routes direct traffic to either WAN (0.0.0.0/0) or OPT (10.0.0.0/8 and 172.0.0.0/16).

The first PC on the LAN connects to Windows Server in OPT just fine, but subsequent PCs cannot load 'Personal Settings' and Outlook does not connect.
    It looks like Windows Server is detecting that multiple PCs are using a single IP address and flagging it as a security exception.

Has anyone come up with a workaround to this?

    Thanks for reading my post.

    JoD



  • You can't NAT a lot of MS protocols without breaking things. If you use only RPC over HTTPS for Outlook to Exchange that will work with NAT.



  • Thanks - this seems to be the problem.
    Our MIS department have blocked https to the Exchange server (!) and locked down the XP systems.

    Looks like I need some way to 1:1 NAT and pass through all the LAN IPs.

    So, raise a bunch of virtual DHCP interfaces on OPT (OPT-V001..OPT-V100)
    Then bridge each address in the LAN DHCP range to its corresponding OPT-Vnnn interface.
    Use routing to redirect Internet traffic via WAN

    Oh dear, this is looking like a nightmare.



  • I don't understand why you are NATing between LAN and OPT1. (I don't think this is default behaviour.)

    @joyofduck:

    Looks like I need some way to 1:1 NAT and pass through all the LAN IPs.



  • Our IT department won't route traffic to our subnet.
I am using pfSense to give access to both our corporate LAN, which is restricted to internal traffic and an http proxy, and to the real Internet that our devs need to reach their cloud hosted dev platforms.
    Any sane solution would use a subnet of the corporate network's address space.

    @wallabybob:

    I don't understand why you are NATing between LAN and OPT1. (I don't think this is default behaviour.)

    @joyofduck:

    Looks like I need some way to 1:1 NAT and pass through all the LAN IPs.



  • Unfortunately can't 1:1 NAT either, translating IPs at all will break those MS services.

    @joyofduck:

    Oh dear, this is looking like a nightmare.

    Afraid so… without being able to use alternatives that NATing doesn't break, like RPC over HTTPS, you're stuck... Most everything will work through NAT, just most MS protocols won't (sounds like that's primarily what you need, go figure). Not really an answer here, you're stuck unless you can get routing put in place.

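Why the corporate side sees every LAN PC as one address (wallabybob's question about NAT between LAN and OPT1 above), and what cmb's "get routing put in place" requires, as an added example written for this thread. It is not pfSense code and is not from any poster. It models pfSense's automatic outbound NAT rule generation: an interface that has a gateway is treated as a WAN, and an interface configured by DHCP, as OPT is here, gets a gateway, so LAN traffic leaving through OPT is translated to OPT's address just as it is on WAN. Interface names, addresses, the Exchange address and the corporate routing table are all constructed assumptions.

```python
"""Model of pfSense automatic outbound NAT and the return-route check.
Added example for this thread; not pfSense code, not from any poster.
Every address, interface name and route below is a constructed assumption
chosen to match the topology in the first post."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    cidr: str          # pfSense's own address on that interface, e.g. "192.168.50.1/24"
    has_gateway: bool  # static gateway configured, or address learned via DHCP/PPPoE

    @property
    def address(self) -> ipaddress.IPv4Address:
        return ipaddress.ip_interface(self.cidr).ip

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.cidr).network


@dataclass(frozen=True)
class OutboundRule:
    interface: str  # egress interface the rule applies on
    source: str     # source network (CIDR) whose traffic is translated


def automatic_outbound_rules(interfaces):
    """Model of 'Automatic outbound NAT rule generation': every interface with
    a gateway counts as a WAN, and the network behind every gateway-less
    interface is translated when it leaves through any of those WANs."""
    wans = [i for i in interfaces if i.has_gateway]
    locals_ = [i for i in interfaces if not i.has_gateway]
    return [OutboundRule(w.name, str(l.network)) for w in wans for l in locals_]


def egress_interface(dst, routes):
    """Longest-prefix match over (network, interface) pairs."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def source_seen_by(dst, src, interfaces, routes, mode, manual_rules=()):
    """Source address the destination host sees for a packet from src.
    mode is 'automatic' or 'manual' (pfSense 2.0 calls manual 'AON')."""
    src_ip = ipaddress.ip_address(src)
    egress = egress_interface(dst, routes)
    rules = automatic_outbound_rules(interfaces) if mode == "automatic" else list(manual_rules)
    by_name = {i.name: i for i in interfaces}
    for rule in rules:
        if rule.interface == egress and src_ip in ipaddress.ip_network(rule.source):
            return str(by_name[egress].address)  # translated to the egress interface address
    return str(src_ip)                           # left untranslated


def corporate_can_reply(lan_network, corporate_routes):
    """With translation off, the corporate routers need a route back to the
    LAN subnet (the route the thread says the IT department will not add)."""
    lan = ipaddress.ip_network(lan_network)
    return any(lan.subnet_of(ipaddress.ip_network(n)) for n in corporate_routes)


# Constructed topology matching the first post; all addresses are assumptions.
INTERFACES = [
    Interface("wan", "203.0.113.10/24", has_gateway=True),   # static, Internet
    Interface("lan", "192.168.50.1/24", has_gateway=False),  # serves the XP PCs
    Interface("opt1", "10.20.30.40/24", has_gateway=True),   # address from corporate DHCP
]
ROUTES = [("0.0.0.0/0", "wan"), ("10.0.0.0/8", "opt1")]
EXCHANGE = "10.1.2.3"                          # assumed Exchange server address
LAN_PCS = ["192.168.50.11", "192.168.50.12"]   # assumed DHCP leases on LAN


def diagnose(mode="automatic", manual_rules=(), corporate_routes=("10.0.0.0/8",)):
    """What the Exchange host sees from each PC, whether they all collapse to
    one address, and whether the corporate side could reply without NAT."""
    seen = {pc: source_seen_by(EXCHANGE, pc, INTERFACES, ROUTES, mode, manual_rules)
            for pc in LAN_PCS}
    return {"seen_by_exchange": seen,
            "all_one_address": len(set(seen.values())) == 1,
            "corporate_can_reply": corporate_can_reply("192.168.50.0/24", corporate_routes)}


if __name__ == "__main__":
    print(diagnose())                       # automatic: both PCs appear as 10.20.30.40
    only_wan = [OutboundRule("wan", "192.168.50.0/24")]
    print(diagnose("manual", only_wan))     # untranslated, but no route back
    print(diagnose("manual", only_wan, corporate_routes=("10.0.0.0/8", "192.168.50.0/24")))
```

In the automatic case both PCs reach Exchange as 10.20.30.40, the OPT address, which is the single shared source address the first post describes. Switching outbound NAT to manual and keeping only the WAN rule stops the translation on OPT, but the third call shows the condition that then has to hold: a route for the LAN subnet on the corporate side, pointing at pfSense's OPT address. Without it the packets arrive with their real source but replies have nowhere to go, which is the same dead end cmb describes.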


  • @cmb:

    Afraid so… without being able to use alternatives that NATing doesn't break, like RPC over HTTPS, you're stuck... Most everything will work through NAT, just most MS protocols won't (sounds like that's primarily what you need, go figure). Not really an answer here, you're stuck unless you can get routing put in place.

    Thanks - at least you saved me some time wasting.

