Community Pick: Many members of our community have endorsed this article.
Editor's Choice: This article has been selected by our editors as an exceptional contribution.

uVerse and the Small Business Server

Gary ColtharpSr. Systems Engineer
Published:
I work for a company that primarily works with small businesses as their outsourced IT vendor. As such the majority of these customers utilize some version of Small Business Server. Due to the economics of running a small business, many of these customers were DSL subscribers.

In the past year or so, these customers who are AT&T subscribers have been systematically forced to convert to uVerse. While I am sure this is an amazing service for the home user, it is flat out awful for most business applications. The modem is hard coded to serve DHCP (cannot be disabled) and the service blocks port 25 outbound traffic.

I have never been a fan of using ISP provided equipment as the gateway device and in this case, it is imperitive that you do not. If you know SBS, you know it needs to serve DHCP for things to go smoothly.

So after many hours of searching internet articles, uVerse help pages, etc... I have come up with a method for using uVerse with SBS... assuming a better internet provider is not available.

The resolution is to install a firewall if they don’t already have one and configure uVerse to serve the public addresses and turn off any firewall features. AT&T equipment changes often but the following was documented on a Motorola NVG589.

The things you will need from AT&T:
      PPPoE login and password
      Static IP information
To fix the local network, login in to the uVerse modem using the access information printed on the label. The access code will be printed there as well in order to do advanced tasks.
First if the customer’s subnet is the same as the uVerse default of 192.168.1/24, you will need to change the subnet on AT&T or the customer’s. Changing uVerse would be the easiest. Go to the “Home Network” tab and click “Subnets & DHCP”, enter the access code when prompted. Change the 3rd octet to something different. Document this so that the AT&T equipment can be accessed from behind the firewall if necessary. Save and reboot.
Go back to the uVerse configuration, select “Firewall” and disable packet filtering. Then go to "IP Passthrough" and set allocation to "Passthrough", mode "Manual". Under Firewall Advanced, turn everything off. Save and reboot.
Back to the uVerse configuration,  go back to the "Home Network" page  and under “Public Subnet”, change “Public Subnet Enable” to On and put in the static IP information. AT&T generally gives the customer a /29 block but does not assign their equipment. According to their tech, the last usable in the subnet should be assigned to the uVerse equipment. So by example, a customer is assigned 107.220.47.248/29.  This is a subnet address but you will occasionally get the AT&T tech who tells you this is their IP. If you can’t subnet in your head, get a subnet calculator and plug in the values for subnet addresses. Solarwinds has a good free tool. So for this example, my customer only needed one static and was not using their other publics. Therefore, I placed the additional public IP’s in the Public DHCP pool:

      Public Subnet
      Public Subnet Enable       On
      Public IPv4 Address             107.220.47.254    <last (6th) usable in the subnet
      Public Subnet Mask            255.255.255.248 < /29 mask
      DHCPv4 Start Address      107.220.47.250 < 2nd usable
      DHCPv4 End Address      107.220.47.253<5th usable
      Allow Inbound Traffic      On
      Primary DHCP Pool            () Private (.) Public

Save and reboot. Connect the customer’s firewall to an open port on the uVerse and configure the first usable (in the example 107.220.47.249) as the static IP with /29 mask and the last public as the gateway. Configure standard SBS port forwards to point to the inside IP of your SBS.
Run an ipchicken.com or whatismyip.com and verify that the internet sees your identity as the public IP you assigned in your firewall and that you are surfing.

That gets the internet going…now for email.

Since uVerse is blocking port 25, no direct send or smart hosting will work on port 25. I have not tested but I have been told that even 465 SSL is blocked unless the smart host is an AT&T server. The resolution is to smart host through AT&T. With the DSL credentials in hand, go to http://att.yahoo.com and click the Signin link.. If your PPPoE login has a "static." in it, strip it out. Hover on the "More" link and select "Member Center". They may make you login again. Then click "Update your contact information". For every email address that will be sending email out from the customer's domain, you will need to add them here. Hopefully there aren’t too many. Click "Add email" and enter the user's email such as jdoe@theirdomain.com. Repeat until all are added then click Save. An email will be sent to each user to verify their address. They will not be able to send email until they do this.

The last step is to configure Exchange to smart host. These instuctions are specific to SBS 2011/Exchange 2010. They do not differ much for SBS 2008.

You will need both the console and the shell. From the console, go to Organization Configuration, Hub Transport, Send Connectors and open the properties of the SBS Internet Send connector. Under the network tab, Select Route mail through smart host and click Add…. Enter outbound.att.net , click Change and using basic authentication enter the same AT&T credentials you used to access att.yahoo.com.

Finally we need to use port 587 for outbound connections, so open the Exchange Shell and run the following commands:
      Get-SendConnector
This will list the send connector.  You can copy the full Identity to paste in to quotes in the next command.
      Set-SendConnector –Identity “Identity” -port 587

You should be good to go… wouldn’t switching internet providers have been easier?

Hope this saves somebody some time.

Gary
3
7,572 Views
Gary ColtharpSr. Systems Engineer

Comments (1)

Commented:
Perhaps "Business Uverse" isn't exactly the same all across the country, but I set up a number of customers in the Austin, TX market and it wasn't quite that involved. (Or perhaps I just did it enough times so that I didn't realize all of the steps I was actually performing.)

Here is the outline of my process (from memory.) Gary's article above provides some of the details (e.g. what settings to use for the "Public Subnet") so I won't reiterate here. I.E. The steps below likely won't stand on their own to someone who hasn't done it before, so be sure to read the original article above.

It requires using the uverse gateway AND the customer's own router/firewall.
Use a laptop (DHCP) and go back and forth plugging into to the LAN side of the uverse gateway and the LAN side of the customer network as appropriate.
Don't be afraid to refresh pages, for a release/renew of DHCP IPs, do a power cycle, etc. if something isn't showing up as expected. The uvsere gateway doesn't always update it's "device list" in a timely fashion on its own.

1) Change the "LAN" IP and subnet on the uverse gateway to be outside of the customer's actual LAN subnet. Any two private ranges* that don't overlap will work. But I tend to use, for example, 172.16.0.1/24 (uverse) and 192.168.0.1/24 (customer LAN) to keep things clearly separate.

2) Add the Public Subnet to the uverse gateway as described in the article above. It helps immensely to be talking to a Tier 2 technician at AT&T on the phone to get these settings. I've found that many/most of the installers and Tier 1 support tech's don't even know what this is.

3) Set the customer's router to get the WAN IP via DHCP. Release/renew IP.

4) On the uverse gateway go to the firewall tab and change the settings for the "device" that shows up that is the customer's firewall. (Identify via the uverse LAN IP the customer router's currently has for it's WAN IP, or it's WAN MAC.) Give it a "public fixed" IP and choose the desired public IP from the second drop down. (I typically choose the first usable IP of the "Public Subnet" setup earlier.) Disable the firewall (enable DMZ plus mode) for the device. Save. (I also tend to disable packet filtering in the general firewall setup as mentioned above, but it shouldn't be necessary with DMZ plus mode enabled.)

5) Release/renew WAN IP on customer router, power cycle if needed. It should have the public IP from step 4 now for the WAN IP, rather than a uverse LAN private IP.

(Optional/alternative) I have been successful configuring all the customer's router with a static WAN IP, subnet, etc. And then getting it to show up in the devices of the of the uverse's firewall page so DMZplus mode can be enabled. But, from my experience, leaving the consumer's router WAN set to DHCP (and having the uverse gateway set to always issue it the public IP) tends to be more reliable than the various methods (mentioned a couple of sentences above and in the original article above) of getting it work such that the consumer's router WAN is set statically.


Email:
At least in the Austin, TX market, port 465 is NOT blocked in any way with uverse. And if you are talking to a Tier 2 AT&T tech on the phone they can unblock port 25 for your IP ranges. (Technically, the block is upstream of the uverse gateway, so no matter what your setting are on the gateway you can't get by the block without AT&T turning it off.)

Spending a few minutes on the phone, to me, is much easier than messing with all of the Exchange connectors/smart hosts. (Plus you don't have route your mail through AT&T SMTP servers.)

It bears repeating again. These steps are for "Business Uverse" accounts and assume you are talking to at least Tier 2 support. You're mileage may vary with "Residential Uverse" and it would likely be a lost cause talking to "Consumer/Residential/Tier 1" support.

One final note: Most people won't run into this, but you may if you customer uses multiple public IPs for their network. The uverse gateway has what can be thought of as a hardware limitation that limits one IP (public and/or uverse private LAN) per MAC address of devices connected directly to the uverse gateway (i.e. not NAT'ed behind the consumer router.) So unless you get clever (and/or have clever hardware) you in effect will only have 1 "usable" static Public IP, even though you are paying for 5.

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.