I work for a company that primarily works with small businesses as their outsourced IT vendor. As such the majority of these customers utilize some version of Small Business Server. Due to the economics of running a small business, many of these customers were DSL subscribers.
In the past year or so, these customers who are AT&T subscribers have been systematically forced to convert to uVerse. While I am sure this is an amazing service for the home user, it is flat out awful for most business applications. The modem is hard coded to serve DHCP (cannot be disabled) and the service blocks port 25 outbound traffic.
I have never been a fan of using ISP-provided equipment as the gateway device and in this case, it is imperative that you do not. If you know SBS, you know it needs to serve DHCP for things to go smoothly.
So after many hours of searching internet articles, uVerse help pages, etc... I have come up with a method for using uVerse with SBS... assuming a better internet provider is not available.
The resolution is to install a firewall if they don’t already have one and configure uVerse to serve the public addresses and turn off any firewall features. AT&T equipment changes often but the following was documented on a Motorola NVG589.
The things you will need from AT&T:
PPPoE login and password
Static IP information
To fix the local network, log in to the uVerse modem using the access information printed on the label. The access code needed for advanced tasks is printed there as well.
First, if the customer’s subnet is the same as the uVerse default of 192.168.1.0/24, you will need to change the subnet on either the AT&T equipment or the customer’s network. Changing uVerse would be the easiest. Go to the “Home Network” tab and click “Subnets & DHCP”, then enter the access code when prompted. Change the 3rd octet to something different. Document this so that the AT&T equipment can be accessed from behind the firewall if necessary. Save and reboot.
Go back to the uVerse configuration, select “Firewall” and disable packet filtering. Then go to "IP Passthrough" and set allocation to "Passthrough", mode "Manual". Under Firewall Advanced, turn everything off. Save and reboot.
Back in the uVerse configuration, go to the "Home Network" page and under “Public Subnet”, change “Public Subnet Enable” to On and put in the static IP information. AT&T generally gives the customer a /29 block but does not assign an address to their own equipment. According to their tech, the last usable address in the subnet should be assigned to the uVerse equipment. So by example, a customer is assigned 18.104.22.168/29. This is a subnet address, but you will occasionally get the AT&T tech who tells you this is their IP. If you can’t subnet in your head, get a subnet calculator and plug in the values to get the subnet addresses. SolarWinds has a good free tool. In this example, my customer only needed one static address and was not using their other publics. Therefore, I placed the additional public IPs in the Public DHCP pool:
Public Subnet Enable On
Public IPv4 Address 22.214.171.124 < last (6th) usable in the subnet
Public Subnet Mask 255.255.255.248 < /29 mask
DHCPv4 Start Address 126.96.36.199 < 2nd usable
DHCPv4 End Address 188.8.131.52 < 5th usable
Allow Inbound Traffic On
Primary DHCP Pool () Private (.) Public
Save and reboot. Connect the customer’s firewall to an open port on the uVerse and configure the first usable (in the example 184.108.40.206) as the static IP with /29 mask and the last public as the gateway. Configure standard SBS port forwards to point to the inside IP of your SBS.
Browse to ipchicken.com or whatismyip.com and verify that the internet sees your identity as the public IP you assigned in your firewall and that you are surfing.
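The addressing layout above, worked through as an added PowerShell example (not part of the original post). It generalizes the /29 case to any block from /8 to /29; the function name Get-PublicBlockPlan is hypothetical and 203.0.113.8/29 is a constructed documentation-range block, not a real assignment.

```powershell
# Added example: derive the article's address layout from an assigned block.
# first usable -> firewall WAN, last usable -> uVerse device, the rest -> public DHCP pool
function Get-PublicBlockPlan {
    param([Parameter(Mandatory = $true)][string]$Cidr)

    $addrText, $prefixText = $Cidr -split '/'
    $prefix = [int]$prefixText
    if ($prefix -lt 8 -or $prefix -gt 29) {
        throw "Need a /8 to /29 block: the layout uses at least three usable addresses."
    }

    # Dotted quad -> 32-bit integer (GetAddressBytes returns network byte order).
    $bytes = [System.Net.IPAddress]::Parse($addrText).GetAddressBytes()
    [Array]::Reverse($bytes)
    $ip   = [BitConverter]::ToUInt32($bytes, 0)
    $size = [uint32][math]::Pow(2, 32 - $prefix)   # addresses in the block
    $net  = [uint32]($ip - ($ip % $size))          # subnet (network) address

    # 32-bit integer -> dotted quad.
    $toText = {
        param([uint32]$n)
        $b = [BitConverter]::GetBytes($n)
        [Array]::Reverse($b)
        $b -join '.'
    }

    New-Object PSObject -Property @{
        # True when the value handed over is the subnet address itself,
        # i.e. it cannot be configured on any device.
        GivenIsSubnetAddress = ($ip -eq $net)
        SubnetAddress = (& $toText $net)
        SubnetMask    = (& $toText ([uint32]([math]::Pow(2, 32) - $size)))
        FirewallWan   = (& $toText ($net + 1))           # first usable
        DhcpStart     = (& $toText ($net + 2))           # second usable
        DhcpEnd       = (& $toText ($net + $size - 3))   # next-to-last usable
        UverseGateway = (& $toText ($net + $size - 2))   # last usable
        Broadcast     = (& $toText ($net + $size - 1))
    }
}

# Constructed sample input (documentation range).
Get-PublicBlockPlan '203.0.113.8/29' | Format-List
```

For the sample block this yields .9 for the firewall, .10 through .13 for the public DHCP pool, and .14 for the uVerse device, with GivenIsSubnetAddress set to True.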
That gets the internet going…now for email.
Since uVerse is blocking port 25, no direct send or smart hosting will work on port 25. I have not tested but I have been told that even 465 SSL is blocked unless the smart host is an AT&T server. The resolution is to smart host through AT&T.
With the DSL credentials in hand, go to http://att.yahoo.com and click the Signin link. If your PPPoE login has a "static." in it, strip it out. Hover on the "More" link and select "Member Center". They may make you login again. Then click "Update your contact information". For every email address that will be sending email out from the customer's domain, you will need to add them here. Hopefully there aren’t too many. Click "Add email" and enter the user's email such as firstname.lastname@example.org. Repeat until all are added then click Save. An email will be sent to each user to verify their address. They will not be able to send email until they do this.
The last step is to configure Exchange to smart host. These instructions are specific to SBS 2011/Exchange 2010. They do not differ much for SBS 2008.
You will need both the console and the shell. From the console, go to Organization Configuration, Hub Transport, Send Connectors and open the properties of the SBS Internet Send connector. Under the Network tab, select "Route mail through smart host" and click Add…. Enter outbound.att.net, click Change and, using basic authentication, enter the same AT&T credentials you used to access att.yahoo.com.
Finally we need to use port 587 for outbound connections, so open the Exchange Shell and run the following commands:
This will list the send connector. You can copy the full Identity to paste in to quotes in the next command.
Set-SendConnector -Identity "Identity" -Port 587
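The shell steps above as one sequence for the Exchange Management Shell, with checks added afterwards; this is an added example, not the original post's commands. It assumes exactly one send connector routes through outbound.att.net, and the variable names are hypothetical.

```powershell
# Added example for the Exchange Management Shell (SBS 2011 / Exchange 2010).
$smartHost = 'outbound.att.net'   # smart host named in the article

# 1. List the send connectors with the settings that matter here.
Get-SendConnector | Format-List Identity, SmartHosts, Port, SmartHostAuthMechanism

# 2. Select the connector by its smart host instead of pasting the Identity by hand.
$connector = @(Get-SendConnector | Where-Object { "$($_.SmartHosts)" -like "*$smartHost*" })
if ($connector.Count -ne 1) {
    throw "Expected one connector using $smartHost, found $($connector.Count)."
}
Set-SendConnector -Identity $connector[0].Identity -Port 587

# 3. Re-read the connector and flag anything a reviewer would question.
$after = Get-SendConnector -Identity $connector[0].Identity
if ($after.Port -ne 587) {
    Write-Warning "Port is $($after.Port), expected 587."
}
if ("$($after.SmartHostAuthMechanism)" -eq 'BasicAuth') {
    # BasicAuth does not insist on TLS; BasicAuthRequireTLS does. Whether the
    # smart host accepts the stricter setting has to be tested, it is not assumed here.
    Write-Warning 'Basic authentication without required TLS: the AT&T credentials are exposed if TLS is not negotiated.'
}

# 4. Confirm the firewall and uVerse path allow outbound TCP 587.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($smartHost, 587)
    "TCP 587 to $smartHost reachable: $($tcp.Connected)"
} catch {
    Write-Warning "TCP 587 to $smartHost failed: $($_.Exception.Message)"
} finally {
    $tcp.Close()
}
```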
You should be good to go… wouldn’t switching internet providers have been easier?
Hope this saves somebody some time.