DagwoodBumstead
Entourage RPC over HTTPS on a Cisco router

Cisco 1921 router... have 2 Macs running Entourage and connecting to Exchange server using rpc/http.

Since Entourage only has one place to enter a server name, you have to enter the public name (http://mail.server1.com), as opposed to Windows, where you enter both the public and the internal (server1.domain.internal).

Entourage works fine when the Macs are outside the network looking in. But they don't connect to the server when they are on the internal network. This requires the Cisco router to pass the internal packet to the public network, and then NAT it back to the inside server.

I was told yesterday by Cisco that this was an unsupported NAT configuration; but that it was possible to do using Virtual NAT (although he hasn't figured out how to get that working).

Obviously, there is a way to do this... does that "unsupported configuration" thing sound right?

Not sure what the difference between NAT and Virtual NAT is, but whatever works is fine.

There are also other services (mail, web, ftp) that are NATed through, and the router will soon have vlans added to it.

Can someone make a suggestion/point me in the right direction?

Thanks,

J.R.
rfc1180

Try this link:

http://ccie-in-3-months.blogspot.com/2008/12/nat-hairpinning-using-nat-pools-pbr.html

I would, however, honestly advise that you use an internal and external DNS model (one for your corp network and one for your external; something like corp.domain.com and domain.com). This way, instead of your users accessing mail.domain.com, they access mail.corp.domain.com.

Billy
DagwoodBumstead

ASKER

Whoa.... that's some heavy reading for a Saturday...

I'm not sure what you mean by your DNS suggestion, but it got me thinking (and maybe this is what you were trying to say): creating a DNS entry on the internal DNS server that points the external name (mail.server.com) to the internal IP address? The problem I see with this is that the security certificate wouldn't match, and would throw errors on the Macs when they were inside.

Can you load two certs on a server to respond to both inside and outside? (This may need to be posed as a diff question if you think the extra DNS entry would work...)

Thanks,

J.R.
ASKER CERTIFIED SOLUTION
rfc1180
I think I *am* using PAT, as I only have 1 public IP... is that why it isn't working?

So if I create the DNS entries on the internal server to point to the internal server, I guess I'll get an error message about invalid cert... but I guess I could bypass that by connecting over http instead of https.

I'm onsite and about to create the DNS entries and do some other work on the router; not sure if one of the Macs is here to test or not... if so, I'll test it and accept your solution.

Thanks,

J.R.
>I think I *am* using PAT, as I only have 1 public IP... is that why it isn't working?
More than likely that is correct.

>I guess I'll get an error message about invalid cert
I would not think you would; the cert has the FQDN bound to it and is based on DNS and the host headers that you provide.

I think you will find that specifying an internal DNS record will provide you with an adequate solution.

Good Luck
Billy

Of course, that is assuming that the DNS record that you are adding is the exact same record that is bound to the cert (you would have issues with the cert and the www.corp.domain.com and www.domain.com if the cert was bound to www.domain.com).

Billy
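The two points made in this thread, that an internal DNS record for the public name avoids NAT hairpinning on the edge router, and that the client only avoids a certificate warning when the name it types is one of the names bound to the cert, can be modelled in a few lines. The following is an added example written for this page, not code from anyone in the thread. All zone data, addresses (RFC 5737 / RFC 1918 ranges) and certificate name lists are constructed for illustration; the name matcher follows the usual RFC 6125 rules (exact match, or a wildcard covering a single leftmost label), which goes slightly beyond the thread by also showing why a `*.domain.com` certificate does not cover `mail.corp.domain.com`.

```python
"""Split-horizon DNS versus NAT hairpinning, and certificate name matching.

Added example; not from the original thread. Zone data, addresses and
certificate names below are constructed for illustration only.
"""
from ipaddress import ip_address, ip_network

# Constructed LAN the Macs and the Exchange server sit on.
INTERNAL_NET = ip_network("192.168.10.0/24")

# Constructed DNS views. The external zone answers with the public address.
EXTERNAL_VIEW = {"mail.domain.com": "203.0.113.10"}
# Internal zone as first suggested: only a corp-specific name.
INTERNAL_VIEW_BEFORE = {"mail.corp.domain.com": "192.168.10.5"}
# Internal zone after also adding the public FQDN with the LAN address.
INTERNAL_VIEW_AFTER = {"mail.corp.domain.com": "192.168.10.5",
                       "mail.domain.com": "192.168.10.5"}

# Constructed certificate name sets (CN plus subjectAltName entries).
CERT_NAMES_SINGLE = ("mail.domain.com",)
CERT_NAMES_SAN = ("mail.domain.com", "mail.corp.domain.com")


def resolve(view, name):
    """Return the address a DNS view hands out for name, or None."""
    return view.get(name.lower().rstrip("."))


def _name_match(pattern, hostname):
    """RFC 6125-style comparison of one certificate name against a hostname.

    Exact match, or a wildcard that replaces exactly one leftmost label and
    never the registered domain itself (so '*.domain.com' does not match
    'domain.com' or 'mail.corp.domain.com').
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def cert_matches(cert_names, hostname):
    """True if hostname is bound to the certificate (CN or any SAN entry)."""
    return any(_name_match(p, hostname) for p in cert_names)


def internal_client_path(internal_view, hostname, cert_names):
    """Where an internal client ends up when it connects to hostname over TLS.

    The client asks the internal view first and falls back to the external
    answer if the name is absent there. Returns (address, path, cert_ok):
      path    'direct'  -> LAN address, no edge-router involvement
              'hairpin' -> public address, router must NAT it back inside
      cert_ok whether the typed name is bound to the certificate, i.e.
              whether the client avoids a certificate warning.
    """
    addr = resolve(internal_view, hostname) or resolve(EXTERNAL_VIEW, hostname)
    if addr is None:
        return None, "unresolvable", False
    path = "direct" if ip_address(addr) in INTERNAL_NET else "hairpin"
    return addr, path, cert_matches(cert_names, hostname)


if __name__ == "__main__":
    cases = [
        (INTERNAL_VIEW_BEFORE, "mail.domain.com", CERT_NAMES_SINGLE),
        (INTERNAL_VIEW_AFTER, "mail.domain.com", CERT_NAMES_SINGLE),
        (INTERNAL_VIEW_AFTER, "mail.corp.domain.com", CERT_NAMES_SINGLE),
        (INTERNAL_VIEW_AFTER, "mail.corp.domain.com", CERT_NAMES_SAN),
    ]
    for view, host, names in cases:
        addr, path, ok = internal_client_path(view, host, names)
        print(f"{host:24} -> {addr:14} {path:8} cert_ok={ok}")
```

The second case is the configuration the thread settles on: the public FQDN resolves to the LAN address from inside, no hairpin NAT is needed, and the certificate still matches because the client is using the very name the cert was issued for. The third case is the caveat in the last reply: a corp-only name avoids the hairpin just as well but fails the certificate check unless that name is also in the cert's SAN list (fourth case).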