Advice configuring Firewall/router for Direct MAPI connection

I am moving a company over to a hosted Exchange. The hosting company is asking us to set up a direct MAPI connection to our server. Their instructions suggest:

"Your company Network Administrator should adjust firewall settings to allow connections from Intermedia IP ranges for ALL ports. Also, please make sure the traffic coming in from those ranges is properly NAT-ed to the back-end server"

The router is an older Draytek device - Vigor 2600. It doesn't seem to have the option to specify specific IP ranges. How can I therefore NAT their IP range to our Exchange server?

Do I just open the whole range of ports up to the ip address of the server?

Do I put the server in a DMZ? Unlikely I would imagine.

The port redirection table allows me to specify individual ports, but allowing ALL ports would take forever.

Any suggestions?
roy_batty (Director) asked:
Akinsd (Network Administrator) commented:
Not exactly familiar with your type of firewall, but the following is a standard way of specifying a port range in an access list.

All you need is to append the appropriate wildcard mask for the range in mind, e.g.
permit .............. 10.75.2.0 0.0.0.255 .................... will cover the range 10.75.2.1 to 10.75.2.254
permit .............. 10.75.2.0 0.0.0.63 .................... will cover the range 10.75.2.1 to 10.75.2.62
permit .............. 10.75.2.64 0.0.0.3 .................... will cover the range 10.75.2.65 to 10.75.2.66

• A wildcard mask bit 0 means check the corresponding bit value; they must match.
• A wildcard mask bit 1 means ignore that corresponding bit value; they need not match.

For port range
Permitting the whole IP without specifying ports automatically allows all ports for the IP specified

Hope this helps
0
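
The wildcard-mask rule from the answer above (mask bit 0 must match, mask bit 1 is ignored), worked through in Python as an added example that is not part of the original thread. The function names are hypothetical, the `.65` to `.66` intended range is a constructed check, and the code goes beyond the three quoted entries by also handling non-contiguous masks.

```python
import ipaddress

def _u32(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_matches(base: str, wildcard: str, candidate: str) -> bool:
    """Wildcard bit 0 = bits must match, bit 1 = bit is ignored."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(base) & care) == (_u32(candidate) & care)

def matched_addresses(base: str, wildcard: str, limit: int = 65536):
    """List every address an entry matches, including non-contiguous masks."""
    w = _u32(wildcard)
    fixed = _u32(base) & ~w & 0xFFFFFFFF
    free_bits = [i for i in range(32) if (w >> i) & 1]
    if (1 << len(free_bits)) > limit:
        raise ValueError("entry matches too many addresses to enumerate")
    result = []
    for n in range(1 << len(free_bits)):
        addr = fixed
        for k, bit in enumerate(free_bits):
            if (n >> k) & 1:
                addr |= 1 << bit
        result.append(addr)
    return [ipaddress.IPv4Address(a) for a in sorted(result)]

def outside_intended(base, wildcard, first, last):
    """Addresses the entry permits that fall outside the intended first..last range."""
    lo, hi = _u32(first), _u32(last)
    return [str(a) for a in matched_addresses(base, wildcard)
            if not lo <= int(a) <= hi]

if __name__ == "__main__":
    # The three base/wildcard pairs quoted in the answer above
    entries = [("10.75.2.0", "0.0.0.255"),
               ("10.75.2.0", "0.0.0.63"),
               ("10.75.2.64", "0.0.0.3")]
    for base, wc in entries:
        addrs = matched_addresses(base, wc)
        print(f"{base} {wc}: {addrs[0]} .. {addrs[-1]} ({len(addrs)} addresses)")
    # Constructed check: which permitted sources lie outside an intended .65-.66 range
    print(outside_intended("10.75.2.64", "0.0.0.3", "10.75.2.65", "10.75.2.66"))
```

Matching is purely bitwise, so the first and last address of each block match as well; running `outside_intended` before applying a permit entry shows any source addresses it admits beyond the provider's stated range.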
Kimputer commented:
The port redirection page should have a dropdown menu for Single and Range. You want this Range of course.
The problem is worse though: after you input that, EVERYONE has FULL access to your Exchange server on ALL levels.
You now have to start closing your firewall for everything and slowly build up exceptions (Intermedia IP range to your server). If Intermedia said only port 5000 through 5500, then it would be much easier, only adding this exception was enough.
0
roy_batty (Director, Author) commented:
My Draytek router didn't seem to have the option suggested by Kimputer. In the end I had to put the whole server into the DMZ for a short period whilst the hosted exchange company exported the required data. Not ideal but it did the job.
0

roy_batty (Director, Author) commented:
The suggestions made did not resolve the issue.
0