Eric Jack (United States of America) asked:
Why can't PCs and iPhones access Exchange from our Guest Network?

I'm probably overlooking something simple. Previously, any employee could use our guest network to access Exchange via Outlook's "Outlook Anywhere" feature by entering their user name and password, or from their iPhone which has an Exchange mail account. However, now iPhones can't send or receive emails from the Exchange account, or if it manages to get the email, you can't open it. Using Outlook Anywhere will prompt for the user name and password, but will take forever to launch Outlook and then say "trying to connect" in the bottom bar. (iPhones and Outlook Anywhere work fine from outside the building.)

Because the guest network requires no password and offers only internet access, most employees use this for their iPhones and laptops (when not docked) because it's easier than putting in a password. Laziness wins! The guest network works for any other internet related tasks, including using VPN to connect back to the domain. Yes... employees sit in the conference room, use the guest network, and then VPN in to get their email and files because it's "easier" than connecting to the domain!

It doesn't matter if the access is via wi-fi or wired. Obviously, I can't plug an iPhone into a wired switch, but I get the same Outlook problems with a laptop on either the wi-fi or wired networks. The network is set up as such:

Comcast cable modem supplies DHCP to guest network only. One port from modem goes to guest network switch where all wired connections are made. Another port from the modem goes to the domain network. The main domain switch has a VLAN set up with two ports - one to the guest switch, and one to the wireless AP. The wireless AP provides access to both networks via VLAN.

I don't know exactly when the problem began. The only thing I can think of having changed was Comcast replaced the modem. They took out a 4-port business modem which I think was made by Cisco and replaced it with a 4-port Netgear business modem. I wonder if some configuration settings were never transferred.
Alan Hardisty (United Kingdom):

Can the laptops resolve the Fully Qualified Domain Name of your Server when on the Guest network properly?

Is HTTPS being blocked on the Guest network?

If the name can be resolved and HTTPS isn't blocked, then it may be a problem whereby the connection has to exit the router and re-enter itself and the Netgear (being a piece of crap) probably can't handle this whereas the Comcast modem could.
Eric Jack (asker):

No... and that might be the problem.

From a PC on the guest network, if I ping mail.mydomain.com, I get "pinging mail.mydomain.com [xxx.xxx.xxx.xxx]". The IP is one of our static public IP addresses provided by Comcast. I think the old modem must have had a 1-to-1 NAT mapped to our Exchange server's IP. The NAT is not listed on the Netgear modem. And I can't add it! When I try, the Netgear tells me it's an invalid IP address. Probably because it's not on the same subnet as the guest network. Crap!

Okay then... but why is mail working when I'm outside the building on the cellular network, home networks, etc.? You'd think mail would be calling the same external IP and without the NAT, it's finding the Exchange server anyway. I'm confused even more now.
ASKER CERTIFIED SOLUTION (Alan Hardisty, United Kingdom): [solution text available to members only]

SOLUTION: [solution text available to members only]
Here is my 2 cents.

You are not able to access your server because of simple DNS. You must make sure your mail.domain.com resolves to the internal IP address. If your wired network resolves properly to the server then you just have to make sure your DNS server is part of the configuration for your wireless access devices.

Example:

Wired LAN:  
Subnet: 192.168.1.50-254
Mask: 255.255.255.0
Gateway: 192.168.1.30
DNS1: 192.168.1.1
DNS2: 192.168.1.2

Wireless Device:
Router - Wired port (INTERNET/WAN) attached to the LAN.
WAN Config: Static
Device IP: 192.168.1.5
Mask: 255.255.255.0
Gateway: 192.168.1.30
DNS1: 192.168.1.1
DNS2: 192.168.1.2

DHCP Enabled
Subnet: 192.168.2.0-254
Mask: 255.255.255.0
Gateway: 192.168.1.30
DNS1: 192.168.1.1
DNS2: 192.168.1.2

Hope that helps!!!
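The thread's diagnosis turns on two questions: what does the name resolve to from the client's network, and does the edge device publish that address via 1-to-1 NAT and support NAT loopback (hairpinning)? The following Python script is an added example, not code from any post above, that encodes that reasoning and generalises it to the five cases a practitioner meets (inside address, unknown public address, external client, hairpin-capable edge, hairpin-incapable edge). All addresses, the `Edge` class, and the `diagnose`/`run_checks` helpers are constructed for illustration; the topology (LAN 192.168.1.0/24, guest 10.10.0.0/24, Exchange 192.168.1.20 published as 203.0.113.10) is assumed, not taken from the thread.

```python
"""Diagnose why a client may fail to reach a server that is published
behind the same internet edge (split DNS vs. NAT loopback).
Added example; all addresses are constructed documentation ranges."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import socket


@dataclass
class Edge:
    """One internet edge (cable modem/router) and what sits behind it."""
    inside: tuple            # networks behind this edge (guest and LAN VLANs)
    one_to_one: dict         # public IP -> internal IP (1-to-1 NAT map)
    supports_loopback: bool  # can it hairpin inside -> public IP -> inside?


def diagnose(client_ip, resolved_ip, edge):
    """Return (verdict, internal_ip, explanation).

    verdict is one of: direct, no-nat, external, hairpin, broken.
    internal_ip is the server's real address when the edge knows it.
    """
    client = ip_address(client_ip)
    target = ip_address(resolved_ip)
    client_inside = any(client in net for net in edge.inside)

    # Case 1: name already resolves to an inside address (split DNS is working);
    # only routing/firewall rules between the two VLANs matter now.
    if any(target in net for net in edge.inside):
        return ("direct", target,
                "resolves to an inside address; check inter-VLAN routing/firewall only")

    internal = edge.one_to_one.get(target)
    # Case 2: the public IP is not one this edge publishes; not a loopback problem.
    if internal is None:
        return ("no-nat", None,
                "resolves to a public IP with no 1-to-1 NAT on this edge; check DNS/NAT")
    # Case 3: client is out on the internet; inbound 1-to-1 NAT handles it.
    if not client_inside:
        return ("external", internal,
                "client is outside; inbound 1-to-1 NAT applies, no loopback needed")
    # Cases 4/5: client is inside and targets its own edge's public IP,
    # so the edge must loop the flow back (NAT hairpin).
    if edge.supports_loopback:
        return ("hairpin", internal,
                "client is inside and targets the public IP; edge hairpins the flow")
    return ("broken", internal,
            f"edge cannot loop back; hand out {internal} to inside clients via DNS "
            "(only if their network can route to it) or use an edge that supports loopback")


def tcp_reachable(host, port=443, timeout=3.0):
    """Live check to run from the affected network: does a TCP handshake complete?
    Not exercised offline; returns False on timeout or refusal."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample topology: LAN 192.168.1.0/24, guest 10.10.0.0/24,
# Exchange at 192.168.1.20 published as 203.0.113.10 via 1-to-1 NAT.
NETGEAR_LIKE = Edge(inside=(ip_network("192.168.1.0/24"), ip_network("10.10.0.0/24")),
                    one_to_one={ip_address("203.0.113.10"): ip_address("192.168.1.20")},
                    supports_loopback=False)
SMC_LIKE = Edge(NETGEAR_LIKE.inside, NETGEAR_LIKE.one_to_one, supports_loopback=True)


def run_checks():
    """Run the scenarios discussed in the thread; returns {scenario: verdict}."""
    return {
        "guest_to_public_no_loopback": diagnose("10.10.0.50", "203.0.113.10", NETGEAR_LIKE)[0],
        "guest_to_public_with_loopback": diagnose("10.10.0.50", "203.0.113.10", SMC_LIKE)[0],
        "cellular_to_public": diagnose("198.51.100.7", "203.0.113.10", NETGEAR_LIKE)[0],
        "lan_to_internal": diagnose("192.168.1.77", "192.168.1.20", NETGEAR_LIKE)[0],
        "guest_to_unknown_public": diagnose("10.10.0.50", "203.0.113.99", NETGEAR_LIKE)[0],
    }


if __name__ == "__main__":
    for scenario, verdict in run_checks().items():
        print(f"{scenario:32s} -> {verdict}")
```

The "external" case is why mail keeps working from cellular and home networks while failing on the guest VLAN: outside clients enter through the inbound 1-to-1 NAT, whereas inside clients resolving the same public address need the edge to hairpin. Note that the DNS override in the "broken" branch only helps if the guest network is allowed to route to the internal address, which a guest-isolation policy typically forbids.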
I thought the original poster's problem is that the router isolates the GUEST network from internal DNS addresses.  He could specify them all he wants, but the router's guest network, for security reasons, puts up a barrier between the office LAN and the guest LAN.  That's why he needs to access internal resources through the WAN in the first place.
The only thing that changed was the cable modem. Which I suppose is acting as a router for the guest network. So I'm guessing there's a setting I need to make that is now missing on the Netgear modem. Or the Netgear modem isn't capable of something the other modem (Cisco?) was.
What model of Netgear modem is it?

You might be better off replacing it with an industrial one if it's a cheapo 'home' type modem. More features and will probably fix your problem instantly.
It is a CG3000DCR. It is a "business class" modem provided by Comcast for our "business class" Internet account. It even has Comcast's name/logo plastered on it. That doesn't mean I can't go out and replace it, but if I can make what they provided work, all the better.
Suggestion on the following page is to remove 1-to-1 NAT and that should fix it:

http://forums.businesshelp.comcast.com/t5/Equipment-Modems-Gateways/Web-server-behind-Comcast-modem-Loopback-issue/m-p/18938

How you do it - I have no idea as I haven't found a manual (yet).

Alan
Thanks akahan - just helping someone with an Office 365 migration in the US - will RTFM later and post suggestions if someone doesn't beat me to it.
SOLUTION: [solution text available to members only]
Apparently removing the 1-to-1 NAT should - as per the link I posted earlier, but I haven't read the manual so who knows if that can be done.  Still in migration mode - back in a while.
Not sure I would want to be disabling NAT personally! Methinks it's time to get a different router.
This table showing a selection of routers that allow loopback may prove helpful:

http://opensimulator.org/wiki/NAT_Loopback_Routers
I can't turn off 1-to-1, as I have equipment on both my guest network and on my LAN that need to be accessed from the outside static public IPs. Such as a customer demo unit, my web/teleconference system, etc.

Looks like the Netgear is just an inferior unit to the previous model. I'll contact Comcast (again...) and see what I can do to get the modem changed. If they can't/won't, I will be forced to purchase my own.
Sorry :( Not sure what to recommend in terms of a replacement, being in a different country, but hopefully they will come up with something or you can find something that handles cable and doesn't hinder you.

Worst case a Cable Modem and a decent router should suffice.
"Worst case a Cable Modem and a decent router should suffice."

Yes, as long as the cable modem does not, itself, block loopback.
Trying to get a hold of a technician at Comcast who has a clue...
Usually an uphill struggle.  Hope you get lucky soon.
Well, much to my amazement, I called Comcast and they sent a tech out only a few hours later. Better yet, he brought with him a replacement modem. Out went the Netgear CG3000DCR and in went an SMC SMCD3G, which is the same model we used to have originally when everything worked fine.

And lo and behold... everything worked fine again!

So, yes... just to confirm; the Netgear modem was the cause of the problems. It seems that its features and capabilities are just not up to par with the SMC modem that Comcast also provides. Traffic from the Guest Network could not "loopback" through the Netgear modem to reach the Exchange server on the LAN. I am also able to set 1-to-1 NATs in different subnets, which the Netgear was incapable of doing.

Thank you for the thoughts and suggestions, which helped me understand the root of the problem and get Comcast to give me a modem that is actually worth a damn.
Glad you resolved the problem - shame that apparently nothing I said helped you in any way.
Sorry, Alan. I'm still new here at EE, so I'm not sure what the "protocols" are for voting for answers. I chose the answers that seemed to be the closest to what the actual problem/resolution was. That being the modem was incapable of supporting loopback.
I've requested moderator review, as I think Alan's response ID: 40676434 was correct - I was just putting it in "layman's terms" for the OP. I am fine with sharing credit w/Alan, or Alan getting full credit.
Replacing the modem with one that allows loopback was the solution.