
XG Blocking Office 365 Migration

Hi all,

We're currently experiencing an issue where our XG230 is blocking a migration of public folders to Office 365 from on-premises Exchange 2010. The migration works if we place a DNAT rule using port 443 that forwards to our Exchange server. The only way we can get this to work is if we allow "any" on the source client network.

The problem is, this rule stops all our WAF rules that are using port 443. I assume this is because we are telling any traffic on port 443 to forward to our Exchange server.

If we move the DNAT rule below the WAF rules, then the website traffic is fine but the DNAT rule stops working. I don't quite understand this though, as our WAF rules state that traffic destined for a particular web site should be forwarded to the relevant web server and the Office 365 traffic is not destined for our web servers.

If we place the DNAT rule above the WAF rules and narrow down the allowed client networks to the relevant Microsoft IP ranges then WAF rules work but the Office 365 migration stops. We are allowing the correct domains and IP ranges from Microsoft according to their documentation so perhaps we're doing something wrong here.

Any suggestions?

Thanks!



  • Hi there,

    Thanks for the information. Unfortunately every time I have tried to run drop-packet capture I get no information. The command executes but I see nothing. I don't think I'm the only one that has this issue. I have run a tcpdump on the destination host and there are no dropped packets.

    Thanks

  • Hi there,

    Well I feel a bit sheepish. I provided access to any network for the DNAT rule and checked the firewall logs to confirm what the source IP was from Microsoft. I then checked the hosts I had set up to restrict access and the IP address was not listed. So after re-checking the Microsoft URL and IP address article I realised that it was listing networks and not single IPs, which in hindsight makes complete sense from Microsoft's point of view :)

    I then realised I could add a network into the DNAT rule and not just an IP address or IP range. As soon as I entered the correct Microsoft IP as a network address it worked fine.

    Apologies for wasting your time but maybe someone might find this useful.

    Thanks for the help!

    Lee
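
The mismatch described in the final reply can be checked offline, as an added example that is not part of the original thread: it compares source IPs taken from firewall log lines against a published allow-list read once as single hosts (the misreading) and once as CIDR networks. The addresses are RFC 5737 documentation ranges standing in for the vendor's list, and the `src_ip=` log layout and all function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed allow-list: RFC 5737 documentation ranges, not real Microsoft networks.
PUBLISHED = ["192.0.2.0/24", "198.51.100.128/25", "203.0.113.7"]

# Constructed log lines in a generic key=value layout (not a real XG log format).
SAMPLE_LOG = """\
action=allow src_ip=192.0.2.57 dst_port=443
action=allow src_ip=198.51.100.200 dst_port=443
action=allow src_ip=198.51.100.5 dst_port=443
action=allow src_ip=203.0.113.7 dst_port=443
"""


def as_hosts(entries):
    """The misreading: keep only the address part and drop the prefix length."""
    return {ipaddress.ip_address(e.split("/")[0]) for e in entries}


def as_networks(entries):
    """The intended reading: every entry is a network (a bare IP becomes a /32).
    strict=True raises ValueError if an entry has host bits set, catching typos."""
    return [ipaddress.ip_network(e, strict=True) for e in entries]


def source_ips(log_text):
    """Extract every src_ip value from the log text, in order."""
    return [ipaddress.ip_address(m) for m in re.findall(r"\bsrc_ip=(\S+)", log_text)]


def audit(log_text, entries):
    """Return (ip, matched_as_host, covering_network_or_None) per logged source."""
    hosts, nets = as_hosts(entries), as_networks(entries)
    rows = []
    for ip in source_ips(log_text):
        net = next((n for n in nets if ip in n), None)
        rows.append((str(ip), ip in hosts, str(net) if net else None))
    return rows


if __name__ == "__main__":
    for ip, host_ok, net in audit(SAMPLE_LOG, PUBLISHED):
        if net and not host_ok:
            verdict = f"in {net}, but a host-only rule would drop it"
        elif net:
            verdict = f"allowed either way ({net})"
        else:
            verdict = "not in any published network; keep blocked"
        print(f"{ip:16} {verdict}")
```

A source that is covered by a network but fails the host match is the case from the thread; a source with no covering network is one the narrowed DNAT rule should keep rejecting.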