Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 3 replies
  • Subscribers 26 subscribers
  • Views 6152 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG Blocking Office 365 Migration

Leebtish

Hi all,

We're currently experiencing and issue where our XG230 is blocking a migration of public folders to Office 365 from on premise Exchange 2010. The migration works if we place a DNAT rule using port 443 that forwards to our exchange. The only way we can get this to work is if we allow "any" on the source client network.

The problem is, this rule stops all our WAF rules that are using port 443. I assume this is because we are telling any traffic on port 443 to forward to our exchange server. 

If we move the DNAT rule below the WAF rules, then the website traffic is fine but the DNAT rule stops working.I don't quite understand this though as our WAF rules state that traffic destined for a particular web site should be forwarded to the relevant web server and the office 365 traffic is not destined for our web servers.

If we place the DNAT rule above the WAF rules and narrow down the allowed client networks to the relevant Microsoft IP ranges then WAF rules work but the Office 365 migration stops. We are allowing the correct domains and IP ranges from Microsoft according to their documentation so perhaps we're doing something wrong here.

Any suggestions?

Thanks!



This thread was automatically locked due to age.
Parents
  • +1

    Hi Leebtish,

    Check #1.2 in my troubleshooting guide and PM me the drop packet capture log lines, it will consists a drop reason and the IP that is dropped. If you find any particular IP or service port getting dropped you can add them in the allowed list of the DNAT rule.

    Hope that helps,

  • 0 in reply to sachingurung

    Hi there,

    Thanks for the information. Unfortunately every time I have tried to run drop-packet capture I get no information. The command executes but I see nothing. I don't think I'm the only one that has this issue. I have run a tcpdcump on the destination host and there are no dropped packets.

    Thanks

  • +1 in reply to Leebtish

    Hi there,

    Well I feel a bit sheepish. I provided access to any network for the DNAT rule and checked the firewall logs to confirm what the source IP was from Microsoft. I then checked the hosts I had set up to restrict access and the IP address was not listed. So after re-checking the Microsoft URL and IP address article I realised that it was listing networks and not single IPs which in hindsight makes complete sense form Microsoft's point of view :)

    I then realised I could add a network into the DNAT rule and not just and IP address or IP range. As soon as I entered the correct Microsoft IP as a network address it worked fine.

    Apologies for wasting your time but maybe someone might find this useful.

    Thanks for the help!

    Lee

Reply
  • +1 in reply to Leebtish

    Hi there,

    Well I feel a bit sheepish. I provided access to any network for the DNAT rule and checked the firewall logs to confirm what the source IP was from Microsoft. I then checked the hosts I had set up to restrict access and the IP address was not listed. So after re-checking the Microsoft URL and IP address article I realised that it was listing networks and not single IPs which in hindsight makes complete sense form Microsoft's point of view :)

    I then realised I could add a network into the DNAT rule and not just and IP address or IP range. As soon as I entered the correct Microsoft IP as a network address it worked fine.

    Apologies for wasting your time but maybe someone might find this useful.

    Thanks for the help!

    Lee

Children
No Data