(I’m tempted to just put an <EOM> here!)
I have to admit, I was skeptical that the AV edge server would actually work through NAT. The first I heard of NAT being supported was back in October on Jeff’s blog. But even in Jeff’s post, he pointed out some stuff that left room for uncertainty: "[NAT is] supported if the external firewall can be configured to filter inbound traffic with DNAT and outbound traffic can be configured with SNAT then. There is also a note that if ISA Server 2006 is used as the external firewall then this scenario may not work."
I looked through the docs and it seemed like there were too many "ifs" and hedges from MS here. "DNAT/SNAT blah blah". I wasn’t holding out much hope, but R2 came through in the clutch – it really does work. Not needing a public IP bound directly to the AV edge interface (the public address lives on the firewall doing the NAT) is a huge improvement.
Lesson learned about the Edge and NAT
The proof came last week when I was working with a client on an R2 edge server. This was the perfect test case because we had already tried NAT with R1 and, of course, it failed… So we were going to try it again with R2 – same firewall and everything.
As we went through the R2 Edge config, there was a little check box on the AV interface that said "This address will be NAT’d". Sweet! We checked the box…and… it failed. We were kinda puzzled, but the OCS error logs came to the rescue. The error log showed that the edge server was "unable to resolve ‘av.customer.com’ – using 10.x.x.x instead". That’s exactly what I didn’t want: the internal (private) IP being handed out to remote clients, who can’t reach it. The helpful hint, though, is that the edge was trying to resolve its own AV FQDN, "av.customer.com", to find out what address to advertise.
If you ask me, this is a bit odd. It would make more sense to me if OCS just had a parameter that said "external IP address of AV edge". But apparently not – it just does a lookup on the AV edge FQDN.
The client was using split-brain DNS and didn’t have a record for av.customer.com in the internal DNS zone, so the lookup failed and the edge fell back to its own 10.x interface address. So we added an A record. But listen up here: you want to add the PUBLIC (NAT) IP for av.customer.com in your DNS – even if it’s an internal DNS server that the edge itself queries. Apparently, this is the mechanism for the edge to figure out what IP to hand out to external clients for AV sessions: it resolves its own AV FQDN and advertises whatever comes back, so an internal record pointing at the private interface address is just as broken as no record at all.
- Check the "This address will be NAT’d" (use NAT) box in the AV edge configuration properties.
- Make sure your internal and external DNS A records for the AV edge FQDN both resolve to the public (NAT) address, not the edge’s private interface address.
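Because the failure mode here is silent (the edge happily advertises a 10.x address and remote AV just doesn’t work), it is worth scripting the check. The following PowerShell is an added example, not code from the original post or from Microsoft: it resolves the AV edge FQDN against each DNS server you name and flags any RFC 1918 answer or missing record. The values av.customer.com (from the post), 10.0.0.5 for the internal DNS server, 203.0.113.10 for the public NAT address and the name of the zone are placeholders to replace with your own; Resolve-DnsName needs the DnsClient module (Windows 8 / Server 2012 or later), while the dnscmd line at the bottom works on 2008-era DNS servers.

```powershell
# Added example (not from the original post). Checks that the A/V Edge FQDN
# resolves to a PUBLIC address from every DNS server the edge might consult,
# because the edge advertises whatever its own FQDN resolves to.
# Placeholder values (assumptions, replace with your own):
#   av.customer.com  - A/V Edge external FQDN (from the post)
#   10.0.0.5         - internal DNS server the edge queries
#   8.8.8.8          - an external resolver, to compare the public view
#   203.0.113.10     - public NAT address for the A/V Edge (documentation range)

function Test-Rfc1918Address {
    # True for 10/8, 172.16/12 and 192.168/16 (IPv4 only).
    param([Parameter(Mandatory)][System.Net.IPAddress]$Address)
    if ($Address.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $Address.GetAddressBytes()
    return (($b[0] -eq 10) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168))
}

function Test-AvEdgeExternalName {
    # Returns $true only if every listed DNS server answers with the expected
    # public address and nothing private; writes a warning for each problem.
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][string[]]$DnsServer,
        [Parameter(Mandatory)][System.Net.IPAddress]$ExpectedPublicIP
    )
    $ok = $true
    foreach ($server in $DnsServer) {
        try {
            # -DnsOnly skips LLMNR/NetBIOS and the local hosts file so we see
            # what the server itself returns, which is what the edge sees.
            $records = Resolve-DnsName -Name $Fqdn -Type A -Server $server -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'A' }
        } catch {
            # This is the case from the post: no record in the internal zone,
            # so the edge falls back to its own 10.x interface address.
            Write-Warning "$server : cannot resolve $Fqdn ($($_.Exception.Message)); edge would fall back to its NIC address"
            $ok = $false
            continue
        }
        if (-not $records) {
            Write-Warning "$server : no A record for $Fqdn"
            $ok = $false
            continue
        }
        foreach ($r in $records) {
            $ip = [System.Net.IPAddress]$r.IPAddress
            if (Test-Rfc1918Address $ip) {
                Write-Warning "$server : $Fqdn -> $ip is RFC 1918; remote clients would be handed an unreachable address"
                $ok = $false
            } elseif (-not $ip.Equals($ExpectedPublicIP)) {
                Write-Warning "$server : $Fqdn -> $ip is public but not the NAT address $ExpectedPublicIP"
                $ok = $false
            } else {
                Write-Host "$server : $Fqdn -> $ip OK"
            }
        }
    }
    return $ok
}

# Usage: compare the internal and external view of the A/V Edge name.
$public = [System.Net.IPAddress]'203.0.113.10'
if (-not (Test-AvEdgeExternalName -Fqdn 'av.customer.com' -DnsServer @('10.0.0.5', '8.8.8.8') -ExpectedPublicIP $public)) {
    Write-Host 'Fix the internal zone so av.customer.com resolves to the PUBLIC address, e.g. on a 2008-era DNS server:'
    Write-Host '  dnscmd 10.0.0.5 /RecordAdd customer.com av A 203.0.113.10'
    Write-Host 'or on Server 2012+:'
    Write-Host '  Add-DnsServerResourceRecordA -ComputerName 10.0.0.5 -ZoneName customer.com -Name av -IPv4Address 203.0.113.10'
}
```

Run it from the edge server itself (or any host that can reach both resolvers) after ticking the NAT box; the internal server should answer with the same 203.0.113.10 the Internet sees, and a 10.x answer or a lookup failure is exactly the condition that produced the "using 10.x.x.x instead" log entry above.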
Big improvement over R1.