WAN to other side of tunnel connection

JoeSch Posts: 4
First Comment
edited April 2021 in Security

I have a MS-Exchange Server running in local company network (
This one is connected via USG310 using NAT on port 443 to WAN/internet, where WAN is static IP.
Everything is fine and working.

Now I need to use a second Exchange Server in same local network.
Each Exchange Server is running on a separate machine, so inside my local network I can address both correct.
But I also need to access the second one from internet and it also should be available on the internet on port 443.
Unfortunately our ISP cannot give us a second IP for the WAN on this site.

So my suggested solution is:
Leave everything on the company site as is.
In home-office I use a USG200, this one is connected to internet as well, and also connect via ipsec-vpn to the company site.
Local network in home-office is and WAN is static IP.
The tunnel is working and I exchange data in both directions.
Now I want to use home-office port 443 from WAN and do a NAT to target IP on port 443 (second Exchange Server).

But I cannot reach the second Exchange server from home WAN.
What is wrong?

Thanks for your help.

All Replies

  • PeterUK
    PeterUK Posts: 2,758  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Are you doing a site to site setup?

    Is the logs showing any blocked traffic that you need to make a rule to allow?
  • JoeSch
    JoeSch Posts: 4
    First Comment
    Yes, it is a site-to-site setup.
    All traffic is allowed inside vpn tunnel (on both sides of firewall rules).
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,073  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @JoeSch

    In your scenario, you may adopt another port(e.q. 11111) to replace WAN external 443 port. 

    And add a NAT rule on your USG310 for second Exchange Server(e.q. WAN IP:11111 NAT to

    You can refer to the following KB tutorial about NAT port forwarding.


    Configuration > Network > NAT > Add a NAT rule and you can create a IP object named LAN_Web with IP address

    Cinfiguration > Security Policy > Policy > Add a “from WAN to LAN” policy 

  • JoeSch
    JoeSch Posts: 4
    First Comment
    Hi Zyxel_Jeff,

    thanks for your answer.
    But this is not working and therefore I need to use a second WAN-IP (home-office) and bring the SSL-port 443 through the tunnel.
    One reason is:
    When using a web-browser to access OWA (Outlook Web Access) on a port like you said 11111 then the second Exchange server redirects the port to 443 and this is the port of the first Exchange server.
    Also -I believe- it is not possible to configure an Outlook to access an Exchange server on another port than 443.

    So, do you have any Idea to use the second WAN-IP (Home-office) and to redirect the port 443 on this WAN through the tunnel as explained above?

    Thank you
  • JoeSch
    To give a better understanding - any ideas?

  • Blabababa
    Blabababa Posts: 151  Master Member
    First Anniversary Friend Collector First Answer First Comment
    Maybe you can try with policy route to redirect all packets "to Static Public IP 2"  to the VPN tunnel so that those packets will be forwarded to the Exchange Server located in Company network (172.16.x.x).

Security Highlight