configuration for hub tunnels in a NAT environment

Article ID: 280171

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

How should hubs be configured in order to support UIM tunnels between hubs in an environment using NAT (Network Address Translation)?

Resolution

When NAT is present in an environment, there are a few special considerations for UIM hub-to-hub tunnels that should be taken into account in order to accommodate the NAT IP addresses.

The following describes the configuration needed for either a tunnel server or a tunnel client behind NAT; a tunnel with NAT on both ends is configured by applying both sets of recommendations.

How does NAT impact UIM tunnels?

Normally, a tunnel server listens for connections on port 48003, and tunnel clients connect outbound to that port to establish tunnel connections. The presence of NAT in an environment means two things in the context of UIM tunnels:

1. Tunnel clients will be connecting to an "external" or "public" IP, but the tunnel server itself is listening on an "internal" IP.  Clients connecting to the public IP may experience issues if the server certificate (used to verify the identity of the tunnel server) is issued to the internal/private IP address while the clients are connecting to the external/public address.

2. The tunnel server, when receiving incoming connections from clients that are behind a firewall/NAT, may reject incoming connections if the client certificate being used to authenticate the connection does not match with the IP address the connection is coming from.

Tunnel Server Behind NAT

If the tunnel server is behind NAT, so that the tunnel client is connecting to a public/external IP, the tunnels should be configured as follows:

1. Only DNAT or "destination NAT" is supported here; in other words, a simple "port forwarding" setup, where traffic to port 48003 on the public/external IP is forwarded directly to the same port on the internal IP.
2. On each tunnel client that connects to the NAT address, ensure the "check server common name" box is unchecked on the tunnel client, so that the client does not reject the server certificate due to an IP mismatch between the certificate and the public IP.

Tunnel Client behind NAT

If the tunnel client is behind NAT, then you must ensure the following:

1. The client certificate should be issued with a common name of * (asterisk) or the public IP address of the intended client; the below screenshot example shows a wildcard/asterisk certificate, but you could put the public IP address of the client (in other words, the firewall or egress IP) if desired.

2. "Disable IP Validation" should be checked at the tunnel server so the tunnel server does not reject the client's connection attempts due to a mismatched IP.
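The two identity checks described above (the client's "check server common name" test and the server's IP validation of the client certificate) can be worked through before a tunnel is brought up. The following preflight script is an added example written for this article, not Broadcom's or the UIM hub's own code; it assumes the checks behave as the article describes (an exact match between the certificate common name and the observed address, or a wildcard `*`), and all IP addresses in it are constructed.

```python
"""Preflight check for UIM hub tunnel certificates across NAT.

Models the two checks the article describes: the tunnel client's
"check server common name" test against the address it dials, and the
tunnel server's IP validation of the client certificate against the
source address it sees. Exact-match-or-wildcard matching is an assumption
based on the article; the addresses below are constructed examples.
"""

TUNNEL_PORT = 48003  # the port DNAT must forward unchanged to the internal IP


def cn_matches(cert_cn: str, observed_addr: str) -> bool:
    """A common name of '*' matches any address; otherwise the certificate
    must be issued to exactly the address the peer observes."""
    return cert_cn == "*" or cert_cn == observed_addr


def client_accepts_server(server_cn, connect_addr, check_server_common_name=True):
    """Client side: with the box checked, the server certificate CN must match
    the address the client dialed (the public IP when the server is DNATed)."""
    return (not check_server_common_name) or cn_matches(server_cn, connect_addr)


def server_accepts_client(client_cn, source_addr, disable_ip_validation=False):
    """Server side: unless IP validation is disabled, the client certificate CN
    must match the source IP the server sees (the egress IP under NAT)."""
    return disable_ip_validation or cn_matches(client_cn, source_addr)


def preflight(server_cn, client_dials, client_cn, server_sees,
              check_server_common_name=True, disable_ip_validation=False):
    """Return the findings an admin must act on; an empty list means both
    checks pass with the given certificates and settings."""
    findings = []
    if not client_accepts_server(server_cn, client_dials, check_server_common_name):
        findings.append(f"client will reject server cert CN={server_cn!r} when "
                        f"dialing {client_dials}: uncheck 'check server common name'")
    if not server_accepts_client(client_cn, server_sees, disable_ip_validation):
        findings.append(f"server will reject client cert CN={client_cn!r} from "
                        f"{server_sees}: issue the client cert with CN '*' or "
                        f"{server_sees}, or check 'Disable IP Validation'")
    return findings


if __name__ == "__main__":
    # Constructed NAT on both ends: server cert issued to its private IP while
    # the client dials the public IP; client cert issued to its private IP while
    # the server sees the firewall's egress IP. Both checks fail as configured.
    for finding in preflight("10.0.0.5", "203.0.113.10", "192.168.1.20", "198.51.100.7"):
        print(finding)
```

Note that unchecking "check server common name" or checking "Disable IP Validation" removes the address-to-certificate binding on that side, so the remaining certificate trust (the CA the hubs exchange) is what identifies the peer.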