SSL settings set on external ports do not seem to apply to external client requests.

  • 7008092
  • 10-Mar-2011
  • 26-Apr-2012

Environment

Novell GroupWise 8

Situation

Using C1 (ConsoleOne), you configure a POA under GroupWise | Network Address so that, for instance, External C/S is set to require SSL, whilst Internal is set to Disabled. When you test an external client login, you are not prompted to accept a certificate, and the connection is not secured.

Resolution

By current design, the POA treats a client login request as external only when the source IP address in the incoming datagram differs from the IP address the client itself reports. This covers only the scenario in which you are located within a network that changes your client IP address via some kind of NAT service before the request reaches the corporate firewall, which then redirects it to the internal servers.
 
However, in the following scenario:

1. Your workstation is within a network that reaches the external (public) IP address of the corporate firewall via routing only; no NAT is involved.

2. The public IP address assigned on the firewall is the one you specified as the external IP address on your POA object.

3. The firewall redirects your external IP request to the internal IP address of your PO server. Even if the redirection done by the firewall also involves an address translation external IP:port -> internal IP:port of the POA, this does not change or affect the original IP address of the client.

such a login request is considered internal by the POA, because your original client IP address was never changed on its way to the POA.

A few proposals have been made to our engineering team on how to better cover situations where the client's IP address is not changed on its way to the POA but comes from a network IP range outside the corporate network located behind the firewall.
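
The classification described above can be modelled to see which client paths end up without SSL. This is an added example, not Novell's code: the function names, the corporate range and all addresses are constructed for illustration, and the range-based check is only one assumed reading of the proposals mentioned.

```python
import ipaddress

# Constructed sample values (RFC 1918 / RFC 5737 ranges), not taken from the article.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# scenario name -> (IP address the client reports, source IP seen in the datagram)
SCENARIOS = {
    "lan": ("10.1.2.3", "10.1.2.3"),               # internal workstation
    "nat": ("192.168.1.20", "203.0.113.7"),        # remote client behind NAT
    "routed": ("198.51.100.25", "198.51.100.25"),  # remote client, routing only, no NAT
}


def current_is_external(claimed_ip, datagram_src_ip):
    """Model of the documented design: a login is external only when the
    datagram source differs from the address the client reports."""
    return ipaddress.ip_address(claimed_ip) != ipaddress.ip_address(datagram_src_ip)


def range_based_is_external(datagram_src_ip, corporate_nets=CORPORATE_NETS):
    """Assumed form of the proposed behaviour: a login is external when the
    source address lies outside every corporate range."""
    src = ipaddress.ip_address(datagram_src_ip)
    return not any(src in net for net in corporate_nets)


def ssl_setting(is_external, external="Required", internal="Disabled"):
    """SSL setting applied, using the configuration from the Situation section."""
    return external if is_external else internal


def evaluate(scenarios=SCENARIOS):
    """Return {name: (setting under current design, setting under range check)}."""
    return {
        name: (ssl_setting(current_is_external(claimed, src)),
               ssl_setting(range_based_is_external(src)))
        for name, (claimed, src) in scenarios.items()
    }


def unprotected_external(scenarios=SCENARIOS):
    """Scenarios that originate outside the corporate ranges but are still
    handled with the internal SSL setting under the current design."""
    return [name for name, (cur, ranged) in evaluate(scenarios).items()
            if cur == "Disabled" and ranged == "Required"]


if __name__ == "__main__":
    for name, settings in evaluate().items():
        print(name, settings)
    print("external but treated as internal:", unprotected_external())
```

Only the routed, no-NAT client is handled with the internal setting while originating outside the corporate range, which matches the behaviour reported in the Situation section.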