TL;DR: Is it possible to install some kind of local KMS activation proxy, so that the clients only talk to the proxy, and the proxy forwards the activation request to a KMS server which cannot be reached by the clients themselves?
At our university, we provide two client pools for our students: a hardware pool with 50 Win7 clients, and a virtual VMware View pool with Win8.1 clients. VMware View does not support MAK activation, so we have to use KMS - we want to use KMS activation in the hardware pool as well. These pools are using an IP address pool that cannot access the outside, only ports 80 and 443 through a web proxy.
Due to a cooperation between the universities in our state, there is one university which is registered with Microsoft, and all other universities are using their licences. This university has a KMS server which we could use, and they do not want us to set up our own KMS server - they say Microsoft does not like to have too many KMS servers in the same licensed organisation.
So what we want to do: our clients, in a private subnet and blocked from the outside world with the exception of HTTP/HTTPS, want to communicate with the KMS server of another institution - since they provide the KMS server for different institutions, I don't think they would accept changing their KMS ports...
What I can do is to put a kind of gateway server in the middle - one foot in the internet, one foot in the private client net, and this "proxy" could then take the activation requests from the clients and pass them to the external KMS server.
Is this somehow possible? The only thing I read about proxies in combination with Win licensing is a proxy activation for MAK keys... But this does not help.
I finally created my own virtual KMS proxy appliance: simple Debian, one NIC in the internal net, one to the outside world. Configured iptables to forward to the external KMS server, enabled NAT.
Now I only have to publish a new route to the external KMS server through this proxy, and activation is working fine.
I am still looking forward to our new network infrastructure...
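A sketch of the forward-and-NAT setup described in the post, as an added example that is not part of the original post or the poster's actual ruleset. It narrows forwarding to the one KMS flow so the gateway does not become a general way around the web-proxy-only egress policy. The interface names, client subnet and KMS address are placeholders supplied by the caller, and TCP 1688 is assumed as the KMS port (the service's default).

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a single-purpose KMS gateway.
# Nothing is applied here; the function only prints rules for review.
KMS_PORT=1688   # assumption: the remote KMS host listens on the default port

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0..255
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# is_cidr NET: succeed only for IPv4/prefix with prefix 0..32
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    prefix=${1##*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#prefix}" -le 2 ] && [ "$prefix" -le 32 ] && is_ipv4 "${1%/*}"
}

# kms_gateway_rules INT_IF EXT_IF CLIENT_NET KMS_IP
kms_gateway_rules() {
    int_if=$1 ext_if=$2 client_net=$3 kms_ip=$4
    for ifname in "$int_if" "$ext_if"; do
        case "$ifname" in ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $ifname" >&2; return 2 ;; esac
    done
    is_cidr "$client_net" || { echo "bad client subnet: $client_net" >&2; return 2; }
    is_ipv4 "$kms_ip"     || { echo "bad KMS address: $kms_ip" >&2; return 2; }
    flow="-s $client_net -d $kms_ip/32 -p tcp --dport $KMS_PORT"
    # FORWARD defaults to DROP: only new client->KMS connections and their replies pass.
    # INPUT/OUTPUT are left at ACCEPT here; the gateway's own host policy is out of scope.
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $int_if -o $ext_if $flow -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $ext_if $flow -j MASQUERADE
COMMIT
EOF
}
```

For example, `kms_gateway_rules eth1 eth0 10.0.0.0/24 192.0.2.10` prints a ruleset that can be reviewed and then loaded with `iptables-restore`, which replaces the existing filter and nat tables. The kernel also needs `net.ipv4.ip_forward=1`, and the clients need the route to the KMS address via the gateway that the post mentions.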