Prizm behind NAT firewall

We would like to run our Prizm Server behind a firewall, like we do with our SNMPc server. We NAT the internal IP of the server to the firewall, but it wont communicate with the APs or SMs. This is a Fortinet firewall we are running. Im not a firewall guy, but our network manager is and he set it up in a way that should have worked, but for whatever reason, it doesnt.

The only thing I can figure is its got to do with the MAC that the units see, their ARP tables show the MAC of the outside interface of the firewall assosiated with the IP of the Prizm Server, So i was wondering if that affects the whole canopy MAC based licensing thing.

Why do you want the prism machine behind NAT? Are you trying to firewall it?