RemoteApps - which port has to be enabled and can I change it somehow?

Posted on 2009-05-15
Last Modified: 2012-05-07

I'd like to ask for some advice - I've set up a new Windows Server 2008 and this machine is behind an ISA firewall.
The customer's network specialist configured the ISA server to open ports 80 and 443 for web access and port 3399 for remote administration via RDP (I don't know why 3399 instead of 3389, maybe to avoid the default port number, which could attract a potential hacker's attention).

I installed Terminal Services together with TS Web Access and TS RemoteApps. Everything works fine through LAN and WAN except one thing: when I open TS Web Access from the Internet, I can see the page with the published RemoteApps, but cannot start any of them. An error message appears stating something like "cannot connect to remote server".
So I guess that RemoteApps communicate via port 3389, but I have no idea if this is correct, or whether there are some additional ports in use that must be enabled to allow RemoteApps from the Internet.

Thank you very much in advance
Question by: martin_babarik
LVL 51

Expert Comment

by:Keith Alabaster
ID: 24401725
Martin, which version of ISA Server is installed, please?
Also, assuming it is ISA 2006, have you also installed the ISA 2006 Supportability Pack and ISA 2006 SP1?

RDP runs on 3389 by default, as you say, but the ISA publishing rule will just redirect this as it passes through ISA to 3389 on the inside, so that is very straightforward and common. Also, the RDP rule is quite basic and uses IP addressing to get to the internal server.

However, web/terminal services usually use the names of the targets, so DNS becomes a major issue to get right.

Please supply the output of an ipconfig /all from the ISA Server.

LVL 13

Author Comment

ID: 24401960
Hello Keith,

thanks for your sophisticated response, good to see you know what you are talking about :-)

Now to answer your questions and provide some update:
1. Regarding ISA - this server is entirely a black box for me. The customer gave me just one server in the middle of a gazillion firewalls (something like The Isle of Freedom - Cuba :-)). I'm not allowed to see any config information, not even to ask for it. But I suppose it's the most recent ISA version, as this company is very keen on having the most modern version of anything. You wouldn't find anything older on this network than Windows Server 2003 R2.

2. You gave me an important piece of information regarding the names - that's correct, as I was experiencing problems when trying to connect to the server using its IP address. Later I realized it had been given a public DNS name, and the connection using this DNS name works fine (except the apps).
Yesterday night I received an email from the network specialist trying to explain the following:
Both protocols (HTTPS and HTTP) are redirected on the ISA server to your (my WS2008) server's internal IP address. There is no host header in use.
Neither the web service nor terminal services is routed or NATed, but they are published on the ISA server using a Listener.
I will change the current 3399 port to 3389, but then it will have a different IP address.
<end of quotation>

So now I don't know if this is going to fix the problem with RemoteApps, but I hope so. I think I don't need to care about IP addresses, as users of the server will connect through the DNS name anyway.
I also tried changing the terminal server settings to run on 3399 (the currently allowed port) instead of the default 3389, but didn't notice any change.

I don't want to bother you, as my question is very unclear - I just wanted to verify if the planned change of port settings is going to change something. What do you think?
Thank you very much

LVL 51

Accepted Solution

Keith Alabaster earned 500 total points
ID: 24402506
Firstly, their statement is wrong. A publishing rule will not publish the internal IP address of a server. It can't. The reason being that it is ISA that is doing the publishing, so that is going to be the destination of any inbound traffic that uses the rule. ISA accepts the traffic and then holds the connection through a session. ISA then initiates a connection from itself to the IP address/name of the internal server that has the service it wants to present to the outside. This being the case, ISA HAS to NAT the internal address by using its external interface IP address as the one that the outside would see. I am guessing that they have ISA as a firewall/proxy server - two NICs - as RDP cannot be published by ISA with only one NIC.

Take my advice and trust me - leave the internal TS stuff on 3389 and just make the external call to the from the client - much simpler than playing around with changing the inside listening ports... especially if you want to add additional services later on.

No, the port change is unlikely to make any difference.

If the ISA is a 'black box appliance' install then you could have some issues here. Some real basic stuff for ISA that often catches people out is as follows:

1. Putting a default gateway on both ISA NICs. Won't work and buggers things. It's not a network-supported option and it certainly isn't supported by Microsoft or its products - including ISA. The DG should only be on the external NIC.
2. DNS. The ISA external NIC should either have NO DNS at all or should use the internal DNS server IP addresses. ISA then always queries internal DNS, and the internal DNS servers can use their forwarders to resolve outside requests.
3. The default gateway of ANY server that is being published by ISA MUST have its DG pointing back to ISA.
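The thread's core question is which port the RemoteApp launch will actually use once the TS Web Access page hands an .rdp definition to the client. The following is an added example, not code from the original thread, from Microsoft or from ISA Server: it parses the `name:type:value` lines of an .rdp file, works out the host and TCP port the client will dial (3389 when nothing else is specified, `server port:i:` or a `host:port` form of `full address:s:` otherwise), and offers a plain TCP connect check you can run from a client outside the firewall to confirm the publishing rule passes that port. The sample .rdp contents, the host name `ts.example.test` and the program name are constructed placeholders; the precedence rule between `full address` and `server port`, and the reading of `gatewayusagemethod` values 1 and 2 as "TS Gateway in use", are assumptions made here.

```python
"""Added example (not from the original thread): determine which TCP port a
RemoteApp launched from TS Web Access connects to, from its .rdp settings,
and optionally probe that port from the client side."""

import socket

DEFAULT_RDP_PORT = 3389
TS_GATEWAY_PORT = 443  # TS Gateway tunnels RDP over HTTPS

# Constructed sample: the kind of .rdp content a RemoteApp link hands to the
# client. Host and program names are placeholders, not values from the thread.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:ts.example.test
server port:i:3389
remoteapplicationmode:i:1
remoteapplicationprogram:s:||wordpad
gatewayusagemethod:i:0
"""


def parse_rdp(text):
    """Parse .rdp 'name:type:value' lines into a dict of name -> value.

    Types: 's' string, 'i' integer, 'b' binary (kept as its raw hex text).
    Malformed lines are skipped rather than raising, because real .rdp files
    often carry settings a parser does not know about.
    """
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue
        name, kind, value = parts
        if kind == "i":
            try:
                settings[name] = int(value)
            except ValueError:
                continue
        else:
            settings[name] = value
    return settings


def target_endpoint(settings):
    """Return (host, port) the RDP client dials for these settings.

    Assumption made here: a port written as 'host:port' in 'full address'
    wins over 'server port'; with neither present the client uses 3389.
    """
    address = settings.get("full address", "")
    host, sep, port_text = address.rpartition(":")
    if sep and port_text.isdigit():
        return host, int(port_text)
    return address, settings.get("server port", DEFAULT_RDP_PORT)


def firewall_requirement(settings):
    """Return (host, port) that must be reachable from the Internet.

    Assumption made here: gatewayusagemethod 1 (always) or 2 (if direct
    fails) means the client reaches the TS Gateway on 443 instead of the
    terminal server directly; anything else means a direct RDP connection.
    """
    if settings.get("gatewayusagemethod", 0) in (1, 2):
        return settings.get("gatewayhostname", ""), TS_GATEWAY_PORT
    return target_endpoint(settings)


def probe_tcp(host, port, timeout=3.0):
    """Plain TCP connect from this machine's vantage point.

    Returns True if the handshake completes, False on refusal or timeout.
    Run from outside ISA to confirm the publishing rule passes the port,
    and from the LAN to confirm the TS listener itself is up.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    settings = parse_rdp(SAMPLE_RDP)
    host, port = firewall_requirement(settings)
    print(f"RemoteApp will connect to {host}:{port}")
    print(f"reachable from here: {probe_tcp(host, port)}")
```

Running the block against an .rdp file saved from the published web page (instead of `SAMPLE_RDP`) tells you whether the firewall rule needs 3389, a custom port, or 443 for a gateway, before touching any listener settings on the terminal server.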



LVL 13

Author Closing Comment

ID: 31582018

Thank you very much for this exhaustive amount of information that I should consider in my server setup.
It will take me some time to get myself oriented within the given circumstances and your advice, but all you say makes sense and I have no reason not to trust your advice.
I appreciate your help and explanations.

All the best
LVL 51

Expert Comment

by:Keith Alabaster
ID: 24402712
Welcome - and we are always here if you need help later.

LVL 13

Author Comment

ID: 24402925
Oh, I see now, ISA MVP - that explains everything :-) I was always wondering how to get MVP, but never really understood what I have to do to be nominated... never mind, maybe it will happen later. Now just to gain those $36.000 to pass MCM :-)
Thank you once again.

LVL 51

Expert Comment

by:Keith Alabaster
ID: 24403031
lol - getting MVP status is not down to you to get, but for others to nominate you. Microsoft assesses the number of recommendations you get from other people or organisations, and the first you will know about it is when you get the email telling you.

LVL 13

Author Comment

ID: 24403082
Sorry, my note sounds stupid - I understand MVP awards are not given for some exams or "because I want" :-)
I just wanted to say that it would be nice to get it sometime, but at the moment I really don't think I'm the one who should be awarded, don't worry :-)
LVL 51

Expert Comment

by:Keith Alabaster
ID: 24403548
hehehe - not stupid at all. Am sure you will get there - just takes some time and some good luck to get noticed.
