RemoteApps - which port has to be enabled and can I change it somehow?


I'd like to ask for an advice - I've setup new Windows Server 2008 and this machine is behind ISA firewall.
Customer's network specialist configured on ISA server opened ports 80 and 443 for web access and port 3399 for remote administration via RDP (I don't know why 3399 instead of 3389, maybe to not use the default port number which could attract potential hacker's attention).

I installed Terminal Services together with TS Web Access and TS RemoteApps. Everything works fine through LAN and WAN except one thing: When I open TS Web Access from the Internet, I can see the page with published RemoteApps, but can not start any of them. There appears an error message stating something like "can not connect to remote server".
So I guess that RemoteApps communicate via port 3389, but I have no idea if this is correct information and if there are some additional ports in use, that must be enabled to allow RemoteApps to the Internet.

Thank you very much in advance
LVL 13
Who is Participating?
Keith AlabasterConnect With a Mentor Enterprise ArchitectCommented:
Firstly their statement is wrong. A publishing rule will not publish the internal IP address of a server. It can't. The reason being that it is ISA that is doing the publishing so that is going to be the destination of any inbound traffic that uses the rule. ISA accepts the traffic and then holds the connection through a session. ISA then initiates a connection from itself to the ip address/name of the internal server that has the service it wants to present to the outside. This being the case, ISA HAS to nat the internal address bu using its external interface IP address as the one that the outside would see.   I am guessing that they have ISA as a firewall/proxy server - two nics - as RDP cannot be published by ISA with only one nic.

take my advice and trust me - leave the internal TS stuff on 3389 and just make the external call to the from the client - much simpler than playing around with changing the inside listening ports.....especially if you want to add additional services later on.

No, the port change is unlikely to make any difference.

If the ISA is a 'black box appliance' install then you could have some issues here. Some real basic stuff for ISA that often catches people out are as follows:

1. Putting a default gateway on both ISA servers. Won't work and buggers things. It's not a network supported option and it certainly isn't supported by Microsoft or its products - including ISA. the DG should only be on the external NIC.
2. DNS. The ISA external nic should either have NO DNS at all or should be the internal DNS server ip addresses. ISA then always queries internal DNS and the internal DNS servers can use their forwarders to resolve outside requests.
3. The default gateway of ANY server that is being published by ISA MUST have its dg pointing back to ISA.


Keith AlabasterEnterprise ArchitectCommented:
Martin, the version of ISA server installed please?
Also, assuming it is ISA 2006, have you also installed the ISA2006 supportability pack and the ISA2006 SP1?

RDP runs on 3389 by default as you say but the ISA publishing rule will just redirect this as it passes through ISA to 3389 on the inside so that is very straight forward and common. Also, the RDP rule is quite basic and uses ip addressing to get to the internal server.

However, web/terminal services usually use names of the targets so DNS becomes a major issue to get it right.

please supply the output of an ipconfig /all of the ISA Server.

martin_babarikAuthor Commented:
Hello Keith,

thanks for your sophisticated response, good to see you know what you are talking about:-)

Now to answer your questions and provide some update:
1. Regarding ISA - this server is entirely blackbox for me. The customer gave me just 1 server in the middle of gillion firewalls (something like The Isle of Freedom - Cuba :-)). I'm not allowed to see any config information, not even to ask for it. But I suppose it's the most recent ISA version, as this company is very keen on having the most modern version of anything. You wouldn't find anything older on this network than Windows Server 2003 R2.

2. You gave me an important information regarding the names - that's correct, as I was experiencing problems when trying to connect to the server using it's IP address. Later I realized it's been given a public DNS name and the connection using this DNS name works fine (except the apps).
Yesterday night I receive an email from the network specialist trying to explain the following:
Both protocols (HTTPS and HTTP) are redirected on ISA server to your (my WS2008) server's internal IP address. There is no host header in use.
Neither web service nor terminal services is routed or NATed, but they are published on ISA server using Listener.
I will change the current 3399 port to 3389, but then it will have different IP address.
<end of qutation>

So now I don't know, if this is going to fix the problem with RemoteApps, but I hope so. I think I don't need to care about IP addresses, as users of the server will connect through DNS name anyway.
I also tried to change the terminal server settings to run on 3399 (currently allowed port) instead of default 3389, but didn't notice any change.

I don't want to bother you, as my question is very unclear - just wanted to verify if the planned change of port settings is gonna change something. What do you think?
Thank you very much

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

martin_babarikAuthor Commented:

thank you very much for this exhaustive amount of information that I should consider with my server setup.
It will take me some time to get myself oriented within given circumstances and your advices, but all you say makes sense and I have no reason to not trust your advices.
I appreciate your help and explanations.

All the best
Keith AlabasterEnterprise ArchitectCommented:
welcome - and we are always here if you need help later.

martin_babarikAuthor Commented:
Oh I see now, ISA MVP - that explains everything :-) I was always wondering how to get MVP, but never really understood what I have to do to be nominated...nevermind, maybe it will happen later. Now just to gain those $36.000 to pass MCM :-)
Thank you once again.

Keith AlabasterEnterprise ArchitectCommented:
lol - getting MVP status is not down to you to get but for others to nominate you. Microsoft assess the number of  recommendations you get from other people or organisations and the first you will know about it is when you get the email telling you.

martin_babarikAuthor Commented:
Sorry, my note sounds stupid - I understand MVP awards are not given for some exams or "because I want":-)
Just wanted to say that it would be nice to get it sometimes, but at the moment I really don't think I'm the one who should be awarded, don't worry:-)
Keith AlabasterEnterprise ArchitectCommented:
hehehe - not stupid at all. Am sure you will get there - just takes some time and some good luck to get noticed.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.