RemoteApps - which port has to be enabled and can I change it somehow?
Hello,
I'd like to ask for an advice - I've setup new Windows Server 2008 and this machine is behind ISA firewall.
Customer's network specialist configured on ISA server opened ports 80 and 443 for web access and port 3399 for remote administration via RDP (I don't know why 3399 instead of 3389, maybe to not use the default port number which could attract potential hacker's attention).
I installed Terminal Services together with TS Web Access and TS RemoteApps. Everything works fine through LAN and WAN except one thing: When I open TS Web Access from the Internet, I can see the page with published RemoteApps, but can not start any of them. There appears an error message stating something like "can not connect to remote server".
So I guess that RemoteApps communicate via port 3389, but I have no idea if this is correct information and if there are some additional ports in use, that must be enabled to allow RemoteApps to the Internet.
Thank you very much in advance
Martin
I'd like to ask for an advice - I've setup new Windows Server 2008 and this machine is behind ISA firewall.
Customer's network specialist configured on ISA server opened ports 80 and 443 for web access and port 3399 for remote administration via RDP (I don't know why 3399 instead of 3389, maybe to not use the default port number which could attract potential hacker's attention).
I installed Terminal Services together with TS Web Access and TS RemoteApps. Everything works fine through LAN and WAN except one thing: When I open TS Web Access from the Internet, I can see the page with published RemoteApps, but can not start any of them. There appears an error message stating something like "can not connect to remote server".
So I guess that RemoteApps communicate via port 3389, but I have no idea if this is correct information and if there are some additional ports in use, that must be enabled to allow RemoteApps to the Internet.
Thank you very much in advance
Martin
ASKER
Hello Keith,
thanks for your sophisticated response, good to see you know what you are talking about:-)
Now to answer your questions and provide some update:
1. Regarding ISA - this server is entirely blackbox for me. The customer gave me just 1 server in the middle of gillion firewalls (something like The Isle of Freedom - Cuba :-)). I'm not allowed to see any config information, not even to ask for it. But I suppose it's the most recent ISA version, as this company is very keen on having the most modern version of anything. You wouldn't find anything older on this network than Windows Server 2003 R2.
2. You gave me an important information regarding the names - that's correct, as I was experiencing problems when trying to connect to the server using it's IP address. Later I realized it's been given a public DNS name and the connection using this DNS name works fine (except the apps).
Yesterday night I receive an email from the network specialist trying to explain the following:
<quote>
Both protocols (HTTPS and HTTP) are redirected on ISA server to your (my WS2008) server's internal IP address. There is no host header in use.
Neither web service nor terminal services is routed or NATed, but they are published on ISA server using Listener.
I will change the current 3399 port to 3389, but then it will have different IP address.
<end of qutation>
So now I don't know, if this is going to fix the problem with RemoteApps, but I hope so. I think I don't need to care about IP addresses, as users of the server will connect through DNS name anyway.
I also tried to change the terminal server settings to run on 3399 (currently allowed port) instead of default 3389, but didn't notice any change.
I don't want to bother you, as my question is very unclear - just wanted to verify if the planned change of port settings is gonna change something. What do you think?
Thank you very much
Martin
thanks for your sophisticated response, good to see you know what you are talking about:-)
Now to answer your questions and provide some update:
1. Regarding ISA - this server is entirely blackbox for me. The customer gave me just 1 server in the middle of gillion firewalls (something like The Isle of Freedom - Cuba :-)). I'm not allowed to see any config information, not even to ask for it. But I suppose it's the most recent ISA version, as this company is very keen on having the most modern version of anything. You wouldn't find anything older on this network than Windows Server 2003 R2.
2. You gave me an important information regarding the names - that's correct, as I was experiencing problems when trying to connect to the server using it's IP address. Later I realized it's been given a public DNS name and the connection using this DNS name works fine (except the apps).
Yesterday night I receive an email from the network specialist trying to explain the following:
<quote>
Both protocols (HTTPS and HTTP) are redirected on ISA server to your (my WS2008) server's internal IP address. There is no host header in use.
Neither web service nor terminal services is routed or NATed, but they are published on ISA server using Listener.
I will change the current 3399 port to 3389, but then it will have different IP address.
<end of qutation>
So now I don't know, if this is going to fix the problem with RemoteApps, but I hope so. I think I don't need to care about IP addresses, as users of the server will connect through DNS name anyway.
I also tried to change the terminal server settings to run on 3399 (currently allowed port) instead of default 3389, but didn't notice any change.
I don't want to bother you, as my question is very unclear - just wanted to verify if the planned change of port settings is gonna change something. What do you think?
Thank you very much
Martin
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Keith,
thank you very much for this exhaustive amount of information that I should consider with my server setup.
It will take me some time to get myself oriented within given circumstances and your advices, but all you say makes sense and I have no reason to not trust your advices.
I appreciate your help and explanations.
All the best
Martin
thank you very much for this exhaustive amount of information that I should consider with my server setup.
It will take me some time to get myself oriented within given circumstances and your advices, but all you say makes sense and I have no reason to not trust your advices.
I appreciate your help and explanations.
All the best
Martin
welcome - and we are always here if you need help later.
keith
ISA MVP
keith
ISA MVP
ASKER
Oh I see now, ISA MVP - that explains everything :-) I was always wondering how to get MVP, but never really understood what I have to do to be nominated...nevermind, maybe it will happen later. Now just to gain those $36.000 to pass MCM :-)
Thank you once again.
Martin
Thank you once again.
Martin
lol - getting MVP status is not down to you to get but for others to nominate you. Microsoft assess the number of recommendations you get from other people or organisations and the first you will know about it is when you get the email telling you.
:)
:)
ASKER
Sorry, my note sounds stupid - I understand MVP awards are not given for some exams or "because I want":-)
Just wanted to say that it would be nice to get it sometimes, but at the moment I really don't think I'm the one who should be awarded, don't worry:-)
Just wanted to say that it would be nice to get it sometimes, but at the moment I really don't think I'm the one who should be awarded, don't worry:-)
hehehe - not stupid at all. Am sure you will get there - just takes some time and some good luck to get noticed.
Also, assuming it is ISA 2006, have you also installed the ISA2006 supportability pack and the ISA2006 SP1?
RDP runs on 3389 by default as you say but the ISA publishing rule will just redirect this as it passes through ISA to 3389 on the inside so that is very straight forward and common. Also, the RDP rule is quite basic and uses ip addressing to get to the internal server.
However, web/terminal services usually use names of the targets so DNS becomes a major issue to get it right.
please supply the output of an ipconfig /all of the ISA Server.