Solved

RemoteApps - which port has to be enabled and can I change it somehow?

Posted on 2009-05-15
945 Views
Last Modified: 2012-05-07
Hello,

I'd like to ask for advice - I've set up a new Windows Server 2008, and this machine is behind an ISA firewall.
The customer's network specialist opened ports 80 and 443 on the ISA server for web access, and port 3399 for remote administration via RDP (I don't know why 3399 instead of 3389; maybe to avoid the default port number, which could attract a potential hacker's attention).

I installed Terminal Services together with TS Web Access and TS RemoteApps. Everything works fine through LAN and WAN except one thing: when I open TS Web Access from the Internet, I can see the page with the published RemoteApps, but cannot start any of them. An error message appears stating something like "cannot connect to remote server".
So I guess that RemoteApps communicate via port 3389, but I have no idea whether this is correct, and whether there are additional ports in use that must be enabled to allow RemoteApps from the Internet.

Thank you very much in advance
Martin
Question by:martin_babarik
9 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 24401725
Martin, which version of ISA Server is installed, please?
Also, assuming it is ISA 2006, have you also installed the ISA 2006 Supportability Pack and ISA 2006 SP1?

RDP runs on 3389 by default, as you say, but the ISA publishing rule will just redirect this as it passes through ISA to 3389 on the inside, so that is very straightforward and common. Also, the RDP rule is quite basic and uses IP addressing to get to the internal server.

However, web/terminal services usually use the names of the targets, so DNS becomes a major issue to get right.

Please supply the output of ipconfig /all from the ISA Server.

 
LVL 13

Author Comment

by:martin_babarik
ID: 24401960
Hello Keith,

thanks for your sophisticated response; good to see you know what you are talking about :-)

Now to answer your questions and provide some update:
1. Regarding ISA - this server is entirely a black box for me. The customer gave me just one server in the middle of a gazillion firewalls (something like the Isle of Freedom - Cuba :-)). I'm not allowed to see any config information, not even to ask for it. But I suppose it's the most recent ISA version, as this company is very keen on having the most modern version of anything. You wouldn't find anything older on this network than Windows Server 2003 R2.

2. You gave me an important piece of information regarding the names - that's correct, as I was experiencing problems when trying to connect to the server using its IP address. Later I realized it had been given a public DNS name, and the connection using this DNS name works fine (except the apps).
Last night I received an email from the network specialist trying to explain the following:
<quote>
Both protocols (HTTPS and HTTP) are redirected on the ISA server to your (my WS2008) server's internal IP address. There is no host header in use.
Neither the web service nor terminal services is routed or NATed, but they are published on the ISA server using a Listener.
I will change the current 3399 port to 3389, but then it will have a different IP address.
<end of quotation>

So now I don't know if this is going to fix the problem with RemoteApps, but I hope so. I think I don't need to care about IP addresses, as users of the server will connect through the DNS name anyway.
I also tried to change the terminal server settings to run on 3399 (the currently allowed port) instead of the default 3389, but didn't notice any change.

I don't want to bother you, as my question is very unclear - I just wanted to verify whether the planned change of port settings is going to change something. What do you think?
Thank you very much

Martin
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 24402506
Firstly, their statement is wrong. A publishing rule will not publish the internal IP address of a server. It can't. The reason is that it is ISA that is doing the publishing, so that is going to be the destination of any inbound traffic that uses the rule. ISA accepts the traffic and then holds the connection through a session. ISA then initiates a connection from itself to the IP address/name of the internal server that has the service it wants to present to the outside. This being the case, ISA HAS to NAT the internal address by using its external interface IP address as the one that the outside would see. I am guessing that they have ISA as a firewall/proxy server - two NICs - as RDP cannot be published by ISA with only one NIC.

Take my advice and trust me - leave the internal TS stuff on 3389 and just make the external call to www.domain.com:3399 from the client; much simpler than playing around with changing the inside listening ports, especially if you want to add additional services later on.

No, the port change is unlikely to make any difference.

If the ISA is a 'black box appliance' install, then you could have some issues here. Some real basic stuff for ISA that often catches people out is as follows:

1. Putting a default gateway on both ISA servers. Won't work and buggers things up. It's not a supported network option and it certainly isn't supported by Microsoft or its products, including ISA. The DG should only be on the external NIC.
2. DNS. The ISA external NIC should either have NO DNS at all or should have the internal DNS server IP addresses. ISA then always queries internal DNS, and the internal DNS servers can use their forwarders to resolve outside requests.
3. The default gateway of ANY server that is being published by ISA MUST point back to ISA.

Keith


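To see why Keith's advice (leave TS on 3389, have the client call www.domain.com:3399) matters, it helps to look at what the client is actually told to connect to. A RemoteApp launched from TS Web Access is started through an .rdp file in the standard "key:type:value" format of the Windows RDP client; the client connects to the host named in "full address" (either "host" or "host:port"), falling back to "server port" (default 3389) when no port is given. The script below is an added example written for this thread, not code from the original post or from Microsoft: it parses such a file, reports whether the target host and port are actually reachable through a firewall that only publishes 80, 443 and 3399, and rewrites the file to the published external name and port. The sample .rdp content is constructed; the internal name TSSERVER.corp.local is a placeholder, and www.domain.com / 3399 are taken from Keith's reply rather than from Martin's real setup.

```python
"""Inspect and retarget the .rdp launch file behind a TS Web Access RemoteApp.

Added example for this thread; not from the original post. The .rdp sample is
constructed, the internal host name is a placeholder, and the external name
www.domain.com with published port 3399 are assumptions taken from the thread.
"""
import socket
from typing import Dict, List, Set, Tuple

DEFAULT_RDP_PORT = 3389

# Constructed sample resembling what TS Web Access hands to the browser.
SAMPLE_RDP = """\
redirectclipboard:i:1
remoteapplicationmode:i:1
full address:s:TSSERVER.corp.local
server port:i:3389
alternate shell:s:rdpinit.exe
remoteapplicationprogram:s:||wordpad
remoteapplicationname:s:WordPad
"""

Settings = Dict[str, Tuple[str, str]]


def parse_rdp(text: str) -> Settings:
    """Parse 'key:type:value' lines into {key: (type, value)}.
    Values may themselves contain ':' (host:port), so split at most twice."""
    settings: Settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # tolerate junk lines instead of aborting
        key, typ, value = (p.strip() for p in parts)
        settings[key.lower()] = (typ, value)
    return settings


def target_of(settings: Settings) -> Tuple[str, int]:
    """Return the (host, port) the RDP client will actually connect to."""
    host = settings.get("full address", ("s", ""))[1]
    port = int(settings.get("server port", ("i", str(DEFAULT_RDP_PORT)))[1])
    # A single colon means "host:port" and names the port explicitly; a bare
    # IPv6 literal has several colons and is left alone here.
    if host.count(":") == 1:
        h, p = host.rsplit(":", 1)
        if p.isdigit():
            host, port = h, int(p)
    return host, port


def firewall_findings(settings: Settings, published_ports: Set[int],
                      external_name: str) -> List[str]:
    """Explain why an Internet client could fail to reach the target."""
    host, port = target_of(settings)
    findings = []
    if port not in published_ports:
        findings.append(f"client connects to TCP {port}, which is not published "
                        f"(published ports: {sorted(published_ports)})")
    if host.lower() != external_name.lower():
        findings.append(f"client connects to '{host}', not to the published name "
                        f"'{external_name}'; Internet clients have no route to it")
    return findings


def retarget(text: str, external_host: str, external_port: int) -> str:
    """Rewrite 'full address' and 'server port' to the published endpoint,
    keeping every other line (RemoteApp settings included) untouched."""
    out, seen = [], set()
    for raw in text.splitlines():
        key = raw.strip().split(":", 1)[0].strip().lower()
        if key == "full address":
            out.append(f"full address:s:{external_host}:{external_port}")
        elif key == "server port":
            out.append(f"server port:i:{external_port}")
        else:
            out.append(raw)
            continue
        seen.add(key)
    if "full address" not in seen:
        out.append(f"full address:s:{external_host}:{external_port}")
    if "server port" not in seen:
        out.append(f"server port:i:{external_port}")
    return "\n".join(out) + "\n"


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Client-side check: does host:port accept a TCP connection? Run it from
    an Internet client against www.domain.com:3399 and :3389 to see which one
    the firewall lets through. Not exercised offline."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    published = {80, 443, 3399}
    for finding in firewall_findings(parse_rdp(SAMPLE_RDP), published, "www.domain.com"):
        print("finding:", finding)
    print(retarget(SAMPLE_RDP, "www.domain.com", 3399))
```

One caveat a practitioner would want: RemoteApp .rdp files published by TS RemoteApp Manager can carry a digital signature (a "signature:s:" entry), and editing the file by hand invalidates it, so the client will warn or refuse to launch. The durable fix is therefore on the server side, so that the files TS Web Access generates already name the published endpoint, which is exactly why Keith suggests leaving the internal listener on 3389 and pointing clients at www.domain.com:3399 rather than re-porting the terminal server.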
 
LVL 13

Author Closing Comment

by:martin_babarik
ID: 31582018
Keith,

thank you very much for this exhaustive amount of information that I should consider in my server setup.
It will take me some time to orient myself within the given circumstances and your advice, but all you say makes sense and I have no reason not to trust your advice.
I appreciate your help and explanations.

All the best
Martin
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 24402712
welcome - and we are always here if you need help later.

keith
ISA MVP
 
LVL 13

Author Comment

by:martin_babarik
ID: 24402925
Oh, I see now, ISA MVP - that explains everything :-) I was always wondering how to get MVP, but never really understood what I have to do to be nominated... never mind, maybe it will happen later. Now just to gain those $36,000 to pass MCM :-)
Thank you once again.

Martin
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 24403031
lol - getting MVP status is not down to you to get, but for others to nominate you. Microsoft assesses the number of recommendations you get from other people or organisations, and the first you will know about it is when you get the email telling you.

:)
 
LVL 13

Author Comment

by:martin_babarik
ID: 24403082
Sorry, my note sounds stupid - I understand MVP awards are not given for some exams or "because I want" :-)
I just wanted to say that it would be nice to get it sometime, but at the moment I really don't think I'm the one who should be awarded, don't worry :-)
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 24403548
hehehe - not stupid at all. I am sure you will get there - it just takes some time and some good luck to get noticed.