Solved

Terminal Services Gateway on Port other than 443

Posted on 2010-01-11
Last Modified: 2013-11-21
I am running a Windows Server 2008 server as a member server of a 2003 domain.  I have an Apache Linux server that needs to use port 443, but I want to have Terminal Services remote web apps configured.  The Terminal Services gateway keeps trying to use port 443, when I want it to use port 83 (the port we opened to the web for this server).  How can I change this? Thanks
Question by:xtstech
32 Comments
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 26284556
Oh... I guess the real problem is that you only have one public IP address?  And your firewall is configured already to allow 443 traffic to a Linux server.

If you have another public IP, associate this to a new A-record on your public domain... then use the firewall to forward traffic to the Terminal Server Gateway server when 443 traffic comes inbound.

0
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 26284592
0
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 26284606
0
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
ID: 26284799
From what I remember, in one of our monthly calls with the Remote Desktop Services (TS) team in Redmond, this was brought up, as there was no way to change that, which was (is) a major PITA for smaller customers (i.e. running with a single IP). I can confirm, if you want, with the TS developers in Redmond, but again, from what I remember there was no way to change this. :-(

Cláudio Rodrigues
Citrix CTP
0
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
ID: 26284814
0
 

Author Comment

by:xtstech
ID: 26284892
Well, I can put the website on port 83 with https (the port we have chosen for this) and we can log in to the /ts website, but when we try to launch apps, the TS gateway attempts to connect via 443, and we see the SSL cert for the Linux server appear?
0
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
ID: 26284916
The SSL cert can be any, as long as the TSGateway is configured to use it.

Cláudio Rodrigues
Citrix CTP
0
 

Author Comment

by:xtstech
ID: 26284955
The point of my last post is that even though IIS is using SSL on 83, the TS gateway tries to connect on 443.
That article at http://blogs.msdn.com/saurabh_singh/archive/2008/08/30/troubleshooting-ts-gateway-connectivity-on-windows-2008-iis-7-0.aspx is the solution, or is it demonstrating that I'm SOL?
0
 

Author Comment

by:xtstech
ID: 26285023
Ok, so what we have is a forum on Apache that runs SSL, but doesn't need to be SSL.  We have OWA proxied through Apache using some trick the previous admin set up for God knows what reason.  The TS server is the only Server 2k8 machine in the domain.
Both DCs and the Exchange server (which houses Exchange, and OWA, and all mailboxes, SMTP, etc.) are Server 2k3 Enterprise R2.

How can I install OWA 2003 on the TS server, so I can just use it for OWA, and TS without having to proxy anything through linux?  We only have one IP assigned by our ISP, and can't afford to change that.

We can't upgrade to exchange 2007 at the moment, and 2003 is all we have.  I don't care about the forum being SSL anymore because it isn't that important.  Thanks
0
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 26285122
"Ok, so what we have is a forum on Apache that runs SSL, but doesn't need to be SSL.  We have OWA proxied through Apache using some trick the previous admin set up for God knows what reason."  Oh... probably because you have two internal apps that use 443 (OWA and the forum).  Therefore, he had to figure out how to make these both work by redirecting traffic to one server.

Now, it seems that you want to introduce a 3rd server that uses port 443.  But your firewall can only redirect port 443 to one server (unless you get more public IP addresses).

So, you might want to look at the Linux server and see how the old admin redirected traffic for OWA... if you figure this out, you might be able to use the same "trick" for TS.
0
 
LVL 31

Accepted Solution

by:
Cláudio Rodrigues earned 2000 total points
ID: 26285155
OWA is part of Exchange 2003, so I assume you would have to install it on the TS itself, which is usually a bad idea.
http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_21129332.html
The problem still remains regarding port 443, unless you configure OWA to use something like 444.
You would need to configure your firewall to send 444 to the Exchange OWA box and 443 to the TS Gateway machine (so ideally, two different boxes).
Can these coexist on the same box on different ports? Probably. Would I do it? No.
Also note that TS Gateway is 2008 only, and Exchange 2003 (OWA or anything else) is NOT compatible with 2008, so you would need two machines at the end.
http://support.microsoft.com/kb/948680

Assuming OWA does work over any other port, then you would be ok.

Cláudio Rodrigues
Citrix CTP
0
 

Author Comment

by:xtstech
ID: 26285158
I tried that initially, but it is not working.  Upon further inspection of the configuration I see that this is the setup:
port 80 goes to apache
port 443 tells apache to redirect to owa.example.com instead of www.example.com

in the firewall port 80 goes to apache, and 443 directly goes to owa server
I need to make 443 go to TS server, but only after I get owa working on it.
0
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 26285197
Changing the SSL for OWA is pretty easy... I would leave TS on 443 (based on what tmvp says... changing may not be possible)

http://www.msexchange.org/tutorials/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html

0
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 26285278
A-Z guide for setting up OWA SSL - http://www.msexchange.org/tutorials/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html

Are you using a self signed SSL certificate? or did you purchase a cert from someone?

If you did not purchase a certificate and you want to update your cert using a custom port, this is an easy way to update it...  http://www.msexchange.org/tutorials/Creating-Certificate-OWA2003-SelfSSL.html
0
 

Author Comment

by:xtstech
ID: 26285507
Won't changing the OWA SSL break syncing with iPhones and Motorola Droids?  Yes, we have both groups of cell phone users on our network.
0
 

Author Comment

by:xtstech
ID: 26285536
ah I see in post via the googles (http://forum.ppcgeeks.com/showthread.php?t=97691) activesync must also be on 443 so I still need to put OWA 2003 on the TS server
0
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
ID: 26285708
Yes, that could be an issue. Also with the Outlook Anywhere (RPC over HTTPS).

Cláudio Rodrigues
Citrix CTP
0
 

Author Comment

by:xtstech
ID: 26285724
So how can I add OWA 2003 to the IIS 7 install on the TS server?
0
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
ID: 26285855
If the TS is 2008 you cannot do this. OWA (Exchange 2003) is NOT compatible with 2008 Server. You will need two servers, one for your 2008 TS and one for OWA.

Cláudio Rodrigues
Citrix CTP
0
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 26285864
You still have the same problem if you put OWA on the TS server: two applications using 443.  You will be able to direct the firewall to the TS server when 443 is being used... but you can't have two applications using port 443 (possibly you can do this with host headers), but I don't know how.

0
 

Author Comment

by:xtstech
ID: 26285897
well I figured server.example.com/ts and server.example.com/exchange would work.  Same virtual server in IIS, just two VDirs.  So I can't have OWA 2003 run in IIS 7?  I'm not sure I could properly upgrade to 2007 on my own, and I don't even know if 2007 runs in a 2003 forest/domain
0
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
ID: 26285948
Not to mention 2007 requires 64-bit Windows Server. Even though I have 2007 at the office, it is really a pain in many ways (EXMERGE does not work, Windows Server built-in backup on 2008 cannot backup Exchange natively and so on - this one MS was going to fix). It is really a whole new world with Exchange 2007.
One possibility would be to run a VM under 2008 Hyper-V and that VM would have 2003 with OWA. That would probably allow you to achieve what you want, as long as OWA is not on 443 (as you only have a single IP address on the outside).

Cláudio Rodrigues
Citrix CTP
0
 

Author Comment

by:xtstech
ID: 26286077
Well if OWA is not on 443 I think it breaks activesync with users cell phones.  Can't have that.  Also besides the linux server, router, and 2 domain controllers, all of our servers (exchange, ts, accounting, etc) are on VMWare ESXi offloaded to IPStor by FalconStor.  If it's on a VM as exchange and TS will be, then it's backed up automatically.  I'm more concerned about getting OWA, and TS to share the same 443 as I know it can be done.
0
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
ID: 26286149
As long as the TS is NOT 2008 this can probably be done but on the same 2003 box you would need to load Exchange (to get OWA) and a gateway. The problem is the TS gateway is only available on 2008 and on 2008 you cannot load Exchange 2003. That is your problem.

Cláudio Rodrigues
Citrix CTP
0
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 26286182
I would double check your ISP IP assignments.  It would be pretty rare nowadays to only have ONE public IP address.  If you have two, you could assign one to mail and one to TS.

For example, if your domain name was singer.com

Mail.singer.com = 102.2.36.211  --> firewall redirects to OWA server
ts.singer.com = 102.2.36.212  -->  firewall redirect to TS server

In this way, you can have two servers using the 443 port.

0
 

Author Comment

by:xtstech
ID: 26286228
Hmm.  That would be nice, but our ISP either provides 1 IP, or 5 IPs, and the 5 IP package is too expensive for our organization.
0
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 26286411
Maybe you could add another 1 IP line from the ISP... not sure... but sometimes it's cheaper to buy two 1 IP address lines than one 5 IP line.

Possibly even consider getting the IP from a different ISP... this might help your site redundancy a bit... and be a good enhancement for your network.
0
 

Author Comment

by:xtstech
ID: 26287166
I'll look into that, but as of right now, we are holding off on adding TS until we can get a second admin to help minimize the downtime from an exchange 03 to 07 switch
0
 

Author Comment

by:xtstech
ID: 26287179
I'm not sure how to select the proper answer to this question as the original goal was not accomplished, and there was no proper solution besides upgrade exchange
0
 
LVL 31

Assisted Solution

by:Cláudio Rodrigues
Cláudio Rodrigues earned 2000 total points
ID: 26287603
Well, the proper answer for your question is simple. Your question was basically, to summarize, "Can I run OWA 2003 and TS Gateway on a 2008 server sharing a single port, 443?".
The answers provided above show this is not possible unless:
1. You get a second IP address.
Or
2. You set up a second box to be your OWA (under 2003 Server with Exchange 2003) and you set it up to use another port (not 443), but in this case ActiveSync and Outlook Anywhere are broken.

Cláudio Rodrigues
Citrix CTP
0
 

Author Comment

by:xtstech
ID: 26287828
Ok. In that case I'll select the first person who told me about ActiveSync, plus a few points for you for helping me to understand that.
0
 

Author Closing Comment

by:xtstech
ID: 31675539
Unfortunately my situation cannot be resolved right now.
0
