xtstech
asked on
Terminal Services Gateway on Port other than 443
I am running a Windows Server 2008 server as a member server of a 2003 domain. I have an Apache Linux server that needs to use port 443, but I want to have Terminal Services remote web apps configured. The Terminal Services gateway keeps trying to use port 443, when I want it to use port 83 (the port we opened to the web for this server). How can I change this? Thanks
see step 4 of Accessing hosted applications
http://searchvirtualdesktop.techtarget.com/tip/0,289483,sid194_gci1370371_mem1,00.html
search for the word PORT on this document: http://www.itexpertmag.com/server/hosting-remote-applications-over-the-internet-with-terminal-services
From what I remember, in one of our monthly calls with the Remote Desktop Services (TS) team in Redmond, this was brought up, as there was no way to change that, which was (is) a major PITA for smaller customers (i.e. running with a single IP). I can confirm with the TS developers in Redmond if you want, but again, from what I remember there was no way to change this. :-(
Cláudio Rodrigues
Citrix CTP
Confirmed here:
http://blogs.msdn.com/saurabh_singh/archive/2008/08/30/troubleshooting-ts-gateway-connectivity-on-windows-2008-iis-7-0.aspx
Cláudio Rodrigues
Citrix CTP
ASKER
Well I can put the website on port 83 with https (the port we have chosen for this) we can login to the /ts website, but when we try to launch apps, the TS gateway attempts to connect via 443, and we see the SSL cert for the linux server appear?
The SSL cert can be any, as long as the TSGateway is configured to use it.
Cláudio Rodrigues
Citrix CTP
ASKER
The point of my last post is that even though IIS is using SSL on 83, the TS gateway tries to connect on 443.
That article at http://blogs.msdn.com/saurabh_singh/archive/2008/08/30/troubleshooting-ts-gateway-connectivity-on-windows-2008-iis-7-0.aspx is the solution, or is it demonstrating that I'm SOL?
ASKER
Ok, so what we have is a forum on Apache that runs SSL, but doesn't need to be SSL. We have OWA proxied through Apache using some trick the previous admin set up for God knows what reason. The TS server is the only server2k8 machine in the domain.
Both DCs and the Exchange server (which houses Exchange, and OWA, and all mailboxes, SMTP, etc.) are server 2k3 enterprise R2.
How can I install OWA 2003 on the TS server, so I can just use it for OWA, and TS without having to proxy anything through linux? We only have one IP assigned by our ISP, and can't afford to change that.
We can't upgrade to exchange 2007 at the moment, and 2003 is all we have. I don't care about the forum being SSL anymore because it isn't that important. Thanks
"Ok, so what we have is a forum on apache that runs SSL, but doesn't need to be SSL. We have OWA proxied through apache using some trick the previous admin set up for God knows what reason." Oh... probably because you have two internal apps that use 443 (OWA and the forum). Therefore, he had to figure out how to make these both work by redirecting traffic to one server.
Now, it seems that you want to introduce a 3rd server that uses port 443. But your firewall can only redirect port 443 to one server (unless you get more public IP addresses).
So, you might want to look at the Linux server and see how the old admin redirected traffic for OWA... if you figure this out, you might be able to use the same "trick" for TS.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
I tried that initially, but it is not working. Upon further inspection of the configuration I see that this is the setup:
port 80 goes to apache
port 443 tells apache to redirect to owa.example.com instead of www.example.com
in the firewall port 80 goes to apache, and 443 directly goes to owa server
I need to make 443 go to TS server, but only after I get owa working on it.
changing the SSL for OWA is pretty easy... I would leave TS on 443 (based on what tmvp says...changing may not be possible)
http://www.msexchange.org/tutorials/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html
A-Z guide for setting up OWA SSL - http://www.msexchange.org/tutorials/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html
Are you using a self-signed SSL certificate, or did you purchase a cert from someone?
If you did not purchase a certificate and you want to update your cert using a custom port, this is an easy way to update it... http://www.msexchange.org/tutorials/Creating-Certificate-OWA2003-SelfSSL.html
ASKER
Won't changing the OWA SSL break syncing with iPhones and Motorola Droids? Yes, we have both groups of cell phone users on our network.
ASKER
Ah, I see in a post via the googles (http://forum.ppcgeeks.com/showthread.php?t=97691) ActiveSync must also be on 443, so I still need to put OWA 2003 on the TS server.
Yes, that could be an issue. Also with the Outlook Anywhere (RPC over HTTPS).
Cláudio Rodrigues
Citrix CTP
ASKER
So how can I add OWA 2003 to the IIS 7 install on the TS server?
If the TS is 2008 you cannot do this. OWA (Exchange 2003) is NOT compatible with 2008 Server. You will need two servers, one for your 2008 TS and one for OWA.
Cláudio Rodrigues
Citrix CTP
You still have the same problem if you put OWA on the TS server: two applications using 443. You will be able to direct the firewall to the TS server when 443 is being used... but you can't have two applications using port 443 (possibly you can do this with host headers, but I don't know how).
ASKER
Well, I figured server.example.com/ts and server.example.com/exchange would work. Same virtual server in IIS, just two VDirs. So I can't have OWA 2003 run in IIS 7? I'm not sure I could properly upgrade to 2007 on my own, and I don't even know if 2007 runs in a 2003 forest/domain.
Not to mention 2007 requires 64-bit Windows Server. Even though I have 2007 at the office, it is really a pain in many ways (EXMERGE does not work, Windows Server built-in backup on 2008 cannot back up Exchange natively and so on - this one MS was going to fix). It is really a whole new world with Exchange 2007.
One possibility would be to run a VM under 2008 Hyper-V and that VM would have 2003 with OWA. That would probably allow you to achieve what you want, as long as OWA is not on 443 (as you only have a single IP address on the outside).
Cláudio Rodrigues
Citrix CTP
ASKER
Well if OWA is not on 443 I think it breaks activesync with users cell phones. Can't have that. Also besides the linux server, router, and 2 domain controllers, all of our servers (exchange, ts, accounting, etc) are on VMWare ESXi offloaded to IPStor by FalconStor. If it's on a VM as exchange and TS will be, then it's backed up automatically. I'm more concerned about getting OWA, and TS to share the same 443 as I know it can be done.
As long as the TS is NOT 2008 this can probably be done but on the same 2003 box you would need to load Exchange (to get OWA) and a gateway. The problem is the TS gateway is only available on 2008 and on 2008 you cannot load Exchange 2003. That is your problem.
Cláudio Rodrigues
Citrix CTP
I would double check your ISP IP assignments. It would be pretty rare nowadays to only have ONE public IP address. If you have two, you could assign one to mail and one to TS.
For example, if your domain name was singer.com:
mail.singer.com = 102.2.36.211 --> firewall redirects to OWA server
ts.singer.com = 102.2.36.212 --> firewall redirects to TS server
In this way, you can have two servers using the 443 port.
ASKER
Hmm. That would be nice, but our ISP either provides 1 IP, or 5 IPs, and the 5 IP package is too expensive for our organization.
Maybe you could add another 1 IP line from the ISP... not sure... but sometimes it's cheaper to buy two 1 IP address lines than one 5 IP line.
Possibly even consider getting the IP from a different ISP... this might help your site redundancy a bit... and be a good enhancement for your network.
ASKER
I'll look into that, but as of right now, we are holding off on adding TS until we can get a second admin to help minimize the downtime from an exchange 03 to 07 switch
ASKER
I'm not sure how to select the proper answer to this question as the original goal was not accomplished, and there was no proper solution besides upgrade exchange
SOLUTION
This solution is only available to members.
ASKER
Ok. In that case I'll select the first person who told me about ActiveSync, plus a few points for you for helping me to understand that.
ASKER
Unfortunately my situation cannot be resolved right now.
If you have another public IP, associate this to a new A-record on your public domain... then use the firewall to forward traffic to the Terminal Server Gateway server when 443 traffic comes inbound.