xtstech asked:

Terminal Services Gateway on Port other than 443

I am running a Windows Server 2008 server as a member server of a 2003 domain.  I have an Apache Linux server that needs to use port 443, but I want to have Terminal Services remote web apps configured.  The Terminal Services Gateway keeps trying to use port 443, when I want it to use port 83 (the port we opened to the web for this server).  How can I change this? Thanks
NJComputerNetworks

Oh... I guess the real problem is that you only have one public IP address?  And your firewall is configured already to allow 443 traffic to a Linux server.  

If you have another public IP, associate this to a new A-record on your public domain... then use the firewall to forward traffic to the Terminal Server Gateway server when 443 traffic comes inbound.

Cláudio Rodrigues
From what I remember, in one of our monthly calls with the Remote Desktop Services (TS) team in Redmond, this was brought up, as there was no way to change that, which was (is) a major PITA for smaller customers (i.e. running with a single IP). I can confirm if you want, with the TS developers in Redmond, but again, from what I remember there was no way to change this. :-(

Cláudio Rodrigues
Citrix CTP
xtstech (ASKER)

Well, I can put the website on port 83 with HTTPS (the port we have chosen for this); we can log in to the /ts website, but when we try to launch apps, the TS Gateway attempts to connect via 443, and we see the SSL cert for the Linux server appear.
The SSL cert can be any, as long as the TSGateway is configured to use it.

Cláudio Rodrigues
Citrix CTP
xtstech (ASKER)

The point of my last post is that even though IIS is using SSL on 83, the TS Gateway tries to connect on 443.
Is that article at http://blogs.msdn.com/saurabh_singh/archive/2008/08/30/troubleshooting-ts-gateway-connectivity-on-windows-2008-iis-7-0.aspx the solution, or is it demonstrating that I'm SOL?
xtstech (ASKER)

Ok, so what we have is a forum on Apache that runs SSL, but doesn't need to be SSL.  We have OWA proxied through Apache using some trick the previous admin set up for God knows what reason.  The TS server is the only Server 2k8 machine in the domain; both DCs and the Exchange server (which houses Exchange, OWA, all mailboxes, SMTP, etc.) are Server 2k3 Enterprise R2.

How can I install OWA 2003 on the TS server, so I can just use it for OWA, and TS without having to proxy anything through linux?  We only have one IP assigned by our ISP, and can't afford to change that.

We can't upgrade to exchange 2007 at the moment, and 2003 is all we have.  I don't care about the forum being SSL anymore because it isn't that important.  Thanks
"Ok, so what we have is a forum on apache that runs SSL, but doesnt need to be SSL.  We have OWA proxied through apache using some trick the previous admin setup for God knows what reason. "  Oh... probably because you have two internal apps that use 443 (OWA and the forum).  Therefore, he had to figure out how to make these both work by redirecting traffic to one server.

Now, it seems that you want to introduce a 3rd server that uses port 443.  But your firewall can only redirect port 443 to one server (unless you get more public IP addresses).

So, you might want to look at the Linux server and see how the old admin redirected traffic for OWA... if you figure this out, you might be able to use the same "trick" for TS.
ASKER CERTIFIED SOLUTION
Cláudio Rodrigues
xtstech (ASKER)

I tried that initially, but it is not working.  Upon further inspection of the configuration I see that this is the setup:
port 80 goes to Apache
port 443 tells Apache to redirect to owa.example.com instead of www.example.com

In the firewall, port 80 goes to Apache, and 443 goes directly to the OWA server.
I need to make 443 go to the TS server, but only after I get OWA working on it.
changing the SSL for OWA is pretty easy... I would leave TS on 443 (based on what tmvp says...changing may not be possible)

A-Z guide for setting up OWA SSL - http://www.msexchange.org/tutorials/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html

Are you using a self signed SSL certificate? or did you purchase a cert from someone?

If you did not purchase a certificate and you want to update your cert using a custom port, this is an easy way to update it...  http://www.msexchange.org/tutorials/Creating-Certificate-OWA2003-SelfSSL.html
xtstech (ASKER)

Won't changing the OWA SSL break syncing with iPhones and Motorola Droids?  Yes, we have both groups of cell phone users on our network.
xtstech (ASKER)

Ah, I see in a post via the googles (http://forum.ppcgeeks.com/showthread.php?t=97691) that ActiveSync must also be on 443, so I still need to put OWA 2003 on the TS server.
Yes, that could be an issue. Also with the Outlook Anywhere (RPC over HTTPS).

Cláudio Rodrigues
Citrix CTP
xtstech (ASKER)

So how can I add OWA 2003 to the IIS 7 install on the TS server?
If the TS is 2008 you cannot do this. OWA (Exchange 2003) is NOT compatible with 2008 Server. You will need two servers, one for your 2008 TS and one for OWA.

Cláudio Rodrigues
Citrix CTP
You still have the same problem if you put OWA on the TS server: two applications using 443.  You will be able to direct the firewall to the TS server when 443 is being used... but you can't have two applications using port 443 (possibly you can do this with host headers, but I don't know how).

xtstech (ASKER)

Well, I figured server.example.com/ts and server.example.com/exchange would work.  Same virtual server in IIS, just two VDirs.  So I can't have OWA 2003 run in IIS 7?  I'm not sure I could properly upgrade to 2007 on my own, and I don't even know if 2007 runs in a 2003 forest/domain.
Not to mention 2007 requires 64-bit Windows Server. Even though I have 2007 at the office, it is really a pain in many ways (EXMERGE does not work, Windows Server built-in backup on 2008 cannot backup Exchange natively and so on - this one MS was going to fix). It is really a whole new world with Exchange 2007.
One possibility would be to run a VM under 2008 Hyper-V and that VM would have 2003 with OWA. That would probably allow you to achieve what you want, as long as OWA is not on 443 (as you only have a single IP address on the outside).

Cláudio Rodrigues
Citrix CTP
xtstech (ASKER)

Well if OWA is not on 443 I think it breaks activesync with users cell phones.  Can't have that.  Also besides the linux server, router, and 2 domain controllers, all of our servers (exchange, ts, accounting, etc) are on VMWare ESXi offloaded to IPStor by FalconStor.  If it's on a VM as exchange and TS will be, then it's backed up automatically.  I'm more concerned about getting OWA, and TS to share the same 443 as I know it can be done.
As long as the TS is NOT 2008 this can probably be done but on the same 2003 box you would need to load Exchange (to get OWA) and a gateway. The problem is the TS gateway is only available on 2008 and on 2008 you cannot load Exchange 2003. That is your problem.

Cláudio Rodrigues
Citrix CTP
I would double check your ISP IP assignments.  It would be pretty rare nowadays to only have ONE public IP address.  If you have two, you could assign one to mail and one to TS.

For example, if your domain name was singer.com

Mail.singer.com = 102.2.36.211  --> firewall redirects to OWA server
ts.singer.com = 102.2.36.212  -->  firewall redirect to TS server

In this way, you can have two servers using the 443 port.
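As an added illustration (not code from any poster in this thread), a small Python planner that applies the rule in the post above: each public (IP, port) pair can forward to only one internal backend, services pinned to 443 (TS Gateway, ActiveSync) are placed first, and a second public IP is what lets Exchange and the TS Gateway coexist. The service inventory and the 203.0.113.x addresses are constructed.

```python
from itertools import product

# Constructed inventory mirroring the thread: one backend may host several
# services, and some services (TS Gateway, ActiveSync) only work on 443.
SERVICES = [
    # (service, internal backend, external ports that would work for it)
    ("ts-gateway", "ts-server", (443,)),
    ("activesync", "exchange", (443,)),
    ("owa", "exchange", (443,)),
    ("forum", "apache", (443, 83)),
]

def plan_forwarding(public_ips, services=SERVICES):
    """Assign each service to a (public IP, port) slot so that no slot forwards
    to two different backends. Returns (mapping, conflicts): mapping is
    {service: (ip, port)}, conflicts lists services that could not be placed."""
    slots = {}      # (ip, port) -> backend the firewall forwards that slot to
    mapping = {}
    conflicts = []
    # Least-flexible services first so a movable service never steals 443.
    for name, backend, ports in sorted(services, key=lambda s: len(s[2])):
        placed = False
        for port, ip in product(ports, public_ips):
            owner = slots.get((ip, port))
            # A slot is reusable only if it already points at the same backend
            # (OWA and ActiveSync both live on the Exchange server).
            if owner is None or owner == backend:
                slots[(ip, port)] = backend
                mapping[name] = (ip, port)
                placed = True
                break
        if not placed:
            conflicts.append(name)
    return mapping, conflicts

if __name__ == "__main__":
    for ips in (["203.0.113.10"], ["203.0.113.10", "203.0.113.11"]):
        mapping, conflicts = plan_forwarding(ips)
        print(len(ips), "public IP(s):", mapping, "unplaceable:", conflicts)
```

With one address the Exchange services cannot be placed at all; with two, Exchange takes 443 on the second address and the forum drops to port 83 on the first.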

xtstech (ASKER)

Hmm.  That would be nice, but our ISP either provides 1 IP, or 5 IPs, and the 5 IP package is too expensive for our organization.
Maybe you could add another 1-IP line from the ISP... not sure... but sometimes it's cheaper to buy two 1-IP address lines than one 5-IP line.

Possibly even consider getting the IP from a different ISP... this might help your site redundancy a bit... and be a good enhancement for your network.
xtstech (ASKER)

I'll look into that, but as of right now, we are holding off on adding TS until we can get a second admin to help minimize the downtime from an Exchange 03 to 07 switch.
xtstech (ASKER)

I'm not sure how to select the proper answer to this question, as the original goal was not accomplished, and there was no proper solution besides upgrading Exchange.
SOLUTION
xtstech (ASKER)

Ok. In that case I'll select the first person who told me about ActiveSync, plus a few points for you for helping me to understand that.
xtstech (ASKER)

Unfortunately my situation cannot be resolved right now.