
Terminal Services Gateway on Port other than 443

I am running a Windows Server 2008 server as a member server of a 2003 domain.  I have an Apache Linux server that needs to use port 443, but I want to have Terminal Services remote web apps configured.  The Terminal Services Gateway keeps trying to use port 443, when I want it to use port 83 (the port we opened to the web for this server).  How can I change this? Thanks
Asked by: xtstech
2 Solutions
 
NJComputerNetworks Commented:
Oh... I guess the real problem is that you only have one public IP address?  And your firewall is configured already to allow 443 traffic to a Linux server.

If you have another public IP, associate this to a new A-record on your public domain... then use the firewall to forward traffic to the Terminal Server Gateway server when 443 traffic comes inbound.

 
Cláudio Rodrigues (Founder and CEO) Commented:
From what I remember, in one of our monthly calls with the Remote Desktop Services (TS) team in Redmond, this was brought up, as there was no way to change that, which was (is) a major PITA for smaller customers (i.e. running with a single IP). I can confirm if you want, with the TS developers in Redmond, but again, from what I remember there was no way to change this. :-(

Cláudio Rodrigues
Citrix CTP
 
xtstech (Author) Commented:
Well, I can put the website on port 83 with HTTPS (the port we have chosen for this), and we can log in to the /ts website, but when we try to launch apps, the TS gateway attempts to connect via 443, and we see the SSL cert for the Linux server appear?
 
Cláudio Rodrigues (Founder and CEO) Commented:
The SSL cert can be any, as long as the TSGateway is configured to use it.

Cláudio Rodrigues
Citrix CTP
 
xtstech (Author) Commented:
The point of my last post is that even though IIS is using SSL on 83, the TS gateway tries to connect on 443.
That article at http://blogs.msdn.com/saurabh_singh/archive/2008/08/30/troubleshooting-ts-gateway-connectivity-on-windows-2008-iis-7-0.aspx is the solution, or is it demonstrating that I'm SOL?
 
xtstech (Author) Commented:
Ok, so what we have is a forum on Apache that runs SSL, but doesn't need to be SSL.  We have OWA proxied through Apache using some trick the previous admin set up for God knows what reason.  The TS server is the only Server 2k8 machine in the domain.
Both DCs and the Exchange server (which houses Exchange, and OWA, and all mailboxes, SMTP, etc.) are Server 2k3 Enterprise R2.

How can I install OWA 2003 on the TS server, so I can just use it for OWA, and TS without having to proxy anything through linux?  We only have one IP assigned by our ISP, and can't afford to change that.

We can't upgrade to exchange 2007 at the moment, and 2003 is all we have.  I don't care about the forum being SSL anymore because it isn't that important.  Thanks
 
NJComputerNetworks Commented:
"Ok, so what we have is a forum on Apache that runs SSL, but doesn't need to be SSL.  We have OWA proxied through Apache using some trick the previous admin set up for God knows what reason."  Oh... probably because you have two internal apps that use 443 (OWA and the forum).  Therefore, he had to figure out how to make these both work by redirecting traffic to one server.

Now, it seems that you want to introduce a 3rd server that uses port 443.  But your firewall can only redirect port 443 to one server (unless you get more public IP addresses).

So, you might want to look at the Linux server and see how the old admin redirected traffic for OWA... if you figure this out, you might be able to use the same "trick" for TS.
 
Cláudio Rodrigues (Founder and CEO) Commented:
OWA is part of Exchange 2003, so I assume you would have to install it on the TS itself, which is usually a bad idea.
http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_21129332.html
The problem still remains regarding port 443, unless you configure OWA to use something like 444.
You would need to configure your firewall to send 444 to the Exchange OWA box and 443 to the TS Gateway machine (so ideally, two different boxes).
Can these coexist on the same box on different ports? Probably. Would I do it? No.
Also note that TS Gateway is 2008 only; Exchange 2003 (OWA or anything else) is NOT compatible with 2008, so you would need two machines in the end.
http://support.microsoft.com/kb/948680

Assuming OWA does work over any other port, then you would be ok.

Cláudio Rodrigues
Citrix CTP
 
xtstech (Author) Commented:
I tried that initially, but it is not working.  Upon further inspection of the configuration I see that this is the setup:
Port 80 goes to Apache.
Port 443 tells Apache to redirect to owa.example.com instead of www.example.com.

In the firewall, port 80 goes to Apache, and 443 goes directly to the OWA server.
I need to make 443 go to the TS server, but only after I get OWA working on it.
 
NJComputerNetworks Commented:
Changing the SSL for OWA is pretty easy... I would leave TS on 443 (based on what tmvp says... changing may not be possible)

http://www.msexchange.org/tutorials/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html

 
NJComputerNetworks Commented:
A-Z guide for setting up OWA SSL - http://www.msexchange.org/tutorials/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html

Are you using a self-signed SSL certificate? Or did you purchase a cert from someone?

If you did not purchase a certificate and you want to update your cert using a custom port, this is an easy way to update it...  http://www.msexchange.org/tutorials/Creating-Certificate-OWA2003-SelfSSL.html
 
xtstech (Author) Commented:
Won't changing the OWA SSL break syncing with iPhones and Motorola Droids?  Yes, we have both groups of cell phone users on our network.
 
xtstech (Author) Commented:
Ah, I see in a post via the googles (http://forum.ppcgeeks.com/showthread.php?t=97691) that ActiveSync must also be on 443, so I still need to put OWA 2003 on the TS server.
 
Cláudio Rodrigues (Founder and CEO) Commented:
Yes, that could be an issue. Also with the Outlook Anywhere (RPC over HTTPS).

Cláudio Rodrigues
Citrix CTP
 
xtstech (Author) Commented:
So how can I add OWA 2003 to the IIS 7 install on the TS server?
 
Cláudio Rodrigues (Founder and CEO) Commented:
If the TS is 2008 you cannot do this. OWA (Exchange 2003) is NOT compatible with 2008 Server. You will need two servers, one for your 2008 TS and one for OWA.

Cláudio Rodrigues
Citrix CTP
 
NJComputerNetworks Commented:
You still have the same problem if you put OWA on the TS server... Two applications using 443.  You will be able to direct the firewall to the TS server when 443 is being used... but you can't have two applications using port 443 (possibly you can do this with host headers), but I don't know how.

 
xtstech (Author) Commented:
Well, I figured server.example.com/ts and server.example.com/exchange would work.  Same virtual server in IIS, just two VDirs.  So I can't have OWA 2003 run in IIS 7?  I'm not sure I could properly upgrade to 2007 on my own, and I don't even know if 2007 runs in a 2003 forest/domain.
 
Cláudio Rodrigues (Founder and CEO) Commented:
Not to mention 2007 requires 64-bit Windows Server. Even though I have 2007 at the office, it is really a pain in many ways (EXMERGE does not work, Windows Server built-in backup on 2008 cannot back up Exchange natively and so on - this one MS was going to fix). It is really a whole new world with Exchange 2007.
One possibility would be to run a VM under 2008 Hyper-V and that VM would have 2003 with OWA. That would probably allow you to achieve what you want, as long as OWA is not on 443 (as you only have a single IP address on the outside).

Cláudio Rodrigues
Citrix CTP
 
xtstech (Author) Commented:
Well, if OWA is not on 443 I think it breaks ActiveSync with users' cell phones.  Can't have that.  Also, besides the Linux server, router, and 2 domain controllers, all of our servers (Exchange, TS, accounting, etc.) are on VMware ESXi offloaded to IPStor by FalconStor.  If it's on a VM, as Exchange and TS will be, then it's backed up automatically.  I'm more concerned about getting OWA and TS to share the same 443, as I know it can be done.
 
Cláudio Rodrigues (Founder and CEO) Commented:
As long as the TS is NOT 2008 this can probably be done but on the same 2003 box you would need to load Exchange (to get OWA) and a gateway. The problem is the TS gateway is only available on 2008 and on 2008 you cannot load Exchange 2003. That is your problem.

Cláudio Rodrigues
Citrix CTP
 
NJComputerNetworks Commented:
I would double check your ISP IP assignments.  It would be pretty rare nowadays to only have ONE public IP address.  If you have two, you could assign one to mail and one to TS.

For example, if your domain name was singer.com

Mail.singer.com = 102.2.36.211  --> firewall redirects to OWA server
ts.singer.com = 102.2.36.212  --> firewall redirects to TS server

In this way, you can have two servers using the 443 port.

 
xtstech (Author) Commented:
Hmm.  That would be nice, but our ISP either provides 1 IP, or 5 IPs, and the 5 IP package is too expensive for our organization.
 
NJComputerNetworks Commented:
Maybe you could add another 1-IP line from the ISP... not sure... but sometimes it's cheaper to buy two 1-IP address lines than one 5-IP line.

Possibly even consider getting the IP from a different ISP... this might help your site redundancy a bit... and be a good enhancement for your network.
 
xtstech (Author) Commented:
I'll look into that, but as of right now, we are holding off on adding TS until we can get a second admin to help minimize the downtime from an Exchange 03 to 07 switch.
 
xtstech (Author) Commented:
I'm not sure how to select the proper answer to this question, as the original goal was not accomplished, and there was no proper solution besides upgrading Exchange.
 
Cláudio Rodrigues (Founder and CEO) Commented:
Well, the proper answer for your question is simple. Your question was basically, summarizing, "Can I run OWA 2003 and TS Gateway on a 2008 server sharing a single port, 443?".
The answers provided above show this is not possible unless:
1. You get a second IP address.
Or
2. You set up a second box to be your OWA (under 2003 Server with Exchange 2003) and you set it up to use another port (not 443), but in this case ActiveSync and Outlook Anywhere are broken.

Cláudio Rodrigues
Citrix CTP
 
xtstech (Author) Commented:
Ok. In that case I'll select the first person who told me about ActiveSync, plus a few points for you for helping me to understand that.
 
xtstech (Author) Commented:
Unfortunately my situation cannot be resolved right now.