remoteapp not answering up from anywhere but localhost

so, first time messing with remoteapp on server 2008 R2

locally, it answers up as https://server.name.com/RDWeb

from other domain servers on the same network in the same switch, it doesn't.
but, from those servers, http://server.name.com/  shows the default IIS7 page, which is correct.

ALL windows firewalls are completely off and disabled.

what am i missing here, why can't my other servers connect to that virtual site?

from all related servers, server.name.com does resolve to the internal ip address of the machine hosting the remoteapp stuff.  they're all in the same domain on the same physical switch and can ping each other fine, share files by netbios name and by fqdn.

Bryon H, Senior Technical Support Analyst
Top Expert 2010

Author

Commented:
guys, it's just a virtual web site not answering up - don't be afraid to take a poke at it... someone has to know something...

Top Expert 2010

Commented:
Bryon H, Senior Technical Support Analyst
Top Expert 2010

Author

Commented:
wow digitap, that might seriously work i'll give it a shot this morning - sorry for the late reply, i expected this question to hopelessly die

Bryon H, Senior Technical Support Analyst
Top Expert 2010

Author

Commented:
silly questions... how do i do this stuff they propose?

1. You have to create a HTTPS health monitor, instead of HTTP. Use this monitor to create your pool with your members in it.
2. Set the Server side SSL setting on the virtual IP to use the serverssl setting.


if i go to diagnostics, performance, monitoring tools, performance monitor - nothing really says health monitor, not sure if that's even the right place

what do you suppose they mean by "serverssl setting" ?

Bryon H, Senior Technical Support Analyst
Top Expert 2010

Author

Commented:
i'll attach two wireshark pcap files...

local = from one server to the rdweb host - both servers are in the same domain, same switch, no firewalls, both logged in as domain admin
remote = from a remote ip address traversing the internet, nat thru the router upstream from the rdweb server

notice how it always says https checksum invalid

thoughts?


(wow EE really goes out of their way to block pcap files... even zipped, even zipped with a password)
local.cap.txt
remote.pcap.txt
Top Expert 2010

Commented:
Answering here: http:#a33161859 - If you look on page 16/17 of the manual you'll find where to add the health monitor and the pool spoken of on the link above.  I think you'll find the answer to question number two when you begin to set up the monitor.  If it doesn't, let me know and I'll assimilate more of the manual...>GRIN<!

Here's the manual they mention in the link:

http://www.f5.com/pdf/deployment-guides/windows-terminal-services08-dg.pdf


Answering here: http:#a33162053 - Check out the link regarding the TCP checksum offload errors in Wireshark.

http://www.techsupportforum.com/networking-forum/protocols-routing/248812-wireshark-question-tcp-checksum-offload.html


Hope this helps!



Bryon H, Senior Technical Support Analyst
Top Expert 2010

Author

Commented:
that does - i'll dig deeper in a bit

for what it's worth, if i create a custom RDP file for, say, winword.exe... and copy that to an unrelated machine outside of the network... then launch the rdp file, it connects perfectly fine and spawns winword locally (pulled from the server)

so the only thing not really working is the website that lists all the icons after a user logs in (not even the login page comes up, nothing)
Top Expert 2010

Commented:
when you say, "outside of the network" is that indicating NOT on the domain AND external to the firewall?  Or, is it NOT on the domain AND internal to the server?

Do you have the correct URL?  Ours is http://servername/TS.
Bryon H, Senior Technical Support Analyst
Top Expert 2010

Author

Commented:
outside the network i mean - not on the domain and external to the firewall/router

the url i'm using inside the firewall is https://server.domain.local/RDWeb
(server.domain.local resolves internally to the internal ipv4 address of the correct server)

the url i'm using outside the firewall off the domain is https://server.domain.com/RDWeb
(server.domain.com resolves externally to the outside ip address of this server, the router is natting 80 and 443 (and 3389) to the internal ip address)

the rules for natting 443 and 80 over to that server are identical to the rule for 3389, which does work... and wireshark running on the destination server does show traffic when i hit it from external (traversing the router)
Top Expert 2010

Commented:
So, regardless of where you are, the web site doesn't load, right?

Also, does your fortinet show any log errors when trying to access your TS website externally?
Top Expert 2010

Commented:
Also, from the server type the following in IE:  http://localhost/ts/

Please post what the results are.
Bryon H, Senior Technical Support Analyst
Top Expert 2010

Author

Commented:
http://localhost  =  404
http://localhost/ts/ = 404
https://localhost = redirects to https://server.domain.local/RDWeb/Pages/en-US/login.aspx?ReturnUrl=default.aspx - works perfectly
https://servername.domain.local/RDWeb (from itself) same as above, works great
https://localhost/RDWeb = same as above, works great
https://localhost/ts = same as above, works great
https://localhost/randomlettersherefkdjsafdkaswhatever = same as above, works great
http://servername = 404
http://servername.domain.local = redirects to the https above and works fine

from the server right next to it (same domain, same switch, no firewall):
(this is a little different now)
https://servername.domain.local/RDWeb = 404
https://servername/RDWeb = 404
http://servername/ = 404
http://servername.domain.local/ = 404
http://servername/ts = 404
https://servername/ts = 404

from outside the firewall, outside the domain:
http://wan.ip.add.res/ = 404
http://server.domain.com/ = 404
https://server.domain.com/ = 404
https://wan.ip.add.res/RDWeb = 404
https://wan.ip.add.res/ts = 404
Bryon H, Senior Technical Support Analyst
Top Expert 2010

Author

Commented:
sorry the first block above is (obviously) all done from the server itself, unless where indicated in the middle and at the end.

the fortigate i have dialed up to debug logging everything, but the logs don't show anything in "event" except for vpn initiations

for "attack" they're blank
for "antivirus" they show a bunch of really interesting stuff (see code Snippet ID=790840)
* note this is a sandbox environment and nothing should be going in or out of this as it's not published anywhere

for "web filter" it's blank
for "spam filter" it's blank

the rdweb remoteapp site only seems to work from the server itself
2 2010-07-08 08:46:50 notice 192.168.4.20 69.4.231.52 internal external The file wireshark-win64-1.2.9.exe exceeds size limit. 
3 2010-07-06 10:51:31 notice 192.168.4.21 64.208.126.81 internal external The file exceeds size limit. 
4 2010-07-02 02:13:07 notice 192.168.4.22 70.37.129.123 internal external The file E2K7SP3EN64.exe exceeds size limit. 
5 2010-07-02 02:11:56 notice 192.168.4.22 70.37.129.123 internal external The file Exchange2007-KB981383-x64-EN.msp exceeds size limit. 
6 2010-07-01 13:55:40 notice 192.168.4.10 64.211.144.171 internal external The file PCL5e-c_v8.70_WinXP-Win7_x64_INF.exe exceeds size limit. 
7 2010-07-01 13:55:30 notice 192.168.4.10 64.211.144.171 internal external The file PCL5e-c_6_v8.70_v6.70_Setup.exe exceeds size limit. 
8 2010-07-01 13:54:47 notice 192.168.4.10 216.239.116.79 internal external The file PCL5e-c_6_v8.30_v6.30_setup.exe exceeds size limit. 
9 2010-07-01 13:54:46 notice 192.168.4.10 216.239.116.79 internal external The file PCL5e-c_6_v8.30_v6.30_setup.exe exceeds size limit. 
10 2010-07-01 12:40:35 notice 192.168.4.10 64.239.246.15 internal external The file faxmaker14_x64.exe exceeds size limit. 
11 2010-07-01 12:40:29 notice 192.168.4.10 64.239.246.15 internal external The file faxmaker14.exe exceeds size limit. 
12 2010-07-01 11:59:47 notice 192.168.4.10 64.211.144.75 internal external The file AdbeRdrUpd933_all_incr.msp exceeds size limit. 
13 2010-07-01 11:53:00 notice 192.168.4.10 64.211.144.74 internal external The file AdbeRdr930_en_US.exe exceeds size limit. 
14 2010-07-01 11:52:56 notice 192.168.4.10 64.211.144.146 internal external The file gp.cab is infected with Suspicious. ref http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=quickSearchDirectly&virusName=Suspicious. 
15 2010-07-01 11:50:22 notice 192.168.4.10 64.239.246.15 internal external The file faxclient.exe exceeds size limit. 
16 2010-07-01 11:50:16 notice 192.168.4.10 64.239.246.15 internal external The file faxclient_x64.exe exceeds size limit. 
17 2010-07-01 10:43:44 notice 192.168.4.20 63.245.208.152 internal external The file thankyou.ogv exceeds size limit. 
18 2010-06-30 08:43:00 notice 192.168.4.20 63.245.208.152 internal external The file thankyou.ogv exceeds size limit. 
19 2010-06-30 08:42:59 notice 192.168.4.20 63.245.208.152 internal external The file thankyou.ogv exceeds size limit. 
20 2010-06-28 15:14:03 notice 192.168.4.21 167.68.46.140 internal external The file 86523.pdf exceeds size limit. 
21 2010-06-28 15:13:49 notice 192.168.4.21 167.68.46.140 internal external The file 86523.pdf exceeds size limit. 

(those public ip addresses are not mine)


Bryon H, Senior Technical Support Analyst
Top Expert 2010

Author

Commented:
from what i can tell, the "exceeds size limit" means it won't be scanned for viruses.  the device is a fortigate 50a, which is so old i can't buy support for it, the AV definitions are from early 2005

the wan to lan nat policies are not checkmarked for a "protection profile" so not scanned at all
i did find the default LAN to wan policy was checkmarked for the "web" "protection profile" and i disabled that right now, no difference though

besides, the server right next to it, not even touching the fortigate, can't get it :/

imma disable ipv6 on this r2 server and see what happens.  it scares me that it can't call itself localhost.. because localhost resolves to "::1"
Bryon H, Senior Technical Support Analyst
Top Expert 2010

Author

Commented:
ok this is weird... i had previously unchecked ipv6 and as such, ipconfig /all shows no ipv6 anything.

yet, localhost still resolves to ::1 (and replies)

wow?

hosts file is default, no lines are not #commented out

#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost

C:\Windows\System32\drivers\etc>
Top Expert 2010

Commented:
what's the exact error code and the error information?  404.8, 404.5....?
Top Expert 2010

Commented:
what i'm seeing is the removal of iis and TSWA and reinstalling them...what do you think about that?
Bryon H, Senior Technical Support Analyst
Top Expert 2010

Author

Commented:
when i turn off "Friendly http errors" (should be called "useless" instead),

from the outside of the network and off the domain, going to https://server.domain.com/RDWeb
it's not exactly 404 i see now...
"Cannot find server or DNS Error
Internet Explorer "

if i ping server.domain.com, it DOES resolve to the proper outside ip address, so it's not really a dns resolution issue, unless iis7 is telling it to redirect to the internal name maybe, and my dns can't (obviously) resolve the inside name?

from the internal server next to the host, if i go to https://server.domain.local/RDWeb, even after turning off friendly http errors, all it tells me is:

This problem can be caused by a variety of issues, including:
Internet connectivity has been lost.
The website is temporarily unavailable.
The Domain Name Server (DNS) is not reachable.
The Domain Name Server (DNS) does not have a listing for the website's domain.
If this is an HTTPS (secure) address, click Tools, click Internet Options, click Advanced, and check to be sure the SSL and TLS protocols are enabled under the security section.

this is while i'm remote desktopped into the neighboring server, so it's not an internet connectivity issue.
this happens even if i use the internal ip address, so not a dns issue
in internet options, all ssl options are checkmarked even ssl 2.0 and tls

rather than remove/reinstall tswa, i'm more apt to just remove it and give up at this point.

i've seen people reporting that under the same circumstances they have the same issue.  the circumstances that fit in this situation are:

- the host is a vmware virtual machine
- the host was "cloned" using sysprep via vmware
- the source for the clone was a straight installed server, no keycode, not activated, not on a domain (these were all added after the clone was alive)

seems something about the SID for the tsweb computer group may be hosed and from what i see basically unfixable, if that's the case

it seems like it should be a really easy fix though, almost like a simple checkmark somewhere, but that might not be the case
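
Added example (not part of any post in this thread): the results listed earlier mix real HTTP 404 responses with browser error pages that only looked like 404s until friendly errors were turned off. This Python script reports which layer fails first for a URL (DNS, TCP connect, TLS handshake, or the HTTP status itself) and which address the name resolved to, for example ::1 instead of 127.0.0.1. The function name `probe` and its parameters are assumptions made for illustration.

```python
import socket
import ssl
from urllib.parse import urlsplit

def probe(url, timeout=5.0, verify=True):
    """Return (stage, detail, address). stage is the first layer that failed
    ('dns', 'tcp', 'tls'), or 'http' with the numeric status code as detail."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    try:
        info = socket.getaddrinfo(u.hostname, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns", str(exc), None)
    addr = info[0][4][:2]  # first answer; for localhost this may be ::1
    try:
        sock = socket.create_connection(addr, timeout=timeout)
    except OSError as exc:  # refused, unreachable or timed out
        return ("tcp", str(exc), addr[0])
    try:
        if u.scheme == "https":
            ctx = ssl.create_default_context()
            if not verify:  # lab use only, e.g. a self-signed RDWeb certificate
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            try:
                sock = ctx.wrap_socket(sock, server_hostname=u.hostname)
            except (ssl.SSLError, OSError) as exc:
                return ("tls", str(exc), addr[0])
        req = (f"HEAD {u.path or '/'} HTTP/1.1\r\n"
               f"Host: {u.netloc}\r\nConnection: close\r\n\r\n")
        sock.sendall(req.encode("ascii"))
        status_line = sock.recv(4096).split(b"\r\n", 1)[0].decode("latin-1")
        parts = status_line.split()
        if len(parts) < 2 or not parts[1].isdigit():
            return ("http", "no valid status line", addr[0])
        return ("http", int(parts[1]), addr[0])  # a real 404 ends up here
    except OSError as exc:  # connection dropped or timed out after connect
        return ("tcp", str(exc), addr[0])
    finally:
        sock.close()

if __name__ == "__main__":
    # Placeholder names as written in the thread; substitute the real hosts.
    for url in ("https://server.domain.local/RDWeb", "http://localhost/ts/"):
        print(url, probe(url, verify=False))
```

Running it from the server itself, from the neighboring server, and from outside the router gives one comparable result per vantage point; a genuine IIS 404 comes back as ("http", 404, ...), while a blocked or unanswered port shows up as "tcp" or "tls".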


Top Expert 2010
Commented:
seems hard to pin down the issue.  i guess i'm thinking that a remove and reinstall of iis/tswa might clear things up.  certainly, when iis is responding to requests, it's not responding properly.
Bryon H, Senior Technical Support Analyst
Top Expert 2010

Author

Commented:
yeah i give up - i'm not reinstalling at this point.  no real solution but to reinstall - thanks for trying though
Top Expert 2010

Commented:
sure, sorry we couldn't come up with something positive.  thanks for the points!
