Solved

Windows Server 2012 Anywhere Access Setup

Posted on 2015-02-02
Last Modified: 2015-02-02
My main issue is that in the setup router phase, the following is reported back:

 1. UPnP is not enabled on the router
      It IS enabled in the router, which is a Draytek 2830
 2. There may be more than one router on your network.
      There isn't. Only one router is present.
 3. Anywhere Access to your server is blocked.
      I am assuming if I can get the UPnP working, then this will get reconfigured correctly? There are so many configurations in the 2830 regarding management on port 443, and various VPN and SSL config screens, I don't know where to start. I try forwarding port 443 to the server, but it warns me that 443 is already in use by the management screen. I try and change 443 in the management screen to another number, it warns me that SSL VPN needs it to be 443.

 Can somebody please help me get past this!

 Thanks
0
Question by:j jennings
15 Comments
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 500 total points
UPnP in the setup wizard *rarely* works right.
My recommendations are to disable management on the public/WAN interface. That'll free up port 443 *and* leaving it enabled is begging for a brute force hack.
You also cannot use a router based SSL VPN and AA at the same time on a simple router like the Draytek. So disable that as well. Then manually configure port forwarding. AA will work. You'll get the warnings about UPnP and, depending on other equipment on your network (like some UPnP capable media devices and printers) will trigger the "maybe multiple routers" warnings. They can be ignored as long as AA starts working.
0
 

Author Comment

by:j jennings
Thanks Cliff

OK, I will try these. The WAN management is not enabled, but it still has the port numbers specified in the setup page. So I have changed 443 in the HTTPS management to port 442, and then therefore had to change the SSL VPN page to use port 442 also. There is no way of turning off the SSL VPN setting that I can see. I am hoping this will do it. I am now able to add the port forward for port 443 to the server. The various VPN sections have all now been disabled.

However, I still can't connect to the AA site.

I am assuming I need to also forward port 80? So I have the same issue with port 80 as I did with 443. In the management section, the HTTP port is set up as port 80. I am thinking I will change this to 81 to enable me to forward 80 to the server. Do you see issues with this? I guess I can always still access the router setup page using x.x.x.x:81

Anything else I might need to do?

Thanks
0
 
LVL 56

Expert Comment

by:Cliff Galiher
You don't actually need to forward port 80 for AA. It just makes it more convenient if users forget to use https, it auto-redirects. So if you are unable to access AA via HTTPS, you still have another configuration problem with the Draytek.
0
 

Author Comment

by:j jennings
OK

So I've tried all the above and can confirm that AA is now working! So thank you very much.

However, I am not able to get the remote desktop to various workstations working through the AA interface.
It complains about the security certificate not being trusted and will not allow me to bypass this.

I followed a guide some time ago which I used to generate a certificate from the server itself. I've installed this and it enabled me to get past this in the setup of AA some time ago.

I can however remote desktop (I've forwarded 3389) directly from my PC to the server, and although it again complains the certificate cannot be trusted, it allows me to ignore this and to connect anyway.

We need our users to be able to connect to their PCs for remote working from home, via the AA site. We're only a small company with 5 people and we don't want the expense of purchasing a real certificate. We used to do this OK with our old 2003 server which this replaces. I am assuming this is going to be possible or do we need to get a *real* certificate? It doesn't matter to us that it comes up as untrusted, because we know what we're connected to.

Thanks for any further advice.
0
 
LVL 56

Expert Comment

by:Cliff Galiher
Essentials does not do the self-signed certificates like older SBS servers did. If you did not use a Microsoft domain when you ran the internet configuration wizard and instead chose to use a custom domain, you'll need to complete the process with a valid trusted 3rd party cert. At $10/year, that is no longer considered a significant enough financial hurdle for continued support of self-signed certificates.
0
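
A check for the two points discussed so far, added here as an example and not part of any post in this thread: whether the port 443 forward lands on the server rather than on the router's own HTTPS service, and whether the certificate presented is trusted by the client's certificate store. `remote.example.com` is a placeholder for the Anywhere Access host name, and the function name is hypothetical.

```powershell
# Added example. Inspects the certificate served on a TLS port and reports
# how this client's trust store judges it. Nothing here comes from the thread.
function Get-RemoteTlsCertificateStatus {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )

    $script:tlsPolicyErrors = $null
    # Let the handshake finish even for an untrusted certificate so it can be
    # inspected; the verdict Windows reached is recorded, not overridden.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($o, $c, $ch, $errors)
        $script:tlsPolicyErrors = $errors
        $true
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }

    [pscustomobject]@{
        Subject      = $cert.Subject          # who answered on this port
        Issuer       = $cert.Issuer
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        NotAfter     = $cert.NotAfter
        # None                            = trusted chain and matching name
        # RemoteCertificateChainErrors    = issuer not trusted by this client
        # RemoteCertificateNameMismatch   = certificate is for another host name
        PolicyErrors = $script:tlsPolicyErrors
    }
}

# Placeholder host name; substitute the public name users type for AA.
Get-RemoteTlsCertificateStatus -HostName 'remote.example.com' | Format-List
```

Run it from a machine outside the LAN. A Subject that names the router instead of the server means the forward is not reaching the server, and any PolicyErrors value other than None is the condition that blocks the remote desktop connection through the AA site.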
 

Author Comment

by:j jennings
OK

I did choose custom domain. Are you saying I can re-run the website configuration and choose a Microsoft domain?
How will this work? Will it link our AA to a Microsoft based URL? Is this fee paying also? Not looking to scrimp on $10, just wanting to consider options as I don't really know how this works.

Thanks for your continued advice. Much appreciated.
0
 
LVL 56

Expert Comment

by:Cliff Galiher
It does register a new record with Microsoft's domain servers and Essentials runs a dynamic DNS service to keep that record pointed at your public IP. It also requests and generates a publicly trusted certificate. No fee.
0

 

Author Comment

by:j jennings
Thanks Cliff

I will try and set that up now then. Will be back to you if I encounter any issues, or close the post accepting your answers.

Thank you very much
0
 

Author Comment

by:j jennings
Oh, it appears if I do this it may break the email access? Or at least that's what it is suggesting.

"If you do not need advanced features, such as email, you can setup a personalised domain name ..."

Our email is hosted by MS presently, we subscribe to Office 365 Small Business.
Will making this change break anything?
0
 
LVL 56

Expert Comment

by:Cliff Galiher
The O365 integration wizard does also build on the choices made in that wizard. So yes, you can break O365 integration. Given your environment, it sounds like you'll need to buy a certificate.
0
 

Author Comment

by:j jennings
Ok Thanks.

Any recommendations on a certificate provider?
0
 
LVL 56

Expert Comment

by:Cliff Galiher
I try to avoid recommending vendors. Too many conflicts of interest.
0
 

Author Comment

by:j jennings
:) well I've never looked into it so I don't know the first place to start
0
 
LVL 56

Expert Comment

by:Cliff Galiher
Google, Bing, altavista....terms like SSL certificate....
0
 

Author Comment

by:j jennings
right you are ...

thanks for your help
0
