Solved

Windows Server 2012 Anywhere Access Setup

Posted on 2015-02-02
Last Modified: 2015-02-02
My main issue is that in the setup router phase, the following is reported back:

 1. UPnP is not enabled on the router
      It IS enabled in the router, which is a Draytek 2830.
 2. There may be more than one router on your network.
      There isn't. Only one router is present.
 3. Anywhere Access to your server is blocked.
      I am assuming if I can get the UPnP working, then this will get reconfigured correctly? There are so many configurations in the 2830 regarding management on port 443, and various VPN and SSL config screens, I don't know where to start. I try forwarding port 443 to the server, but it warns me that 443 is already in use by the management screen. I try and change 443 in the management screen to another number, it warns me that SSL VPN needs it to be 443.

 Can somebody please help me get past this!

 Thanks
0
Question by:j jennings
 
LVL 58

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 40585051
UPnP in the setup wizard *rarely* works right.
My recommendations are to disable management on the public/WAN interface. That'll free up port 443 *and* leaving it enabled is begging for a brute force hack.
You also cannot use a router-based SSL VPN and AA at the same time on a simple router like the Draytek. So disable that as well. Then manually configure port forwarding. AA will work. You'll get the warnings about UPnP and, depending on other equipment on your network (like some UPnP-capable media devices and printers), you will trigger the "maybe multiple routers" warnings. They can be ignored as long as AA starts working.
0
 

Author Comment

by:j jennings
ID: 40585142
Thanks Cliff

OK, I will try these. The WAN management is not enabled, but it still has the port numbers specified in the setup page. So I have changed 443 in the HTTPS management to port 442, and then therefore had to change the SSL VPN page to use port 442 also. There is no way of turning off the SSL VPN setting that I can see. I am hoping this will do it. I am now able to add the port forward for port 443 to the server. The various VPN sections have all now been disabled.

However, I still can't connect to the AA site.

I am assuming I need to also forward port 80? So I have the same issue with port 80 as I did with 443. In the management section, the HTTP port is set up as port 80. I am thinking I will change this to 81 to enable me to forward 80 to the server. Do you see issues with this? I guess I can always still access the router setup page using x.x.x.x:81

Anything else I might need to do?

Thanks
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40585174
You don't actually need to forward port 80 for AA. It just makes it more convenient if users forget to use https, it auto-redirects. So if you are unable to access AA via HTTPS, you still have another configuration problem with the Draytek.
0

 

Author Comment

by:j jennings
ID: 40585180
OK

So I've tried all the above and can confirm that AA is now working! So thank you very much.

However, I am not able to get the remote desktop to various workstations working through the AA interface.
It complains about the security certificate not being trusted and will not allow me to bypass this.

I followed a guide some time ago which I used to generate a certificate from the server itself. I've installed this and it enabled me to get past this in the setup of AA some time ago.

I can however remote desktop (I've forwarded 3389) directly from my PC to the server, and although it again complains the certificate cannot be trusted, it allows me to ignore this and to connect anyway.

We need our users to be able to connect to their PCs for remote working from home, via the AA site. We're only a small company with 5 people and we don't want the expense of purchasing a real certificate. We used to do this OK with our old 2003 server which this replaces. I am assuming this is going to be possible or do we need to get a *real* certificate? It doesn't matter to us that it comes up as untrusted, because we know what we're connected to.

Thanks for any further advice.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40585187
Essentials does not do the self-signed certificates like older SBS servers did. If you did not use a Microsoft domain when you ran the internet configuration wizard and instead chose to use a custom domain, you'll need to complete the process with a valid trusted 3rd party cert. At $10/year, that is no longer considered a significant enough financial hurdle for continued support of self-signed certificates.
0
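
One way to see which certificate the forwarded port 443 actually presents, and whether a client would trust it, as an added example that is not part of the original thread. `Test-AaCertificate` is a hypothetical function name and `remote.example.com` is a placeholder host name.

```powershell
# Added example. 'remote.example.com' is a placeholder, not a host from this thread.
function Test-AaCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [int] $Port = 443
    )

    $seen = @{}   # filled in by the validation callback below
    # Diagnostic callback: record what validation found, then accept the
    # certificate so it can be inspected. Never use this in a real client.
    $inspect = {
        param($s, $certificate, $chain, $policyErrors)
        $seen.PolicyErrors = $policyErrors
        if ($chain) { $seen.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status }) }
        $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] $inspect

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            # Name mismatch and chain errors, judged against this machine's trust store
            PolicyErrors = $seen.PolicyErrors
            ChainStatus  = $seen.ChainStatus -join ', '
            Trusted      = ($seen.PolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

Test-AaCertificate -HostName 'remote.example.com'
```

Run it from a machine outside the office network so the connection passes through the router's port forward. A `Subject` that belongs to the router rather than the server means port 443 is still answered by the router, and any `PolicyErrors` value other than `None` is the untrusted-certificate condition discussed in this thread.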
 

Author Comment

by:j jennings
ID: 40585191
OK

I did choose custom domain. Are you saying I can re-run the website configuration and choose a Microsoft domain?
How will this work? Will it link our AA to a Microsoft based URL? Is this fee paying also? Not looking to scrimp on $10, just wanting to consider options as I don't really know how this works.

Thanks for your continued advice. Much appreciated.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40585203
It does register a new record with Microsoft's domain servers and Essentials runs a dynamic DNS service to keep that record pointed at your public IP. It also requests and generates a publicly trusted certificate. No fee.
0
 

Author Comment

by:j jennings
ID: 40585209
Thanks Cliff

I will try and set that up now then. Will be back to you if I encounter any issues, or close the post accepting your answers.

Thank you very much
0
 

Author Comment

by:j jennings
ID: 40585212
Oh, it appears if I do this it may break the email access? Or at least that's what it is suggesting.

"If you do not need advanced features, such as email, you can setup a personalised domain name ..."

Our email is hosted by MS presently, we subscribe to Office 365 Small Business.
Will making this change break anything?
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40585218
The O365 integration wizard does also build on the choices made in that wizard. So yes, you can break O365 integration. Given your environment, it sounds like you'll need to buy a certificate.
0
 

Author Comment

by:j jennings
ID: 40585230
Ok Thanks.

Any recommendations on a certificate provider?
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40585234
I try to avoid recommending vendors. Too many conflicts of interest.
0
 

Author Comment

by:j jennings
ID: 40585239
:) Well, I've never looked into it so I don't know the first place to start
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40585243
Google, Bing, altavista....terms like SSL certificate....
0
 

Author Comment

by:j jennings
ID: 40585250
right you are ...

thanks for your help
0
