Windows Server 2012 Anywhere Access Setup

My main issue is that in the setup router phase, the following is reported back:

 1. UPnP is not enabled on the router
      It IS enabled in the router, which is a Draytek 2830
 2. There may be more than one router on your network.
      There isn't. Only one router is present.
 3. Anywhere Access to your server is blocked.
      I am assuming if I can get the UPnP working, then this will get reconfigured correctly? There are so many configurations in the 2830 regarding management on port 443, and various VPN and SSL config screens, I don't know where to start. I try forwarding port 443 to the server, but it warns me that 443 is already in use by the management screen. I try and change 443 in the management screen to another number, it warns me that SSL VPN needs it to be 443.

 Can somebody please help me get past this!

 Thanks
j jenningsowner Asked:
 
Cliff Galiher Commented:
UPnP in the setup wizard *rarely* works right.
My recommendations are to disable management on the public/WAN interface. That'll free up port 443 *and* leaving it enabled is begging for a brute force hack.
You also cannot use a router based SSL VPN and AA at the same time on a simple router like the Draytek. So disable that as well. Then manually configure port forwarding. AA will work. You'll get the warnings about UPnP and, depending on other equipment on your network (like some UPnP capable media devices and printers) will trigger the "maybe multiple routers" warnings. They can be ignored as long as AA starts working.
 
j jenningsowner Author Commented:
Thanks Cliff

OK, I will try these. The WAN management is not enabled, but it still has the port numbers specified in the setup page. So I have changed 443 in the HTTPS management to port 442, and then therefore had to change the SSL VPN page to use port 442 also. There is no way of turning off the SSL VPN setting that I can see. I am hoping this will do it. I am now able to add the port forward for port 443 to the server. The various VPN sections have all now been disabled.

However, I still can't connect to the AA site.

I am assuming I need to also forward port 80? So I have the same issue with port 80 as I did with 443. In the management section, the HTTP port is set up as port 80. I am thinking I will change this to 81 to enable me to forward 80 to the server. Do you see issues with this? I guess I can always still access the router setup page using x.x.x.x:81

Anything else I might need to do?

Thanks
 
Cliff Galiher Commented:
You don't actually need to forward port 80 for AA. It just makes it more convenient if users forget to use https, it auto-redirects. So if you are unable to access AA via HTTPS, you still have another configuration problem with the Draytek.
 
j jenningsowner Author Commented:
OK

So I've tried all the above and can confirm that AA is now working! So thank you very much.

However, I am not able to get the remote desktop to various workstations working through the AA interface.
It complains about the security certificate not being trusted and will not allow me to bypass this.

I followed a guide some time ago which I used to generate a certificate from the server itself. I've installed this and it enabled me to get past this in the setup of AA some time ago.

I can however remote desktop (I've forwarded 3389) directly from my PC to the server, and although it again complains the certificate cannot be trusted, it allows me to ignore this and to connect anyway.

We need our users to be able to connect to their PCs for remote working from home, via the AA site. We're only a small company with 5 people and we don't want the expense of purchasing a real certificate. We used to do this OK with our old 2003 server which this replaces. I am assuming this is going to be possible or do we need to get a *real* certificate? It doesn't matter to us that it comes up as untrusted, because we know what we're connected to.

Thanks for any further advice.
 
Cliff Galiher Commented:
Essentials does not do the self-signed certificates like older SBS servers did. If you did not use a Microsoft domain when you ran the internet configuration wizard and instead chose to use a custom domain, you'll need to complete the process with a valid trusted 3rd party cert. At $10/year, that is no longer considered a significant enough financial hurdle for continued support of self-signed certificates.
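
A way to check the state discussed in the replies above, as an added example that is not part of the thread or any participant's post: run from outside the network, it reports which of the ports named in the thread answer on the public address and whether the certificate served on 443 is trusted and matches the host name. `remote.example.com` is a placeholder, the function names are hypothetical, and Windows PowerShell 5.1 is assumed.

```powershell
# Added example; run from a PC OUTSIDE the office network (Windows PowerShell 5.1).
# 'remote.example.com' is a placeholder for your own Anywhere Access host name.
$AaHost = 'remote.example.com'
# Ports from the thread: 443 = AA; 442 and 81 = moved router management ports;
# 3389 = direct RDP forward (AA carries remote desktop over 443, so it is not needed).
$Expected = [ordered]@{ 443 = 'Open'; 442 = 'Closed'; 81 = 'Closed'; 3389 = 'Closed' }

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try { return ($client.ConnectAsync($HostName, $Port).Wait($TimeoutMs) -and $client.Connected) }
    catch { return $false }          # refused or unreachable
    finally { $client.Close() }
}

function Get-TlsCertificateReport {
    param([string]$HostName, [int]$Port = 443)
    $state = @{ Errors = $null; Cert = $null }
    # Record what Windows thinks of the certificate, then let the handshake
    # finish so the details can be reported. Nothing is sent over the session.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $state.Errors = $errors
        $state.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert
        $true
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        [pscustomobject]@{
            Subject    = $state.Cert.Subject
            Issuer     = $state.Cert.Issuer
            SelfSigned = ($state.Cert.Subject -eq $state.Cert.Issuer)
            NotAfter   = $state.Cert.NotAfter
            Trusted    = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
            Errors     = $state.Errors   # e.g. name mismatch, chain errors
        }
    } finally { $client.Close() }
}

foreach ($e in $Expected.GetEnumerator()) {
    $actual = if (Test-TcpPort $AaHost $e.Key) { 'Open' } else { 'Closed' }
    '{0,5}  expected {1,-6} actual {2,-6} {3}' -f $e.Key, $e.Value, $actual,
        $(if ($actual -eq $e.Value) { 'OK' } else { 'CHECK ROUTER' })
}
if (Test-TcpPort $AaHost 443) { Get-TlsCertificateReport $AaHost | Format-List }
```

A certificate generated on the server itself shows `SelfSigned : True` and `Trusted : False` with `RemoteCertificateChainErrors`; a publicly trusted certificate issued for the AA host name shows `Trusted : True`.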
 
j jenningsowner Author Commented:
OK

I did choose custom domain. Are you saying I can re-run the website configuration and choose a Microsoft domain?
How will this work? Will it link our AA to a Microsoft based URL? Is this fee paying also? Not looking to scrimp on $10, just wanting to consider options as I don't really know how this works.

Thanks for your continued advice. Much appreciated.
 
Cliff Galiher Commented:
It does register a new record with Microsoft's domain servers and Essentials runs a dynamic DNS service to keep that record pointed at your public IP. It also requests and generates a publicly trusted certificate. No fee.
 
j jenningsowner Author Commented:
Thanks Cliff

I will try and set that up now then. Will be back to you if I encounter any issues, or close the post accepting your answers.

Thank you very much
 
j jenningsowner Author Commented:
Oh, it appears if I do this it may break the email access? Or at least that's what it is suggesting.

"If you do not need advanced features, such as email, you can setup a personalised domain name ..."

Our email is hosted by MS presently, we subscribe to Office 365 Small Business.
Will making this change break anything?
 
Cliff Galiher Commented:
The O365 integration wizard does also build on the choices made in that wizard. So yes, you can break O365 integration. Given your environment, it sounds like you'll need to buy a certificate.
 
j jenningsowner Author Commented:
Ok Thanks.

Any recommendations on a certificate provider?
 
Cliff Galiher Commented:
I try to avoid recommending vendors. Too many conflicts of interest.
 
j jenningsowner Author Commented:
:) Well, I've never looked into it so I don't know the first place to start
 
Cliff Galiher Commented:
Google, Bing, AltaVista....terms like SSL certificate....
 
j jenningsowner Author Commented:
right you are ...

thanks for your help
Question has a verified solution.