RESET Forums (homeservershow.com)

Anywhere Access wizard fails to complete after server move


marky9074

So I eventually moved a client onto the new HP Microserver build I've been working on for a while. It's been bulletproof for three months whilst I've been offshore, so I thought all was well. However, as soon as I moved the server to the client's office and updated their DNS record to point to the correct IP address, Anywhere Access does not work, and now the wizard fails saying that the ports are not open and/or there are multiple routers etc.

This is the topology:

            external IP (static IP 80.xxx.xxx.xxx)
                             |
            office VLAN IP (static IP 10.9.109.253, ALL ports open)
                             |
            Draytek router 2920n (WAN static IP 10.9.109.253 / LAN static IP 192.168.1.1 / ports 80 & 443 forwarded to 192.168.1.50)
                             |
            Server (LAN static IP 192.168.1.50)


The ports are open, and I have tested them fine (using various online port checkers; I've even disabled/enabled port forwarding on the router to check that it was not-working/working). In addition, I have managed to log in using a VPN, so I know that the routes are OK with nothing being blocked. So I am at a loss as to why Remote Web Access will not complete in the wizard. Is there any way to manually set this up? I've posted on TechNet, but know you guys will probably have some ideas too...

 

I tried the Draytek in bridged mode, but that did not make any difference. I also tried the autoconfigure using UPnP with the Draytek but that didn't make any difference either (so I went back to manual port forwarding as I am more comfortable with this). The reason I stuck the Draytek in-between is because there was no hardware (or software) firewall on the VLAN segment (plus it added wireless to the office as a bonus).

 

Thanks in advance..


Oh crap.. I didn't think of that. So the certificate is bound to the IP address and not the domain?

 

Not sure how to get the wizard to start again from scratch. I guess if I go in and delete the cert in MMC maybe it will restart the wizard?


Guest no-control

A publicly-signed certificate can have a CN (Common Name) that is an IP address rather than a FQDN (fully-qualified domain name), but that won't magically make the browser compare the CN with the IP address instead of with the requested hostname. So you need to generate a new certificate from either the domain host (with the correct public IP) or use your own CA, if you have one.

 

Assuming this is for 2012e go to the dashboard and click the link to configure anywhere access. This should relaunch the wizard.


Quality post no-control, one of those things you just never think about.... Glad I know now so I don't get caught out!


I don't have access to the server until tomorrow, but will post back the results. This must be the reason though, so thanks in advance  :D

 

I'm assuming that if I restart the configure the domain wizard it will go through the motions, then I can restart the repair for Anywhere Access. Still not found a way to roll back to the original wizard which would have gone through both at the same time (maybe I imagined it!)


So, this is going to happen every time the WAN IP changes?  I know that most domestic (US) IP addresses do not change nearly as often as they used to, in fact mine has not changed in over a year, but that thought did cross my mind.

 

Seems logical since this is a SMB product and you would think they would have a static IP address.


This just doesn't sound right at all. It's true that it is possible to send a certificate signing request using an IP address as the common name but not all certification authorities will accept them and those that do are supposed to ensure that you 'own' the IP address by doing some kind of RIPE lookup.

 

Anyway; like everyone else I used the wizard to generate a certificate for my 2012E server (presumably behind the scenes it is actually sending off a CSR and then auto installing the returned certificate). I've taken a look at the certificate using the MMC snap-in and the common name is my ......remotewebaccess.com DNS name, my server's internal name is listed as a SAN, but I can't see any reference to my public IP address and frankly I wouldn't expect to.

 

I'm sure that no-control is probably right and it is certificate related, especially if the OP has already managed to get a standard VPN connection through to it. I've moved a great many SBS 2003 and 2011 servers to new offices without breaking the certificates for Outlook Web Access, so I'm inclined to think it's just coincidence.

 

If still no luck, I'd be tempted to try putting the server onto the office VLAN subnet and trying again, i.e. take the Draytek out of the equation. Also, what is doing the routing between the WAN and the 10... subnet?

John
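The point no-control and John both circle around is how a client decides whether a certificate "belongs" to what it typed in the address bar: the requested name is compared against the certificate's dNSName / iPAddress SANs (falling back to the CN only when there are no SANs), and an IP literal only ever matches an iPAddress entry. The following script is an added example written for this thread, not code from the forum, from Windows Server Essentials or from any CA. The sample certificate is constructed to mirror what John saw in MMC (a remotewebaccess.com CN, the internal server name as a SAN, no public IP); `example.remotewebaccess.com` and `SERVER` are placeholder names, and the dict layout is the one Python's `ssl.SSLSocket.getpeercert()` returns so that `fetch_cert` can run the same check against a live server.

```python
"""Does a certificate cover the name a client will request?

Added example for the thread above; not code from the forum or from the
products it discusses. SAMPLE_CERT is constructed, with placeholder names.
"""
import ipaddress
import socket
import ssl

# Constructed sample in ssl.getpeercert() layout. Placeholder names only.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.remotewebaccess.com"),),),
    "subjectAltName": (
        ("DNS", "example.remotewebaccess.com"),
        ("DNS", "SERVER"),  # internal server name, as described in the thread
    ),
}


def cert_names(cert):
    """Return (dns_names, ip_names) the certificate identifies.

    SANs take precedence; the CN is consulted only when no SAN is present.
    """
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def _dns_match(pattern, host):
    """Case-insensitive match; a wildcard is honoured only as the leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def name_matches(cert, requested):
    """True if a client requesting `requested` would accept this certificate.

    An IP literal matches only an iPAddress SAN; a CN or dNSName that merely
    looks like an IP address does not count.
    """
    dns, ips = cert_names(cert)
    try:
        addr = ipaddress.ip_address(requested)
    except ValueError:
        return any(_dns_match(p, requested) for p in dns)
    return any(ipaddress.ip_address(i) == addr for i in ips)


def diagnose(cert, requested):
    """Human-readable verdict for one requested name."""
    dns, ips = cert_names(cert)
    if name_matches(cert, requested):
        return f"OK: {requested} is covered by the certificate"
    return (f"MISMATCH: {requested} not among dns={dns} ip={ips}; "
            "reissue the certificate for the name clients actually use")


def fetch_cert(host, port=443):
    """Fetch a live server's certificate for the same check (needs network).

    With a verifying context the handshake itself fails on a name mismatch,
    so that failure is the diagnosis; the error text is returned instead.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"error": str(exc)}


if __name__ == "__main__":
    # 80.0.0.1 is a constructed stand-in for the office's public IP.
    for name in ("example.remotewebaccess.com", "SERVER", "80.0.0.1"):
        print(diagnose(SAMPLE_CERT, name))
```

Run it as-is to see the sample verdicts, or call `diagnose(fetch_cert(host), host)` against a server you administer. The useful negative case is a certificate whose CN is an IP address: because the client treats an IP literal as an iPAddress-SAN lookup, that certificate fails for the IP it names, which is exactly why moving the server behind a different public address (or rather, changing the name clients resolve) calls for reissuing the certificate for the FQDN.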


Guest no-control

Was the first thing I thought of since he's already port forwarding (NAT?). He sounded knowledgeable so I was making the assumption he's checked the firewall port configuration and ensured proper VLAN tagging. (you did, didn't you? ;) ) It's not common but some domain services will bind the IP to the common name (along with the DNS record). I've only run into this issue when the ISP WAN is dynamic. This seemed similar, so, my suggestion. To cope with a dynamic WAN, IMO the easiest way is to have a DDNS service in place for the remote.domain.com THEN generate the certificate. Helps if the router/firewall/UTM has an option for DDNS as well.

 

This is all based off of my experiences and limited knowledge. Yea there's a limit folks...shocking  :o
