August, 2008


  • Care, Share and Grow!

    Troubleshooting TS Gateway connectivity on Windows 2008, IIS 7.0


    Here is something which is not my domain but which I had to learn the hard way. I recently encountered an issue while enabling Terminal Services Gateway (TSG) on a Windows 2008 server. TSG is coupled with IIS 7.0 hosted on the Windows 2k8 server, and that's how I came into the picture. In simple terms, TSG is a feature with which one can connect remotely from the Internet to an internal network over the secure HTTPS port 443. Earlier, Remote Desktop Protocol (RDP) connections used TCP port 3389, and in many corporate environments this port may be blocked by the firewall. Now that TSG connects on port 443 (the common SSL port for HTTP traffic), users should not run into the common problem of the port being blocked. In my case we had TSG installed as one of the roles on the server, and the setup was fine.
    The only concern was that we were already using the Default Web Site for another application. It can also happen the other way round: you have TSG set up on an IIS 7 web site, and if you go ahead and install, let's say, Exchange on top of it under the same site, it may break the TSG functionality.

    When you install TSG, it creates two virtual directories called Rpc and RpcWithCert under the web site as shown below.

    image

    Under the hood it appears a call is made to http://<server-name>:443/rpc/rpcproxy.dll?localhost:3388 when you try to connect through TSG, so IIS is very much involved here.

    Now, what can you do to fix this? You can install your web application (say Exchange) on some other web site with a different SSL port, like 444, and have the TSG site listening on port 443. Or else do just the opposite.

    In my case we went with the second option, since we didn't want Exchange to be reinstalled.
    But even if you use one of the above options, it may not go as smoothly as it looks.

    You may see the error shown below when you try to use Terminal Services through TSG.

    image Click on OK...

    image

    If you are seeing something like this, as a workaround create a new web site and copy the settings for the virtual directories /Rpc and /RpcWithCert from the previous site to the new web site. You can do this easily by copying the configuration in the applicationHost.config file.

    Here are the steps:

    1. Copy the following configuration (in the applicationHost.config file under C:\<Windows>\System32\inetsrv\config) from the previous site to the new site, to add the virtual directories to your new web site.

    <site name="<new-web-site>" id=...>
        ...
        <application path="/Rpc" applicationPool="SomeAppPool">
            <virtualDirectory path="/" physicalPath="C:\Windows\System32\RpcProxy" />
        </application>
        <application path="/RpcWithCert" applicationPool="SomeAppPool">
            <virtualDirectory path="/" physicalPath="C:\Windows\System32\RpcProxy" />
        </application>
        ...
    </site>

    This will create two virtual directories in your new web site, called Rpc and RpcWithCert.

    image

    Add an SSL binding for the new Web site on port 443 as well. Ensure no other site is listening on port 443.

    2. Copy the following from the previous web site in the applicationHost.config file to the new web site.

    This is the section contained in the location tags for the virtual directories /Rpc and /RpcWithCert. You need to copy this section from the location tags for <previous-web-site> and add it as location tags for <new-web-site>.

    <location path="<previous-web-site>/Rpc">
        <system.webServer>
            <directoryBrowse enabled="false" showFlags="Date, Time, Size, Extension" />
            <handlers accessPolicy="Execute">
                <add name="RPCPROXY" path="*" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\system32\RpcProxy\RpcProxy.dll" requireAccess="Execute" />
            </handlers>
            <serverRuntime uploadReadAheadSize="0" />
            <defaultDocument enabled="true" />
            <modules>
                <add name="PasswordExpiryModule" />
            </modules>
            <security>
                <requestFiltering>
                    <requestLimits maxAllowedContentLength="2147483648" />
                </requestFiltering>
                <authentication>
                    <anonymousAuthentication enabled="false" />
                    <basicAuthentication enabled="false" />
                    <windowsAuthentication enabled="true" useKernelMode="false" />
                </authentication>
                <access sslFlags="Ssl, Ssl128" />
            </security>
            <httpErrors>
                <remove statusCode="401" />
                <error statusCode="401" path="C:\Windows\system32\RpcProxy\Error401.txt" responseMode="File" />
            </httpErrors>
        </system.webServer>
    </location>
    <location path="<previous-web-site>/RpcWithCert">
        <system.webServer>
            <directoryBrowse enabled="false" showFlags="Date, Time, Size, Extension" />
            <handlers accessPolicy="Execute">
                <add name="RPCPROXY" path="*" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\system32\RpcProxy\RpcProxy.dll" requireAccess="Execute" />
            </handlers>
            <defaultDocument enabled="true" />
            <security>
                <authentication>
                    <anonymousAuthentication enabled="false" />
                    <basicAuthentication enabled="false" />
                    <clientCertificateMappingAuthentication enabled="true" />
                    <digestAuthentication enabled="false" />
                    <windowsAuthentication enabled="false" useKernelMode="false" />
                    <iisClientCertificateMappingAuthentication enabled="true" />
                </authentication>
                <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert, Ssl128" />
                <requestFiltering>
                    <requestLimits maxAllowedContentLength="2147483648" />
                </requestFiltering>
            </security>
            <serverRuntime uploadReadAheadSize="0" />
            <modules>
                <add name="PasswordExpiryModule" />
            </modules>
            <httpErrors>
                <remove statusCode="401" />
                <error statusCode="401" path="C:\Windows\system32\RpcProxy\Error401.txt" responseMode="File" />
            </httpErrors>
        </system.webServer>
    </location>


    3. Ensure that you replace <previous-web-site> with <new-web-site> in the following tags above:

    <location path="<previous-web-site>/RpcWithCert"> -----> <location path="<new-web-site>/RpcWithCert">

    <location path="<previous-web-site>/Rpc">  -----> <location path="<new-web-site>/Rpc">

    4. Run iisreset from the cmd prompt. It may also work with just restarting the W3SVC service (net stop w3svc, net start w3svc).

    Go ahead and test RDP over TSG from the client. If it still doesn't work, you may have to try step 5 below.

    5. Add the following registry entry. Run this from the cmd prompt:
    > reg add HKLM\Software\Microsoft\RPC\RpcProxy /v Website /t REG_SZ /d <new-web-site>

    One last thing: ensure that the certificate issued to the TS Gateway server is trusted on the client from which you are doing the terminal login.
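    To check that steps 1 to 4 actually landed in applicationHost.config before you start testing from the client, here is an added audit script (my own example, not part of the post): it parses a copy of the file and reports, for a given site name, which of the post's settings are missing: the /Rpc and /RpcWithCert virtual directories on the RpcProxy folder, the https binding on 443 (and no other site also bound to 443), the <location> sections under the new site name, the RPCPROXY handler, anonymous authentication disabled, and the sslFlags (client certificate required on /RpcWithCert). The site name TSGateway and the abridged sample config embedded below are constructed for the demo; the registry value from step 5 is not checked.

```python
import xml.etree.ElementTree as ET

# Path of the RpcProxy ISAPI extension, as it appears in the post's handler entry.
RPCPROXY_DLL = r"C:\Windows\system32\RpcProxy\RpcProxy.dll"


def _port(binding):
    """Port from an IIS bindingInformation string such as '*:443:' (ip:port:host)."""
    parts = binding.get("bindingInformation", "").split(":")
    return parts[1] if len(parts) >= 2 else ""


def audit_tsg_site(config_xml, site):
    """Audit applicationHost.config text for a TS Gateway site migrated as in the post.
    Returns a list of findings; an empty list means every checked step is in place."""
    root = ET.fromstring(config_xml)
    findings = []
    target = None
    for s in root.iterfind("system.applicationHost/sites/site"):
        on_443 = [b for b in s.iterfind("bindings/binding")
                  if b.get("protocol") == "https" and _port(b) == "443"]
        if s.get("name") == site:
            target = s
            if not on_443:
                findings.append("no https binding on port 443 for %r" % site)
        elif on_443:
            findings.append("site %r also listens on 443 (port conflict)" % s.get("name"))
    if target is None:
        return ["site %r not found" % site]

    for app in ("/Rpc", "/RpcWithCert"):
        # Step 1: the application's root virtual directory must point at the RpcProxy folder.
        a = target.find("application[@path='%s']" % app)
        vdir = a.find("virtualDirectory[@path='/']") if a is not None else None
        if vdir is None or not vdir.get("physicalPath", "").lower().endswith("\\rpcproxy"):
            findings.append("%s: application/virtual directory missing or not on RpcProxy" % app)
        # Steps 2-3: a <location> for the NEW site name carrying the handler and security settings.
        loc = root.find("location[@path='%s%s']" % (site, app))
        ws = loc.find("system.webServer") if loc is not None else None
        if ws is None:
            findings.append('%s: no <location path="%s%s"> section (steps 2-3 not done?)' % (app, site, app))
            continue
        handler = ws.find("handlers/add[@name='RPCPROXY']")
        if handler is None or handler.get("scriptProcessor", "").lower() != RPCPROXY_DLL.lower():
            findings.append("%s: RPCPROXY handler missing or wrong scriptProcessor" % app)
        anon = ws.find("security/authentication/anonymousAuthentication")
        if anon is None or anon.get("enabled", "").lower() != "false":
            findings.append("%s: anonymous authentication not disabled" % app)
        access = ws.find("security/access")
        flags = {f.strip() for f in (access.get("sslFlags", "") if access is not None else "").split(",")}
        need = {"Ssl", "Ssl128"} | ({"SslRequireCert"} if app == "/RpcWithCert" else set())
        if not need <= flags:
            findings.append("%s: sslFlags lack %s" % (app, ", ".join(sorted(need - flags))))
    return findings


def _location(site, app, extra_flags=""):
    """Constructed <location> block mirroring the post's settings (abridged for the demo)."""
    return """
  <location path="%s%s">
    <system.webServer>
      <handlers accessPolicy="Execute">
        <add name="RPCPROXY" path="*" verb="*" modules="IsapiModule"
             scriptProcessor="C:\\Windows\\system32\\RpcProxy\\RpcProxy.dll" requireAccess="Execute" />
      </handlers>
      <security>
        <authentication><anonymousAuthentication enabled="false" /></authentication>
        <access sslFlags="Ssl, %sSsl128" />
      </security>
    </system.webServer>
  </location>""" % (site, app, extra_flags)


# Constructed sample: Exchange-style site moved to 444, TSGateway site holding 443.
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/"><virtualDirectory path="/" physicalPath="C:\\inetpub\\wwwroot" /></application>
        <bindings><binding protocol="http" bindingInformation="*:80:" />
                  <binding protocol="https" bindingInformation="*:444:" /></bindings>
      </site>
      <site name="TSGateway" id="2">
        <application path="/"><virtualDirectory path="/" physicalPath="C:\\inetpub\\tsg" /></application>
        <application path="/Rpc" applicationPool="DefaultAppPool">
          <virtualDirectory path="/" physicalPath="C:\\Windows\\System32\\RpcProxy" /></application>
        <application path="/RpcWithCert" applicationPool="DefaultAppPool">
          <virtualDirectory path="/" physicalPath="C:\\Windows\\System32\\RpcProxy" /></application>
        <bindings><binding protocol="https" bindingInformation="*:443:" /></bindings>
      </site>
    </sites>
  </system.applicationHost>%s%s
</configuration>""" % (_location("TSGateway", "/Rpc"),
                      _location("TSGateway", "/RpcWithCert", "SslNegotiateCert, SslRequireCert, "))


if __name__ == "__main__":
    import sys
    # Usage: python tsg_audit.py <site-name> [path\to\applicationHost.config]
    site = sys.argv[1] if len(sys.argv) > 1 else "TSGateway"
    # The real file is saved with a UTF-8 BOM, which utf-8-sig strips.
    text = open(sys.argv[2], encoding="utf-8-sig").read() if len(sys.argv) > 2 else SAMPLE_CONFIG
    for line in audit_tsg_site(text, site) or ["OK: %r looks correctly migrated" % site]:
        print(line)
```

    Run it against a copy of the server's applicationHost.config with the new site name as the first argument; with no arguments it audits the embedded sample. A stale location path still carrying the previous site name shows up as the "steps 2-3 not done?" finding, which is exactly the mistake step 3 of the post guards against.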

    Happy troubleshooting!

    Cheers Martini Glass


    My IIS 6.0 Mobile Manager - Manage your Web Sites and Application Pools through a mobile device from anywhere...


    In May this year I wrote a Web application with which you can manage basic IIS settings through a Web browser from anywhere. Here is another application which I feel brings more convenience to the end user (Web administrators, in this case), since with it you can manage IIS from a mobile phone.

    These are the features available in this Mobile web application.

    Application Pool related activities

    · Check the current Application Pool(s) state/identity

    · Recycle/Start/Stop Application Pool(s)

    · Change Application Pool(s) identity

    Web Site related activities

    · Start/Stop Web Site(s)

    · Check the current Web Site state and configuration settings such as the Web Site physical path, server bindings, secure bindings, authentication method, SSL accessibility, Application Pool, etc.

    IISRESET

    · At times the only way to recover from a problem is to restart the IIS services. You can restart all IIS services (IISADMIN, SMTP and the World Wide Web Publishing service) from anywhere through this application.


    Pre-requisites

    · You need to have the .NET Framework 2.0 installed on the IIS 6.0 web server.

    Steps to deploy the application

    1. Download the ZIP file from the URL linked with this post.

    2. Extract all the contents to some physical folder on the IIS Web server.

    3. Create a new Web Site (or a new Virtual Directory under any of your existing Internet-facing Web sites) and point it to this physical path for the extracted files/folders.

    4. ***ENSURE that you create a new Application Pool for this Web Site/Virtual Directory and put the application under it. That way this application will not interfere with any of your existing web applications running on the server.

    5. Open the web.config file associated with this application and modify the <appSettings> to reflect the name of your Application Pool and the name of the Web site under which this Mobile Web application is running [the attached ZIP file also contains a Word document with detailed deployment steps].

    6. This application is built using ASP.NET 2.0 Mobile controls and WMI called from .NET, and supports most WAP-enabled browsers.

    Here are some screen captures of this application, taken in an emulator.

    image

    Application Pool related usage.

     image image

    Web Site related usage.

    image image image

    IISRESET

    image

    When you reset IIS, you won't be able to browse to the Web application for a few seconds to a minute or so, depending on how long it takes for the IIS services to stop and start back up.

    If you try to access the site in this interval, you will see the following error:

    image


    Hope this makes it more convenient to take care of the bare-minimum action items for your IIS web sites from anywhere in the world.

    Until next time, cheers Martini Glass

    ***This is provided "AS IS".



    Links for download:

    IIS Mobile manager: http://cid-d6e3b4cd95f9d0f2.skydrive.live.com/self.aspx/Public/Mobile%20IIS%20Mananger%20resources/MobileIISManager.rar

    Steps for deployment: http://cid-d6e3b4cd95f9d0f2.skydrive.live.com/self.aspx/Public/Mobile%20IIS%20Mananger%20resources/Steps%20for%20Deployment-Mobile%20IIS%20manager.doc

    *It should also be available in a few days at http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1720
