How did Windows 2012 R2 Essentials use VPN, RDG and RD Web Access on a single 443 port?

Jurgen Verhelst 331 Reputation points
2022-02-13T17:36:35.047+00:00

Hi,

Trying to figure out how W2012 R2 Essentials was able to use the Remote Desktop access web page on port 443, but also have the RD Gateway use that port AND even the VPN access for clients all use that single port.

Especially the VPN is mysterious, as SSTP also uses port 443. How is the port listener managing all this?

I am setting up a POC where RDG/RDWA would live together with remote access SSTP VPN (like the Essentials server actually did). Anyone tried this or found problems with this setup?


7 answers

  1. Limitless Technology 39,931 Reputation points
    2022-02-14T17:57:22.743+00:00

    Hello @Jurgen Verhelst

    It all depends on the payload information and request that is being transmitted through that port. Initially RD Gateway can understand and route the web application and serve the traffic to the correct service. However, it is always recommended to set a different port in case there is another application that would use it.

    Initially this setting can be done in:

    Open RD Gateway Manager (Server Manager>Tools>Remote Desktop Services>Remote Desktop Gateway Manager):

    1. Right-click the Remote Desktop Gateway server name and select Properties.
    2. Select the Transport Settings tab.
    3. Modify the HTTPS port number and click OK.

    In the following forum thread it is also explained how to achieve it using PowerShell:

    https://learn.microsoft.com/en-us/answers/questions/242458/changing-default-rds-web-access-port.html

    Hope this helps with your query,

    ---------
    --If the reply is helpful, please Upvote and Accept as answer--


  2. Jurgen Verhelst 331 Reputation points
    2022-02-15T15:44:12.92+00:00

    Hi @Limitless Technology ,

    Thanks for the reply. I know how to change the port on the RDG/RDWA setup, but do not want to. I am more interested in how RAS/NPS was able to set up SSTP VPN on the same 443 port in the Essentials server role, as I cannot see any information related to TCP ports in the RAS manager.

    The reason is that an old 2012 R2 Essentials customer with just a MicroServer is migrating to the cloud with 2019 full servers (Essentials is not there anymore). I do not want to set up a server for RDG and a separate server for VPN, as then we would need two IPs and two SSL certs (or a more expensive wildcard). So I want to share the same server, same IP, same port and same SSL cert remote.customer.com, as the Essentials server managed to do.

    So how does RAS/Remote Access/SSTP VPN work on a port already used by RDG/RDWA?


  3. Gary Nebbett 6,216 Reputation points
    2022-02-15T16:19:04.36+00:00

    Hello @Jurgen Verhelst ,

    Any client connecting to a well-known port (like TCP port 443) needs to make some effort to communicate using the application level protocol expected at that port. In the case of TCP port 443, this is TLS and some HTTP version.

    The SSTP client does this and uses the URI /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ to connect to the SSTP server; the other services that you mentioned will use different URIs.

    The command netsh http show urlacl (issued on the server) will show which URLs have been registered.

    Gary


  4. Jurgen Verhelst 331 Reputation points
    2022-02-16T00:14:17.27+00:00

    @Gary Nebbett AMAZING. Never heard of this before. And your netsh parameters did explain a great deal.

    The SSTP VPN is indeed shown using:

    Reserved URL            : https://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/
            User: NT SERVICE\SstpSvc
                Listen: Yes
                Delegate: Yes


    And the Remote Desktop Gateway shows as:

    Reserved URL            : https://+:443/remoteDesktopGateway/
            User: BUILTIN\Administrators
                Listen: No
                Delegate: Yes

    1. So when an RD connector is connecting to that same FQDN on port 443, it also provides "remoteDesktopGateway" as the URI or application-level protocol (what is the tech name of that last part), and when a VPN connection is trying to connect, it will use the sra_{BA195980-CD49-458b-9E23-C84EE0A} ?
    2. I do not see any of the Essentials websites like /connect /rdweb /remote in that list. Am I correct in assuming HTTPS web browser traffic does not use a URI or application-level protocol?
    3. So you think I can go ahead and try to set up the RAS via cert = SSTP on an RDG/RDWA server? And the RAS server will just register that URI extension in the urlacl list? Or did the Essentials developers still do some other under-the-hood stuff to make it work on the same server?

  5. Gary Nebbett 6,216 Reputation points
    2022-02-16T09:17:14.74+00:00

    Hello @Jurgen Verhelst ,

    Yes, each "request" to port 443 on the server includes a path like "remoteDesktopGateway" or "sra_{BA195980-CD49-458b-9E23-C84EE0A" or "connect", etc.

    The command netsh http show servicestate gives more information about the configuration and state of the HTTP service on the server. You probably won't see "connect" or "rdweb" in the output because they are probably part of the URL namespace served by IIS, but you should see a registration for IIS and requests to "connect", etc. will be routed there.

    Yes, I think that you can run all of those services on a single server. Just install or enable the services "normally" (no special steps needed).

    Gary

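As an added example for the two answers above (not code from the thread or from any Microsoft tool), a small Python parser for the netsh http show urlacl listing that resolves which reservation HTTP.sys would hand a given request to on the shared 443 port, using the longest registered prefix. The SSTP and RD Gateway entries in the sample are the ones quoted above; the https://+:443/ catch-all is an assumed extra reservation added to show where paths nobody has claimed end up.

```python
"""Resolve which `netsh http show urlacl` reservation HTTP.sys would route a request to."""
import re
from urllib.parse import urlsplit

# Constructed sample in the format quoted above: the SSTP and RD Gateway entries
# are the thread's; https://+:443/ is an ASSUMED catch-all added for illustration.
SAMPLE_URLACL = r"""
    Reserved URL            : https://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/
        User: NT SERVICE\SstpSvc
            Listen: Yes
            Delegate: Yes
    Reserved URL            : https://+:443/remoteDesktopGateway/
        User: BUILTIN\Administrators
            Listen: No
            Delegate: Yes
    Reserved URL            : https://+:443/
        User: NT AUTHORITY\SYSTEM
            Listen: Yes
            Delegate: No
"""

def parse_urlacl(text):
    """Turn the netsh listing into dicts with url/user/listen/delegate keys."""
    entries, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Reserved URL"):
            current = {"url": line.split(":", 1)[1].strip()}
            entries.append(current)
        elif current and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return entries

def _prefix(url):
    """Split https://+:443/remoteDesktopGateway/ into (scheme, port, lowercase path)."""
    m = re.match(r"(https?)://[^/:]+:(\d+)(/.*)", url)
    return m.group(1), int(m.group(2)), m.group(3).lower()

def route(entries, request_url):
    """Longest matching reserved prefix on the request's scheme and port (HTTP.sys best-match)."""
    u = urlsplit(request_url)
    port = u.port or (443 if u.scheme == "https" else 80)
    path = (u.path or "/").lower()
    matches = [e for e in entries if _prefix(e["url"])[:2] == (u.scheme, port)
               and path.startswith(_prefix(e["url"])[2])]
    return max(matches, key=lambda e: len(_prefix(e["url"])[2]), default=None)

def catch_alls(entries, port):
    """Root ('/') reservations on a port: every path no service has claimed lands here."""
    return [e for e in entries if _prefix(e["url"])[1:] == (port, "/")]
```

Run it against the real output of netsh http show urlacl on the server to see which account owns the root reservation, since that is the one that receives every request none of the specific services has reserved.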
