Freigeben über


Installing Direct Access in WIN2008R2+TMG machine broke SSL publishing rules

If you install Direct Access(Calling it DA) in a TMG machine you should be aware that by default Direct Access is going to bound port 443 to all interfaces.

You get a specific event on eventvwr application log because of this:

Event Source: Microsoft Firewall
Event ID: 14090
Server publishing rule [HTTPS] that maps IP:443 TCP to
IP:443 for protocol [HTTPS Server] was unable to bind a socket for the server. The server publishing rule cannot be applied.

By doing in command line:

netstat -ano |findstr :443

you are going to get displayed:
0.0.0.0:443
[::]:443

System with PID 4 is the owner for these entries.

You should make sure that DA is configured specifically to an External IP not used by any TMG listener otherwise you are going to get the error.

How to do that?

https://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-How-configure-Forefront-TMG-DirectAccess-Server.html

https://blogs.technet.com/b/isablog/archive/2009/09/23/forefront-tmg-and-windows-7-directaccess.aspx

 What was the problem we faced:

IP-HTTPS creates a listener that bounds port 443 to all interfaces. We need to make sure that IP-HTTPS uses a specific IP.

This is achieved by doing:

netsh http add iplisten ipaddress=<non-conflicting IP address>”

Q. Can I configure IP-HTTPS and Forefront TMG SSL publishing on the same machine?

A. Both IP-HTTPS and Forefront TMG SSL publishing use port 443 (HTTPS). In order to prevent a port conflict you need to make sure that IP-HTTPS is configured to listen to a different IP address than Forefront TMG.

This can be done by running the following command: “netsh http add iplisten ipaddress=<non-conflicting IP address>

==

If you want to remove the DA and have TMG publishing rules working as fast as possible:

make sure you have the console installed for DA.

Unconfigure DA.

Make sure listener for IP-HTTPS is deleted:

netsh http del sslcert 0.0.0.0:443

netsh http del sslcert [::]:443