Anywhere Access Firewall/Port Error


I am trying to get Anywhere Access configured for remote web access on a newly configured (homelab) 2022 server standard.  I have installed WSEE using Mike’s installer.  I am trying to configure this using a Microsoft personalized domain. All seems to work well until the end of the setup where things are “verifying”. I get 4 errors at this stage:

  1. Error in firewall settings
  2. Verify that port 443 is open
  3. Certificate not available
  4. Error in Remote Desktop services settings

I have verified that I have port 80 and 443 forwarded to the server's static IP. I can make a sort of check of this by disabling port 80 forwarding, then the error 2 above also mentions no connectivity and port 443 AND port 80. So it seems the router forwarding is not the issue. Any ideas for what else to try?

Best Answer

Unfortunately, the remotewebaccess.com Microsoft personalized domain names are not currently working in Windows Server Essentials (and haven’t been for quite a while now). I’ve been communicating with Microsoft about the issues, but progress seems to have come to a standstill. Thus, if you want to use the Anywhere Access/Remote Web Access features in Essentials, then you’ll need to manually set up your own custom/vanity domain name instead.


Thank you Mike. I went ahead with the manual domain configuration and have made progress. I’ve got my domain and records published. I can get to a generic Windows Server Internet Information Services screen when navigating to my top level domain and remote subdomain from outside my home network (at work for example). Dynamic DNS seems to be working. I have also just purchased an SSL certificate and installed it on the server. I am left with only a single error now when trying to complete Anywhere Access configuration. See attached. I have checked via various online port checking websites (from the server) that ports 443 and 80 are open/accessible (I have forwarded them to the server static IP in my router). I don’t know how else to troubleshoot this error. Would you have any suggestions?

  • Matt Fuller answered 3 weeks ago

Thank you Mike.  Yes, I discovered that notice after further research.

I think I buried the lead though.  Seemingly irrelevant to this benign error (I am looking for any “smoking gun” 🙂 ), I am unable to get to the remote web access login screen:

  1. from any other computer (on the LAN or outside the LAN)
  2. from the expected web address format from within the server’s browser itself

I’ve been troubleshooting as best as my skills/research allow, and I suspect there must be something going on with IIS bindings (maybe?). I’ve tried to document different access scenarios in the attached screenshots.  Note: all of these screenshots are working directly from the server’s browser (not a different computer on the LAN). I can never get anywhere via “customdomain.com” nor “remote.customdomain.com”. I can only get somewhere using other addresses with “/remote” appended (which is not behavior I expected from the tutorial). None of these other methods however allow me to get the web access logon from another machine. Using the same addresses from another machine on the LAN always results in a 403-Forbidden: Access is Denied. I also notice that Edge (on the server) always reports the connections are not secure, as if the SSL certificate is not present.

Any suggestions?

  • Matt Fuller answered 3 weeks ago
  • Mike
    Yeah, those bindings for the Default Web Site are not correct… It looks like they’ve been manually edited, and you shouldn’t do that in Windows Server Essentials. The Anywhere Access config wizard automatically configures the bindings in IIS for you (and so there shouldn’t be any reason for you to manually configure/edit them). If you do mess about with them in IIS, then they end up becoming invalid due to an oddity/bug in Essentials. Your best bet would be to use the “Repair” button on the Anywhere Access tab of Settings in the server Dashboard and let it reconfigure all of the bindings for you (if that doesn’t fix them, then use the “Set up” button to completely redo the domain name again). When correct, there should be three bindings listed in IIS and their “Type” should always be shown in all uppercase letters (when they’ve been manually edited in IIS they’ll revert to lowercase letters and that causes issues in Essentials – which is weird I know):
      1) HTTP with binding information set to *:80:
      2) HTTPS with binding information set to *:443:
      3) HTTPS with binding information set to *:443:YOURSERVERNAME
    (and the HTTPS binding for *:443: should be set to use your “customdomain.com” SSL certificate – again though, do not manually edit this in IIS, rather always use the Anywhere Access wizard to do that for you instead).
  • Mike
    Additionally, it is by Microsoft’s design for you to have to use https://remote.customdomain.com/remote in order to get to the Essentials server’s built-in Remote Web Access website (in prior versions of Essentials, https://remote.customdomain.com would automatically redirect you there, but Microsoft removed that redirection in Essentials 2016 and so it will just go to the default IIS website instead).
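
A read-only way to compare the server's current bindings with the three Mike lists, as an added example that is not part of the thread or of Mike's tooling. It assumes the WebAdministration module is available, that YOURSERVERNAME equals `$env:COMPUTERNAME`, and that the case shown in IIS Manager's "Type" column is the case stored in the binding's `protocol` attribute.

```powershell
# Added example: inspects bindings only, changes nothing.
# Run in an elevated PowerShell session on the Essentials server.
Import-Module WebAdministration

$site     = 'Default Web Site'
$server   = $env:COMPUTERNAME   # assumption: this is the YOURSERVERNAME host header
$expected = @(
    @{ Protocol = 'http';  Info = '*:80:' },
    @{ Protocol = 'https'; Info = '*:443:' },
    @{ Protocol = 'https'; Info = "*:443:$server" }
)

$bindings = @(Get-WebBinding -Name $site)

foreach ($e in $expected) {
    # -eq ignores case, so the binding is found whatever its current casing
    $match = $bindings | Where-Object {
        $_.protocol -eq $e.Protocol -and $_.bindingInformation -eq $e.Info
    } | Select-Object -First 1

    if (-not $match) {
        Write-Warning "Missing binding: $($e.Protocol) $($e.Info)"
        continue
    }

    # Resolve the bound certificate (HTTPS only) to see which name it was issued for
    $cert = $null
    if ($match.certificateHash) {
        $certPath = "Cert:\LocalMachine\$($match.certificateStoreName)\$($match.certificateHash)"
        $cert = Get-Item -Path $certPath -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        Type          = $match.protocol
        Binding       = $match.bindingInformation
        UppercaseType = ($match.protocol -ceq $match.protocol.ToUpperInvariant())
        CertSubject   = $cert.Subject
        CertExpires   = $cert.NotAfter
    }
}

# Bindings beyond the three expected entries are listed for review
$bindings | Where-Object {
    $b = $_
    -not ($expected | Where-Object {
        $b.protocol -eq $_.Protocol -and $b.bindingInformation -eq $_.Info })
} | ForEach-Object {
    Write-Warning "Unexpected binding: $($_.protocol) $($_.bindingInformation)"
}
```

If a row is missing or shows `UppercaseType` as False, the fix described in the thread is the Anywhere Access "Repair" button, not an edit in IIS.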

Thank you very much Mike! Admittedly, I had been mucking about with the bindings, as I didn’t understand why there was originally (after the Essentials Anywhere Access wizard process) a second HTTPS port 443 binding with a certificate pointing back at my SERVERNAME. So I deleted that one and redid the http and https, thinking that’s all I needed. Understood now, I should have let the Essentials wizard handle it.

I ran the repair functionality from anywhere access and it re-established the original bindings.  A strange thing though, the http/port 80 binding still shows as lowercase. Any idea the impact of this? I can’t tell any negative consequence so far.

I don’t know why I didn’t detect it, but until you’ve pointed it out just now I never noticed the need to append /remote to the end of the URL when trying to navigate to the web access logon page. Must’ve been when I kept reading that sample URL I just figured remote.vanitydomain.com would do the job. The /remote suffix is never entered anywhere else in the Essentials wizard steps on essentials (just looking for excuses to explain why I missed it 🙂 ). I have now been able to navigate to the web access logon page from the server’s browser, from a Mac laptop on the LAN and from my iPhone not on the LAN. All is working now.

One final question; I notice that when I type remote.vanitydomain.com/remote from the Edge browser on the server, it automatically appends the https:// to the beginning of the URL and navigates straight away to the web access logon screen. Almost so fast I miss the URL updating itself. When I try the same action from Safari on my Mac laptop (still on the LAN), I get a 403 forbidden access error, and the https:// has not automatically been appended to the beginning of the URL. However when I specifically type https://remote.vanitydomain.com/remote from either the Mac or iPhone browsers, it navigates perfectly to the web access logon screen (and indicates it’s a secure connection). Would you think this is just a “feature” difference between Edge and Safari browsers?

Ideally, I’d love to be able to type remote.vanitydomain.com from any browser, and get to the web access logon screen. I am gathering from your last post, that it is not possible to manually create a redirection on the server from this to https://remote.vanitydomain.com/remote without breaking something else in Essentials? Is there anything with CNAME records that could help?

  • Matt Fuller answered 3 weeks ago
  • Mike
    Glad to hear that you got it working. ;-) I’m not exactly sure about the (lowercase) HTTP port 80 binding, but so long as you don’t see any negative consequences, and health alerts about Anywhere Access not being configured correctly don’t start popping up, then I’d imagine you’ll be fine. Personally, I don’t even forward port 80 through the router seeing as it’s not needed (since we only ever access the server securely over HTTPS/port 443).
  • Mike
    As for redirecting http to https… You will need to enable something called HTTP Strict Transport Security (HSTS) on your server in order to do that. If you’re running Windows Server 2025 (and maybe 2022 as well, but I don’t recall for that one off the top of my head), then it can easily be enabled via the “HSTS” task in IIS. Otherwise, you’ll have to do it manually via headers, a script, etc. (more info on that can be found by doing an Internet search on enabling that feature in IIS). BTW, I assume that the Edge browser must enable that functionality automatically, whereas Safari does not. See: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
  • Mike
    Alternatively, if you have my WSE RemoteApp add-in installed, then you can check the “Redirect ‘Default Web Site’ to ‘/remote’” and “Enable HTTP Strict Transport Security (HSTS)” checkboxes over on the “Security” tab of the “Remote Desktop Session Settings” task/feature (located on the main “WSE REMOTEAPP” page of the server Dashboard) to have it automatically enable both of those features for you. See: https://www.TheOfficeMaven.com/wp-content/uploads/2020/05/RDSessionSettingsSecurity.png
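
To see what the server itself returns for the plain-HTTP and HTTPS forms of the address, independent of any browser's behaviour, the following added example (not from the thread or from Mike's add-in) requests each URL without following redirects and reports the status code, any `Location` header and any `Strict-Transport-Security` header. The host name is the thread's placeholder and `Get-RwaResponse` is a hypothetical helper name.

```powershell
# Added example: read-only probe of the server's HTTP and HTTPS responses.
$HostName = 'remote.customdomain.com'   # placeholder from the thread; use your own name

function Get-RwaResponse {              # hypothetical helper name
    param([Parameter(Mandatory)][string]$Url)

    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method            = 'HEAD'
    $req.AllowAutoRedirect = $false     # show the redirect itself, do not follow it
    $req.Timeout           = 10000      # milliseconds

    $resp = $null
    try {
        $resp = $req.GetResponse()
    } catch {
        # 4xx/5xx answers (such as the 403 seen in the thread) surface as a
        # WebException that still carries the server's response
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        if ($ex) { $resp = $ex.Response }
    }

    if (-not $resp) {
        return [pscustomobject]@{ Url = $Url; Status = 'no response'; Location = $null; HSTS = $null }
    }
    try {
        [pscustomobject]@{
            Url      = $Url
            Status   = [int]$resp.StatusCode
            Location = $resp.Headers['Location']
            # Browsers act on this header only when it is received over HTTPS
            HSTS     = $resp.Headers['Strict-Transport-Security']
        }
    } finally {
        $resp.Close()
    }
}

foreach ($scheme in 'http', 'https') {
    foreach ($path in '/', '/remote') {
        Get-RwaResponse -Url "${scheme}://$HostName$path"
    }
}
```

Running it before and after enabling the redirect and HSTS options shows which of the four URLs changed status and which now carry the header.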