Remote Web Access suddenly stopped working!

  • Question

  • Hi guys,

    I've been running WHS2011 for a number of years and Remote Web Access hasn't presented a problem at all - until a few weeks ago, when it suddenly stopped working.

    To my knowledge, I hadn't changed anything around the time it stopped working.

    However, over the years, I have changed the following:

    1. Upgraded to new hardware but retained the same xxxxx.homeserver.com domain name

    2. Upgraded to a new router (Netgear R7000 flashed with dd-wrt).

    3. Changed ISP, as well as physical technology (from Optus Cable to FTTC NBN via Aussie Broadband)

    4. Installed various pieces of software while forwarding the ports necessary - all worked

    None of these things have ever caused me any issues.  So what could have happened?

    I have tried every option available in the "Remote Web Access" section in the WHS2011 Dashboard, and have tried everything I can find via google.

    I thought it might be easiest if I start again with suggestions from people with knowledge of this issue.  Please let me know what to do and I'll do it and post logs!

    Any help is much appreciated!

    Saturday, June 22, 2019 1:57 AM

Answers

  • Looking at the entirety of the Carrier-grade NAT article at Wikipedia, I see the below paragraph. If your ISP has recently implemented CGN, maybe that's why your problem began??

    Carrier-grade NAT usually prevents the ISP customers from using port forwarding, because the network address translation (NAT) is usually implemented by mapping ports of the NAT devices in the network to other ports in the external interface. This is done so the router will be able to map the responses to the correct device; in carrier-grade NAT networks, even though the router at the consumer end might be configured for port forwarding, the "master router" of the ISP, which runs the CGN, will block this port forwarding because the actual port would not be the port configured by the consumer. In order to overcome the former disadvantage, the Port Control Protocol (PCP) has been standardized in the RFC 6887.

    Don

    • Marked as answer by benro2 Wednesday, July 3, 2019 1:53 PM
    Saturday, June 29, 2019 3:35 PM

All replies

  • Not much detail on the symptoms here. What does 'stopped working' mean?

    1. Does your homeserver.com name resolve to your home address? Check https://www.whatismyip.com/ to find your ip then ping your xxx.homeserver.com domain to see if it matches up.

    2. Do you have any other device on your LAN that answers to web page requests? You could temporarily forward http/s requests through your router to see if that works?

    3. Did you set a static address on the WHS, maybe via a DHCP reservation?  Perhaps it's changed from where the port forwarding is going.  Enter ipconfig at a command prompt on the WHS.

    4. I'd look at the router very carefully. You can try Shieldsup at https://www.GRC.com to verify that the ports are open. Once you get to the ShieldsUp page, click on the 'common ports' button just under the dark blue bar.

    5. Here's a link to info on setting up your router to forward ports: https://portforward.com/netgear/nighthawk-r7000/

    Don

    Saturday, June 22, 2019 6:44 PM
  • Hi Don,

    Apologies, I deliberately kept the detail level low initially so that I could start again clean.  Otherwise, my post would've been 10 pages long :) Thanks for the reply BTW!

    1. So I have tried whatismyip.com and tried pinging the IP address it displays, plus my homeserver.com address. I tried this both from this PC and my server (both on same LAN). Pinging my homeserver.com address resolved to the IP address reported on whatismyip.com, but neither the address nor the IP returned the ping from either computer.

    2. I don't believe so. My server is the only computer on the network setup to respond to my homeserver address - I don't run any other webpages etc from any other computer - if this is what you meant? For your 2nd question, do you mean to forward the 80 and 443 ports through to my server? If so, this is already done.

    3. Yes, I have a static IP set on the WHS, and it is done on the WHS itself, not the router. It is outside the DHCP IP address range on the router. I can ping this IP from my local PC.

    4. I tried the "Common Ports" link as requested and this is the result:

    Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113, 
                                119, 135, 139, 143, 389, 443, 445, 
                                1002, 1024-1030, 1720, 5000
    
        0 Ports Open
        0 Ports Closed
       26 Ports Stealth
    ---------------------
       26 Ports Tested
    
    ALL PORTS tested were found to be: STEALTH.
    
    TruStealth: FAILED - ALL tested ports were STEALTH,
                       - NO unsolicited packets were received,
                       - A PING REPLY (ICMP Echo) WAS RECEIVED.

    5. Thanks for the link, but I am sure the port forwards are not the problem, as these have all been working previously. I have a number of web services that were accessible from outside my LAN prior to this sudden loss of remote connectivity, and I never touched the port forwards.  The ONLY thing I have changed AFTER this connectivity problem was to add the forwarding of ports 80 and 443 to my WHS, as the MS doco says to do.  However, prior to adding these 2 port forwards, I was able to navigate to my homeserver.com address and see the webpage that WHS publishes that displays a login screen, which then allows me to look through the shared files on the WHS, etc.  I had also forwarded the 3389 RDP port and thus could RDP directly into my WHS using the homeserver.com address.  After the connectivity loss, I tried enabling UPnP on my router and re-ran the Remote Web Access router wizard on my WHS, and could see the 80 and 443 ports it added to my router (only in the UPnP forwarding section).  This obviously didn't help, so I removed its entries from the UPnP section and manually forwarded those ports in my "regular" port forwarding area, which is where they remain now.

    At a guess, it seems to me that somehow my external IP hasn't correctly been associated with my homeserver.com address - if this is even possible?

    Thanks again for the help!

    Sunday, June 23, 2019 1:26 AM
  • Hi,

    Please try to open Remote Web Access webpage via IE, separately from different devices, external client system, internal client system and WHS itself, please confirm that if one of them can successfully access the webpage.

    If failed, please provide the detail error message on the webpage, or, capture a screenshot if possible.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, June 24, 2019 7:46 AM
  • Hi Eve, thanks for your reply.

    As you have suggested, I have tried accessing my homeserver webpage via IE on the WHS itself, from a PC on the same network, and from a PC outside the network, and none of them resolved the page!  There was no error message either - it just says "This page can't be displayed".

    I am not sure if this is of any use to you?

    Tuesday, June 25, 2019 1:15 PM
  • So your homeserver.com dynamic name is correctly resolving to your home's external address - that's good. But the GRC scan showed that neither http nor https ports are open - not good. Can you browse to the WHS LAN IP address from your PC inside your LAN? If you can, then the port forwarding is wrong. If you can't, then maybe there's a firewall issue or something else on the WHS.

    My suggestion about another web server was to change the port forwarding temporarily to another device inside your LAN that answers to a web request.  This would see if the router's firewall and port forwarding would allow that type of traffic in.  Maybe you have a Raspberry Pi, a Windows machine with IIS enabled, or anything with a web server.

    Update: I just saw your previous response to the MS contingent staff.  This answers my question above.  So you need to get the WHS open to web accesses again.  If you can't get to the web page from inside your LAN, you'll never get there from outside.  You might eventually have to reinstall WHS if you can't identify a firewall or other issue.

    Don


    • Edited by Don A. _ Tuesday, June 25, 2019 7:37 PM improvement
    Tuesday, June 25, 2019 7:35 PM
  • Hi,

    If possible, try to manually re-start World Wide Web Publishing Service and check the result.

    Best Regards,
    Eve Wang


    Wednesday, June 26, 2019 7:03 AM

  • I think I did something a bit stupid last time I checked my homeserver address from within my network!  I was using my homeserver.com address... but when I use the WHS IP address (using https), the webpage does show up.  Both from the WHS itself and another PC on my LAN.

    So it looks like this is a port forwarding or firewall issue - which is what has me baffled - nothing has changed!  I will have to try a web service on another PC another time as it's quite late here.

    I have just tried re-entering the HTTP and HTTPS port forwards in the "port forwarding" area (rather than the "port range forwarding" area) and rebooted the router. But no change.  I have left UPnP disabled.  I have tried rerunning the RWA wizard but same thing as before, no luck.

    Eve, I also restarted the WWW Publishing Service, thanks.

    Edit: I also just tried temporarily disabling the Windows Firewall on all types of networks.  Still nothing!
    • Edited by benro2 Wednesday, June 26, 2019 1:48 PM
    Wednesday, June 26, 2019 1:46 PM
  • Here's a link to dd-wrt's port forwarding troubleshooter. Those suggestions should help.  I'll also list the page about setting it up although I'm sure you've looked at it recently - I would compare their screen shots against your setup.

    https://forum.dd-wrt.com/wiki/index.php/Port_Forwarding_Troubleshooting

    https://forum.dd-wrt.com/wiki/index.php/Port_Forwarding


    Don

    Wednesday, June 26, 2019 8:02 PM
  • Hi,

    How are things going with this issue?

    Please let me know if you would like further assistance.

    Best Regards,
    Eve Wang  


    Friday, June 28, 2019 3:26 AM
  • Hi Eve, thanks for the assistance.  I'm still stuck, but have gotten a little further.  I've done some more testing and will reply to Don's message shortly.  Thanks!
    Saturday, June 29, 2019 1:26 AM
  • Hi again Don,

    Thanks for the links.  I read through both, and have attempted some of the tests in the Port Forward Troubleshooting page.  I think I have uncovered something interesting...

    So I'll go through my results to the suggestions on that page.

    Checking WAN IP: in my router, it showed up as 119.18.0.100.  This has now changed - I rebooted my NBN device which gave me a new IP, which is now displaying on the WAN page of the router.  It is now 100.92.64.100.

    Testing loopback: I installed nmap on a PC on the same LAN as my WHS and did the suggested tests, for e.g. "nmap -sT -sU -p 8989 100.92.64.100".  This comes back with TCP being "open" and UDP being "closed", which are the results I'm expecting, looking at one of my forwarded ports.

    Then I tried the same test but using my homeserver.com address, and it always comes back with "filtered" for TCP and "open|filtered" for UDP, no matter whether I try a forwarded port or not.  I can try any random port, same result.

    I tried disabling the router's firewall with/without disabling the WHS' firewall - no difference.

    Note that I tried nmap pointing to my homeserver.com address *before* rebooting my NBN device and getting a new external IP (i.e. when my external IP was 119.18.0.100 - and had been for some weeks).  Same result - nothing open.

    So to summarise the nmap results:

    1. Old IP address: open

    2. Old IP address, testing homeserver.com address: filtered

    3. New IP address: open

    4. New IP address, testing homeserver.com address: filtered

    5. New IP address, disabling port forwarding to port 8989: closed

    6. New IP address, re-enabling port forwarding to port 8989: open

    I also tried ports 80, 443 and a random port (say 444 for example).  It correctly shows "open" for 80 and 443, and "filtered" for port 444.  It always displays "closed" for any UDP tests, as I haven't forwarded any UDP ports - so this is correct.

    I can also confirm that it is neither the router's firewall nor the WHS firewall that is causing any problems - all tests above done with both enabled.

    I also tried navigating to the web service running on port 8989, plus my WHS page using IE, using my new external IP (100.92.64.100) - I can see both!  I then tried my homeserver.com address for both 8989 and the WHS page (https or port 443 obviously) - nothing.

    So would you agree that my port forwarding is correct, and that it is the DDNS to my homeserver.com address that is failing?

    Now - if you agree, I am unsure what to do about the DDNS part :)  I cannot get the WHS RWA wizard to configure anything without errors!  However, interestingly, *after* my RWA had broken, but *before* I had written on this forum, the RWA wizard was displaying the incorrect external IP address (at the time, 119.18.0.100, which I think hadn't changed for some weeks beforehand).  I did something (cannot remember) and I did have the external IP displaying correctly, but of course, RWA still wouldn't work.  My domain name was also displaying the correct homeserver.com address.  I suspect there is some disconnect in there - and now the wizard never completes anyway.

    The only thing I can think of, if the WHS RWA wizard cannot be fixed, if I want to retain my homeserver.com address, is that I could use my router to do this for me.  I have found the part that does this (Setup > DDNS) and have found the relevant wiki config instructions page however I cannot really understand what I would put where.  Are you able to help with this?  Here's the wiki page: https://forum.dd-wrt.com/wiki/index.php/DDNS#Custom_.28URL_Updates.29

    Thanks again for your help and patience!

    Edit: interestingly, both before and after rebooting my NBN device and getting a new external IP, whatismyipaddress.com displays "119.18.0.100".  Note that this is still the same even after getting a new external IP.  My router did also display "119.18.0.100" prior to the new IP, and now it displays "100.92.64.100", which is correct.  I assume this is just because there may be some sort of delay that is causing the discrepancy between the whatismyipaddress.com website and my router?
    • Edited by benro2 Saturday, June 29, 2019 1:57 AM
    Saturday, June 29, 2019 1:51 AM
  • You had a lot of info there but I'm going to go back to the beginning and repeat this route that I've noted earlier:
    1. Identify your LAN internal address for the WHS which you say you have statically configured. Let's say it's 192.168.1.20. From a browser PC inside your LAN try https://192.168.1.20/. You should get a warning message because you're accessing it not using the domain name that the security certificate shows. Continue past the warning to get the login page. This will show that the WHS is working and will access remote access. If you can't get this far, you'll never have remote access from the Internet.
    2. Find your actual WAN address using whatismyip.com (or another similar site). Let's say it's 68.23.24.xx.
    3. From a command prompt, ping your WHS domain name. Let's say it's example.homeserver.com. The output will show the ip address that domain resolves to and should be the same as from step 2. If it differs, then the dynamic name setup in WHS is messed up. Maybe whatever method MS uses to update the address gets trapped by a firewall in WHS or your router or your ISP has some kind of proxy server that's confounding things.
    4. From a browser outside your LAN (maybe a friend's PC or your smartphone while using wireless network) try https://example.homeserver.com/. If step 1 worked but this doesn't, then the port forwarding or a firewall would seem to be to blame even though you've stated that you have checked it.

    You mentioned 100.92.64.100; this is in a reserved, private network block that is labeled Carrier-grade NAT. From tracerouting from me to 119.18.0.100, it appears that you are near Sydney AU. I'm using Comcast in the US and am not familiar with Carrier-grade NAT (see Wikipedia article) so cannot tell you what that represents. But it is a non-routable address that wouldn't be your WAN address.

    I don't know why you're discussing port 8989. That is listed as Sun Web Server SSL Admin Service. Maybe you have a Sun server on your network?? I don't think it's of interest here.

    As far as an alternate DDNS service, I don't think you can replicate in your router what MS is doing to trigger the homeserver.com domain update as it isn't publicly documented. You could set up another DDNS - I use subdomains at no-ip.com and changeip.com - both offer free DDNS accounts. I have my router (ASUS RT-AC86U) set to keep both updated via an account at DNS-o-matic. But, remember that since you would not be using the homeserver.com address on which the SSL certificate is based, you would always get the security warnings you saw in step 1 above. It would be much better to solve your problem.

    I'm not familiar with dd-wrt but maybe it keeps access logs that would show that the https request was received and then properly forwarded. I doubt that I can be of further help and would refer you back to the dd-wrt troubleshooting page. Perhaps there's a dd-wrt forum that could advise you. And you could always try reinstalling WHS although that would be a pain.

    Lastly, I'll remind you that WHS 2011 will stop getting security updates early in 2020 so you should be working now on finding a replacement for it. (I'm experimenting with FreeNAS.)

    Don

    Saturday, June 29, 2019 3:22 PM
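The check that pins down this failure, as an added example (not code from any poster or from Microsoft): compare the WAN address the router reports with the address an external site sees and the address the DDNS name resolves to. Function names and finding codes are hypothetical; the sample addresses are the ones quoted in the thread.

```python
import ipaddress

# RFC 6598 shared address space, used by ISPs for carrier-grade NAT.
CGNAT_BLOCK = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means another NAT sits upstream.
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical finding codes with a short explanation for each.
EXPLANATIONS = {
    "wan_behind_cgnat": "Router WAN is in 100.64.0.0/10: the ISP's NAT holds the "
                        "public address, so forwards on this router are unreachable.",
    "wan_behind_private_nat": "Router WAN is an RFC 1918 address: an upstream "
                              "device is doing NAT and needs its own forwards.",
    "wan_differs_from_public": "Router WAN is not the address the Internet sees: "
                               "something upstream rewrites the source address.",
    "ddns_stale": "The DDNS name resolves to an address other than the one the "
                  "Internet sees: the dynamic DNS update is not getting through.",
    "ok": "Router WAN, externally seen address and DDNS record all agree.",
}


def classify(addr):
    """Return 'cgnat', 'private', 'public' or 'special' for an IP address string."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT_BLOCK:
        return "cgnat"
    if any(ip in block for block in PRIVATE_BLOCKS):
        return "private"
    return "public" if ip.is_global else "special"


def diagnose(router_wan, seen_externally, ddns_resolved):
    """Compare the three addresses and return a list of finding codes."""
    findings = []
    kind = classify(router_wan)
    if kind == "cgnat":
        findings.append("wan_behind_cgnat")
    elif kind == "private":
        findings.append("wan_behind_private_nat")
    elif ipaddress.ip_address(router_wan) != ipaddress.ip_address(seen_externally):
        findings.append("wan_differs_from_public")
    if ipaddress.ip_address(ddns_resolved) != ipaddress.ip_address(seen_externally):
        findings.append("ddns_stale")
    return findings or ["ok"]


if __name__ == "__main__":
    # Addresses as reported in the thread: router WAN page, what-is-my-IP site,
    # and the address the homeserver.com name resolved to.
    for code in diagnose("100.92.64.100", "119.18.0.100", "119.18.0.100"):
        print(code, "-", EXPLANATIONS[code])
```

A scan of the router's own WAN address run from inside the LAN only exercises the router's NAT, so it can report forwarded ports as open even when nothing can reach them through the ISP's NAT.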
  • Hi Don,

    Good news!  It's all back working now!  You were right - my ISP had converted me over to CG-NAT... without warning and without explaining that it would break port forwarding!

    I wrote to them explaining the situation and they have now given me back a non-CG-NAT IP address :)  Within half a day I could start to see notifications coming through from one of my messaging apps that runs on a VM on my WHS.  I got home, rebooted the router etc. to make sure I had a clean start, and it's been fine ever since.

    Regarding EOL for WHS2011, thanks for the heads up.  I've actually bought a more serious "proper" rackmount Supermicro server with ESXi installed on it and will run Server 2016 Essentials as one of the VMs.

    Port 8989 is just a port that one of my web services listens on.  It was just the easiest for me to check, that's all.

    Just wanted to thank you for your help and patience - it's much appreciated!  I'm not sure I would've even thought about CG-NAT if you hadn't mentioned it.

    Ben

    Tuesday, July 2, 2019 1:41 PM
  • Glad it's all working for you now.  Please mark my reply as an Answer.

    Server Essentials 2016 will be an interim fix for you; here's a heads-up about Server Essentials 2019 from an MS page:

    Windows Server Essentials Experience Role has been deprecated
    The Windows Server Essentials Experience Role has been removed from all server SKUs, including Windows Server 2019 Essentials. This means that the Administrative Dashboard that used to be the core feature for Essentials Experience Role is no longer accessible and all management and configuration must be completed manually.

    With Server Essentials Experience Role deprecation, the following features are no longer available:

    Client backup
    Remote web access

    These are features I depend on. As I said, I'm looking at FreeNAS for file sharing and backups. My ASUS RT-AC86U router has a built-in OpenVPN server that will let me do remote accesses from any client anywhere.  Good luck to you.


    • Edited by Don A. _ Tuesday, July 2, 2019 3:09 PM formatting
    Tuesday, July 2, 2019 3:07 PM
  • Hi Don, I've marked the CG-NAT reply as the answer as requested.

    Yes, I did see the Essentials Experience Role has been deprecated from Server 2019, hence my choice to go with 2016 Essentials!

    I did find a post where someone managed to extract the 2016 Essentials Role and install into 2019, however it sounds like a whole lot of hassle so can't really be bothered... :)

    Wednesday, July 3, 2019 1:55 PM