I am evaluating Untangle Server 4.2 for use in several of my client's SBS 2003 networks, primarily as a web filter. I have an Untangle server installed on my own network for testing. It is configured in a very simple router mode, with Redirects set for ports 80, 443, 444, 25, 21, 3389, 4125, and 1723 (the typical SBS services required for full remote access) to the SBS server's LAN interface. The external interface of the Untangle server is connected directly to my T1 router.

All is working well, including remote access into the test server via RDP (3389) and email flow (25). However, I get a page from the Untangle server that says "the requested resource (/exchange) is not available" if I try to open Outlook Web Access to the server when remote. This also occurs if I attempt to open the SBS server's Remote Web Workplace web page.

What am I missing about port forwarding on the Untangle server?


Thanks,

Andy

OK, I'm posting the solution that I found to my problem. Hopefully this will save others some time and aggravation.

It appears that the default install of Untangle leaves one box checked under Config - Remote Admin - Access - Restrictions. The box that was checked on my system was "Enable Outside Quarantine Access", and defaulted to port 443. It appears that if any "Outside Access" box is checked, it completely prevents any downstream forwarding of port 443 that is configured in the Redirect tab of the Router module. The Untangle server takes over any incoming port 443 traffic as its own, and does not forward it according to the Redirect rules.

Once this box was unchecked, all of my SBS IIS virtual web servers started responding to traffic.


Andy

andywi, good catch. You are correct, by default the Untangle uses the port 443 for the secure access, you can change the port to whatever you like.

OK, I am continuing to have more problems similar to what I posted about last week. I have found that several other applications that are typically used by SBS 2003 customers fail to work correctly with Untangle due to port 443 conflicts in the default configuration. I hope that someone here can help point out how to work around them.

Here's the main problem: several of my SBS customers use Windows Mobile smartphones that are configured for push email from the SBS Exchange server. Email flow to the smartphones works fine until they try to sync files, music, and such with a USB cable when they are in the office. The in-office USB syncs always fail. It appears that the Untangle server is grabbing port 443 traffic when they are inside the protected network, but not when they are outside. The documentation states something about Untangle always using port 443 for internal remote access. The Windows Mobile phones always use port 443 for server syncs, and this cannot be easily changed.

While there appears to be an option to change the Untangle port when configuring outside remote access, I cannot find a way to allow port 443 traffic through the (router configured) Untangle server into the server behind Untangle.

Note that this is also causing havoc with several Apple Mac's that run Entourage in the office as well - they also use port 443 to connect to the internal Exchange server.

Any ideas or recommendations?


Thanks,

Andy

hi andy,

did you try changing the untangle port to 444 or something other than 443?
port forwards for port 443 won't work unless you move the untangle server off port 443 (the administration takes precedence over the port forwards)

-Dirk

Hello Dirk,

I finally had a chance to change the "Outside HTTPS Port" to 446, and this appears to have solved the problem with internal apps that need to connect to the SBS 2003 server on 443 from inside the network.

I must say that the labeling of the Access section of the Untangle server could be improved somewhat, as the entire section called Outside Access is unchecked, but the Outside HTTPS Port still affects a number of internal web sites. It is not obvious to me that changing this setting would also change the Internal remote administration port, which is mentioned and listed right underneath the Outside Access section of the dialog.

Thanks for your help in tracking this down,

Andy

I must say that the labeling of the Access section of the Untangle server could be improved somewhat, as the entire section called Outside Access is unchecked, but the Outside HTTPS Port still affects a number of internal web sites. It is not obvious to me that changing this setting would also change the Internal remote administration port, which is mentioned and listed right underneath the Outside Access section of the dialog.


Agreed - this is actually a filed bug. It shouldn't matter what its set to if everything is turned off. This should be fixed when we reimplement how that stuff works in 5.1