Problems accessing RDWeb site for Microsoft Terminal Server

Solved
SimonReach
Building a reputation


We've got multiple sites connected across an SDWAN via Meraki MXs and Meraki switches.

We have our current Server 2016 RDWeb server hosted at our head office. It's been working perfectly for years without issue and is accessible via client VPN and from every other SDWAN site apart from our Data Centre; this has never been an issue before though.

We are configuring a new Server 2022 RDWeb Terminal Server in the Data Centre though. We can access the hostnameDC.domain.int/rdweb server without issue from other DC-based servers, and it redirects to http://hostnameDC.domain.int/rdweb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx

It will give us the login screen and we can login fine.

When we access http://hostnameDC.domain.int/rdweb from outside the Data Centre, it will redirect to the logon page but the logon page will never load and never time out.


We removed all Content Filtering from the DC, all the firewall rules, the ACL rules and still nothing.  The only thing different about the DC site is the 2x Cisco 9300X switches that all the servers are plugged into, this Cisco switch stack does not have any traffic filtering at all.


Any ideas please?

Just some additional information. The Server 2022 RDWeb server was exported from the DC to the head office; we can access the new RDWeb server when it's hosted at the head office from every other site, apart from the DC. This rules out a configuration issue with the new server.

7 Replies
Mloraditch
Head in the Cloud

Can you ping the server in question from the remote sites? Can you access other items on the same subnet from the remote sites? Have you verified DNS is returning the proper IP? Have you tested trying to access via IP address?

Those are all things I would want to know when troubleshooting. Depending on the answers I or others may be able to provide some other things to check.


If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
SimonReach
Building a reputation

From my computer at the head office -

I can ping the DCRDWeb server via ip address and hostname, confirming it's not a DNS issue.

I can RDP to the DCRDWeb server.

Accessing via ip address results in the same issue as accessing via hostname.

If I connect to the ClientVPN that's configured on the MX at the DC, that fails with the same issue.

Looking at the IIS logs on the DCRDWeb server, it logs me connecting and I'm getting a successful HELLO, according to the logs.


Mloraditch
Head in the Cloud

Based on all of that it sounds like general connectivity is there. What you've done by turning off firewalls/IPS/etc. would be the basic things I would say, from a network perspective, you can do without involving Meraki support.

You are getting into where you might need to compare a working and non working packet capture or enable additional client or server side debugs. Can you telnet to port 443 and 80 from the remote offices successfully?

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
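The checks asked for above (DNS, ICMP, TCP 80/443, and the HTTP redirect) scripted together, as an added example that is not part of the thread. It also splits the web test into "the 302 to login.aspx arrives" versus "the login page body completes", which is the exact point where the thread reports the hang. The hostname is the placeholder the thread uses; swap in your own.

```powershell
# Added example: connectivity triage for an RDWeb server from a remote site.
# $RdWebHost is the name used in the thread, not a real host.
Add-Type -AssemblyName System.Net.Http

function Get-RdWebStage {
    param([string]$Target, [int]$TimeoutSec = 15)
    $handler = New-Object System.Net.Http.HttpClientHandler
    $handler.AllowAutoRedirect = $false          # observe the 302 ourselves
    $client  = New-Object System.Net.Http.HttpClient($handler)
    $client.Timeout = [TimeSpan]::FromSeconds($TimeoutSec)
    try {
        # Stage 1: GET /RDWeb, which the thread shows answering with a redirect to login.aspx
        $r1  = $client.GetAsync("http://$Target/RDWeb").GetAwaiter().GetResult()
        $loc = $r1.Headers.Location
        if (-not $loc) { return "stage1: $([int]$r1.StatusCode) with no Location header" }
        if (-not $loc.IsAbsoluteUri) {
            $base = New-Object -TypeName System.Uri -ArgumentList "http://$Target/"
            $loc  = New-Object -TypeName System.Uri -ArgumentList $base, $loc
        }
        # Stage 2: fetch the login page and force the whole body to download.
        # A small 302 getting through while the larger page body never completes
        # points at the path between the sites, not at DNS or port filtering.
        $r2   = $client.GetAsync($loc).GetAwaiter().GetResult()
        $body = $r2.Content.ReadAsByteArrayAsync().GetAwaiter().GetResult()
        return "stage2: $([int]$r2.StatusCode), $($body.Length) bytes from $($loc.AbsolutePath)"
    } catch [System.Threading.Tasks.TaskCanceledException] {
        return "timed out after ${TimeoutSec}s (the hang described in the thread)"
    } catch {
        return "error: $($_.Exception.Message)"
    } finally { $client.Dispose() }
}

$RdWebHost = "hostnameDC.domain.int"             # placeholder from the thread
$a = Resolve-DnsName -Name $RdWebHost -Type A -ErrorAction SilentlyContinue |
     Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
if (-not $a) { Write-Warning "No A record for $RdWebHost"; return }
Write-Host "DNS: $RdWebHost -> $($a.IPAddress)"

foreach ($port in 80, 443) {                     # the ping / telnet checks
    $t = Test-NetConnection -ComputerName $a.IPAddress -Port $port -WarningAction SilentlyContinue
    Write-Host ("TCP {0}: {1}   ICMP: {2}" -f $port, $t.TcpTestSucceeded, $t.PingSucceeded)
}
foreach ($target in $RdWebHost, $a.IPAddress) {  # by name and by IP, as compared in the thread
    Write-Host "$target : $(Get-RdWebStage -Target $target)"
}
```

Run it once from a working site and once from the failing one; the stage at which the results diverge is the one to capture packets for.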
SimonReach
Building a reputation

Telnet hostnamedc 80 and 443, I get a blank screen. If I use a port that I know is blocked, I get a "could not open connect to the host, on port 1" error.


PhilipDAth
Kind of a big deal

Smells like an MTU squeeze.

 

On the server with the issue, find out the name of the Ethernet adaptor:
netsh interface ipv4 show subinterface

 

Then try temporarily changing the MTU with:

netsh interface ipv4 set subinterface "Ethernet" mtu=1300

Where Ethernet is the name of the adaptor displayed in step 1.

 

If it works, make the change permanent with:

netsh interface ipv4 set subinterface "Ethernet" mtu=1300 store=persistent
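Before lowering the MTU blind, it helps to measure the largest packet that actually crosses the SDWAN path. This added example (not from the thread) binary-searches the path MTU with Windows ping and the don't-fragment flag, and distinguishes a router that reports "needs to be fragmented" from a silent black hole; the target name is the thread's placeholder.

```powershell
# Added example: find the path MTU to the RDWeb server using DF-bit pings.
# Assumes English ping.exe output (the regexes match its messages).
function Find-PathMtu {
    param([string]$Target, [int]$Low = 500, [int]$High = 1472)
    # 1472 bytes of ICMP payload + 28 bytes of IP and ICMP headers = a 1500-byte packet.
    $bestPass = $null
    $blackHole = $false
    while ($Low -le $High) {
        $mid = [int](($Low + $High) / 2)
        $out = ping.exe -n 1 -w 2000 -f -l $mid $Target 2>&1 | Out-String
        if ($out -match 'needs to be fragmented') {
            $High = $mid - 1             # a hop on the path rejected the DF packet
        } elseif ($out -match 'TTL=') {
            $bestPass = $mid             # echo reply came back at this size
            $Low = $mid + 1
        } else {
            # No reply and no ICMP error: the packet was dropped silently.
            # This is the case that makes a TCP session stall instead of failing,
            # which matches "never loads and never times out" in the thread.
            $blackHole = $true
            $High = $mid - 1
        }
    }
    if ($null -eq $bestPass) { return $null }
    [pscustomobject]@{
        Target        = $Target
        PathMtu       = $bestPass + 28
        SilentDrops   = $blackHole
    }
}

$r = Find-PathMtu -Target "hostnameDC.domain.int"   # placeholder from the thread
if ($null -eq $r) { Write-Warning "no DF ping size succeeded; check ICMP is allowed" }
else {
    $r
    if ($r.PathMtu -lt 1500) {
        Write-Host "Path MTU is $($r.PathMtu); an interface MTU at or below that is worth trying."
    } else {
        Write-Host "Full 1500-byte packets pass; an MTU squeeze is unlikely here."
    }
}
```

If the result is 1500 with no silent drops, the MTU change in this reply will not help and the cause lies elsewhere, as the thread's final reply found.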

SimonReach
Building a reputation

No change I'm afraid, set it to be 1300 and nothing.

The very strange thing is, it now seems to "work" on MS Edge on my computer in the head office when I connect through the hostname, meaning I can log in but I can't run any of the apps, but if I try the IP address in Edge, or either the hostname or IP in Google Chrome, they still fail.


SimonReach
Building a reputation

Think we've managed to solve it, we need an RD Gateway for it and a certificate.

From what appears to be happening, the new Server 2022 RDS server is seeing every machine on the local LAN, meaning within the Data Centre, as being fine, but anything that is across the SDWAN, despite being on the same domain and part of the same network, is external, so a certificate and an RD Gateway are needed. Even VPN users connecting to the client VPN on the Data Centre MX are being seen as external.

Our Server 2016 server doesn't require any of this and picks up everything across the SDWAN as being internal.
