If Googling brought you here, I hope the title says it all for you. I recently deployed a Server 2012 R2 machine with the Windows Server Essentials role enabled. The Anywhere Access / Remote Web Workplace component was very interesting, but just would not work for me. The Connector would install OK on the client PC, but it was always greyed out and would show “Cannot Connect to [Server]”. Netstat -ano would show SYN_SENT for port 6602 on the client PC, but the server would never respond.
C:\Users\PCUser>netstat -ano|findstr :6602
TCP 10.1.1.229:64811 10.1.1.17:6602 SYN_SENT 2904
TCP 10.1.1.229:64812 10.1.1.17:6602 SYN_SENT 2904
Server Essentials (and by extension the Server Essentials Role) uses port 6602 to communicate with client PCs. By default, Direct Access grabs ports 6000-47000. You see the problem here, right? Port 6602 is right in the middle there, being grabbed by Direct Access, so Server Essentials can’t talk to client PCs.
What you want to do is make sure that Direct Access gives you your one measly port and it can keep the other ~41,000. Run the below command from an elevated PowerShell prompt, replacing the x.x.x.x with your server’s IP. The extra pinhole for 8192 is to make sure that the PC backup service can talk to the server too. I cared less about that, but I guess it can’t hurt to help it out.
Set-NetNatTransitionConfiguration -IPv4AddressPortPool @("x.x.x.x,6001-6601","x.x.x.x,6603-8191","x.x.x.x,8193-47000")
After running that, I ran netstat -ano|findstr :6602 again and saw this:
C:\Users\PCU>netstat -ano|findstr :6602
TCP 10.1.1.229:59166 10.1.1.17:6602 ESTABLISHED 1636
TCP 10.1.1.229:65002 10.1.1.17:6602 ESTABLISHED 2904
TCP 10.1.1.229:65003 10.1.1.17:6602 ESTABLISHED 2904
TCP 10.1.1.229:65004 10.1.1.17:6602 ESTABLISHED 4228
You shouldn’t even need to reboot anything. That Connector icon should go from grey to green pretty quick. Special thanks to Small Business Susan’s blog post about opening this port in Direct Access.
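The same pool can be generated instead of typed by hand, which avoids off-by-one mistakes when more than one port has to stay free. This is an added example, not part of the original post: the function name Get-PortPoolWithHoles and its parameters are hypothetical, the 6001-47000 bounds are taken from the command above, and 10.1.1.17 is the server address from the netstat output.

```powershell
# Added example: build -IPv4AddressPortPool ranges that skip the ports
# other services on the server must keep (hypothetical helper function).
function Get-PortPoolWithHoles {
    param(
        [Parameter(Mandatory)][string]$ServerIP,
        [Parameter(Mandatory)][int[]]$ExcludePort,
        [int]$First = 6001,    # lower bound used in the post's command
        [int]$Last  = 47000    # upper bound used in the post's command
    )
    $ranges = @()
    $start  = $First
    foreach ($p in ($ExcludePort | Sort-Object -Unique)) {
        if ($p -lt $First -or $p -gt $Last) {
            Write-Warning "Port $p is outside $First-$Last; nothing to carve out."
            continue
        }
        # Emit the range that ends just below the excluded port, if any.
        if ($p -gt $start) {
            $ranges += '{0},{1}-{2}' -f $ServerIP, $start, ($p - 1)
        }
        $start = $p + 1
    }
    # Emit whatever is left above the last excluded port.
    if ($start -le $Last) {
        $ranges += '{0},{1}-{2}' -f $ServerIP, $start, $Last
    }
    return ,$ranges
}

# Ports to leave alone: 6602 (Connector) and the client backup port.
$pool = Get-PortPoolWithHoles -ServerIP '10.1.1.17' -ExcludePort 6602, 8192
$pool

# Check the current pool first, then apply from an elevated prompt:
# (Get-NetNatTransitionConfiguration).IPv4AddressPortPool
# Set-NetNatTransitionConfiguration -IPv4AddressPortPool $pool
```

Confirm the backup port on your own server before applying and pass that value to -ExcludePort.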
I know that this is an old post, but thanks for the info.
I did have to make a change to mine as EssentialsTester shows the Client Backups on port 8912, not 8192 as you have listed. I changed the PowerShell command to “Set-NetNatTransitionConfiguration -IPv4AddressPortPool @("x.x.x.x,6001-6601","x.x.x.x,6603-8911","x.x.x.x,8913-47000")”.
Again, thanks for the info. You got my server back up and running.
Jeez. Thank you so much to the pair of you. Was tearing my hair out wondering why those ports just wouldn’t work.
Now wondering how to disable/reset Direct Access completely. I only need VPN and I know how to do that via RRAS.
Why does it need so many ports and could it mess with other things? I’m finding some other services are acting strangely (like my TV only finding the media server on my HomeServer only occasionally). It would be good to rule Direct Access out of the equation.