Windows Server 2012 R2 Direct Access grabs port 6602 needed by Server Essentials Connector

If Googling brought you here, I hope the title says it all for you. I recently deployed a Server 2012 R2 machine with the Windows Server Essentials role enabled. The Anywhere Access / Remote Web Workplace component was very interesting, but just would not work for me. The Connector would install OK on the client PC, but it was always greyed out and would show “Cannot Connect to [Server]”. Netstat -ano would show SYN_SENT for port 6602 on the client PC, but the server would never respond.

C:\Users\PCUser>netstat -ano|findstr :6602
TCP 10.1.1.229:64811 10.1.1.17:6602 SYN_SENT 2904
TCP 10.1.1.229:64812 10.1.1.17:6602 SYN_SENT 2904

Server Essentials (and by extension the Server Essentials Role) uses port 6602 to communicate with client PCs. By default, Direct Access grabs ports 6000-47000. You see the problem here, right? Port 6602 is right in the middle there, being grabbed by Direct Access, so Server Essentials can’t talk to client PCs.

What you want to do is make sure that Direct Access gives you your one measly port and it can keep the other ~41,000. Run the command below from an elevated PowerShell prompt, replacing the x.x.x.x with your server’s IP. The extra pinhole for 8192 is to make sure that the PC backup service can talk to the server too. I cared less about that, but I guess it can’t hurt to help it out.

Set-NetNatTransitionConfiguration -IPv4AddressPortPool @("x.x.x.x,6001-6601","x.x.x.x, 6603-8191","x.x.x.x,8193-47000")

After running that, I ran netstat -ano|findstr :6602 again and saw this:

C:\Users\PCU>netstat -ano|findstr :6602
TCP 10.1.1.229:59166 10.1.1.17:6602 ESTABLISHED 1636
TCP 10.1.1.229:65002 10.1.1.17:6602 ESTABLISHED 2904
TCP 10.1.1.229:65003 10.1.1.17:6602 ESTABLISHED 2904
TCP 10.1.1.229:65004 10.1.1.17:6602 ESTABLISHED 4228

You shouldn’t even need to reboot anything. That Connector icon should go from grey to green pretty quickly. Special thanks to Small Business Susan’s blog post about opening this port in Direct Access.
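If you need to keep more than these two ports out of the Direct Access pool, the ranges can be generated instead of typed by hand. This is an added example, not part of the original post: the function name Get-PortPoolWithExclusions is hypothetical, the 6001-47000 bounds are taken from the command above, and 10.1.1.17 is the server address from the netstat output.

```powershell
# Hypothetical helper (not from the original post): split the Direct Access
# port pool around the ports that other services on the server must keep.
function Get-PortPoolWithExclusions {
    param(
        [Parameter(Mandatory)] [string] $ServerIp,
        [int]   $First = 6001,               # lower bound used in the command above
        [int]   $Last  = 47000,              # upper bound used in the command above
        [int[]] $ExcludePort = @(6602, 8192) # Essentials Connector and PC backup
    )
    if ($First -gt $Last) { throw "First ($First) must not exceed Last ($Last)" }

    $pool  = @()
    $start = $First
    foreach ($p in ($ExcludePort | Sort-Object -Unique)) {
        # A port outside the pool needs no pinhole.
        if ($p -lt $First -or $p -gt $Last) { continue }
        # Emit the range below the excluded port, unless the port sits at the
        # very start of the remaining range (adjacent exclusions, lower edge).
        if ($p -gt $start) { $pool += "$ServerIp,$start-$($p - 1)" }
        $start = $p + 1
    }
    # Whatever is left above the last excluded port.
    if ($start -le $Last) { $pool += "$ServerIp,$start-$Last" }
    return ,$pool
}

$pool = Get-PortPoolWithExclusions -ServerIp '10.1.1.17'
$pool   # review the generated ranges before applying them

# Apply from an elevated prompt once the list looks right:
# Set-NetNatTransitionConfiguration -IPv4AddressPortPool $pool
```

Only the ports a service actually needs belong in the exclusion list; everything else stays in the pool, as in the original command.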