Trunk cannot be activated due to the following: Invalid Internal IP address. Please choose a different IP.

  • Question

  • Hi:

    We have applications published in the HTTPS trunk. We have confirmed that the applications published via the HTTPS trunk are all working. When we set up HTTP -> HTTPS redirection for the trunk, we get an error on activation that says:

    Error: Trunk 'xxxxx' cannot be activated due to the following: Invalid Internal IP address.  Please choose a different IP.

     

    Once I delete the http -> https redirection I'm able to successfully activate.

     

     Our configuration for this setup.

    * 1 HTTPS  trunk configured with 2 servers in an array configuration.  

    * We are not using integrated NLB.

     

    I'm kinda stumped on where to start troubleshooting.   Could you help figure this out?

     

    Thanks in advance for your help.

     

    Friday, August 6, 2010 4:30 PM

Answers

  • Fine print at the bottom of this article: http://technet.microsoft.com/en-us/library/dd861443.aspx

    "If you create a redirect trunk based on an HTTPS trunk configured in an array that does not have Forefront UAG integrated load balancing enabled (and the trunk has IP addresses assigned and activated for each array member), after creating the trunk, you must manually assign an IP address for the redirect trunk on each array member."


    Shijaz Abdulla | http://www.microsoftnow.com
    • Proposed as answer by Shijaz Abdulla Sunday, August 8, 2010 1:32 PM
    • Edited by Shijaz Abdulla Sunday, August 8, 2010 1:35 PM outdated signature
    • Unproposed as answer by superNaraen Monday, August 9, 2010 1:43 AM
    • Marked as answer by superNaraen Wednesday, August 11, 2010 5:11 AM
    Sunday, August 8, 2010 1:32 PM

All replies

  • Shijaz:  Thank you for the response. 

    It partially fixed the problem. I had to set it to the internal IP address, activate, change to the external IP address, and activate again to make the problem go away.

    Now I'm able to activate successfully.

    However, when we try to browse to http://hostFQDN, instead of being redirected to https://hostFQDN, we get a 403.14 indicating that directory listing is denied on the web server. The URL of this error page is still http://hostFQDN. Using an HTTP sniffer on the client, I'm seeing that no HTTP redirect is being issued by the UAG (IIS?).

    I'm guessing these are related problems.   Could you help?

    Thx.

    -Naraen

     

    Monday, August 9, 2010 1:52 AM
  • Do you have any other software on the UAG box that is listening on port 80?

    To find out, type this on command prompt:

    netstat -ano |findstr ":80"

    and see the Process ID


    Shijaz Abdulla | Microsoft Qatar http://www.microsoftnow.com
    Monday, August 9, 2010 11:26 AM
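
An added example, not part of the original reply: `findstr ":80"` also matches `:8080`, `:8081` and remote endpoints on port 80, so this PowerShell sketch filters `netstat -ano` output to TCP sockets listening on exactly the requested local port and resolves each PID to a process name. The function name `Get-PortListener` and the sample lines are constructed for illustration.

```powershell
function Get-PortListener {
    param(
        [int]$Port = 80,
        # Lines of `netstat -ano` output; defaults to running netstat locally.
        [string[]]$NetstatLines = (netstat -ano)
    )
    foreach ($line in $NetstatLines) {
        # Expected columns: Proto  LocalAddress  ForeignAddress  State  PID
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ne 5 -or $f[0] -ne 'TCP' -or $f[3] -ne 'LISTENING') { continue }

        # The port is the text after the last colon (covers 0.0.0.0:80 and [::]:80).
        $localPort = [int]$f[1].Substring($f[1].LastIndexOf(':') + 1)
        if ($localPort -ne $Port) { continue }

        $owner = [int]$f[4]
        $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
        $name  = '(unknown)'
        if ($proc) { $name = $proc.ProcessName }

        New-Object PSObject -Property @{
            LocalAddress = $f[1]
            OwningPid    = $owner
            Process      = $name
        }
    }
}

# Constructed sample input (not captured from a real server).
$sample = @(
    '  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4',
    '  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1532',
    '  TCP    192.0.2.10:49321       198.51.100.7:80        ESTABLISHED     2210',
    '  TCP    [::]:80                [::]:0                 LISTENING       4'
)

# Only the two port-80 listeners are returned; :8080 and the outbound
# connection to a remote port 80 are ignored.
Get-PortListener -Port 80 -NetstatLines $sample

# Against the live machine:
# Get-PortListener -Port 80
```

On a server running IIS, port 80 is normally bound by HTTP.sys and shows up under PID 4 (System); `netsh http show servicestate` lists the URLs registered with HTTP.sys and the processes that own them.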
  • Restart your IIS server; that will fix the directory listing error.
    Monday, August 9, 2010 11:45 AM
  • Shijaz:  There wasn't anything else listening on that port.  Other thoughts?
    Wednesday, August 11, 2010 5:08 AM
  • Ashish: Thank you for the suggestion. That didn't really fix the issue. I tried a restart of all the members in the array, to no avail.

    Other thoughts?

    You have got me thinking about IIS specific settings.   I'm hoping to compare the IIS settings between this server and a different setup we have where this works.

    Wednesday, August 11, 2010 5:11 AM
  • The same issue here. I'm new with UAG, but I do have some experience with TMG, and I believe that I know what is going on:

    1. HTTPS Trunk creates listeners on WAN IP, but for some reason it creates both HTTP (on port 80), and HTTPS (on port 443) listeners. 
    2. Newly created HTTP redirect trunk tries to create its own listeners on the same WAN IP, and again on both HTTP (80) and HTTPS (443) ports, and of course it won't succeed since ports are occupied.

    The message "...Please choose different IP." is misleading. There's no sense in changing the IP, since we are talking about HTTP-HTTPS redirection. Even if we have two public IPs, we can't define DNS so that http://portal.domain.com points to IP1 and https://portal.domain.com points to IP2. The thing which should be changed is the PORT! The million dollar question is why, for God's sake, the HTTPS trunk listens on port 80, and why the HTTP trunk listens on port 443???

    So what will you get if you change the IP address of the HTTP Trunk to Internal? Your configuration may activate, but UAG will listen for HTTP requests from the internal network - in other words, the Trunk will be useless.

    I've tried to trick UAG by setting HTTP port of HTTPS Trunk to 8081, and I planned to set HTTPS port of HTTP Trunk to 4443, but no luck. After changing HTTP port of HTTPS Trunk to 8081 I was unable even to create HTTP redirect trunk.

    For Microsoft staff: Guys, great product! Really great! It really does great magic in securely exposing everything needed in such a simple and elegant way. But how can you make such a simple thing as HTTP-HTTPS redirection so problematic?

    Thanks!

    Fat Dragon



    Thursday, December 12, 2013 4:22 AM
  • Hi Fat Dragon,

    I'm sorry but your assumptions are not correct.

    You are correct that when creating an HTTPS trunk, UAG creates two "listeners" (in TMG jargon), one for port 443 and one for port 80 (assuming your trunk uses the default ports). However, you are not correct in believing that when configuring a redirect trunk UAG attempts to create additional "listeners".

    What actually happens is that UAG creates virtual sites in the underlying IIS, one for each of its trunks, and each of those virtual sites has its own UAG ISAPI filter handling the traffic that reaches it. However, for redirect trunks, UAG does not create a new virtual site in IIS; instead, it simply uses the already created site for the HTTPS trunk to which it needs to redirect. And, as you mentioned, that site is already configured to listen on port 80.

    HTH,


    -Ran


    • Edited by Ran [MSFT] Thursday, December 12, 2013 9:32 AM
    Thursday, December 12, 2013 9:32 AM
  • Thanks for answering!

    I'm aware that the mechanism is different from TMG listeners (I've checked in the TMG console already). But I believe that the actual mechanism is not so important. According to the error message, the problem lies in the fact that the newly created HTTP redirect trunk can't be created due to IP/port occupation (no matter if it wants to use listeners or a new IIS app). I believe that you agree that the message "...Please choose different IP." is nonsense for HTTP to HTTPS redirection, right? So no matter the actual mechanism used - setting HTTP to HTTP redirection shouldn't be so tricky, right?

    Btw. the problem has taken me a few days already. In the first attempt I had the same problem with the message "...Invalid external IP address..." After some attempts I decided to reinstall everything, and in the new setup I have the same problem, but now the message says "...Invalid internal IP address..."

    Thanks again!


    Fat Dragon

    Thursday, December 12, 2013 2:15 PM