Hi All, my name is Bill and I work in the Windows Server - File Services group. One of my main responsibilities is to enhance the Server Manager user interface. We have just delivered Work Folders as part of the Windows Server 2012 R2 release. I have been following the forum and there have been several questions about Work Folders and port conflicts with other IIS Websites. For this reason I posted this blog for guidance.
Covered in this Article:
Using any web application with Work Folders may create port conflicts between the web application and Work Folders. Work Folders uses by default ports HTTPS=443 and HTTP=80. Most web applications use the same well known ports. In the specific case of Windows Server Essentials and Work Folders, both features use the same default ports. The first feature to initialize the ports will exclusively own them. This creates a port conflict for one of the features, depending on startup and how the features where configured.
Work Folders is available in Windows Server 2012 R2 Essentials as part of the File and Storage Services role. Work Folders uses the IIS Hostable Web Core feature and all management is performed via the Work Folders canvas in Server Manager as well as via Windows PowerShell cmdlets. Windows Server Essentials is managed via its dashboard and the IIS Management UX. Both products assume exclusive access of the SSL port (443) and HTTP port (80). This is the default configuration for both products.
The administrator has the ability to change both feature configurations when both products are enabled. Changing the port conflicts allows for both products to be installed on Windows Server 2012 R2 Essentials. If the administrator does not want to change the default ports, they have the option of enabling either Windows Server Essentials feature or Work Folders. This is at their discretion based on business need.
If the administrator would like to change the ports on either feature, they need to open the firewall on the server for the specific ports they defined for the feature. This can be accomplished by navigating to Control Panel and modifying the Windows Firewall configuration. Further work is necessary in collaboration with a network administrator to configure the routers as well. This document will not cover network configuration.
In the event where both features are enabled on the same server with default port configuration the behavior may be subtle and only one feature will work. In the case of Windows Server 2012 R2 Essentials, Windows Server Essentials is enabled out of the box. This means the ports will have been configured and ownership will be IIS. When you enable Work Folders, the installation will succeed and Server Manager may not be able to manage the Work Folders feature on the Windows Server Essentials server. If the administrator navigates to the SERVICES primary tile they will see the following:
The Sync Share Service will not start if both ports defined in its configuration are being used by another process. This will be a clear indication the default ports are not available to Work Folders. If on the off chance one of the ports is available the Sync Share Service will become operational. There will be no indication there is an error.
Please note if port 443 is used by another process, although Work Folders Service will start and be operational, any SSL traffic will not be directed to Work Folders. SSL=443 is the default secure port used by Work Folders. The administrator would have to look at the port definition in the file c:\windows\system32\SyncShareSvc.config and compare the configuration of websites defined in the IIS UX. Once they check the port information in IIS they can assess the conflict.
In the case both ports are not available the following error can be found in the system event log.
Using Event Viewer (eventvwr.msc) navigate to the Windows Logs, System Channel. The error should be from the Service Control Manager. The error returned will be in the system channel in the form: “The Sync Share Service terminated with the following service-specific error: Cannot create a file when a file already exists” This is the generic message when both ports are not available.
Get-WebBinding is a handy command for showing IIS website port bindings on your server. In this particular case we want to see all the IIS website bindings active on your server.
> get-WebBinding ß command on left will give you the following output:
Example 1 - both ports in use by IIS website:
The Work Folders SyncShareSvc will not start because both default ports are being used by IIS.
Example 2 – one port used by IIS website – SSL PORT:
As mentioned in the previous section, if Work Folders has access to one port the service SyncShareSvc will come up. Work Folders uses port 443 as the default. In example 2 Work Folders service would start and look operational. The output of Get-WebBinding would show the administrator Work Folders would not function as defined in the default configuration.
If neither port is in use by another web application, the list above would be empty.
On the Server Manager Service Primary Tile locate the SERVICES tile. Locate the SyncShareSvc. Verify it is stopped. If it is not stopped, select the SyncShareSvc and stop it.
Navigate to the directory on the server where work folders feature is enabled.
Edit the file with your favorite editor (file name = SyncShareSvc.config)
Locate the section below and make the changes to your port designation
example you want to change SSL Port from 443 to 12345. Change the port number and close the file. Because the sync service does not run under the system designation it does not have the privileges to access different ports other than the default. It runs under LOCAL SERVICE. Because of this designation the administrator has to run another command. In an elevated command window type the following command:
Netsh http add urlacl url=https://*:12345/ user="NT Authority\LOCAL SERVICE"
Navigate to SERVICES tile in Server Manager and start the service SyncShareSvc.
Since the Work Folders configuration on the client defaults to either HTTPS=443 or HTTP=80 there is additional configuration to override the default ports. The administrator will need to change the URL for connecting to the Windows Server hosting the clients sync share. Normally all that would be necessary is the URL of the server. Since the port has changed there is an additional parameter in the URL which is – colon port number “:#”. This number matches the configuration in the configuration file on the server SyncShareSvc.config. See example of the PC client configuration below:
NOTE: When the administrator changes the default ports for Work Folders they cannot use the auto discovery process. They can communicate the new URL using Group Policy or a standard email communication with the URL and new port definition.
IIS References for Configuration Changes
For Windows Server Essentials port configuration see the Windows Server Essentials documentation using the IIS management UX.
The administrator has another option for running both Windows Server Essentials and Work Folders on the same server. There are posts on-line which already recommend an in-place license upgrade from Windows Server Essentials to Windows Server Standard. This has a twofold improvement. It allows for greater usage of Windows Server Essentials and has a license for two Hyper-V machines. The administrator would then disable Windows Server Essentials in the main host and user the two Hyper-V machines one for each feature. Windows Server Essentials in one VM and Work Folders in the other. They can both use their default configurations and work concurrently on the single host.
You can upgrade in place from Windows Server 2012 R2 Essentials to Windows Server Standard. --- Windows Server Standard is the only in-place upgrade. You cannot use the command below to upgrade to Windows Server Storage, Windows Server Datacenter etc. The command for upgrading from Windows Server 2012 R2 Essentials to Windows Server 2012 R2 Standard is:
dism /online /set-edition:ServerStandard /accepteula /productkey:<Product Key>
There are several ways to configure Work Folders in an environment which already has established web applications. You have the ability to change the ports of either application. In the case of an IIS application you can use the existing IIS UX. In the case of WorkFolders you can follow this guide. The administrator also has the ability to run Work Folders in a separate VM which has the benefit of leaving their current configuration as is and installed Work Folders with default settings.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.