Cannot connect to XDataServer from Internet

I have a simple project created with TMS Xdata VCL Server wizard.

It works on the desktop just calling the uri/$model

I cannot figure out how to get it to work from the Internet.


Win10 machine in DMZ of firewall at IP
TMSHTTPConfig set up reservation at HTTP://+:2021/abc/ in that Win10 machine

XdataServer has BaseURL of http://+:2021/abc/
DefaultEntitySetPermissions (list, get, insert, modify, delete all true)
Added middleware cors and set Origin to * (and tried with it blank)

(the database is SQLIte, generated entities from table)

Ran server on Win10 machine, tested with local browser
(http://localhost:2021/abc/ shows expected results)

Set port-forwarding rule in firewall (I have a static external IP):
port 2021 forwarded to

Cannot connect via browser on the "red" side of the firewall to the DMZ/XdataServer.

Stopped xdataserver, deleted url reservation.

Installed TightVNC, changed port forwarding to
port 2021 forwarded to

TightVNC works, therefore port forwarding works.

Restored url reservation (this time granting "everyone" permissions.
Restored port forwarding rule.

Tried different CORS set (blank vs *) - still cannot connect.

I just cannot reach the xdataServer by browsing to http://:2021/abc/

Error message in browser is ERR_CONNECTION_TIMED_OUT

When I had TightVNC configured, I did a port scan - port 2021 responded.

When I have XDataServer configured (with url reservation), the port scan indicates nothing responds on port 2021.

There's something about the url reservation I'm not quite "getting" - it doesn't seem to have bound the port the way I thought it would.

Not sure what to try next...


Got it. It was, of course, the Win10 firewall

Here's a summary for anyone else struggling with this...

My environment:
win10 box with NIC set to static IP

external IP is static IP <a.b.c.d>

firewall port forwarding set to
port 2021 forward to port 2021

TMSHTTPConfig set up reservation at HTTP://+:2021/abc/

The XDataServer BaseURL is http://+2021/abc/

In windows firewall, set up a new PORT rule allowing TCP traffic from specific port 2021 (I also set rules for Scope - only allow from particular remote ip addresses)


1 Like

And Yet Another Thing I Didn't Know...

I'm accessing this web service through a sub-domain on one of my sites.

The domain and sub-domain use shared-ssl and force https access (which is nice - all done by isp).

My local web service does not use SSL (I wanted to get it working first).

I just uploaded the project to the site and tried it out:

Mixed Content: The page at '' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint '$model'. This request has been blocked; the content must be served over HTTPS.


I followed the instructions from:

And that failed. @wlandgraf

Or rather, "the exact version used " in the direct link in the blog post failed - the process gets partially through, then halts with a notice that "this version is outdated/deprecated".

Using the latest version works just fine.

(Just FYI: this win10 box I'm using does not have IIS installed - nor any other web server.

All I had to do to get the LetsEncrypt script to work was to create a port-forwarding rule sending port 80 traffic to the win10 box's ip address - this is temporary, I've disabled that rule after LetsEncrypt did its validation)

Go to and download the appropriate release.

I used (I've no idea what "pluggable vs trimmed" means, but "trimmed" was the smaller download ).

Extract the files from the download into a folder (as from blog post above), then (from a command terminal with admin permissions) run

wacs --test

The instructions in the blog post/video are still valid (or at least any differences are easily understood) - except that there's no longer a need to change the "CertificateStore" value.

I confirmed a test certificate was installed, then ran


It turns out that WACS runs a powerscript that adds the renewals to the task scheduler - so some of the blog post and video instructions are now redundant. Be sure to go delete the test ("acme-staging") task...

I had to use TMSHTTPConfig to remove the http://+2021/abc/ reservation.

Then add the certificate (again, as per blog post above).

Don't forget to set the port when you do this:
That default of "443" clearly is NOT going to work for a reservation for port 2021!

I then changed my web service's BaseURL to https://+:2021/abc/ and then of course added the reservation for https://+:2021/abc/ with TMSHTTPConfig.

I then disabled the port port forwarding rule for port 80 in the firewall (not needed anymore).

The last bit was to open my web app project, change the XDataWebConnection URL to: and upload the project to the public web server.

Summary of project:

  • I have a static IP on my home internet connection
  • I have a domain hosted by an ISP
  • I added a sub-domain
  • I changed the A records for that sub domain to point to the static IP of my home internet
  • I have a win10 workstation set to a static IP in the DMZ range of my firewall appliance (it's on a separate NIC too)
  • There's a firewall appliance port-forwarding rule sending all traffic on port 2021 to the win10 workstation static IP
  • there's a win10 firewall port rule allowing all traffic on port 2021
  • I temporarily forwarded port 80 to the static IP so the LetsEncrypt scripts could validate the box (close 80 right after)
  • I added the LetsEncrypt certificate to the 2021 port with TMSHTTPConfig
  • I added the http://+2021/abc/ reservation with TMSHTTPConfig
  • my VCL web service app has XDataServer.BaseURL of https://+:2021/abc/
  • my web core web application has XDataWebConnection.URL of:
  • the web app was uploaded to a publicly-visible server:

When a user goes to the "check in " site, a form pops up, they hit "submit" and the responses are gathered into a record to be posted (via XDataWebConnection/XDataWebDataset) to the database hosted in the DMZ at my home.

All over HTTPS.

Getting the website/internet details right was tedious and frustrating - but getting the web app and web services program working was way easier than I expected...

Anyway - HTH anyone else going down this rabbit hole...


1 Like

Thanks for the information Ed.
Yes, the instructions in the blog post actually work well with latest version of Win-Acme.
Note that you don't need to add the certificate manually using TMSHttpConfig tool, because the generated Let's Encrypt certificate is automatically bound via the batch script.

I had to use TMSHttpConfig to bind it to port 2021 rather than the usual 443...

1 Like