EBS 2008 domain users can't RWW to other domains

Sorry, I think you misunderstood what I was trying to say (I'm french, trying my best to write something understandable haha)

I am in the EBS 2008 network and I'm trying to use the RWW of another domain under SBS 2003 which is working perfectly from any other computer than mine behind EBS 2008.

So Basically,
Me = EBS 2008 domain user
trying to connect to client = SBS 2003 domain computer
Using their RWW of SBS 2003 = Not able to connect to computer (even logged in as Administrator)
And this happend to all my clients! They all have SBS 2003 and I can't use their RWW to connect to remote computer but I can use RDP (MSTSC) to connect to their DC.

Before we merge to EBS 2008 we were on SBS 2003 and everything was fine so I'm pretty sure it has something to do with TMG or the new TS Gateway of 2008.

Thanks for the reply anyway!

@TechSoEasy:
Just tried the fixmyrww.com, Re-registered DLL, put in Thrusted Site, Install Certificate and it's still a no go... The ActiveX is installed since I can see the computer in the list and try to connect to them.

A couple of things
1.      Getting rdp to work eternally into ebs is a real pain.  Still have not found the magic sauce.  So work-in progress (not simple ).


2.     Getting rdp to work going eternal from ebs 2008 domain and outward is a function of changing the rules on TMG.  Keep in mind that they are two sets of rules that you need to change.  Going to the sec server (local host) and Sec server (local host)  to  external.  The default only allows mgmt, sec and msg servers.


3.     Typically what we do for admin in more on controlled network, is use rww to attach to a remote server in the ebs domain from the https://..../remote using rww.  Ocne you have attached to the remote server, then you rdp to where every you want to go.


4.     Change your RDP allow rule in the TMG
 
Matt k.

Hi mkatzer,
I guess by "eternal" you mean "external" right? As for testing the couple things you said:
1: RDP from Internet to my EBS2008 works fine I managed to configure this without problem. You need to publish, in TMG, the computers you want to be able to RDP to.

2: RDP from EBS2008 to Internet works fine too as I can RDP to my client's server by using MSTSC

3: What do you mean by attaching? I can actually browse the RWW of my clients but cannot connect to their computer from there...

4: I tried many change/add/remove of RDP rules but it seems I didn't find the right way to do it. Can you give my some hint about what rule to modify or create?

Thanks for the comment!

I really need to resolve this problem

Does anyone have some hint or path to look for? It's really bugging me having to log onto my client server to log into their computer. I really need to do this via RWW

Thank you

Sounds like the problem may be the RWW configuration on the SBS domain, not the EBS domain.  I haven't worked with SBS much so I'm not sure how the configuration should be.  Are you logging in with an SBS domain account?  Does RWW on SBS allow you to configure which IP's or Hostnames allowed to connect?  You indicated that other computers in the EBS domain can connect through RWW to the SBS domain but your computer cannot.  This implies the problem is your computer or the SBS domain or RWW config is blocking your computer.

I would check the SBS RWW configuration more closely.  

Hey DNadon57,

Thanks for the reply. I doesn't think it's the SBS configuration since it's working perfectly from everywhere outside my EBS domain. Maybe I didn't specified it but ALL the computers behind my EBS domain CAN'T use RWW of all my clients. I do use administrator account to log onto RWW and it's still not functionning.

I'm pretty sure it's down to 3 things:
-TMG (ISA)
-Terminal Service Gateway
-NPS Server

Now I just need to know what to configure and where!

GIP,

Here's a copy of all the rules I have configured in TMG.  I've never attempted to connect to an SBS domain from EBS.  One method I use to test my RWW gateway is to connect to the external interface of the security server from the internal network by using the external address of the gateway.  In other words connect to https://remote.mydomain.com/remote from a computer within "mydomain.local".  This forces the TMG rules to get processed for the connection even though you are inside the network.

RWW works fine on my network and I've also got RDP working from external to internal as well as internal to external hosts.   I even have a second firewall between my EBS security server and the internet and still no problems.  One thing to check is the Windows Advanced Firewall configuration in Administrative tools on the security server.  I recall having problems with RDP in the initial setup and I believe it was because of the servers Windows firewall configuration, not TMG.  

Anyways, here's the RWW / RDP configuration in my TMG setup.

Name:      Remote Web Workplace Robots.txt Publishing Rule
Action:    Allow
Protocols: HTTP, HTTPS
From:      Anywhere
To:        EBSserver2 (Messaging Server)
Users:     All Users
Listener:  External Web Listener
Bridging:  Web Server (Redirect to SSL port enabled only)


Name:      Remote Web Workplace Publishing Rule
Action:    Allow
Protocols: HTTP, HTTPS
From:      Anywhere
To:        EBSserver2 (Messaging Server)
Users:     All Users
Listener:  External Web Listener
Bridging:  Web Server (Redirect to SSL port enabled only)


Name:      Allow RDP from internal addresses to the external NIC on EBSserver3 (Gateway server)
Action:    Allow
Protocols: RDP
From:      Internal
To:        LocalHost
Users:     All Users


Name:      Allow RDP on the Internal network to all hosts
Action:    Allow
Protocols: RDP
From:      Internal
To:        Internal
Users:     All Users


Name:      Allow RDP (Terminal Services) from Messaging Server
Action:    Allow
Protocols: RDP
From:      EBSserver2 (messaging server)
To:        LocalHost
Users:     All Users

DNadon57,

Thank you for your reply! As I said my RWW here works fine. I can https://remote.mydomain.com/remote from Internal AND External and it's fine. I can use OWA and Sharepoint with no problems.I can RDP to all my servers and my computers from both internal and external by using MSTSC and configuring Publishing in TMG. The ONLY problem I have is when I'm accessing the RWW of my clients. It won't allow me to connect to a computer. I can get to the point that I see all the computers but it won't let me connect. I still can use their OWA and Sharepoint.

As for the rules you gave me. I have very similar configuration. I'll give a try to this one:

Name:      Allow RDP (Terminal Services) from Messaging Server
Action:    Allow
Protocols: RDP
From:      EBSserver2 (messaging server)
To:        LocalHost
Users:     All Users

But will change "To: LocalHost" for "To: External"
Maybe my TS Gateway is trying to communicate with my client TS Gateway and I need to create a rule for this... Anyway I'll let you know about this.

BTW, when I say My Clients I mean My Customers that I sold and setuped a SBS Server myself.

RDP uses port 3389, while RWW uses a combination of 80, 443 and 4125.  Have you checked your firewall rules on your domain?

By firewall rules on my domain you mean creating a GPO for these ports? If so I'll do this right now and gives you a feedback soon! Thanks for the hint

There is an issue that you may run into with EBS.  when you have an external firewall, and you NAT from the firewall to an EBS domain (security server),  you may run into a situation where you lose the security "token' or context once you login into teh TMG server, and that token is passed to the mangement or messaging server.  

I simply call this the "double authentication problem" for single login.  If you access your ebs network remotely, to rww,  and login everything appears fine.  If you then try to access owa, SharePoint or the desktop,  and are asked to login in again you have this problem.  It is a known issue in EBS 2008 that they are trying to resolve for single login.

There are two ways I know of to work around this..
1.  use  vpn to access the internal network and go from there
2.  remove the external firewall

Not sure if you have this problem, but you should check. MS PSS has some work arounds for some cases, but so far this issue has not been resolved (unless you remove the external firewall)
 
Matt k.

GIP, one other thing to consider is that while normally RWW uses 443, for authentication, it can use a range between 443-445, in case the port is in use by another process, such as Sharepoint.  Additionally, your clients should have the same range opened up in their firewalls as well.

Oh, and not just the GPO, but also your firewall device (unless you're using Windows as your firewall... which most people don't do anymore).

juanfermin,

Thanks for all the tips you give me and please continue!
As for the ports to open, I have a router between my Internet and TMG, and I have Symantec Endpoint as an antivirus/firewall but Endpoint wasn't a problem before when I was on SBS 2003. And same thing for the router, just tried pluging a computer right into the router (so not on the EBS domain and not behind TMG) and the RWW works perfectly to my client. So it's really the security on my Domain that keeps me for using their RWW.

Ports 80, 443, 4125, 3389 are all forwarded to the Server of my clients.

@Mkatzer:
It seems like I'm having this problem too. But we don't use OWA or Sharepoint at my job only RWW for Remote Desktop. I'll give this problem some time another day when bigger problems will be fixed.

Ok, I opened port 443, 4125 and 3389 almost everywhere and it's still a no go...

But there is one thing I found. I sold a SBS 2008 to one of my client and I just tried to log in his server via his RWW and IT'S WORKING!!! So I can use RWW of SBS 2008 but I CAN'T for SBS 2003... Maybe this could help us a bit. The only difference between SBS2k3 and SBS2k8 for the RWW is that 2k8 use TSGateway and port 80 to connect via RWW... Well... I think...

And I wanted to know if there is some log I could search to see where is the problem... I didn't find anything specific. Could you guys please point me on a good log to check?

Thank you

You are right, Windows SBS 2008 uses TS Gateway to redirect traffic from port 443 to a selected desktop or server for RDP connections. You do not need 3389 opened on SBS 2008.

I'm pretty sure the problem has nothing to do with your EBS network, at least nothing to do with the firewall or TMG.  If you are able to establish a session with the SBS 2003 server and run OWA, then there's no reason EBS would block your RDP connection.  The outbound RDP works as you stated, you can RDP to the SBS 2003 server, and from there to the clients.  Once the session has been established with RWW on SBS 2003, TMG should not block returned packets from SBS.  

I feel you're problem is more likely in the SBS network.  What OS are the client computers running?  There may be some issues with the version of the RDP client you use and the RDP server on the client machines.  Have you tried using Sysinternals TCP connection viewer to see which ports are opened between you and the client?  It may give you some clues.  There are a number of hits with regarding issues with RDP and the RDP ActiveX control in IE.  This may be your issue as well.  Also, as previously stated, make sure port 4125 is not blocked on the SBS 2003 site's firewall.  You indicated that you opened everything on TMG and still no connection so it's not blocking in TMG.

This site provides some good hints.  http://www.sbslinks.com/fixmyrww.htm

A network packet trace from your PC, the SBS server and the remote client might give you clues as well.  Look to see what protocols and ports are used and who fails to respond to the RDP request.  This is a good way of determing if the firewall is indeed blocking ports.  

Try pinging with large packets (1500+ bytes) to see if MTU size is a problem.  I've read posts that indicate large packets can be a problem which RDP probably uses.  If you traverse a router with DF set, the packets will fail to go anywhere.  

One other possibility is the SNP feature that was enabled in SP2 on Server 2003.  It caused a lot of networking problems including failing RDP sessions if the server had TCP/IP offload feature enabled on the NIC.  I've run into a few sites with problems due to TCP/IP offload not working properly.

BTW, Forefront TMG logs are stored here "C:\Program Files (x86)\Microsoft ISA Server\ISALogs" on the EBS security server.

Just to double check... Sharepoint is not running on this server?  Sharepoint is usually set to use 443, and so you might have to set RWW to use 444 instead.
When I'm setting up a SBS, I usually open up 443-445, to cover different possibilities between Sharepoint, RWW and OWA.  Some people think that 445 is a NetBios security risk, but that's only if the accompanying TCP ports 135-139 are open as well.

Hey! Thanks for your answer.

I don't think the problem is at the SBS network. As I said. if I plug a computer right into MY router (so not on the EBS network and not joined to the domain) I can access perfectly the RWW of the SBS2003 and connect to a computer. Employee of the compagny that has the SBS2003 actually use the RWW to work remotly from home and they don't have any issues. They have been running like this for 2 years now. And I sold many SBS2003 since 2 years and none of my clients are experiencing issue using their RWW, just me now when behind EBS2008.

As I said before I was able to use their RWW when I was on SBS2003 but now I switched to EBS2008 and it's no more working. I can only use the RWW of my client that has SBS2008.

Sharepoint is installed on the SBS2003 but not used. I don't remember changing the port of RWW for 444, should be 443 by default.

I have like 6 PCs at my place that are joined to the EBS2008 and all of them can't use the RWW of SBS2003 with the same problem.

I saw somewhere on experts-exchange a question of someone who had a similar problem to me. And the solution was to add a "Allow all domains" rule in TS Gateway or NPS but I don't remember what I was searching for and I can't see a place to put that rule in.

Thanks for the log path, I'll give this a try.

Well, just tried to read log of TMG and they are all in SQL Server format... And I can't even open them because they are "in use"...

Now I just wanted to check my TMG and I get an 0x80090005 error "Invalid Data"... I don't have time to check for this atm I must go on another client. I'll be back this afternoon

Ok some news.

As my last reply said I messed up my TMG server badly... It doesn't want to save my setting nor modify... When I start the console it says Error 0x80090005 Bad Data which mean bad encryption key or whatever... Tried many many thing to none available so started uninstalling TMG for a reinstall and it failed during the uninstall and now I'm stuck with a non-functionning TMG server and I can't reinstall only TMG so gonna have to completly reinstall the OS + TMG... ho well that's gonna be fun!

Anyway, now since my TMG server is out of order I "replaced" it by a Router so my EBS Server + Computer can still go on Internet. So right now without the TMG server filtering everything, I CAN access RWW of all my clients that use SBS2003. So if it's not the TMG that was the problem then I don't know what it could be !!

I will post a reply as soon as I got my TMG up and working again.

Thank!

So, I just re-installed the whole OS of the security server and reconfigured TMG from scratch and the problem reappeared. I can't logging to the SBS2003 RWW of my clients.

This mean the real problem is with the TMG server! Because without it I was able to log into their RWW without any troubles.

Now I must find how to make it work but it seems like no one ever tried to log into a sbs2003 rww from behind EBS2008 domain so I'm pretty left to myself and your hints! Just retried another search on google and the first link was this question hahaha

Anyone have some idea of what kind of rule I could try? Or what else on the EBS Security Server could keep me from logging into the rww of my clients??

Thank you!

Try this ... start an elevated commnad prompt and run the command "net stop fweng /y".  This will shutdown TMG and then you can test anc confirm whether it's TMG or something else in the Security server.  Remember to start it up after with "net start fweng".

See what that does and let us know.

Hey DNadon57,

Just did as you said but after doing Net Stop FWENG /y I completly lost Internet in my Domain. So did Net Start fweng and didn't get Internet back. Had to do:
Net start Fweng
Net start isactrl
Net start isasched
Net start fwsrv

and then my Internet went back on. But as I said, if I shut down the TMG server and unplug his network cables and plug them in a router with the same IP as the TMG server I can access RWW of SBS2003 from my EBS domain... So it basically means that the problem is within the Security server maybe not TMG but anything inside the Security server.

I made another test.

I logged onto the SBS2008 of another client and tried from his SBS2008 server to use the SBS2003 RWW of my other clients and it WORKS! So the diference between SBS2008 and EBS2008 is that EBS2008 has TMG and SBS doesn't. So another test that lead to TMG as the culprit or else it's because I already configured something in the SBS2008 to allow the use of RWW of other domains... I still think it's only a rule I need to create in my TMG but I tried so many diferent things that didn't work... Maybe you can help with this?

By the way, once you determine the port that's being blocked, that will tell you what rule needs to be configured.  I agree that TMG sounds like the culprit, though.

YOU ARE MY HERO!!!!!

It was the port 4125 that didn't pass throught TMG!! I should have known! But been a long time since I setuped and configured a SBS2003 so totally forgot about this one... Anyway TCPVIEW was the way to go to discover the blocked port. Only had to run it on my PC and not on the TMG server, then saw it was trying to connect via port 4125 but was rejected. So created a simple rule in TMG (add to create a new Protocol for port 4125) that allow traffic from Internal to External via Port 4125 and Voila! its working as it should!

I didn't know of this tool but you can be sure it has been added to my USB key!

Thanks a million again!