Configure Small Business Server 2003 Remote Web Connection Use

Want to enable small biz server 2003 so that users can access any remote desktop, including the server, from the internet.

Questions:
What ports do I have to have open?  Already have ports 25, 80 and 443 open.
How secure will this be?
Without spending additional dollars, would there be a better way to do this?

Thanks
Eric
wileavere Asked:
jss1199 Commented:
Hi wileavere,

1.  Ports - For SBS Remote web Connection specifically, you need RTCP port 4125 open
2.  Security - As secure as other Microsoft products.
3.  Without spending more money - no.  You have purchased SBS, so take advantage of the functionality.

Cheers!
omegamueller Commented:
Port is 3389
jss1199 Commented:
Port 3389 is for terminal server RDP whilst 4125 is used by SBS for Remote Web Workplace.  For this poster's question, only 4125 should be opened.
wileavere (Author) Commented:
Would it be more secure to use a VPN client on the users side and configure the SBS server to accept VPN connections?
jss1199 Commented:
No doubt that VPN is more secure.  You lose a bit of 'easy', but secure the box.  
wileavere (Author) Commented:
Jss1199,
I am actually trying to configure it so that we can have access to client's servers and workstations.  We have 3 sbs servers installed and would very much like to use what's included with sbs.

Any additional thoughts?
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
wileavere...

You do NOT want users accessing the server's desktop from ANYWHERE.  This is definitely a security risk.  As an administrator, you can access the server desktop for administrative purposes.  All other remote access should be via Remote Web Workplace.  It is quite secure.  (see http://sbsurl.com/security for more info)

You will also need to open port 444, by the way if you want access to companyweb remotely and 1723 for VPN access.  VPN access should be limited to those users with laptops.  Otherwise RWW is more secure and easier to use.

I'm curious about you having 3 sbs servers installed... I'm hoping that they are all in different sites.

Jeff
TechSoEasy
wileavere (Author) Commented:
Jeff,

Users will not be accessing anything remotely, just myself and my boss to support issues that arise.  We would like to have access to the server and to all the workstations.  The 3 SBS servers are at 3 different locations.

From what you are saying, the RWW is the easiest to use with still being secure.

Will I be able to access the server and all of the workstations?
I have port 1725 open on the router and pointing to the SBS server's internal IP address.  What changes do I need to make with regards to DNS records and so forth?  I already have an A record that points to my public IP address.  I use this for webaccess email.  I want to also use this as my RWW access, is that possible?

Thanks for any suggestions!

Eric
wileavere (Author) Commented:
Jeff,

If you could also post a link on how to configure RWW properly.

Thanks
Eric
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
If all you want to do is access the server and workstations for administrative purposes, then you should do that through Remote Desktop (port 3389) to the server and then using the server management console you can remote from the server to the workstation.  I have actually set up a pretty nifty Remote Desktop Management Console that does this for all the networks that I manage (see http://techsoeasy.com/m.jpg for a screenshot -- you'll see that there are three nested sets of connections there).

There is no "proper" configuration of RWW.  It's configured automatically during the installation of your server.  And if you have an A record that points to your public IP address then you can use that FQDN for whatever you want!  (Even use it in the Remote Desktop client instead of the IP address).  It'll work for https://server.domain.com/remote, http://server.domain.com/exchange and even https://server.domain.com:444 for SharePoint access if you have port 444 open.

Here is the best overview of all of these settings:  http://www.microsoft.com/technet/prodtechnol/sbs/2003/plan/gsg/appx_c.mspx

Jeff
TechSoEasy

Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
P. S. What is port 1725 open for?  VPN would be 1723, and RWW would be 4125, but there's no service for 1725.

You would NEVER need to make any manual changes to DNS records on an SBS (in most cases).  All configuration should be done with the wizards.

Jeff
TechSoEasy
wileavere (Author) Commented:
So you personally don't have an issue leaving port 3389 open?

I meant 1723 and 4125, mis-typed.

Ok, so I will open port 3389 for remote desktop to the server and then use server management to access the workstations.  I have strong passwords enabled on the network.  Is this the best I can do to keep things secure?
wileavere (Author) Commented:
Jeff,

I am having trouble.  I have opened the proper ports, but I am not able to connect to the server.  I have tried the FQDN (mail.domain.com) and also the IP address.

I get a Remote Desktop Disconnected window.  "The client could not connect to the Remote Computer.  Remote connections may not be enabled (they are).  Computer is too busy (I don't think it is).  Also possible network problems are causing the issue."  Not sure about this.  I am trying to connect from within the same network using the FQDN.  I am able to resolve the FQDN to the IP address using ping.

Any suggestions?

Thanks
Eric
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
After making ANY networking change, you need to rerun the Configure Email and Internet Connection Wizard (CEICW) -- listed as Connect to the Internet in the Server Management Console.

When running this wizard you need to enable the firewall and select the appropriate services to be allowed through the server.  If your router is UPnP, make sure that's enabled before running the wizard and it will configure it correctly as well.

After running the CEICW, run the Remote Access Wizard.

Jeff
TechSoEasy
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Eric,

You may want to review the contents of this paper:  http://sbsurl.com/itpro which describes how all these cool features work on SBS.

Jeff
TechSoEasy
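
The port-to-service mapping given in the answers above can be checked against what the router actually publishes. The following is an added example, not part of the original thread or any poster's own code: it compares the TCP ports that answer on your own server with the set you intended to open, flagging both stray forwards (such as the mistyped 1725) and intended ports that do not respond. The host name `server.example.com` and the function names are assumptions.

```python
import socket

# Port-to-service map as stated in the thread's answers.
SBS_PORTS = {
    25: "SMTP",
    80: "HTTP",
    443: "HTTPS (/remote)",
    444: "companyweb (SharePoint)",
    1723: "VPN",
    3389: "Remote Desktop (RDP)",
    4125: "Remote Web Workplace",
}

def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(host, intended, extra_ports=(), probe=tcp_open):
    """Compare reachable ports with the set meant to be published.

    Returns (unexpected, missing): ports that answer but were not meant
    to be open, and ports meant to be open that do not answer.
    """
    intended = set(intended)
    candidates = set(SBS_PORTS) | intended | set(extra_ports)
    reachable = {p for p in candidates if probe(host, p)}
    return sorted(reachable - intended), sorted(intended - reachable)

def report(host, intended, extra_ports=(), probe=tcp_open):
    """Return one human-readable line per mismatch found by audit()."""
    unexpected, missing = audit(host, intended, extra_ports, probe)
    name = lambda p: SBS_PORTS.get(p, "no service named in the thread")
    lines = [f"UNEXPECTED open {p} ({name(p)})" for p in unexpected]
    lines += [f"MISSING closed {p} ({name(p)})" for p in missing]
    return lines

if __name__ == "__main__":
    # Hypothetical host; run from outside the LAN against your own server.
    # Intended set: the asker's existing 25/80/443 plus 4125 for RWW.
    wanted = {25, 80, 443, 4125}
    for line in report("server.example.com", wanted, extra_ports={1725}):
        print(line)
```

Run it from outside the network so the result reflects the router's forwarding rules rather than the server's local listeners.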