SBS Sharepoint access from external client site


We have a Windows SBS 2003 SP1 server that we need to access remotely. The key resource apart from email is a Sharepoint site (set up in the default companyweb site) which we access via Remote Web Workplace (https://sbs1.domainname.com/remote). All appropriate ports (80, 443, 444, 4125) are open on our firewall. No fancy stuff (ISA Server, VPNs etc) installed.

Everything works fine on a normal home internet connection, but when users try and access from a particular client’s site (ie behind their firewall etc), Sharepoint isn’t accessible.
 
Users can login and get as far as the RWW main page, access “Read my company e-mail”  etc, but when they try to access the SharePoint site from “Use my company's internal Web site” – they just get “this page contains secure and non secure items” then “Page cannot be displayed”. It should be challenging them to authenticate. I assume the client’s firewall is blocking a port that’s needed (would that be port 444?).
 
Getting the client to change their firewall settings is a non-starter (and there are bound to be other sites that we visit with the same issues), so how can I get them access to Sharepoint?

One thing I should say – they tend to use the client company’s computers when on-site, so we can’t install any software, e.g. VPN.
texan_gerbil Asked:
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Why don't you try the solution I provided here as a workaround:  http:Q_21912700.html#17067064

Be sure to read the steps towards the bottom of the question.

Jeff
TechSoEasy
0
 
gbirkemeier Commented:
I think you are pretty stuck.
I have these same issues with my clients.
For RWW to work ports 444 and 4125 must be open outbound.
4125 is the critical port that has to be open; it is used for authentication on the network after the RWW homepage is reached.
Sorry.
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
This sounds as though you have put things on your Companyweb homepage that may not be registered correctly as secure webparts.  Do you have any images/logos/photos that you've put on the homepage that were not uploaded to SharePoint and stored in a document library?

a few notes on gbirkemeier's comments above...  just fyi:
There should be no reason to change a client's firewall... the whole point of RWW is that you can access everything through outbound port 443 of the remote site.  You do not have to open 444 and 4125 outbound because the requests originate from the remote site.
4125 is not the authentication for the network after RWW homepage is reached, it's used for Remote Desktop functionality within RWW, and only needs to be open on the SBS side.

Jeff
TechSoEasy

0

 
gbirkemeier Commented:
TechSOEasy is correct, I misspoke on when the authentication happens and why, thank you for the correction.
As for if it needs to be open for outbound connections I am not mistaken.  I tend to work in highly secured networks (hospitals to be exact), and in order for the Remote Desktop to operate properly we have had to open port 4125, 444, and 443.  If there is another way to accomplish Remote Desktop without needing these ports open please let me know.
Also, you need to have enough local permissions on the remote workstation to install ActiveX controls.
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
The ports you open are only for the initial TCP/IP dialogue... once the conversation is established between the two machines, the port assignment is moved to other ports automatically.  So, the remote location would certainly have to have port 443 enabled for outbound traffic, but not 444 or 4125.

If you want to see this in action try http://www.visualroute.com/index_pe.html

Jeff
TechSoEasy
0
 
gbirkemeier Commented:
Wow, good info TechSoEasy.
Thanks, I always seem to learn something new here, even when I don't expect to.
0
 
texan_gerbil (Author) Commented:
>This sounds as though you have put things on your Companyweb homepage that may not be registered correctly as secure webparts.  
>Do you have any images/logos/photos that you've put on the homepage that were not uploaded to SharePoint and stored in a document library?

Thanks TechSoEasy, as it happens, no. Our site is still quite new so we haven't done anything fancier than tweaking the layout (announcements, calendar, tasks, links). No external files as part of the page at all.
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
You say they use the client's computers when on-site?  So, are they using IE or another browser?  If IE, under Tools > Internet Options > Security, add the URL to the list of Trusted Sites and see if that will fix the issue.  The client "MAY" have some other kind of firewall or content filter in place that could be blocking this so you'd have to check with their IT people.

Since this works elsewhere, I would only just try to access the Sharepoint site in one other way... directly.  This can be accomplished by going to https://sbs1.domainname.com:444

Jeff
TechSoEasy
0
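To see from the client site which of the ports discussed in this thread are reachable outbound, a probe like the following can be run in PowerShell on the on-site machine. This is an added example, not part of the original posts: `Test-RwwPort` is a hypothetical helper name, the host name is the placeholder from the question, and the port descriptions are taken from the comments above.

```powershell
# Added example: classify outbound reachability of the ports named in this thread.
function Test-RwwPort {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [int]    $Port,
        [int] $TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            # Neither an accept nor a reset came back: the packet was dropped
            # somewhere on the path, which is how most firewalls block a port.
            return 'filtered (timed out)'
        }
        $client.EndConnect($pending)   # throws if the connect attempt failed
        return 'open'
    }
    catch {
        $inner = $_.Exception.GetBaseException()
        if ($inner -is [System.Net.Sockets.SocketException]) {
            if ($inner.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
                # A reset was received: the path is clear but nothing is listening.
                return 'closed (refused)'
            }
            return "error ($($inner.SocketErrorCode))"
        }
        return "error ($($inner.Message))"
    }
    finally {
        $client.Close()
    }
}

$server  = 'sbs1.domainname.com'   # placeholder host from the question
$targets = @(
    @{ Port = 443;  Use = 'RWW logon page (/remote)' },
    @{ Port = 444;  Use = 'SharePoint site, direct access' },
    @{ Port = 4125; Use = 'Remote Desktop within RWW' }
)

foreach ($t in $targets) {
    [pscustomobject]@{
        Port   = $t.Port
        Use    = $t.Use
        Result = Test-RwwPort -HostName $server -Port $t.Port
    }
}
```

Run it once from a connection where everything works and once from the client site, then compare the two tables. A port that is `open` from home but `filtered (timed out)` on-site is being dropped on the client's side of the path, not by the SBS server.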
 
texan_gerbil (Author) Commented:
Thanks. No-one's on the site today, but I'll pass this info around and see if it helps. I think they've already tried direct access to Sharepoint but I'll get them to try it again.

One question to aid my understanding of firewalls. Am I right in thinking that it's possible on enterprise-grade firewalls to control ports separately both inbound and outbound? I notice above you're carefully saying the ports don't need to be opened "outbound". But they do need to be accepted inbound to receive responses from sbs1? So if the client's firewall is locked down inbound as well as outbound then it's still not going to work?

So what I think you're saying is that the remote client connects to sbs1 on 443, logs in, then if they select Sharepoint, sbs1 will respond on 444 which the client has to be able to receive inbound to authenticate, then communication switches to 443? Or have I got that totally wrong? Is there a resource that documents the call and response for this process?
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
No, that's not really what I'm saying...

Check out this article which may describe it a bit better:  http://pubs.logicalexpressions.com/pub0009/LPMArticle.asp?ID=360

if that doesn't do it, then check this one out:  http://www.windowsecurity.com/whitepaper/Internet_Firewall_Essentials.html

Jeff
TechSoEasy
0
 
texan_gerbil (Author) Commented:
None of those suggestions work. User says:
when I click on Use my company’s internal web site, it starts to load, then asks if I want to display the nonsecure items. Whether I click yes or no, I then get:

1         Action canceled  
Internet Explorer was unable to link to the Web page you requested. The page might be temporarily unavailable.
 
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
You've added the URL to the trusted sites of IE?

Have you tried connecting directly to port 444?  (ie, https://sbs1.domainname.com:444)?

Jeff
TechSoEasy
0
 
texan_gerbil (Author) Commented:
yes and yes
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
I'm wondering if somehow the client site doesn't like a self-signed SSL certificate?  Can you try installing the certificate and seeing if that fixes it?

To install, just go to https://sbs1.domainname.com/remote; if the certificate is not trusted, a warning appears. Click View Certificate, click Install Certificate, and then follow the instructions, keeping all default options until you are done with the wizard.

Jeff
TechSoEasy
0
 
texan_gerbil (Author) Commented:
installing the certificate made no difference.
0
 
texan_gerbil (Author) Commented:
Sorry, Jeff, I've been on holiday. I'll try this in the next couple of days and get back to you.
0
Question has a verified solution.
