texan_gerbil


SBS Sharepoint access from external client site


We have a Windows SBS 2003 SP1 server that we need to access remotely. The key resource apart from email is a Sharepoint site (set up in the default companyweb site) which we access via Remote Web Workplace (https://sbs1.domainname.com/remote). All appropriate ports (80, 443, 444, 4125) are open on our firewall. No fancy stuff (ISA Server, VPNs etc) installed.

Everything works fine on a normal home internet connection, but when users try and access from a particular client’s site (ie behind their firewall etc), Sharepoint isn’t accessible.
 
Users can log in and get as far as the RWW main page, access “Read my company e-mail” etc, but when they try to access the SharePoint site from “Use my company's internal Web site” – they just get “this page contains secure and non secure items” then “Page cannot be displayed”. It should be challenging them to authenticate. I assume the client’s firewall is blocking a port that’s needed (would that be port 444?).
 
Getting the client to change their firewall settings is a non-starter (and there are bound to be other sites that we visit with the same issues), so how can I get them access to Sharepoint?

One thing I should say – they tend to use the client company’s computers when on-site, so we can’t install any software, e.g. VPN.
gbirkemeier

I think you are pretty stuck.
I have these same issues with my clients.
For RWW to work ports 444 and 4125 must be open outbound.
4125 is the critical port that has to be open; it is used for authentication on the network after the RWW homepage is reached.
Sorry.
Jeffrey Kane - TechSoEasy
This sounds as though you have put things on your Companyweb homepage that may not be registered correctly as secure webparts.  Do you have any images/logos/photos that you've put on the homepage that were not uploaded to SharePoint and stored in a document library?

A few notes on gbirkemeier's comments above...  just FYI:
There should be no reason to change a client's firewall... the whole point of RWW is that you can access everything through outbound port 443 of the remote site.  You do not have to open 444 and 4125 outbound because the requests originate from the remote site.
4125 is not the authentication for the network after RWW homepage is reached, it's used for Remote Desktop functionality within RWW, and only needs to be open on the SBS side.

Jeff
TechSoEasy

TechSOEasy is correct, I misspoke on when the authentication happens and why, thank you for the correction.
As for if it needs to be open for outbound connections I am not mistaken.  I tend to work in highly secured networks (hospitals to be exact), and in order for the Remote Desktop to operate properly we have had to open port 4125, 444, and 443.  If there is another way to accomplish Remote Desktop without needing these ports open please let me know.
Also, you need to have enough local permissions on the remote workstation to install ActiveX controls.
The ports you open are only for the initial TCP/IP dialogue... once the conversation is established between the two machines, the port assignment is moved to other ports automatically.  So, the remote location would certainly have to have port 443 enabled for outbound traffic, but not 444 or 4125.

If you want to see this in action try http://www.visualroute.com/index_pe.html

Jeff
TechSoEasy
Wow, good info TechSoEasy.
Thanks, I always seem to learn something new here, even when I don't expect to.
texan_gerbil

ASKER

>This sounds as though you have put things on your Companyweb homepage that may not be registered correctly as secure webparts.  
>Do you have any images/logos/photos that you've put on the homepage that were not uploaded to SharePoint and stored in a document library?

Thanks TechSoEasy, as it happens, no. Our site is still quite new so we haven't done anything fancier than tweaking the layout (announcements, calendar, tasks, links). No external files as part of the page at all.
You say they use the client's computers when on-site?  So, are they using IE or another browser?  If IE, under Tools > Internet Options > Security, add the URL to the list of Trusted Sites and see if that will fix the issue.  The client "MAY" have some other kind of firewall or content filter in place that could be blocking this so you'd have to check with their IT people.

Since this works elsewhere, I would only just try to access the Sharepoint site in one other way... directly.  This can be accomplished by going to https://sbs1.domainname.com:444

Jeff
TechSoEasy
Thanks. No-one's on the site today, but I'll pass this info around and see if it helps. I think they've already tried direct access to Sharepoint but I'll get them to try it again.

One question to aid my understanding of firewalls. Am I right in thinking that it's possible on enterprise-grade firewalls to control ports separately both inbound and outbound? I notice above you're carefully saying the ports don't need to be opened "outbound". But they do need to be accepted inbound to receive responses from sbs1? So if the client's firewall is locked down inbound as well as outbound then it's still not going to work?

So what I think you're saying is that the remote client connects to sbs1 on 443, logs in, then if they select Sharepoint, sbs1 will respond on 444 which the client has to be able to receive inbound to authenticate, then communication switches to 443? Or have I got that totally wrong? Is there a resource that documents the call and response for this process?
No, that's not really what I'm saying...

Check out this article which may describe it a bit better:  http://pubs.logicalexpressions.com/pub0009/LPMArticle.asp?ID=360

if that doesn't do it, then check this one out:  http://www.windowsecurity.com/whitepaper/Internet_Firewall_Essentials.html

Jeff
TechSoEasy
None of those suggestions work. User says:
when I click on Use my company’s internal web site, it starts to load, then asks if I want to display the nonsecure items. Whether I click yes or no, I then get:

Action canceled
Internet Explorer was unable to link to the Web page you requested. The page might be temporarily unavailable.
 
You've added the URL to the trusted sites of IE?

Have you tried connecting directly to port 444?  (ie, https://sbs1.domainname.com:444)?

Jeff
TechSoEasy
yes and yes
I'm wondering if somehow the client site doesn't like a self-signed SSL certificate?  Can you try installing the certificate and seeing if that fixes it?

To install, just go to https://sbs1.domainname.com/remote; if the certificate is not trusted, a warning appears. Click View Certificate, click Install Certificate, and then follow the instructions, keeping all default options until you are done with the wizard.

Jeff
TechSoEasy
Installing the certificate made no difference.
ASKER CERTIFIED SOLUTION
Jeffrey Kane - TechSoEasy
This solution is only available to members.
Sorry, Jeff, I've been on holiday. I'll try this in the next couple of days and get back to you.