Solved

SBS Sharepoint access from external client site

Posted on 2006-06-27
Last Modified: 2009-12-16

We have a Windows SBS 2003 SP1 server that we need to access remotely. The key resource apart from email is a Sharepoint site (set up in the default companyweb site) which we access via Remote Web Workplace (https://sbs1.domainname.com/remote). All appropriate ports (80, 443, 444, 4125) are open on our firewall. No fancy stuff (ISA Server, VPNs etc) installed.

Everything works fine on a normal home internet connection, but when users try and access from a particular client’s site (ie behind their firewall etc), Sharepoint isn’t accessible.
 
Users can login and get as far as the RWW main page, access “Read my company e-mail”  etc, but when they try to access the SharePoint site from “Use my company's internal Web site” – they just get “this page contains secure and non secure items” then “Page cannot be displayed”. It should be challenging them to authenticate. I assume the client’s firewall is blocking a port that’s needed (would that be port 444?).
 
Getting the client to change their firewall settings is a non-starter (and there are bound to be other sites that we visit with the same issues), so how can I get them access to Sharepoint?

One thing I should say – they tend to use the client company’s computers when on-site, so we can’t install any software, e.g. VPN.
Question by:texan_gerbil
 
LVL 4

Expert Comment

by:gbirkemeier
ID: 17005472
I think you are pretty stuck.
I have these same issues with my clients.
For RWW to work ports 444 and 4125 must be open outbound.
4125 is the critical port that has to be open; it is used for authentication on the network after the RWW homepage is reached.
Sorry.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17006010
This sounds as though you have put things on your Companyweb homepage that may not be registered correctly as secure webparts.  Do you have any images/logos/photos that you've put on the homepage that were not uploaded to SharePoint and stored in a document library?

A few notes on gbirkemeier's comments above...  just FYI:
There should be no reason to change a client's firewall... the whole point of RWW is that you can access everything through outbound port 443 of the remote site.  You do not have to open 444 and 4125 outbound because the requests originate from the remote site.
4125 is not the authentication for the network after RWW homepage is reached, it's used for Remote Desktop functionality within RWW, and only needs to be open on the SBS side.

Jeff
TechSoEasy

0
 
LVL 4

Expert Comment

by:gbirkemeier
ID: 17006108
TechSoEasy is correct, I misspoke on when the authentication happens and why, thank you for the correction.
As for if it needs to be open for outbound connections I am not mistaken.  I tend to work in highly secured networks (hospitals to be exact), and in order for the Remote Desktop to operate properly we have had to open port 4125, 444, and 443.  If there is another way to accomplish Remote Desktop without needing these ports open please let me know.
Also, you need to have enough local permissions on the remote workstation to install ActiveX controls.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17006262
The ports you open are only for the initial TCP/IP dialogue... once the conversation is established between the two machines, the port assignment is moved to other ports automatically.  So, the remote location would certainly have to have port 443 enabled for outbound traffic, but not 444 or 4125.

If you want to see this in action try http://www.visualroute.com/index_pe.html

Jeff
TechSoEasy
0
 
LVL 4

Expert Comment

by:gbirkemeier
ID: 17006426
Wow, good info TechSoEasy.
Thanks, I always seem to learn something new here, even when I don't expect to.
0
 

Author Comment

by:texan_gerbil
ID: 17007572
>This sounds as though you have put things on your Companyweb homepage that may not be registered correctly as secure webparts.  
>Do you have any images/logos/photos that you've put on the homepage that were not uploaded to SharePoint and stored in a document library?

Thanks TechSoEasy, as it happens, no. Our site is still quite new so we haven't done anything fancier than tweaking the layout (announcements, calendar, tasks, links). No external files as part of the page at all.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17007627
You say they use the client's computers when on-site?  So, are they using IE or another browser?  If IE, under Tools > Internet Options > Security, add the URL to the list of Trusted Sites and see if that will fix the issue.  The client "MAY" have some other kind of firewall or content filter in place that could be blocking this so you'd have to check with their IT people.

Since this works elsewhere, I would only just try to access the Sharepoint site in one other way... directly.  This can be accomplished by going to https://sbs1.domainname.com:444

Jeff
TechSoEasy
0
 

Author Comment

by:texan_gerbil
ID: 17007731
Thanks. No-one's on the site today, but I'll pass this info around and see if it helps. I think they've already tried direct access to Sharepoint but I'll get them to try it again.

One question to aid my understanding of firewalls. Am I right in thinking that it's possible on enterprise-grade firewalls to control ports separately both inbound and outbound? I notice above you're carefully saying the ports don't need to be opened "outbound". But they do need to be accepted inbound to receive responses from sbs1? So if the client's firewall is locked down inbound as well as outbound then it's still not going to work?

So what I think you're saying is that the remote client connects to sbs1 on 443, logs in, then if they select Sharepoint, sbs1 will respond on 444 which the client has to be able to receive inbound to authenticate, then communication switches to 443? Or have I got that totally wrong? Is there a resource that documents the call and response for this process?
0

 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17009919
No, that's not really what I'm saying...

Check out this article which may describe it a bit better:  http://pubs.logicalexpressions.com/pub0009/LPMArticle.asp?ID=360

If that doesn't do it, then check this one out:  http://www.windowsecurity.com/whitepaper/Internet_Firewall_Essentials.html

Jeff
TechSoEasy
0
 

Author Comment

by:texan_gerbil
ID: 17029427
None of those suggestions work. User says:
when I click on Use my company’s internal web site, it starts to load, then asks if I want to display the nonsecure items. Whether I click yes or no, I then get:

1         Action canceled  
Internet Explorer was unable to link to the Web page you requested. The page might be temporarily unavailable.
 
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17029490
You've added the URL to the trusted sites of IE?

Have you tried connecting directly to port 444?  (ie, https://sbs1.domainname.com:444)?

Jeff
TechSoEasy
0
 

Author Comment

by:texan_gerbil
ID: 17029505
yes and yes
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17029533
I'm wondering if somehow the client site doesn't like a self-signed SSL certificate?  Can you try installing the certificate and seeing if that fixes it?

To install, just go to https://sbs1.domainname.com/remote. If the certificate is not trusted, a warning appears. Click View Certificate, click Install Certificate, and then follow the instructions, keeping all default options until you are done with the wizard.

Jeff
TechSoEasy
0
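An added diagnostic example, not part of the thread and not written by any participant: it probes the three ports discussed above from whatever network it is run on and reports whether each one is filtered, closed, or open, and for the HTTPS ports whether the server certificate validates. The function names, the labels, and the choice to probe 4125 as plain TCP are assumptions of this example; `sbs1.domainname.com` is the placeholder hostname from the question.

```python
import socket
import ssl

# Ports named in the thread. The labels and the tls flags are this example's
# assumptions: 443/444 are HTTPS URLs on the page, 4125 is probed as plain TCP.
SBS_PORTS = {443: ("RWW", True), 444: ("companyweb", True),
             4125: ("RWW Remote Desktop", False)}

def probe(host, port, timeout=3.0, tls=True):
    """Classify one outbound connection attempt from this machine."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "filtered"        # no answer at all: packets dropped on the path
    except ConnectionRefusedError:
        return "closed"          # RST received: path is open, nothing listening
    except OSError:
        return "unreachable"     # DNS failure, no route, etc.
    with sock:
        if not tls:
            return "open"
        ctx = ssl.create_default_context()   # verifies chain and hostname
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "open, certificate trusted"
        except ssl.SSLCertVerificationError:
            return "open, certificate untrusted"   # e.g. a self-signed cert
        except (ssl.SSLError, OSError):
            return "open, TLS failed"    # reset or stalled after TCP connect

def survey(host, timeout=3.0):
    """Probe every port in SBS_PORTS and return {port: result}."""
    return {port: probe(host, port, timeout, tls)
            for port, (_label, tls) in SBS_PORTS.items()}

if __name__ == "__main__":
    # sbs1.domainname.com is the placeholder hostname used in the thread.
    for port, result in survey("sbs1.domainname.com").items():
        print(f"{port:>5} {SBS_PORTS[port][0]:<20} {result}")
```

Comparing the output from a home connection with the output from the client site shows which port, if any, the site's egress rules drop.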
 

Author Comment

by:texan_gerbil
ID: 17057231
Installing the certificate made no difference.
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 250 total points
ID: 17071567
Why don't you try the solution I provided here as a workaround:  http:Q_21912700.html#17067064

Be sure to read the steps towards the bottom of the question.

Jeff
TechSoEasy
0
 

Author Comment

by:texan_gerbil
ID: 17194284
Sorry, Jeff, I've been on holiday. I'll try this in the next couple of days and get back to you.
0

Question has a verified solution.