Solved

SBS Sharepoint access from external client site

Posted on 2006-06-27
Last Modified: 2009-12-16

We have a Windows SBS 2003 SP1 server that we need to access remotely. The key resource apart from email is a Sharepoint site (set up in the default companyweb site) which we access via Remote Web Workplace (https://sbs1.domainname.com/remote). All appropriate ports (80, 443, 444, 4125) are open on our firewall. No fancy stuff (ISA Server, VPNs etc) installed.

Everything works fine on a normal home internet connection, but when users try and access from a particular client’s site (ie behind their firewall etc), Sharepoint isn’t accessible.
 
Users can login and get as far as the RWW main page, access “Read my company e-mail”  etc, but when they try to access the SharePoint site from “Use my company's internal Web site” – they just get “this page contains secure and non secure items” then “Page cannot be displayed”. It should be challenging them to authenticate. I assume the client’s firewall is blocking a port that’s needed (would that be port 444?).
 
Getting the client to change their firewall settings is a non-starter (and there are bound to be other sites that we visit with the same issues), so how can I get them access to Sharepoint?

One thing I should say – they tend to use the client company’s computers when on-site, so we can’t install any software, e.g. VPN.
Question by:texan_gerbil
18 Comments
 
LVL 4

Expert Comment

by:gbirkemeier
ID: 17005472
I think you are pretty stuck.
I have these same issues with my clients.
For RWW to work ports 444 and 4125 must be open outbound.
4125 is the critical port that has to be open; it is used for authentication on the network after the RWW homepage is reached.
Sorry.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17006010
This sounds as though you have put things on your Companyweb homepage that may not be registered correctly as secure webparts.  Do you have any images/logos/photos that you've put on the homepage that were not uploaded to SharePoint and stored in a document library?

A few notes on gbirkemeier's comments above...  just FYI:
There should be no reason to change a client's firewall... the whole point of RWW is that you can access everything through outbound port 443 of the remote site.  You do not have to open 444 and 4125 outbound because the requests originate from the remote site.
4125 is not the authentication for the network after RWW homepage is reached, it's used for Remote Desktop functionality within RWW, and only needs to be open on the SBS side.

Jeff
TechSoEasy

0
 
LVL 4

Expert Comment

by:gbirkemeier
ID: 17006108
TechSoEasy is correct, I misspoke on when the authentication happens and why, thank you for the correction.
As for if it needs to be open for outbound connections I am not mistaken.  I tend to work in highly secured networks (hospitals to be exact), and in order for the Remote Desktop to operate properly we have had to open port 4125, 444, and 443.  If there is another way to accomplish Remote Desktop without needing these ports open please let me know.
Also, you need to have enough local permissions on the remote workstation to install ActiveX controls.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17006262
The ports you open are only for the initial TCP/IP dialogue... once the conversation is established between the two machines, the port assignment is moved to other ports automatically.  So, the remote location would certainly have to have port 443 enabled for outbound traffic, but not 444 or 4125.

If you want to see this in action try http://www.visualroute.com/index_pe.html

Jeff
TechSoEasy
0
 
LVL 4

Expert Comment

by:gbirkemeier
ID: 17006426
Wow, good info TechSoEasy.
Thanks, I always seem to learn something new here, even when I don't expect to.
0
 

Author Comment

by:texan_gerbil
ID: 17007572
>This sounds as though you have put things on your Companyweb homepage that may not be registered correctly as secure webparts.  
>Do you have any images/logos/photos that you've put on the homepage that were not uploaded to SharePoint and stored in a document library?

Thanks TechSoEasy, as it happens, no. Our site is still quite new so we haven't done anything fancier than tweaking the layout (announcements, calendar, tasks, links). No external files as part of the page at all.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17007627
You say they use the client's computers when on-site?  So, are they using IE or another browser?  If IE, under Tools > Internet Options > Security, add the URL to the list of Trusted Sites and see if that will fix the issue.  The client "MAY" have some other kind of firewall or content filter in place that could be blocking this so you'd have to check with their IT people.

Since this works elsewhere, I would only just try to access the Sharepoint site in one other way... directly.  This can be accomplished by going to https://sbs1.domainname.com:444

Jeff
TechSoEasy
0
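A way to see which of the ports named in this thread complete a TCP handshake from a given network, as an added example that is not part of any post here. The host name is the placeholder used in the thread, the port roles are taken from the posts above, and the function names are hypothetical.

```python
import socket

# Ports and roles as named in this thread.
RWW_PORTS = {
    443: "Remote Web Workplace over HTTPS",
    444: "companyweb (SharePoint) over SSL",
    4125: "Remote Desktop within RWW",
}

def probe(host, port, timeout=3.0):
    """Classify one outbound TCP connect attempt made from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"         # three-way handshake completed
    except socket.gaierror:
        return "dns-failure"      # name did not resolve, nothing was sent
    except ConnectionRefusedError:
        return "refused"          # a reset came back from the host or the path
    except OSError:
        return "filtered"         # timeout or unreachable: dropped in transit

def survey(host, ports=RWW_PORTS, timeout=3.0):
    """Probe every listed port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}

def blocked_services(results):
    """List (port, service, state) for each port that did not connect."""
    return [(port, RWW_PORTS.get(port, "unknown"), state)
            for port, state in sorted(results.items()) if state != "open"]

if __name__ == "__main__":
    host = "sbs1.domainname.com"  # placeholder host name used in the thread
    for port, service, state in blocked_services(survey(host)):
        print(f"{port} ({service}): {state}")
```

Run it once from a home connection and once from the client site and compare the two outputs.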
 

Author Comment

by:texan_gerbil
ID: 17007731
Thanks. No-one's on the site today, but I'll pass this info around and see if it helps. I think they've already tried direct access to Sharepoint but I'll get them to try it again.

One question to aid my understanding of firewalls. Am I right in thinking that it's possible on enterprise-grade firewalls to control ports separately both inbound and outbound? I notice above you're carefully saying the ports don't need to be opened "outbound". But they do need to be accepted inbound to receive responses from sbs1? So if the client's firewall is locked down inbound as well as outbound then it's still not going to work?

So what I think you're saying is that the remote client connects to sbs1 on 443, logs in, then if they select Sharepoint, sbs1 will respond on 444 which the client has to be able to receive inbound to authenticate, then communication switches to 443? Or have I got that totally wrong? Is there a resource that documents the call and response for this process?
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17009919
No, that's not really what I'm saying...

Check out this article which may describe it a bit better:  http://pubs.logicalexpressions.com/pub0009/LPMArticle.asp?ID=360

If that doesn't do it, then check this one out:  http://www.windowsecurity.com/whitepaper/Internet_Firewall_Essentials.html

Jeff
TechSoEasy
0
 

Author Comment

by:texan_gerbil
ID: 17029427
None of those suggestions work. User says:
when I click on Use my company’s internal web site, it starts to load, then asks if I want to display the nonsecure items. Whether I click yes or no, I then get:

Action canceled
Internet Explorer was unable to link to the Web page you requested. The page might be temporarily unavailable.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17029490
You've added the URL to the trusted sites of IE?

Have you tried connecting directly to port 444?  (ie, https://sbs1.domainname.com:444)?

Jeff
TechSoEasy
0
 

Author Comment

by:texan_gerbil
ID: 17029505
yes and yes
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17029533
I'm wondering if somehow the client site doesn't like a self-signed SSL certificate?  Can you try installing the certificate and seeing if that fixes it?

To install, just go to https://sbs1.domainname.com/remote. If the certificate is not trusted, a warning appears. Click View Certificate, click Install Certificate, and then follow the instructions, keeping all default options until you are done with the wizard.

Jeff
TechSoEasy
0
 

Author Comment

by:texan_gerbil
ID: 17057231
installing the certificate made no difference.
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 1000 total points
ID: 17071567
Why don't you try the solution I provided here as a workaround:  http:Q_21912700.html#17067064

Be sure to read the steps towards the bottom of the question.

Jeff
TechSoEasy
0
 

Author Comment

by:texan_gerbil
ID: 17194284
Sorry, Jeff, I've been on holiday. I'll try this in the next couple of days and get back to you.
0
