Solved

SBS Sharepoint access from external client site

Posted on 2006-06-27
Last Modified: 2009-12-16

We have a Windows SBS 2003 SP1 server that we need to access remotely. The key resource apart from email is a Sharepoint site (set up in the default companyweb site) which we access via Remote Web Workplace (https://sbs1.domainname.com/remote). All appropriate ports (80, 443, 444, 4125) are open on our firewall. No fancy stuff (ISA Server, VPNs etc) installed.

Everything works fine on a normal home internet connection, but when users try and access from a particular client’s site (ie behind their firewall etc), Sharepoint isn’t accessible.
 
Users can login and get as far as the RWW main page, access “Read my company e-mail”  etc, but when they try to access the SharePoint site from “Use my company's internal Web site” – they just get “this page contains secure and non secure items” then “Page cannot be displayed”. It should be challenging them to authenticate. I assume the client’s firewall is blocking a port that’s needed (would that be port 444?).
 
Getting the client to change their firewall settings is a non-starter (and there are bound to be other sites that we visit with the same issues), so how can I get them access to Sharepoint?

One thing I should say – they tend to use the client company’s computers when on-site, so we can’t install any software eg VPN.
0
Question by:texan_gerbil
18 Comments
 
LVL 4

Expert Comment

by:gbirkemeier
ID: 17005472
I think you are pretty stuck.
I have these same issues with my clients.
For RWW to work ports 444 and 4125 must be open outbound.
4125 is the critical port that has to be open, it is used for authentication on the network after the RWW homepage is reached.
Sorry.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17006010
This sounds as though you have put things on your Companyweb homepage that may not be registered correctly as secure webparts.  Do you have any images/logos/photos that you've put on the homepage that were not uploaded to SharePoint and stored in a document library?

a few notes on gbirkemeier's comments above...  just fyi:
There should be no reason to change a client's firewall... the whole point of RWW is that you can access everything through outbound port 443 of the remote site.  You do not have to open 444 and 4125 outbound because the requests originate from the remote site.
4125 is not the authentication for the network after RWW homepage is reached, it's used for Remote Desktop functionality within RWW, and only needs to be open on the SBS side.

Jeff
TechSoEasy

0
 
LVL 4

Expert Comment

by:gbirkemeier
ID: 17006108
TechSOEasy is correct, I misspoke on when the authentication happens and why, thank you for the correction.
As for if it needs to be open for outbound connections I am not mistaken.  I tend to work in highly secured networks (hospitals to be exact), and in order for the Remote Desktop to operate properly we have had to open port 4125, 444, and 443.  If there is another way to accomplish Remote Desktop without needing these ports open please let me know.
Also, you need to have enough local permissions on the remote workstation to install activeX controls.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17006262
The ports you open are only for the initial TCP/IP dialogue... once the conversation is established between the two machines, the port assignment is moved to other ports automatically.  So, the remote location would certainly have to have port 443 enabled for outbound traffic, but not 444 or 4125.

If you want to see this in action try http://www.visualroute.com/index_pe.html

Jeff
TechSoEasy
0
 
LVL 4

Expert Comment

by:gbirkemeier
ID: 17006426
Wow, good info TechSoEasy.
Thanks, I always seem to learn something new here, even when I don't expect to.
0
 

Author Comment

by:texan_gerbil
ID: 17007572
>This sounds as though you have put things on your Companyweb homepage that may not be registered correctly as secure webparts.  
>Do you have any images/logos/photos that you've put on the homepage that were not uploaded to SharePoint and stored in a document library?

Thanks TechSoEasy, as it happens, no. Our site is still quite new so we haven't done anything fancier than tweaking the layout (announcements, calendar, tasks, links). No external files as part of the page at all.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17007627
You say they use the client's computers when on-site?  So, are they using IE or another browser?  If IE, under Tools > Internet Options > Security, add the URL to the list of Trusted Sites and see if that will fix the issue.  The client "MAY" have some other kind of firewall or content filter in place that could be blocking this so you'd have to check with their IT people.

Since this works elsewhere, I would only just try to access the Sharepoint site in one other way... directly.  This can be accomplished by going to https://sbs1.domainname.com:444

Jeff
TechSoEasy
0
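
Added example, not posted by anyone in this thread: a small check that can be run from inside the client's network to see which of the ports named above (443, 444, 4125) actually complete an outbound TCP connection to the SBS host. The function names are hypothetical, and `sbs1.domainname.com` is the placeholder host name from the question; a timeout is reported as "filtered" because silently dropped packets are what a blocking firewall usually produces, while "refused" means a reset came back.

```python
import socket
import sys

# Ports named in the thread: 443 (Remote Web Workplace), 444 (companyweb
# SharePoint site), 4125 (Remote Desktop inside RWW).
SBS_PORTS = (443, 444, 4125)


def probe(host, port, timeout=3.0):
    """Try one outbound TCP connection and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed end to end
    except socket.gaierror:
        return "unresolved"        # name lookup failed, nothing was sent
    except socket.timeout:
        return "filtered"          # no reply at all: packets dropped on the path
    except ConnectionRefusedError:
        return "refused"           # reset came back: no listener, or a rejecting filter
    except OSError as exc:
        return "error: " + (exc.strerror or str(exc))


def check_ports(host, ports=SBS_PORTS, timeout=3.0):
    """Probe each port from the machine this runs on; returns {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def summarize(results):
    """Reduce the per-port states to a one-line answer."""
    blocked = [p for p, state in results.items() if state != "open"]
    if not blocked:
        return "all probed ports reachable from this network"
    if results.get(443) == "open":
        return "443 reachable, but not: " + ", ".join(
            "%d (%s)" % (p, results[p]) for p in blocked)
    return "443 itself is not reachable (%s)" % results.get(443)


if __name__ == "__main__":
    # Host name as written in the question; pass the real one as an argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "sbs1.domainname.com"
    results = check_ports(host)
    for port, state in results.items():
        print("%s:%d -> %s" % (host, port, state))
    print(summarize(results))
```

Running it once from a home connection and once from the client site gives two result sets to compare; a port that is "open" at home and "filtered" on-site points at the client's egress filtering rather than at the SBS server.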
 

Author Comment

by:texan_gerbil
ID: 17007731
Thanks. No-one's on the site today, but I'll pass this info around and see if it helps. I think they've already tried direct access to Sharepoint but I'll get them to try it again.

One question to aid my understanding of firewalls. Am I right in thinking that it's possible on enterprise-grade firewalls to control ports separately both inbound and outbound? I notice above you're carefully saying the ports don't need to be opened "outbound". But they do need to be accepted inbound to receive responses from sbs1? So if the client's firewall is locked down inbound as well as outbound then it's still not going to work?

So what I think you're saying is that the remote client connects to sbs1 on 443, logs in, then if they select Sharepoint, sbs1 will respond on 444 which the client has to be able to receive inbound to authenticate, then communication switches to 443? Or have I got that totally wrong? Is there a resource that documents the call and response for this process?
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17009919
No, that's not really what I'm saying...

Check out this article which may describe it a bit better:  http://pubs.logicalexpressions.com/pub0009/LPMArticle.asp?ID=360

if that doesn't do it, then check this one out:  http://www.windowsecurity.com/whitepaper/Internet_Firewall_Essentials.html

Jeff
TechSoEasy
0
 

Author Comment

by:texan_gerbil
ID: 17029427
None of those suggestions work. User says:
when I click on Use my company’s internal web site, it starts to load, then asks if I want to display the nonsecure items. Whether I click yes or no, I then get:

1         Action canceled  
Internet Explorer was unable to link to the Web page you requested. The page might be temporarily unavailable.
 
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17029490
You've added the URL to the trusted sites of IE?

Have you tried connecting directly to port 444?  (ie, https://sbs1.domainname.com:444)?

Jeff
TechSoEasy
0
 

Author Comment

by:texan_gerbil
ID: 17029505
yes and yes
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17029533
I'm wondering if somehow the client site doesn't like a self-signed SSL certificate?  Can you try installing the certificate and seeing if that fixes it?

To install, just go to https://sbs1.domainname.com/remote, if the certificate is not trusted, a warning appears. Click View Certificate, click Install Certificate, and then follow the instructions, keeping all default options until you are done with the wizard.

Jeff
TechSoEasy
0
 

Author Comment

by:texan_gerbil
ID: 17057231
installing the certificate made no difference.
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 250 total points
ID: 17071567
Why don't you try the solution I provided here as a workaround:  http:Q_21912700.html#17067064

Be sure to read the steps towards the bottom of the question.

Jeff
TechSoEasy
0
 

Author Comment

by:texan_gerbil
ID: 17194284
Sorry, Jeff, I've been on holiday. I'll try this in the next couple of days and get back to you.
0
