Small Business Server (SBS) 2003 behind a Netgear FVS318 Firewall

Hi

I run a small business helping small SMEs improve their business efficency, largely through relatively simple I.T. measures (line-of-business databases, basic networking etc). As such, although 'I.T. savvy', we are jack-of-all-trades rather than specialists in any particular area.

We run SBS 2003 internally and when I set it up a couple of years ago, I sat the server behind a Netgear FVS318 that we happened to have lying around (itself behind a Draytek 2600VG ADSL router).

This arrangement has worked fine for the last couple of years and I use the Netgear VPN client software to access network facilities when out-and-about, with VPN pass-through enabled on the Draytek to the Netgear.

However, over the last couple of years, we have become increasingly familiar with SBS, both on our own server and on our clients', and really like the possibilities that Remote Web Workplace gives - particularly, the capacity to 'dial in', anywhere, straight from a browser.

The question is quite simple, can SBS Remote Web Workplace co-exist with the existing Netgear VPN ?

We do not currently use ISA and our server only has a single network card. Internally, we use 192.168.0.x addresses.

Before I go off on a long exercise to try and get it working (only to screw up the exist Netgear VPN in the process ?!?), if somebody can advise whether what I want to do is possible - and if so, HOW - then that would be really helpful.

Many thanks in advance,

Horatio_too
horatio_tooAsked:
Who is Participating?
 
Rob WilliamsConnect With a Mentor Commented:
Remote Web Workpace is unique to Small Business Server. As a result many of us are less familiar with it than Remote Desktop. You need to enable port forwarding for it, similar to Keith's instructions, but rather than the standard 3389, it requires ports 443 and 4125 be forwarded to your small business server. Then you can connect with http://aaa.bbb.ccc.ddd/remote
--Rob
0
 
Keith AlabasterEnterprise ArchitectCommented:
Absolutely.

There is an existing protocol called RDP (remote desktop protocol) which uses tcp port 3389. To test this on your own system first, set a port forwarding rule for tcp port 3389 on the Draytek to the Netgear. You can also tell it to only accept port 3389 from certain IP addresses if you want to lock it down. On the Netgear, create a port forwarding rule to the IP address of the SBS box.

You say it is SBS2003? Right-click the My Computer Icon and choose Properties. Select remote and make sure the box (Remote Desktop) is checked. Bt default it will allow Domain Admins to use the service but if you want other users to do so then use the options tab although I would suggest you would not want a user to log into a server.

Thats about it.....
0
 
Keith AlabasterEnterprise ArchitectCommented:
This is a useful link. I know it says sbs 2000 but the concept is the same.
http://www.microsoft.com/technet/prodtechnol/sbs/2000/reskit/sbrk0016.mspx?mfr=true
0
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

 
horatio_tooAuthor Commented:
Dear Keith,

Many thanks for taking the time to reply and for the subsequent link.

We are familar with forwarding Port 3389, but are you sure that that is the ONLY port that we need to forward ?

For full Remote Web Working, we are used to going to http://aaa.bbb.ccc.ddd/remote, where aaa.bbb.ccc.ddd is the static, external IP address of the router behind which the SBS server is sitting.

This then, after domain login, gives access to the SBS machine's remote 'welcome' page, from which users can chose such things as managing server or client desktops, accessing Exchange via OWA, visiting SBS's Sharepoint site etc.

However, we have ONLY ever seen this working on SBS machines (a) with two NICs, running ISA and (b) no hardware firewall running its own VPN as well.

As such, we have seen answers on other forums that suggest that ports INCLUDING 443, 444, 1723, 3389 and 4125 need to be forwarded to the SBS box, for RWW to fully work.

We have also seen a number of posts such as "You will need to disable the VPN services on the router entirely or the 1723 port forward will not work" - hence my post here !

Any comments or guidance would be appreciated - even if it is a simple recommendation to re-post the question in the SBS section of EE !

Thanks once again for your time.

Horatio_too

0
 
Rob WilliamsCommented:
By the way the above assumes RWW has been enabled on the server. If not:
-On the SBS, under administrative tools open the "Server Management" console. In the console click on Internet and e-mail on the left, and on the page that opens on the right, choose connect to the Internet, even though you may have done this before. The wizard will allow you to add to, or change your present configurations. If you already have an Internet connection you really only need to make one addition, but just verify the current options and click next through the screens. If you only have one network adapter configured, you will be prompted regarding the firewall. One network adapter is fine, click no to viewing documentation, and continue. On the "Web Services configuration" page, if it is not already enabled, check "Allow access to only the following web site services", and check the box for "Remote Web Workplace". If "Allow access to the entire web site from the Internet" is already checked that is fine too, but as a rule I recommend you only enable the services you plan to use. Then just continue through the next options and finish.
-If only administrators are connecting you are done on the server. If others wish to connect, and have access to their own desktop, with their existing permissions, they need to be added to the Remote Web Workplace Users Group, located under "Security Groups", again in the Server Management console, and also have remote desktop enabled on their workstation.

Should you enable other services at the same time, you will need
 port 443 for Outlook web access (80 if not using HTTPS -not recommended)
 port 444 for Sharepoint
0
 
horatio_tooAuthor Commented:
Keith/RobWill,

Thank you both for the input. Sorry for the delay in accepting the answer and closing the question, but illness and some other family matters intervened.

Horatio_too
0
 
Rob WilliamsCommented:
Thanks Horatio_too.
Hope all is well now with you and your family.
--Rob
0
 
Keith AlabasterEnterprise ArchitectCommented:
Welcome. Sorry my link didn't help you.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.