roysonofroy

asked on

Remote Web Workplace Will Not Run Locally

I have just installed a Small Business Server 2003. Our SBS 2003 R2 sits behind a Serviced Accommodations router.  Their router is set up to port forward all the default SBS ports to another company in the building.  I wanted my users to access OWA on their server using SBS so I had to change the default ports. I found out how to change the ports for OWA, and that is successfully running – on ports HTTP 1225 and HTTPS 1226.  I now want my users to access Remote Web Workplace initially and once this is working Company Web and maybe VPN.

I don’t know if this is connected or not but I can’t now run Remote Web Workplace (or Company Web) on the server locally.  As I understand it this means that they won’t be able to access it remotely – my idea is to try and get it to run locally first.

My main issue at present is to get Remote Web Workplace running for them as they wish to access an accountancy package called IRIS from their home PCs  which will use RDP being the protocol, as I understand it, that Remote Web Workplace uses.

To help me out the Serviced Accommodations IT guy purchased another router last week and dedicated it to us and said I could now use all the SBS default ports which means that I can change back the ports for OWA to the default ones - 80 and 443.  I did this last week and Remote Web Workplace (and Company Web) still will not run on the server locally.

I have checked all the default settings in IIS including permissions etc as per a book called Small Business Server 2003 Unleashed (Sams Publishing) and still no joy.

I noticed that in the ISAPI tab in IIS that there is a red arrow next to a filter called SBSFLT.  I have removed this and put it back in again and it appears green.  When I right click Default Web site and select Browse (I get an error page in IE7 something like page not found) and then recheck the arrow it has turned red again.

Can anyone help me get Remote Web Workplace working?
rindi

Make sure your internal domain name isn't the same as the external one. It should be something like www.yourdomain.local and not www.yourdomain.com...
When you try to access RWW from inside the local lan.. what are you putting in the address bar to access it?

try http://<serverIP>/remote

Here is some help on reinstalling RWW if the above doesn't work.

http://groups.google.com/group/microsoft.public.windows.server.sbs/browse_thread/thread/279f8379ee74eb10/2a20bd3a12437ce%232a20bd3a12437ce
Unfortunately, SBS will not function properly with alternate ports for HTTP and HTTPS.  OWA does not like to run on anything other than 443.  As you have now found out.

Primarily you MUST have 443 and 4125 open for RWW.  You also must run the Configure Email and Internet Connection Wizard (CEICW -- linked as "Connect to the Internet" on the To-Do list in the Server Management Console) to make sure that RWW is enabled.

A visual how-to for that is here:  http://sbsurl.com/ceicw

These are the basic ports that are needed for SBS:

25 - SMTP
443 - HTTPS (for RWW and OWA)
444 - SharePoint
1723 - PPTP VPN
3389 - RDP for remote administration
4125 - Remote Web Workplace

As for IRIS using RDP protocol... that's irrelevant because what RWW does is allow users to access their Office Workstation's desktop just as if they were sitting at their desk.  See http://sbsurl.com/rww for details.

Jeff
TechSoEasy
In reading your question again... it appears that you've somehow broken the IIS configuration.  If rerunning the CEICW doesn't resolve your problem then please follow this KB article to reinstall IIS (and Exchange -- which has to be done as well if you reinstall IIS):  http://support.microsoft.com/kb/320202

Jeff
TechSoEasy
roysonofroy

ASKER

I now have RWW working internally on the LAN from the server to one PC using this address in IE7: https://<serverIP>:1226/Remote.  I can connect to this one PC with no problem internally.

However, when I use this link (ie going out and coming back in again): https://www.oneaccounting.oneaccounting.co.uk:1226/Remote to access the same PC from the server I get this message:

Remote Desktop Disconnected:
The client could not connect to the remote computer.  Remote connections might not be enabled or the computer might be too busy to accept new connections. It is also possible that network problems are preventing your connection.  Please try again later.  If the problem continues to occur, contact your administrator.

What does Connection Manager do?  Do I need to load this on the remote PCs?

Can anyone help please?
If you did successfully get SSL to work on port 1226 you would still need port 4125 open and pointing to your SBS in order for the Remote Desktop portion of RWW to work.  

If you would have reviewed the link I supplied above (http://sbsurl.com/rww) -- specifically the TS PROXY section -- you would see how RDP works with RWW.  It's an ActiveX script that is set to work on port 4125.  If you can't use that specific port, you can modify it in the registry on this key:  HKLM\Software\Microsoft\SmallBusinessServer\RemoteUserPortal

But it still needs to be a separate port from the SSL one.

Jeff
TechSoEasy
One thing I might recommend to you as well... your URL is awfully long!  You don't need to use the same HOST name externally as you've named your server.  So, even though your SBS is named oneaccounting (with its local FQDN being oneaccounting.oneaccounting.local) you can use ANY host name you like to access it.  

For instance, you can use remote.oneaccounting.co.uk --- you just have to configure this HOST A record the same way you did the one for oneaccounting.oneaccounting.co.uk at your ISP.  Then, rerun the CEICW and use remote.oneaccounting.co.uk in the SSL certificate's HOST name so that you don't get the host name mismatch warning in IE when you first access the server.

Jeff
TechSoEasy
Thanks Jeff.  That's most helpful.  I will read the link.

So, I should change the key in the registry on the server to, say, port 1227?

I take note of your comments on the long name and will do as you suggested once I've got everything working.

Roy
"So, I should change the key in the registry on the server to, say, port 1227"

Well, is there any reason to change it from 4125?  Can you not get them to point 4125 to your server?  Because then you don't have to deal with another non-standard port.

Jeff
TechSoEasy
Thanks for your reply.

I can't use the standard port because we are in Serviced Accommodation along with other companies in the building.  The IT guy for the building has used port forwarding on his router to forward all the default ports for SBS to another company.  That's why I have to use non-standard ports - it's a real pain.

Roy
Lambda Computing
Is it possible for you guys to get your own static IP address?  If you can get the ISP who supplies the building your own IP address then the IT guy can point all the standard ports that come in on that IP to your stuff.  Worth asking for and probably 5-10 bucks a month more.
To get a static IP address we would need to sign up to an ISP, get our own line put in then purchase our own router.  This will all cost money and the business are a start up and want things done with little cost and done quickly.  I did advise this solution before I started the work but it would have taken 3 weeks to get the line in etc.  As it has now turned out it would have been quicker doing it this way in the first place as I have had much grief changing default port and trying to get things to work.
DM
I have just reread your solution - and realise that the ISP could issue us with another IP address - I will investigate this with the IT guy who looks after the building.  Thanks
DM
I have just spoken to the ISP and they tell me that only one IP address can be allocated to each cable modem and therefore we would have to get another line in with the associated set up and rental costs.  So it looks like I'll have to do this or change the port by changing registry setting as advised by Jeff (TechSoEasy).
One other option, that may be simpler is to handle the port forwarding at the Router.  Just FYI.  

So that 1226 ----> 443 on your server
        1227 ----> 4125 on your server

...etc.

That way you can keep your SBS's configuration clean.

Jeff
TechSoEasy
Actually, that won't work... so never mind.  RWW wouldn't be able to handle the NAT.

Jeff
TechSoEasy
What about creating a VPN tunnel and then doing it that way?  Is the other company using VPN?  If not then you only have the one port to worry about.

https://www.experts-exchange.com/questions/21815902/VPN-Configuration-Setup-for-SBS-2003.html?sfQueryTermInfo=1+sb+setup+vpn
The other company are using the VPN port - in fact they have taken all the SBS default ports.

Is there a registry entry I can change to change the VPN port?

Roy
Lambda Computing
I have made a change to the registry as suggested by Jeff (TechSoEasy) replacing port 4125 with port 1227 and getting the Serviced Accommodations router to forward 1227.  I still can't make a connection to a desktop or server on the internal LAN with RWW from a PC outside the office.  I still get the error message:

Remote Desktop Disconnected:
The client could not connect to the remote computer.  Remote connections might not be enabled or the computer might be too busy to accept new connections. It is also possible that network problems are preventing your connection.  Please try again later.  If the problem continues to occur, contact your administrator.

It all still works fine internally.
Most likely, it's not working externally because you are trying from the same machine which had already installed the ActiveX component that directs traffic to port 4125.  The quickest and easiest way to test would be to check from a machine you've never used to test RWW remote desktop with.

If that works... then you just need to clean off the existing ActiveX component and clear out the machine's Temporary Internet File Cache... which should get things working properly.

Jeff
TechSoEasy
Thanks Jeff.  

I have tried your suggestion on my daughter's laptop and now I get this error message:
An invalid server name was specified.

How do you clean off the existing ActiveX component out of my home PC?
The CLSID for the activex client is {7584C670-2274-4EFB-B00B-D6AABA6D3850}.

Open Regedit and search your registry to find all instances of this key and delete them.

Then, reboot the computer and reconnect to Remote Web Workplace.

FYI, the reason you are getting the error on your daughter's laptop is most likely due to a 3rd party firewall installed on her machine, such as ZoneAlarm or something like that.  Usually these programs disable the activeX module.  You can counter that by installing the following registry entry.  Save the file below (between the lines, but not including them) as a registry file (.reg extension) and then open it on the laptop to have it install into the registry and fix the restriction:

--------------------------------------------------------------
REGEDIT4

; ++++++++++++++++++++++++++++++++++++++++
; The following code will remove the ActiveX Compatibility restriction on
; CLSID = {7584C670-2274-4EFB-B00B-D6AABA6D3850}
; Microsoft RDP Client Control (redist)
; +++++++++++++++++++++++++++++++++++++++++

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7584C670-2274-4EFB-B00B-D6AABA6D3850}]
-------------------------------------------------------------------------------

Jeff
TechSoEasy
She has Norton Internet Security Suite 2007 installed.  I disabled all the Firewall and security settings and I still could not connect.  I got the previous error message:

Remote Desktop Disconnected:
The client could not connect to the remote computer.  Remote connections might not be enabled or the computer might be too busy to accept new connections. It is also possible that network problems are preventing your connection.  Please try again later.  If the problem continues to occur, contact your administrator.
That's a problem with port 1227 not translating properly.  After you change the setting in the registry, did you rerun the CEICW?  Because that is what creates the firewall filter within SBS itself.

Take a look at the most recent IcwdetailsXX.htm file in C:\Program Files\Microsoft Windows Small Business Server\Networking\ICW\ on your server (where XX is the incremental number assigned each time the CEICW is run).  Under the "FIREWALL CONFIGURATION SUMMARY" section you should see something like:

      Create the following custom filters:
      Remote Web Workplace, 1227, TCP

If it says "4125" instead of "1227" then you haven't run the Wizard since changing the registry entry.

Jeff
TechSoEasy
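
The check Jeff describes (does the wizard's summary show the Remote Web Workplace filter on the port set in the registry, and is that port separate from the SSL one) can be scripted. The Python below is an added example, not part of the thread or of any SBS tooling; it assumes the summary text has the layout quoted in this thread, and the function names and sample text are constructed for illustration.

```python
import re

# Constructed sample, modelled on the "FIREWALL CONFIGURATION SUMMARY" text
# quoted in this thread (plain text, lines hard-wrapped as the wizard writes them).
SAMPLE_ICW = """\
FIREWALL CONFIGURATION SUMMARY

      Create the following custom filters:
      Windows SharePoint Services intranet site, 444, TCP
      OWA Secure, 1226, TCP
      OWA Secure UDP, 1226, UDP
      Remote Web Workplace, 4125, TCP
      Remote Web Workplace, 4125, TCP

      Create a static incoming filter on the network
adapter used to connect to the Internet.
"""

# One filter per line: "<name>, <port>, <TCP|UDP>"
FILTER_RE = re.compile(r"^\s*(.+?),\s*(\d{1,5}),\s*(TCP|UDP)\s*$")


def parse_custom_filters(text):
    """Return [(name, port, proto)] from the custom-filters block."""
    text = re.sub(r"<[^>]+>", "", text)  # assumption: raw .htm may carry tags
    filters, in_block = [], False
    for line in text.splitlines():
        if "Create the following custom filters" in line:
            in_block = True
            continue
        if not in_block:
            continue
        m = FILTER_RE.match(line)
        if m:
            filters.append((m.group(1), int(m.group(2)), m.group(3)))
        elif line.strip():
            break  # first non-blank, non-filter line ends the block
    return filters


def check_rww(text, expected_port, ssl_port):
    """List problems with the RWW filter; an empty list means it matches."""
    rww_ports = {port for name, port, proto in parse_custom_filters(text)
                 if name == "Remote Web Workplace" and proto == "TCP"}
    problems = []
    if not rww_ports:
        problems.append("no Remote Web Workplace filter found")
    elif rww_ports != {expected_port}:
        problems.append(f"RWW filter is on {sorted(rww_ports)}, "
                        f"expected {expected_port}; wizard not rerun?")
    if expected_port == ssl_port:
        problems.append("RWW port must differ from the SSL port")
    return problems


if __name__ == "__main__":
    # Registry set to 1227, SSL on 1226, wizard summary still shows 4125.
    for problem in check_rww(SAMPLE_ICW, expected_port=1227, ssl_port=1226):
        print(problem)
```
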

Okay thanks.  

No I did not rerun the CEICW.  I thought that if I ran the CEICW it would change the registry entry back to 4125.  I will take a look at the .htm file as you suggested.
I looked at the file you suggested and it did still say 4125.  I re-ran the CEICW and had a look at the resulting file and it changed the port to 1227 but I can not get the RWW splash screen so that was a backward step.

Any other suggestions would be welcome?
I've changed the registry entry back to 4125 and reran the CEICW and now this is what the file looks like.

(I still can't get the RWW splash screen remotely whereas I could before running the CEICW to get 1227 entered in the IcwdetailsXX.htm file).

SUMMARY OF SETTINGS FOR CONFIGURE E-MAIL AND INTERNET
CONNECTION WIZARD

This file contains detailed information about the
configurations specified in the Configure E-mail and
Internet Connection Wizard.
The configurations specified in the Configure E-mail and
Internet Connection Wizard determine the settings for your
network, firewall, secure Web site, and e-mail.

NETWORKING CONFIGURATION SUMMARY

After the wizard completes, the following network connection
settings will be configured:
Connection type: direct broadband connection
After the wizard completes, the following broadband
connection settings will be configured:
Internet connection information:
      Connection name: Local Area Connection
      IP address: 192.168.1.128
      Subnet mask: 255.255.255.0
      Default gateway: 192.168.1.1
      Preferred DNS server:
      Alternate DNS server: not provided
Connection information for the network adapter used to
connect to your local network:
      Local network connection name: Server Local Area
Connection
      Local network connection IP address: 10.18.15.1
      Local network connection subnet mask: 255.255.255.0
      The Default Gateway for the network adapter used to
access the local network is cleared so that network traffic
is routed correctly.
Routing and Remote Access will be configured as follows:
      Enable the service as a router for the local area
network to route network traffic to the Internet.
      Enable IP routing to route network traffic to the
Internet.
      Enable broadcast name resolution.
      Enable Basic Firewall on the demand-dial interface.
      Disable the option to automatically assign IP
addresses by using the DHCP allocator because DHCP is
provided by your server’s DHCP server.
      Disable the option to resolve IP address for clients
using DNS because DHCP is provided by your server’s DHCP
server.
Disable File and Print Sharing for Microsoft Networks for
the network adapter or modem used to connect to your ISP.
This reduces the chance of a malicious attack by limiting
the ability to browse the network and to connect to file
shares and network printers.
Unbind remote procedure call (RPC) from the network adapter
or modem used to connect to your ISP. This reduces the
chance of a malicious attack by limiting the ability to
connect to this service.
Set forwarders to  and  so that name resolution requests
intended for the Internet are forwarded to the DNS servers
at your ISP.
Set the DNS Server service to listen to the IP address of
the local network adapter to ensure that the DNS server is
not responding to DNS request from the Internet.
Modify the binding order so that the local network adapter
has the highest priority to route network traffic to the
Internet.
Set Internet Explorer to never dial a connection, to not use
proxy settings, and set the home page to the address of the
computer running Windows Small Business Server.

FIREWALL CONFIGURATION SUMMARY

After the wizard completes, the following firewall settings
will be configured:

Routing and Remote Access will be configured as follows:

      Enable Basic Firewall for Routing and Remote
Access.

      Create a standard set of network service filters.
For a list of the standard filters, see firewall settings
for your Windows Small Business Server network in Help and
Support.

      Create the following additional filters:
      E-mail
      Virtual Private Networking (VPN)
      Terminal Services
      FTP
      Web server
      Secure Web Server (HTTPS)
      For more information about the port number and
purpose of each additional filter, see firewall settings for
your Windows Small Business Server network in Help and
Support.

      Create the following custom filters:
      Windows SharePoint Services intranet site, 444, TCP
      OWA, 1225, TCP
      OWA UDP, 1225, UDP
      OWA Secure, 1226, TCP
      OWA Secure UDP, 1226, UDP
      Remote Web Workplace, 4125, TCP
      Remote Web Workplace, 4125, TCP

      Create a static incoming filter on the network
adapter used to connect to the Internet to prevent identity
spoofing (IP address spoofing) through the firewall
service.

      Enable IP routing.

      Add the loopback adapter IP address of 127.0.0.1 to
support the http://localhost for IIS.

Internet Information Services (IIS) will be configured as
follows:

      Restrict default Web site of IIS to only respond to
requests from the local network.

      Set the maximum number of incoming Web request
connections allowed to the default Web site to 500. This
improves system availability and reliability by mitigating
denial-of-service attacks against your Web site.

      Allow access to the default Web site in IIS to the
Internet by modifying the IP permissions of the Web site to
allow all IP address to connect:

      NOTE:  Users connecting to Outlook Web Access,
Remote Web Workplace, and Outlook via the Internet, must use
an https:// connection. Additionally, these Web site
directories are configured to require 128-bit encryption.
All other Web sites can use either https:// or http://
connections.


SECURE WEB SITE CONFIGURATION SUMMARY

After the wizard completes, the following secure Web site
settings will be configured:
Secure Sockets Layer (SSL) will be configured as follows:
Do not change current Web server certificate

E-MAIL CONFIGURATION SUMMARY

After the wizard completes, the following e-mail settings
will be configured:
Exchange will be configured as follows:
Email: Do not change Exchange configuration for Internet
e-mail.
      Keep the existing Internet e-mail configuration.

After the wizard completes, the icwlog.txt in C:\Program
Files\Microsoft Windows Small Business Server\Support is
updated.
After the wizard completes, the wizard script file
config.vbs is created in C:\Program Files\Microsoft Windows
Small Business Server\Networking\Icw.
NOTE: Each time the wizard runs, a new config.vbs file is
automatically generated to preserve the previous settings.
For example config.vbs, config1.vbs, config2.vbs, and so
on.

Re my last post.  

I found out why I couldn't get the splash screen externally.  

When I ran the CEICW it changed the internal LAN card IP settings to DHCP and the server got the wrong IP address!  

I changed it all back to the correct IP settings now I am back in the position to:
change the registry entry again to 1227,
run the CEICW again
check that the IP addresses are ok on the internal LAN card
check to see if RWW will connect to a PC remotely
It worked.  Many, many thanks.