Can connect to RWW but cannot connect to client desktops.

Bert2005
OK, I am confused. SBS 2003 Standard R2 with Cisco PIX with ports 443, 444 and 4125 open. I can access RWW from all inside computers with domain administrator rights as can all users with users rights. All XP SP2 machines are set to accept remote connections. CEICW has been run and allows RWW. I can get to all client desktops from within the LAN. I CANNOT connect to the server from the RWW Administrator's page: "Connection to the remote computer could not be established."

I can connect to the same administrator's RWW page and connect to all of the client desktops from home through the router with no problems. Not sure if I can access the server.

There are two networks in the building the other which is a completely separate network. I cannot access the desktops from that computer although I can get to the user page using a user account. I am not sure what is going on?

Thanks.

Jeffrey Kane - TechSoEasy, Principal Consultant
Most Valuable Expert 2016
Top Expert 2014

Commented:
Bert2005,

If you're confused... so am I.

"I can connect to the same administrator's RWW page and connect to all of the client desktops from home through the router with no problems. Not sure if I can access the server."

It would be VERY helpful to know if you can access the server from outside the LAN.

"There are two networks in the building the other which is a completely separate network. I cannot access the desktops from that computer although I can get to the user page using a user account. I am not sure what is going on?"

I have no idea what you meant by anything in that paragraph.  Can you restate it?

Jeff
TechSoEasy

Author

Commented:
Hi Jeff!

You know me by now. I never make anything clear, lol. I was just saying that because there is another office, I am able to troubleshoot since using their computers which I have access to, I can connect from both outside the LAN through the router and from within the LAN on my network.

Also, when I click on Download Connection Manager, which I don't know if it is even necessary, it gives me the error message: "Because this is a public or shared computer, Connection Manager can not be downloaded. As a security measure, Connection Manager can only be downloaded to a computer that is not public or shared." I didn't think ours was public?

I will try connecting to the server.

Author

Commented:
A couple more pieces of information. We did change passwords today to more secure ones given the RWW access. I don't know if that would make a difference, i.e. they need to propagate or something. Highly doubtful I imagine.

My user who could not log into her desktop from the other office with the completely different ISP, etc., was able to log in from home using AOL : ( It was an Active X issue there. I did read that and tried to make sure in security settings Active X was enabled, and it was. I didn't know how to force Active X to be downloaded.

Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
The connection manager is for VPN connections, and you don't want to be downloading that for using RWW.  But that gives me a clue... when you connect to RWW, there is a box on the login screen that says, "I'm using a public or shared computer".  UNCHECK that box and then you need to allow the ActiveX plug-ins to install into IE6 or IE7 (you cannot use Firefox for this).

Jeff
TechSoEasy

Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
If there is a pending password change request, that should pop up when the user logs into RWW.

Jeff
TechSoEasy

Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
Oh... and if you changed the Administrator password but did not log off and back on immediately after making that change, then it's possible there are inconsistencies in the stored credentials.  You may have to change it again and then be sure to log off immediately afterwards.

Jeff
TechSoEasy

Author

Commented:
Should the Active X install simply pop up and ask you if you want to install it? Is this a setting on I.E. 6.0 or 7.0?

I didn't change the password on the server yet.

I was just able to use Log Me In from home and get into all the desktops although every once in awhile I will not be able to get in. Then if I try a login again, I get right in.

The reason I couldn't get into the server (embarrassing) was because even though I had set all of the clients to accept remote access, I didn't do it on the server.

If I am able to access the clients, how will unchecking the public computer button help? Granted, I did because it did cause some error messages.

Finally, when I connected to the server, since I was used to using my username and password, I logged in as a user (well actually as an administrator but the admin account of the server). That reminded me that I probably shouldn't be logging into the server as an administrator. That, of course, pertains directly to the following question: Leew is trying to help me, but I don't think he realizes how much of a newbie I am when it comes to networking. I did finally open the correct ports of my PIX to allow RWW and OWA thanks to Batry_boy and Nodisco. It only took me two months. : )

http://www.experts-exchange.com/Microsoft/Windows_Security/Q_22598708.html

Author

Commented:
Oh yes. The only strange thing now is the fact that my user can connect from home. But, when she tries to use her computer at work (again a computer which is on the public side of the router), she can get all the way to the page where you select a computer and try to connect, and she gets the error message that she cannot connect remotely or the computer may be busy. I have tried downloading Active X on that machine.

By the way, I certainly don't expect you to go jumping in that question above. I guess a good article on users and groups and local administrators vs domain administrators, et al would be helpful.

Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
"Should the Active X install simply pop up and ask you if you want to install it?"

Yes.  You need to have security settings on IE set properly.  In IE, open Tools, Internet Options, click Security, then click Custom Level. Verify that "Download signed ActiveX controls" and "Run ActiveX controls and plug-ins" are either set to Enable or Prompt.

You can ONLY log into the server as an administrator.  Non-admin users don't have permission to log into the server.  But since you stated above that you were getting to the RWW "Administrators" menu, I assumed you were logging in with an account that's got administrative privileges.  Since standard users get a different RWW menu that doesn't even show the ability to connect to the server's desktop.

"The reason I couldn't get into the server (embarrassing) was because even though I had set all of the clients to accept remote access, I didn't do it on the server."

You shouldn't have needed to set either the clients or the server manually for remote access.  The clients are automatically set to allow for remote access when you properly join them to the SBS domain using http://<servername>/connectcomputer.  The SBS should be set to allow remote access when you run the CEICW and enable Terminal Services on the "Services Configuration" screen of that wizard.  Of course, you'd also need to enable Remote Web Workplace on the subsequent screen as well.

Jeff
TechSoEasy


Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
"again a computer which is on the public side of the router"

HUH???  What do you mean that the computer is on the public side of the router?

"I have tried downloading Active X on that machine"

Double HUH??  What do you mean by this as well?  The ActiveX control downloads and loads into IE of the machine that is trying to connect remotely... so that would be at the user's HOME.

Now I'm really confused.

Jeff
TechSoEasy

Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
"I guess a good article on users and groups and local administrators vs domain administrators, et al would be helpful."

No... joining the workstation to the domain using http://<servername>/connectcomputer would be helpful.  This handles EVERYTHING needed to properly configure things.  During the connectcomputer wizard, you are asked to assign a domain user to the machine.  This is what enables that user to connect remotely. (by automatically making them a member of the LOCAL administrators group on that machine).  

There is never a need to do ANY manual configuration on either the server or a workstation to get RWW to work properly.

Jeff
TechSoEasy

Author

Commented:
OK. I guess I am just confused due to my two months worth of experts dialog on the PIX. They always talked about private side and public side, i.e. 72.xx.xx.xx for the public side of the router which would include any traffic from the Internet and 192.168.0.x being the private side. I must be making the whole other computer thing way too difficult. When I say from home, you understand what I mean. It's a computer not on the LAN. I am just saying that my user is NOT on the LAN right now. She is working at the office next door outside of the LAN so it is easy to see if she can get in to RWW through the router and to the desktop.

Since Active X was enabled on her machine, and it still was not working, I was just wondering if I had to download it. Microsoft does have a site with downloads of Active X for XP. I don't understand Active X. Usually, on my machines at home, I am prompted with the yellow or beige bar across the top of my browser. She was not getting any of those prompts and it was enabled. Hence the confusion on the Active X. I think her issue is with Active X. On the User's HOME, see above. Even though I can get into my home from work through LogMeIn to check the connection, I am still logging in as an administrator. So, since my user who is the one who needs to use it the most anyway from her HOME, and, by the way, she can; I have been getting her to try to access RWW and the desktops from her computer at work (again not on my LAN). Think of her as down the street accessing from the Internet.

Also, due to other issues where I did not connect the clients properly, I at one point reinstalled Windows XP on all of the machines (I needed to anyway). I then, due to your help, connected all the computers correctly. But, even so, when I right click on My Computer and choose remote, many do not have the check box checked. I don't know if that has anything to do with it.

IMPORTANT: I have run CEICW a thousand times, and I don't see the terminal services thing. Let me tell you what it shows: Connection type: Do not change, Web services: Everything except for Performance and Usage Reports and Outlook Mobile Access, Server certificates: None, radio button at bottom is clicked, Internet email: Do not change

If instead of Do Not Change Connection Type, I click on Broadband (which I am guessing I clicked on when I first set it up), the next screen shows a local router address.

Sorry about the confusion. Thanks for your help.

Author

Commented:
"No... joining the workstation to the domain using http://<servername>/connectcomputer would be helpful.  This handles EVERYTHING needed to properly configure things.  During the connectcomputer wizard"

Well, if I listen to Leew's advice, I would need a good book as it is confusing to me. And, you have to understand that ever since you have hammered home the http:\\server\ComputerConnect  (with Server being the name of my server), I have ALWAYS used that. ALL of my clients are connected to the server with that method.

"you are asked to assign a domain user to the machine.  This is what enables that user to connect remotely. (by automatically making them a member of the LOCAL administrators group on that machine)."

Ok, here is the part that if I understand, I will never need to give out another point on E-E. Well, maybe I am exaggerating. When I go through ConnectComputer (can I call it SCC for now), it does ask for a user, in fact, it allows me to add extra users. I am pretty sure this user is a local administrator for this machine that she cannot get into from here but can get into from home (again not on the LAN for either). I added her when I did SCC. It would also be nice if a user could get into more than one PC as some users use more than one PC. Of course, I have been told by you I think that once they log in, they are a local administrator. This is why it gets so confusing for me.

There is never a need to do ANY manual configuration on either the server or a workstation to get RWW to work properly.

Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
Okay... so run the CEICW again... and don't select "do not change" for connection type.  Then keep going.  See http://sbsurl.com/ceicw for a visual of all the screens.  

Re: ActiveX.  There is no download for "ActiveX" from Microsoft.  ActiveX controls are specific to the function that they are designed for.  If she's not getting the prompts, then perhaps it's already installed.   The thing is, though, what error she's getting.  Because according to you... you were able to access this workstation via RWW when logged in as an administrator.  So, she's not a domain administrator... and when she tries to connect to the workstation, what is the exact error?

Also... is this the workstation that you didn't have a local administrator account on?  (http:Q_22515211.html)?  Because if you added the administrator account with BARTS PE after joining with ConnectComputer, then it never joined right.  My recommendation was to reinstall XP at that point, which needed to be done.

Jeff
TechSoEasy



Author

Commented:
Yes, I remember that question very well. Due to the fact that the network had been running peer-to-peer about a month prior to the server even being in the mix, I did decide to reformat all seven computers and then attach them to the domain using the http:\\server\computerconnect. All seven joined without a problem, although when asked what user to assign to that computer, I assigned the most likely user, i.e. the billing person to the BILLING-PC, the receptionist to RECEPTIONIST-PC, and the nurse to NURSE-PC. Of course, I was assigned to Room1-PC, Room2-PC and OFFICE-PC. I had to add the suffixes, because prior to the reformatting and reconnecting to the domain, they all had the same computer names without the -PC. So, it seemed as though (although I am not completely sure), the user who was the biller could log on to her computer since she was considered a local administrator whether or not the computer was locked after I used it. I have reason to use computers other than Room 1, Room 2 and my computer. For instance, I may use the nurse's computer when she is not here if I need to triage a patient.

I will try to make this clear, because it may be confusing. Even though my biller could ALWAYS log into her computer whether it was locked by me, therefore saying "this computer cannot be unlocked by anyone other than Bert A... or an administrator." But, my nurse could not log into her computer if I had locked it. This was an issue, because if I came in at 9:00 AM and she arrived at 8:00 AM, she could not access her computer. This is why I was tempted to make her an administrator on the domain something I KNOW I should not do!

What I think I should have done at the time of connecting the computer was added the users I thought we need to access certain computers. I am told I can do that after by adding users to certain groups but, so far, that has not worked. I am sure I am doing something wrong. And, when I am told to add that user as a local administrator, I am not sure if I should do it physically on the local client or from the server. I tried from the local client, but it didn't seem to work.

As to the error message my user received:

The client could not connect to the remote computer. Remote connections might not be enabled or the computer might be too busy to accept new connections. It is also possible that network problems are preventing your connection. Please try connecting again later. If the problem continues to occur, contact your administrator or Jeff.

As to CEICW:

I am almost 99% certain that Broadband was connected the first time around as that is what we had. We certainly didn't have Dial-up. The article did say that a direct connection should be checked rather than the local router and IP address due to the time service being disconnected. I did not enable the firewall, because I thought that was for ISA and we have one NIC and a Cisco firewall. I do not recall what I put down for the Service Configuration: Email, VPN, Terminal Services or FTP. I imagine we put down Email. I know we did not put down VPN or FTP. Can't recall on T.S. I do not have a web server certificate.

Hope this helps.

Jeffrey Kane - TechSoEasy, Principal Consultant
Commented:
First, your situation is not unique...
When you run connectcomputer and assign a user, the wizard puts that user into the LOCAL Administrators group for that workstation.  That is what is meant by "an administrator" when you need to log off someone that did not properly log off before.  You don't need to make anyone a domain administrator... just a local one.  Furthermore, if you leave the computer at night, don't just lock it... log off!

To add a user AFTER you've initially joined a workstation to the domain, you must FIRST add that user on the server to give them a domain account... using the Add User Wizard and applying the default user template.  Then, you can either go to the machine and open Computer Management or just access it in the Client Computers section of the Server Management Console > Manage Computer.  Either way, it's the same console.  

When the computer management console opens, you expand Local Users and Groups > Groups.  Double-click the Administrators group and add the new user as DOMAIN\Username.  That's all there is to it.  

"I was assigned to Room1-PC, Room2-PC and OFFICE-PC."

Well, this isn't actually possible... since once a domain user account is assigned to a workstation it wouldn't show up on the list anymore.  Further, you are a Domain Administrator and you don't need to assign yourself to any computer other than your own.  If you look in the Local Administrators Group of each workstation (via the Computer Management Console as described above) you'll see that (hopefully) "DOMAIN\Domain Admins" is a member of that group and your account should be a member of Domain Admins if you used the Administrator Template when you created your user account on the server.

Re the CEICW:

If you want to see what you initially set, just look at the overview file it stores every time you run it.  You'll find that at C:\Program Files\Microsoft Windows Small Business Server\Networking\ICW\IcwdetailsXX.htm  (where XX is the incremental number inserted for each time you run the wizard).

Now... the "direct connection" instead of "connect to a local router" bug was corrected in SP1.  So you can choose that option.  In fact, you are forced to select it now when you have a single NIC configuration.  Then, you're right, I wasn't thinking that you had a single NIC configuration, so the "firewall" Services Configuration screen won't show up in this case and you may have to enable Remote Access in the System Properties as you said.  It's been awhile since I've joined a single NIC SBS, so I don't remember if it handles it or not.

On the Web Services Configuration screen, you should have everything checked EXCEPT Business Web Site (wwwroot).  The remaining screens you can just select "do not change" and finish out the wizard.

Jeff
TechSoEasy
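
A read-only check of the workstation prerequisites discussed in the answer above (Remote Desktop enabled in System Properties, and the assigned user present in the local Administrators group), as an added example that is not part of the original thread. The script name, the account argument and the use of the default Remote Desktop port 3389 are assumptions.

```batch
@echo off
rem Added example (not from the thread): read-only RWW prerequisite checks.
rem Run on the workstation or server that refuses the remote connection.
rem Usage (hypothetical file name): rwwcheck.bat DOMAIN\username
setlocal

set "ACCOUNT=%~1"
if "%ACCOUNT%"=="" (
    echo Usage: %~nx0 DOMAIN\username
    exit /b 2
)

rem 1. Remote Desktop setting. This is the check box under
rem    My Computer, Properties, Remote. 0x0 means connections are allowed.
set "TSKEY=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
set "DENY="
for /f "tokens=3" %%V in ('reg query "%TSKEY%" /v fDenyTSConnections 2^>nul ^| find "fDenyTSConnections"') do set "DENY=%%V"

if "%DENY%"=="0x0" (
    echo [OK]   Remote Desktop is enabled
) else (
    echo [FAIL] Remote Desktop is disabled or unreadable ^(fDenyTSConnections=%DENY%^)
)

rem 2. Is anything listening on the Remote Desktop port?
rem    3389 is the default port and is assumed here.
netstat -an | find ":3389 " | find "LISTENING" >nul
if errorlevel 1 (
    echo [FAIL] Nothing is listening on TCP 3389
) else (
    echo [OK]   A listener is present on TCP 3389
)

rem 3. Local Administrators membership, which is what ConnectComputer grants
rem    to the assigned user. This is a plain text match on the member list,
rem    so access inherited through a nested group such as Domain Admins
rem    shows up as that group's name, not as the user's.
net localgroup Administrators | find /i "%ACCOUNT%" >nul
if errorlevel 1 (
    echo [FAIL] %ACCOUNT% is not listed in the local Administrators group
) else (
    echo [OK]   %ACCOUNT% is listed in the local Administrators group
)

echo.
echo Current members of the local Administrators group:
net localgroup Administrators

endlocal
```

The script changes nothing; it only reports. The final member list is also a convenient record of exactly which accounts hold administrative rights on each workstation.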









Author

Commented:
Finally! I think you are the first to explain the users thing so I can understand it. Plus, all of your replies in the last comment made complete sense with my statements and questions. Remember, I take almost everything you advise to heart. That is why I spent an entire day (while seeing 30 kids) to reformat all of my PCs and do it right. I always try to set up my computer correctly.

Remember, I am fascinated by computers and especially SBS 2003, but I still am a full time pediatrician so I do all of this with my "free time."  This is why I will always be a member of Experts-Exchange.

Other than allowing the users to log on to the computer, are there other advantages to my logging off rather than locking the PC at night? And, if an employee had a locked computer, what would happen if they restarted the PC, not that I want them doing that all the time?

Thanks, Jeff, as usual. At least I kept your HUHs down to less than five, which is always a plus for me, <G>
