  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 775

Small Business Server 2003, Remote Web Workplace, VPN hardware

This would be a multi question. I have a server running SBS 2003 and utilize Remote Workplace. I have a simple Netgear VPN firewall with appropriate ports forwarded, and connection is semi successful. Users can connect but when the number of users connected gets higher (8 or so) additional connection cannot be made. Does SBS 2003 have a max number of connections? Would it be possible to have the VPN through hardware (Netgear VPN firewall, Cisco ASA) and have connection manager/web based running together? Or will this cause issues?
Asked by: jmsy

Joshua1909 Commented:
Hi,
It is important to note that SBS should not be used as a terminal server for security reasons.

Re your first question:
1. Are you getting any errors with RWW, or does it simply fail to connect?
2. If you disconnect one of the other sessions, can you then connect?
3. Are the users connecting to individual machines via RWW, or are they connecting to the SBS server?

To answer your second question:
Remote Web Workplace basically works as a proxy, forwarding traffic from TCP port 4125 to 3389 (the RD port).  However, if you were to VPN in and connect to the SBS server directly, then you would be limited to 2 concurrent connections (SBS 2003 is limited to 2 terminal server connections--three if you include the console session).  Using Remote Web Workplace is the way to get around that connection limit.
 
jmsy (Author) Commented:
Should have included this info.
I have an SBS 2003 server, and a terminal server. Using connection manager, it would time out and not connect. RWW would mostly give the network busy message, but after a couple to a few tries the remote session opens. Users are connecting to individual machines, and terminal server, only I remote to the SBS server. So I can have RWW and VPN through the hardware at the same time without issues?
 
Rob Williams Commented:
RWW has no connection limits other than the bandwidth that your Internet connection will support, however the VPN has a 5 user (port) limit by default with SBS. This can easily be increased. For the record, basic Server 2003 has a default of 128.
To increase the number of available VPN connection ports open the RRAS console, expand the server name, locate ports, right click on ports and choose properties, in the right hand window click on WAN Miniport PPTP and click configure, at the bottom increase the maximum number of ports from the default 5.
 
Joshua1909 Commented:
Yes, you should be able to have both VPN and RWW running unless of course your Netgear device has a limit on the number of VPN connections. Although you might find it easier if you pick one technology (VPN/RDP or RWW) and stick with it.

Re the connection issue, as RobWill mentioned, RWW has no connection limit. You do have plenty of bandwidth available?
 
jmsy (Author) Commented:
Thanks for the advice, I have increased the number of ports. I will see how this goes. The reason I mix it up is connection through RWW always takes a few to many tries before a session comes up and sometimes on the first try. So if there is no limit for RWW why am I having issues? Bandwidth is great...my first assumption was the low-end Netgear VPN firewall. Also I'm using one 1 gig port on the server, planning to utilize the second 1 gig port, do you think load balancing would help? Or I was thinking of having one for WAN and one for LAN, would you know the best method to do this?
 
Joshua1909 Commented:
It will come down to a process of elimination to figure out why the RWW problems are coming up. The best thing you can do is test test test. Try every variable you can to get more information as to the cause.
Some things to try:
- Figure out exactly how many users can connect before they have the problem--does it consistently stop accepting connections at a certain number, or does it vary?
- When it stops connecting, what machine is the user attempting to connect to?

If it consistently drops off at a certain number it may be a configuration setting somewhere, however if it fluctuates we may be looking at a bottleneck or resource issue somewhere...
I'm just wondering (as a point of interest), since you have a VPN server in the form of that Netgear device, is there any reason you don't get the users to VPN to your network, and then use Windows' built-in RDP client to connect to your terminal server? It would seem to me a cleaner way of doing this--and less prone to issues than RWW.
P.S., in reference to your original post, you mentioned you had ports forwarded on your Netgear device, can you provide more details as to the setup? E.g., what ports are forwarded where? Is RWW accessible directly from external networks, or do they have to VPN in first?
 
Andrew Davis (Manager) Commented:
Just looking at this briefly and I am at a loss as to why you would use RWW to connect to a Terminal Server. Why would you not simply use either the MSTSC/RDP client or the web interface located on www.yourdomain.com/tsweb to connect to the terminal server box?

You could utilize a VPN as well, however this is not really required as all traffic over the RDP can (and should) be encrypted.
See http://www.windowsecurity.com/articles/Windows_Terminal_Services.html

There is an argument for VPN but it is only in place of lax security in other areas.

I would try this first and then see if your problem exists, as this will instantly take the SBS server out of the picture for having to deal with the incoming requests and route them to the TS.

Cheers
Andrew
 
Rob Williams Commented:
The first question would be why are you using RWW with a VPN. Using basic remote desktop over a VPN is very common but RWW uses SSL and is very secure, requiring no VPN, and is intended to be used without the VPN. Why not try using it without the VPN? RWW requires you forward ports 443 and 4125 from the Netgear to the SBS.

Actually, using the VPN adds some security risks as it adds a wide open tunnel between client and server over which attacks could be made and viruses transferred.
 
jmsy (Author) Commented:
Sorry, let me be more clear. I have users going to mydomain.com/remote for RWW. They get to the connect to my computers, or connect to company's application server with no problems. But once they try to start the session by clicking on connect it's a hit or miss. "The client could not connect.....Please try connection later" (you know the message). Sometimes no message, sometimes numerous failed attempts. So I have some users download connection manager, connect VPN, and use Windows RDP....will post if the increase in ports solved issues of timing out.
 
Rob Williams Commented:
Sorry, increasing the number of ports will not help "timing out" nor will help with direct RWW connections. However, if using the VPN and "when the number of users connected gets higher (8 or so) additional connection cannot be made." it should address the problem.
 
jmsy (Author) Commented:
Increasing the ports partially solved the issue of connection. I have 443 and 4125 forwarded but there is incoming (port ~ port) and outgoing (port ~ port). Is there a specific way to set the ports? Currently it's incoming 443~443, outgoing 4125~4125 (maybe this can be the issue with RWW).
 
Rob Williams Commented:
It has to be incoming 443~443, and incoming 4125~4125.
 
jmsy (Author) Commented:
Thanks for the reply. I had a first set incoming 443~443, outgoing 4125~4125 and second set incoming 4125~4125, outgoing 443~443. But connections are successful with the first set only, or both sets. Have to fill in both outgoing and incoming, can't leave any blank. Tried other combinations but only works this way. Not sure why having issues.....

I would like to try utilizing both 1Gig ports.  Having one ethernet port for LAN, and the other for WAN.  Any suggestions on the best way to do this?
 
Rob Williams Commented:
Are you using a VPN for RWW or just a router connection? There is no port configuration if using a VPN as it is the same as being on the same LAN, but if connecting from the Internet using RWW through your router you must use port forwarding to forward 443 and 4125 to the SBS WAN NIC (if 2 NIC). There is no such thing as forwarding an outgoing packet. Your router may have additional firewall configurations which would need to be configured to allow incoming and outgoing traffic on ports 443 and 4125, but as a rule most firewalls allow outgoing traffic by default.

Are you using 2 NICs now? SBS works well with either 1 or 2 NICs, but if you make changes you have to re-run the "Configure E-mail and Internet Connection Wizard". If you make any changes to the LAN NIC you MUST use the "Change server IP Wizard" or you will break most SBS services.