How to set up SBS 2008 Remote Web Workplace Intranet and Remote Machines


How does one set up the RWW site on SBS 2008? I'm looking for information re DNS, ports and firewall rules because I've been stuck on this for a while.

My first goal is to set up the 'Internal Website' access and then, later, I want to be able to use the remote computer connections.

My current config is listed here: (the expert's comment)

Many thanks,


Brian Harrington (IT Manager) Commented:
The setup program should have generated the sites in IIS; are they resident in IIS? Start -> Administrative Tools -> Internet Information Services. RWW runs on 443 and Companyweb (Internal Site) on 987; both are SSL and need a certificate, self-signed or 3rd party.
You want to make sure that you have properly run the wizards during the SBS setup. You can also run them at any time from the SBS Console home.

The wizards that you need to make sure are configured are the "Connect to the Internet", "Set up your Internet Address", and "Configure a Smart Host for Internet Email".

The "Connect to the Internet" wizard is pretty straightforward, just point it to the IP address of the router's internal interface.

The "Set up your Internet Address" is what does most of the configuration of the Remote Web Workplace, your internal website, and the DNS settings.

A lot of these settings are going to depend on how your ISP is configured. Do you have static IP addresses for your internet connection? If you have static IPs set up for your connection, are there any domain names configured for those IP addresses? You will also need the DNS settings for your ISP.

As far as the firewall settings are concerned, that small subnet between your modem and the firewall is going to complicate things some.  I'm assuming your modem also has basic firewall functionality.  You will need to configure your modem to re-direct all the internet traffic to the external firewall interface.  Depending on the modem brand, this can be called a bunch of different things, but look for something along the lines of "Static NAT" or "DMZ Servers".  

Once you have all traffic forwarded to your Astaro, you need to configure the NAT rules to forward the appropriate traffic to your SBS server.  

Assuming you are using ASG version 7, this is done in "Network Security -> NAT", and then go to the "DNAT/SNAT" tab.  Here you will select the source of the traffic, what protocol, and then where it should be forwarded to.

For SBS, you will need to forward ports 25, 80, 443, and 987 from outside to your SBS server.

In Astaro, the rules will look something like this (this example is for port 443, repeat for each needed port):

Traffic Selector: Any -> HTTPS -> External Address
Destination Translation : SBS_Server

You will be using DNAT (Destination) for these rules, and make sure to check the "Automatic Packet Filter" option.
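
A way to check the result of these forwarding rules from a machine outside the LAN, as an added example that is not part of the original thread. The required ports are the ones listed in the answer above; 444 and 3389 are the extra ports the asker mentions having forwarded on the old modem config. The script name and the `audit` report layout are assumptions made for this example.

```python
import socket
import ssl
import sys

# Ports the answer above says to forward to the SBS server.
REQUIRED = {25: "SMTP", 80: "HTTP", 443: "RWW", 987: "Companyweb"}
TLS_PORTS = {443, 987}      # both sites are SSL and need a certificate
ALSO_CHECK = (444, 3389)    # forwarded on the asker's old modem config

def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def tls_status(host, port, timeout=3.0):
    """Handshake with normal verification and classify the outcome."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "trusted"
    except ssl.SSLCertVerificationError:
        return "untrusted-cert"   # e.g. self-signed or name mismatch
    except OSError:
        return "no-tls"           # no handshake (also: protocol too old)

def audit(host, probe=tcp_open, tls=tls_status):
    """Report required ports that are closed and extra ports that are open."""
    report = {"missing": [], "unexpected": [], "tls": {}}
    for port in sorted(REQUIRED):
        if not probe(host, port):
            report["missing"].append(port)
        elif port in TLS_PORTS:
            report["tls"][port] = tls(host, port)
    for port in ALSO_CHECK:
        if probe(host, port):
            report["unexpected"].append(port)
    return report

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_sbs_ports.py <public-hostname-or-ip>")
    print(audit(sys.argv[1]))
```

A port in `missing` points at the modem or DNAT forwarding; a port in `unexpected` is reachable from outside but is not on the answer's list of ports SBS needs.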


warrenrapson (Author) Commented:
I should have mentioned that I did have my RWW working in that I could log on to it and use OWA. The SharePoint site would fail and I had not tried to set up anything for remote computers.

When I changed my modem and external interface subnet, I could no longer log on to the RWW externally. I have tried the above with no luck. I can't even see anything when I use from the server...

Any further thoughts?

How is the modem firewall configured?  Are there any filtering or forwarding rules set up?   You want to make sure that the modem is fully forwarding all ports to that external firewall interface.  

What brand of modem are you using?  What type of ISP connection do you have?
warrenrapson (Author) Commented:
Hi Russell,

My modem is a Linksys AM300. I have a static IP from my ISP.

My current config (before you helped me with my subnet) was Modem ( - Ext. NIC ( - Int. NIC ( - switch ( Changing the externals to a different subnet stopped ports being visible outside using My email was also going to my secondary MXs during that config.

Last night, I changed back to my old config. What benefits does having a different external subnet bring?

During that old config, I had port forwarding set up on the modem to forward ports to 25, 443, 444, 987, 3389 and some others that escape me now (I'm at work now). With that config, my RWW served its page and OWA was fully functional. My Astaro DNATs NATed those ports to my SBS box.

With the config with the different subnets, I couldn't do any of the above. Guessing, I tried enabling my DMZ on the modem - that didn't seem to help. I also attempted to set the NAT on the modem, but it did not like anything I entered and so none of those settings were saved.

BTW my switch (DLINK ....?) is a wireless router with the routing turned off (to the best of my knowledge). I'll check the settings on that when I get home.


I'm trying to figure out why your current configuration is working at all right now.  Your subnet spans both sides of your firewall, and I'm not sure how your internal clients are able to access the internet properly.  

What device is hosting your DHCP?  Your windows server, the Astaro, or the modem?  What are the DHCP settings (subnet mask, default gateway etc)?

One thing that you might try on your modem is to configure it into "Bridged" mode.  How is your DSL configured to authenticate in the modem?  Is it PPPoE, or just a standard internet address, or something different?  

If you configure the modem to bridged mode, the firewall functionality on the modem gets disabled, and it forwards everything to the Astaro.  The Astaro would then handle the PPPoE authentication, and if you do this, the external address on the Astaro will now be your WAN static IP address, and that 2nd subnet goes away.  

I prefer bridged connections because you can configure everything on the astaro, and you don't have to configure two sets of rules and settings for both the modem firewall and the Astaro.

One additional question, since you are using the D-Link as a switch, make sure you don't have anything plugged into the WAN port on the D-link.  
warrenrapson (Author) Commented:
Hi Russell,

I only just tried this over the weekend - I'm so busy and it's hard to find time to trial and error this stuff. I'm not complaining though, because I always wanted to get into networking...

First, to answer your questions. My DHCP is the SBS box. Its mask is The default gateway is - I think - that's the ASG internal.

I really like the idea of the bridge mode modem with the ASG handling everything. I tried that with no luck... I don't know what I was doing wrong - everything seems so simple, but I just couldn't get the ASG to see a successful connection. I tried PPPoE and the other one - PPPoA. My Linksys AM300 is currently authenticating over PPPoE with static IP. What's the difference? I gathered that PPPoE makes the ext NIC my static IP? What testing can I do?

Thanks again!
warrenrapson (Author) Commented:
My last post was a separate problem and solution in itself. Basically, I changed the external interface on my ASG several times with several configs, but I couldn't get the connection 'up'. The solution was simply to delete the interface and create a new one rather than changing it... I blogged that in case anyone else needs it -

I'll now continue on my original quest.

Were you able to get the ports properly forwarded through NAT once you got your bridge mode working?
warrenrapson (Author) Commented:
Actually yes - I forgot to post my update. Two nights ago, I purchased a trusted Certificate from GoDaddy to sort out my OWA certificate issues - I thought for $US29, why not? That seemed to assist in my solution, but I can't be sure if that was the final fix because my I found that test site still doesn't allow me to access my intranet... I actually don't remember testing it from the site that I used to confirm success.

Either way, your solutions have helped me immensely (thank you) so I will accept one to close this post. My next goal is the remote PCs, but I don't have the time or real need for that anytime now. When the time is right, I'm sure I will post another question.

Thanks again Russell.