warrenrapson

How to set up SBS 2008 Remote Web Workplace Intranet and Remote Machines

Hi,

How does one set up the RWW site on SBS 2008? I'm looking for information re DNS, ports and firewall rules because I've been stuck on this for a while.

My first goal is to set up the 'Internal Website' access and then, later, I want to be able to use the remote computer connections.

My current config is listed here: https://www.experts-exchange.com/questions/24559357/Firewall-rules-manage-modem-on-external-side.html (the expert's comment)

Many thanks,

Warren
Brian Harrington

The setup program should have generated the sites in IIS. Are they resident in IIS? Start -> Administrative Tools -> Internet Information Services. RWW runs on 443 and Companyweb (Internal Site) on 987; both are SSL and need a certificate, self-signed or 3rd party.
ASKER CERTIFIED SOLUTION
russell124
warrenrapson

ASKER

I should have mentioned that I did have my RWW working in that I could log on to it and use OWA. The SharePoint site would fail and I had not tried to set up anything for remote computers.

When I changed my modem and external interface subnet, I could no longer log on to the RWW externally. I have tried the above with no luck. I can't even see anything when I use canyouseeme.org from the server...

Any further thoughts?
How is the modem firewall configured?  Are there any filtering or forwarding rules set up?   You want to make sure that the modem is fully forwarding all ports to that external firewall interface.  

What brand of modem are you using?  What type of ISP connection do you have?
Hi Russell,

My modem is a Linksys AM300. I have a static IP from my ISP.

My current config (before you helped me with my subnet) was Modem (10.1.1.1) - Ext. NIC (10.1.1.2) - Int. NIC (10.1.1.3) - switch (10.1.1.4). Changing the externals to a different subnet stopped ports being visible outside using canyouseeme.org. My email was also going to my secondary MXs during that config.

Last night, I changed back to my old config. What benefits does having a different external subnet bring?

During that old config, I had port forwarding set up on the modem to forward ports to 25, 443, 444, 987, 3389 and some others that escape me now (I'm at work now). With that config, my RWW served its page and OWA was fully functional. My Astaro DNATs NATed those ports to my SBS box.

With the config with the different subnets, I couldn't do any of the above. Guessing, I tried enabling my DMZ on the modem - that didn't seem to help. I also attempted to set the NAT on the modem, but it did not like anything I entered and so none of those settings were saved.

BTW my switch (DLINK ....?) is a wireless router with the routing turned off (to the best of my knowledge). I'll check the settings on that when I get home.

...???
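
The external check done with canyouseeme.org above can be repeated for every port the thread names, with a certificate check on the two SSL sites. This is an added example, not part of the original thread; the function names are illustrative, and the SMTP and RDP labels for ports 25 and 3389 are the standard assignments rather than something stated by the posters.

```python
import socket
import ssl
import sys

# Ports named in the thread (forwarded on the modem, then DNATed to the SBS box).
FORWARDED_PORTS = {25: "SMTP", 443: "RWW / OWA (SSL)", 444: "role not stated in thread",
                   987: "Companyweb (SSL)", 3389: "RDP"}
TLS_PORTS = (443, 987)

def probe(host, port, timeout=3.0):
    """Classify one TCP port: 'open', 'closed' (refused), 'filtered' (no reply)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns-error"   # the public name does not resolve at all
    except ConnectionRefusedError:
        return "closed"      # a reset came back: reachable, but no service is listening
    except OSError:
        return "filtered"    # timeout/unreachable: dropped before reaching a listener

def cert_status(host, port, timeout=3.0):
    """Report whether a default client would trust the certificate on a TLS port."""
    ctx = ssl.create_default_context()  # checks chain and hostname against system CAs
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "trusted, expires " + tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        return "untrusted: " + exc.verify_message  # e.g. self-signed or name mismatch
    except OSError as exc:
        return "no TLS handshake: " + type(exc).__name__

def check_all(host, ports=FORWARDED_PORTS, timeout=3.0):
    """Probe each forwarded port; add certificate status for open TLS ports."""
    report = {}
    for port in sorted(ports):
        state = probe(host, port, timeout)
        if state == "open" and port in TLS_PORTS:
            state += "; cert " + cert_status(host, port, timeout)
        report[port] = state
    return report

if __name__ == "__main__":
    # Run from outside the LAN against your own public name or static IP.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, state in check_all(target).items():
        print(f"{port:>5}  {FORWARDED_PORTS[port]:<26} {state}")
```

A "filtered" result on every port points at the modem or the first NAT hop dropping traffic, while "closed" means packets arrive but nothing is listening where the forward ends.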

I'm trying to figure out why your current configuration is working at all right now.  Your subnet spans both sides of your firewall, and I'm not sure how your internal clients are able to access the internet properly.  

What device is hosting your DHCP?  Your Windows server, the Astaro, or the modem?  What are the DHCP settings (subnet mask, default gateway etc)?



One thing that you might try on your modem is to configure it into "Bridged" mode.  How is your DSL configured to authenticate in the modem?  Is it PPPoE, or just a standard internet address, or something different?  

If you configure the modem to bridged mode, the firewall functionality on the modem gets disabled, and it forwards everything to the Astaro.  The Astaro would then handle the PPPoE authentication, and if you do this, the external address on the Astaro will now be your WAN static IP address, and that 2nd subnet goes away.  

I prefer bridged connections because you can configure everything on the Astaro, and you don't have to configure two sets of rules and settings for both the modem firewall and the Astaro.

One additional question, since you are using the D-Link as a switch, make sure you don't have anything plugged into the WAN port on the D-Link.
Hi Russell,

I only just tried this over the weekend - I'm so busy and it's hard to find time to trial and error this stuff. I'm not complaining though, because I always wanted to get into networking...

First, to answer your questions. My DHCP is the SBS box. Its mask is 255.255.255.0. The default gateway is 10.1.1.3 - I think - that's the ASG internal.

I really like the idea of the bridge mode modem with the ASG handling everything. I tried that with no luck... I don't know what I was doing wrong - everything seems so simple, but I just couldn't get the ASG to see a successful connection. I tried PPPoE and the other one - PPPoA. My Linksys AM300 is currently authenticating over PPPoE with static IP. What's the difference? I gathered that PPPoE makes the ext NIC my static IP? What testing can I do?

Thanks again!
My last post was a separate problem and solution in itself. Basically, I changed the external interface on my ASG several times with several configs, but I couldn't get the connection 'up'. The solution was simply to delete the interface and create a new one rather than changing it... I blogged that in case anyone else needs it - http://warrenrapson.wordpress.com/2009/07/28/having-trouble-bridging-your-modem-and-your-astaro-security-gateway/

I'll now continue on my original quest.

Were you able to get the ports properly forwarded through NAT once you got your bridge mode working?
Actually yes - I forgot to post my update. Two nights ago, I purchased a trusted certificate from GoDaddy to sort out my OWA certificate issues - I thought for $US29, why not? That seemed to assist in my solution, but I can't be sure if that was the final fix because I found that test site still doesn't allow me to access my intranet... I actually don't remember testing it from the site that I used to confirm success.

Either way, your solutions have helped me immensely (thank you) so I will accept one to close this post. My next goal is the remote PCs, but I don't have the time or real need for that anytime now. When the time is right, I'm sure I will post another question.

Thanks again Russell.