How to setup SBS 2008 Remote Web Workplace Intranet and Remote Machines

Posted on 2009-07-14
Last Modified: 2012-05-07

How does one setup the RWW site on SBS 2008? I'm looking for information re DNS, ports and firewall rules because I've been stuck on this for a while.

My first goal is to setup the 'Internal Website' access and then, later, I want to be able to use the remote computer connections.

My current config is listed here: (the expert's comment)

Many thanks,

Question by:warrenrapson
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5

Expert Comment

ID: 24848298
The setup program should have generated the sites in IIS, are they resident in IIS?   Start -> Administrative Tools -> Internet Information Services.  RWW runs on 443  Companyweb (Internal Site) on 987 both are SSL and need a certificate, self signed or 3rd party.

Accepted Solution

russell124 earned 500 total points
ID: 24852665
You want to make sure that you have properly run the wizards during the SBS setup.  You can also run them from any time in the SBS Console home.  

The wizards that you need to make sure are configured are the "Connect to the Internet", "Set up your Internet Address", and "Configure a Smart Host for Internet Email".

The "Connect to the Internet" wizard is pretty straight forward, just point it to the IP address of the router's internal interface.

The "Set up your Internet Address" is what does most of the configuration of the Remote Web Workplace, your internal website, and the DNS settings.

A lot of these settings are going to depend on how your ISP is configured.  Do you have static IP addresses for your internet connection?  If you have static IP's set up for your connection, are there any domain names configured for those IP addresses?  You will also need the DNS settings for your ISP.  

As far as the firewall settings are concerned, that small subnet between your modem and the firewall is going to complicate things some.  I'm assuming your modem also has basic firewall functionality.  You will need to configure your modem to re-direct all the internet traffic to the external firewall interface.  Depending on the modem brand, this can be called a bunch of different things, but look for something along the lines of "Static NAT" or "DMZ Servers".  

Once you have all traffic forwarded to your Astaro, you need to configure the NAT rules to forward the appropriate traffic to your SBS server.  

Assuming you are using ASG version 7, this is done in "Network Security -> NAT", and then go to the "DNAT/SNAT" tab.  Here you will select the source of the traffic, what protocol, and then where it should be forwarded to.

For SBS, you will need to forward ports 25, 80, 443, and 987 from outside to your SBS server.

In Astaro, the rules will look something like this (this example is for port 443, repeat for each needed port):

Traffic Selector: Any -> HTTPS -> External Address
Destination Translation : SBS_Server

You will be using DNAT (Destination) for these rules, and make sure to check the "Automatic Packet Filter" option.


Author Comment

ID: 24857807
I should have mentioned that I did have my RRW working in that I could log on to it and use OWA. The sharepoint site would fail and I had not tried to setup anything for remote computers.

When I changed my modem and external interface subnet, I could no longer log on to the RRW externally. I have tried the above with no luck. I can't even see anything when I use from the server...

Any further thoughts?
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.


Expert Comment

ID: 24861818
How is the modem firewall configured?  Are there any filtering or forwarding rules set up?   You want to make sure that the modem is fully forwarding all ports to that external firewall interface.  

What brand of modem are you using?  What type of ISP connection do you have?

Author Comment

ID: 24864970
Hi Russell,

My modem is a Linksys AM300. I have a static IP from my ISP.

My current config (before you helped me with my subnet) was Modem ( - Ext. NIC ( - Int. NIC ( - switch ( Changing the externals to a different subnet stopped ports being visible outside using My email was also going to my secondary MXs during that config.

Last night, I changed back to my old config. What benefits does having a different external subnet bring?

During that old config. I had port forwarding set up on the modem to forward ports to 25, 443, 444, 987, 3389 and some other that ecape me now (i'm at work now). With that config, my RRW served its page and OWA was fully functional. My Astaro DNATs NATed those ports to my SBS box.

With the config with the different subnets, I couldn't do any of the above. Guessing, I tried enabling my DMZ on the modem - that didn't seem to help. I also attempted to set the NAT on the modem, but it did not like anything I entered and so none of those settings were saved.

BTW my switch (DLINK ....?) is a wireless router with the routing turned off (to the best of my knowledge). I'll check the settings on that when I get home.



Expert Comment

ID: 24873493
I'm trying to figure out why your current configuration is working at all right now.  Your subnet spans both sides of your firewall, and I'm not sure how your internal clients are able to access the internet properly.  

What device is hosting your DHCP?  Your windows server, the Astaro, or the modem?  What are the DHCP settings (subnet mask, default gateway etc)?

One thing that you might try on your modem is to configure it into "Bridged" mode.  How is your DSL configured to authenticate in the modem?  Is it PPPoE, or just a standard internet address, or something different?  

If you configure the modem to bridged mode, the firewall functionality on the modem gets disabled, and it forwards everything to the Astaro.  The Astaro would then handle the PPPoE authentication, and if you do this, the external address on the Astaro will now be your WAN static IP address, and that 2nd subnet goes away.  

I prefer bridged connections because you can configure everything on the astaro, and you don't have to configure two sets of rules and settings for both the modem firewall and the Astaro.


Expert Comment

ID: 24873510
One additional question, since you are using the D-Link as a switch, make sure you don't have anything plugged into the WAN port on the D-link.  

Author Comment

ID: 24948082
Hi Russell,

I only just tried this over the weekend - i'm so busy and it's hard to find time to trial and error this stuff. I'm not complaining though, because I always wanted to get into networking...

First, to answer your questions. My DCHP is the SBS box. It's mask is The default gateway is - i think - that's the ASG intenal.

I really like the idea of the bridge mode modem with the ASG handling everything. I tried that with no luck... I don't know what I was doing wrong - everything seems so simple, but I just couldn't get the ASG to see a successful connection. I tried PPPoE and the other one - PPPoA. My lyksys AM300 is currently authenticating over PPPoE with static IP. What's the difference? I gathered that PPPoE makes the ext NIC my static IP? What testing can I do?

Thanks again!

Author Comment

ID: 24958856
My last post was a separate problem and solution in itself. Basically, I changed the external interface on my ASG several times with several configs, but I couldn't get the connection 'up'. The solution was simply to delete the interface and create a new one rather than changing it... I blogged that in case anyone else needs it -

I'll now continue on my original quest.


Expert Comment

ID: 25019138
Were you able to get the ports properly forwarded through NAT once you got your bridge mode working?

Author Comment

ID: 25019179
Actually yes - I forgot to post my update. Two nights ago, I purchased a trusted Certificate from GoDaddy to sort out my OWA certificate issues - I thought for $US29, why not? That seemed to assist in my solution, but I can't be sure if that was the final fix because my I found that test site still doesn't allow me to access my intranet... I actually don't remember testing it from the site that I used to confirm success.

Either way, your solutions have helped me immensely (thank you) so I will accept one to close this post. My next goal is the remote PCs, but I don't have the time or real need for that anytime now. When the time is right, I sure I will post another question.

Thanks again Russell.

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the event you manage a Small Business Server 2003, and you are audited for PCI compliance, there are several changes you must make in order to pass the audit. I can take no credit for discovering any of these fixes or workarounds, but there is no…
This guide is intended for migrating Windows 2003 Standard with Exchange 2003 to Windows Small Business Server 2008. You will need the following: Exchange Best Practice Analyzer:…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question