Solved

Can't Access Remote Web Workplace from Outside Network

Posted on 2011-03-18
19
1,359 Views
Last Modified: 2012-05-11
I can't access the RWW from outside the network.  It works fine from inside the network.  I'm using ISA and have dual NICs, one facing out and the other to the network.  Static IP on server, ports open on router.  I am not sure how to configure the server to allow access, but I thought the wizard did that (to do list).
Not sure how to create web certificate either.
Please I need help.

Netstat -n Results
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    74.164.103.98:389      74.164.103.98:28118    ESTABLISHED
  TCP    74.164.103.98:8539     74.164.103.98:3268     CLOSE_WAIT
  TCP    74.164.103.98:28118    74.164.103.98:389      ESTABLISHED
  TCP    74.164.103.98:30923    64.62.195.166:443      ESTABLISHED
  TCP    127.0.0.1:389          127.0.0.1:28136        ESTABLISHED
  TCP    127.0.0.1:389          127.0.0.1:31056        ESTABLISHED
  TCP    127.0.0.1:1096         127.0.0.1:389          CLOSE_WAIT
  TCP    127.0.0.1:1114         127.0.0.1:389          CLOSE_WAIT
  TCP    127.0.0.1:1176         127.0.0.1:389          CLOSE_WAIT
  TCP    127.0.0.1:8580         127.0.0.1:389          CLOSE_WAIT
  TCP    127.0.0.1:28136        127.0.0.1:389          ESTABLISHED
  TCP    127.0.0.1:31056        127.0.0.1:389          ESTABLISHED
  TCP    192.168.1.200:135      192.168.1.200:31560    ESTABLISHED
  TCP    192.168.1.200:139      192.168.1.141:1832     ESTABLISHED
  TCP    192.168.1.200:389      192.168.1.141:1838     TIME_WAIT
  TCP    192.168.1.200:389      192.168.1.141:1839     TIME_WAIT
  TCP    192.168.1.200:389      192.168.1.141:1843     TIME_WAIT
Question by:OLY8892
19 Comments
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
ID: 35172354
Please confirm the version of SBS.  From your description of ISA, I can guess SBS 2003 premium, but confirmation would be nice.

If you have forwarded requests from the public IP of the router to the "external" nic of the SBS (the one on the same subnet as the router) for ports 25, 443, 444, 4125, and run the CEICW, you should be able to access from a remote station.

What errors show up when you try?
0
 
LVL 1

Author Comment

by:OLY8892
ID: 35172419
SBS 2003r2 sp2

IE just says page can't be displayed.  I don't have CA set up.

I don't get the Web Services Configuration page any more. I was sure I selected RWW and OWA then left the certificate box blank and would go back and do it later as it said, "if you don't have configure later." I configured VPN but don't have a web cert.
Now I don't have an option to Create a new Web server certificate.  How can I create it without using CEICW?  I want to setup RWW.

I don't want to mess with any of the current setting so I selected keep same settings.  Do I need to reset everything in order to access the Web Services Config Page?

Fresh install of SBS 2003r2 on Dell PowerEdge 2900.  Previous Hard drive failed no backup config.
Current Config:
2 Nic
1 facing router 1 facing Network through switch
Internetwork working fine, host able to get out and communicate.
Netopia router connected to Server nic running DHCP  74.164.103.96 /29
Server IP 192.168.1.200
Windows IP Configuration

   Host Name . . . . . . . . . . . . : zeus
   Primary Dns Suffix  . . . . . . . : BejeDesigns.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : BejeDesigns.local

Ethernet adapter Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
 VBD Client)
   Physical Address. . . . . . . . . : 00-24-E8-4D-4F-02
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 74.164.103.98
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 74.164.103.97
   DNS Servers . . . . . . . . . . . : 192.168.1.200
   Primary WINS Server . . . . . . . : 192.168.1.200
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Server Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
 VBD Client) #2
   Physical Address. . . . . . . . . : 00-24-E8-4D-4F-04
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.200
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.1.200
   Primary WINS Server . . . . . . . : 192.168.1.200
0
 
LVL 1

Author Comment

by:OLY8892
ID: 35172446
Here are the htm files from the 3 times I ran CEICW.
Also the SBS-BPA.
Icwdetails.htm
Icwdetails1.htm
Icwdetails2.htm
SBSBPA.20110318.2011031818401824.xml
0
 
LVL 1

Author Comment

by:OLY8892
ID: 35172837
Confirmed with ATT that the ports 25, 443, 444, 4125 are open and UPnP is enabled.
Currently the Netopia is the DHCP server.  I can change this and make the Server handle the dhcp if that is needed.  Then run the CEICW again not retaining any config and resetting the network config.
0
 
LVL 15

Expert Comment

by:markdmac
ID: 35172901
You should also use a trusted certificate.  You can get a 3 year cert from GoDaddy for only $38 if you use promo code PROMOSSL at checkout.  That will save you over $100 on the cost of the certificate.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 35173878
DHCP should be handled by the SBS Server..not the DSL router
I can ping your DSL router, but cannot ping the IP of your external NIC

Is this a brand new install?
0
 
LVL 1

Author Comment

by:OLY8892
ID: 35174089
Yes this is a new install.  
I told the ATT tech that I wanted to disable DHCP on the Netopia and use the Server.  He said it was not recommended, but I wanted to see if I could get it working the way it's currently set up.

The internetwork is working just fine.  All the hosts can get out and communicate on the network.  I did have some problems with Vista box.  The connectcomputer has known issues and would not run to add box to network.  So I just hit cancel and it's working fine.

I will disable DHCP on the router and run CEICW from the start.  

I have one question, What do I enter into the Web Server Certificate page, for the fully qualified domain name (FQDN) ZEUS.bejedesigns.local or ZEUS.bejedesign.com?  ZEUS is the SBS Server.

0
 
LVL 1

Author Comment

by:OLY8892
ID: 35174102
Able to see router from Web page and ping.
But that's as far as I can get.
0
 
LVL 13

Expert Comment

by:connectex
ID: 35174127
Just a quick note. ISA server has been removed from SBS 2008 and higher. If you intend to continue with SBS and don't want to purchase an ISA separately, I suggest investing in a good hardware firewall now. In my opinion you're just delaying the inevitable.
0

 
LVL 15

Expert Comment

by:markdmac
ID: 35174229
Typically with SBS you would use remote.bejedesign.com, at least that is what SBS 2008 will default to.  Then you would need to ensure you have a matching host record in public DNS that points to your public IP.  You would also want to get RDNS configured to resolve the IP to the name on the cert.
0
 
LVL 1

Author Comment

by:OLY8892
ID: 35174743
I will get things set up in the morning, well later.  Then report back.
CEICW sets up the DNS and RDNS I believe but I will check it after I run it.
Thanks.
Let's see if it works.
0
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
ID: 35174915
Some ideas that come to mind:

SBS really should be the DHCP server for your network, and the clients should be dhcp enabled, not static.  First line support for ISPs are (usually) idiots.

Your public IP should be static, which would imply business class, not residential class, service.

If email is flowing to the exchange server, you already have a cert for SBS 2003, although you will have to add it to the cert store on the remote clients.  It is whatever the email uses for its MX record, usually "mail.domain_name.com".  In any case, for a remote browser to find your router, and hence your RWW web site, you must have a public dns record that "points" to the ip of the router.  With SBS 2003 this is easily done using the same name as the MX record, assuming you are having your mail sent directly to your local ip.  If not, you will need another public DNS record, and remote.domain_name.com is as good as any, but you could have beer.domain_name.com if you wanted.

When you run the CEICW you use whatever public DNS record you have setup that points to the IP of your edge device when the wiz asks for it, and check the boxes for the services you want to be available.
0
 
LVL 1

Author Comment

by:OLY8892
ID: 35175328
Contacting ISP now.  I have public IP's /29 and have the static set on the Server.  I will have Server handle DHCP.
I was trying to set up pop3 (Yahoo) for email.  But it's not working, the only I received was the welcome for Outlook.  
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 35175352
I'm curious as to why in March of 2011 you are installing software that is 7-8 years old, when at least 2 new versions of SBS have been released since the version you are installing.

If you have removed ISA and your external nic has a public IP Address, your server is completely exposed to the internet.

I tried again this morning...I still cannot ping your IP address on the external nic nor can I telnet to your server's public IP on port 25 which means mail is not getting through.

I think there is still some confusion in the way the Netopia is supposed to be working.  Please confirm with ATT that the Netopia device is working as a true router, rather than as a "bridge" or gateway device.

If it's acting as a router...you must configure its WAN and LAN interfaces.   The WAN side would typically be configured with your public IP and the LAN side would typically be configured with a private IP scheme such as 192.168.X.X (but must be different from the IP schema on your Internal NIC).

If it's simply a gateway device, it would have the IP address of your gateway, and your second nic would have your public IP, and we should be able to telnet to your public IP on all ports because gateway devices don't block any ports.
0
 
LVL 1

Author Comment

by:OLY8892
ID: 35176651
Not my choice for SBS2003, that is what was there.  The hard drive failed and the last config was not a complete install.  It had many problems, to start could not install Server Management, only used one nic and the list went on.

Still can't ping the server but can RDP.  Have to setup the domain name.  I used remote.bejedesign.com.  They didn't have bejedesigns.com available, I hope that doesn't matter because bejedesigns.local is the network.
0
 
LVL 35

Accepted Solution

by:
Cris Hanna earned 500 total points
ID: 35177066
Actually, 1 nic with hardware router and firewall was preferred on SBS 2003, but dual nic with ISA was supported.

I think you may have set the domain up incorrectly.   The domain should have been bejedesign.com, then created an A or Host record for remote pointing to the public IP

remote.bejedesign.com now points to 67.18.96.45

My recommendation at this point
a) get your domain name issue fixed
b) purchase a simple netgear/linksys router
c) configure the lan side of the router with IP 192.168.1.1 - DHCP turned off
d) configure the WAN side of the router with :

   IP Address. . . . . . . . . . . . : 74.164.103.98
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 74.164.103.97
   DNS 1:   208.67.222.222 (OPENDNS)
   DNS 2:   208.67.220.220 (OPENDNS)

You may also need to configure PPPoE on the router (check with the ISP if not sure)

Edit Port Forwarding
Port 25 to IP 192.168.1.200
Port 443 to IP 192.168.1.200
Port 444 to IP 192.168.1.200
Port 4125 to IP 192.168.1.200
Port 3389 to IP 192.168.1.200

Run a cable from the LAN side of the router to the switch
Edit your LAN NIC property settings to modify the Gateway  ENTER 192.168.1.1
REBOOT

Then run the CEICW
Choose Broadband Connection
Choose direct connection to the internet
Confirm all Network settings
Select all websites to be open on the firewall
Finish up the wizard as needed

You should be all set at this point

0
 
LVL 1

Author Comment

by:OLY8892
ID: 35177743
The domain name is "bejedesign.com"
On the server page I entered remote.bejedesign.com
Have not Created Host A record yet.  I am going to look at it now.
What I did with the current config:
a) got domain name bejedesign.com
b) Set up Netopia router - DHCP turned off
c) configure the lan side of the router with IP 192.168.1.xxx - DHCP turned on
d) configure the WAN side of the router with :

   IP Address. . . . . . . . . . . . : 74.164.103.98
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 74.164.103.97
   DNS 1:   SBS Server IP
   DNS 2:   blank

Netopia Router
Edited Port Forwarding
Port 25 to WAN Interface IP
Port 443 to WAN Interface IP
Port 444 udp to WAN Interface IP
Port 4125 tcp to WAN Interface IP

Run a cable from the SBS Server LAN Interface to the switch

LAN NIC
Static IP "SBS Server IP"
DNS "SBS Server IP"
0
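Added example, not part of either post above: a small Python check that compares a router's port-forwarding table with the one given in the accepted answer and reports entries that are missing, not TCP, or not aimed at the server's LAN address. Assumptions of this example: all five ports are treated as TCP, the asker's "WAN Interface IP" is read as 74.164.103.98, and the function name and finding labels are hypothetical.

```python
import ipaddress

# Ports the accepted answer forwards to the server. Treating all five as TCP
# is an assumption of this example; the thread names a protocol only for 444 and 4125.
REQUIRED_TCP_PORTS = (25, 443, 444, 4125, 3389)


def audit_forwards(rules, lan_cidr, server_ip):
    """Return a sorted list of (port, problem) for a port-forwarding table.

    rules: iterable of (port, protocol, target_ip) tuples.
    """
    lan = ipaddress.ip_network(lan_cidr)
    server = ipaddress.ip_address(server_ip)
    by_port = {}
    for port, proto, target in rules:
        by_port.setdefault(port, []).append((proto.lower(), ipaddress.ip_address(target)))

    findings = []
    for port in REQUIRED_TCP_PORTS:
        entries = by_port.get(port)
        if not entries:
            findings.append((port, "missing"))
            continue
        if not any(proto == "tcp" for proto, _ in entries):
            findings.append((port, "not-tcp"))
        for _, target in entries:
            if target not in lan:
                # Forward points at an address outside the internal subnet.
                findings.append((port, "target-outside-lan"))
            elif target != server:
                findings.append((port, "wrong-lan-host"))
    return sorted(set(findings))


# Constructed sample tables: the accepted answer's forwards, and the asker's
# Netopia forwards with unstated protocols assumed to be TCP.
ACCEPTED = [(p, "tcp", "192.168.1.200") for p in REQUIRED_TCP_PORTS]
ASKER = [
    (25, "tcp", "74.164.103.98"),
    (443, "tcp", "74.164.103.98"),
    (444, "udp", "74.164.103.98"),
    (4125, "tcp", "74.164.103.98"),
]

if __name__ == "__main__":
    for name, table in (("accepted answer", ACCEPTED), ("asker's router", ASKER)):
        print(name, audit_forwards(table, "192.168.1.0/24", "192.168.1.200"))
```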
 
LVL 1

Author Comment

by:OLY8892
ID: 35185690
Well I am almost there.  I have RWW working but only from the ip.  If I put Servername/remote page does not resolve.

I can't figure out how to set up the ptr/forward for ip to the  Servername.  I have searched but I am just not getting it.

This is what I added in dnsmgmt - Under Forward Lookup Domain
Name-Remote  Type -Alias (CNAME) Data-zeus.bejedesign.com

In Server properties  I put the public IP in the tab Interfaces.

I can't figure out how to add the ptr for the public ip to remote.

Can I have 2 host A records for the Server one local and one public?  I didn't want to break it since it's kind of working.
0
 
LVL 1

Author Closing Comment

by:OLY8892
ID: 35186048
I changed the configuration.  But used it as an example.  We got it working!!

Thanks for all the help!!
0
