Can't Access Remote Web Workplace from Outside Network

I can't access the RWW from outside the network.  It works fine from inside the network.  I'm using ISA and have dual nic's one facing out other to network.  Static ip on server, ports open on router.  I am not sure how to configure the server to allow access, but I thought the wizard did that (to do list).  
Not sure how to create web certificate either.
Please I need help.

Netstat -n Results
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP          CLOSE_WAIT
  TCP          CLOSE_WAIT
  TCP          CLOSE_WAIT
  TCP          CLOSE_WAIT

Larry Struckmeyer (MVP) Commented:
Please confirm the version of SBS.  From your description of ISA, I can guess SBS 2003 premium, but confirmation would be nice.

If you have forwarded requests from the public IP of the router to the "external" nic of the SBS (the one on the same subnet as the router) for ports 25, 443, 444, 4125, and run the CEICW, you should be able to access from a remote station.

What errors show up when you try?
OLY8892 (Author) Commented:
SBS 2003r2 sp2

IE just says page can't be displayed.  I don't have CA set up.

I don't get the Web Services Configuration page any more. I was sure I selected RWW and OWA then left the certificate box blank and would go back and do it later as it said, "if you don't have configure later." I configured VPN but don't have a web cert.
Now I don't have an option to Create a new Web server certificate.  How can I create it without using CEICW?  I want to setup RWW.

I don't want to mess with any of the current setting so I selected keep same settings.  Do I need to reset everything in order to access the Web Services Config Page?

Fresh install of SBS 2003r2 on Dell PowerEdge 2900.  Previous Hard drive failed no backup config.
Current Config:
2 Nic
1 facing router 1 facing Network through switch
Internetwork working fine, host able to get out and communicate.
Netopia router connected to Server nic running DHCP /29
Server IP
Windows IP Configuration

   Host Name . . . . . . . . . . . . : zeus
   Primary Dns Suffix  . . . . . . . : BejeDesigns.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : BejeDesigns.local

Ethernet adapter Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
 VBD Client)
   Physical Address. . . . . . . . . : 00-24-E8-4D-4F-02
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . :
   Primary WINS Server . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Server Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
 VBD Client) #2
   Physical Address. . . . . . . . . : 00-24-E8-4D-4F-04
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . :
   Primary WINS Server . . . . . . . :
OLY8892 (Author) Commented:
Here are the htm files from the 3 times I ran CEICW.
Also the SBS-BPA.

OLY8892 (Author) Commented:
Confirmed with ATT that the ports 25, 443, 444, 4125 are open and UPnP is enabled.
Currently the Netopia is the DHCP server.  I can change this and make the Server handle the dhcp if that is needed.  Then run the CEICW again not retaining any config and resetting the network config.
You should also use a trusted certificate.  You can get a 3 year cert from GoDaddy for only $38 if you use promo code PROMOSSL at checkout.  That will save you over $100 on the cost of the certificate.
Cris Hanna (Sr IT Support Engineer) Commented:
DHCP should be handled by the SBS Server..not the DSL router
I can ping your DSL router, but cannot ping the IP of your external NIC

Is this a brand new install?
OLY8892 (Author) Commented:
Yes this is a new install.  
I told the ATT tech that I wanted to disable DHCP on the Netopia and use the Server.  He said it was not recommended, but I wanted to see if I could get it working the way it's currently set up.

The internetwork is working just fine.  All the hosts can get out and communicate on the network.  I did have some problems with the Vista box.  The connectcomputer has known issues and would not run to add the box to the network.  So I just hit cancel and it's working fine.

I will disable DHCP on the router and run CEICW from the start.  

I have one question, What do I enter into the Web Server Certificate page, for the fully qualified domain name (FQDN) ZEUS.bejedesigns.local or  ZEUS is the SBS Server.

OLY8892 (Author) Commented:
Able to see router from Web page and ping.
But that's as far as I can get.
Just a quick note. ISA server has been removed from SBS 2008 and higher. If you intend to continue with SBS and don't want to purchase an ISA separately, I suggest investing in a good hardware firewall now. In my opinion you're just delaying the inevitable.
Typically with SBS you would use, at least that is what SBS 2008 will default to.  Then you would need to ensure you have a matching host record in public DNS that points to your public IP.  You would also want to get RDNS configured to resolve the IP to the name on the cert.
OLY8892 (Author) Commented:
I will get things set up in the morning, well later.  Then report back.
CEICW sets up the DNS and RDNS I believe but I will check it after I run it.
Let's see if it works.
Larry Struckmeyer (MVP) Commented:
Some ideas that come to mind:

SBS really should be the DHCP server for your network, and the clients should be dhcp enabled, not static.  First line support for ISPs are (usually) idiots.

Your public IP should be static, which would imply business class, not residential class, service.

If email is flowing to the exchange server, you already have a cert for SBS 2003, although you will have to add it to the cert store on the remote clients.  It is whatever the email uses for its MX record, usually "".  In any case, for a remote browser to find your router, and hence your RWW web site, you must have a public dns record that "points" to the ip of the router.  With SBS 2003 this is easily done using the same name as the MX record, assuming you are having your mail sent directly to your local ip.  If not, you will need another public DNS record, and is as good as any, but you could have if you wanted.

When you run the CEICW you use whatever public DNS record you have setup that points to the IP of your edge device when the wiz asks for it, and check the boxes for the services you want to be available.
OLY8892 (Author) Commented:
Contacting ISP now.  I have public IP's /29 and have the static set on the Server.  I will have Server handle DHCP.
I was trying to set up pop3 (Yahoo) for email.  But it's not working, the only I received was the welcome for Outlook.  
Cris Hanna (Sr IT Support Engineer) Commented:
I'm curious as to why in March of 2011 you are installing software that is 7-8 years old, when at least 2 new versions of SBS have been released since the version you are installing.

If you have removed ISA and your external nic has a public IP Address, your server is completely exposed to the internet.

I tried again this morning...I still cannot ping your IP address on the external nic nor can I telnet to your servers public IP on port 25 which means mail is not getting through.

I think there is still some confusion in the way the Netopia is supposed to be working.  Please confirm with ATT that the Netopia device is working as a true router, rather than as a "bridge" or gateway device.

If it's acting as a must configure its WAN and LAN interfaces.   The WAN side would typically be configured with your public IP and the LAN side would typically be configured with a private IP scheme such as 192.168.X.X (but must be different from the IP schema on your Internal NIC).

If it's simply a gateway device, it would have the IP address of your gateway, and your second nic would have your public IP, and we should be able to telnet to your public IP on all ports because gateway devices don't block any ports.
OLY8892 (Author) Commented:
Not my choice for SBS2003, that is what was there.  The hard drive failed and the last config was not a complete install.  It had many problems, to start could not install Server Management, only used one nic and the list went on.

Still can't ping the server but can RDP.  Have to setup the domain name.  I used  They didn't have available, I hope that doesn't matter because bejedesigns.local is the network.
Cris Hanna (Sr IT Support Engineer) Commented:
Actually, 1 nic with hardware router and firewall was preferred on SBS 2003, but dual nic with ISA was supported.

I think you may have set the domain up incorrectly.   The domain should have been, then created an A or Host record for remote pointing to the public IP now points to

My recommendation at this point
a) get your domain name issue fixed
b) purchase a simple netgear/linksys router
c) configure the lan side of the router with IP - DHCP turned off
d) configure the WAN side of the router with :

   IP Address. . . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :

You may also need to configure PPPoE on the router (check with the ISP if not sure)

Edit Port Forwarding
Port 25 to IP
Port 443 to IP
Port 444 to IP
Port 4125 to IP to IP
Port 3389 to IP

Run a cable from the LAN side of the router to the switch
Edit your LAN NIC property settings to modify the Gateway  ENTER

Then run the CEICW
Choose Broadband Connection
Choose direct connection to the internet
Confirm all Network settings
Select all websites to be open on the firewall
Finish up the wizard as needed

You should be all set at this point
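
An added example, not part of the original thread: a small Python check, run from a machine outside the LAN, that tells apart the failure modes discussed above (forward works, forward lands on a host with no listener, packets dropped). The port list is the one forwarded in this post; the function names, state labels and advice strings are assumptions made for this illustration.

```python
import socket
import sys

# Ports the thread forwards from the router to the SBS 2003 server.
SBS_PORTS = {
    25: "SMTP (Exchange)",
    443: "HTTPS (RWW, OWA)",
    444: "HTTPS (companyweb)",
    4125: "RWW remote desktop proxy",
    3389: "RDP",
}

# Hypothetical state labels mapped to what to check next.
ADVICE = {
    "open": "forward and listening service both work",
    "refused": "a host answered but nothing listens there: check the forward "
               "target IP and the services selected in the CEICW",
    "no-response": "packets dropped: check the router forward, the ISP, and "
                   "the firewall on the external NIC",
    "unreachable": "no route or name lookup failed: check the public DNS record",
}

def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:   # a RST came back
        return "refused"
    except socket.timeout:           # nothing came back at all
        return "no-response"
    except OSError:                  # includes DNS failures (socket.gaierror)
        return "unreachable"

def check_forwards(host, ports=SBS_PORTS, timeout=3.0):
    """Return {port: state} for every forwarded port."""
    return {port: probe(host, port, timeout) for port in ports}

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python check_forwards.py <public-ip-or-name>")
    for port, state in check_forwards(sys.argv[1]).items():
        print(f"{port:>5} {SBS_PORTS[port]:<26} {state:<12} {ADVICE[state]}")
```

Running it once against the public IP and once against the public DNS name separates a port-forwarding problem from a name-resolution problem.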

OLY8892 (Author) Commented:
The domain name is ""
On the server page I entered
Have not Created Host A record yet.  I am going to look at it now.
What I did with the current config:
a) got domain name
b) Set up Netopia router - DHCP turned off
c) configure the lan side of the router with IP - DHCP turned on
d) configure the WAN side of the router with :

   IP Address. . . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :
   DNS 1:   SBS Server IP
   DNS 2:   blank

Netopia Router
Edited Port Forwarding
Port 25 to WAN Interface IP
Port 443 to WAN Interface IP
Port 444 udp to WAN Interface IP
Port 4125 tcp to WAN Interface IP

Run a cable from the SBS Server LAN Interface to the switch

Static IP "SBS Server IP"
DNS "SBS Server IP
OLY8892 (Author) Commented:
Well I am almost there.  I have RWW working but only from the ip.  If I put Servername/remote page does not resolve.

I can't figure out how to set up the ptr/forward for ip to the  Servername.  I have searched but I am just not getting it.

This is what I added in dnsmgmt - Under Forward Lookup Domain
Name - Remote  Type - Alias (CNAME)

In Server properties  I put the public IP in the tab Interfaces.

I can't figure out how to add the ptr for the public ip to remote.

Can I have 2 host A records for the Server one local and one public?  I didn't want to break it since it's kind of working.
OLY8892 (Author) Commented:
I changed the configuration.  But used it as an example.  We got it working!!

Thanks for all the help!!