Question : SBS 2003 Remote Web Workplace - File Transfer
I have a client who is wanting to do some file transfers while away from the office. They currently utilize a single SBS 2003 server for email and everything else. I am curious if the Remote Web Workplace feature would allow for this. My question is what experience have you all had with this feature in similar situations... is Remote Web Workplace secured via SSL?
Answer : SBS 2003 Remote Web Workplace - File Transfer
Hi,
Yes... using RWW is very secure, and possibly more secure than using a VPN connection. You wanted to know how secure RWW was and I'm comparing to a VPN connection.
Remote web workplace is a port 443 connection and then it dynamically opens up port 4125. VPN opens up a tunnel back to your entire network.
Thus in comparing two types of remote connection to your firm, I would argue that 443 protects your inner "goo" of the network better than a VPN connection.
How secure is RWW? Do you use passphrases instead of passwords? I would argue that I would recommend in ALL cases to only use your own laptop or computers for remote access and never kiosks at Kinkos as a case in NYC had a guy with a keystroke logger get usernames and passwords.
Is RWW secure? Like anything, if it's part of a process where you
- Patch your server
- Ensure the firewall is only open for what you need
- Antivirus is installed
- Passphrases instead of passwords and change them on a regular basis
Then we do just fine.
Is it "secure"? It's an open port, it is a risk, but it's one that they've put in place processes and procedures to ensure that it's less risky than other things.
I had to just say "yes, it's secure". If you didn't patch your server, no it's not. If you ran with no antivirus, no that's not secure. If you used dumb or blank passwords, no that's not secure either. I can't just look at the one mechanism and say "oh, yes it's absolutely secure!". If you put the password of admin on your Administrator account, no... it's not secure at all.
To configure ''Default Web Site'' to use SSL:
1) Bring up IIS Management console by running inetmgr.
2) Locate and right click ''Default Web Site'' to choose Properties.
3) Switch to the ''Directory Security'' tab, and then click ''Server Certificate''.
4) Next, choose ''Assign an existing certificate'', Next, choose ''publishing.'', Next, 443, Next, Finish.
5) Click ''Edit'' (which is below ''View Certificate''), and then enable the option ''Require secure channel (SSL)''.
6) Stop and Restart ''Default Web Site''.
If the problem still persists, to perform further research, please follow the steps below to turn off the friendly error messages and post the detailed message.
1. Make a copy of Inetpub\Remote\Web.config for backup purpose.
2. Open Web.config with Notepad
3. Replace with
4. Save the file.
5. Go to command prompt, type "iisreset"
6. Logon to RWW using the administrator account, and also try it using a regular user account.
7. You should receive a more detailed error message. Please attach the detailed error message to the newsgroup so that I can better understand this issue.
8. Replace Web.config with the original one and iisreset when testing is done.
I. Please check the IIS website configuration for Companyweb and RWW. (From :Jenny wu)
For Companyweb:
1. Open IIS snap-in.
2. Right click Companyweb and click Properties.
3. Click Directory Security tab.
4. Click Edit under "Authentication and access control".
5. Make sure that only the "Enable anonymous access" has been checked.
6. Click Edit under "IP address and domain name restriction".
7. Make sure that "Granted access" has been selected.
8. Click Edit under "Secure communications".
9. Make sure that "Require secure channel (SSL)" has not been checked.
For RWW:
1. Open IIS snap-in.
2. Go to Default Web Site/Remote.
3. Right click Remote and click Properties.
4. Click Directory Security tab.
5. Click Edit under "Authentication and access control".
6. Make sure that only the "Enable anonymous access" and "Integrated Windows Authentication" have been checked.
7. Click Edit under "IP address and domain name restriction".
8. Make sure that "Granted access" has been selected.
9. Click Edit under "Secure communications".
10. Make sure that "Require secure channel (SSL)" and "Require 128-bit encryption" have been checked.
For RWW, please also check the following settings:
1. Open ADU&C.
2. Go to Domain.local/MyBusiness/Users/SBSUsers.
3. In the right pane, right click the problematic user and click Properties.
4. Click Member Of tab.
5. Make sure that the "Remote Web Workplace Users" group is in the list.
If the settings are not configured as above, try to change it and restart IIS to test, how is the result?
II. If we want the Companyweb site and RWW site to be accessible from the internet, we need to publish them to the internet. Please refer to the following steps to publish the Companyweb site and RWW site to the internet via CEICW.
*Note: If you have installed any hardware firewall or router outside the network, you need to manually open the related ports (4125, 443, 444) on the hardware firewall or router. If you are not sure how to open these ports, please consult your hardware vendor for support.
1. Expand Standard Management | To Do List.
2. Click Connect to the Internet in the right pane.
3. Navigate the wizard to Firewall and then select Enable firewall. In the next page, make sure the services you want to publish are checked in the services configuration page.
4. Click Next and then select Allow access to the following web site services from the internet.
5. Make sure Windows Sharepoint Services Intranet site and Remote Web Workspace (RWW) are selected and click Next.
6. Click Create a new Web services certificate (input your FQDN as the web server certificate) and then click Next.
7. Follow the wizard to finish it.
It is recommended you take a look at the following KB article to get detail steps to configure network connection:
How to configure Internet access in Windows Small Business Server 2003 http://support.microsoft.com/?id=825763
And then, if you have installed any hardware firewall or router outside the network, please manually open the related ports (4125, 443, 444) on the hardware firewall or router.
Then please try to access them to see if the issue is fixed.
Additionally, it is not recommended we open too many ports in the router since it is very insecure to our network. Generally, we open the ports we needed to allow some specific traffic. You can refer to the following list:
TCP port | Definition
25 | Email (SMTP)
80 | required for HTTP requests for your site
443 | required for HTTPS requests using SSL, which secures communications from your server and a Web browser
444 | Companyweb
4125 | Remote Web Workplace
1723 (plus GRE Protocol 47) | VPN
3389 | Terminal Services
21 | FTP
If the issue still persists, please help to gather the following information so that we can isolate the problem:
1. When you try to access the Companyweb site from LAN, what is the error you got? Please tell me the accurate error message. Is the error message the same as the message when you try to access the Companyweb site from internet?
2. Can you access the Companyweb site on the server box using URL such as: http://companyweb, http://servername/companyweb, or http://IP/companyweb? Please try to test respectively using these URL and tell me the result.
3. Can all client computers access internet successfully? Can they access other built-in web site such as RWW (https://publicFQDN/remote or https://IP/remote)?
4. Have you installed ISA on the server box? What is the version? Have you installed any hardware firewall or router outside the network?
5. Do you have a clean installation of SBS 2003 server box? What did you do before the issue happened?
When you attempt to connect to a LAN client from the RWW, the following conditions must be satisfied for the connection to be successful:
1. You must have connectivity to the RWW on the server.
2. The client machines on the LAN to which you wish to connect must be running.
3. The client machines on the LAN to which you wish to connect must be running one of the following:
   a. Windows XP Pro configured to allow remote desktop connections.
   b. Windows 2000 servers running Terminal Server
   c. Windows 2003 Servers configured to allow remote desktop connections
   d. Windows 2003 Servers running Terminal Server in Application Server Mode.
The articles below provide additional information:
Changes to the Terminal Services Installation in Windows Server 2003 http://support.microsoft.com/?id=278513
How to Use the Remote Desktop Feature of Windows XP Professional http://support.microsoft.com/?id=315328
HOW TO: Install Terminal Services in Remote Administration Mode in http://support.microsoft.com/?id=306624
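The Companyweb and RWW checkbox lists in the answer above can also be checked from the numeric AuthFlags and AccessSSLFlags values stored in the IIS 6 metabase instead of clicking through each dialog. The following is an added example, not part of the original answer or any Microsoft tool; it assumes the two values for each site have already been read from the metabase (for example with the adsutil.vbs admin script), and the site keys, function names and sample readings are constructed for illustration.

```python
# Added example: audit IIS 6 metabase flag values against the checklist above.
# Bit values are the IIS 6 metabase constants for AuthFlags and AccessSSLFlags;
# the friendly names and the sample readings below are constructed.
AUTH = {"Anonymous": 0x1, "Basic": 0x2, "IntegratedWindows": 0x4,
        "Digest": 0x10, "Passport": 0x40}
SSL = {"RequireSSL": 0x8, "NegotiateCert": 0x20, "RequireCert": 0x40,
       "MapCert": 0x80, "Require128": 0x100}

# Expected state per the checklist: (auth methods that must be the only ones
# enabled, SSL bits that must be set, SSL bits that must be clear).
EXPECTED = {
    "Companyweb": ({"Anonymous"}, set(), {"RequireSSL"}),
    "Remote": ({"Anonymous", "IntegratedWindows"},
               {"RequireSSL", "Require128"}, set()),
}

def decode(value, table):
    """Return the set of flag names whose bit is set in value."""
    return {name for name, bit in table.items() if value & bit}

def audit(site, auth_flags, ssl_flags):
    """Compare one site's numeric flags with the checklist; return findings."""
    want_auth, must_set, must_clear = EXPECTED[site]
    auth, ssl = decode(auth_flags, AUTH), decode(ssl_flags, SSL)
    findings = []
    for name in sorted(auth - want_auth):
        findings.append(f"{site}: unexpected authentication method {name}")
    for name in sorted(want_auth - auth):
        findings.append(f"{site}: authentication method {name} is not enabled")
    for name in sorted(must_set - ssl):
        findings.append(f"{site}: {name} is not enforced")
    for name in sorted(must_clear & ssl):
        findings.append(f"{site}: {name} is set but should be clear")
    return findings

# Constructed readings: Remote has lost "Require secure channel (SSL)" and has
# Basic authentication enabled, so logons could cross the wire unencrypted.
SAMPLE = {"Companyweb": (0x1, 0x0), "Remote": (0x1 | 0x2 | 0x4, 0x100)}

def run(sample=SAMPLE):
    """Audit every site in sample and return all findings in order."""
    return [f for site, (a, s) in sample.items() for f in audit(site, a, s)]

if __name__ == "__main__":
    for line in run() or ["all sites match the checklist"]:
        print(line)
```

A Remote reading of AuthFlags 5 and AccessSSLFlags 264 corresponds to the state the checklist asks for and produces no findings.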