[Today's post comes to us courtesy of Shawn Sullivan and Moloy Tandon]
Just as it was in SBS 2003, Remote Web Workplace (RWW) is an integral component in the SBS feature set for 2008. Its purpose is to provide a secure centralized web portal for employees and administrators to access network resources. Users can perform the following actions when logged in:
- Check their E-mail.
- Access the Internal Web Site (CompanyWeb).
- Connect to a computer through RDP (only network admins can connect to the SBS server)
- Change their domain password
- Access help and configuration information for RWW
- Access customized corporate links (more information available at: http://technet.microsoft.com/en-us/library/cc527586.aspx )
RWW is installed on the server during SBS Setup, but is not fully configured for Internet access until you complete the “Internet Address Management Wizard” (IAMW). Note: If you are using a 3 rd party SSL certificate, you must complete the “Add A Trusted Certificate Wizard” also. It is installed as the remote virtual directory under the SBS Web Applications site, which accepts SSL connections on port 443. By default, the IAMW will add the prefix “remote” to your chosen domain name to distinguish the SBS 2008 in your web presence as the remote user portal. In this case, if you chose contoso.com as your domain name, you would access RWW using “https://remote.contoso.com”.
For full access to the RWW feature set from the Internet, you must ensure the following:
- TCP 443 and TCP 987 (For SharePoint) are open on your Internet firewall.
- Clients are running Internet Explorer 6.0 SP2 or higher
- The RDP 6.1 client or higher is installed on the client machine
- The client must trust the SSL certificate that is installed on the SBS Web Applications site
- The client must connect using the URL that matches the common name on the certificate.
From a centralized location, users can launch OWA, connect to an authorized computer, launch CompanyWeb, change their password, and access the built-in corporate links (help for RWW and Outlook Anywhere) or customized links (these links are shared with the Vista Desktop Gadget).
Administrators and users are presented with the same features upon login to the homepage, with the following exceptions:
- Users are not offered the “Connect to Server” option. Only network administrators can connect to the SBS server.
- Users are not presented with the “Administration” links
From the SBS 2008 console, you can perform a variety of management tasks for the website itself. You can access this under “Shared Folders and Web Sites”. The various tasks you can perform include:
- Enabling or disabling the website
- Browse the website (opens in IE using https)
- Add or remove users permissions to login to RWW
- Enable or disable RWW homepage links (OWA, Connect to Computer, Internal Website, Change Password, Connect to Server, Help, and Remote Web Workplace Link List)
- Manage Organizational and Administrative links that are displayed upon user login. Here you can enable/disable them, change permissions (who can see them), remove them or add new ones, or change their titles
As it did in SBS 2003, RWW uses forms based authentication, which stores the encrypted credentials from the user’s initial login as a cookie in the web browser. This cookie is used to authenticate further connections to restricted resources inside RWW, such as OWA and CompanyWeb. Only members of the Windows SBS Remote Web Workplace Users security group are allowed to login to RWW. To modify membership for this group, use the SBS 2008 Console:
User Account Properties for RWW Login Rights
When OWA and CompanyWeb are launched in RWW, your browser is connected to either https:// remote.domain.com /owa or https:// remote.domain.com :987 respectively; where remote.domain.com is the domain name that you have configured in the IAMW . By default, they open in their own restricted Window with no address or navigation bar, preventing you from navigating to a different site in the same window. You can override this (only in IE 7) on the client machine by opening Tools > Internet Options > General > Tabs > Settings and allowing pop-ups to be opened in a new tab:
When a user clicks “Connect to a computer”, they are presented with a list of computers in which they are authorized to connect to and set as their default. Once they choose a default computer, they will no longer be presented with a list and will connect automatically to their chosen machine. Note: If the user is authorized to only a single machine, a list is not shown and instead will be directly connected to their authorized machine. This is meant to give the Administrator greater control over what machines their users can connect to. This information is defined both on the user account and computer account properties from the SBS 2008 console:
Computer account properties:
Once “Can log on remotely to this computer” is checked, the next group policy refresh will add the user account to the “Remote Desktop Users” local group on the machine. Note: Administrators automatically have the right to remotely connect to any machine in the domain.
If you have installed Terminal servers in your domain, you can run into a problem where they will not show up in the list of computers to connect to for standard users. To override this behavior to display all computers in the domain, perform the following:
- To open the Registry Editor, click Start, click Run, type regedit in the text box, and then press ENTER.
- Browse to HKEY_LOCAL_MACHINE\Software\Microsoft\SmallBusinessServer.
- Right-click SmallBusinessServer, click New, and then click Key.
- Name the key BusinessProductivity.
- Right-click BusinessProductivity, click New, and then click DWORD (32-bit) Value.
- Name the new value ShowAllComputers.
- Right-click ShowAllComputers, type 1 in the Value data text box, and then click OK.
RWW in SBS 2008 leverages the TSGateway service that is running on the SBS server to perform the remote desktop connection to the chosen machine. Like RWW, TSGateway is fully enabled when the IAMW is completed (“Add a Trusted Certificate” must also be completed if you are using a 3 rd party SSL certificate). This allows remote desktop connections to your domain-joined machines through port 443. This is different from RWW in SBS 2003, where you had to open port 4125 through your firewall.
The following screenshot shows what an RDP connection to TSGateway looks like. We can see that the “Gateway server” field is populated with the URL of the server, which is resolvable both externally and internally in DNS. The “Remote computer” field is populated with the internal machine name of the computer that we are connecting to:
You can, in fact, configure the RDP 6.1 client or higher to connect directly through TSGateway without having to first login to RWW. The only difference between this and connecting through RWW is that RWW does this for you automatically. Click on “Options” > select the “Advanced” tab > and click on “Settings” under “Connect from Anywhere” to display the TSGateway configuration settings:
Enter in the URL for the SBS 2008 server (which you configured during the IAMW)
Finally, on the “General” tab, enter the internal machine name of the computer you wish to connect to:
If you are having issues connecting to RWW or TSGateway, visit the following posts:
- http://blogs.technet.com/sbs/archive/2008/10/03/receiving-certificate-errors-when-connecting-t...
- http://blogs.technet.com/sbs/archive/2009/06/19/common-remote-web-workplace-rww-connect-to-a-c...
For non domain-joined machines and mobile devices, you must install the certificate distribution package for proper web access to the server (if you are not using a trusted 3 rd party SSL certificate):