RWW under the hood in SBS 2003

Good evening folks – been a crazy busy day but I am honoring my commitment to post up several pages per day from my Windows Small Business Server 2003 Best Practices book (the purple book). I really like the part of Chapter 8 where we debunk, prove and otherwise party on with Remote Web Workplace.

Looking forward to SBS 2008 and more madness!

cheers…harrybbbb

Harry Brelsford, ceo at smb nation, www.smbnation.com

Microsoft Small Business Specialist, MBA, MCSE, CNE, MCT, MCP, CLSE and CNP – whew – I am tired!

ps – funky groovy fall conference is less than 60-days away in Seattle!

###

Under the Hood: RWW Architecture

Specialists like specialists in the professional world, perhaps because there is an element of mutual respect. So when this SBS specialist (yours truly) needed some help digging deeper into this subject area, I went to fellow SBS 2003 hands-on lab instructor Beatrice Mulzer from Florida. Beatrice is an RWW nicher and provided the screen shots in this section, which give a glimpse of how things work under the hood with RWW.

First off, it helps to see a Visio diagram that outlines the RWW architectural experience. This is shown in Figure 8-10.

 Visit http://www.smbnation.com for additional SMB and SBS book, newsletter and conference resources.

Figure 8-10

This diagram outlines the RWW mechanics.

Now for the step-by-step figures that bring definition to the chart above.


 Visit http://www.microsoft.com/technet for the latest updates for any Microsoft product.

Figure 8-11

Initial connection to SBS 2003 external Web page over port 80. Note HTTP in the Address field of Internet Explorer.

BEST PRACTICE: Note that the above figure (Figure 8-11) assumes you have selected the Business Web option on the Web Services Configuration page in the EICW. We did NOT do this back in Chapter 4 for the purposes of SPRINGERS. But please heed this advice, as imparted to me by the Microsoft program manager who owns this area. IN THE REAL WORLD, Microsoft discourages you from opening port 80 in the EICW via the Business Web selection. Instead, they prefer that external users type the RWW address as the FQDN followed by /remote (e.g., springers1.springersltd.com/remote). Requesting the /remote path causes the external connection to be made over HTTPS on port 443 rather than HTTP on port 80.

Another real worldism for NOT opening port 80 if you can help it: besides exposing your IIS root to the world (and to Web search engine crawling), you also expose RWW to Web search engine crawling. This is something you probably don’t want to do, as it might be the source of future vulnerabilities and attacks (as of this writing, this hasn’t been exploited). A really interesting exercise to see this in action is to go to Google, search on the terms “remote web workplace” and view the results. You’ll see pages of hits returned with Remote Web Workplace highlighted. These are SBS 2003 sites that have opened port 80 (again, likely via the Business Web selection on the Web Services Configuration page in the EICW). It is stunning how many RWW sites you’ll see.

Finally, if you must have port 80 open because you really do host a business Web site and you’ve accepted the risks, then please consider using a robots.txt file to restrict Web search engine crawling. Details on robots.txt at http://www.robotstxt.org/wc/robots.html and in Chapter 10.


Figure 8-12

Approving the security certificate (SSL) pop-up to log on to Remote Web Workplace (this process started by selecting the Remote Web Workplace link). Note the port switch from port 80 to port 443. This would be the case when you’ve published your root page via the Business Web selection on Web Services Configuration in the EICW.

Figure 8-13

The SSL pop-up was approved and the RWW logon dialog box appears. Session traffic is over port 443 and the HTTP protocol has switched to HTTPS at this point.


Figure 8-14

An RWW session underway with HTTPS and port 443.

BEST PRACTICE: Did you look closely at the above figure and see the entry titled “View Server Usage Report”? How did that appear? If you have run the Monitoring Configuration Wizard (which you will do in Chapter 12) and the user (in this case Beatrice) has permission to view the server usage reports, this option will appear on the RWW page.


Figure 8-15

Internally accessing the WSS Home page (Intranet) over port 443 under RWW. Protocol is HTTPS. Note that external access to WSS is over 444 (which isn’t being depicted in this figure).


Figure 8-16

When you click the Connect to my computer at work button, port 4125 is used for the Remote Desktop session traffic (note that port 4125 doesn’t become active and listen until you click this button; up to that point, listening occurs only on port 443). This is in addition to port 443, which remains open (ports 4125 and 443 are simultaneously open under this scenario). At this juncture, some background voodoo is performed by SBS to authenticate you and prove you are who you say you are (that’s about as well as I can explain it in this introductory text).

BEST PRACTICE: A common question in the Fall 2003 SBS hands-on labs related to which ports on a hardware-based firewall/router needed to be opened to allow RWW traffic through. RWW uses the following ports for its entire experience: 443, 444, 4125. Port 80 would be used if you published the root page (not recommended). And by the way, the other SBS-related port you’ll need open is 1723 (VPN, which I discuss more later).

By the way, you can see the port 4125 setting for RWW in the Registry at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SmallBusinessServer\RemoteUserPortal

Look at the Port key, where the REG_DWORD value is 4125.
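As an added example (my own script, not code from the book or from Microsoft), the following Python audit ties the two points above together: it reads the RWW Remote Desktop proxy port out of a .reg export of the RemoteUserPortal key named above (a constructed sample export is embedded; regedit writes DWORDs as eight hex digits, and 0x0000101d is 4125), then probes a host for the port set the chapter lists (443, 444, 4125, plus 1723 for VPN) and classifies each one, flagging port 80 as discouraged. The host name sbs.example.com is a placeholder; run it against your own server’s external FQDN from outside the firewall to confirm that only the intended ports answer.

```python
"""Audit which Remote Web Workplace ports an SBS 2003 server exposes.

Added example, not code from the book. It reads the RWW Remote Desktop
proxy port from a .reg export of the RemoteUserPortal key and then probes a
host for the RWW port set, classifying each port as expected, discouraged
(port 80) or closed.
"""
import re
import socket

# Ports the chapter lists for the full RWW experience, plus 1723 for VPN.
RWW_PORTS = {443, 444, 4125}
VPN_PORT = 1723
# Port 80 is only needed if you publish the root page (not recommended).
DISCOURAGED_PORTS = {80}

RWW_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SmallBusinessServer\RemoteUserPortal"

# Constructed sample of what regedit writes when exporting the key above.
# DWORD values are exported as 8 hex digits; 0x0000101d == 4125.
SAMPLE_REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SmallBusinessServer\\RemoteUserPortal]
"Port"=dword:0000101d
"""


def parse_rww_port(reg_text, key_path=RWW_KEY):
    """Return the Port DWORD under key_path from a .reg export, or None."""
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is not None and current_key.lower() == key_path.lower():
            match = re.match(r'^"Port"=dword:([0-9a-fA-F]{8})$', line)
            if match:
                return int(match.group(1), 16)
    return None


def probe_port(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_exposure(host, rdp_port, expected=RWW_PORTS, discouraged=DISCOURAGED_PORTS,
                   timeout=2.0, probe=probe_port):
    """Probe every RWW-related port and classify it.

    `probe` is injectable so the classification can be exercised without a
    live server. Returns {port: "expected" | "discouraged" | "closed"}.
    """
    ports = set(expected) | set(discouraged) | {rdp_port, VPN_PORT}
    report = {}
    for port in sorted(ports):
        if not probe(host, port, timeout):
            report[port] = "closed"
        elif port in discouraged:
            report[port] = "discouraged"
        else:
            report[port] = "expected"
    return report


def exposed_ports(report):
    """Return the sorted list of ports that answered (for the firewall checklist)."""
    return sorted(p for p, state in report.items() if state != "closed")


if __name__ == "__main__":
    # Placeholder host name; substitute your SBS server's external FQDN.
    host = "sbs.example.com"
    rdp_port = parse_rww_port(SAMPLE_REG_EXPORT) or 4125
    print("RWW Remote Desktop proxy port from registry export:", rdp_port)
    for port, state in audit_exposure(host, rdp_port).items():
        print(f"  tcp/{port}: {state}")
```

The probe only reports what answers a TCP connect from where you run it, so run it from outside the firewall to see what the Internet sees; a "discouraged" result on port 80 means the root page is published and the robots.txt advice earlier in this section applies.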

Another common question concerns whether you must first establish a VPN connection to drill down and take control of your Windows XP Pro workstation via Remote Desktop. The answer is no. You are using RDP over HTTP, not VPN tunneling to access the Windows XP Pro workstation.

So hopefully a few pictures here have saved over a thousand words. I thought that by starting with a diagram and then witnessing the port traffic, you could “feel” RWW first hand under the hood. More of this good stuff in my advanced SBS 2003 book in the second part of 2004.
