Remote Web Workplace (RWW) Part II - Controlling portal access


[Jim Martin weighs in this week with a deep technical dive of RWW.  This is the second part of the series.  Part 1 can be found at http://blogs.technet.com/sbs/archive/2006/07/25/443383.aspx]

 

RWW provides a single point of access from the Internet to SBS features such as OWA, client desktops, terminal servers, the internal Sharepoint site, etc. for those users who have been granted access.  This post describes how you can control which links are displayed on the RWW web page for different kinds of RWW users. 

 

Bear in mind that in order to access a particular component, all of the following must apply:

 

  • The component must be installed and functional.
  • The user must have the appropriate file, folder, and share permissions.
  • The user must have the appropriate user rights as defined in local and group policies.
  • The components must have been published by running the appropriate wizards.
  • The appropriate protocols and ports must have been opened and/or forwarded on firewalls between the client and the server.

 

Generally, with the exception of the configuration of 3rd-party and hardware firewalls, the above items will be installed and configured appropriately out of the box by: (1) Completing the SBS integrated setup (2) Running the CEICW and other wizards to publish the components (3) Running the Add User wizard to create new users.

 

 

Types of RWW Users

 

There are 2 different kinds of users as far as RWW is concerned: 

 

  • Administrators – members of the Administrators group. 
  • Knowledge Workers – members of the Remote Web Workplace Users group who are not also members of the Administrators group.  These are basically regular users who have been given access to the remote portal. 

 

When you run the Add User Wizard and select any of the standard user templates, the user is made a member of the Remote Web Workplace Users security group.  If you select the Administrator Template the user is also made a member of the Domain Admins security group, which is a member of the Administrators group. 

 


The Links

 

After logging on to RWW the user is presented with a web page containing links to individual components that are available to that kind of user (Knowledge Worker or Administrator).

 

Here is a sample of the Knowledge Worker web page with all links exposed:

 

 

 


Here is a summary of what the links on the Knowledge Worker web page mean:

 

  • Connect to my company’s application-sharing server – Connect to a Terminal Server that is running in application-sharing mode
  • Download Connection Manager – Connection Manager facilitates making a VPN connection to the SBS network
  • View Remote Web Workplace help – Get help about using RWW
  • Read my company e-mail – Access Outlook Web Access
  • Configure your computer to use Outlook via the Internet – Get detailed information about how to configure your remote Outlook 2003 client to connect to the Exchange server over the Internet (RPC over HTTP)
  • Use my company’s internal Web site – Access Companyweb, the Sharepoint Intranet site
  • Connect to my computer at work – Connect to XP workstations using Remote Desktop Administration
  • View server usage report – View reports about resource usage on the server

Here is a sample of the Administrator web page with all links exposed:

 

 

 

Note that links to the same function might have different display names when viewed from the Administrator RWW web page versus the Knowledge Worker page.  For example, ‘Connect to Client Desktops’ vs. ‘Connect to my computer at work’.

 


Here is a summary of what the links on the Administrator RWW page mean:

 

 

  • Connect to Client Desktops - Connect to an XP workstation using Remote Desktop Administration
  • Download Connection Manager - Connection Manager facilitates making a VPN connection to the SBS network
  • Ask the Community – Access the SBS community web page
  • View Client Help - Get help about using RWW (this is the same information that Knowledge Workers see when they access the link called “View Remote Web Workplace help”)
  • Monitor Help Desk – Manage help desk requests
  • Use Outlook Web Access – Access Outlook Web Access
  • View server performance report – View reports about server performance
  • Provide Remote Assistance – Share workstation desktops with users who need real-time help on their workstations
  • Configure Outlook via the Internet - Get detailed information about how to configure your remote Outlook 2003 client to connect to the Exchange server over the Internet (RPC over HTTP)
  • Connect to Server Desktops - Connect to a server using Remote Desktop Administration
  • Administer the company’s internet Web site – Perform administrative tasks for Companyweb, the Sharepoint Intranet site
  • View server usage report - View reports about resource usage on the server

Exposing the Links

 

In addition to group membership, exposure of most of the links is controlled by the options specified when running the following wizards:

 

  • CEICW
  • Remote Access Wizard
  • Monitoring Configuration Wizard

 

Exposure of the links related to RDP or Terminal Server access also depends upon servers or workstations being found online on the LAN with those services and the appropriate ports enabled at the time RWW is accessed.

 

When you run the CEICW you are presented with the following screen which allows you to select the web services that you wish to publish through RWW:

 

 

 

If the ‘Remote Web Workplace’ option is not selected but other components are, those components might be available independently of RWW but when a user tries to go to the RWW URL (https://mail.testrww.com/remote), they will get “Page cannot be displayed”.

 

Running the CEICW is sufficient to expose most of the frequently used features such as:

 

  • OWA
  • RWW
  • Server performance and usage reports
  • RPC over HTTP
  • Sharepoint

 


To expose the Connection Manager links, simply run the Remote Access Wizard from the Server Management console and check the box for VPN:

 


 

To expose the Server Usage Reports and Server Performance Reports, the Monitoring Configuration Wizard must be run and the “View the usage report in Server Management” box must be checked:

 

 

 


Access to Server Usage and Performance Reports is primarily controlled by membership in the Usage Report Users security group.  By default the Domain Admins group is a member of that group. 

 

Other users can be granted access to the Server Usage Reports as well by running the Monitoring Configuration Report Wizard and adding authorized users as shown below.  One of the things the wizard does is add the users to the Usage Report Users security group.  If access is granted to non-administrative users, the link for the “View server usage report” will show up on the Knowledge Worker page for those users.  However the “View server performance report” link will still only be available on the Administrator RWW web page, regardless of group membership.

 

 

 

 


In order for workstation RDP links to be exposed, there must be at least one XP workstation running with Remote Desktop Administration enabled. Only those machines with RDA enabled will show up in the list of client machines that can be connected to from RWW.

In order for the application-sharing server link to be exposed, the following criteria must be met:
  • The server must be a member of the domain.
  • The server must be pingable from the SBS server.
  • The operatingSystem Active Directory attribute must contain the word "Server" (case-sensitive). This value can be verified in AD Users and Computers or by running adsiedit.msc .
  • The server must be running at the time the RWW page is accessed.
  • The server must be listening on TCP port 3389 on its internal IP address.
  • Terminal Services must be in Application Sharing Mode.
  • The SBS server must be able to connect to the Terminal Server using Remote Registry and the following registry values must be present and set to 1 to indicate the server is running in Application Sharing mode:  
HKLM\System\CurrentControlSet\Control\Terminal Server\TSEnabled = 1 
HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat = 1 

In general, the Remote Registry service must be running on the Terminal Server, a firewall between the SBS server and the TS must not be blocking RPC traffic, and the Network Service account must have at least read access to the registry key HKLM\System\CurrentControlSet\Control\Terminal Server.
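
The criteria above can be checked in one pass from the SBS server. The following PowerShell function is an added example, not part of the original post or of SBS itself; the function name and the server name TS01 are placeholders.

```powershell
# Added example, not from the original post. 'TS01' below is a placeholder name.
function Test-RwwAppServer {
    param([Parameter(Mandatory)][string]$ComputerName)
    $r = [ordered]@{ Computer = $ComputerName }

    # Domain membership and operatingSystem attribute, read from the AD computer object.
    $searcher = [adsisearcher]"(&(objectCategory=computer)(name=$ComputerName))"
    [void]$searcher.PropertiesToLoad.Add('operatingsystem')
    $entry = $searcher.FindOne()
    $os = if ($entry) { [string]($entry.Properties['operatingsystem'] | Select-Object -First 1) } else { '' }
    $r.InDomain        = [bool]$entry
    $r.OperatingSystem = $os
    $r.OsHasServer     = $os -cmatch 'Server'   # -cmatch is case-sensitive

    # Reachable by ping from this machine.
    $r.Pingable = [bool](Test-Connection -ComputerName $ComputerName -Count 1 -Quiet)

    # Listening on TCP 3389 (3-second timeout).
    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $r.Rdp3389 = $tcp.ConnectAsync($ComputerName, 3389).Wait(3000) -and $tcp.Connected }
    catch   { $r.Rdp3389 = $false }
    finally { $tcp.Close() }

    # TSEnabled and TSAppCompat, read through the Remote Registry service.
    $r.TSEnabled = $null; $r.TSAppCompat = $null
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $key  = $hklm.OpenSubKey('System\CurrentControlSet\Control\Terminal Server')
        if ($key) {
            $r.TSEnabled   = $key.GetValue('TSEnabled')
            $r.TSAppCompat = $key.GetValue('TSAppCompat')
            $key.Close()
        }
        $hklm.Close()
    } catch { $r.RegistryError = $_.Exception.Message }

    # True only when every checked condition holds.
    $r.AllMet = $r.InDomain -and $r.OsHasServer -and $r.Pingable -and $r.Rdp3389 -and
                ($r.TSEnabled -eq 1) -and ($r.TSAppCompat -eq 1)
    [pscustomobject]$r
}

Test-RwwAppServer -ComputerName 'TS01' | Format-List
```

The registry read here runs under the account of whoever calls the function, so a passing result does not confirm that the Network Service account has read access to the key.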


If an application Terminal Server is brought online after an RWW Knowledge Worker logs on, refreshing the RWW link screen will not cause the “Connect to my company’s application-sharing server” link to be displayed.  The user will have to log off of RWW and log back on to see the link.

The “Connect to Server Desktops” link on the Administrator RWW page will always be displayed, but the ability to connect to specific server desktops depends on whether the server is online, whether it is listening on port 3389, etc.


Registry Values associated with RWW Links

 

The following registry values actually control whether the links are exposed for Administrators and Knowledge Workers.  Although these values can be changed manually in the registry, you should first try to enable them by running the appropriate wizard to ensure that the component will be fully configured and functional.  Once a component has initially been configured, you can easily hide or expose the link for it by changing the appropriate registry key value to a 1 or a 0 (1=show, 0=hide):

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SmallBusinessServer\RemoteUserPortal\

AdminLinks

  • ClientTS – Connect to Client Desktops
  • CM – Download Connection Manager
  • Community – Ask the Community
  • Help – View Client Help
  • HelpDesk – Monitor Help Desk
  • OWA – Use Outlook Web Access
  • PerfReport – View server performance report
  • RA – Provide Remote Assistance
  • RPC – Configure Outlook via the Internet
  • ServerTS – Connect to Server Desktops
  • STS – Administer the company’s internet Web site
  • UsageReport – View server usage report

KWLinks

  • AppTS – Connect to my company’s application-sharing server
  • CM – Download Connection Manager
  • Help – View Remote Web Workplace help
  • OWA – Read my company e-mail
  • RPC – Configure your computer to use Outlook via the Internet
  • STS – Use my company’s internal Web site
  • TS – Connect to my computer at work
  • UsageReport – View server usage report
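
To review which links are currently exposed, the values under both subkeys can be read and compared against a list of links you intend to keep hidden. This PowerShell function is an added example, not part of the original post; the function name and the contents of the hidden-link baseline are assumptions to be replaced with your own policy.

```powershell
# Added example, not from the original post. Run on the SBS server.
$RwwBase = 'HKLM:\SOFTWARE\Microsoft\SmallBusinessServer\RemoteUserPortal'

# Hypothetical baseline: value names that this site wants hidden (set to 0).
$RwwShouldBeHidden = @{
    AdminLinks = @('Community')
    KWLinks    = @('CM', 'UsageReport')
}

function Get-RwwLinkState {
    param(
        [string]$BasePath  = $RwwBase,
        [hashtable]$Hidden = $RwwShouldBeHidden
    )
    foreach ($sub in 'AdminLinks', 'KWLinks') {
        $path = Join-Path $BasePath $sub
        if (-not (Test-Path $path)) {
            Write-Warning "$path not found"
            continue
        }
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            if (-not $name) { continue }          # skip the unnamed default value
            $value = $key.GetValue($name)
            $shown = ($value -eq 1)               # 1 = show, 0 = hide
            [pscustomobject]@{
                Page       = $sub
                Link       = $name
                Value      = $value
                Shown      = $shown
                # Flag links that are exposed although the baseline hides them.
                Unexpected = ($shown -and ($Hidden[$sub] -contains $name))
            }
        }
    }
}

Get-RwwLinkState | Sort-Object Page, Link | Format-Table -AutoSize
```

Rows with Unexpected set to True are links that a wizard run or a manual change has exposed again since the baseline was written.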
