[Today's post comes to us courtesy of Shawn Sullivan and Moloy Tandon]

Just as it was in SBS 2003, Remote Web Workplace (RWW) is an integral component in the SBS feature set for 2008. Its purpose is to provide a secure centralized web portal for employees and administrators to access network resources. Users can perform the following actions when logged in:

1. Check their E-mail.
2. Access the Internal Web Site (CompanyWeb).
3. Connect to a computer through RDP (only network admins can connect to the SBS server)
4. Change their domain password
5. Access help and configuration information for RWW
6. Access customized corporate links (more information available at: http://technet.microsoft.com/en-us/library/cc527586.aspx)

RWW is installed on the server during SBS Setup, but is not fully configured for Internet access until you complete the “Internet Address Management Wizard” (IAMW). Note: If you are using a 3^rd party SSL certificate, you must complete the “Add A Trusted Certificate Wizard” also. It is installed as the remote virtual directory under the SBS Web Applications site, which accepts SSL connections on port 443. By default, the IAMW will add the prefix “remote” to your chosen domain name to distinguish the SBS 2008 in your web presence as the remote user portal. In this case, if you chose contoso.com as your domain name, you would access RWW using “https://remote.contoso.com”.

For full access to the RWW feature set from the Internet, you must ensure the following:

1. TCP 443 and TCP 987 (For SharePoint) are open on your Internet firewall.
2. Clients are running Internet Explorer 6.0 SP2 or higher
3. The RDP 6.1 client or higher is installed on the client machine
4. The client must trust the SSL certificate that is installed on the SBS Web Applications site
5. The client must connect using the URL that matches the common name on the certificate.

Features

From a centralized location, users can launch OWA, connect to an authorized computer, launch CompanyWeb, change their password, and access the built-in corporate links (help for RWW and Outlook Anywhere) or customized links (these links are shared with the Vista Desktop Gadget).

Administrators and users are presented with the same features upon login to the homepage, with the following exceptions:

1. Users are not offered the “Connect to Server” option. Only network administrators can connect to the SBS server.
2. Users are not presented with the “Administration” links

SBS Console Integration

From the SBS 2008 console, you can perform a variety of management tasks for the website itself. You can access this under “Shared Folders and Web Sites”. The various tasks you can perform include:

1. Enabling or disabling the website
2. Browse the website (opens in IE using https)
3. Add or remove users permissions to login to RWW
4. Enable or disable RWW homepage links (OWA, Connect to Computer, Internal Website, Change Password, Connect to Server, Help, and Remote Web Workplace Link List)
5. Manage Organizational and Administrative links that are displayed upon user login. Here you can enable/disable them, change permissions (who can see them), remove them or add new ones, or change their titles

Login Requirements

As it did in SBS 2003, RWW uses forms based authentication, which stores the encrypted credentials from the user’s initial login as a cookie in the web browser. This cookie is used to authenticate further connections to restricted resources inside RWW, such as OWA and CompanyWeb. Only members of the Windows SBS Remote Web Workplace Users security group are allowed to login to RWW. To modify membership for this group, use the SBS 2008 Console:

User Account Properties for RWW Login Rights

Launching OWA and CompanyWeb

When OWA and CompanyWeb are launched in RWW, your browser is connected to either https://remote.domain.com/owa or https://remote.domain.com:987 respectively; where remote.domain.com is the domain name that you have configured in the IAMW. By default, they open in their own restricted Window with no address or navigation bar, preventing you from navigating to a different site in the same window. You can override this (only in IE 7) on the client machine by opening Tools > Internet Options > General > Tabs > Settings and allowing pop-ups to be opened in a new tab:

Connect to a computer

When a user clicks “Connect to a computer”, they are presented with a list of computers in which they are authorized to connect to and set as their default. Once they choose a default computer, they will no longer be presented with a list and will connect automatically to their chosen machine. Note: If the user is authorized to only a single machine, a list is not shown and instead will be directly connected to their authorized machine. This is meant to give the Administrator greater control over what machines their users can connect to. This information is defined both on the user account and computer account properties from the SBS 2008 console:

Computer account properties:

Once “Can log on remotely to this computer” is checked, the next group policy refresh will add the user account to the “Remote Desktop Users” local group on the machine. Note: Administrators automatically have the right to remotely connect to any machine in the domain.

If you have installed Terminal servers in your domain, you can run into a problem where they will not show up in the list of computers to connect to for standard users. To override this behavior to display all computers in the domain, perform the following:

1. To open the Registry Editor, click Start, click Run, type regedit in the text box, and then press ENTER.
2. Browse to HKEY_LOCAL_MACHINE\Software\Microsoft\SmallBusinessServer.
3. Right-click SmallBusinessServer, click New, and then click Key.
4. Name the key BusinessProductivity.
5. Right-click BusinessProductivity, click New, and then click DWORD (32-bit) Value.
6. Name the new value ShowAllComputers.
7. Right-click ShowAllComputers, type 1 in the Value data text box, and then click OK.

TSGateway Integration

RWW in SBS 2008 leverages the TSGateway service that is running on the SBS server to perform the remote desktop connection to the chosen machine. Like RWW, TSGateway is fully enabled when the IAMW is completed (“Add a Trusted Certificate” must also be completed if you are using a 3^rd party SSL certificate). This allows remote desktop connections to your domain-joined machines through port 443. This is different from RWW in SBS 2003, where you had to open port 4125 through your firewall.

The following screenshot shows what an RDP connection to TSGateway looks like. We can see that the “Gateway server” field is populated with the URL of the server, which is resolvable both externally and internally in DNS. The “Remote computer” field is populated with the internal machine name of the computer that we are connecting to:

You can, in fact, configure the RDP 6.1 client or higher to connect directly through TSGateway without having to first login to RWW. The only difference between this and connecting through RWW is that RWW does this for you automatically. Click on “Options” > select the “Advanced” tab > and click on “Settings” under “Connect from Anywhere” to display the TSGateway configuration settings:

Enter in the URL for the SBS 2008 server (which you configured during the IAMW)

Finally, on the “General” tab, enter the internal machine name of the computer you wish to connect to:

Additional Information

If you are having issues connecting to RWW or TSGateway, visit the following posts:

• http://blogs.technet.com/sbs/archive/2008/10/03/receiving-certificate-errors-when-connecting-to-clients-servers-with-ts-gateway-or-remote-web-workplace-on-sbs-2008.aspx
• http://blogs.technet.com/sbs/archive/2009/06/19/common-remote-web-workplace-rww-connect-to-a-computer-issues-in-sbs-2008.aspx

For non domain-joined machines and mobile devices, you must install the certificate distribution package for proper web access to the server (if you are not using a trusted 3^rd party SSL certificate):

• http://blogs.technet.com/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx

[Today’s post comes to us courtesy of Shawn Sullivan]

SBS 2008 includes the Update Services component to provide the administrator with a simple interface for managing software updates from the SBS Console. Those who are familiar with Update Services from SBS 2003 R2 will find that the SBS 2008 implementation is quite similar. It is essentially a wrapper for the native WSUS 3.0 interface meant to simplify the management of software updates for the network. By default all critical updates, security updates, and update definitions will be automatically approved for installation if at least one machine on the network requires it. Other updates are manually approved by the administrator as needed.

Default Configuration Settings

Below is the full list of default configuration settings in WSUS as they exist after SBS 2008 setup has completed:

Important: If you go into the native WSUS 3.0 SP1 console and change these default settings, SBS Update Services will detect this and shut down. In order to guarantee the accuracy and reliability of its reporting function, it requires WSUS to be configured with these settings. If you are in this state, you will get the following warning when you click on “Change the software update settings” in the SBS console:

“Windows Small Business Server (Windows SBS) Update Services is not running because it automatically turns off if you customize Windows Server Update Services (WSUS)”

The easiest way to tell which changes you need to revert is to run the SBS 2008 BPA: http://www.microsoft.com/downloads/info.aspx?na=22&p=1&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=&u=%2fdownloads%2fdetails.aspx%3fFamilyID%3d86a1aa32-9814-484e-bd43-3e42aec7f731%26DisplayLang%3den

The below screenshot shows an example of the warning and its specific cause:

WSUS Update Groups

The Update Services Excluded Computers, Update Services Client Computers, and Update Services Server Computers groups are created natively in WSUS during setup and managed through the SBS 2008 Console.

By default, the Client and Server groups will be populated by machine accounts that are either in the SBS Servers or SBS Computers Organizational Units in Active Directory. The purpose of these groups is to assign one of the following update levels to them through the SBS Console:

• High: Automatically approve for installation all security, critical, and definition updates and all service packs
• Medium: Automatically approve for installation all security, critical, and definition updates
• Low: Automatically approve for installation all security and definition updates.
• None: Do not automatically approve any updates

By default, Server updates are set to Medium and client updates are set to High. If you choose to exclude a machine from receiving updates through Update Services, then they will be placed in the Excluded Computers group.

Included Computers adds the machine account to the proper WSUS group and to the security filter of either the Update Services Client Computers or Update Services Server Computers GPOs:

WSUS Group Policy Objects

These GPOs control various settings in how machines in your network contact WSUS. You should not make changes to them:

• Update Services Client Computers Policy: Configures client machines to “auto download and schedule the install” everyday at 03:00.
• Update Services Server Computers Policy: Configures server machines to “auto download and notify for install”. Updates will never be automatically installed.
• Update Services Common Settings Policy: Settings common to both servers and clients, include update detection frequency, system restart settings, scheduled installation settings, and the URL that machines contact for Update Services and intranet statistics (:8530">http://<SBSServer>:8530)

Windows SBS Manager Service

Among its many responsibilities, this service applies all of the configuration settings that the administrator has chosen through the SBS 2008 Console. It performs the following tasks:

• Every 5 minutes it will check Active Directory and apply machine accounts to the proper WSUS Update Group, either the Client Computers or the Server Computers group. It also adds the machine account to the security filter of either the client or server GPOs. This is all configured by the administrator in the “Included Computers” window in Figure 2 above.
• Every 60 minutes it checks with WSUS to review the updates being reported as needed by the machines. At this time, it will approve critical, security, and update definitions for all machines while including service packs for machines in the Client Update group.

The logs for this service are found in the following directory: C:\Program Files\Windows Small Business Server\Logs\MonitoringServiceLogs.

Administration through the SBS 2008 Console

All of the pieces described above are brought together to give the administrator a simplified interface in the SBS 2008 Console in which to manage all updates for all machines on the network. You can access Update services information from the following locations:

• Under “Network Essentials Summary” on the Home tab: If all updates that are needed have not been installed, you will receive a Warning here. If you have made changes to the default WSUS configuration, you will also receive a blue question mark here
• Under the “Computers” sub-tab on the Network tab: Right-click on the machine accounts and go to properties to access the list of missing and installed updates.
• Under the “Updates” sub-tab on the “Security” tab: At this location, you can “Change the software update settings” to change the update levels for servers and clients, specify the schedule for installation or notify the user, and choose which servers and clients to manage through Update services:

You also receive a list of Updates with Microsoft Software License Terms that are pending approval, Updates with Errors, Optional Updates and Updates in Progress. From here you can deploy the update, decline the update, or view the update deployment report:

[Today's post comes to us courtesy of Wayne McIntyre]

We are seeing quite a few calls where public folders, Offline Address books, and Free/Busy information are not replicating to the new SBS 2008 server after following the “Move Exchange Server public folders for Windows SBS 2008 migration” steps from http://technet.microsoft.com/en-us/library/cc527516(WS.10).aspx. The key thing to remember is that public folder replication messages use SMTP for transport, therefore if you have modified settings to the default SMTP Virtual Server these messages may never reach the destination. The SBS 2003 BPA will detect some of these mis-configurations, so make sure to also run both the Exchange BPA and SBS BPA.

Identifying the Issue

To identify the issue you should view the queue in Exchange 2003. You will notice you have a backlog of messages in the queue using the Routing group connector that SBS 2008 creates during a migration setup. In this case we have a non-standard outbound TCP port configured.

Common Causes

1. You have a Smarthost configured on your SMTP virtual server, which will route all messages including Public Folder replication messages to your Smarthost server. To modify this go to the properties of your Default SMTP Virtual Server on your Exchange 2003 server, select the Delivery tab and click the Advanced button. You should then see a dialogue like the one below, if a Smarthost is configured, simply remove it and hit OK.
   
   
   
2. Verify that Outbound Security on the SMTP Virtual Server is using Anonymous access.

   

3. The Outbound Connections TCP port has been modified to something other than port 25 on the Default SMTP Virtual Server in Exchange 2003. From the same Delivery tab as before click on the Outbound connections button and verify the TCP port is set to 25.
   
   
   
4. A less common issue is that you have added your domain to the blocked senders list. This is often done to prevent spam from spammer@contoso.com (where Contoso is your email domain) who is spoofing your domain. In Exchange 2007, under Organization Configuration – Hub Transport, click on the Anti-Spam tab and go to the properties of Sender Filtering. Within Sender Filtering Properties verify the Blocked Senders List, and ensure that you have not listed your own domain as a blocked sender.
   
   
   
5. Integrated Windows Authentication is unchecked on the Default SMTP virtual server on your source SBS 2003 machine. To ensure that Integrated Windows Authentication is enabled, go to the properties of the Default SMTP virtual server, select the Access tab, and click the Authentication button.
   
   

Additional Information

Understanding Public Folder Replication: http://technet.microsoft.com/en-us/library/bb629523.aspx

[Today's post comes to us courtesy of Wayne McIntyre, Damian Leibaschoff, and Justin Crosby]

The connect to a computer feature in SBS 2008 is one of the most popular features of RWW. The connect to a computer feature in SBS 2008 utilizes TS-Gateway behind the scenes, however, when there is a misconfiguration or a problem, RWW may only provide partial information to help isolate the root issue. This post will discuss most of the known issues, how to identify them and steps to resolve them.

What we will cover:

1. Receiving Certificate Errors When Connecting to Clients/Servers with TS Gateway or Remote Web Workplace on SBS 2008
2. VBScript Error: 50331676
3. Connection Authorization Policies and Resource Authorization Policies.
4. Authentication Failures
5. Client Machine Requirements
6. Internal DNS Considerations
7. External DNS Considerations
8. TS Gateway Service Known Issues

1.  Receiving Certificate Errors When Connecting to Clients/Servers with TS Gateway or Remote Web Workplace on SBS 2008

For certificate related errors, please review the issues discussed in this article: http://blogs.technet.com/sbs/archive/2008/10/03/receiving-certificate-errors-when-connecting-to-clients-servers-with-ts-gateway-or-remote-web-workplace-on-sbs-2008.aspx

2.  VBScript Error: 50331676

When you try to connect to a server or machine you get the following error:

You must have a certificate installed in TS Gateway Manager. This is handled by the “Set up your Internet Address Wizard” or the “Add a Trusted Certificate Wizard” in the SBS 2008 Console. To verify you have a certificate installed for TS Gateway do the following:

1. Open TS Gateway Manager from Administrative Tools --- Terminal Services
2. Select Properties on the Server Object, and choose the SSL Certificate tab from within properties. You should see a screen similar to the one below stating which certificate TS Gateway is using.
   
   

As stated beofre, you should not see this problem If you have completed the Internet Address Management Wizard, if for any reason no certificate is selected, make sure you click on Browse Certificates and select the proper certificate, for example “remote.contoso.com”.

3.  Connection Authorization Policies and Resource Authorization Policies.

You must pass the connection authorization policy to make a connection, and the resource authorization policy for the machine you are trying to connect to. This error may also display the VBSCRIPT error 50331676.

We have seen a few cases where the connection authorization policy was modified manually to only allow domain computers to make connections. This means that any machine outside the domain (e.g. their home machine) would not be able to connect. This is shown below. To access this policy:

1. Open TS Gateway Manager from Administrative Tools – Terminal Services
2. Expand your computer object
3. Expand Policies
4. Select Connection Authorization Policies
5. Right-Click on the General Connection Authorization policy on the right hand side and choose properties
6. Make sure the Client computer group membership is blank if you want non-domain joined machines to be able to use the RWW Connect To Computer feature.

4.  Authentication Failures

You must have Windows Authentication enabled on the IIS /RPC virtual directory under the SBS Web Applications web site. If it is missing, you will see a looping prompt for authentication when you try to connect.

Since both Outlook Anywhere and TS Gateway share this Virtual Directory modifying authentication settings in Exchange for Outlook-Anywhere within the Exchange Management Console can disable Windows Auth. To make sure Windows-Auth is enabled in Exchange Management Shell (Run as admin) perform the following command:

Get-OutlookAnywhere

(Ignore the warning)

Check the value for the IISAuthenticationMethods Parameter.

You can also check in IIS Manager under the RPC virtual directory, authentication.

Changing the authentication here may only help for a few minutes as Exchange will reset the settings again. You need to complete the proper Exchange configuration steps to resolve this.

If the output of the Exchange Management Shell shows that you are missing NTLM, you need to reset the Exchange setting for outlook anywhere from the Exchange Management Shell (run as admin) perform the following command (ignore the warning):

Get-OutlookAnywhere | Set-OutlookAnywhere –IISAuthenticationMethods: Basic, ntlm

After you make this change, the settings in IIS will not immediately change, it might take up to 15 minutes for this change to happen. You can safely make the change in IIS, under the authentication for RPC to enable Windows Authentication and Basic Authentication and they should remain set as expected.

If you still cannot authenticate to the TS gateway prompt, the following resources discuss some known issues:

• http://blogs.technet.com/sbs/archive/2009/02/20/the-network-policy-server-service-ias-fails-to-start-or-be-installed.aspx
• http://blogs.technet.com/sbs/archive/2009/05/18/bits-ias-vss-and-rras-may-stop-responding-on-sbs-2008-with-a-particular-nic-driver.aspx

5.  Client Machine Requirements

The client machine you are trying to connect to must have RDP enabled and listening on the default port of 3389. You must also verify that any firewalls present on the workstation are allowing the traffic inbound on TCP/3389.  Additionally, the client machine you are making the connection from must allow the ActiveX Control to run.  The easiest way to ensure that ActiveX will be enabled is by adding your remote web workplace site to your list of trusted sites in Internet Explorer.

6.  Internal DNS Considerations

You might connect to an unexpected machine when trying to connect to the remote machine.  If this happens you should verify that the DNS records for the clients on the SBS 2008 server hosting RWW are correct.  To do this open the DNS Management console from Start, Administrative Tools, DNS.  Expand the forward lookup zones, and your local active directory zone.  Verify that the host (A) records for the clients are correct.

7.  External DNS Considerations

The hostname section of the PTR record for the remote client machine’s public IP address cannot match the NetBIOS hostname of the SBS 2008 server. If these names match the RWW will not use TS proxy and the connection will fail or connect to an unexpected target.

The only fix is the change the PTR record for the client pc's external IP address.

Example: Suppose you are using a Windows Vista machine on the Internet. The public IP for this client is 65.53.x.x. The PTR record for this IP is server01.contoso.com. If the SBS 2008 server this machine is trying to connect to has a NetBIOS hostname of Server01, the connection will fail. Ideally your PTR record should match your MX record and your MX record should not be the NetBIOS hostname of your server.

Note: This is a very RARE issue.

8.  TS Gateway Service known issues

TS Gateway Service Not Started After Restart in IIS Manager.

This issue is discussed on this post: http://blogs.technet.com/sbs/archive/2009/04/20/ts-gateway-service-not-started-after-restart-in-iis-manager.aspx

The Terminal Services Gateway service is not running, Contact your network administrator to resolve this issue.This error can happen due to a number of different issues other than the TS Gateway service not running or the role service not being installed.

• If IPv6 has been unproperly unbound from the network interface you might get an error that states that the TS Gateway service is not installed.  Check the following link for issues related to improperly disabling IPv6: http://blogs.technet.com/sbs/archive/2008/10/24/issues-after-disabling-ipv6-on-your-nic-on-sbs-2008.aspx
• If Client certificates has been set to Accept or Require under the SSL setttings on the Rpc virtual directory. This must be set to Ignore.
• In general, this error will happen when we cannot properly access the /RPC virtual directory or its settings have been changed from default.

Additional RWW related links:

• http://blogs.technet.com/sbs/archive/2009/02/12/how-to-enable-drive-mapping-through-sbs-2008-remote-web-workplace.aspx
• http://blogs.technet.com/sbs/archive/2009/01/09/sbs-2008-how-to-make-terminal-servers-in-application-sharing-mode-appear-in-remote-web-workplace.aspx
• http://blogs.technet.com/sbs/archive/2009/06/15/how-to-configure-the-rww-timeout.aspx
• http://blogs.technet.com/sbs/archive/2008/09/26/can-i-use-terminal-services-in-sbs-2008.aspx

We have updated the SBS 2003 to SBS 2008 Migration Best Practices blog post with a few new recommendations.  Please review the following post before attempting an SBS 2003 to 2008 migration: SBS 2008 Migrations from SBS 2003 – Keys to Success

On Tuesday, June 23rd from 10:30am - 11:00am (PDT), join a teleconference with Bob Kelly, corporate VP of Infrastructure Server Marketing. Bob will talk about the state of IT within the context of results from a new Harris Interactive study of 1,200 IT professionals from the U.S., United Kingdom, Japan and Germany. The study was commissioned by Microsoft's Server & Tools Business.

There will be time for your questions following the brief presentation. Submit questions over the phone or you can submit them at any time leading up to or during the teleconference by tweeting with the Twitter hashtag,  #qs4ms.

If you are interested in attending, please REGISTER NOW. Once you open the invite box, you can save and close to your calendar.