The official blog for Windows Server Essentials and Small Business Server support and product group communications.
[Today's post comes to us courtesy of Shawn Sullivan and Moloy Tandon]
Just as it was in SBS 2003, Remote Web Workplace (RWW) is an integral component in the SBS feature set for 2008. Its purpose is to provide a secure centralized web portal for employees and administrators to access network resources. Users can perform the following actions when logged in:
RWW is installed on the server during SBS Setup, but is not fully configured for Internet access until you complete the “Internet Address Management Wizard” (IAMW). Note: If you are using a 3rd party SSL certificate, you must also complete the “Add A Trusted Certificate Wizard”. RWW is installed as the remote virtual directory under the SBS Web Applications site, which accepts SSL connections on port 443. By default, the IAMW adds the prefix “remote” to your chosen domain name to identify the SBS 2008 server as the remote user portal in your web presence. In this case, if you chose contoso.com as your domain name, you would access RWW using “https://remote.contoso.com”.
For full access to the RWW feature set from the Internet, you must ensure the following:
From a centralized location, users can launch OWA, connect to an authorized computer, launch CompanyWeb, change their password, and access the built-in corporate links (help for RWW and Outlook Anywhere) or customized links (these links are shared with the Vista Desktop Gadget).
Administrators and users are presented with the same features upon login to the homepage, with the following exceptions:
From the SBS 2008 console, you can perform a variety of management tasks for the website itself. You can access this under “Shared Folders and Web Sites”. The various tasks you can perform include:
As it did in SBS 2003, RWW uses forms-based authentication, which stores the encrypted credentials from the user’s initial login as a cookie in the web browser. This cookie is used to authenticate further connections to restricted resources inside RWW, such as OWA and CompanyWeb. Only members of the Windows SBS Remote Web Workplace Users security group are allowed to log in to RWW. To modify membership for this group, use the SBS 2008 Console:
User Account Properties for RWW Login Rights
When OWA and CompanyWeb are launched in RWW, your browser is connected to https://remote.domain.com/owa or https://remote.domain.com:987 respectively, where remote.domain.com is the domain name that you have configured in the IAMW. By default, they open in their own restricted window with no address or navigation bar, preventing you from navigating to a different site in the same window. You can override this (only in IE 7) on the client machine by opening Tools > Internet Options > General > Tabs > Settings and allowing pop-ups to be opened in a new tab:
When a user clicks “Connect to a computer”, they are presented with a list of the computers they are authorized to connect to, and can set one as their default. Once they choose a default computer, they will no longer be presented with a list and will connect automatically to their chosen machine. Note: If the user is authorized to connect to only a single machine, no list is shown and the user is connected directly to that machine. This is meant to give the Administrator greater control over what machines their users can connect to. This information is defined on both the user account and computer account properties from the SBS 2008 console:
Computer account properties:
Once “Can log on remotely to this computer” is checked, the next group policy refresh will add the user account to the “Remote Desktop Users” local group on the machine. Note: Administrators automatically have the right to remotely connect to any machine in the domain.
If you have installed Terminal servers in your domain, you can run into a problem where they will not show up in the list of computers to connect to for standard users. To override this behavior to display all computers in the domain, perform the following:
RWW in SBS 2008 leverages the TSGateway service that is running on the SBS server to perform the remote desktop connection to the chosen machine. Like RWW, TSGateway is fully enabled when the IAMW is completed (“Add a Trusted Certificate” must also be completed if you are using a 3rd party SSL certificate). This allows remote desktop connections to your domain-joined machines through port 443. This is different from RWW in SBS 2003, where you had to open port 4125 through your firewall.
The following screenshot shows what an RDP connection to TSGateway looks like. We can see that the “Gateway server” field is populated with the URL of the server, which is resolvable both externally and internally in DNS. The “Remote computer” field is populated with the internal machine name of the computer that we are connecting to:
You can, in fact, configure the RDP 6.1 client or higher to connect directly through TSGateway without having to first log in to RWW. The only difference between this and connecting through RWW is that RWW does this for you automatically. Click on “Options”, select the “Advanced” tab, and click on “Settings” under “Connect from Anywhere” to display the TSGateway configuration settings:
Enter the URL for the SBS 2008 server (which you configured during the IAMW):
Finally, on the “General” tab, enter the internal machine name of the computer you wish to connect to:
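The same gateway and target settings can be written to an .rdp file instead of being typed into the client dialogs. The PowerShell below is an added example, not part of the original post: the function name and the sample host names are hypothetical, the properties are standard .rdp file settings, and `authentication level:i:1` is a hardening choice added here.

```powershell
# Added example (not from the original post): writes an .rdp file that connects
# to an internal machine through the TS Gateway on the SBS 2008 server.
function New-TsGatewayRdpFile {
    param(
        [Parameter(Mandatory)][string]$GatewayHost,     # name configured in the IAMW
        [Parameter(Mandatory)][string]$TargetComputer,  # internal machine name
        [Parameter(Mandatory)][string]$Path
    )

    # Accept host-name characters only. \A and \z anchor the whole string, so a
    # value with an embedded line break cannot smuggle extra settings into the file.
    foreach ($name in $GatewayHost, $TargetComputer) {
        if ($name -notmatch '\A[A-Za-z0-9.-]+\z') {
            throw "Invalid host name: '$name'"
        }
    }

    $settings = @(
        "full address:s:$TargetComputer"   # "Computer" field on the General tab
        "gatewayhostname:s:$GatewayHost"   # "Server name" under Connect from Anywhere
        "gatewayusagemethod:i:1"           # 1 = always use the gateway
        "gatewayprofileusagemethod:i:1"    # 1 = use these explicit gateway settings
        "gatewaycredentialssource:i:0"     # 0 = ask for password (NTLM)
        "promptcredentialonce:i:1"         # reuse gateway credentials for the remote computer
        "authentication level:i:1"         # 1 = do not connect if server authentication fails
    )

    # mstsc saves .rdp files as UTF-16 LE, which is what -Encoding Unicode produces.
    Set-Content -LiteralPath $Path -Value $settings -Encoding Unicode
    Get-Item -LiteralPath $Path
}

# Sample values are placeholders: remote.contoso.com is the article's example
# external name, CLIENT01 is a constructed internal machine name.
$gateway = 'remote.contoso.com'
$rdpFile = New-TsGatewayRdpFile -GatewayHost $gateway -TargetComputer 'CLIENT01' `
    -Path (Join-Path $env:TEMP 'client01-via-gateway.rdp')

# TSGateway traffic uses port 443, so confirm it is reachable before handing
# the file to a user (Test-NetConnection needs Windows 8.1 / Server 2012 R2 or later).
$probe = Test-NetConnection -ComputerName $gateway -Port 443 -WarningAction SilentlyContinue
if ($probe.TcpTestSucceeded) {
    Write-Output "Gateway reachable; open $($rdpFile.FullName) with mstsc.exe"
} else {
    Write-Warning "Cannot reach $gateway on TCP 443; check DNS and firewall publishing."
}
```

With `authentication level:i:1`, a non domain-joined client that does not trust the server's certificate will refuse to connect, which is the situation the certificate distribution package mentioned below addresses.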
If you are having issues connecting to RWW or TSGateway, visit the following posts:
For non domain-joined machines and mobile devices, you must install the certificate distribution package for proper web access to the server (if you are not using a trusted 3rd party SSL certificate):
I had a lot of issues lately where I could not log in to computers using RWW on SBS 2008. I kept getting the VBscript error 50331676. I saw some troubleshooting steps on this page http://blogs.technet.com/sbs/archive/2009/06/19/common-remote-web-workplace-rww-connect-to-a-computer-issues-in-sbs-2008.aspx but none of them worked for me.
After some digging I realized that my users were not listed under Domain Users, they were listed as Domain Admins. So I added them to the Domain Users group, restarted the TS Gateway service and poof, everything started working.
I don't know how the users got set up like that but I did migrate from a previous SBS 2003 installation to this SBS 2008 installation. Maybe it happened in the transition.
adding BusinessProductivity/ShowAllComputers open so all computers are listed for all users in RWW connect to computer; but overwrites settings per user which computer they are allowed to access and see in list.
I'm looking not to have anyone login to any system but just to list my terminal server in the list of choices when giving rights to individual users under user properties, remote access in SBS console.
Have you seen this.
We set up a new SBS server and have a remote (previously domain joined) client that uses RWW. All is fine EXCEPT that some add-on in IE7 is creating LOG files that are "duplicates" of the HTML pages IE7 is browsing in the root of C:
e.g. If IE7 opens up yahoo.com, remote.customerdomain.com and google.com, then IE7 creates three corresponding files *.log in the root of the C drive. This happens every time the browser is launched or a page refreshes. It's strange. When we launch IE7 without add-ons, the problem disappears, but of course we need the RDP add-on - any ideas? Thanks...
My question is: how do I prevent the "Internal Web Site" desktop shortcut and the "Small Business Server 2008" program folder in the Start Menu from showing up every time a new user logs into a computer? I assume this is a Group Policy setting, but I am unable to locate it. I disabled the ever persistent CompanyWeb homepage in Internet Explorer this way. Any help would be greatly appreciated. Thanks in advance!
"I disabled the ever persistent CompanyWeb homepage in Internet Explorer this way",
where did you disable this in the GPO?
thanks in advance