SBS 2008: Introduction to Remote Web Workplace

SBS 2008: Introduction to Remote Web Workplace

  • Comments 6
  • Likes

[Today's post comes to us courtesy of Shawn Sullivan and Moloy Tandon]

Just as it was in SBS 2003, Remote Web Workplace (RWW) is an integral component in the SBS feature set for 2008. Its purpose is to provide a secure centralized web portal for employees and administrators to access network resources. Users can perform the following actions when logged in:

  1. Check their E-mail.
  2. Access the Internal Web Site (CompanyWeb).
  3. Connect to a computer through RDP (only network admins can connect to the SBS server)
  4. Change their domain password
  5. Access help and configuration information for RWW
  6. Access customized corporate links (more information available at: http://technet.microsoft.com/en-us/library/cc527586.aspx)

RWW is installed on the server during SBS Setup, but is not fully configured for Internet access until you complete the “Internet Address Management Wizard” (IAMW). Note: If you are using a 3rd party SSL certificate, you must complete the “Add A Trusted Certificate Wizard” also. It is installed as the remote virtual directory under the SBS Web Applications site, which accepts SSL connections on port 443. By default, the IAMW will add the prefix “remote” to your chosen domain name to distinguish the SBS 2008 in your web presence as the remote user portal. In this case, if you chose contoso.com as your domain name, you would access RWW using “https://remote.contoso.com”.

For full access to the RWW feature set from the Internet, you must ensure the following:

  1. TCP 443 and TCP 987 (For SharePoint) are open on your Internet firewall.
  2. Clients are running Internet Explorer 6.0 SP2 or higher
  3. The RDP 6.1 client or higher is installed on the client machine
  4. The client must trust the SSL certificate that is installed on the SBS Web Applications site
  5. The client must connect using the URL that matches the common name on the certificate.

Features

From a centralized location, users can launch OWA, connect to an authorized computer, launch CompanyWeb, change their password, and access the built-in corporate links (help for RWW and Outlook Anywhere) or customized links (these links are shared with the Vista Desktop Gadget).

clip_image002

Administrators and users are presented with the same features upon login to the homepage, with the following exceptions:

  1. Users are not offered the “Connect to Server” option. Only network administrators can connect to the SBS server.
  2. Users are not presented with the “Administration” links

SBS Console Integration

From the SBS 2008 console, you can perform a variety of management tasks for the website itself. You can access this under “Shared Folders and Web Sites”. The various tasks you can perform include:

  1. Enabling or disabling the website
  2. Browse the website (opens in IE using https)
  3. Add or remove users permissions to login to RWW
  4. Enable or disable RWW homepage links (OWA, Connect to Computer, Internal Website, Change Password, Connect to Server, Help, and Remote Web Workplace Link List)
  5. Manage Organizational and Administrative links that are displayed upon user login. Here you can enable/disable them, change permissions (who can see them), remove them or add new ones, or change their titles

clip_image004

Login Requirements

As it did in SBS 2003, RWW uses forms based authentication, which stores the encrypted credentials from the user’s initial login as a cookie in the web browser. This cookie is used to authenticate further connections to restricted resources inside RWW, such as OWA and CompanyWeb. Only members of the Windows SBS Remote Web Workplace Users security group are allowed to login to RWW. To modify membership for this group, use the SBS 2008 Console:

clip_image006

User Account Properties for RWW Login Rights

clip_image008

Launching OWA and CompanyWeb

When OWA and CompanyWeb are launched in RWW, your browser is connected to either https://remote.domain.com/owa or https://remote.domain.com:987 respectively; where remote.domain.com is the domain name that you have configured in the IAMW. By default, they open in their own restricted Window with no address or navigation bar, preventing you from navigating to a different site in the same window. You can override this (only in IE 7) on the client machine by opening Tools > Internet Options > General > Tabs > Settings and allowing pop-ups to be opened in a new tab:

clip_image010

Connect to a computer

When a user clicks “Connect to a computer”, they are presented with a list of computers in which they are authorized to connect to and set as their default. Once they choose a default computer, they will no longer be presented with a list and will connect automatically to their chosen machine. Note: If the user is authorized to only a single machine, a list is not shown and instead will be directly connected to their authorized machine. This is meant to give the Administrator greater control over what machines their users can connect to. This information is defined both on the user account and computer account properties from the SBS 2008 console:

clip_image012

Computer account properties:

clip_image014

Once “Can log on remotely to this computer” is checked, the next group policy refresh will add the user account to the “Remote Desktop Users” local group on the machine. Note: Administrators automatically have the right to remotely connect to any machine in the domain.

If you have installed Terminal servers in your domain, you can run into a problem where they will not show up in the list of computers to connect to for standard users. To override this behavior to display all computers in the domain, perform the following:

  1. To open the Registry Editor, click Start, click Run, type regedit in the text box, and then press ENTER.
  2. Browse to HKEY_LOCAL_MACHINE\Software\Microsoft\SmallBusinessServer.
  3. Right-click SmallBusinessServer, click New, and then click Key.
  4. Name the key BusinessProductivity.
  5. Right-click BusinessProductivity, click New, and then click DWORD (32-bit) Value.
  6. Name the new value ShowAllComputers.
  7. Right-click ShowAllComputers, type 1 in the Value data text box, and then click OK.

clip_image016

TSGateway Integration

RWW in SBS 2008 leverages the TSGateway service that is running on the SBS server to perform the remote desktop connection to the chosen machine. Like RWW, TSGateway is fully enabled when the IAMW is completed (“Add a Trusted Certificate” must also be completed if you are using a 3rd party SSL certificate). This allows remote desktop connections to your domain-joined machines through port 443. This is different from RWW in SBS 2003, where you had to open port 4125 through your firewall.

The following screenshot shows what an RDP connection to TSGateway looks like. We can see that the “Gateway server” field is populated with the URL of the server, which is resolvable both externally and internally in DNS. The “Remote computer” field is populated with the internal machine name of the computer that we are connecting to:

clip_image018

You can, in fact, configure the RDP 6.1 client or higher to connect directly through TSGateway without having to first login to RWW. The only difference between this and connecting through RWW is that RWW does this for you automatically. Click on “Options” > select the “Advanced” tab > and click on “Settings” under “Connect from Anywhere” to display the TSGateway configuration settings:

clip_image020

Enter in the URL for the SBS 2008 server (which you configured during the IAMW)

clip_image022

Finally, on the “General” tab, enter the internal machine name of the computer you wish to connect to:

clip_image024

Additional Information

If you are having issues connecting to RWW or TSGateway, visit the following posts:

For non domain-joined machines and mobile devices, you must install the certificate distribution package for proper web access to the server (if you are not using a trusted 3rd party SSL certificate):

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
Comments
  • PingBack from http://www.web2designer.org/news/index.php/2009/06/web2design-sbs-2008-introduction-to-remote-web-workplace-news/

  • I had alot of issues lately where I could not login to computers using RWW on SBS 2008.  I kept getting the VBscript error 50331676.  I saw some troubleshooting steps on this page http://blogs.technet.com/sbs/archive/2009/06/19/common-remote-web-workplace-rww-connect-to-a-computer-issues-in-sbs-2008.aspx but none of them worked for me.

    After some digging I realized that my users were not listed under Domain Users, they were listed as Domain Admins.  So I added them to the Domain Users group, restarted the TS Gateway service and poof, everything started working.

    I don't know how the users got setup like that but I did migrate from a previous SBS 2003 installation to this SBS 2008 installation.  Maybe it happened in the transition.

  • adding BusinessProductivity/ShowAllComputers open so all computers are listed for all users in RWW connect to computer; but overwrites settings per user which computer they are allowed to access and see in list.

    I'm looking not to have anyone login to any system but just to list my terminal server in the list of choices when giving rights to individual users under user properties, remote access in SBS console.

    any ideas?

  • Have you seen this.

    We setup a new SBS server and have a remote (previsoulsy domain joined) client that uses RWW.  All is fine EXCEPT, that some add-on in IE7 is creating LOG files that are "duplicates" of the HTML pages IE7 is browsing in the root of C:

    e.g.  If IE7 opens up yahoo.com remote.customerdomain.com and google.com, then IE7 creates three corresponding files *.log in the root of the C drive.  This happens everytime the browser is launched or a page refreshes.  It's strange.  WHen we laucnh IE7 without add-on,s the problem disappears, but of course we need the RDP add-on - any ideas?  Thanks...

  • My question is: how do I prevent the "Internal Web Site" desktop shortcut and the "Small Business Server 2008" program folder in the Start Menu from showing up every time a new user logs into a computer?  I assume this is a Group Policy setting, but I am unable to locate it.  I disabled the ever persistent CompanyWeb homepage in Internet Explorer this way.  Any help would be greatly appreciated.  Thanks in advance!  

  • Tony,

    You wrote:

    "I disabled the ever persistent CompanyWeb homepage in Internet Explorer this way",

    where did you disable this in the GPO?

    thanks in advance

    Dan