Re: Netopia 3347NWG with Remote Desktop and Remote Web Workplace



The Shields Up! report is as expected because port 4125 is opened
dynamically (i.e., only when required).

Glad you're back in business Greg!

--
Merv Porter [SBS-MVP]
============================

"Greg Kirkpatrick [SBSC,MCTS-Vista,MCITP]" <greg@xxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:DD607D72-7639-46E4-8D4C-4A32CD3FB8C6@xxxxxxxxxxxxxxxx
I disabled RRAS as you suggested, via MMC, and I re-ran CEICW, configuring
Firewall and VPN, etc. I then ran Remote Access Wizard. Both completed
without errors.

I then ran a SHIELDS UP probe at www.grc.com and got these results:


----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2008-05-19 at 22:46:36

Results from scan of ports: 443, 444, 3389, 4125

3 Ports Open
1 Ports Closed
0 Ports Stealth
---------------------
4 Ports Tested

NO PORTS were found to be STEALTH.

The port found to be CLOSED was: 4125

Other than what is listed above, all ports are OPEN.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

----------------------------------------------------------------------

Despite this, Remote Web Workplace DOES WORK now, and Connect to Server
Desktops (and Connect to Client Desktops) are also WORKING now!
Apparently, disabling RRAS in MMC as suggested and re-running CEICW and
Remote Access Wizards fixed the problems.

Thank you, thank you, thank you, Merv!



"Greg Kirkpatrick [SBSC,MCTS-Vista,MCITP]" wrote:

Nom=, KB 886209 does not apply, as when I ran this command
netstat -aon | find ":4125"
I got absolutely no response.

Then, when I tested port 4125 via SHIELDS UP (https://www.grc.com) I got
"Stealth" as the response (443, 444, and 3389 were OPEN).

"Merv Porter [SBS-MVP]" wrote:

And maybe...

Users cannot connect to remote desktops by using the Windows Small
Business Server 2003 Remote Web Workplace
http://support.microsoft.com/kb/886209

--
Merv Porter [SBS-MVP]
============================

"Merv Porter [SBS-MVP]" <mwport@xxxxxxxxxxxxxxxxxxx> wrote in message
news:OOPnL5TuIHA.5832@xxxxxxxxxxxxxxxxxxxxxxx
Sounds like you're getting closer Greg. :-)

What error message are you getting when you try to access a workstation
via RWW? In your router, are you sure you have port 4125 forwarded to
your external NIC (192.168.2.10)?

You can take the router out of the equation by connecting a spare
workstation or laptop to a port on the router, putting it in a
workgroup, giving it an IP address in the same range as the LAN side of
the router (192.168.2.x) and giving it a gateway of the router IP
address (192.168.2.10). Then try to RWW into the server and
workstations. If you still can't, then there is a configuration or
software issue with the SBS server.

--
Merv Porter [SBS-MVP]
============================


"Greg Kirkpatrick [SBSC,MCTS-Vista,MCITP]"
<greg@xxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message
news:1FDE6D63-94B1-4631-913A-49F23E1DA198@xxxxxxxxxxxxxxxx
Again, Merv, thank you for your help!

I figured out the reason Exchange Best Practices Analyzer could not
connect to the server -- a mistyping in the previous entry was the
culprit. It's working fine now, with (almost) no issues, and certainly
no critical ones.

While Remote Web Workplace is working, and Remote Desktop Connection
will connect directly with the server (port 3389 is forwarded to
192.168.2.10, the WAN Ethernet adapter of the server), I cannot Connect
to Server Desktops or Connect to Client Desktops from Remote Web
Workplace. I have seen this problem in newsgroups previously, so
perhaps I can find the solution.



"Greg Kirkpatrick [SBSC,MCTS-Vista,MCITP]" wrote:

Okay, while waiting, I ran the Exchange BPA anyway (after applying the
Exchange BPA updates), and here are its results:

Paging file larger than Physical Memory
[this was not strictly correct, as the current paging file was 2048MB,
and the Physical Memory is 3.50GB; however, the automatically-created
settings had a custom size of 2048MB initial and 5348MB maximum, so
perhaps it was this that triggered the error...no matter, it was a good
time to reduce the paging file on the Windows drive to 200MB and create
a static one of 3500MB on another drive.]

RPC binding does not contain FQDN
The 'ncacn_ip_tcp' binding for server SBS2003 does not contain a
fully-qualified domain name.
[fixed]

Database backup critical
Database 'Public Folder Store (SBS2003)' on server SBS2003 has never had
a full online backup.
[fixed]

Network interface driver file is more than two years old
[noted...there is no newer file available]

Storage driver is more than two years old
[noted...there is no newer file available]

The 'fast message retrieval' option is not enabled on IMAP4
[fixed]

The Network News Transfer Protocol (NNTP) service is running on server
sbs2003
[now disabled and stopped]

Application log size
As a best practice, the size of the 'Application' log on server
sbs2003.domain.local should be increased. The current size is 16MB. For
servers running Microsoft Exchange, a size of 40MB or more is
recommended.
[fixed...set to 40960KB]

Consider setting TarpitTime
Recipient filtering is enabled on server sbs2003.domain.local. As a best
practice, consider setting the 'TarpitTime' parameter as recommended in
Microsoft Knowledge Base article 899492.
[registry entry made, and request made for Hotfix from KB article 899492
via "Contact Us: Hotfix Request Web Submission Form"...which Microsoft
seems to keep moving to try to hide, but is currently at:
https://support.microsoft.com/contactus/emailcontact.aspx?scid=sw;en;1414&WS=hotfix ]

Enable automatic updates for message filtering
Automatic update for the Intelligent Message Filter is not enabled on
server SBS2003. To improve the effectiveness of the filter, follow the
instructions outlined in Microsoft Knowledge Base article 907747.
[why must this be a download-only .DOC file? First it says you should
enable automatic updates for message filtering, then it says you should
not have them automatically installed!! -- and this is only the tip of
the Intelligent Message Filtering options. Done.]

Crash upload logging disabled
Exchange fatal error information on server sbs2003.domain.local is not
automatically sent to Microsoft for analysis. It is recommended that you
enable this feature through the Exchange System Manager.
[now enabled]

Sink registration not found Small Business Server Attachment Remover
Transport event sink 'Small Business Server Attachment Remover' was
found in the metabase for SMTP instance '1' on server
sbs2003.domain.local but its registration could not be found.
Registration expected in HKEY_CLASSES_ROOT\CLSID\.
[this is one I'm going to need help with...the instructions on what to
do to re-register the sink dll's are clear, but when I ran them as
instructed from the \Program Files\Exchsrvr\Bin directory, I got errors
for each one, all of them similar to this last one:
---------------------------
RegSvr32
---------------------------
msgfilter.dll was loaded, but the DllInstall entry point was not found.

This file can not be registered.
---------------------------
OK
---------------------------

So much for Exchange Best Practices Analyzer.

As for the Small Business Server 2003 Best Practices Analyzer, I was
already automatically seeking and downloading updates, so I was using
the latest version.

I followed the steps to ascertain the "IP Address and Domain Name
Restrictions" of the Default Web Site, and it was already set to Grant
Access with nothing listed as exceptions. Knowing how these settings can
sometimes be entered in the Registry incorrectly, I reset this to Deny
Access (applied to all) and clicked OK and APPLY and OK, then repeated
the steps to change it back to Grant Access.

One thing I did notice is that for anonymous access to the Default Web
Site, it is checking the password for IUSR_SBS2003, and perhaps the
problem is there. I reset the password for this user in AD, and changed
it for Default Web Site and the other Virtual Directories in IIS Admin,
as well as for each of the Web Sites under the Virtual Directories that
had anonymous access checked.

In the message thread you mentioned, there was a mention of an ISAPI
Filter sbssft.dll for Default Web Site. It was not there, and I have
added it. However, I question whether it is indeed necessary, since a
working-RWW SBS server does not have this entry.

Having rebooted the server, it appears I have done something wrong, as
the Exchange Best Practices Analyzer now cannot connect to the first
administration group under the SERVER -- there is an orange circle with
a white X next to it.

However, I just tested from an external connection, and REMOTE WEB
WORKPLACE IS NOW WORKING !!!

Huzzah, Merv! Thank you.

That fixes both RWW and RDC, so I think I'll stop this thread, and start
a new one in the Exchange newsgroup.


"Merv Porter [SBS-MVP]" wrote:

That second link should be:

Small Business Server 2003 Best Practices Analyzer Updated
http://blogs.technet.com/sbs/archive/2008/02/20/small-business-server-2003-best-practices-analyzer-updated.aspx


Also, let's look at IP restrictions (as in this thread):
http://groups.google.com/group/microsoft.public.windows.server.sbs/browse_thread/thread/1c4d49062fbed5c0/6ef2c2be383e1d30?hl=en&lnk=st&q=RWW+Lost+after+SBS2003+Reinstallation#6ef2c2be383e1d30


This issue can be caused by incorrect IP restriction settings. Let's try
following steps to see if it works:

1. Open Server Management and expand to Internet Information Services
node.
2. Open the Default Web Site's properties
3. Click the Directory Security tab.
4. Click the Edit button next to the IP Address and Domain Name
Restrictions heading.
5. Click to choose Granted Access and remove all the entries.
6. Click OK.

--
Merv Porter [SBS-MVP]
============================

"Greg Kirkpatrick [SBSC,MCTS-Vista,MCITP]"
<greg@xxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message
news:71331AC0-ADFC-44C4-B515-AB5FCC9FFB1A@xxxxxxxxxxxxxxxx
Correct -- the working-RWW server is named "win2003", but it is an SBS
2003 Premium R2. The non-working-RWW server is named "sbs2003" and it is
an SBS 2003 Premium R1. Hopefully, that won't make any difference in
RWW's setup.

Your second link was the same as the first, perhaps you meant this one?
Microsoft Exchange Best Practices Analyzer Web Update Pack
http://www.microsoft.com/downloads/details.aspx?familyid=4f2f1339-cbcd-4d26-9174-f30c10d7ec4c&displaylang=en

When I ran SBS 2003 Best Practices Analyzer, I got these 6 warnings:
Network driver is more than a year old [I know this, but there doesn't
appear to be an update, either from OEM, Tyan (most recent 2006/01/09)
or from Vendor, nVidia (most recent 2006/07). ]
EDNS is enabled [never heard of this, but I followed the steps to
disable it]
The OWA update is not installed [it is now]
Reverse DNS zone does not allow for secure updates [so why wasn't this
set automatically? it does now.]
Windows Backup Wizard has not yet run [I know -- I was waiting to get
this clean, but now's a good time, I think]
Microsoft Outlook 2003 is missing [from the ClientApps folder--I hadn't
installed Outlook 2003 or IE6, as all the workstations are on Office
2007 & IE7, but to keep BPA happy, I did so]

The Reverse DNS message was a tad vague:
You should configure Reverse Lookup Zone: 16.168.192.in-addr.arpa to
allow only secure dynamic updates. To configure the Reverse Lookup Zone,
click Start, point to Administrative Tools, and then click DNS.
Right-click


.