Re: RWW 403 forbidden error



Hi Bob,

Let's take a look at the CEICW log file when CEICW fails....

C:\Program Files\Microsoft Windows Small Business Server\Support\icwlog.txt

First delete or rename icwlog.txt. (This will allow a fresh copy of the
file to be created when you run CEICW). Then re-run CEICW and post the
resultant icwlog.txt file for us to look at (just copy and paste into your
reply).

--
Merv Porter [SBS-MVP]
============================

"BobS" <PackerIntl@xxxxxxxxx> wrote in message
news:C02DC9D3-EB90-428B-B49B-D9524A03F9C3@xxxxxxxxxxxxxxxx
Merv,

There does not appear to be any phantom devices. The extra 2 adapters
were in fact, as I said earlier, Panda bindings to the adapter and to the WAN
Miniport (IP). To verify that this was not the problem, I uninstalled the
Panda FileSecure module and then the BPA did not give the error about 3
adapters and the extras were gone in device manager.

However, RWW still did not work.

As per the instructions in your link below, I reinstalled RWW; still does
not work.

I am pretty sure I mentioned this earlier, but when running CEICW after
the reinstall, when it gets to the Firewall (second stage of the
configuration) it fails. It brings up a dialog that says "An error
occurred while configuring a component." (The Panda module is still
uninstalled). I do not know which log to look at for a clue as to what
happened. I told it to continue with the configuration of the other
components but as I said, RWW still does not work.

So to make sure I didn't do anything wrong, I ran it again with all the
same settings. Though I told it to continue with the other components
last time, it apparently did not because the Web Services Components were
not enabled. I clicked the radio button to enable them again. This time
there were no errors (???). And when I was done, the Web Service
components show up as allowed. But alas, still no RWW.

Just for grins and giggles I tried to start the Windows Firewall/ICS
service. It failed: Error 170. That is probably normal since there is
only 1 nic, but just thought I would try.
Support at Panda had me reset the winsock catalog just to see if that
might help. It did not.

Here's hoping that you are not completely frustrated yet.

"Merv Porter [SBS-MVP]" <mwport@xxxxxxxxxxxxxxxxxxx> wrote in message
news:O865XTuDJHA.5316@xxxxxxxxxxxxxxxxxxxxxxx
And you may be close to reinstalling RWW...

Setting Up RWW
http://groups.google.com/group/microsoft.public.windows.server.sbs/browse_thread/thread/3a671f95de265047/47f9e62a5da45fc4?hl=en&lnk=st&q=setting+up+rww#47f9e62a5da45fc4

--
Merv Porter [SBS-MVP]
============================

"Merv Porter [SBS-MVP]" <mwport@xxxxxxxxxxxxxxxxxxx> wrote in message
news:%23ydT3IuDJHA.4800@xxxxxxxxxxxxxxxxxxxxxxx
SG raises a good point about the Trend Micro (antivirus) firewall and
the SBS 2003 BPA. If you're not using Trend Micro, maybe you have a
"phantom" NIC left over from the Swing Migration:

Display "phantom" devices

1. Click Start, click Run, type cmd.exe, and then press ENTER.
2. Type set devmgr_show_nonpresent_devices=1, and then press ENTER.
3. Type Start DEVMGMT.MSC, and then press ENTER.
4. Click View, and then click Show Hidden Devices.
5. Expand Network Adapters.

Delete any phantoms you find.

Also, make sure you have the latest driver for the Broadcom NIC.

--
Merv Porter [SBS-MVP]
============================

"BobS" <BobS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:FE14F943-B4F7-4C6E-9337-073A987A63FD@xxxxxxxxxxxxxxxx
Merv,

What a great tool. How is it that I have heard about Best Practices but
never heard of this analyzer? Thanks,

Anyway, I have not solved the problem, but I think the BPA may have
pointed out the problem. One of the critical errors says that: "Three or
more network adapter cards were detected" and that this will cause the
CEICW to fail.

Now how do I correct this? I looked in device manager and there is only
one network adapter there. Where do I look to seek and destroy the other
2 adapters (that really don't exist)?

I exported the logs from SBS BPA, but have never had any luck trying to
attach a file here. Is there a way to do that or is there someplace else
I could post them? I am just now trying to put up an ftp site on my
server and I have posted them there if you can get to it:
ftp://rww.packerintl.com.

Thanks; I anxiously await your instructions.
--
Bob Showalter
Packer International


"Merv Porter [SBS-MVP]" wrote:

https://mail.westernwaterandland.com/remote does not resolve the RWW
problem.
Using your WAN IP address in place also does not resolve the problem.

OK, let's try... Install and run a scan with the SBS 2003 BPA:

Microsoft Windows Small Business Server 2003 Best Practices Analyzer
http://207.46.19.190/downloads/details.aspx?familyid=3874527A-DE19-49BB-800F-352F3B6F2922&displaylang=en

Small Business Server 2003 Best Practices Analyzer Updated
http://blogs.technet.com/sbs/archive/2008/02/20/small-business-server-2003-best-practices-analyzer-updated.aspx

How to Use the Windows SBS 2003 BPA
http://blogs.technet.com/sbs/archive/2007/10/22/how-to-use-the-windows-sbs-2003-bpa.aspx


--
Merv Porter [SBS-MVP]
============================

"BobS" <BobS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A3947259-5E40-4F6E-BB45-30EF110A997B@xxxxxxxxxxxxxxxx
My, how I admire perseverance; and appreciate it for something like
this.

Responses to all 3 of your posts are here:

1. Results of ipconfig /all


Windows IP Configuration

Host Name . . . . . . . . . . . . : hal
Primary Dns Suffix . . . . . . . : WesternWaterandLand.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : WesternWaterandLand.local

Ethernet adapter Server Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : 00-21-9B-F9-AD-08
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.254.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.254.1
DNS Servers . . . . . . . . . . . : 192.168.254.2
Primary WINS Server . . . . . . . : 192.168.254.2

2. Yes, port 4125 is forwarded to the server nic (192.168.254.2), as are
all of the other ports concerned with remote access of different types
(443, 444, 21, ...)

3. All of the settings for Directory Security for the "Remote" virtual
web site are exactly as you have them below.

4. I also cleared out the W3SVC1 log for the day and then tried to log in
to RWW. The contents of the log after the failed attempt are as follows:

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-09-04 05:11:29
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs-host sc-status sc-substatus sc-win32-status
2008-09-04 05:11:29 W3SVC1 HAL 192.168.254.2 GET /remote - 80 - 216.52.47.231 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506;+InfoPath.2) rww.westernwaterandland.com 302 0 0
2008-09-04 05:11:35 W3SVC1 HAL 192.168.254.2 GET /remote - 80 - 216.52.47.231 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506;+InfoPath.2) rww.westernwaterandland.com 302 0 0
2008-09-04 05:11:35 W3SVC1 HAL 192.168.254.2 GET /remote - 443 - 216.52.47.231 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506;+InfoPath.2) rww.westernwaterandland.com 301 0 0
2008-09-04 05:11:35 W3SVC1 HAL 192.168.254.2 GET /remote/ - 443 - 216.52.47.231 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506;+InfoPath.2) rww.westernwaterandland.com 403 14 5

5. On your other post for the settings for Default Website and Remote
Virtual Website Directory Security; what I have is exactly as you have it
specified.

Thanks again for your perseverance.

--
Bob Showalter
Packer International


"Merv Porter [SBS-MVP]" wrote:

And here's a list of all settings for the properties of the "Remote"
virtual web site under the Default Web site in IIS...

For RWW:

1. Open IIS snap-in.
2. Go to Default Web Site/Remote.
3. Right click Remote and click Properties.
4. Click Directory Security tab.
5. Click Edit under "Authentication and access control".
6. Make sure that only the "Enable anonymous access" and "Integrated
Windows Authentication" have been checked.
7. Click Edit under "IP address and domain name restriction".
8. Make sure that "Granted access" has been selected.
9. Click Edit under "Secure communications".
10. Make sure that "Require secure channel (SSL)" and "Require 128-bit
encryption" have been checked.


--
Merv Porter [SBS-MVP]
============================

"Merv Porter [SBS-MVP]" <mwport@xxxxxxxxxxxxxxxxxxx> wrote in
message
news:OU27$KhDJHA.1184@xxxxxxxxxxxxxxxxxxxxxxx
Is port 4125 correctly forwarded in the router to the IP address of the
SBS NIC?

--
Merv Porter [SBS-MVP]
============================

"BobS" <BobS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6B023657-EAF6-4E91-9C1F-182E999B4CCD@xxxxxxxxxxxxxxxx
Thanks Merv,

Those are the settings I have. It is a single NIC system.
--
Bob Showalter
Packer International


"Merv Porter [SBS-MVP]" wrote:

Directory Security settings... (on a two NIC system, if that matters)

IIS | <yourserver> | Web Sites | Default Web Site | Properties |
Directory Security | IP Address and Domain Name Restrictions | Edit...

Settings should be Denied Access;
Except the Following: Granted 192.168.16.2 (255.255.255.0)
Except the Following: Granted 127.0.0.1

IIS | <yourserver> | Web Sites | Default Web Site | Remote | Properties |
Directory Security | IP Address and Domain Name Restrictions | Edit...

Granted Access

--
Merv Porter [SBS-MVP]
============================

"BobS" <BobS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:350FE9EE-EC90-4F57-87AB-45BE4B72CB2B@xxxxxxxxxxxxxxxx
Merv, thanks for continuing to try. No luck yet. Here is what I did with
your last set of suggestions:
1. I reran CEICW removing RWW (and all other website services, OWA and
SharePoint). Rebooted. Ran it again enabling those 3 services. Rebooted.
It made no difference. You mentioned enabling the firewall, but with only
one NIC, firewall is external. However, when it rebuilt, in going through
the steps, when it came to "Configuring the firewall" it said that it
failed, even though it gave the normal warning that with only one NIC it
could not install a firewall. I ran it a second time and it did not give
that warning and went right past the firewall stage with a green check.
Still though no access through RWW.

2. Checked Issue 6 of the referenced BLOG which seemed to be a lesser
reiteration of step one above so didn't try it again.

3. The RWW virtual directory seems to be installed under the default
website in IIS Mgr if it is the one called "Remote" (we are getting
dangerously close to the limits of my knowledge here). I couldn't say if
it is all intact. What I did check was that if I looked at the Directory
Security and it is set to Grant Access to all IPs. I did take notice that
during step one above, that security changed to deny all except the
server IP. When I went back to enabling RWW it changed to Grant Access.

4. Using https://.... makes no difference.

5. Not really sure where to check the binding of the NICs. I remember
that from NT, but haven't had the need to look at it since.

I will give one other piece of history on the issue. When the problem was
first brought to my attention a few days after the migration was
"complete", I spent several days trying things. I managed to get the
server to the point that the network did not work at all, and people could
not log on or connect to shared drives. I could not seem to get things
back to working, so put in the SBS DVD, and either reinstalled all
features except Exchange (or uninstalled and installed, I can't remember
which). After that, I was back to the place I am now with everything
working on the system except RWW.

One other note that I don't know if it is of any consequence for my
problem is that very often (perhaps always, I don't know) one of the
exchange services does not start when restarting the system and I have to
go to the Services snap-in and start it manually, even though it is set to
automatic.

Thanks for the patience. I will wait for other input as I continue to
research also.


--
Bob Showalter
Packer International


"Merv Porter [SBS-MVP]" wrote:

Maybe something to try...

Re-run CEICW, enable the firewall and uncheck Remote Web Workplace,
complete the rest of CEICW. Reboot server, then re-run CEICW again, this
time enabling RWW.

see issue No.6 here
http://msmvps.com/blogs/bradley/archive/2006/02/12/83381.aspx

Is the RWW virtual web site actually installed under the Default web site
(all files intact)?
Binding order of NICs OK?
Does using https://<IP_address>/remote allow RWW access?

--
Merv Porter [SBS-MVP]
============================


"BobS" <BobS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:287F53B3-38EC-4D40-AEDB-E576595E258E@xxxxxxxxxxxxxxxx
Again, thanks for the reply. Hmmmm is not what I had hoped for, but I
understand. I have done this before for many clients without a hiccup. I
tried resyncing the IWAM and IUSR passwords as suggested by Jeff
Middleton; I have looked at many of the other posts on the newsgroup. I
see one that





