Re: SBS 2008 - IIS Remote Web Workplace - stop default redirect
- From: Ian Morris <IanMorris@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 9 Mar 2009 10:44:05 -0700
I agree and wish I would. However, Microsoft SBS2008 does not allow this. The
platform has Exchange, sharepoint, IIS7 etc all bundled preconfigured on a
domain controller. When you install the operating system they are all there
and active... you do not even need to install the roles. Hence you can sense my
concern over the size of the attack surface and wanting to do what I can to
reduce it. I did consider multiple servers running server 2008 standard in
a DMZ and using Edge transport to Exchange. However, with only 8 computers
and the need then to buy Exchange, 2xServer 2008, Sharepoint, IIS, Forefront
etc it proves expensive!
Maybe if I get a spare machine I can configure some sort of Internet
security server... it's hard when there is only one of me!
Kind regards
Ian
Steve Foster has provided a workaround which seems to work fine.
"Lanwench [MVP - Exchange]" wrote:
Ian Morris <IanMorris@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:.
Various devices on the LAN do use http that are accessible from the
internet (e.g. CCTV).
I'd view that as an unacceptable security risk, myself. Can't you put those
on a separate network segment/DMZ
configured in your perimeter device?
SBS 2008 has severe restrictions when it comes
to things like allocating IP addresses (it will ONLY support a
single class C subnet)
As opposed to multiple ones bound to a single NIC? That'd be a bad config
for a domain controller anyway. Seriously, why does this stuff need to be on
the LAN segment? If you have a decent firewall appliance you can probably
set up a DMZ therein, and allow all LAN-->DMZ traffic if you want access to
it - without allowing the reverse. You can also do one-to-one NATting so you
can use a different public IP (and different rules).
which causes significant problems. SBS2008
only really supports a single (or in some cases 2) servers
No, you can put as many as you like in, pretty much.
and comes
with everything packaged (e.g. Exchange, Sharepoint, IIS, DHCP etc)
making it hard to isolate one product from another.
You can't. That's one reason why it's far less expensive than the regular
enterprise products.
IIS comes
preconfigured with OWA, Connect, Companyweb, remote web workplace,
sharepoint services etc. It would seem reasonable to assume that
various websites could be turned off without affecting other ones.
Yes, that's true, but you really shouldn't screw around with it.
One of the problems with everything preconfigured is that as an
administrator, it isn't always clear how they were pre-configured (and
what they depend on) and therefore knowing whether blocking a
networking protocol will have an impact on functionality.
Understood.
Hence it seems safer to turn off the http to https redirect and go
from there.
One of my concerns is that in SBS 2008 all the websites use Standard
names. In IIS6 it was easy enough to just rename them, but in IIS 7
they need to be recreated with a new virtual path. This means that
if someone knows you are running SBS2008 they already know which
virtual paths are likely to be used which they can then start to
attack. Although I can create new virtual paths etc, if I cannot
change the default re-directs then I cannot easily disable the
default sites without errors arising.
Again, in SBS, you risk much if you screw around with its defaults. I tend
to err on the side of caution.
"Lanwench [MVP - Exchange]" wrote:
Ian Morris <IanMorris@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Yes, I would need to do that at the server, since we have other
web-sites using http.
Surely you don't have these on your LAN.
I would also need to be careful about whether
that impacted other network traffic that may use http. Was just
wondering about IIS7, it was all rather straightforward in IIS 5/6.
"Paul Shapiro" wrote:
You could block http at the firewall and only forward https to the
sbs server.
"Ian Morris" <IanMorris@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:995B1359-0184-45B8-93F7-14666570C13D@xxxxxxxxxxxxxxxx
Currently in SBS 2008 if a user types http://remote.public.domain
the server
redirects this URL to https://remote.public.domain/remote to
authenticate for
remote web workplace.
Is there any way I can remove this automatic redirection so that
the user is
required to type https://remote.public.domain/remote to connect to
remote web
work place?
In sbs2003 we removed this type of redirect because when people
browsed to the public ip address they could see there was a logon
portal. This was then
subjected to continual attack. In sbs 2003 we replaced the default
webpage with a plain html file (and no links) and connected to
remote workplace by directly typing the virtual path in the URL.
The attacks dropped from hundreds per day to none in three years.
I have looked everywhere in IIS7, including the redirect options
but can find nothing. Can someone explain either what Microsoft
have done to create
this re-direct or, preferably, how I can turn it off?
Many thanks
Ian