SBS 2008 Port Forward Question

Discussion in 'Windows Small Business Server' started by Richard K, Sep 2, 2009.

  1. Richard K

    Richard K Guest

    SBS 2008 Std
    mydomain.com

    Ok, I am coming across some conflicting information so I am looking for some
    clarification. I have set up an SBS 2008 server and configured an internet
    domain name in the sbs (remote.mydomain.com). From there I purchased an SSL
    certificate (from Godaddy) and have installed it on the server.

    Normally I only open ports 443, 444, 25 and 4125 to the server (I also open
    3389 for direct RDP connections) for my SBS 2003 servers. I do NOT open
    port 80. I read in the SBS 2008 Console a note about opening port 80 which
    I think will redirect to 443 if I do open it up. Right now I can tell my
    users to open up IE and go to https://remote.mydomain.com which starts up
    the /remote page. Should I also turn on port 80 so users have to type in just
    "remote.mydomain.com" and it will redirect to https://remote.mydomain.com
    for the remote session?

    Also, the 444 port was for the sharepoint/companyweb. I think it has now
    changed to 987, so is it valid to say turn off 444 and turn on 987 for SBS
    2008 servers?

    Thanks!

    -Richard K
     
    Richard K, Sep 2, 2009
    #1

  2. Port 444 was used for SharePoint in SBS 2003; in SBS 2008 use 987 for
    SharePoint, so it is valid to say switch off 444 and open 987.

    In case of port 80 you do not need to open it, you can just ask the users to
    type https://remote.domain.com. By not opening port 80 you won't lose any
    functionality apart from automatic redirect to port 443.

    With kind regards
    Krystian Zieja
    http://www.projectenvision.com
     
    Krystian Zieja, Sep 3, 2009
    #2

  3. Richard K

    Richard K Guest

    But if I do open up port 80 will the users be able to just type in
    "remote.mydomain.com" and they will be redirected to
    https://remote.mydomain.com? I know it may sound trivial but it's so much
    easier telling them remote.mydomain.com vs. the whole https:// part because
    most people miss the "s" part and can't figure out why it won't work. Is
    that also safe on the server if I open port 80?

    OK, on the 987 vs. 444. that part made sense.

    -Richard K
     
    Richard K, Sep 3, 2009
    #3
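An added example (not code from Krystian's or Richard's posts) of the one thing port 80 should do if it is opened: answer every plain-HTTP request with a redirect to the HTTPS Remote Web Workplace URL, and a check you can run from outside to confirm that is all it does. It assumes the public name remote.mydomain.com from the original post, that the IIS 7 site bound to port 80 is called "Default Web Site" (an assumption about the SBS 2008 layout), and that appcmd.exe is present on the server.

```powershell
# Added example, not part of the thread. Assumptions: the port-80 site is
# "Default Web Site" and the public name is remote.mydomain.com.
$HostName   = 'remote.mydomain.com'        # from the original post
$Port80Site = 'Default Web Site'           # assumed IIS site name on SBS 2008
$AppCmd     = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

function Set-PlainHttpRedirect {
    # Configure IIS 7 httpRedirect so every request on port 80 gets a 301 to
    # the HTTPS URL. The port-80 site should serve nothing else; the one
    # plaintext hop then carries only a host name and path, never a login.
    param([string]$SiteName, [string]$Target)
    & $AppCmd set config $SiteName /section:httpRedirect /enabled:true `
        "/destination:$Target" /exactDestination:true /httpResponseStatus:Permanent
}

function Test-HttpRedirect {
    # Send one request on port 80 WITHOUT following redirects and report the
    # status code and Location header, so the behaviour can be confirmed from
    # an outside machine rather than assumed.
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx answers arrive as an exception; no Response means no listener
        if ($_.Exception.Response -eq $null) { throw }
        $resp = $_.Exception.Response
    }
    $result = New-Object PSObject -Property @{
        Status   = [int]$resp.StatusCode
        Location = $resp.Headers['Location']
    }
    $resp.Close()
    return $result
}

function Test-RedirectIsSafe {
    # Pure check, usable offline on captured values: the redirect is acceptable
    # only if it is permanent (so browsers cache it), goes to https:// and
    # stays on the expected host (no open-redirect to somewhere else).
    param([int]$Status, [string]$Location, [string]$ExpectedHost)
    if ($Status -ne 301) { return $false }
    if (-not $Location) { return $false }
    $uri = $null
    if (-not [System.Uri]::TryCreate($Location, [System.UriKind]::Absolute, [ref]$uri)) {
        return $false
    }
    return ($uri.Scheme -eq 'https' -and $uri.Host -eq $ExpectedHost)
}

# On the server:
#   Set-PlainHttpRedirect -SiteName $Port80Site -Target "https://$HostName/remote"
# From an outside machine:
#   $r = Test-HttpRedirect "http://$HostName/"
#   Test-RedirectIsSafe -Status $r.Status -Location $r.Location -ExpectedHost $HostName
```

If Test-HttpRedirect returns anything other than a 301 to the https:// name, something besides the redirect is listening on 80 and it deserves the same scrutiny Susan gives the rest of the exposed ports.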
  4. Your users can't type in an "s"? Really, they can't be taught that
    little thing? I may be a jaded admin, but if they can't be taught that,
    should they have remote access in the first place?

    The reason why I keep the 80 closed is that it keeps me a little bit
    less paranoid. It's one less port for me to keep watch on.

    Is it safe? Depends. What's the complexity of the passwords?
     
    Susan Bradley, Sep 3, 2009
    #4
  5. Susan,

    I've set up all my non-SBS customers with a redirect for OWA using a redirect
    command in an ASP page. For SBS customers, I have the SBS Welcome page
    redirected, and removed Anonymous, so they must log in. Once in, I even
    altered the welcome page to add an SSL VPN link to the Cisco ASA to directly
    download the SSL VPN client, as well as added a link to the OWA site.

    Believe me, after I did that a few years ago, the phone calls saying that
    the OWA site won't work went down to zero, of course unless the link or
    Exchange was down. You can tell them until you're blue in the face, and
    there's always that one or two with selective listening skills who
    will be calling. And if you're late responding (this happened with a specific
    140-seat customer where I was just a consultant for their network admin),
    they go complaining to the owner, who'll call me directly. I simply explain
    that it's in the one-page how-to document that I created and emailed to
    everyone, which is available in a public folder, as well as thumbtacked on
    the bulletin board in the lunch room. The boss winds up laughing, which is
    cool, but I got tired of it and just set up a redirect.

    The easier you make it for them, the less phone calls. :)

    Ace
     
    Ace Fekay [MCT], Sep 3, 2009
    #5
  6. Can your users remember the url for your company web site? For example:
    www.microsoft.com

    If so, could they remember www.yourwebsite.com/remote or some similar
    link?

    If so, create a page on your company web site with no links, in essence a
    hidden page.

    Put the https://blah-blah/remote link, along with any others you want them
    to link to on that hidden page.

    Now, all they have to remember is www.yourwebsite.com/hidden-page

    --
    Larry
    Please post the resolution to your
    issue so that others may benefit.

    Get a Health Check for SBS at:
    www.sbsbpa.com
     
    Larry Struckmeyer [SBS-MVP], Sep 3, 2009
    #6
  7. I don't do VPN.

    I have given them a quick landing page so they don't have to do
    remote.domain.com nor mail.domain.com; it's a unique URL similar to our
    email domain but just a little bit different. I don't tell them until
    I'm blue in the face; it's an easy URL with an 's'.
     
    Susan Bradley, Sep 3, 2009
    #7

  8. I was just relating my past experience with it. I tried to ignore them after
    I'd told them a dozen times, but got tired of the phone calls because they
    didn't read the doc or hear what I said. :)

    The VPN thing is only for a handful of customers. One, for instance, has an
    ERP a few people need access to from home. Non-SBS. So I set up a VPN to
    connect in, so they can RDP into their own desktop to use the app. Otherwise
    I would have needed an IP for each user to use RDP over 3389. I don't like
    opening that up anyway, so the VPN was the answer. SSL VPN connects/installs
    using a browser, so I didn't have to install the client, which made it
    easier.

    Your solution sounds easy, too.

    :)
     
    Ace Fekay [MCT], Sep 3, 2009
    #8
  9. Richard K

    Richard K Guest

    I have been setting up 3 simple URL redirects (email.mydomain.com,
    remote.mydomain.com and companyweb.mydomain.com) that will redirect to the
    full https://..... for /remote, /exchange and :444, so it was easy. I don't
    necessarily disagree with the whole "s" thing, but like others have said you
    can talk until you are blue in the face. With the 3-in-1 page that SBS 2008
    has set up for email, remote and companyweb/sharepoint I want to make it a
    simple 1 URL for them to remember. From there they log in and choose which of
    the 3 options they want. The biggest thing for me is to move from a
    self-signed cert to a valid 3rd party one like GoDaddy. After a while it's not
    worth the hassle for $26/year to get a GoDaddy cert, and it seems to make SBS
    2008 function so much easier.

    Being new to SBS 2008 I'm trying to put together my "standards" for future
    clients like I have with SBS 2003 which took me a while to really nail down.
    I'm always open to ideas and hear what others have done. This is some neat
    stuff.

    Thanks for everyone's opinions.

    -Richard K
     
    Richard K, Sep 3, 2009
    #9
  10. Richard K

    Richard K Guest

    Susan, so is this a single URL you provide, and that landing page has the
    URLs for OWA, remote and companyweb/sharepoint? Can you please provide a
    sample of the URL you do provide? The idea sounds similar to what I see as
    the 3-in-1 landing page for SBS 2008 once the user logs in. Up until now I
    have had a lot of success with the email., remote. and companyweb. approach,
    especially since I don't have to tell them about the "s" in the http.

    -Richard K
     
    Richard K, Sep 3, 2009
    #10
  11. Instead of how the server wants you to hand out mail.domain.com I have
    two domains. One is the email domain of domain.com. The second is
    domainpc.com. That https://www.domainpc.com goes to the normal SBS
    landing page with the links for rww, companyweb, owa.

    The domain is our normal domain name and then the "Pc" at the end is the
    brain reminder that that's the url they go to for their PC access.
     
    Susan Bradley, Sep 3, 2009
    #11
  12. The $26/year cert doesn't work correctly with Exchange 2007. :)

    You'll need a UC/SAN cert for Exchange. IIS can use it too with adding the
    IIS site you are using to the list of names on the cert.



    Ace
     
    Ace Fekay [MCT], Sep 3, 2009
    #12
  13. I like that solution. :)
     
    Ace Fekay [MCT], Sep 3, 2009
    #13
  14. No you don't. $29 Cert works fine with SBS 2008's version of Exchange
    2007. You then put the SRV/Autodiscovery records up on the DNS hoster.

    Use the SBS wizard. It handles everything it needs.

    YOU WANT the $29 cert for the ease of RWW. Sending out that cert bundle
    is a pain in the ass-ets.
     
    Susan Bradley, Sep 3, 2009
    #14

  15. It's much easier overall to use the UC/SAN cert.

    Let's say, for instance, a laptop on the outside connecting with Outlook
    Anywhere works fine, but when they come into the office, it will use the
    internal NetBIOS name of the Exchange server. It won't look for the
    autodiscover record, since that's just used for the initial connection. The
    NetBIOS name and the internal FQDN are two of the names added to the UC/SAN
    cert.

    Also, not all DNS providers (registrars, etc.) have provisions to create an
    SRV for autodiscover. It's kind of like the SPF issue with many DNS
    providers: they don't allow or have the provisions to create different
    kinds of records other than CNAME, A and MX records.

    I've just heard issues with using a standard SSL cert.

    And the UC/SAN cert works with the default site, too, just add the host
    header to the list of names.

    IMHO, I would *rather* use a UC/SAN cert. :)

    Ace
     
    Ace Fekay [MCT], Sep 3, 2009
    #15
  16. Richard K

    Richard K Guest

    Ace,

    Certs are something I am not totally knowledgeable about. What is a good
    source to understand the differences between SSL and UC/SAN certs and what I
    should be looking to buy vs. my $27 GoDaddy cert?

    Thanks!

    -Richard K
     
    Richard K, Sep 3, 2009
    #16
  17. You are big server land. That cert is an expensive price tag when it's
    totally unneeded. This is SBS where there is a third party cert wizard
    already on the box that does the cert request needed. It truly does
    work with the srv up at the dns hoster. If your dns provider doesn't
    support SRV records, get a new one.

    It's easier to go along with the wizard than to do a 'big server land' here.
     
    Susan Bradley, Sep 3, 2009
    #17
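An added example (not Susan's or Ace's code) for the single-name-cert route Susan describes in #14 and #17: the SRV record the DNS hoster must carry, and a check that the record points at exactly the name on the certificate. It assumes the email domain mydomain.com and the public host remote.mydomain.com from the original post, and that the resolver answers in the format Windows nslookup.exe prints; the sample output below is constructed, not captured from a real zone.

```powershell
# Added example, not part of the thread. Assumptions: email domain
# mydomain.com, certificate name remote.mydomain.com (from the original post).
#
# Record to create at the DNS hoster (zone-file form, for reference):
#   _autodiscover._tcp.mydomain.com.  IN SRV 0 0 443 remote.mydomain.com.
# Outlook 2007 first tries https://mydomain.com/... and
# https://autodiscover.mydomain.com/...; with neither name on a single-name
# cert, the SRV record is what sends it to the name that IS on the cert.

function ConvertFrom-NslookupSrv {
    # Pure parser for nslookup's SRV answer, testable offline on captured text.
    # Returns $null when the record is absent (no "svr hostname" line).
    param([string]$Text)
    $portMatch = [regex]::Match($Text, 'port\s*=\s*(\d+)')
    $hostMatch = [regex]::Match($Text, 'svr hostname\s*=\s*([\w\.\-]+)')
    if (-not $hostMatch.Success) { return $null }
    $p = 443
    if ($portMatch.Success) { $p = [int]$portMatch.Groups[1].Value }
    New-Object PSObject -Property @{
        Port   = $p
        Target = $hostMatch.Groups[1].Value.TrimEnd('.')
    }
}

function Get-AutodiscoverSrv {
    # Windows Server 2008 has no built-in SRV cmdlet, so shell out to nslookup.
    param([string]$EmailDomain)
    $text = & nslookup.exe -type=SRV "_autodiscover._tcp.$EmailDomain" 2>&1 | Out-String
    return ConvertFrom-NslookupSrv $text
}

function Test-SrvMatchesCertificate {
    # The SRV target must be exactly the name on the single-name cert and the
    # port must be 443; otherwise Outlook shows a name-mismatch warning, the
    # very problem a UC/SAN cert is bought to avoid.
    param($Srv, [string]$CertName)
    if ($Srv -eq $null) { return $false }
    return ($Srv.Port -eq 443 -and $Srv.Target -ieq $CertName)
}

# Constructed nslookup output, so the parser can be exercised offline:
$sample = @"
Server:  dns.example.invalid
Address:  192.0.2.53

Non-authoritative answer:
_autodiscover._tcp.mydomain.com SRV service location:
          priority       = 0
          weight         = 0
          port           = 443
          svr hostname   = remote.mydomain.com
"@
$parsed = ConvertFrom-NslookupSrv $sample
Test-SrvMatchesCertificate -Srv $parsed -CertName 'remote.mydomain.com'

# Live check against the public zone:
#   Test-SrvMatchesCertificate -Srv (Get-AutodiscoverSrv 'mydomain.com') `
#       -CertName 'remote.mydomain.com'
```

A $false from the live check means either the hoster never published the record (Susan's "get a new one" case) or it points at a name the $29 cert does not cover, which is the situation Ace's UC/SAN argument is about.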

  18. As Susan said, you don't have to buy a UC/SAN cert. That is actually my
    preference, but then again, most of my customers are non-SBS, and are larger
    environments. You already have a cert, so go with it. See if these tutorial
    videos help showing how to install it. Maybe Susan may have additional info
    to add to help you with the installation portion.

    Screencast: How to Add a GoDaddy (Trusted) SSL Certificate in SBS 2008.
    Step-by-step video tutorial.
    http://www.netometer.com/video/tutorials/godaddy-add-trusted-certificate-sbs-2008/

    Screencast: How to Import Self-Issued (SBS 2008) Certificate in a ... A
    default installation of Small Business Server 2008 uses a Self-Issued SSL
    certificate for the Exchange Server 2007 installation. ...
    http://www.netometer.com/video/tutorials/sbs-2008-mobile-device-ssl-certificate-import/


    As for the differences, I posted some info below. (Note - this is part of a
    blog I've been working on that's not yet completed):

    ======
    UCC/SAN Certificate

    An SSL certificate has one name on it.

    The advantage and features of a UC/SAN cert is it allows you to create
    multiple names in the certificate. Note, this is not a wildcard certificate
    that will allow you to use any or an infinite number of names. Exchange 2007
    does not work with such a certificate. It will, as mentioned, work with a
    single name certificate, if so desired to save money on the certificate
    prices, but I've found it beneficial to use a UC/SAN certificate for the
    multiple names that an Exchange server will use for clients.

    The four main names I recommend adding to the cert when creating the request
    file are:

    mail.company.com (the external FQDN name used to access OWA)
    autodiscover.company.com (used for Outlook 2007 Outlook Anywhere's
    autoconnect feature)
    internalname.internaldomain.com (what Outlook Anywhere and DSProxy uses over
    RPC/HTTPS used to connect to Exchange)
    internalname (the NetBIOS name of the Exchange 2007 server)

    The internalname.internaldomain.com is what Outlook Anywhere and DSProxy
    uses over RPC/HTTPS that's used to connect to Exchange 2007.

    The autodiscover.company.com is used by Outlook 2007's Outlook Anywhere
    autoconfiguration feature.

    If you go to the following link, they offer complete instructions on how the
    request works along with a web-based tool to configure and create a
    certificate request command to be used in the Exchange Management Shell in
    Exchange 2007. I've found this feature very convenient.

    DigiCert's Exchange 2007 CSR Tool
    https://www.digicert.com/easy-csr/exchange2007.htm

    Once it creates the command for you, you can use it to create the request in
    your Exchange 2007 server, then submit the request file to the certificate
    authority.

    I've been using DigiCert to purchase this type of certificate for my
    customers.

    Note - I am not trying to push DigiCert certificates on anyone. I've just
    found it easier to use and less expensive than other certificate authorities
    out there, which may have other stipulations and requirements when
    requesting a UC/SAN certificate. There are others out there, but I found
    this one is cheaper than a couple of others, and works with Windows Mobile 5
    and 6 without problems. But that is up to you. Please check the other
    companies, such as VeriSign, Thawte, InstantSSL, etc., to compare.

    Please keep in mind, whatever name you put on the cert (your name, company
    name, etc., based on the domain name), a WHOIS on your domain name must have
    this exact information, or they will not issue the certificate. This is a
    strict requirement by the certificate authorities. You can call them for
    more specific info about this.

    More things to consider concerning the internal AD DNS domain name and if
    using Exchange 2007:

    If you choose an internal AD DNS name, be careful of the TLD you choose. You
    do not want to choose one that is already in use by another entity. The
    reason is that it will cause confusion, and will create problems if you were
    to get an Exchange 2007 UC/SAN certificate and add a name for the internal
    namespace to the certificate. Here are some existing TLDs that you do not
    want to choose if the name does not belong to your entity. It would be a
    bad choice, for the complications that will arise, if the name you give the
    internal domain is registered by others.

    In one word, please make sure never to use an internal domain with a suffix
    the same as an existing top-level domain name. You can use something such as
    domain.earth, domain.mars or ABC.whatever, but that rules out using the
    top-level domain suffixes that already exist. So if I were to choose
    domain.net for my internal name, but it is owned by someone else, the
    certificate authorities will not approve the certificate request.

    Technically speaking, you can also use the same name for the internal domain
    and the external domain. However, this method is not recommended. You may
    encounter issues that force you to perform a domain rename in the future.
    Not something that one desires to do.

    Some guidelines for internal AD DNS domain naming:

    1. If you name the internal domain the same as your Internet public domain
    name, at some point internal domain clients will get the domain's external
    IP (resolved from the external domain name). In scenarios where you have
    also published the Exchange Server to receive external mail, the issue will
    be much more complicated. A sample issue:

    Same Internal and External Domain Name
    http://techrepublic.com.com/5208-11190-0.html?forumID=40&threadID=181117

    2. Worse, if the name you give the internal domain is registered by others,
    then it will never get approved.
    ======

    Ace
     
    Ace Fekay [MCT], Sep 3, 2009
    #18
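An added example (not Ace's, and not the DigiCert tool's output) of the UC/SAN request Ace's post walks through, done in the Exchange 2007 Management Shell with the four names he lists, plus a check that refuses to enable an issued certificate for IIS and SMTP if any of those names is missing from it. The placeholders company.com, internaldomain.com and internalname come from the post; the subject's country and organisation, the file paths and the sample domain list used for the offline check are assumptions.

```powershell
# Added example, not part of the thread. Run in the Exchange Management Shell.
# Assumptions: placeholder names from the post; "c=US, o=Company Inc" and the
# C:\certreq paths are made up and must match your WHOIS record and disk.
$RequiredNames = @(
    'mail.company.com',                   # external OWA / Outlook Anywhere name
    'autodiscover.company.com',           # Outlook 2007 Autodiscover
    'internalname.internaldomain.com',    # internal FQDN used on the LAN
    'internalname'                        # NetBIOS name of the Exchange server
)

function New-UcCertificateRequest {
    # Generate a CSR with the first name as CN and every name as a SAN entry.
    # -PrivateKeyExportable lets the same cert be moved to a proxy/firewall later.
    param([string[]]$Names, [string]$RequestPath)
    New-ExchangeCertificate -GenerateRequest `
        -SubjectName "c=US, o=Company Inc, cn=$($Names[0])" `
        -DomainName $Names `
        -KeySize 2048 `
        -PrivateKeyExportable $true `
        -Path $RequestPath
}

function Get-MissingCertificateNames {
    # Offline check: which required names are absent from a certificate's
    # CertificateDomains list (the property Get-ExchangeCertificate reports)?
    # DNS names are case-insensitive, so compare lower-cased.
    param([string[]]$CertificateDomains, [string[]]$Required)
    $present = @{}
    foreach ($d in $CertificateDomains) { $present[$d.ToLower()] = $true }
    $missing = @()
    foreach ($r in $Required) {
        if (-not $present.ContainsKey($r.ToLower())) { $missing += $r }
    }
    return $missing
}

function Enable-CheckedCertificate {
    # Import the CA's reply, re-read it through Get-ExchangeCertificate, and
    # only bind it to IIS and SMTP if every required name is on it. Enabling
    # a cert that lacks the internal names is what produces the in-office
    # Outlook warnings Ace describes in #15.
    param([string]$CerPath, [string[]]$Required)
    $imported = Import-ExchangeCertificate -Path $CerPath
    $cert = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint
    $missing = Get-MissingCertificateNames -CertificateDomains $cert.CertificateDomains `
                                           -Required $Required
    if ($missing.Count -gt 0) {
        throw "Certificate $($cert.Thumbprint) lacks: $($missing -join ', ')"
    }
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'
}

# Usage:
#   New-UcCertificateRequest -Names $RequiredNames -RequestPath 'C:\certreq\exchange.req'
#   (submit C:\certreq\exchange.req to the CA; save the reply as C:\certreq\exchange.cer)
#   Enable-CheckedCertificate -CerPath 'C:\certreq\exchange.cer' -Required $RequiredNames
#
# Offline exercise of the name check with a constructed two-name domain list
# (what a single-name-plus-autodiscover cert would look like):
Get-MissingCertificateNames -CertificateDomains @('mail.company.com', 'autodiscover.company.com') `
                            -Required $RequiredNames
```

The same Get-MissingCertificateNames check applied to Susan's $29 single-name certificate would report the internal names missing, which is precisely the trade-off the two of them are debating: with the wizard's SRV-based approach those names are never needed on the public cert, with a UC/SAN cert they are covered outright.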
  19. Big server land? I like that one. :)

    Susan, I highly value your opinion. And you're totally right, I am not an
    SBS expert and deal mostly with non-SBS multi-DC, multi-site, Exchange,
    larger customers, that sort of thing. I have not used SBS 2008 yet, but at
    least I am aware of and know what you're saying about the SBS wizard and the
    self-signed/created cert. With SBS, the internal joined machines
    automatically get the self-signed cert, as well as work nicely with iPhones
    and BlackBerrys using the OWA method. Windows Mobiles, however, are a little
    trickier, having to install the cert on each phone, same with Outlook and
    installing the cert on the laptop.

    I remember seeing a blog about using an SSL cert with SBS2008, but I never
    saved the link. I don't remember who the author was. Was that you? However,
    I did find other info on how to install the cert, etc, but can't seem to
    find that specific one.

    As for DNS providers, I agree as well that many do support SRV (or even
    TXT for SPF) records, but I just want to point out that many don't. Also, it
    may not be that easy for a company to move hosting providers, especially if
    they have some sort of web hosting involved, etc., without incurring
    additional charges, which then may offset using a regular SSL cert vs. a
    UC/SAN, where you don't need an autodiscover SRV record.

    Cheers!

    Ace
     
    Ace Fekay [MCT], Sep 3, 2009
    #19
  20. SeanDaniel.com - Small Business Server and Other Technology: Installing
    a GoDaddy Standard SSL Certificate on SBS 2008:
    http://sbs.seandaniel.com/2009/02/installing-godaddy-standard-ssl.html
     
    Susan Bradley, Sep 3, 2009
    #20
