Setting up Remote Web Access on SBS 2011 Essentials Part 2
July 15, 2011
In the last part of this post, I went through how, and how not, to set up RWA on SBS 2011.
I had problems with the GoDaddy process, so wanted to give eNom a try.
So I had just removed the domain from the RWA site, and I am starting afresh.
This time I am going to purchase the domain name through the wizard.
I want to use one of the supported providers..
I want to use eNom
This is the domain name I want to try…
Aha, it is available – great, I want to register it, so I click on Register Now.
I am taken to eNom’s website..
I won’t bore you with setting up an account, but I also chose their very kind offer of an SSL certificate as well!
(I can see here it is actually saying ‘transfer’; I believe this is related to something a little further along. At this point I did everything I was prompted to do, and did not change anything.)
Purchase complete, and I am now back to the wizard. You need to enter the credentials you created when signing up with eNom and click Next.
What’s that now? Invalid, surely not, I just purchased this domain with your wizard?
So it would seem that at this point something went wrong with eNom, as I review my emailed receipt and I was only charged for the SSL, not the domain. Weird!
OK, I thought, no big deal.
I went to the site directly and registered the domain name manually. Restarted the wizard, of course this time I already owned the domain.
I am lazy, so I want to set up my domain automatically..
Hmm, I was expecting this to pick up the fact my domain was at eNom.. it didn’t. So I choose eNom and click Next.
Eh, what now?
Transfer? What Transfer? I just bought the domain.
I thought for a few moments, and figured, well it is a new domain, maybe it is not set up – so yeah OK, let’s continue..
Now the interesting point, it shows my domain as co.uk – which obviously is not right.
This appears to be a problem with the wizard itself, not handling second level domains correctly.
This is an annoyance of course, however we can work around this.
So let’s review at this point.
We have purchased an SSL Certificate and a domain name.
I am restarting the wizard..
If you choose to set up the domain manually, you will need to be able to edit the DNS records for your domain and point them to your router.
You will need at the very least to add an A record for ‘remote.yourdomain.com’ for the public IP of your router, and make sure that email is either being forwarded to another provider, or set MX records to go to your preferred email provider.
You may also need an A record for WWW to point to your public website.
That is beyond the scope of today’s debacle however..
You will need to confirm that you have set up your domain name manually, and then you can click Next.
Now for the SSL: as we already purchased our SSL cert, the options here are not straightforward.
We have purchased our certificate, but it is not ‘existing’.
Existing is for certificates already in place on the server. You need to select, I want to purchase..
Before you click next, you need to click Advanced. If you don’t then the Certificate Signing Request (CSR) will be for the domain shown – not the full name we want to use.
Click Advanced, then fill out the domain name as shown – we need to have our prefix as shown, and you can see below how the domain name for RWA will actually look..
Click on OK, and you are back to the previous page.. this time with the correct name for your CSR.
When you click Next you will be presented with your CSR. You can copy this or save it to a file for later use.
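An added example, not part of the original post: before pasting the CSR into the CA's form, this check confirms that its subject common name is the full RWA hostname rather than the bare domain. It assumes the wizard carries the hostname in the CN; `remote.example.co.uk` and the function names are placeholders, and the sample request is constructed with a dummy key and signature.

```python
import base64
import re

CN_OID = bytes([0x55, 0x04, 0x03])  # OID 2.5.4.3, commonName

def pem_to_der(pem):
    """Strip the PEM armour; Windows tools label it NEW CERTIFICATE REQUEST."""
    m = re.search(r"-----BEGIN (NEW )?CERTIFICATE REQUEST-----(.*?)"
                  r"-----END (NEW )?CERTIFICATE REQUEST-----", pem, re.S)
    if not m:
        raise ValueError("no PKCS#10 request found")
    return base64.b64decode("".join(m.group(2).split()))

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    pos = 0
    while pos < len(content):  # yield (tag, content) for each nested element
        tag, body, pos = read_tlv(content, pos)
        yield tag, body

def csr_common_name(pem):
    """Walk CertificationRequest -> CertificationRequestInfo -> subject."""
    _, request, _ = read_tlv(pem_to_der(pem), 0)
    _, info = next(children(request))
    _, subject = list(children(info))[1]  # [0] is the version INTEGER
    for _, rdn in children(subject):  # each RDN is a SET of SEQUENCE {OID, value}
        for _, atv in children(rdn):
            (_, oid), (tag, value) = list(children(atv))
            if oid == CN_OID:  # tag 0x1E is BMPString (UTF-16BE)
                return value.decode("utf-16-be" if tag == 0x1E else "utf-8")
    raise ValueError("subject has no commonName")

def csr_matches(pem, hostname):
    """True only when the CSR's CN is exactly the name clients will browse to."""
    return csr_common_name(pem).lower() == hostname.lower().rstrip(".")

def der_tlv(tag, body):
    """DER-encode one element (used only to build the sample below)."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_csr(cn):
    """Constructed input: CSR-shaped DER with a placeholder key and signature."""
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(
        0x30, der_tlv(0x06, CN_OID) + der_tlv(0x0C, cn.encode()))))
    key = der_tlv(0x30, der_tlv(0x03, bytes(140)))
    info = der_tlv(0x30, der_tlv(0x02, b"\x00") + name + key + der_tlv(0xA0, b""))
    der = der_tlv(0x30, info + der_tlv(0x30, b"") + der_tlv(0x03, bytes(9)))
    body = base64.encodebytes(der).decode()
    return ("-----BEGIN NEW CERTIFICATE REQUEST-----\n" + body
            + "-----END NEW CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    for cn in ("example.co.uk", "remote.example.co.uk"):  # placeholder names
        print(cn, "->", csr_matches(sample_csr(cn), "remote.example.co.uk"))
```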
So I copy this info to my clipboard and go to the eNom site, log in and head for SSL Certificates..
Click on the RapidSSL option..
You need to choose Outside Hosting, and I also chose the type of server I have..
Delete the text in the CSR field, and paste in your CSR.
Scroll down and click Submit Certificate.
At this point you may say something rude – if you don’t have email already set up for your domain, as I didn’t. Of course I was forgetting that the SSL authorisation procedure will require authorisation from the domain owner, which is usually done by email. I quickly had to go and set up email forwarding for this test domain to my actual email address..
I chose a suitable email address and submitted the details..
You are then returned to your Manage SSL home page, and the status is now Processing.
Switch over to your email client and keep an eye out for an SSL Certificate request type email..
Scroll down and follow the link to approve..
You will be taken to a GeoTrust website and have to click on the Approve button.
Your certificate will then be emailed to you as plain text, and it will look almost identical to your CSR.
My advice here is to copy and paste this into a new text file and save it as SBS.cer
Now back to our Wizard.. we can now choose that we have our SSL information and click Next.
As I saved my certificate to a file, I can now browse to it; alternatively you can just paste that info into this box..
Click next, and we are all done!
Click Close to go back to the Server Settings\RWA page.
So what has all of this taught me?
I am afraid I can only so far draw a negative conclusion on this process.
I think Microsoft have to be applauded for the idea, and the theory is sound, however in practice I think this is a huge undertaking, and as always the more you try to cater for, the more variables you have to account for – the more places something can fall down.
I do not think a DIY’er (or off the shelf purchase of Essentials) would have got through this without resorting to calling in an expert, giving up, or dying of old age waiting for a non-existent certificate to show up..
Having said that, I am also confident that this can be resolved with feedback given to the right people.
So to end on a positive, something that people do not seem to be aware of yet – is that Microsoft are giving away a free domain name, AND, a free SSL certificate with SBS Essentials.
Yes, you heard me right!
So, how do I get one?
Just like this…
Choose a new domain name…
You want the free one!
You will need a Windows LIVE ID!!
Read and accept the license agreement…
Choose your prefix. All of the free domains will be domain.remotewebaccess.com
Click to check availability.. if it is available, click Set Up!
DONE!
Is it ironic that I am using Firefox in this shot?
That is a number of ways the RWA wizard can work out for you!
As I said above, you have to applaud the idea; the execution at this time has been poor.
But on a plus, the freebie domain and SSL work perfectly, and who can argue with that price?


I would say this is an absolutely exemplary post: clear, funny, really helpful and well structured. Many thanks to Rob
Thank you David, much appreciated.
Can I unashamedly draw your attention to his page? http://titlerequired.com/donate/
Hi Robert, nice article as usual.
Regarding the free remotewebaccess.com setup, how does it know your WAN IP address? Is there a dynamic DNS client built into SBS Essentials or do you have to enter it somewhere?
Hi John, thank you.
I don’t know for 100% but will check.
I can tell you it is automated, and it ‘knows’ your public IP. I can only assume it is supported on a dynamic connection, so some sort of periodic ‘phone home’ with your Live ID and *.remotewebaccess.com name.
You certainly don’t need to do anything further than what I have outlined to get it working.
Thanks for your comment, good question.
Hey John,
Microsoft owns the remotewebaccess.com domain, it also runs the dns for this domain.
A process runs every 10 minutes on the server to check the current wan ip, and updates records as needed.
Hope that helps.
Robert,
Great article. I have been trying to set up with the Microsoft domain; it says cannot connect to domain service. Any ideas?
Hi James,
This could be a temporary service outage, or more likely something else wrong with your setup.
Did you complete the Router setup wizard?
Hi Robert,
Thank you for your reply. I replaced the router with one that does DHCP and reserves the server IP; now all is rosy. All I have to do is run the connector on client PCs so they are able to connect when on the road.. Thank you again for your and advice
Regards,
James
The RWA works on computers that are connected to the office domain but when I try to access from home it doesn’t recognize my https://cliftoneyecenter.remotewebaccess.com. Does the computer have to be added to the server to use the remote web access. I was just using my laptop at home and put in the address in IE and it doesn’t resolve the name.
Hi Richard.
I have seen it can take some time for the domain name to resolve correctly outside of your own network.
Best thing to do is use a web based dns lookup tool and see if you can resolve your custom rwa.com address to the ip address of your Internet connection.
I’m assuming that your router is being configured by the server, or that you have made sure you have the correct ports open for rwa to function.
Richard,
Great Article. I followed every step as described above (using Windows Live ID) to configure RWA. My 2011 SBS Essential server configured my router (via UPnP). The message on the server displays “Available” (for remote connection). But, I have tried from different computers (and even from the server itself), I am unable to remotely access the server. As suggested earlier in one of the posts, I have also checked using network-tools.com to trace/lookup my rwa address, which can trace and lookup. Could you please shed some light on this? I would highly appreciate your help.
Thanks.
Hi Anuj,
My advice would be that you check the ports are correctly opened in the router.
Hope that helps.
Rob.
I have tried this process also and am noticing that my WHS 2011 box is passing my internal IP 192.168.0.100 to the xxxx.homeserver.com DDNS service. Instead of my external, internet IP address. It lets me obtain a free, custom xxxx.homeserver.com domain however if you ping it, it doesn’t point to my public internet IP. Is there any way to manually correct this?
I have not seen this issue before, so when you do an nslookup of your xxx.homeserver.com name, it shows your internal IP?
What sort of router do you have?
robertpearman, I apologize. My earlier report was incorrect. Instead the built-in Windows dynamic DNS updater isn’t updating the xxx.homeserver.com domain at all. So when I do an NSLOOKUP, it has no knowledge of my IP at all.
[67.222.132.199] returned a non-authoritative response in 313 ms:
Answer records
[none]
Authority records
[none]
Additional records
[none]
The free WHS godaddy.com SSL cert does reflect my domain name xxxx.homeserver.com but it doesn’t appear the my windows box is either not reporting back the IP to the server (bug) or something else. I am using pfsense for my router and can verify that all ports are forwarded correctly and windows firewall is completely disabled.
No problem.
Afaik the windows firewall is not disabled by default, so I would check that.
Not suggesting that is the issue but it may not be helping.
Do you have Update Rollup 1 installed? I believe there is a WHS specific version available.
Aside from that I would probably look at using a packet analyser to see if the WHS actually attempts to update the dns.
I’m on a train right now so don’t have full access to things to offer suggestions.
Great post. I have followed the Live.com way and got it looking like it all worked and could get to the home screen, but when I put in my user name and password it gives me the error of “Remote Web Access is not allowed for your user account. Contact the person who manages your server.” I have gone into my username setup to make sure that I am allowed to use remote web access. Any help would be great.
Thanks
Jason
Was this a migration?
Do any accounts work for Remote Access?
Yes it was a migration from 2003.
None of the accounts work, even if I make up a new account under administration rights it does not work.
I think there was a thread on this in the technet forum, will try and dig it out later today
Have a look at this thread.
http://social.technet.microsoft.com/Forums/en-US/smallbusinessserver2011essentials/thread/53126f7e-6670-401d-a0e4-48dc876e0c45
Thanks for the info. It looks like there was a bigger problem with the migration of settings from one to the other. I followed the instructions but still nothing.
Any other ideas other than to start from scratch?
Difficult to say without knowing the details.
It might be better to start over, but I would probably post on the technet forum first.
Depends on the time scale I guess.
This is a great article – I am about to set up SBS2011 Essentials in a small office with RWA, and this has prepared me for some of the pitfalls, so I will follow this carefully. Will let you know how smoothly it goes!
Hi Andy any luck? Robert is a great guy, very helpful indeed.
Robert, setting up SBS 2011 Essentials has proven to be an epic challenge for me. SBS Standard is a champ, but SBS Essentials, one of the hardest install challenges I have ever had to experience – and I have been doing this for 20 years – RWA access still not working after at least 20 attempts (I am talking complete barebones reinstalls!) over several days. Great product terrible RWA install.
What is the current situation of your RWA?
RWA went very smoothly. I used the free domain name service from Microsoft, using https://domain_name.remotewebaccess.com/ This installed with no problem. I was able to access remotely the same evening. (Although the next morning I could not connect at all!- Hopefully a glitch with the internet!!)
Setting up SBS2011 Essentials was very easy on a small network, all done in about 5 hours including scheduling backup, adding users, setting up RWA etc.
An issue with RWA – it worked for about 24 hours after setting up, but then RWA was not accessible. At the server, onsite, I had to “Repair” RWA in server settings. It then worked OK for 48 hours and stopped again. I am using Microsoft https://domain_name.remotewebaccess.com/ Any ideas why this is happening? Thanks
Are you using UPnP on your router?
Yes, UPnP is enabled on the router
Which bit is actually not working, can you login or not?
Might be better to post on the TechNet Forum
Robert, where is the best location on the server to install an application that can be accessed and used by users across the internet using RWA? How do these users see it when they login with RWA? Thanks
RemoteApp is not supported on the SBS Server. You would need a second server running RDS (Terminal Services) and then publish the App through there.
They can of course RDP to their internal machines and access the app installed locally. What’s the app in question?
The app is called Vbase – a package for volunteer organisations. Currently users have the app installed on their local PC accessing a shared dbase on their network. The plan is to move the dbase onto the SBS server at a different location and access it using RWA. Is there any way we can do this?
The database can certainly sit on the SBS.
The app would have to stay on the client machines.
Not sure I follow your comment.
Drop me an email if you want more detailed thought!
Robert, does this mean that we cannot install applications on the SBS server for onsite users to run them from the one location, rather than installing on each machine? If we can where can we store them, and how does the local user access them?
If I understand what you are saying correctly, what you are hoping to do is terminal services, which you cannot do with an SBS Server.
This is where an app is installed on the server, and the users logon to the server using Remote Desktop and run the program there.
Thank you Robert. Can I raise another problem. I followed your steps, exactly, to enable Gateway-UI for RWA using the elevated command prompt. But I get the error that this command is not recognised. I think the error is 76?
Can you send me a screen shot – any errors in the event logs around the same time as the failure?
I will get a shot, but it may be a day or two before I get to the office. Thanks.
Thank you for the detailed explanation.
I need to fix my certificate because it still shows as a self-assigned one and even by installing a copy locally, it doesn’t let remote users connect to their pc.
I have SBS essentials with Office 365 & the Integration Module
1) Domain is by Godaddy.com
2) DNS is on Office 365
3) Exchange is Office 365
I went through the process with the automated GoDaddy.com SSL certificate.
Weird item #1) The wizard with godaddy forwarded remote.domain.com to my server… so it should have worked because redirection is working..but it’s not
Weird item #2) I check on DNS manager in office 365, no log, nothing stating its redirected…strange
Before touching anything / retrying the process.
Should I just install the certificate manually as per your post? http://titlerequired.com/2012/03/05/sbs-2011-essentials-manually-installing-ssl-certificate/
If I do, should I ask for a new certificate with the manual request?
SBS essentials is supposed to be made for DIY but I still see some remaining settings and features of WHS that should have been taken care of.
If you have installed your certificate locally, export it out with the private key, then try the manual ssl installation steps.
Hi Robert,
I should have read your forum before :-( . I have been trying to set up users to access their email from anywhere but so far no luck. I installed a GoDaddy certificate on the server, opened and redirected traffic on firewall (80, 443) but when I try to access https://remote.mydomain.com/owa it does not find the site (HTTP 404). I am lost !!!
Hi Sara,
Are you sure you have SBS Essentials?
Exchange is not included with SBS Essentials.
If you are using SBS Standard, Exchange is included, and I would be happy to try and help you solve your issue.
Thank you for your prompt reply.
I am sorry, I meant Small Business Server 2011 Standard Edition.
Thanks.
Ok no problem.
Do you want to email me with your details and I’ll see if I can help?
Hi Rob, Thanks, I am going to take a rain check on this one, it turned out to be a firewall issue :-) -> resolved. Great blog btw, I will continue to follow it as I navigate this SBS sea. Cheers, Sara
After setting up a xxxx.remotewebaccess.com domain I can access the RWA page although with certificate error. Installing the certificate in IE9 under Win7 doesn’t help.
Remote desktop attempts to SBS 2011 Essentials Server give an RD gateway error (“can’t verify identify of RD gateway) which prevents connection.
Is there anyway to export certificates from SBS 2011E and import on the remote client?
Any help will be appreciated.
The remotewebaccess domain (provided by Microsoft) should install a trusted SSL for you.
You would be better off troubleshooting that instead of worrying about a self signed cert.
Thanks Robert. I’ll focus on that. Is it correct that this approach works on all versions of Win7 (including Home premium)?
If using the trusted SSL it works on any platform to access the server. However you can only remote access IN TO a Pro / Business or higher SkU.
Robert, I have successfully set up RWA following the advice here. However, the Users folders which are created when the user is setup, cannot be accessed by the user – it says access denied. Administrators can open these folders. What needs to be done?
Access denied via the RWA, or through Windows Explorer, or both?
We cannot access through RWA or Windows Explorer. It says we do not have permission to access this folder.
Robert,
I’m running SBS2011 Standard and have configured my internet domain name, but would like to change it. I’ve tried to re-run the wizard, but it states “you must run the connect to internet wizard”. This wizard errors with a message stating email is not properly configured… All I want to do is change my internet domain name, which was provisioned through godaddy. Any help/guidance would be greatly appreciated.
Have you made any customisations in Exchange? Changing receive connectors / send connectors / address policy?
I have a DSL/router that has port 80 locked for its web. I can forward any other port; is there a way to use a different port like 8080 with the remotewebaccess domain (provided by Microsoft)?
You should use port 443, and tell the server you want to manually configure your router. However it may still fail; if so I would consider using a different router.
Very well written post… one of the best I have read in many years. You are to be congratulated for your patience, depth of understanding, and most importantly, your wonderful sense of humor clearly refined over several years dealing with these issues. Well done. I have just read what I have just experienced personally attempting the same outcome. Not gratifying by any means but just goes to show us technicians in the field lose a good part of our life supporting well intentioned concepts but poorly provisioned tools.
That’s an awesome post. That was like an M. Night Shyamalan twist at the end. Here I was going through your post getting frustrated along with you and BOOM! Microsoft goes and completely redeems themselves with their own easier, FREE, way of doing it. Thanks for the post! It saved me, money, time, frustration, and added years to my life! Thanks!!!
Wow what a n00b. It’s people like you that make the Internet so insecure.
Care to elaborate, or are you just in the neighborhood giving IT Security Advice?
I’m having problems with the remotewebacces.com service.
Everything is set up correctly (server side) but when I go to: https://bekaert.remotewebacces.com
nothing happens, “cannot display web page”.
I’ve linked up a dydns to my router and this works fine:
https://bks.dynalias.com/
Is there some website where I can check the remotewebacces service?
Any help is more than welcome.
Does your remote web access address tie up to the right ip? Remember that will work with a dynamic ip so no need to use an additional third party dynamic dns service.
The remotewebacces.com address is not even resolving .. do know where it goes wrong and I don’t know how to troubleshoot this.
I’m sure my port configuration is correct because my server is reachable through dynalias…
So anybody???
Port config is correct if it works via the other address.
Use the logs under, c:\programdata\Microsoft\windowsserver\
There should be some (obvious names) relating to the RWA domain config.
Does the wizard all complete correctly?
Wizard is OK; only thing to know is that I configured my router myself. I’m checking the logs to see if I can find out more.
Do you have to purchase a static IP address in order to use the remote web access function?
No it will work with a dynamic IP.