Inside the Remote Web Workplace - Part I

In this first part of a two-part series, Justin Crosby gives an overview of the SBS 2003 Remote Web Workplace (RWW).  This article explores the functionality and basic workings of RWW, and is appropriate for both end users and new SBS admins.  Part II will delve in-depth to look at the underlying architecture and advanced troubleshooting.

What is the Remote Web Workplace?

The Remote Web Workplace (RWW) is a dynamically updated web site that provides a single, simple, secure, and consolidated entry point for remote users to access SBS features. It empowers external SBS users by providing one place from which all relevant features of SBS, such as Outlook Web Access and the user’s desktop, can be accessed from outside the network firewall. This feature is only available in SBS 2003.

 

Remote Web Workplace – Logon Page

When users navigate their browsers to the Remote Web Workplace web site, they are first presented with a forms-based authentication logon page. Users are required to enter a valid domain user name and password.  The page does not request the domain name; during the authentication process, the existing SBS domain name will be forwarded with the user’s logon credentials.  The logon page also contains a connection speed drop-down menu that allows the user to configure the connection speed for the session, and subsequently set performance options within the site. This menu will be set to Broadband by default. The options available to the user are:

 

Modem (28.8 Kbps)

Modem (56 Kbps)

Broadband

Small Business Network

 

The connection speed drop down controls the following settings:

| Connection Speed | Terminal Server Performance Option | Outlook Web Access Mode |
|---|---|---|
| Modem (28.8k) | Enable Bitmap Caching | Basic |
| Modem (56k) | Enable Themes and Bitmap Caching | Basic |
| Broadband | Enable Show contents of windows while dragging, Menu and window animation, Themes, and Bitmap caching | Premium |
| Small Business Network | Enable Desktop background, Show contents of windows while dragging, Menu and window animation, Themes, and Bitmap caching | Premium |

During the rendering of the logon page, Internet Explorer’s credential cache is cleared. This is done to prevent conflicts with any existing cached credentials and sites on the server, such as OWA, which may use NTLM credentials.

 

Public or Shared Computer

On the logon page you will see a checkbox entitled “I’m using a public or shared computer”.  This checkbox controls two settings: the Connection Manager download and the idle timeout value.  If this box is checked, you will receive the following error if you attempt to download Connection Manager.

 

Because this is a shared or public computer, Connection Manager cannot be downloaded. As a security precaution, Connection Manager can be downloaded only to a computer that is not shared or public.

 

Leaving this box checked will configure the idle timeout to 20 minutes.  Un-checking this box will extend the timeout to 120 minutes.  This box is checked by default.  For more information on RWW idle timeout please read the next section.

 

Time Out

If there is no action from an external user after a set period of time (Default: 10 minutes), the session will time out and the user will have to log on again in order to use the site. On an internal SBS client computer (with “I’m using a public or shared computer” unchecked), the timeout is set to 20 minutes to allow for longer uninterrupted sessions and to avoid losing established remote desktop connections or e-mail in progress. One minute before expiration, users are prompted with a pop-up Yes/No window to confirm that they want to continue the session. This window appears above all others, and remains displayed for one minute.

 

 Your Remote Web Workplace session is about to expire due to inactivity. Do you want to continue using the site?

 

 

If the user does not respond after one minute, the pop-up window will disappear, and the user will be signed out. If the user selects No, the user is signed out. If the user selects Yes, the timer is reset to its internal or external limit appropriately.

 

Loading Page

After logging on, the user is presented with a blank page that has the text Loading… centered on it until the appropriate page (Knowledge Worker or Administrator Web Page) is loaded. The page is chosen based on the user credential. Non-administrators are redirected to the Knowledge Worker Page, while Administrators are redirected to the Administrator Page.

 

Expired Password

If it is determined that the user must change his/her password upon logging on to the site (for example, the password has expired or the account is set to User must change password at next logon), the logon page will present an error message to the user.  It will be followed by four text boxes: User name, Old password, New password, and Confirm new password.  By default, the user’s logon name is automatically entered in the User name field.

 

Knowledge Worker Page

Once a normal user (non-admin) has logged in, they will be presented with the Knowledge Worker page.  This page provides the user with a gateway to all of the resources of the SBS server.  The page is dynamically built based on the server’s current configuration, which means that the list is tailored to your server and may not completely match the list below.  In the RWW follow-up blog post we will go in-depth into what causes each link to appear.

 

 

Read my company e-mail

Use Outlook Web Access to manage your company e-mail

This link is only shown if Outlook Web Access (OWA) is installed and published. It opens OWA within the RWW frame. The logged on user’s credential is forwarded to the OWA site. This is implemented by sending a POST message directly to OWA that contains the logged on user’s user name and password, bypassing the OWA logon page. If the credential passed fails on the OWA authentication, the user is presented with the OWA logon page.

 

Connect to my computer at work

Work on your computer desktop just as you do in the office

This link opens the Computer Selection page that is populated with a list of all client computers on the network that are running Windows XP or above. If there is a user-to-computer mapping (%systemroot%\Inetpub\ClientSetup\usermap.txt) available, the known user’s computer will be selected by default from the list. Otherwise the user will have to manually select his/her workstation from the list of available computers.

Once a computer is selected, a terminal session to the computer will open in the same IE window. The credentials the user specified in the Connect as field will be used to establish connection with the selected workstation. The TS connection will be closed if the user clicks either the Main Menu or Log Off link.

This link will only be displayed if there is at least one computer running Windows XP or above on the network.

 

Connect to my company’s application-sharing server

Use shared company software, such as an application specific to your type of business.

If there is an additional Terminal Server on the network running in Application Sharing Mode, and the logged on user is a member of the TS Application Sharing group, then the Remote Web Workplace page will display a link to the secondary Terminal Server. The credentials the user enters in the Connect as field will be used to establish the session with the Terminal Server. The functionality will be the same as the TS-to-client feature discussed in the previous section.

 

Use my company’s internal Web site

View, create, and edit documents and announcements on the site.

This link is shown if SharePoint is installed and published. It opens Companyweb within the RWW frame. Users will always be prompted for user name and password if they are accessing SharePoint outside of the Small Business Server network.

To determine if SharePoint is installed, the following registry key is checked:

HKLM\Software\Microsoft\SmallBusinessServer\Intranet\STSVersion (REG_DWORD).

 

View Server Usage Report

Examine how server resources are being used in your business.

If the user is a member of Usage Report Users group, and the Monitoring web site is published, the View server usage report link is shown. This link provides the business owner a way to monitor how the server is being used while away from the office. Upon clicking the link, the Usage Report is opened within an RWW frame.

 

Download Connection Manager

You can download Connection Manager and use it to remotely connect a computer to your company’s network.

This link downloads sbspackage.exe to the computer accessing RWW.  When you run this program it will automatically create a VPN connection object that the user can use to VPN into the SBS network.  This link only appears if the RRAS wizard has been run on the SBS server.  You must be logged in with a private computer to be able to use this link.

 

Configure your computer to use Outlook via the Internet

 Learn how to configure Outlook on your remote computer to connect via the Internet to Windows Small Business Server.

This link opens step-by-step instructions on how to configure RPC over HTTP in remote Outlook 2003 clients.  This link is only available if you enabled the “Outlook via the Internet” option in the CEICW.

 

 

View Remote Web Workplace Help

Learn more about the Remote Web Workplace.

This link opens Client Help within the same IE window and points to the Remote Access Chapter.

 

Administrator Page

The Administrator Web Page is shown to all users belonging to the Domain Admins group. All possible links, grouped into Administrative Tasks and Additional Links, are available to administrators from this page.

 

Connect to Server Desktops

Access server desktops within the network

This link is always shown on the Administrators Page unless the administrator manually alters the registry to turn it off. It will link to the Computer Selection page populated with a list of servers in the SBS network, including the SBS server itself. The SBS server is selected from the list by default. This feature is similar to connecting to the client desktop as described earlier.

Connect to Client Desktops

Access client desktops within the network

This link opens a Computer Selection page in the same IE window from which a client computer is selected. Once a computer is selected, a TS connection to the computer will open in the same IE window. Credentials are forwarded to open the TS connection for the user. If the user selects the Connect as check box, it will function in the same manner as the other TS connections described earlier. This link is only displayed if there is at least one computer running Windows XP and it is not a server.

Monitor Help Desk

View a current list of issues for the networks

This link launches the SharePoint Help Desk in the same IE window so that the administrator can examine the issues on the network. User credentials will be forwarded to the SharePoint site. If SharePoint is not installed or published, the link is hidden.

Administer the company’s internal Web site

Edit, modify, and maintain the site

This link launches the SharePoint Administration page in the same IE window so that administrators can make changes to the SharePoint sites. Users will always be prompted for user name and password if they are accessing SharePoint from outside of the Small Business Server network.

 

View server performance report

View the most recent list of critical alerts, event log messages, and performance counters

This link allows the administrator to view the latest Performance Server Status Report (SSR) in the same IE window. User credentials will be forwarded to the Monitoring folder.

 

View server usage report

View how server resources are being used.

This link allows the administrator to view the latest Usage Status Report in the same IE window. User credentials will be forwarded to the Monitoring folder.

 

 

Use Outlook Web Access

Use Outlook Web Access to manage your company e-mail

Download Connection Manager

This link begins a download of the Connection Manager software to the client.

Provide Remote Assistance

Learn how to offer your client desktops Remote Assistance.

Configure your computer to use Outlook via the Internet

 Learn how to configure Outlook on your remote computer to connect via the Internet to Windows Small Business Server.

View Client Help

Learn more about the Remote Web Workplace.

Ask the Community

Redirects you to the SBS Community Web site at https://www.microsoft.com/windowsserver2003/sbs/community/default.mspx.

Remote Computer Selection

After the users select to connect to their computer desktop, they will receive the Computer Selection page. Depending upon the link selected, the list on this page will contain a different set of computers:

· Connect to my computer at work/Connect to Client Desktops
All SBS client computers that are running Windows XP or above. This list does not include servers or the computer from which the RWW is being accessed.

· Connect to Server Desktops
All Windows 2000 or 2003 servers.

· Connect to my company’s application-sharing server
All Windows 2000 or 2003 servers that are running TS Application-Sharing mode.

 

Before the page loads, the browser attempts to download the Microsoft Remote Desktop ActiveX Control, if it is not already present on the client. If the client cannot download the ActiveX Control, the user is returned to the main menu and presented with the following error message:

This portion of the Remote Web Workplace requires the Microsoft Remote Desktop ActiveX Control. Your browser’s security settings may be preventing you from downloading ActiveX controls. Adjust these settings, and try to connect again.

The Connect button will be unavailable (dimmed) until a client is selected.

As the TS session is established, the message Connecting… will be displayed in the center of the page. Unless full screen is used to connect to the remote desktop, it is rendered in the same IE window.

 

 

Users will need to install the following ActiveX control to use this feature of the RWW.

 

Once you successfully log on to your local client, your screen will look similar to this:

 

 

TS Proxy

In order to allow a remote desktop connection to a client computer through Remote Web Workplace, TS Proxy is used to forward TS requests through a firewall on TCP port 4125, in essence keeping the connection alive. Once the connection is established on port 4125, the traffic is then redirected to another dynamically allocated port. All subsequent traffic will flow through the new port at the server to the client at port 3389.

 

 

TS Proxy Connection Flow:

  1. User initializes a remote desktop session to an internal server through the RWW.
  2. The ActiveX control on the user’s machine makes a connection to the SBS server on TCP port 4125.
  3. The RDP Proxy on the SBS 2003 server makes a connection to the internal client on TCP port 3389.

--- Justin Crosby
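
The TS Proxy connection flow above gives a defender something to check in firewall logs: the ActiveX control only connects to TCP 4125 after the user has gone through RWW, so a 4125 connection from a source with no recent RWW web connection deserves a look. The following is an added example, not part of the original article; the log line format, the use of port 443 for the RWW site, and the 120-minute window are assumptions, and the sample log is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample firewall log: timestamp, source IP, destination TCP port.
SAMPLE_LOG = """\
2005-03-01T09:00:05 203.0.113.10 443
2005-03-01T09:02:40 203.0.113.10 4125
2005-03-01T09:30:00 198.51.100.7 4125
2005-03-01T12:15:00 203.0.113.10 4125
not a log line
"""

RWW_WEB_PORT = 443      # assumption: the RWW site is published over HTTPS
TS_PROXY_PORT = 4125    # from the article: TS Proxy accepts requests on TCP 4125


def parse(line):
    """Return (time, src, port), or None for lines that do not match."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], int(parts[2])
    except ValueError:
        return None


def orphan_proxy_connections(log_text, window_minutes=120):
    """Flag TS Proxy connections that have no RWW web connection from the
    same source inside the preceding window."""
    window = timedelta(minutes=window_minutes)
    last_web = {}   # source IP -> time of its most recent RWW web connection
    flagged = []
    events = sorted(e for e in map(parse, log_text.splitlines()) if e)
    for when, src, port in events:
        if port == RWW_WEB_PORT:
            last_web[src] = when
        elif port == TS_PROXY_PORT:
            seen = last_web.get(src)
            if seen is None or when - seen > window:
                flagged.append((when.isoformat(), src))
    return flagged


if __name__ == "__main__":
    for when, src in orphan_proxy_connections(SAMPLE_LOG):
        print(f"review: {src} reached TCP {TS_PROXY_PORT} at {when} "
              "without a recent RWW web connection")
```

This is a heuristic: clients behind a NAT pool may reach the web site and port 4125 from different addresses, so treat a hit as a prompt for review rather than proof of misuse.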