Ninja Feature: Remote Web Workplace in SBS2003

Remote Web Workplace is (in my humble opinion) The Ninja Feature of SBS2003. In fact, it gets the inaugural EBTDF Ninja Feature award for being so cool.

It's a Ninja Feature!

Thanks to Susan Bradley for putting me on to it.

Let me say right now – if you’re using Small Business Server 2003, and you were thinking of fiddling around with TSWeb, hacked connection pages and port mappings, don’t!

Use Remote Web Workplace instead. It’s (often) as simple as “running the CEICW”, which SBS people tell me that other SBS people will understand (the Email and Internet Wizard).

What Is Remote Web Workplace?

It’s a web portal through which authenticated users can access:

 – Remote Desktop to internal WinXP Pro boxen and Terminal Servers (on tcp port 4125)
 – Outlook Web Access
 – SharePoint (on port 444)

In short, the idea is that using one or all of the above, you can do anything you can do while in the office, from anywhere (alright, close to anywhere!).

The portal looks a lot like this when you’re connected as a user:

Now, I’m assuming everyone’s familiar with OWA; if not, there’s a plethora of information on it, ready for the searching (start at – in really simple terms, it’s a browser-based version of Outlook connected to your Exchange server.

While OWA’s cool and all, the bit I’m really impressed/happy/interested with is the Remote Desktop access to internal computers. Without having to hax0r the TSWeb connection page or forward ports manually!

Not Your Father’s TSWeb

In real simple terms, RWW provides an RDP Proxy for incoming RDP connections. So the same external port can be used by multiple internal clients, which isn’t otherwise possible.

RDP is Remote Desktop Protocol. It’s the protocol that all the little TS Clients use to draw the screens from the big Terminal Servers, and also how the Remote Desktop client connects to a Windows XP Pro machine with Remote Desktop enabled.

Once you’ve got it set up, here’s how RWW works: (note: my brand-new understanding – if in doubt, believe the docs over me).

Using IE, you make an HTTPS connection to the Remote website on the SBS box (

You submit your user credentials (which are protected from external snooping using SSL), and these are used to authenticate you and work out what options you’ll be given on the RWW page.

Once authenticated, you’re staring at something akin to the screenshot above.

You click the “Connect to my computer at work” item, and are presented with a list of Remote Desktop enabled computers in the Active Directory:

You pick the computer you’re interested in, and hit Connect.

What happens here is even more interesting: you’re directed to a TSWeb connection URL, the TSWeb ActiveX control fires up (it may need to be installed on the way), and then it connects to the RDP proxy on tcp port 4125 – not the regular TS port of 3389 (remote administration of the SBS box itself still happens on 3389, though).

The RDP Proxy creates a connection to the target computer, at which point you’re prompted for your username and password again to log you onto the computer (unless you’ve ticked the “Log on to selected computer” option, as above). Then, you can do whatever you want, as if you were sitting at your work PC. Magic.

I need to note at this point that you’re using straight RDP from the client to the SBS server, with RDP encryption (RC4, up to 128-bit keys). The RDP session is not additionally wrapped in an SSL tunnel: the connection to the RWW portal is made over SSL, but that is a separate connection.

This does mean that if you’re on a network that doesn’t allow 4125/tcp outbound (and let’s face it – it’s not exactly a port everyone recognizes yet), you might need to politely request that you’re allowed to use it. Please. Nice Mr Firewall Man.
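
As an added example (not from the original post or from Microsoft): a small Python check you can run from the remote network to see which of the ports mentioned above get through, and what the user would see when one is blocked. Port 443 for the HTTPS portal is an assumption (the post only says HTTPS), and the host name is a placeholder.

```python
import socket

# Ports the post names for RWW. 443 is an assumption: the post only says "HTTPS".
STAGES = [
    ("portal", 443, "RWW logon page (HTTPS)"),
    ("companyweb", 444, "SharePoint companyweb"),
    ("rdp_proxy", 4125, "RDP proxy used by 'Connect to my computer at work'"),
    ("sbs_admin", 3389, "Remote Desktop administration of the SBS box itself"),
]

def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable, DNS failure
        return False

def check_rww(host, stages=STAGES, timeout=3.0):
    """Probe each stage and return {stage_name: reachable}."""
    return {name: tcp_open(host, port, timeout) for name, port, _ in stages}

def diagnose(results):
    """Turn probe results into the failure the user would actually see."""
    if not results.get("portal"):
        return ["Portal unreachable: no logon page, so nothing else in RWW is offered."]
    notes = []
    if not results.get("rdp_proxy"):
        notes.append("Portal works but 4125/tcp is blocked: logon succeeds, "
                     "the desktop connection fails. Ask for 4125/tcp outbound.")
    if not results.get("companyweb"):
        notes.append("444/tcp is blocked: the SharePoint link will not load.")
    if not results.get("sbs_admin"):
        notes.append("3389/tcp is blocked: affects remote admin of the SBS box only, "
                     "not desktops reached through the proxy.")
    return notes or ["All RWW ports reachable from this network."]

if __name__ == "__main__":
    import sys
    # Placeholder host name; pass your own server's external name as the argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "sbs.example.invalid"
    res = check_rww(host)
    for name, port, what in STAGES:
        print(f"{port:>5}/tcp {'open' if res[name] else 'BLOCKED':8} {what}")
    print("\n".join(diagnose(res)))
```
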

More info on RWW:

For more information, start with the Support Webcast. Then set it up!

!Highly Recommended! Remote Web Workplace: The Support Webcast

(if the images seem familiar, well, that’s because they are…)

Help Your Team Work From Home (without breaking their legs)

Matt Hyunh’s mentioned RWW before – in fact, to date a whopping 50% of his blog posts have mentioned it. Might be worth watching!

It’s good. Go play.

Comments (5)

  1. Anonymous says:

    Today’s technical note concerns Remote Web Workplace in Small Business Server. You see, Remote Web Workplace has to make the assumption that it’s only got one external IP address to play with when you set it up, so it has…

  2. Anonymous says:

    Indy asks if there’s a Remote Web Workplace equivalent in big server land….

    <insert evil cackle…

  3. Ernesto Salas says:

    Tristan: I fully agree the RWW is a truly great feature. The only thing that bothers me is that you have to publish an internal LAN server (SBS) on the internet using either direct translation or some other means to be able to use it from the web. For some reason I’d have found it more palatable to have some sort of mini-sbs/rww on an external box (maybe even on a DMZ), so that the external connections would be pure http (port 80) and then have the SBS box handle all connections to the LAN through the service specific ports. That way I would’ve been able to set better security (only SBS box has access to special ports, all others only have port 80 access to external SBS). By the way, this is the way Citrix handles it. Talk to you soon.

  4. TristanK says:

    Hi Ernesto,

    Thanks for your comment. Yes, in this case, the SBS machine is exposing ports to the Internet from the internal network: 3389 for Remote Desktop admin, 4125 for the internal RDP proxy and 444 for companyweb.

    You could think of this as providing quick and easy remote access to the network, without the need for purchasing a separate Terminal Server. A TS in the DMZ would be good, but it’s a comparatively expensive option.

    We don’t have a client capable of doing a Web protocol only remote desktop connection, so Citrix are a good value-add there for the scenario you describe.

  5. Port 80 is more attacked than 3389, 4125 and 444. I’d rather not have an exposed port 80.
