After logging into CompanyWeb can't access computers

mrbeepa

Technical User
Apr 14, 2009
11
US
We are using SBS 2008. I have very little experience in networking. (Very small business and someone had to do it!)

That said here is the problem:
I have set up 2 users as administrators, myself and the owner, we can log in to the company web remotely. But when we go to log on to one of the company computers the logon fails? It is the same logon as getting into the remote website so this is confusing me.

To restate my problem: Why do our credentials work fine to get into the Company Web (SBS app) but when we try to log on to a remote computer (through the company web links) it again asks us for authentication but fails. We have tried every way possible without success. (Ways possible being, variations of domain name and login name with a slash/ or @ sign then name or name first.)

Here's some misc information that may or may not be useful:

1.) created a certificate issued by our server (self) and installed them on our home computers.

2.) set up CAPs and RAPs even though I think they do not affect our situation. ( I think they are only for running the server as a terminal server [whatever that is! :) ])

3.) all of our home and network computers are running various versions of Vista except the server of course it is SBS 2008.

4.) we have tried using just remote logon without going through company web and it has the same problem and doesn't accept our logon/password.

When you reply please know that I have only a slight knowledge of server side networking. My only experience with SBS is through setting up this server which does work for handling our email so far.

We really need home access to our desktops.
 
Hang on, you're trying to access resources thru your website?

Can you clear this up, is this an external internet site that you created or an intranet (internal only)?

What kind of Firewall do you have in place?
Why would you want to grant access to your pc's from the website?

I would suggest at this stage that the OS is doing exactly what it should be doing, it's hardened the attack surface of your OS and network by not allowing remote access to your systems... a good thing if you don't know what you're doing.

You need to look at setting up some kind of VPN solution (Virtual Private Network), preferably with a token of some sorts (RSA\Cisco) and having a Firewall configured with just the right access.

You certainly DON'T want to allow unrestricted\unprotected access to your workstations.

Simon

The real world is not about exam scores, it's about ability.

 
Sorry if I did not supply enough information:
We have a small network set up at the office consisting of 1 server running SBS 2008 and 2 other computers. One is used mostly by the owner's wife doing secretarial duties and the other is used by myself and the owner for various programming and website jobs. The network is behind a router and a switch which maintains a firewall. While experimenting with getting us access from our homes and on the road our firewalls on the 2 work computers are disabled. When we figure out what we need to have open we will activate the firewalls on our computers on the network. We want to be able to work at our computers as if we were sitting at work from our homes, and on the road as there is a lot of travel involved in our daily lives and work routines. We are not wanting to open this up to anyone and everyone and I'm not sure where you got that impression. I am just trying to figure out how to get the authentication process to work so we can access our computer desktops remotely.

We actually had it working briefly and then something has happened that I am unable to determine and the access is stopped. We don't necessarily have to go through the "Company Web" site which is a part of SBS 2008. But when you log on to the SBS CompanyWeb there is an option to connect to computers on the network. So I have been trying to do it through there as well as just remote desktop from home. At this time neither will allow access to our work computers other than logging into the SBS 2008 CompanyWeb that is part of SBS. (not a site we created it is part of SBS 2008).

We definitely do not want anyone else having this access and we will in the future want VPN as well. But right now I'm just trying to get remote desktop access to our work computers.

I hope this helps you understand my intentions? Like I said not sure why you perceived that I wanted to open our business network up to others. That is why I am working with authentication issues?
 
after I posted my response I noticed I didn't specifically state that the "CompanyWeb" I am referring to is an intranet site not an internet site.
 
I have been reading and maybe it would also help you to know that the certificate we use was self issued and is for the purpose of server authentication and client authentication.
 
Sorry but I am still confused.

How are you managing to connect remotely if your site is intranet based? Intranet based indicates that it has no external facing components.

As to the leaving it open to others to access, what I mean by that is that if you're not properly securing your environment you're enabling people (crackers) to potentially access your network thru insecure ports\protocols.

Do you still have the Certificate Authority working (the method you used to create the certificates)?
Has anything been revoked where the certificates are concerned?

Have you opened up the ports for RDP on your firewalls\routers (TCP port 3389 usually).

I am not up to date on SBS at all but the

Simon

The real world is not about exam scores, it's about ability.

 
sorry, meant to delete the last line.

Simon

The real world is not about exam scores, it's about ability.

 
I'm not sure? My perception of an intranet does not preclude remote access from authorized users?

As to what's facing out, all the computers in the intranet (our business network) have internet access through the router. We have only certain ports open.

All http goes to a specific server a linux box for which we have designed a specific purpose.

Https goes to the SBS2008 server. Also all mail is routed to the SBS2008 server from an external leased linux box in New York. Where it gets hazy for me is the control our SBS server has over the access of the other computers in the network. Since all http goes to the linux server which runs a specific software. We can only access through https which is through the SBS server.

The router directs all the traffic as mentioned above and blocks all other incoming traffic.

We do have port 3389 open for the purpose of RDP. We also have port 443 as during some of my reading I began to think that it may also be used by RDP. (I'm meaning Remote Desktop Protocol = RDP.)

The external box is not part of the intranet. It only forwards mail to the SBS2008 server and runs our external web sites.

Now if having the above mentioned structure makes this network not an intranet then I will stop using that reference. I can tell you I really don't know and I thought I was using the term in the proper context?

I hope this helps clarify things. I am sure the confusion is being created because I do now well understand running an SBS server and remote access. For that I apologize. I am willing to supply you with as much information as you might need.

Thank you for taking time to sift through all this and help me! :)
 
The fourth to last line should read "I do not well understand" instead of "I do now well understand" :)
I don't see anywhere to edit my posts?
 
To clear the inter\intra net thing up. An intranet is usually an internal facing web portal that can't be linked to externally, it's usually the place where you put company information that wouldn't\shouldn't be made public. The Internet obviously is an external facing website that usually anyone with a browser can access (to a degree).

Now where it can get confusing is with something called an Extranet, an Extranet is where you allow 3rd party companies (usually suppliers and the like) access to certain parts of your intranet.

The 443 port you mentioned is the port used for https (also known as SSL or Secure Socket Layer), there should be a port\nat entry on your firewall that redirects all :443 traffic to your SBS server (as well as port 143 for IMAP for your mail).

RDP only uses 3389 unless you're using RDP over SSH in which case it would use 443 but only if you had enabled an SSH provider.


I am starting to think that the reason this is failing is more down to the network addressing that you're using, bear with me and you will understand.

If you're accessing your website remotely from home then you will be on a subnet issued by your ISP. You then connect to your website and try and launch an RDP session to your computers at work that would be assigned the IP address from the scheme you use at work (whether it's 10.x, 172.x or 192.x). Unfortunately those addresses wouldn't be reachable from your remote pc because it is trying to gain access to an address that it doesn't know about (it doesn't know the route into your work network).

Now the normal way around this is via the VPN route, a VPN solution would connect you into a vlan\subnet on your corporate lan that has routed access to the other vlan\subnets on your network, your home pc then has two network addresses, the ISP issues one and the VPN one, what happens is that all traffic from your home pc is now tunneled through the VPN connection until you drop it (so that potentially means no websurfing etc whilst on the VPN).

Unless you're using a public IP address scheme on your corporate network and you're publishing the computer names onto DNS you're not going to connect to those boxes without some kind of remote access (VPN) solution going in. The only potential (and I don't know for sure) would be if you were to use some kind of Terminal Services connection instead, unfortunately I don't know TS at all.

Simon

The real world is not about exam scores, it's about ability.
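
The addressing problem described in the post above, worked through as an added example that is not part of the original thread. It models the office router's inbound forwards as the thread describes them (HTTP to the Linux box, HTTPS to the SBS server, 3389 open) and reports what a home PC can reach with and without a VPN; every address, and the target of the 3389 forward, is a hypothetical placeholder.

```python
import ipaddress

# The private ranges the post calls "10.x, 172.x or 192.x" (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data: placeholder addresses, not values from the thread.
ROUTER_PUBLIC_IP = "203.0.113.10"     # documentation range (RFC 5737)
FORWARDS = {
    80: "192.168.1.20",               # Linux web box
    443: "192.168.1.2",               # SBS 2008 server
    3389: "192.168.1.2",              # assumption: thread does not say where 3389 goes
}


def is_rfc1918(addr):
    """True if addr lies in one of the three private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def remote_path(target, port, on_vpn=False):
    """Return (outcome, internal_host) for a home PC connecting to target:port."""
    if on_vpn:
        # The tunnel gives the home PC a route into the office subnet.
        return ("direct", target)
    if is_rfc1918(target):
        # No route exists on the internet for a private address.
        return ("unroutable", None)
    if target != ROUTER_PUBLIC_IP:
        return ("other-host", None)
    inside = FORWARDS.get(port)
    if inside is None:
        return ("blocked", None)
    # One forward per port: only this single internal host answers.
    return ("forwarded", inside)


def exposed_services():
    """List ports the router forwards from the internet, for a firewall review."""
    return sorted(FORWARDS.items())


if __name__ == "__main__":
    for args in [("192.168.1.50", 3389), (ROUTER_PUBLIC_IP, 3389),
                 (ROUTER_PUBLIC_IP, 22)]:
        print(args, "->", remote_path(*args))
    print("via VPN ->", remote_path("192.168.1.50", 3389, on_vpn=True))
```
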

 
Thank you for clearing my confusion of the terms. :)

Now does it help that we have assigned our SBS Box as a local DNS server? When we hit the SBS server if it has the DNS role and capability then wouldn't it be able to supply the needed IP addresses? Or am I still not quite grasping that part?
 
Nope, the SBS server DNS would only be supplying DNS to internal clients, your remote pc's would be using a different DNS server (the ISP's one).

Again the problem with internal DNS comes down to the address range you're using, if it's a public address (rare these days) then you would normally be hosting DNS and publishing it to an upstream DNS server somewhere (usually the ISP but not all the time), what's more likely in your case is that you're using an IP address from the private range which simply isn't routable on the internet.

Simon

The real world is not about exam scores, it's about ability.

 
Sorry to say but I am going to bed (it's now midnight here and I am up in 6 hours (or less depending on my son)).

I will have a look in the morning mate.

Simon

The real world is not about exam scores, it's about ability.

 
Another question since you mentioned VPN, would we have Remote Desktop through VPN? I was under the impression that using VPN was a direct tunnel to the files on the work computer but not the Desktop as in Remote Desktop scenario?

If I can log on and run my work computer through a VPN connection just like I was sitting there at my work location then I wouldn't mind not having the Internet access from my work computers end because I'd still have it at home. Though I would prefer the way it was the first time it worked for us I was able to access my work desktop and run every program as if I was there that included checking my mail and surfing the internet. (I don't know what happened that started limiting our access. With two people doing administrator functions I guess it was bound to happen.)
Now I'm the only one doing it and need to find a way to get it going again! :)
 
Oh yeah get the sleep man! preciate your continued patience!
Chat at you tomorrow if you get a chance. :)
 
Did you get any further with this MrBeepa?

As far as RDP across the VPN goes, there is no reason why you shouldn't be able to do that. The idea with the VPN is that it makes like you're connected locally to be able to run applications etc, be that an Outlook client or an RDP session to another pc.

Simon

The real world is not about exam scores, it's about ability.

 
Hello again.

Maybe you can clarify the difference between RDP and VPN. Because your description of VPN is exactly what I was thinking I was doing with RDP?

When we did have access. I hadn't set up VPN so I thought I was doing just a RDP connection. But when logged in from home it was like being at my computer at work. I could run all the programs and even use the printers etc. I am not familiar with VPN but I know it is enabled/allowed on the server? But I would be happy no matter which way I go as long as I can get that sort of access (securely) to our work computers.

Not sure if you have given up on that or not? :)

I do appreciate the time you have spent on this.
 
RDP is the client\protocol used to connect to another machine, depending on how you configure your workstations you can either interact with a logged on user (remote assistance) or have a console of your own doing work on that server (like a terminal services connection). The machine is limited to two connections (the limit MS has on the client unless you go down the route of a full Terminal Services server role).

VPN is a virtual private network, it is used normally to connect remote workers back to the office, it's generally used on laptops although there is no reason it can't be put onto a desktop machine either. It is basically extending your internal network to your remote pc, it allows you (depending on how it's configured) to do pretty much all you would from the office...but.. if you want to run software that you would want to run in your office it needs to be installed on that machine as well.

It is possible for you to run a VPN client that connects you to your office network and then run the MSTSC (Microsoft Terminal Services Client.. go to start\run\mstsc to launch it) and connect to another machine on the network.. obviously that machine needs to be on for you to connect to it.

In the case where you have travelling staff (sales reps etc) you would normally expect them to be able to connect back to the office with the vpn.

One slight difference that I will add, if all you need is for your users to connect to an Exchange environment you would potentially create an OWA (Outlook Web Access) site instead, it gives users access to their mailboxes from any web browser anywhere in the world. It saves on having to maintain a VPN infrastructure and providing laptops to people.

I am not suggesting however that OWA is the route for you, just mentioning that it's an option for some people.

Simon

The real world is not about exam scores, it's about ability.

 