After getting WHS up and running, I wanted to see what it would take to access WHS remotely. Because my router already forwards such ports as 443, 3389 and 4125 to my SBS Premium server, I was stepping into fairly unknown waters for me. As I tell people, I barely can spell “ISA”.
Assumptions / Prerequisites:
1. I was hoping to take an approach that would NOT mess with how I currently access my SBS server via RWW, OWA, RDP. And I almost succeeded. Unfortuantely port 4125 (RWW) can be changed on the SBS server, but it is hard coded for WHS. I will address the 4125 issue in a followup post.
2. For this first attempt, I knew that I would NOT be using the WHS generated domain name (*.homeserver.com), since I would have conflicts with the SSL on my SBS box and SSL on my WHS box. So, my plan was to use my public URL and the SBS self-signed cert that I use to access my SBS server.
I use TZO since my SBS server is on a dynamic IP. So I have a TZO URL (xxx.tzo.com) pointing to the public IP address of my SBS server. Since https://xxx.tzo.com/remote is routed to my SBS box, my goal is to configure ISA so that https://xxx.txo.com/whsremote takes me directly to my WHS box.
3. Because I would not be using the WHS SSL cert, I would be using https to get to my SBS box, but then http to forward requests to my WHS box.
I have a fairly standard 2-nic SBS Premium network setup. The Verizon FIOS modem is attached to a Linksys DSL/cable router box, which is connect to NIC-1 on my SBS server. NIC-2 is attached to a switch where all my other workstations and WHS server are connected.
SBS Server Changes:
For this first attempt, I used the SBS Web Listener already in place rather than creating an additional new web listener in ISA. So all I had to do was to create a new Web Publishing rule in ISA (right click on Firewall Policy, New > Web Server Publishing Rule), with the following details:
Name of rule: WHS
To: KWHOME (this is the computer name of my WHS server)
Do not enable forward original host headers
Select ‘Requests appear to come from the ISA server’
Listener: SBS Web Listener
Public Name: all requests
External: /whsremote/* Internal: /home/*
External: <same as internel name> Internal: /remote/*
Bridging: Enable ‘Redirect requests to HTTP port 80’, Disable ‘Redirect requests to SSL port’
Edit Hosts file:
On my SBS server I edited the HOSTS file (located at c:\windows\system32\drivers\etc) using Notepad, and included the following line:
WHS Server Changes:
Disable WHS requirement for SSL:
Go to IIS on the WHS box and disable the SSL requirement for the WHS default web site.
Access the WHS Windows desktop, and click on Start > All Programs > IIS
Drill down Web Sites > Default Web Site > Remote
Right click on Remote and click Properties
Click on the Directory Security tab
Uncheck ‘Require secure channel (SSL)’
I applied the following regedits to the WHS server to address RSS/TCPChimney issues. It may not be necessary for all cases:
With these changes, from any remote computer I can go to https://xxx.tzo.com/whsremote and login to my WHS server. I can also browse shared folders, and upload/download files. But I cannot remotely access the WHS console or workstations via RWW on the WHS server, as I need to tweak 4125. That’s for a later blog.