Back in the SBS 2003 timeframe, having an Internet domain name for remote access to your server started to become more and more essential. With the SBS 2008 product, we added the ability to work with domain partners directly inside the product to obtain that domain name and also configure it. This same methodology was carried over to the SBS 2011 Standard product, and with the birth of Essentials later this year, we added the ability to also get your SSL certificate as part of this process. This moves you away from the self-issued certificate, which, while it can be configured to work correctly, creates a lot of work pushing the root certificate out to all the remote PCs and devices that might connect to the server.
I believe the best path to success is to have your domain with one of our domain partners, because the alerts are integrated, the solution is simple to set up, and you don't need any additional components such as third-party Dynamic DNS clients or a static IP address from your Internet Service Provider (ISP). It's a built-in Dynamic DNS client that has been completely tested by both our third-party vendors and the Microsoft test team.
However, if you must manually configure your domain name, in SBS 2011 Essentials the path for doing so is more hidden, and I wanted to share how to do it. First off, your domain name cannot be with GoDaddy or eNom if you want to manually configure it; we optimize for the automated cases mentioned above. So let's get started with manually configuring our domain name.
- Open the Server Dashboard and click on the Server Settings link.
- On the Remote Web Access tab, select Turn On.
- Choose to configure the router, or skip the router configuration. If your router does not support the UPnP-based configuration protocol, or you have UPnP disabled and want to keep it that way, it's recommended that you skip the router configuration. If this is the case, you should:
  - Create a DHCP reservation for your server in your router's DHCP server (or other DHCP server on the network) so that your server gets the same IP address every time.
  - Open at a minimum port 443 from the Internet to the router, forwarded to the server's reserved internal IP address, using the TCP protocol (UDP is not needed). If you do not wish to educate users to type in https://, then you should also open port 80 to the same internal IP address. The server will automatically redirect http:// requests to the SSL-secured https:// URLs.
- When you have finished the router configuration portion of remote access, choose Set up your domain name.
- Click Next on the Getting started page of the wizard.
- When manually configuring a domain name, the server assumes you already own it. So on the Do you own a domain name page of the wizard, select I want to use a domain I already own and type in the name of the domain, e.g. contoso.com.
  - Note: if your domain name is with eNom Central or GoDaddy, you'll be asked to use that service instead of manually configuring your domain name.
- On the following page, select Set up my domain name manually, and click Next.
- On the following page, you will be shown a help topic on how to set up your domain name manually by clicking the I want to set up my domain name manually link.
- Outside of the wizard, to set up your domain name, you'll have to log in to your domain name provider and make the following changes:
  - (a) Create an A record called "remote" (if you choose to use remote.contoso.com) that points to the static public IP address your ISP assigned (the external IP of the router in front of your server).
  - (b) Ensure that the IP address from your ISP is static (doesn't change). If this is not an option, you can look into a third-party dynamic DNS solution and ensure that it's kept updated. If you go with the Dynamic DNS option, then (a) above should probably be a CNAME to the host name provided by the Dynamic DNS company.
- Once you have completed the above steps, confirm that your domain is set up, check the box and click Next.
- Next you will need a certificate for your domain name. This certificate secures web traffic to your domain. It's VERY important that the certificate name (remote.contoso.com) matches the A record you created above. Without a match, your users will get a certificate warning. (You can change the "remote" host name using the Advanced button.)
- This generates a certificate request. You'll have to find a certificate provider (both GoDaddy and eNom Central offer low-cost certificates) and follow their instructions on how to get a certificate. They will need the certificate request string shown in the wizard. To copy this into a web page, simply press the Copy button and paste it into the certificate provider's web page when asked.
- Most inexpensive certificates are issued immediately, but if you live in a country that doesn't do this, or you purchased a higher-end certificate, you might have to wait. I do want to take a second and tell you that yes, you only need the cheapest of certificates. The SBS team has gone to a great deal of effort to ensure that you only need the cheapest option, with no multi-name or wildcard certificate required. If you choose to upgrade, it should be for another reason than those mentioned. So if your provider needs more time, just tell the wizard and follow the instructions.
- Once you have the certificate string, or file, you'll have to import it into the server using the next page of the wizard.
- Now you're finished, and your domain name is set up.
You know you're correct when, on a computer outside of your network, you type NSLOOKUP remote.contoso.com (substituting your own domain name) and it returns the static external IP address of the router (the one your ISP gives you), and when you browse to http://remote.contoso.com/remote you don't get a certificate warning when the logon page comes up. This confirms both that port 443 is forwarded correctly on the router and that the certificate is installed correctly. Additionally, all the errors in your dashboard should disappear, if they were there in the first place (it can take up to 30 minutes for these alerts to clear).
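As an added example (not part of the original post), here is the outside-the-network check above written as a small Python script: it resolves the remote host name, validates the certificate chain on port 443, and reports whether the names in the certificate actually cover the host name you typed. The remote.contoso.com name comes from the post; the 203.0.113.10 address is a placeholder for your ISP-assigned IP, and the embedded sample certificate dictionary is constructed to show the mismatch you get when the certificate was issued for the bare domain instead of the "remote" host.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real certificate.
# It models a certificate issued for the bare domain rather than for remote.contoso.co.uk.
SAMPLE_CERT = {
    "subject": ((("commonName", "contoso.co.uk"),),),
    "subjectAltName": (("DNS", "contoso.co.uk"), ("DNS", "www.contoso.co.uk")),
}

def cert_names(cert):
    """Every DNS name the certificate is valid for: SAN dNSName entries first, then the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names

def name_matches(pattern, hostname):
    """Case-insensitive exact match, or a single leftmost wildcard label (*.contoso.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".", 1)
        return len(labels) == 2 and labels[1] == pattern[2:]
    return False

def cert_covers(cert, hostname):
    """True when a browser would not raise a name-mismatch warning for hostname."""
    return any(name_matches(name, hostname) for name in cert_names(cert))

def check_remote_access(hostname, expected_ip, port=443):
    """Live check from outside the network: A record, validated chain, and name match on port 443."""
    resolved = socket.gethostbyname(hostname)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # we match the name ourselves to report what the cert carries
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must still validate; a self-issued cert fails here
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return {"resolved_ip": resolved, "ip_ok": resolved == expected_ip,
            "cert_names": cert_names(cert), "name_ok": cert_covers(cert, hostname)}

if __name__ == "__main__":
    # Placeholders: replace with your own remote host name and the public IP your ISP assigned.
    print(check_remote_access("remote.contoso.com", "203.0.113.10"))
```

If the chain does not validate (for example, the self-issued certificate is still bound to port 443), `check_remote_access` raises `ssl.SSLCertVerificationError` rather than returning, which is the same condition that shows up as a browser warning.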
That’s all there is to it!

6 comments:
Thanks for the clear explanation.
Unfortunately the process appears to be broken for domains where the company/organisation name isn't the second level of the domain name.
e.g. if my domain is contoso.co.uk, and this is entered as the domain I own, when I get to the set up the SSL certificate page, the process offers contoso.co.uk as the hostname for the certificate generation. The only way to get remote.contoso.co.uk is to click on the Advanced button, and then enter the host as remote.contoso (if you only enter remote, it returns to the wizard as remote.co.uk).
Once you have generated the certificate request, got the certificate, and completed the wizard, the completion page shows that you can now connect to https://co.uk for remote access.
As far as I can see, the wizard doesn't assign the FQDN as a host header on the default website, so this doesn't make a difference to remote access as remote.contoso.co.uk still works, but it does make the process unnecessarily unintuitive.
Hope this feedback is of some help
It also appears that using the wizard to do the manual certificate installation doesn't assign the third-party SSL certificate to the RDGateway service.
This can be fixed using the Repair option under the Remote Web Access section of Server Settings from the Dashboard.
John
I have a domain (mycompanyname.ltd.uk) which SBS Essentials says is not a valid domain name. How can I use this domain with remote access?
Alex, this is a good find, I'm coordinating a configuration update, I hope to see this working in the next few weeks.
Alex, can you please try the .ltd.uk domain again? My understanding is it's been fixed and should work fine now.
I am having a similar problem. I am trying to set my site up with a subdomain sub.company.com. I have all of the updates installed but SBSE2011 is telling me that the domain is invalid.