Friday, June 17, 2011

How to Manually Configure SBS 2011 Essentials Internet Domain Name

Back in SBS 2003 timeframe, having an Internet domain name for remote access to your server started to become more and more essential. With the SBS 2008 product, we added the ability to work with domain partners directly inside of the product to obtain that domain name, and also configure it. This same methodology was moved to SBS 2011 Standard product, and with the birth of Essentials, only later this year, we added the ability to also get your SSL Certificate as part of this process. Moving away from the self-issued certificate, which while can be configured correctly to work, causes a lot of work pushing the root certificate around to all the remote PCs and devices that possible connect to the server.

I believe the best path to success for you is to have your domain with one of our domain partners, because the alerts are integrated, and the solution is simple to set up, and you don’t need any additional components like 3rd party Dynamic DNS clients or static IP addresses from your Internet Service Provider (ISP). It’s a built in Dynamic DNS client, that’s been completely tested by both our 3rd party vendors as well as the Microsoft test team.

However, if you must manually configure your domain name, In SBS 2011 Essentials, the path of manually configuring your domain name is more hidden, and I wanted to share with you how to do this. First off, your domain name cannot be with GoDaddy or eNom if you want to manually configure your domain name. We optimize for the automated cases as mentioned above. So let’s get started in manually configuring our domain name.

  1. Open the Server Dashboard and click on the Server Settings link
  2. On the Remote Web Access tab, select Turn On

Server Settings

  1. Choose to configure the router, or skip the router configuration. If your router does not support the UPnP based configuration protocol, or you have and want UPnP disabled; it’s recommended that you skip the router configuration. If this is the case, you should
    1. Create a DHCP reservation for your server in your router’s DHCP server (or other DHCP server on the network) such that your server gets the same IP address every time.
    2. Open at a minimum port 443 from the Internet to the router using the TCP protocol (UDP is not needed). If you do not wish to educate users to type in https://, then you should also open port 80 to the same internal IP address. The server will automatically redirect http:// requests to the secured by SSL https:// URLs
  2. When you have finished the router configuration portion of remote access, you should choose to Set up your domain name.
  3. Click Next on the Getting started page of the wizard
  4. When manually configuring a domain name, the server assumes you already own it. Thus in the Do you own a domain name page of the wizard, select I want to use a domain I already own and type in the name of the domain, eg. Contoso.com.
    1. Note: if your domain name is with eNom Central or GoDaddy, you’ll be asked to use that service instead of manually configuring your domain name.
  5. On the following page, select Set up my domain name manually, and click Next.
  6. On the following page, you will be shown a help topic on how to set up your domain name manually by clicking the I want to set up my domain name manually link.
  7. Outside of the wizard, to setup your domain name, you’ll have to log into your domain name provider and make the following changes:
    1. Create an A record called “remote” (if you choose to use remote.contoso.com) that points to the static IP address of your server
    2. Ensure that your IP address from your ISV is static (doesn’t change). If this is not an option, you can look into a 3rd party dynamic DNS solution and ensure that that’s updated. If you go with the Dynamic DNS option, then (a) above should probably be a CNAME to the URL provided by the Dynamic DNS company.
  8. Once you have completed the above step, confirm that your domain is set up, check the box and click Next.
  9. Next you will need to have a certificate for your domain name. This certificate will secure web traffic to your domain. It’s VERY important that the certificate name (remote.contoso.com) matches the A record you created above. Without a match, your users will get a certificate warning (you can change the “remote” using the Advanced button:

Set up a Trusted SSL Certificate

  1. This generates a certificate request. You’ll have to find a certificate provider (Both GoDaddy and eNom Central offer low cost certificates for use) and follow their instructions on how to get a certificate. They will need the certificate request string shown in the wizard below. To copy this into a webpage, simply press the Copy button and paste it into the certificate providers webpage when asked.

Generate a certificate request

  1. Most inexpensive certificates are issued immediately, but if you live in a country that doesn’t do this, or you purchased a higher end certificate, you might have to wait. I do want to take a second and tell you that yes, you do only need the cheapest of certificates. The SBS team has gone to a great deal of effort to ensure that you only need the cheapest security aspect, with no multi-name or wildcard certificates needed. If you choose to upgrade, it should be for another reason than those mentioned. So if your provider needs more time, just tell the wizard and follow the instructions

SSL Certificate request in progress

  1. Once you have the certificate string, or file, you’ll have to import that into the server using the next page of the wizard:

Import the trusted certificate

  1. Now you’re finished, and your domain name is set up.

You know you’re correct when on a computer outside of your network you type in NSLOOKUP remote.contoso.com (replacing your domain name here) and it returns the static IP address of the external IP of the router (the one your ISP gives you), and that when you browse to http://remote.contoso.com/remote, that you don’t get a certificate warning when the logon page comes up. This ensures you have both the router port 443 forwarded correctly, and that the certificate is installed correctly. Additionally, all the errors in your dashboard should disappear, if they were there in the first place (this can take up to 30 minutes for these alerts to clear)

That’s all there is to it!


15 comments:

John Murdoch said...

Thanks for the clear explanation.

Unfortunately the process appears to be broken for domains where the company/organisation name isn't the second level of the domain name.

e.g. if my domain is contoso.co.uk, and this is entered as the domain I own, when I get to the set up the SSL certificate page, the process offers contoso.co.uk as the hostname for the certificate generation. The only way to get remote.contoso.co.uk is to click on the Advanced button, and then enter the host as remote.contoso (if you only enter remote, it returns to the wizard as remote.co.uk).

Once you have generated the certificate request, got the certificate, and completed the wizard, the completion page shows that you can now connect to https://co.uk for remote access.

As far as I can see, the wizard doesn't assign the FQDN as a host header on the default website, so this doesn't make a difference to remote access as remote.contoso.co.uk still works, but it does make the process unnecessarily unintuitive.

Hope this feedback is of some help

John Murdoch said...

It also appears that using the wizard to do the manual certificate installation doesn't assign the third-party SSL certificate to the RDGateway service.

This can be fixed using the Repair option under the Remote Web Access section of Server Settings from the Dashboard.

John

Alex Roebuck said...

I have a domain (mycompanyname.ltd.uk) which SBS Essentials says is not a valid domain name. How can I use this domain with remote access?

Sean Daniel said...

Alex, this is a good find, I'm coordinating a configuration update, I hope to see this working in the next few weeks.

Sean Daniel said...

Alex, can you please try the .ltd.uk domain again? My understanding is it's been fixed and should work fine now.

tallygeek said...

I am having a similar problem. I am trying to set my site up with a subdomain sub.company.com. I ahve all of the updates installed but SBSE2011 is telling me that the domain is invalid.

boma23 said...

I'm having a lot of issues with Network Solutions' certificates, which have been provided in .CRT as opposed to MS' .cer format - I cannot seem to find a clear way to either import these directly or convert them, without losing the trusted authority path info.

Sean Daniel said...

You can either
(1) try to use the native tools, or (2) request that they send you a new version as a .cer, most providers will re-issue in this format.

David_PIM said...

Sean,

I am having a seemingly unique problem trying to manual setup my domain using the SBS 2011 Esentials wizard.

I have read many forums as a well as contacted my domain provider (namecheap). We are stuck. Here is where I am.

I am trying to configure my domain, but cannot. Using the configure domain Wizard I enter my domain. The wizard runs a check and displays that is it provided by eNomCentral, great a Microsoft partner this should be easy....not. The domain was purchased and managed through namecheap, a eNom re-seller. So where does that leave me. I can not A) continue installation using the automatic process becuase I don't not have a user name and password associated with eNomCentral, nor B) continue with the manual installation because that option does not appear because the domain is "provided by eNom."
Any suggestions, would get greatly appreciated.

Sean Daniel said...

Ah, this means that namecheap uses eNom as their back-end. I suggest creating a connect issue (http://connect.microsoft.com/sbs) as the team will have to contact enom to not respond to those.

Anonymous said...

David_PIM,

The correct link for leaving feedback on Windows Server 2012 Essentials seems to be:
https://connect.microsoft.com/WindowsServer/program7658

Jerry Corcoran said...

RWA and SBS 2011 is working. However, now I need to change the WAN IP for the SBS server (I need the interface IP for another purpose). When I change the A record at GoDaddy, it gets changed back, presumably by the SBS server. How can I stop the server from updating GoDaddy? Or to update GoDaddy with the new IP address?

Sean Daniel said...

The WAN IP of the SBS server is automatically determined. Do you have two WAN IP addresses and you want it to be the second one? My recommendation is to configure your domain manually instead of using the automated domain configuration

Crys Bodie said...

I keep getting "Critical Error - Can not connect to remote web access. contact server manager. " I am the server manager and I can't for the life of me figure this thing out.

Sean Daniel said...

Kind of need more detail, are you getting this inside your network (could be normal if you're router blocks traffic from inside to it's outside port. If you're outside, I'm not sure what's going on, did you set up your port forwarding correctly?