Moving Remote Web Workplace off Default Web Site

Is there a procedure for moving Remote Web Workplace to its own
website, instead of (or in addition to) its regular place on the
Default Web Site?

I already do this for Outlook Web Access on several clients' Standard
and Regular 2k3 Servers. From a security standpoint, things are
greatly simplified by segregating off just what I want to expose to
the Internet at the Site level, rather than trying to filter access by
permissions within the Site or by an application layer proxy.

Remote Desktop functionality is what I'm after for now, so if this
breaks Sharepoint integration that will be fine.

(E-Mail Removed) wrote:
> Is there a procedure for moving Remote Web Workplace to its own
> website, instead of (or in addition to) its regular place on the
> Default Web Site?
>
> I already do this for Outlook Web Access on several clients' Standard
> and Regular 2k3 Servers. From a security standpoint, things are
> greatly simplified by segregating off just what I want to expose to
> the Internet at the Site level, rather than trying to filter access by
> permissions within the Site or by an application layer proxy.
>
> Remote Desktop functionality is what I'm after for now, so if this
> breaks Sharepoint integration that will be fine.

I wouldn't dream of trying it. You're likely to break something badly. SBS
is tightly integrated, and RWW *is* Sharepoint.

SBS will get mad at you if you aren't careful with it. Secure access via a
decent firewall product & even look into two factor authentication if you're
very concerned about this.

On Mar 4, 12:21 pm, "Lanwench [MVP - Exchange]"
<lanwe...@heybuddy.donotsendme.unsolicitedmailatya hoo.com> wrote:
> infiniteb...@yahoo.com wrote:
> > Is there a procedure for moving Remote Web Workplace to its own
> > website, instead of (or in addition to) its regular place on the
> > Default Web Site?
>
> > I already do this for Outlook Web Access on several clients' Standard
> > and Regular 2k3 Servers. From a security standpoint, things are
> > greatly simplified by segregating off just what I want to expose to
> > the Internet at the Site level, rather than trying to filter access by
> > permissions within the Site or by an application layer proxy.
>
> > Remote Desktop functionality is what I'm after for now, so if this
> > breaks Sharepoint integration that will be fine.
>
> I wouldn't dream of trying it. You're likely to break something badly. SBS
> is tightly integrated, and RWW *is* Sharepoint.
>
> SBS will get mad at you if you aren't careful with it. Secure access via a
> decent firewall product & even look into two factor authentication if you're
> very concerned about this.

Thanks for the reply. It isn't authentication I'm concerned about.
(Well, maybe a little but that is something to address later.) The
idea of exposing the Default Web Site to the world, then trying to
filter that access with a second layer -- a firewall e.g. -- is just
fundamentally much less secure than only exposing the Remote Web
Workplace virtual director[y/ies] in the first place.

On one of the servers, I see Certificate Services and Update Services
in addition to RWW and OWA on the default site. Beyond Microsoft
services, other programs sometimes install to the default site. This
is why I move OWA and its required virtual directories off to its own
site. If I don't, the possible attack or information disclosure
surface is far larger than it needs to be.

If there is a way to do it, I'd like to give it a shot. Or if anyone
knows of another product that can securely manage Remote Desktop
connections to individual workstations.

(E-Mail Removed) wrote:
> On Mar 4, 12:21 pm, "Lanwench [MVP - Exchange]"
> <lanwe...@heybuddy.donotsendme.unsolicitedmailatya hoo.com> wrote:
>> infiniteb...@yahoo.com wrote:
>>> Is there a procedure for moving Remote Web Workplace to its own
>>> website, instead of (or in addition to) its regular place on the
>>> Default Web Site?
>>
>>> I already do this for Outlook Web Access on several clients'
>>> Standard and Regular 2k3 Servers. From a security standpoint,
>>> things are greatly simplified by segregating off just what I want
>>> to expose to the Internet at the Site level, rather than trying to
>>> filter access by permissions within the Site or by an application
>>> layer proxy.
>>
>>> Remote Desktop functionality is what I'm after for now, so if this
>>> breaks Sharepoint integration that will be fine.
>>
>> I wouldn't dream of trying it. You're likely to break something
>> badly. SBS is tightly integrated, and RWW *is* Sharepoint.
>>
>> SBS will get mad at you if you aren't careful with it. Secure access
>> via a decent firewall product & even look into two factor
>> authentication if you're very concerned about this.
>
> Thanks for the reply. It isn't authentication I'm concerned about.
> (Well, maybe a little but that is something to address later.) The
> idea of exposing the Default Web Site to the world, then trying to
> filter that access with a second layer -- a firewall e.g. -- is just
> fundamentally much less secure than only exposing the Remote Web
> Workplace virtual director[y/ies] in the first place.

I think using & exposing IIS at all is already asking for ttrouble, but the
functionality is just too useful to not do so. I also tend to take the
attitude of "if it works, don't __ with it" - and I use good firewall
products & reveiew the logs.
>
> On one of the servers, I see Certificate Services and Update Services
> in addition to RWW and OWA on the default site.

Yes.

> Beyond Microsoft
> services, other programs sometimes install to the default site. This
> is why I move OWA and its required virtual directories off to its own
> site. If I don't, the possible attack or information disclosure
> surface is far larger than it needs to be.
>
> If there is a way to do it, I'd like to give it a shot. Or if anyone
> knows of another product that can securely manage Remote Desktop
> connections to individual workstations.


Hmmm. Well, presuming you aren't using ISA, you could try an SSL VPN
appliance such as the SonicWALL series. Regardless, I suggest you post SBS
questions in microsoft.public.windows.server.sbs. The product suite does
many things its own way and you shouldn't generally try to apply
enterprise-level techniques to it. Perhaps someone in that group will have
more expert advice.

<(E-Mail Removed)> wrote in message
news:35d36ea1-51e6-4f8b-b908-(E-Mail Removed)...
> On Mar 4, 12:21 pm, "Lanwench [MVP - Exchange]"
> <lanwe...@heybuddy.donotsendme.unsolicitedmailatya hoo.com> wrote:
>> infiniteb...@yahoo.com wrote:
>> > Is there a procedure for moving Remote Web Workplace to its own
>> > website, instead of (or in addition to) its regular place on the
>> > Default Web Site?
>>
>> > I already do this for Outlook Web Access on several clients' Standard
>> > and Regular 2k3 Servers. From a security standpoint, things are
>> > greatly simplified by segregating off just what I want to expose to
>> > the Internet at the Site level, rather than trying to filter access by
>> > permissions within the Site or by an application layer proxy.
>>
>> > Remote Desktop functionality is what I'm after for now, so if this
>> > breaks Sharepoint integration that will be fine.
>>
>> I wouldn't dream of trying it. You're likely to break something badly.
>> SBS
>> is tightly integrated, and RWW *is* Sharepoint.
>>
>> SBS will get mad at you if you aren't careful with it. Secure access via
>> a
>> decent firewall product & even look into two factor authentication if
>> you're
>> very concerned about this.
>
> Thanks for the reply. It isn't authentication I'm concerned about.
> (Well, maybe a little but that is something to address later.) The
> idea of exposing the Default Web Site to the world, then trying to
> filter that access with a second layer -- a firewall e.g. -- is just
> fundamentally much less secure than only exposing the Remote Web
> Workplace virtual director[y/ies] in the first place.

why don't you just, in IIS, set the default website to redirect to the RWW
URL?

geek-y-guy <(E-Mail Removed)> wrote:
> <(E-Mail Removed)> wrote in message
> news:35d36ea1-51e6-4f8b-b908-(E-Mail Removed)...
>> On Mar 4, 12:21 pm, "Lanwench [MVP - Exchange]"
>> <lanwe...@heybuddy.donotsendme.unsolicitedmailatya hoo.com> wrote:
>>> infiniteb...@yahoo.com wrote:
>>>> Is there a procedure for moving Remote Web Workplace to its own
>>>> website, instead of (or in addition to) its regular place on the
>>>> Default Web Site?
>>>
>>>> I already do this for Outlook Web Access on several clients'
>>>> Standard and Regular 2k3 Servers. From a security standpoint,
>>>> things are greatly simplified by segregating off just what I want
>>>> to expose to the Internet at the Site level, rather than trying to
>>>> filter access by permissions within the Site or by an application
>>>> layer proxy.
>>>
>>>> Remote Desktop functionality is what I'm after for now, so if this
>>>> breaks Sharepoint integration that will be fine.
>>>
>>> I wouldn't dream of trying it. You're likely to break something
>>> badly. SBS
>>> is tightly integrated, and RWW *is* Sharepoint.
>>>
>>> SBS will get mad at you if you aren't careful with it. Secure
>>> access via a
>>> decent firewall product & even look into two factor authentication
>>> if you're
>>> very concerned about this.
>>
>> Thanks for the reply. It isn't authentication I'm concerned about.
>> (Well, maybe a little but that is something to address later.) The
>> idea of exposing the Default Web Site to the world, then trying to
>> filter that access with a second layer -- a firewall e.g. -- is just
>> fundamentally much less secure than only exposing the Remote Web
>> Workplace virtual director[y/ies] in the first place.
>
> why don't you just, in IIS, set the default website to redirect to
> the RWW URL?

Because if you do anything like this in SBS you will end up with problems.