Monthly Archives: September 2010





1. Installing IIS6 FTP on Windows Server 2003:

If using the new style Start menu: Click on “Start”,
“Control Panel”, “Add or Remove Programs”
and select the “Add/Remove Windows Components”
tab on the left-hand side.

If using the "Classic" style Start menu: Click
on “Start”, “Settings”, “Control
Panel”, “Add or Remove Programs” and
select the “Add/Remove Windows Components”
tab on the left-hand side.

In the “Windows Components Wizard”, highlight
the “Application Server” and press the “Details”
button. The screen below will be displayed (Fig 1).

Figure 1 – The Application Server Screen

Highlight the “Internet Information
Services (IIS)” option and press “Details”
(as shown in Fig 1 above).

Figure 2 – The Internet Information Services (IIS) Screen

On the next screen (Fig 2 above) we highlight
“File Transfer Protocol (FTP) Service”.

Click “OK” to close each window
and “Next” to install the newly-selected
components. You will be asked to insert your Windows
Server 2003 disk. Click “Finish” once the
installation is complete.

You have now installed the FTP service.



Figure 3 – Setting up your FTP Root Directory

2. The FTP Root Directory

In order to use FTP in "Isolation" mode, we
need to construct the FTP Root so that users are "Dropped"
into their correct home directory.

The structure illustrated above (Figure 3) contains two subdirectories,
"localuser" and my domain "simongibson", which in turn contain
a home directory for each user. These user sub-directories must match
their respective usernames exactly; if not, the user will not be able
to log on to your FTP server.

Create the directory structure above to match your configuration.
The "FTPRoot" directory can be placed anywhere
on your system.
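As an added example (not part of the original post), the following PowerShell script builds the directory layout described in Step 2 and adds NTFS permissions so that each home directory is readable only by its owner. The root path, account names and domain name are placeholders; run it as an administrator on the FTP server.

```powershell
# Added example (not from the original post): create the "Isolate users" layout
# under the FTP root and lock each home directory down with NTFS permissions.
# Assumptions: the root path, account names and the domain name are placeholders;
# run it as an administrator on the FTP server.
$FtpRoot = 'D:\FTPRoot'
# Each entry is "<container>\<username>". Local accounts live under "LocalUser";
# domain accounts under a folder named exactly like the NetBIOS domain. The
# directory name must match the account name exactly or the logon fails.
$Homes = @('LocalUser\alice', 'SIMONGIBSON\bob')

function New-FtpIsolationHome {
    param([string]$Root, [string]$RelativePath)
    $parts     = $RelativePath.Split('\')
    $container = $parts[0]
    $user      = $parts[1]
    $home      = Join-Path (Join-Path $Root $container) $user
    if (-not (Test-Path $home)) { New-Item -ItemType Directory -Path $home | Out-Null }

    # Identity used in the ACL: "LocalUser" means a local account on this machine,
    # any other container is taken to be a NetBIOS domain name.
    if ($container -eq 'LocalUser') { $identity = "$env:COMPUTERNAME\$user" }
    else                            { $identity = "$container\$user" }

    # Isolation mode only stops FTP navigation above the home directory; NTFS is
    # what actually keeps one user out of another's files. Stop inheriting the
    # root's ACL and grant access to the owner, Administrators and SYSTEM only.
    $acl = Get-Acl -Path $home
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $grants  = @(
        @($identity,                'Modify'),
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl')
    )
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($g[0], $g[1], $inherit, $none, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $home -AclObject $acl
    return $home
}

foreach ($h in $Homes) { New-FtpIsolationHome -Root $FtpRoot -RelativePath $h }
```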



Figure 4 – Where to find the IIS Manager

3. Where to find the IIS Manager:

If you are using the new style Start menu, you can reach
the Internet Information Services console by clicking
“Start”, “Administrative Tools”
and selecting “Internet Information Services (IIS)
Manager” from the list in figure 4 above.

If you are using the “Classic” style Start
Menu, you can reach the console by clicking “Start”,
“Programs”, “Administrative Tools”
and select “Internet Information Services (IIS)
Manager” from the list in figure 4 above.



Figure 5 – Removing the Default FTP Site in

4. Removing the Default FTP Site in IIS 6:

The first task is to remove (delete) the Default FTP
Site. This site does not use Isolation and matches IIS5
FTP sites in terms of functionality and security. As
we are going to use Isolation, we will need to create
a fresh FTP site.

Simply right-click on the Default FTP Site and press
"Delete" in the menu that appears.



Figure 6 – Creating a fresh FTP Site in IIS.

5. Creating a fresh FTP site:

To create a new FTP site, simply right-click on "FTP
Sites" and select "New" and "FTP
Site…". Then, press "Next" to begin
the FTP Site Creation Wizard.



Figure 7 – FTP Site Creation Wizard: FTP Site

6. FTP Site Creation Wizard: FTP Site Description

This is the name that will appear in the "FTP Sites"
list in IIS. I’m going to use my imagination and call
this site "FTP".

Click Next.



Figure 8 – FTP Site Creation Wizard: IP Address and Port Settings

7. FTP Site Creation Wizard: IP Address and Port Settings

Simply select your server’s IP address from the list
(this is usually the only one listed).

You can also change the TCP Port if required but this
is not recommended.

Click Next.



Figure 9 – FTP Site Creation Wizard: FTP User

8. FTP Site Creation Wizard: FTP User Isolation

This screen allows you to choose the type of Isolation
you want to use:

"Do not isolate users"
Although this option allows users to be "dropped"
into their own home directory (if one exists under the
FTP root that exactly matches their username), it’s
NOT able to stop them moving up out of their directory
and into those belonging to other users.

"Isolate users"
This option Isolates users based on the directory structure
under the FTP root directory (see Step 2). This is the
easiest of the two Isolation methods and the method
we will use in this tutorial.

"Isolate users using Active Directory"
This option isolates users by reading their "FTP
Home Directory" from Active Directory. The
advantage is that new users can be added without
modifying your FTP site. However, the "FTP
Home Directory" cannot be entered using the Active
Directory snap-in and must be configured from the command
line using a VBScript utility.

As shown in Figure 9 above, select "Isolate Users"
and press "Next".



Figure 10 – FTP Site Creation Wizard: FTP Site Content Directory

9. FTP Site Creation Wizard: FTP Site Content

This step defines the FTP Root directory. Select the
FTP Root directory you created in Step 2 (Figure 3).



Figure 11 – FTP Site Creation Wizard: FTP Site Access Permissions

10. FTP Site Creation Wizard: FTP Site Access

This step allows you to define read or write access
for your FTP site. In this case, I intend to allow files
to be uploaded so I’ve ticked the "Write"

Click Next then click Finish to complete the Wizard.

Your FTP Site is now ready for use. To test it, simply
open Internet Explorer and enter the URL
(or your Server’s IP address if different). You should
then log in and be automatically "Dropped"
into your home directory.


How to configure Active Directory FTP User Isolation Mode (IIS 6.0) on SBS 2008

FTP is an older protocol which has been replaced by better methods of hosting files. FTP is also insecure: your username and password are sent in clear text, which poses a major security risk. As better alternatives to FTP, consider using a secure SharePoint site, a secured website, or Secure FTP to host and share files. However, if you have no choice but to use FTP and need to isolate users, continue reading.

IIS 6.0 introduced a feature for companies hosting an FTP site on their server to isolate users so they are "locked" into their home directory and cannot browse the root of the FTP server. There are two ways of accomplishing this with user isolation: one method isolates users by creating a folder structure containing their usernames, and the other uses Active Directory attributes to isolate the user(s). Here are the steps for configuring AD Isolation mode.

1. Install the FTP Service from add/remove windows components.

2. Open IIS Manager

3. Delete the Default FTP Site as it does not get created in isolation mode by default

4. Create a New FTP Site by right clicking FTP Sites and going to new FTP Site


5. This will launch the FTP Site Creation Wizard, Click Next

6. Enter a Description for Your FTP Site


7. Set the IP address and Port to use for your FTP Site

*note if you have ISA 2000/2004 installed on this server do not select All Unassigned, select the internal IP address only.


8. Next screen will be the FTP User Isolation options, Select Isolate users using Active Directory


9. Next you will need to select a User that has Access to Active Directory, any domain admin account will suffice. Click Next and re-enter password to Confirm


10. Select the required Permissions and click Next and then Click Finish


11. The IIS portion is now finished and now on to AD.

12. There are 2 schema attributes in AD, residing in the User class, that allow us to define the user's home directory for FTP. They are msIIS-FTPRoot, which defines the root of the FTP server, and msIIS-FTPDir, which defines the user's home directory. The problem is that there is no GUI to define these attributes, so for the purpose of this demonstration I will use ADSIEDIT from the Support Tools to modify them; however, you can also run the script below to do it:

Iisftp.vbs /SetADProp UserName FTPRoot ServerShare

Iisftp.vbs /SetADProp UserName FTPDir Directory

13. Open ADSIEDIT, drill down to the user account you want to isolate, open the properties of that account and modify the 2 attributes mentioned above.


14. Now whenever that user connects to your FTP server the user will be isolated to the Home Directory that was defined in Active Directory.
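As an added example (not part of the original post), this PowerShell script writes and verifies the same two attributes that iisftp.vbs /SetADProp sets, using ADSI. The user DN, share path and folder name are placeholders; run it as a domain administrator on the SBS server.

```powershell
# Added example, not from the original post: set and read back the two attributes
# iisftp.vbs /SetADProp writes, using ADSI from PowerShell. The DN, share and
# folder name are placeholders; run it as a domain admin on the SBS server.
$UserDn  = 'CN=Bob Example,CN=Users,DC=contoso,DC=local'  # placeholder DN of the user
$FtpRoot = '\\SBSSERVER\FTPRoot'                           # msIIS-FTPRoot: UNC path of the FTP root share
$FtpDir  = 'bob'                                           # msIIS-FTPDir: folder under that root

function Set-FtpIsolationAttributes {
    param([string]$Dn, [string]$Root, [string]$Dir)
    $user = [ADSI]"LDAP://$Dn"
    $user.Put('msIIS-FTPRoot', $Root)
    $user.Put('msIIS-FTPDir',  $Dir)
    $user.SetInfo()                                  # commit to Active Directory
}

function Get-FtpIsolationAttributes {
    param([string]$Dn)
    $user = [ADSI]"LDAP://$Dn"
    $user.RefreshCache()
    # .Value is $null when the attribute has never been set on this object
    return @{
        Root = $user.Properties['msIIS-FTPRoot'].Value
        Dir  = $user.Properties['msIIS-FTPDir'].Value
        Sam  = $user.Properties['sAMAccountName'].Value
    }
}

function Test-FtpIsolationAttributes {
    param([string]$Dn)
    $a = Get-FtpIsolationAttributes -Dn $Dn
    $problems = @()
    if (-not $a.Root) { $problems += 'msIIS-FTPRoot is not set; the user cannot log on in AD isolation mode' }
    if (-not $a.Dir)  { $problems += 'msIIS-FTPDir is not set; the user cannot log on in AD isolation mode' }
    if ($a.Root -and $a.Dir) {
        # The folder must already exist on the share; IIS does not create it.
        $homePath = Join-Path $a.Root $a.Dir
        if (-not (Test-Path $homePath)) { $problems += "home directory $homePath does not exist" }
        # Not an error in AD mode, but worth a second look: a home folder named
        # after a different account is easy to get wrong when copying settings.
        if ($a.Dir -ne $a.Sam) { $problems += "note: msIIS-FTPDir '$($a.Dir)' differs from sAMAccountName '$($a.Sam)'" }
    }
    return $problems
}

Set-FtpIsolationAttributes -Dn $UserDn -Root $FtpRoot -Dir $FtpDir
Test-FtpIsolationAttributes -Dn $UserDn     # empty output means nothing to fix
```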


Common Remote Web Workplace (RWW) Connect to a Computer Issues in SBS 2008
The connect to a computer feature in SBS 2008 is one of the most popular features of RWW. The connect to a computer feature in SBS 2008 utilizes TS-Gateway behind the scenes, however, when there is a misconfiguration or a problem, RWW may only provide partial information to help isolate the root issue. This post will discuss most of the known issues, how to identify them and steps to resolve them.

What we will cover:

  1. Receiving Certificate Errors When Connecting to Clients/Servers with TS Gateway or Remote Web Workplace on SBS 2008
  2. VBScript Error: 50331676
  3. Connection Authorization Policies and Resource Authorization Policies.
  4. Authentication Failures
  5. Client Machine Requirements
  6. Internal DNS Considerations
  7. External DNS Considerations
  8. TS Gateway Service Known Issues

1.  Receiving Certificate Errors When Connecting to Clients/Servers with TS Gateway or Remote Web Workplace on SBS 2008

For certificate related errors, please review the issues discussed in this article:

2.  VBScript Error: 50331676

When you try to connect to a server or machine you get the following error:


You must have a certificate installed in TS Gateway Manager. This is handled by the “Set up your Internet Address Wizard” or the “Add a Trusted Certificate Wizard” in the SBS 2008 Console. To verify you have a certificate installed for TS Gateway do the following:

  1. Open TS Gateway Manager from Administrative Tools — Terminal Services
  2. Select Properties on the Server Object, and choose the SSL Certificate tab from within properties. You should see a screen similar to the one below stating which certificate TS Gateway is using.


As stated before, you should not see this problem if you have completed the Internet Address Management Wizard. If for any reason no certificate is selected, make sure you click on Browse Certificates and select the proper certificate, for example “”.

3.  Connection Authorization Policies and Resource Authorization Policies.

You must pass the connection authorization policy to make a connection, and the resource authorization policy for the machine you are trying to connect to. This error may also display the VBSCRIPT error 50331676.

We have seen a few cases where the connection authorization policy was modified manually to only allow domain computers to make connections. This means that any machine outside the domain (e.g. their home machine) would not be able to connect. This is shown below. To access this policy:

  1. Open TS Gateway Manager from Administrative Tools – Terminal Services
  2. Expand your computer object
  3. Expand Policies
  4. Select Connection Authorization Policies
  5. Right-Click on the General Connection Authorization policy on the right hand side and choose properties
  6. Make sure the Client computer group membership is blank if you want non-domain joined machines to be able to use the RWW Connect To Computer feature.


4.  Authentication Failures

You must have Windows Authentication enabled on the IIS /RPC virtual directory under the SBS Web Applications web site. If it is missing, you will see a looping prompt for authentication when you try to connect.

Since both Outlook Anywhere and TS Gateway share this virtual directory, modifying the authentication settings for Outlook Anywhere in the Exchange Management Console can disable Windows Authentication. To make sure Windows Authentication is enabled, run the following command in the Exchange Management Shell (Run as administrator):


(Ignore the warning)

Check the value for the IISAuthenticationMethods Parameter.


You can also check in IIS Manager under the RPC virtual directory, authentication.


Changing the authentication here may only help for a few minutes as Exchange will reset the settings again. You need to complete the proper Exchange configuration steps to resolve this.

If the output of the Exchange Management Shell shows that you are missing NTLM, you need to reset the Exchange setting for Outlook Anywhere. From the Exchange Management Shell (Run as administrator), run the following command (ignore the warning):

Get-OutlookAnywhere | Set-OutlookAnywhere -IISAuthenticationMethods Basic,NTLM

After you make this change, the settings in IIS will not change immediately; it might take up to 15 minutes. You can safely make the change in IIS, under the authentication settings for RPC, to enable Windows Authentication and Basic Authentication, and they should remain set as expected.

If you still cannot authenticate to the TS gateway prompt, the following resources discuss some known issues:

5.  Client Machine Requirements

The client machine you are trying to connect to must have RDP enabled and listening on the default port of 3389. You must also verify that any firewalls present on the workstation are allowing the traffic inbound on TCP/3389.  Additionally, the client machine you are making the connection from must allow the ActiveX Control to run.  The easiest way to ensure that ActiveX will be enabled is by adding your remote web workplace site to your list of trusted sites in Internet Explorer.

6.  Internal DNS Considerations

You might connect to an unexpected machine when trying to connect to the remote machine.  If this happens you should verify that the DNS records for the clients on the SBS 2008 server hosting RWW are correct.  To do this open the DNS Management console from Start, Administrative Tools, DNS.  Expand the forward lookup zones, and your local active directory zone.  Verify that the host (A) records for the clients are correct.

7.  External DNS Considerations

The hostname section of the PTR record for the remote client machine’s public IP address cannot match the NetBIOS hostname of the SBS 2008 server. If these names match the RWW will not use TS proxy and the connection will fail or connect to an unexpected target.

The only fix is to change the PTR record for the client PC's external IP address.

Example: Suppose you are using a Windows Vista machine on the Internet. The public IP for this client is 65.53.x.x. The PTR record for this IP is If the SBS 2008 server this machine is trying to connect to has a NetBIOS hostname of Server01, the connection will fail. Ideally your PTR record should match your MX record and your MX record should not be the NetBIOS hostname of your server.

Note: This is a very RARE issue.
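As an added example (not part of the original post), this PowerShell function performs the PTR comparison described above: it looks up the reverse name of the client's public IP address and reports whether its host label collides with the SBS server's NetBIOS name. The IP address is a constructed placeholder; the server name defaults to the machine the script runs on.

```powershell
# Added example, not from the original post: check whether the reverse (PTR) name
# of a client's public IP address collides with the SBS server's NetBIOS name,
# the rare failure described in section 7. The IP address is a constructed
# placeholder; the server name defaults to the machine the script runs on.
function Get-PtrHostName {
    param([string]$Ip)
    $name = $null
    trap { continue }                 # no PTR record: the lookup throws and $name stays $null
    $name = [System.Net.Dns]::GetHostEntry($Ip).HostName
    return $name
}

function Test-RwwPtrConflict {
    param([string]$ClientIp, [string]$ServerName = $env:COMPUTERNAME)
    $ptr = Get-PtrHostName -Ip $ClientIp
    if ((-not $ptr) -or ($ptr -eq $ClientIp)) {
        return @{ ClientIp = $ClientIp; Ptr = $null; Conflict = $false; Note = 'no PTR record; this issue cannot occur' }
    }
    # Only the host label of the PTR name matters: "server01.isp.example" vs "SERVER01".
    $label    = $ptr.Split('.')[0]
    $conflict = ($label -eq $ServerName)    # PowerShell string comparison is case-insensitive
    $note = 'ok: PTR host label differs from the server name'
    if ($conflict) {
        $note = "PTR host label '$label' matches the SBS NetBIOS name; RWW will not use the TS Gateway proxy. Have the PTR record for $ClientIp changed."
    }
    return @{ ClientIp = $ClientIp; Ptr = $ptr; Conflict = $conflict; Note = $note }
}

# Constructed example values: replace with the client's real public address and your server name.
Test-RwwPtrConflict -ClientIp '203.0.113.25' -ServerName 'Server01'
```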

8.  TS Gateway Service known issues

TS Gateway Service Not Started After Restart in IIS Manager.

This issue is discussed on this post:

"The Terminal Services Gateway service is not running. Contact your network administrator to resolve this issue." This error can happen due to a number of different issues other than the TS Gateway service not running or the role service not being installed.

  • If IPv6 has been improperly unbound from the network interface, you might get an error stating that the TS Gateway service is not installed. Check the following link for issues related to improperly disabling IPv6:
  • If Client certificates has been set to Accept or Require under the SSL settings on the Rpc virtual directory. This must be set to Ignore.
  • In general, this error will happen when we cannot properly access the /RPC virtual directory or its settings have been changed from the default.
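As an added example (not part of the original post), this PowerShell script audits the /RPC virtual directory for the two settings called out in sections 4 and 8: Windows Authentication (together with the Outlook Anywhere setting in Exchange that keeps overwriting it) and the SSL client-certificate flag that must be Ignore. It assumes an elevated Exchange Management Shell on the SBS 2008 server; the site name "SBS Web Applications" is the one on this page and appcmd.exe is the standard IIS 7 tool.

```powershell
# Added example, not from the original post: audit the /Rpc virtual directory of
# the SBS Web Applications site for the settings sections 4 and 8 call out.
# Assumes an elevated Exchange Management Shell on the SBS 2008 server.
$AppCmd  = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$RpcVDir = 'SBS Web Applications/Rpc'

function Get-RpcVDirSection {
    param([string]$Section)
    # appcmd prints the effective configuration of the section as XML text;
    # collapse it to one string so it can be matched with a regex.
    $lines = & $AppCmd list config $RpcVDir "/section:$Section"
    return [string]::Join("`n", [string[]]$lines)
}

function Test-RpcVDir {
    $findings = @()

    # 1. Exchange view: Outlook Anywhere authentication methods. If NTLM is
    #    missing here, Exchange strips Windows Authentication from /Rpc again
    #    within minutes, no matter what is set in IIS Manager.
    $methods = Get-OutlookAnywhere |
        ForEach-Object { $_.IISAuthenticationMethods } |
        ForEach-Object { "$_" }
    if ($methods -notcontains 'Ntlm') {
        $findings += 'Outlook Anywhere IISAuthenticationMethods lacks NTLM; run: Get-OutlookAnywhere | Set-OutlookAnywhere -IISAuthenticationMethods Basic,NTLM'
    }

    # 2. IIS view: Windows Authentication must be enabled on /Rpc, otherwise
    #    Connect to a Computer loops on the logon prompt.
    $winAuth = Get-RpcVDirSection 'system.webServer/security/authentication/windowsAuthentication'
    if ($winAuth -notmatch 'enabled="true"') {
        $findings += '/Rpc: Windows Authentication is not enabled'
    }

    # 3. IIS view: client certificates must be Ignore. appcmd shows Accept as
    #    SslNegotiateCert and Require as SslRequireCert in the sslFlags attribute;
    #    if neither appears, the setting is Ignore.
    $access = Get-RpcVDirSection 'system.webServer/security/access'
    if ($access -match 'SslNegotiateCert|SslRequireCert') {
        $findings += '/Rpc: SSL client certificates are set to Accept or Require; set them to Ignore or TS Gateway reports it is not running'
    }
    return $findings
}

Test-RpcVDir     # empty output means all three checks passed
```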


Receiving Certificate Errors When Connecting to Clients/Servers with TS Gateway or Remote Web Workplace on SBS 2008

Remote Desktop Disconnected

You may receive the following errors when attempting to access a client machine through the Remote Web Workplace (RWW) or the TS Gateway:


[To connect to Remote Web Workplace, you must install the proper certificate. Contact the person who provides technical support for your network.]

Likewise, connections to TS Gateway will fail as well. You will receive the following error:


[This computer can’t connect to the remote computer because the certificate authority that generated the Terminal Services Gateway server’s certificate is not valid.  Contact your network administrator for assistance.]

To determine whether you trust the certificate or not, browse to RWW from Internet Explorer. If it’s not trusted, you will receive the following error in IE:


Also, check for the certificate status to the right of the URL field:


Certificate Creation

When you complete the Internet Address Management Wizard for the first time, a certificate installation package is created for distribution to non domain-joined client machines and mobile devices. Details regarding this package can be found here:

NOTE: This package is not for installation on the SBS 2008 server

Connections to TS Gateway or Terminal Services through RWW will fail if either the certificate is not trusted, or the name on the certificate does not match the name of the server that you are connecting to.

Certificate Not Trusted

If you are receiving these errors, you need to install the root CA certificate from the SBS server by using the certificate installation package as described in:

Once the certificate is installed, you can view it in IE by going to Tools > Internet Options > Content > Certificates. You will also stop receiving certificate errors once you connect to RWW.


Certificate Name Does Not Match

Connections will also fail if you connect to TS Gateway or RWW using a different address than that on the certificate. In this case, you will receive the following error when you connect.

For RWW, you will receive these errors in IE:


If you check the certificate status to the right of the URL field, you’ll see this:


For TS Gateway, you will receive the following:


In either case, click on View certificates to show the Issued to name on the certificate. This is the name that you need to put into IE or the RDP client:


In the case of the above certificate, I would type to connect to RWW. For TS Gateway, I would connect in the following manner:


Certificate Has Expired

This issue can also occur if the SSL certificate has expired.  SBS 2008 self-signed leaf certificates are valid for 2 years and the root cert is valid for 5.  If your self-signed certificate has expired run the “Fix My Network” wizard from the Connectivity tab.  This wizard will automatically issue a new matching cert.  If you are using a trusted (purchased) certificate you will need to contact the cert issuer for a new cert and import it using the “Add a trusted certificate” wizard.


Wrong Version of Remote Desktop Connection

RWW and TS Gateway require that the connecting client have Remote Desktop Connection 6.1 or greater installed.   RDP 6.1 is included with XP SP 3, Windows 2008, and Vista SP 1. RDP 6.1 is available as a separate download for XP SP 2 (requires a reboot).

You can tell the version of the RDP client by looking at the version of C:\Windows\System32\mstsc.exe

  • 6.0.6001.18000 is RDP 6.1
  • 6.0.6000.16386 is RDP 6.0

NOTE: After installing SP3 for XP you may see the following error “Remote Desktop Web Connection ActiveX control is not installed. A connection cannot be made without a working installed version of the control.”  If you receive this error please review KB951607 for information on enabling the IE-add on to support RWW.

In Summary:

  1. For TS Gateway or RWW to function properly, you cannot receive any certificate errors when you connect.
  2. Your client machine must trust the Root CA certificate. Install the certificate installation package on the client to accomplish this. (This package is created by running the Internet Address Management Wizard.)
  3. You must connect to TS Gateway or RWW using the address listed on the Issued to field on the certificate.
  4. The certificate must NOT be expired.
  5. You must be running Remote Desktop Connection 6.1 on the client making the connection.
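As an added example (not part of the original post), this PowerShell script runs the client-side checks from the summary above: whether this machine trusts the RWW certificate under the address used, what the certificate says, and whether the installed RDP client is at least 6.1. The URL is a placeholder; the mstsc.exe version numbers are the ones listed above.

```powershell
# Added example, not from the original post: client-side checks for the RWW
# prerequisites listed in the summary. The URL is a placeholder; use the name
# from the certificate's "Issued to" field.
$RwwUrl = 'https://remote.example.com/remote'

function Test-RwwCertificate {
    param([string]$Url)
    $result = @{ Url = $Url; TlsOk = $false; Detail = ''; IssuedTo = $null; Expires = $null }
    $script:webStatus = $null
    # GetResponse throws on an untrusted chain, a name mismatch or an expired
    # certificate (all reported as TrustFailure) and on HTTP errors (ProtocolError).
    trap [System.Net.WebException] {
        $script:webStatus = $_.Exception.Status
        continue
    }
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method = 'HEAD'
    $resp = $req.GetResponse()
    if ($resp) { $resp.Close() }

    if (($script:webStatus -eq $null) -or ($script:webStatus -eq 'ProtocolError')) {
        # The TLS handshake succeeded; an HTTP 401/403 from the login page is fine.
        $result.TlsOk = $true
        $cert = $req.ServicePoint.Certificate
        if ($cert) {
            $result.IssuedTo = $cert.Subject
            $result.Expires  = $cert.GetExpirationDateString()
        }
        $result.Detail = 'certificate trusted, name matches and not expired'
    } elseif ($script:webStatus -eq 'TrustFailure') {
        $result.Detail = 'certificate not trusted, expired, or the address does not match the Issued to name: install the certificate package and connect using the name on the certificate'
    } else {
        $result.Detail = "connection failed before the certificate could be checked: $($script:webStatus)"
    }
    return $result
}

function Get-RdpClientVersion {
    $v = (Get-Item (Join-Path $env:windir 'system32\mstsc.exe')).VersionInfo
    $fileVersion = New-Object System.Version($v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart)
    $rdp61 = New-Object System.Version('6.0.6001.18000')   # RDP 6.1, per the list above
    return @{ FileVersion = $fileVersion.ToString(); MeetsRequirement = ($fileVersion -ge $rdp61) }
}

Test-RwwCertificate -Url $RwwUrl
Get-RdpClientVersion
```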

SBS 2008: Introduction to Remote Web Workplace
Just as it was in SBS 2003, Remote Web Workplace (RWW) is an integral component in the SBS feature set for 2008. Its purpose is to provide a secure centralized web portal for employees and administrators to access network resources. Users can perform the following actions when logged in:

  1. Check their E-mail.
  2. Access the Internal Web Site (CompanyWeb).
  3. Connect to a computer through RDP (only network admins can connect to the SBS server)
  4. Change their domain password
  5. Access help and configuration information for RWW
  6. Access customized corporate links (more information available at:

RWW is installed on the server during SBS Setup, but is not fully configured for Internet access until you complete the “Internet Address Management Wizard” (IAMW). Note: If you are using a 3rd party SSL certificate, you must also complete the “Add A Trusted Certificate Wizard”. RWW is installed as the "remote" virtual directory under the SBS Web Applications site, which accepts SSL connections on port 443. By default, the IAMW adds the prefix “remote” to your chosen domain name to distinguish the SBS 2008 server in your web presence as the remote user portal. In this case, if you chose as your domain name, you would access RWW using “”.

For full access to the RWW feature set from the Internet, you must ensure the following:

  1. TCP 443 and TCP 987 (For SharePoint) are open on your Internet firewall.
  2. Clients are running Internet Explorer 6.0 SP2 or higher
  3. The RDP 6.1 client or higher is installed on the client machine
  4. The client must trust the SSL certificate that is installed on the SBS Web Applications site
  5. The client must connect using the URL that matches the common name on the certificate.


From a centralized location, users can launch OWA, connect to an authorized computer, launch CompanyWeb, change their password, and access the built-in corporate links (help for RWW and Outlook Anywhere) or customized links (these links are shared with the Vista Desktop Gadget).


Administrators and users are presented with the same features upon login to the homepage, with the following exceptions:

  1. Users are not offered the “Connect to Server” option. Only network administrators can connect to the SBS server.
  2. Users are not presented with the “Administration” links

SBS Console Integration

From the SBS 2008 console, you can perform a variety of management tasks for the website itself. You can access this under “Shared Folders and Web Sites”. The various tasks you can perform include:

  1. Enabling or disabling the website
  2. Browse the website (opens in IE using https)
  3. Add or remove users permissions to login to RWW
  4. Enable or disable RWW homepage links (OWA, Connect to Computer, Internal Website, Change Password, Connect to Server, Help, and Remote Web Workplace Link List)
  5. Manage Organizational and Administrative links that are displayed upon user login. Here you can enable/disable them, change permissions (who can see them), remove them or add new ones, or change their titles


Login Requirements

As it did in SBS 2003, RWW uses forms based authentication, which stores the encrypted credentials from the user’s initial login as a cookie in the web browser. This cookie is used to authenticate further connections to restricted resources inside RWW, such as OWA and CompanyWeb. Only members of the Windows SBS Remote Web Workplace Users security group are allowed to login to RWW. To modify membership for this group, use the SBS 2008 Console:


User Account Properties for RWW Login Rights


Launching OWA and CompanyWeb

When OWA and CompanyWeb are launched in RWW, your browser is connected to either or respectively; where is the domain name that you have configured in the IAMW. By default, they open in their own restricted Window with no address or navigation bar, preventing you from navigating to a different site in the same window. You can override this (only in IE 7) on the client machine by opening Tools > Internet Options > General > Tabs > Settings and allowing pop-ups to be opened in a new tab:


Connect to a computer

When a user clicks “Connect to a computer”, they are presented with a list of computers which they are authorized to connect to, and can set one as their default. Once they choose a default computer, they will no longer be presented with a list and will connect automatically to their chosen machine. Note: If the user is authorized for only a single machine, no list is shown and they are connected directly to that machine. This is meant to give the administrator greater control over which machines their users can connect to. This information is defined both on the user account and computer account properties in the SBS 2008 console:


Computer account properties:


Once “Can log on remotely to this computer” is checked, the next group policy refresh will add the user account to the “Remote Desktop Users” local group on the machine. Note: Administrators automatically have the right to remotely connect to any machine in the domain.

If you have installed Terminal servers in your domain, you can run into a problem where they will not show up in the list of computers to connect to for standard users. To override this behavior to display all computers in the domain, perform the following:

  1. To open the Registry Editor, click Start, click Run, type regedit in the text box, and then press ENTER.
  2. Browse to HKEY_LOCAL_MACHINE\Software\Microsoft\SmallBusinessServer.
  3. Right-click SmallBusinessServer, click New, and then click Key.
  4. Name the key BusinessProductivity.
  5. Right-click BusinessProductivity, click New, and then click DWORD (32-bit) Value.
  6. Name the new value ShowAllComputers.
  7. Right-click ShowAllComputers, type 1 in the Value data text box, and then click OK.
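As an added example (not part of the original post), the registry change above as a PowerShell script, so it can be applied and verified repeatably; the key and value names are the ones given in the steps, and the script must run elevated on the SBS server.

```powershell
# Added example, not from the original post: apply and verify the ShowAllComputers
# registry value from the steps above. Run elevated on the SBS 2008 server.
$KeyPath   = 'HKLM:\Software\Microsoft\SmallBusinessServer\BusinessProductivity'
$ValueName = 'ShowAllComputers'

function Set-RwwShowAllComputers {
    param([int]$Enabled = 1)          # 1 = list every domain computer for standard users
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null   # creates BusinessProductivity under SmallBusinessServer
    }
    # New-ItemProperty fails if the value already exists, so update in that case.
    $existing = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($existing -eq $null) {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Enabled | Out-Null
    } else {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Enabled
    }
    # Read back what is actually stored rather than trusting the write.
    return (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
}

function Get-RwwShowAllComputers {
    $existing = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($existing -eq $null) { return $null }      # value absent: default behaviour (terminal servers hidden)
    return $existing.$ValueName
}

Set-RwwShowAllComputers -Enabled 1
Get-RwwShowAllComputers
```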


TSGateway Integration

RWW in SBS 2008 leverages the TSGateway service that is running on the SBS server to perform the remote desktop connection to the chosen machine. Like RWW, TSGateway is fully enabled when the IAMW is completed (“Add a Trusted Certificate” must also be completed if you are using a 3rd party SSL certificate). This allows remote desktop connections to your domain-joined machines through port 443. This is different from RWW in SBS 2003, where you had to open port 4125 through your firewall.

The following screenshot shows what an RDP connection to TSGateway looks like. We can see that the “Gateway server” field is populated with the URL of the server, which is resolvable both externally and internally in DNS. The “Remote computer” field is populated with the internal machine name of the computer that we are connecting to:


You can, in fact, configure the RDP 6.1 client or higher to connect directly through TSGateway without having to first login to RWW. The only difference between this and connecting through RWW is that RWW does this for you automatically. Click on “Options” > select the “Advanced” tab > and click on “Settings” under “Connect from Anywhere” to display the TSGateway configuration settings:


Enter in the URL for the SBS 2008 server (which you configured during the IAMW)


Finally, on the “General” tab, enter the internal machine name of the computer you wish to connect to:

