The ConnectWise Control forum has moved to ConnectWise University! This forum has been locked and is in read-only mode. Click here for instructions on how to access the new forum.

oneboise  
#1 Posted : Friday, April 24, 2015 7:06:36 PM(UTC)
Rank: Advanced Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 1/21/2012(UTC)
Posts: 36
Location: US

Thanks: 4 times
Was thanked: 1 time(s) in 1 post(s)
We have a server setup with about 600 unattended systems. We currently have our WebServerListenUri set to port 80 and our RelayListenUri set to port 443. We want to swap these ports so that the web server is on 443 (to allow SSL configuration) and the relay is on port 80. We want to keep these two ports to make sure we can always get access through some of our customers' strict firewall policies.

Below is a short detail of the steps I plan to use to make this swap/transition. Does anyone have any recommendations? Is there any step I am missing?

My biggest concern is what happens if half of the unattended devices are offline during the transition: are they going to be able to reconnect to the new port when they are turned back on? Should I complete steps 1 & 2 and then add the RelayAddressableUri, but wait to get the unattended client reinstalled on ALL devices before completing step 3?

Thanks for any experiences, thoughts or input that you may have...

1. Modify the web.config WebServerListenUri from port 80 to 81 temporarily.
http://help.screenconnec...e=Changing_default_ports
2. Log into the web server with the new port and test.
3. Change the relay address. Add RelayAddressableUri to the web.config. Follow remaining steps in the article to change the port from 443 to 80.
http://help.screenconnec...nattended_access_clients
4. Modify the WebServerListenUri from port 81 to 443.
http://help.screenconnec...e=Changing_default_ports
5. Create and install the SSL certificate.
http://help.screenconnec...certificate_installation

oneboise  
#2 Posted : Saturday, April 25, 2015 2:28:54 PM(UTC)
In testing this I read closer and found this note when changing the RelayAddressableUri - "On the Host page, your unattended access clients will disconnect and then reconnect. Make sure that all unattended access clients have reconnected before continuing onto the next step."

That makes sense and means that I will have to wait until a weekday when many of the PCs are powered on and connected so they can reconnect and then be reinstalled.

Looks like the article answered the question for me. I am still going to try it out on a test server and post my results.
oneboise  
#3 Posted : Saturday, April 25, 2015 2:40:07 PM(UTC)
Sure enough. Leaving a test machine offline during the changes would not allow me to re-install the client, thus sending it the correct RelayAddressableUri. The other clients that were online accepted the new port and reconnected just fine.

The article explains these details, I just didn't read close enough at first - http://help.screenconnec...nattended_access_clients
Scott  
#4 Posted : Monday, April 27, 2015 12:45:58 PM(UTC)
Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 3/28/2014(UTC)
Posts: 2,862
United States

Thanks: 3 times
Was thanked: 351 time(s) in 303 post(s)
Correct, if the machines are not online, then they will not receive the Reinstall and thus they will not know to call back to a different port. If it's a possibility, you can just NAT the old relay port to the new at the firewall so that the offline machines can call back with their original port, which would then be translated to the new. I know this wouldn't allow HTTPS to be set up quite yet, but it would give you a little more time to ensure that the update was propagated to as many remote machines as possible.

Alternatively, if you have another IP address, you can run both the web and relay servers on the same port, just bind each to its respective address.

Also, you can run https on a non-standard port. This would mean that your users would have to enter https://your.domain.com:8443 (or whatever the alternate port would be), but you wouldn't have to worry about changing the relay for your unattended clients.
ScreenConnect Team
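As an added example (not code from this thread or from ScreenConnect), the Python planner below models the behaviour established in posts #1 to #4: an unattended client only learns the new relay port if it receives the Reinstall while online, so clients that are powered off keep calling back on the old port, and a firewall NAT forward from the old port to the new listener is what lets them reconnect. The fleet, the client names and the helper names are constructed for illustration; the script reports which clients would be stranded and which forwards rescue them.

```python
"""Plan a ScreenConnect relay port swap (added example, not ScreenConnect code).

Which unattended clients will be stranded after the swap, and which
firewall NAT forwards (old port -> new listener) un-strand them.
"""
from dataclasses import dataclass


@dataclass
class Client:
    name: str
    relay_port: int   # port baked into the client's RelayAddressableUri
    online: bool      # online when the Reinstall is pushed?


def push_reinstall(clients, new_port):
    """Fleet after the Reinstall: only clients that were online pick up new_port."""
    return [Client(c.name, new_port if c.online else c.relay_port, c.online)
            for c in clients]


def reaches_relay(port, listen_port, nat_map):
    """Does a callback to `port` land on the relay listener?

    nat_map models DNAT rules on the firewall as {external_port: internal_port};
    a port with no rule passes through unchanged.
    """
    return nat_map.get(port, port) == listen_port


def stranded(clients, listen_port, nat_map=None):
    """Names of clients whose stored port no longer reaches the listener."""
    nat_map = nat_map or {}
    return [c.name for c in clients
            if not reaches_relay(c.relay_port, listen_port, nat_map)]


def rescue_forwards(clients, listen_port):
    """Minimal NAT map {old_port: listen_port} that un-strands every client."""
    return {c.relay_port: listen_port for c in clients
            if c.relay_port != listen_port}


# Constructed sample fleet: relay currently on 443, about to move to 80.
FLEET = [
    Client("ws-01", 443, True),
    Client("ws-02", 443, True),
    Client("laptop-03", 443, False),   # powered off during the change
    Client("kiosk-04", 443, False),    # powered off during the change
]

if __name__ == "__main__":
    after = push_reinstall(FLEET, new_port=80)
    print("stranded without NAT:", stranded(after, 80))
    print("NAT forwards needed :", rescue_forwards(after, 80))
    print("stranded with NAT   :", stranded(after, 80, rescue_forwards(after, 80)))
```

Run it before the change with your real last-seen list to see how many clients would be stranded, and keep the forward in place until `stranded()` returns an empty list against the current fleet.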
oneboise  
#5 Posted : Tuesday, April 28, 2015 6:05:56 PM(UTC)
Scott, thanks so much for the reply. Those are all great recommendations. I thought about using different IPs or different ports, but want to keep them somewhat standard to prevent any firewall blocking issues. I might just use the NAT option to get all offline machines reconnected.
RADRaze2KX  
#6 Posted : Thursday, April 30, 2015 2:54:07 AM(UTC)
Rank: Advanced Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 5/15/2013(UTC)
Posts: 70
Man
United States
Location: Tempe, AZ

Thanks: 3 times
Was thanked: 4 time(s) in 3 post(s)
Scott, can it be suggested to have an alternate relay built into the SC clients, for this reason? Functionality would give clients a secondary relay to look for in the event the first one fails, and if the primary relay isn't connected to within a specified time, the secondary relay becomes the primary relay and the primary relay is cleared out? This would really help, moving forward, with large clients... a push could be done from the server over time to the clients that are on and once they're on the new version, a swap could be done without much headache...
My How-To's:
Restrict A User's Access to Certain Computers: Forum Search (Posts) "25422"
Scott  
#7 Posted : Thursday, April 30, 2015 1:51:06 PM(UTC)
I know we have that on our enhancement request list already and I can definitely give it a bump in priority. Some of the stuff we've been working on for the cloud could be used to do this, but it's not ready to implement in cases like this yet.
ScreenConnect Team
oneboise  
#8 Posted : Saturday, May 2, 2015 12:49:06 PM(UTC)
After spending the last week and getting VERY close to the perfect configuration I had to give up. The primary issue we faced was that I could not get SC to listen on the same port for web and relay...even after defining a separate IP address for each. In a perfect situation (for us) we would be able to use 443/SSL for web access on IP1 and 443 for relay access on IP2. I attempted to do this since we have plenty of public IPs. No matter what combination of IPs and web.config keys I tried, I could never get web & relay services to start up on port 443 at the same time.

I see plenty of other forum users utilizing two separate IPs, but still using the default port 8041 or port 80 for the relay. The issue for us running relay port 80 is that we found many web appliances blocked clients from connecting to the host. On the other token using port 8041 will not allow some clients to connect because their firewall is blocking non-standard ports.

We DO have web HTTP redirection to HTTPS working and most of our unattended clients are connecting again on relay port 8041 (see below).

I like the alternate relay suggestion that RADRaze2KX has in this thread. That would make sense. To work around that for now, we have done some port mapping on our firewall for port 80, 443 & 8041 ALL to forward into port 8041 so any unattended clients that were offline during the config changes still connect.

My question really comes down to this: Is it possible to run the Web and Relay service on the same port using separate IPs? Specifically, port 443?
Example:
Public IP 1 / Internal IP 1 / Web 443 & 80
Public IP 2 / Internal IP 2 / Relay 443

Current/Working web.config:
<add key="WebServerListenUri" value="https://10.0.0.101:443/" />
<add key="WebServerAlternateListenUri" value="http://10.0.0.101:80/" />
<add key="RelayListenUri" value="relay://+:8041/" />
<add key="RelayAddressableUri" value="relay://supportrelay.domain.com:8041/" />
<add key="RedirectFromBaseUrl" value="http://*/" />
<add key="RedirectToBaseUrl" value="https://support.domain.com/" />

Ideal web.config:
<add key="WebServerListenUri" value="https://10.0.0.100:443/" />
<add key="WebServerAlternateListenUri" value="http://10.0.0.100:80/" />
<add key="RelayListenUri" value="relay://10.0.0.101:443/" />
<add key="RelayAddressableUri" value="relay://supportrelay.domain.com:443/" />
<add key="RedirectFromBaseUrl" value="http://*/" />
<add key="RedirectToBaseUrl" value="https://support.domain.com/" />

Thanks all for reading.
Scott, maybe we can get a chance to chat or I can submit an email/ticket for direct support.
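As an added example (not code from this thread or from ScreenConnect), the Python linter below reads web.config `<add key=... />` lines like the two sets posted above, extracts the (address, port) binding of each listener, and flags two listeners that would share a port on the same address. A wildcard address such as `+` or `*` is treated as claiming the port on every address; that rule and all helper names are assumptions of this example. It also flags a RelayAddressableUri port that differs from the RelayListenUri port, which only works if the firewall forwards it (the 80/443/8041 to 8041 mapping described in the post). Note that the "ideal" config passes this textual check yet, as reported above, still would not start both services, so a clean result here is a necessary check, not a guarantee.

```python
"""Lint ScreenConnect web.config listen URIs for port overlaps.

Added example, not ScreenConnect's own code. The wildcard rule below
(a '+' or '*' address claims the port on every address) is an assumption.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

LISTEN_KEYS = ("WebServerListenUri", "WebServerAlternateListenUri", "RelayListenUri")
WILDCARDS = {"+", "*", "0.0.0.0"}


def parse_settings(fragment):
    """Return {key: value} from bare <add key="..." value="..."/> lines."""
    root = ET.fromstring("<appSettings>" + fragment + "</appSettings>")
    return {el.get("key"): el.get("value") for el in root.findall("add")}


def binding(uri):
    """(host, port) of a listen/addressable URI; http/https default their port."""
    parts = urlsplit(uri)
    port = parts.port
    if port is None:
        port = {"https": 443, "http": 80}.get(parts.scheme)
    return parts.hostname, port


def port_conflicts(settings):
    """Pairs of listener keys that bind the same port on overlapping addresses."""
    bindings = [(k, *binding(settings[k])) for k in LISTEN_KEYS if k in settings]
    conflicts = []
    for i, (k1, h1, p1) in enumerate(bindings):
        for k2, h2, p2 in bindings[i + 1:]:
            same_addr = h1 == h2 or h1 in WILDCARDS or h2 in WILDCARDS
            if p1 == p2 and same_addr:
                conflicts.append((k1, k2, p1))
    return conflicts


def relay_needs_forward(settings):
    """True when clients call back on a port other than the relay's listen port."""
    _, listen_port = binding(settings["RelayListenUri"])
    _, public_port = binding(settings["RelayAddressableUri"])
    return public_port != listen_port


# The two configs posted in this thread.
CURRENT_CONFIG = """
<add key="WebServerListenUri" value="https://10.0.0.101:443/" />
<add key="WebServerAlternateListenUri" value="http://10.0.0.101:80/" />
<add key="RelayListenUri" value="relay://+:8041/" />
<add key="RelayAddressableUri" value="relay://supportrelay.domain.com:8041/" />
"""
IDEAL_CONFIG = """
<add key="WebServerListenUri" value="https://10.0.0.100:443/" />
<add key="WebServerAlternateListenUri" value="http://10.0.0.100:80/" />
<add key="RelayListenUri" value="relay://10.0.0.101:443/" />
<add key="RelayAddressableUri" value="relay://supportrelay.domain.com:443/" />
"""
# Constructed: relay on the '+' wildcard collides with the web server on 443.
WILDCARD_CONFIG = """
<add key="WebServerListenUri" value="https://10.0.0.100:443/" />
<add key="WebServerAlternateListenUri" value="http://10.0.0.100:80/" />
<add key="RelayListenUri" value="relay://+:443/" />
<add key="RelayAddressableUri" value="relay://supportrelay.domain.com:443/" />
"""
# Constructed: clients call back on 443 while the relay listens on 8041.
MAPPED_CONFIG = """
<add key="RelayListenUri" value="relay://+:8041/" />
<add key="RelayAddressableUri" value="relay://supportrelay.domain.com:443/" />
"""

if __name__ == "__main__":
    for label, cfg in [("current", CURRENT_CONFIG), ("ideal", IDEAL_CONFIG),
                       ("wildcard", WILDCARD_CONFIG), ("mapped", MAPPED_CONFIG)]:
        s = parse_settings(cfg)
        print(label, "conflicts:", port_conflicts(s),
              "relay needs firewall forward:", relay_needs_forward(s))
```

Paste the `<add ... />` lines from your own web.config into one of the string constants to lint them; when `relay_needs_forward` is true, the corresponding external port must be forwarded to the listen port on the firewall or unattended clients will not reconnect.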
marktoo  
#9 Posted : Saturday, May 2, 2015 3:20:28 PM(UTC)
Rank: Advanced Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 3/29/2015(UTC)
Posts: 100
United States
Location: Metro DC

Thanks: 27 times
Was thanked: 10 time(s) in 8 post(s)
oneboise,

You may want to take a look at the hidden "ScreenConnect Router" service. It allows us to use 1 IP address, relay over 443, and use standard https (443) for web portal. It works great for us.

Mark
oneboise  
#10 Posted : Monday, May 4, 2015 12:16:33 PM(UTC)
Thanks for pointing that out, Mark! That makes for a MUCH simpler configuration. I'll do some testing and look at implementing it soon....then post my results here.
jeffshead  
#11 Posted : Monday, October 26, 2015 6:44:52 AM(UTC)
Rank: Member

Joined: 10/22/2015(UTC)
Posts: 31
United States

Thanks: 1 times
Originally Posted by: marktoo
oneboise,

You may want to take a look at the hidden "ScreenConnect Router" service. It allows us to use 1 IP address, relay over 443, and use standard https (443) for web portal. It works great for us.

Mark


If I'm understanding your post correctly, you're saying you have one IP address and both the SC web server and relay are listening on port 443. I didn't think this was possible.

Can you please share your settings? This is what I've been trying to accomplish, myself. I did read the post about the "hidden" SC router but none of the settings I've tried have worked.

marktoo  
#12 Posted : Monday, October 26, 2015 2:28:24 PM(UTC)
jeffshead,

Yes. One IP address, relay and web portal both on 443.

I can't remember all the details of the setup right now. Contact support, they should be able to get you set up... (Steven D was very helpful.)

Mark
jeffshead  
#13 Posted : Wednesday, October 28, 2015 12:01:54 AM(UTC)
Originally Posted by: marktoo
jeffshead,

Yes. One IP address, relay and web portal both on 443.

I can't remember all the details of the setup right now. Contact support, they should be able to get you set up... (Steven D was very helpful.)

Mark


Mark, thank you for taking the time to respond. I contacted SC Support and they told me they do not officially support the "hidden" router functionality.

If you have any spare time, can you share your redacted settings with me? I've hit a brick wall.
marktoo  
#14 Posted : Friday, October 30, 2015 1:39:15 PM(UTC)
jeffshead,

I have posted notes on how we set this up here.

Hope this helps!

Mark