logo
Welcome Guest! You can not login or register.

Notification

Icon
Error
ScreenConnect Using SSL on IIS
Options
Go to last post Go to first unread
Previous Topic Next Topic
cwturner2  
#1 Posted : Wednesday, January 25, 2017 7:50:51 PM(UTC)
cwturner2


Rank: Guest

Joined: 1/25/2017(UTC)
Posts: 1
Location: Kansas
Confused
We have a server located in our DMZ. This server hosts our web server and services. We are attempting to make our Screen Connect available externally for support issues; however, I do not wish to operate of 8040, and 8041. I want to use 443 for web, and 80 for relay.

When I attempt to run the SSL Configuration I receive the following error when I attempt to add our SSL

"There was a problem binding the certificate to port 443. A certificate has already been bound to 0.0.0.0:443"

I am assuming that this is because on this server I also host IIS, which has several sites that use 443, with a wildcard certificate. They are able to resolve which site goes where by header information for SSL.

After talking with support, apparently this is something they do not support. Mad
Not sure why this isn't built and deployed with 443 / 80 by default, but oh well.

Has anyone been able to set this up running on a server that also hosts IIS, and other SSL Sites?

I would rather not have to setup a completely different External IP, Internal IP, Server, Etc. Just to host one application.

Thanks,
Back to top
WWW

Back to top  
Michael L  
#2 Posted : Wednesday, January 25, 2017 9:33:50 PM(UTC)
Michael L


Rank: Administration

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 8/18/2015(UTC)
Posts: 98
Man
United States

Thanks: 8 times
Was thanked: 14 time(s) in 12 post(s)
Hi cwturner2,

Just a quick word of warning, I have a good high-level understanding of IIS' functions, but am by no means an expert. Please make sure you make a backup of your system (web.config file at the very least) so that changes can be reverted in case this causes problems.

1) I believe that forwarding the web and relay traffic can be accomplished in IIS with the Url Rewrite extension. You'll need 2 separate rules for this, one for web and one for relay.
https://www.iis.net/down...ds/microsoft/url-rewrite

Here's a guide I found on MSDN that goes through the setup process for it:
https://blogs.msdn.micro...oxy-for-real-world-apps/

You would keep SC listening on ports 8040 and 8041 in this scenario so that IIS has some place to forward the traffic to. You would then set IIS to listen on both ports 80 and 443 for traffic that's headed to your SC URL, and forward it internally to port 8040 for web traffic and 8041 for the relay traffic.

2) You will need to modify the following key in the web.config file to read the following way:

<add key="WebServerListenUri" value="https://yourservername.com:8040/" />

3) You'd also need to add the following 2 keys into your web.config file within the same section as the WebServerListenUri key to ensure that downloads and sessions continue to work:

<add key="WebServerAddressableUri" value="https://yourservername.com/" />
<add key="RelayAddressableUri" value="relay://yourservername.com:80/" />

4) I'm not sure that step 4 is actually required, so test before you do step 4 to see if it works. If you get SSL/security errors when testing, try the following:

Manually bind the SSL certificate to port 8040.
https://help.screenconne...L_certificate_on_Windows

Your cert is already installed, so binding on a different/non-standard port is easy. You can run the following command in an elevated command prompt to get the certificate hash:
netsh http show sslcert

Then, bind the cert to 8040 using the command:
netsh http add sslcert ipport=0.0.0.0:8040 certhash=replace_with_the_hash appid={00000000-0000-0000-0000-000000000000}

5) Final note - the relay service listens separately and doesn't interact with the web service. Relay traffic is entirely TCP based, which may need to factor into your rules when setting up the application routing in IIS, while the web traffic uses the https protocol (of course).
ConnectWise Control (ScreenConnect) Support Team
Back to top
bradyosborne  
#3 Posted : Tuesday, March 13, 2018 7:23:53 PM(UTC)
bradyosborne


Rank: Newbie

Joined: 7/19/2012(UTC)
Posts: 5
Man
United States
Location: Tulsa, OK
I know this is a somewhat old topic but I thought I would post my instructions that worked to see if it would assist someone in the future...

NOTE: I changed port 8040 to 443 and 8041 I kept the same, that way I can simply go to https://screenconnect.xxx. You may have to modify web.config to make the settings match.

  • Export cert as IIS files
  • Upload all unzipped files to Linux box or OpenSSL on Windows and run:
    Code:
    openssl pkcs12 -export -in the-file-that-ends-in.crt -inkey ScreenConnectPrivateKey.key -out cert.pfx -certfile the-file-that-ends-in.ca-bundle

  • Download/acquire cert.pfx from the generated output of the above step
  • Open MMC and add the Certificates applet on the COMPUTER account
  • Go into Personal certs and delete the expired/old cert if applicable
  • Import cert.pfx into Personal
  • Import the ca-bundle into Trusted Root
  • Open an elevated command prompt and type this to remove the current bindings:
    Code:
    
netsh http delete sslcert ipport=0.0.0.0:443
netsh http delete sslcert ipport=0.0.0.0:8041

  • Open the certificate, go to the Details tab, go to the bottom and copy the thumbprint to clipboard
  • Remove the spaces in the thumbprint and replace as seen below and type the following:
    Code:
    
netsh http add sslcert ipport=0.0.0.0:443 certhash=thumbprint-goes-here appid={00000000-0000-0000-0000-000000000000}
netsh http add sslcert ipport=0.0.0.0:8041 certhash=thumbprint-goes-here appid={00000000-0000-0000-0000-000000000000}

  • Finally, if you want to check the bindings, type this:
    Code:
    
netsh http show sslcert

  • Change something in web.config and save, then undo the change and save and wait about 30 seconds
  • All done!


    • Hope this helps!
    Brady

    Edited by user Tuesday, March 13, 2018 7:34:19 PM(UTC)  | Reason: Not specified
    Back to top
    Users browsing this topic
    Forum Jump  
    You cannot post new topics in this forum.
    You cannot reply to topics in this forum.
    You cannot delete your posts in this forum.
    You cannot edit your posts in this forum.
    You cannot create polls in this forum.
    You cannot vote in polls in this forum.

    Powered by YAF.NET | YAF.NET © 2003-2019, Yet Another Forum.NET