aaronberger
#1 Posted : Tuesday, August 14, 2018 4:29:46 AM(UTC)
Rank: Guest
Joined: 7/25/2018(UTC)
Posts: 6
Location: Melbourne, Australia

Hey Guys,

I'm building a new Windows 2016 server to host onprem Screenconnect (so I can separate it from my Labtech Install).
(No other sites or apps will be hosted on this server)
I plan to use port 443 for both the listen and relay with the Router service.
I've installed Screenconnect and IIS. I've installed and bound an ssl cert on ports 443 and 8043.
I've added the required Router reg keys.
I've added the extra lines required in the web.config file.
I've opened port 443 in the gateway firewall and mapped it to the server IP (temp disabled Windows firewall).
All services start correctly (including the new router service)

I can access the Screenconnect admin page internally (shows as using port 8043). But I can't access it externally at all.

I figure either I've got my firewall rules wrong or some of the lines in the web.config file.
These are the lines I've added/changed in the web.config file.

At the top:
<configSections>
  <section name="screenconnect.routing" type="ScreenConnect.RoutingConfigurationHandler, ScreenConnect.Server" />
</configSections>
<screenconnect.routing>
  <listenUris>
    <listenUri>tcp://+:80/</listenUri>
    <listenUri>tcp://+:443/</listenUri>
  </listenUris>
  <rules>
    <rule schemeExpression="http" actionType="issueRedirect" actionData="https://$HOST/" />
    <rule schemeExpression="ssl" actionType="forwardPayload" actionData="https://192.168.60.101:8043/" />
    <rule schemeExpression="relay" actionType="forwardPayload" actionData="https://192.168.60.101:8041/" />
  </rules>
</screenconnect.routing>

Weblisten section:
<add key="WebServerListenUri" value="https://+:8043/" />
<add key="WebServerAddressableUri" value="https://screenconnect.mydomain.com:443/RemoteSupport/" />
<add key="RelayListenUri" value="relay://+:8041/" />
<add key="RelayAddressableUri" value="relay://screenconnect.mydomain.com:443/" />


Any Ideas what I have gotten wrong? Should I be using 2x external and internal IP?

Any help would be graciously appreciated.

Kind regards
Aaron


shawnkhall
#2 Posted : Thursday, August 16, 2018 4:43:40 AM(UTC)
Rank: Advanced Member
Medals: Level 1: Random Act of Kindness! Received One Thanks!
Joined: 2/6/2014(UTC)
Posts: 295
Location: United States
Thanks: 7 times
Was thanked: 25 time(s) in 22 post(s)
This feels like a gateway firewall problem. If you can access it from elsewhere on the LAN then it wouldn't be a SC configuration issue.

Are you sure that the gateway firewall is forwarding to 80+443 on your server and not 8041+8043?
aaronberger
#3 Posted : Thursday, August 16, 2018 5:01:43 AM(UTC)
Rank: Guest
Joined: 7/25/2018(UTC)
Posts: 6
Location: Melbourne, Australia

Hey shawnkhall,

Many thanks for your reply. Hmm, I rechecked the rules set in my firewall, this is what I have:

Inbound Allow Rule1: protocol_tcp> source_ip:any> source_port:80> destination_port:80> destination_ip:192.168.60.101(screenserver_ip)
Inbound Allow Rule2: protocol_tcp> source_ip:any> source_port:443> destination_port:443> destination_ip:192.168.60.101

Outbound Allow Rule1: protocol_tcp> source_ip:192.168.60.101> source_port:80> destination_port:80> destination_ip:any>
Outbound Allow Rule2: protocol_tcp> source_ip:192.168.60.101> source_port:443> destination_port:443> destination_ip:any>

I figure I just need TCP, right? (UDP not used?)
shawnkhall
#4 Posted : Thursday, August 16, 2018 6:08:37 AM(UTC)
Rank: Advanced Member
Joined: 2/6/2014(UTC)
Posts: 295
Location: United States
Yes, just TCP.

I think your rules are wrong, though. I'm not familiar with the syntax you're using, but if "source_port" means what it does most everywhere else, that would imply that Eric at 8.8.8.8 could not visit your SC install unless his browser made the request *from* port 80 (not just *to* port 80).
aaronberger
#5 Posted : Thursday, August 16, 2018 6:31:22 AM(UTC)
Rank: Guest
Joined: 7/25/2018(UTC)
Posts: 6
Location: Melbourne, Australia

Ahh, thank you, you're right! I ran a port open test on 80 and 443 and both were closed.

I've now corrected the rules and they show as open:
Inbound Allow Rule1: protocol_tcp> source_ip:any> source_port:Any> destination_port:80> destination_ip:192.168.60.101(screenserver_ip)
Inbound Allow Rule2: protocol_tcp> source_ip:any> source_port:Any> destination_port:443> destination_ip:192.168.60.101
Outbound Allow Rule1: protocol_tcp> source_ip:192.168.60.101> source_port:Any> destination_port:80> destination_ip:any>
Outbound Allow Rule2: protocol_tcp> source_ip:192.168.60.101> source_port:Any> destination_port:443> destination_ip:any>

OK, now we're getting somewhere. Now when I try to visit externally I get a new error: 404 - File or directory not found.
This is the value I have for WebServerAddressableUri: https://screenconnect.mydomain.com:443/RemoteSupport/
If I remove the :443 I get the same error. If I remove /RemoteSupport/ and just have https://screenconnect.mydomain.com or https://screenconnect.mydomain.com:443, it just loads my server's IIS site.

It feels like the WebServerAddressableUri value I'm using isn't parsing the /RemoteSupport/ part of the url.

Do I need to add extra lines to the config so the Admin page can load? What do you think?
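The source-port point raised in #4 and the corrected rules in #5, as an added example (this is not code from the thread or from ConnectWise): a PowerShell script that opens a real loopback TCP connection to show the client's ephemeral source port, evaluates the observed 5-tuple against the original and corrected rule shapes with a small matcher, and then previews the equivalent host-side Windows Firewall rule for when the Windows firewall is turned back on. The Test-RuleMatch function and the rule hashtables are my own; the OS-chosen listener port stands in for 443 so the script runs offline. Written for Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the thread. Shows why a gateway rule that pins
# source_port to 80/443 drops every real client: a browser connects FROM an
# ephemeral port; only the destination port is fixed.

function Test-RuleMatch {
    # Minimal 5-tuple matcher in the shape of the thread's rule listing.
    # $Rule values may be 'Any'; $Conn values are concrete.
    param([hashtable]$Rule, [hashtable]$Conn)
    foreach ($k in 'Protocol', 'SourceIP', 'SourcePort', 'DestPort', 'DestIP') {
        $want = "$($Rule[$k])"
        if ($want -ne 'Any' -and $want -ne "$($Conn[$k])") { return $false }
    }
    return $true
}

# Throwaway loopback listener (port 0 = let the OS pick) so this runs offline.
$listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Loopback, 0)
$listener.Start()
$listenPort = ([System.Net.IPEndPoint]$listener.LocalEndpoint).Port

$client = [System.Net.Sockets.TcpClient]::new()
$client.Connect('127.0.0.1', $listenPort)
$local  = [System.Net.IPEndPoint]$client.Client.LocalEndPoint
$remote = [System.Net.IPEndPoint]$client.Client.RemoteEndPoint

$conn = @{
    Protocol   = 'tcp'
    SourceIP   = $local.Address.ToString()
    SourcePort = $local.Port      # ephemeral: Windows hands out 49152-65535 by default
    DestIP     = $remote.Address.ToString()
    DestPort   = $remote.Port
}
"Client connected from $($conn.SourceIP):$($conn.SourcePort) to $($conn.DestIP):$($conn.DestPort)"

# The two inbound rule shapes from the thread, with $listenPort standing in for 443.
$originalRule  = @{ Protocol = 'tcp'; SourceIP = 'Any'; SourcePort = $listenPort; DestPort = $listenPort; DestIP = $conn.DestIP }
$correctedRule = @{ Protocol = 'tcp'; SourceIP = 'Any'; SourcePort = 'Any';       DestPort = $listenPort; DestIP = $conn.DestIP }

"Original rule  (source_port pinned to the service port) matches: $(Test-RuleMatch $originalRule $conn)"
"Corrected rule (source_port Any)                         matches: $(Test-RuleMatch $correctedRule $conn)"

$client.Close()
$listener.Stop()

# Host-side counterpart for when the Windows firewall is re-enabled: allow the
# Router's listen ports inbound with no RemotePort restriction. -WhatIf only
# previews the change; drop it to actually create the rule.
New-NetFirewallRule -DisplayName 'ScreenConnect Router 80/443 in' `
    -Direction Inbound -Protocol TCP -LocalPort 80, 443 -Action Allow -WhatIf
```

The matcher only rejects when a rule field is neither 'Any' nor equal to the observed value, which is the same semantics the gateway applies: with source_port pinned, the only connection that could ever match is one whose client happened to pick that exact source port.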
shawnkhall
#6 Posted : Thursday, August 16, 2018 1:45:47 PM(UTC)
Rank: Advanced Member
Joined: 2/6/2014(UTC)
Posts: 295
Location: United States
Excellent. :)

You probably don't need an allow rule for outbound traffic (all traffic is funneled through the server ports with remote queuing to pass data), but if you do need an outbound allow rule, it shouldn't be limited by destination ports, since SC can run on just about any port on the client. The 2 machines right here next to me are running on 1804 and 50139, and when restarting the SC service on one it was given a port in the 53k range - so there doesn't appear to be any client-side service port requirements that would enable you to filter specific ports.
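The thread ends without resolving the 404 and the "it just loads my server's IIS site" behaviour from #5. As an added example (not code from the thread or from ConnectWise), here is the diagnostic pass I would run on the ScreenConnect server before touching web.config again: which process actually owns 80, 443, 8041 and 8043, what http.sys has bound for SSL, whether the public name answers on 443, and what the web tier returns for the /RemoteSupport/ path. The host name, server IP and ports are the thread's values and are assumptions for any other environment; the Get-PathStatus function is mine. Written for Windows PowerShell 5.1; Invoke-WebRequest will refuse a certificate the server does not trust, so run it against the real certificate or from a machine that trusts it.

```powershell
# Added example, not from the thread: where is the Router in the listening
# picture, and who answers a request for the addressable URI?

$server     = '192.168.60.101'                 # from the thread
$publicHost = 'screenconnect.mydomain.com'     # from the thread
$ports      = 80, 443, 8041, 8043

# 1. Who is listening? The Router's listenUris bind tcp://+:80 and tcp://+:443,
#    so the Router process must be the owner of 80 and 443. If IIS (w3wp.exe,
#    or PID 4 "System" on behalf of http.sys) or anything else holds 443, that
#    process answers the browser and the Router's forwardPayload rules never run.
foreach ($p in $ports) {
    $conns = Get-NetTCPConnection -LocalPort $p -State Listen -ErrorAction SilentlyContinue
    if (-not $conns) { "{0,5}  (nothing listening)" -f $p; continue }
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        "{0,5}  {1,-16} pid {2,-6} {3}" -f $p, $c.LocalAddress, $c.OwningProcess, $proc.ProcessName
    }
}

# 2. http.sys SSL bindings: an IIS binding on 0.0.0.0:443 competes with the
#    Router's tcp://+:443/ listener for the same port.
netsh http show sslcert | Select-String -Pattern 'IP:port|Certificate Hash'

# 3. Is the public name reachable on the listen/relay port from here?
Test-NetConnection -ComputerName $publicHost -Port 443 -InformationLevel Detailed |
    Select-Object ComputerName, RemoteAddress, RemotePort, TcpTestSucceeded

# 4. What answers for the addressable URI path? A 404 carrying a
#    "Server: Microsoft-IIS/..." header came from IIS, not from ScreenConnect,
#    which means the request was never forwarded to port 8043.
function Get-PathStatus {
    param([string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
        [pscustomobject]@{ Url = $Url; Status = [int]$r.StatusCode; Server = $r.Headers['Server'] }
    } catch {
        $resp = $_.Exception.Response
        if ($resp) {
            [pscustomobject]@{ Url = $Url; Status = [int]$resp.StatusCode; Server = $resp.Headers['Server'] }
        } else {
            [pscustomobject]@{ Url = $Url; Status = 'no response'; Server = $_.Exception.Message }
        }
    }
}
Get-PathStatus "https://$publicHost/RemoteSupport/"
Get-PathStatus "https://$publicHost/"
Get-PathStatus "https://${server}:8043/"    # straight to the SC web server, bypassing the Router
```

Reading the output together: step 1 tells you whether the Router ever got 443, step 2 tells you whether IIS is the reason it could not, and step 4 shows whether the path is being answered by IIS or by ScreenConnect. Comparing the public URL against the direct :8043 URL separates a routing problem from a ScreenConnect configuration problem.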