jeffshead  
#1 Posted : Friday, October 5, 2018 5:49:01 AM(UTC)
Has anyone learned that their self-hosted, CWC site is being blocked by web-filtering solutions? I learned that Fortinet Endpoint and the Web@Work (MobileIron) browser are both blocking my site. I found this out when I had a user try to access my CWC site. I finally figured out that the reason he could not connect from his company laptop was because his company deployed Fortinet Endpoint and the admin apparently enabled a filtering category that blocks remote access sites. I ran into the same thing when I tested with another person's company cell phone (different company and different web filtering solution).

My CWC site is non-existent in search results and there is nothing malicious about it. I'm not sure but I doubt that they scour the Internet and keep a database of categorized URLs.

So my question is: How do these web filtering solutions know a site offers remote access? Are there any triggers/identifiers that can be removed?


georg.leitner  
#2 Posted : Monday, October 8, 2018 9:37:43 AM(UTC)
Firewall / Endpoints could identify CWC by looking into the packets like all modern Firewalls can (Application FW) and not only by IP / Ports.
jeffshead  
#3 Posted : Monday, October 8, 2018 12:44:40 PM(UTC)
Originally Posted by: georg.leitner
Firewall / Endpoints could identify CWC by looking into the packets like all modern Firewalls can (Application FW) and not only by IP / Ports.

Thanks for the info!

The users can't even load the login page, before a session is created/started. Also, I have a subdomain that cannot be loaded, either. Seems they are actually blocking the domain but I can't imagine why since the domain is virtually unknown and benign. I think something else is triggering the block. I have another domain, different VPS, same IP block, that is not blocked???

georg.leitner  
#4 Posted : Tuesday, October 9, 2018 6:24:06 AM(UTC)
Easiest way would be to get in contact with the admin of the other side to check why it is blocked.
Scott  
#5 Posted : Tuesday, October 9, 2018 12:43:15 PM(UTC)
Just to clarify, however, while modern firewalls often do Deep Packet Inspection (DPI) of network traffic, since the traffic going across the relay within ConnectWise Control is encrypted they cannot tell much. We do occasionally see some firewalls that perform this DPI scan expecting to see HTTPS traffic and it can cause connection problems since our traffic is not typical HTTPS encrypted data.

I agree with @georg.leitner, however. The easiest path forward is likely to contact the Vendor or Administrator (whichever's applicable) to determine why the traffic is being blocked. If it's a large enough vendor then typically our Product Management team will reach out to see if the problem can be resolved.
ScreenConnect Team
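
Added example (not part of the thread, and not ConnectWise or Fortinet code): a minimal check of the first bytes seen on port 443, of the kind an inspecting device could use to tell a TLS ClientHello, with its plaintext SNI hostname, from traffic that is not typical HTTPS as described in the post above. The function names, the hostname and the non-TLS sample bytes are constructed for illustration; the real relay framing is not shown on this page.

```python
import struct

def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS ClientHello with an SNI extension (sample input only)."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name  # list len, type, name len
    ext = struct.pack("!HH", 0, len(sni)) + sni                    # extension 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"       # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"     # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def classify_443_payload(data: bytes):
    """Return (verdict, sni) for the first client bytes of a port-443 connection."""
    if len(data) < 6 or data[0] != 0x16 or data[1] != 0x03:
        return ("not-tls", None)            # no TLS handshake record header
    if data[5] != 0x01:
        return ("tls-other", None)          # TLS record, but not a ClientHello
    try:
        p = 5 + 4 + 2 + 32                  # record hdr, handshake hdr, version, random
        p += 1 + data[p]                    # skip session id
        p += 2 + struct.unpack_from("!H", data, p)[0]   # skip cipher suites
        p += 1 + data[p]                    # skip compression methods
        end = p + 2 + struct.unpack_from("!H", data, p)[0]
        p += 2
        while p + 4 <= min(end, len(data)):
            etype, elen = struct.unpack_from("!HH", data, p)
            p += 4
            if etype == 0:                  # server_name: hostname is sent in the clear
                nlen = struct.unpack_from("!H", data, p + 3)[0]
                return ("tls-client-hello",
                        data[p + 5:p + 5 + nlen].decode("ascii", "replace"))
            p += elen
    except (IndexError, struct.error):
        return ("tls-malformed", None)      # truncated or inconsistent lengths
    return ("tls-client-hello", None)

# Constructed samples: a browser-style hello and an arbitrary non-TLS frame.
SAMPLE_TLS = build_client_hello("support.example.com")
SAMPLE_NON_TLS = b"\x00\x01constructed-non-tls-frame"

if __name__ == "__main__":
    for sample in (SAMPLE_TLS, SAMPLE_NON_TLS, SAMPLE_TLS[:45]):
        print(classify_443_payload(sample))
```
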
jeffshead  
#6 Posted : Tuesday, October 23, 2018 7:36:51 PM(UTC)
I still haven't received a response from their IT. As a test, I set up a new subdomain, on a totally different domain that can be accessed by the user. I set up CWC to use the new subdomain. The user cannot load the new page so it got blocked, just like the original domain, before there is any relay traffic. They are using Fortinet's EndPoint protection.

What is the best practice for setting up CWC? I thought using the built-in Router service would be the best option so that the CWC webserver and relay use the same public IP, on port 443, to avoid firewall/filtering issues.

Is it better to use two IPs? Should I use different ports?
Scott  
#7 Posted : Monday, November 12, 2018 1:04:17 PM(UTC)
I wouldn't think that using two IPs would add much benefit here. When it comes down to it, we do typically recommend running both the Web Server and Relay on port 443 and while this can be done via two IPs, you can also use the router (as you mentioned).

Unfortunately, you can't always prevent zealous system administrators from blocking traffic especially in more locked-down environments. With that in mind I still think the easiest route is to contact their IT department (perhaps again) and see if they can't whitelist the traffic to/from your Control server and their environment.
ScreenConnect Team