logo

The ConnectWise Control forum has moved to ConnectWise University! This forum has been locked and is in read-only mode. Click here for instructions on how to access the new forum.

Welcome Guest! You can not login or register.

Notification

Icon
Error

Options
Go to last post Go to first unread
ChrisLaurie  
#1 Posted : Friday, August 20, 2010 11:01:28 AM(UTC)
ChrisLaurie


Rank: Newbie

Joined: 8/20/2010(UTC)
Posts: 6

Hi there

I am evaluating ScreenConnect and am having some difficulty getting guest to connect.

My setup is this:
Firewall/Gateway is SMEServer with hostname assist.acron.biz mapped to internal IP

ScreenConnect ports have been changed to 80 and 443 on the target machine

I can connect host and guest internally on my LAN.
I can connect as guest using tor - not sure if that is a good test or not.
Using LogMeIn I connect to a remote machine. From there I can connect to the web server, get the application. It loads on that machine and says waiting to connect and gets no further. It shows it is connecting to the local ip:443, but it does not.

A client of mine could also get so far but no further.

Any suggestions on how I can trace where the block happens?

Jake  
#2 Posted : Friday, August 20, 2010 12:32:04 PM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
I think your firewall/gateway is messing with the HTTP request to your website and changing the Host header to the internal IP address. The guest client should try to connect to whatever host name is in the Guests browser address bar, which is specified in the Host header sent by the Guest. I can only guess that this is being altered.

To override this you can add an appSetting of RelayAddressableUri and change it make it relay://assist.acron.biz:443/ ... We've never seen this before though. Let us know what you find!
ScreenConnect Team
ChrisLaurie  
#3 Posted : Friday, August 20, 2010 1:46:29 PM(UTC)
ChrisLaurie


Rank: Newbie

Joined: 8/20/2010(UTC)
Posts: 6

I was also thinking about that. This does not work though as the Elsinore web server will not restart it complains about text where it expected an IP address.
Jake  
#4 Posted : Friday, August 20, 2010 4:41:07 PM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
Are you sure you were using the key "RelayAddressableUri" when entering your host name? "RelayAddressableUri" should work fine with a host name. "RelayListenUri" expects an IP address.
ScreenConnect Team
ChrisLaurie  
#5 Posted : Friday, August 20, 2010 10:25:41 PM(UTC)
ChrisLaurie


Rank: Newbie

Joined: 8/20/2010(UTC)
Posts: 6

There is a slight improvement when I use "RelayAddressableUri" the pop-up screen on the guest now says assist.acron.biz:443. The window title and tray pop-up status alternates between Connecting and Negotiating. Messages sent is one and messages received says 0
Guest  
#6 Posted : Friday, August 20, 2010 11:09:32 PM(UTC)
Guest


Rank: Advanced Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 4/9/2010(UTC)
Posts: 331

Was thanked: 2 time(s) in 2 post(s)
Ok, it is communicating with the correct address. I think your firewall is messing with the relay connection now. The firewall needs to forward the traffic directly without any http proxy mess or any other packet inspection. I'm not sure how to do this with your device, but we'd be glad to give it a look if you call into our support line.
ChrisLaurie  
#7 Posted : Friday, August 20, 2010 11:39:59 PM(UTC)
ChrisLaurie


Rank: Newbie

Joined: 8/20/2010(UTC)
Posts: 6

I've some testing and I suspect it has to do with the VirtualHost settings in the Apache configuration on my SMEServer gateway. Unfortunately I am out of my depth here. First prize would be to know what exact settings to use inside the VirtualHosts directive (ProxyPass etc)
Guest  
#8 Posted : Saturday, August 21, 2010 9:55:01 AM(UTC)
Guest


Rank: Advanced Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 4/9/2010(UTC)
Posts: 331

Was thanked: 2 time(s) in 2 post(s)
Chris,

I'm thinking you should abandon apache and usew true port forwarding instead. Iptables? I don't know much about linux...

http://tldp.org/HOWTO/IP...de-HOWTO/forwarders.html
Guest  
#9 Posted : Monday, August 23, 2010 11:18:25 AM(UTC)
Guest


Rank: Advanced Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 4/9/2010(UTC)
Posts: 331

Was thanked: 2 time(s) in 2 post(s)
I'm afraid I do not have the option of abandoning apache and linux. I use a popular and very good linux distribution SmeServer (contribs.org). They do have a good community so I can also ask there for help. But I would need to know what question to ask. As you can from above the gust now gets the correct address. So I would expected it to work now, except it doesn't and I cannot tell why.
Jake  
#10 Posted : Monday, August 23, 2010 3:33:27 PM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
You don't need to abandon linux, just Apache for the forwarding. IPTables sounded like the right way to forward your ports through an intermediate server. It should be included with your linux distro.
ScreenConnect Team
Guest  
#11 Posted : Tuesday, August 24, 2010 12:59:26 AM(UTC)
Guest


Rank: Advanced Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 4/9/2010(UTC)
Posts: 331

Was thanked: 2 time(s) in 2 post(s)
What I am trying to achieve is get ScreenConnect to use ports 80/443. Several of my prospective guests have outbound blocks on other ports. My firewall/gateway is also a web server for other stuff so it needs ports 80/443 for itself as well. That is why the forwarding is handled by Apache. Also the distro specifically protects itself against direct editing of set-up. I'll check to see if I can selectively forward ports based on url using iptables and whether that is available to me. Apache is a common enough forwarder and would it not be in ScreenConnect's interest t be able to use it to forward/proxy it's traffic?
ChrisLaurie  
#12 Posted : Tuesday, August 24, 2010 1:13:00 AM(UTC)
ChrisLaurie


Rank: Newbie

Joined: 8/20/2010(UTC)
Posts: 6

Did you test my server again after I made the "RelayAddressableUri" change? What is the result?
Jake  
#13 Posted : Tuesday, August 24, 2010 12:17:45 PM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
Apache can forward HTTP traffic, which works fine (after the RelayAddressableUri change) for our web server port 80 stuff, but it can't forward raw TCP traffic, which is used by our Relay, and is why you're having trouble connecting.

You can use a different IP than Apache is using on 443, or you can use a different port. But you won't be able to dual-purpose the same port/ip combination for our Relay service.

If you want to give us a call during ET business hours, our linux expert would love to give it a shot.
ScreenConnect Team
ChrisLaurie  
#14 Posted : Tuesday, August 24, 2010 3:50:05 PM(UTC)
ChrisLaurie


Rank: Newbie

Joined: 8/20/2010(UTC)
Posts: 6

Ahhh - raw TCP traffic. I will do some research. I'd love to take up your offer, but will have to work around the limitation of me being in South Africa and having a small window for this. The sme server environment works with a template system where changes to configuration are done via db settings and generate config files.
techguy  
#15 Posted : Thursday, September 23, 2010 3:54:40 PM(UTC)
techguy


Rank: Newbie

Joined: 9/23/2010(UTC)
Posts: 2

Hi Jack and All,

I'm trying out Screenconnect on a WinServer2003/2008 box and the guest has the same connection issues as described above (please note the guest is at a major bank and has a proxy firewall). The guest can access the Guest.aspx page and type in the session code. However, when connecting to the session, the ScreenConnect tray icon will just stay at "connecting..."
Is it possible that his proxy is filtering the raw TCP relay traffic? Is there a way "around" this proxy or type in the proxy somewhere in screenconnect?

Here are my current settings with all the necessary ports opened:
<add key="WebServerListenUri" value="http://+:80/" />
<add key="RelayListenUri" value="relay://0.0.0.0:443/" />

I've also tried this setting as well:
<add key="RelayListenUri" value="relay://subdomainname:443/" />

Any advice/suggestions are welcomed.
Thanks!

Jake  
#16 Posted : Friday, September 24, 2010 8:25:18 AM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
In 1.8 and below we don't go through proxies. We added proxy support for the clients in 1.9. You should try this.
ScreenConnect Team
techguy  
#17 Posted : Friday, September 24, 2010 8:49:19 AM(UTC)
techguy


Rank: Newbie

Joined: 9/23/2010(UTC)
Posts: 2

thanks Jake, shall give that a try.
Users browsing this topic
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.