The ScreenConnect w/Linux & Mono setup is tricky and is limited due to a lack of support for intermediate certificates.
The fix? Nginx.
Assuming you have it installed, let's dive in. If you're logged in as root, you won't need to prefix commands with "sudo". Replace "domainname" with your domain name with the dots removed, e.g. "forumscreenconnectcom.key". I'll also assume you have the latest OpenSSL installed (1.0.1e).
Step 1. Create a directory to house the TLS certificate.
Code:
sudo mkdir /etc/nginx/tls
cd /etc/nginx/tls
Step 2. Create the server key.
If you want to password-protect your key, run ONE of the following 3 commands. You will have to enter this passphrase every time you start Nginx.
Weak Security:
Code:
sudo openssl genrsa -des3 -out domainname.key 1024
High Security:
Code:
sudo openssl genrsa -des3 -out domainname.key 2048
Highest Security (thus slightly slower):
Code:
sudo openssl genrsa -des3 -out domainname.key 4096
It will ask you to provide a password/passphrase. Make it unique, lengthy and cryptographically sound. If you're still managing passwords manually, use 1Password.
If you don't want to password-protect your key, run ONE of the following 3 commands. Nginx will start/stop as usual (service nginx restart).
Weak Security:
Code:
sudo openssl genrsa -out domainname.key 1024
High Security:
Code:
sudo openssl genrsa -out domainname.key 2048
Highest Security (thus slightly slower):
Code:
sudo openssl genrsa -out domainname.key 4096
Step 3. Create the certificate signing request. You will need to give this to a CA. If you'd prefer to self-sign, your certs will not work with ClickOnce deployment without manually adding the cert to the browser store. Completely free, 12-month TLS certificates are available from StartSSL.com.
Code:
sudo openssl req -new -key domainname.key -sha256 -out domainname.csr
You will be asked to provide your country code, state/province, locality/city, company name, OU, common name and email address.
The "common name" is your server's fully qualified domain name (FQDN). So if your SC installation resides at http://screenconnect.mydomain.com/v4, your "common name" is "screenconnect.mydomain.com".
When you're finished with step 3, you'll have a domainname.csr file. Copy/paste the entire contents to your CA, making sure you keep the format/layout.
Step 4. Remove the passphrase.
ONLY FOLLOW THIS STEP IF YOU PASSWORD-PROTECTED YOUR KEY.
Code:
sudo cp domainname.key domainname.key.org
sudo openssl rsa -in domainname.key.org -out domainname.key
Step 5. You'll receive your certificate (either in plain text or in a .crt file).
If it's a file, simply copy it to
Code:
/etc/nginx/tls/domainname.crt
If it's in text format, copy the entire text, including the ----- BEGIN and END ----- lines, to your clipboard.
Code:
cd /etc/nginx/tls
vi domainname.crt
Press i to enter insert mode.
Right click to paste your file.
Press ESC twice.
Type :wq
Press Enter.
Step 6. Create your Nginx config file.
Code:
cd /etc/nginx/sites-enabled/
nano domainname.conf
Right click and paste the following...
Code:
server {
    # DEFINE OUR PORT (443) AND SET THIS AS OUR DEFAULT TLS SERVER
    listen 443 default_server ssl;
    server_name insert_your_domain_name_here;
    ## WE'LL BE USING TLS, SO LET'S ENABLE IT.
    ## (REDUNDANT WITH THE ssl PARAMETER ON listen ABOVE, AND DEPRECATED IN LATER NGINX RELEASES.)
    ssl on;
    ## WHERE'S THE CERTIFICATE AND KEY?
    ssl_certificate /etc/nginx/tls/domainname.crt;
    ssl_certificate_key /etc/nginx/tls/domainname.key;
    ## PERFORMANCE OPTIONS
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    keepalive_timeout 60;
    ## PROTOCOL VERSIONS. "SSL" IS A MISNOMER HERE: WE WON'T BE USING SSL, ONLY TLSv1.
    ssl_protocols TLSv1;
    ## TLSv1 AND TLSv1.1
    # ssl_protocols TLSv1 TLSv1.1;
    ## TLSv1 AND TLSv1.1 AND TLSv1.2
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ## ALWAYS SAFER TO DEFINE AN ORDER - THINK CAREFULLY IF YOU DISABLE THIS.
    ssl_prefer_server_ciphers on;
    ## OUR SUPPORTED CIPHERS. GOOD FOR A QUALYS "A" RATING (100/95/80/90).
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    ## WANT A QUALYS "A" RATING (100/100/100/100)? BE SURE TO REMOVE/COMMENT THE LINE ABOVE, ENABLE TLSv1.2 ONLY AND BE MINDFUL THAT CLICKONCE/JNLP DEPLOYMENT MAY NOT WORK.
    # ssl_ciphers "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA";
    ## ENABLE IF YOU INTEND TO USE ELLIPTIC CURVE DHE
    # ssl_ecdh_curve secp521r1;
    ## OPTIONS
    ## ENABLE HSTS - CHROME & FIREFOX ONLY. ONCE ENABLED, ALL SUBSEQUENT REQUESTS WILL BE DIRECTED TO HTTPS.
    # add_header Strict-Transport-Security max-age=86400;
    location / {
        ## WHERE ARE WE PASSING OUR REQUEST TO?
        # IN THIS EXAMPLE, THE NATIVE SCREENCONNECT UI IS NO LONGER ACCESSIBLE DIRECTLY. ALL REQUESTS MUST COME THROUGH THE NGINX PROXY.
        # BE SURE TO SET THE SCREENCONNECT WEB.CONFIG FILE TO LISTEN ON 127.0.0.1:PORT.
        proxy_pass http://127.0.0.1:10050/;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_max_temp_file_size 0;
        client_max_body_size 50m;
        client_body_buffer_size 256k;
        proxy_connect_timeout 180;
        proxy_send_timeout 180;
        proxy_read_timeout 90;
        proxy_buffer_size 16k;
        proxy_buffers 4 64k;
        proxy_busy_buffers_size 128k;
        proxy_temp_file_write_size 128k;
    }
}
Step 7. Open your web.config file and alter the following line to read:
Code:
<add key="WebServerListenUri" value="http://127.0.0.1:10050/"></add>
Add the following line to ensure installers use the public URI rather than the internal address. [Credit to "weehooey" for spotting this omission.]
Code:
<add key="WebServerAddressableUri" value="https://domain.name/"></add>
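The server block above deliberately trades a perfect Qualys score for ClickOnce compatibility (TLSv1 only, RC4 in the cipher string, HSTS commented out), and the whole setup depends on the Step 7 loopback binding so that nobody can reach ScreenConnect around the proxy. The audit script below is an added example, not part of the original post: it parses a server block and the web.config line (both constructed samples based on the post's config) and reports those trade-offs so you can see exactly what you are running after later edits.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the post's server block, trimmed to the directives the audit inspects.
SAMPLE_NGINX = """server {
    ssl_protocols TLSv1;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+aRSA+AESGCM EECDH+aRSA+RC4 RC4 !aNULL !eNULL !MD5";
    # add_header Strict-Transport-Security max-age=86400;
    location / {
        proxy_pass http://127.0.0.1:10050/;
    }
}"""
# Constructed sample: the web.config line from Step 7.
SAMPLE_WEBCONFIG = '<add key="WebServerListenUri" value="http://127.0.0.1:10050/"></add>'

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
DIRECTIVE = re.compile(r"^\s*([a-z_]+)\s+(.*?)\s*;\s*$")

def parse_directives(text):
    """Map directive name -> value for active lines; '#' lines are skipped."""
    found = {}
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if m and not line.lstrip().startswith("#"):
            found[m.group(1)] = m.group(2).strip('"')
    return found

def audit_nginx(text):
    """List the TLS/proxy trade-offs in a server block, in a fixed order."""
    d = parse_directives(text)
    findings = []
    # Anything other than TLSv1.2/1.3 is reported; an unset directive means nginx's default applies.
    legacy = set(d.get("ssl_protocols", "<unset>").split()) - {"TLSv1.2", "TLSv1.3"}
    if legacy:
        findings.append("ssl_protocols not limited to TLSv1.2+: " + " ".join(sorted(legacy)))
    ciphers = d.get("ssl_ciphers", "")
    if re.search(r"(^|[\s:+])RC4\b", ciphers) and "!RC4" not in ciphers:
        findings.append("RC4 present in ssl_ciphers")
    if "Strict-Transport-Security" not in d.get("add_header", ""):
        findings.append("HSTS header not set")
    host = urlparse(d.get("proxy_pass", "")).hostname
    if host not in LOOPBACK:
        findings.append("proxy_pass does not target loopback: %r" % host)
    return findings

def audit_webconfig(text):
    """Confirm ScreenConnect itself only listens on loopback (Step 7)."""
    m = re.search(r'key="WebServerListenUri"\s+value="([^"]+)"', text)
    host = urlparse(m.group(1)).hostname if m else None
    return [] if host in LOOPBACK else ["ScreenConnect listens on %r, so the proxy can be bypassed" % host]
```

Run it against your real /etc/nginx/sites-enabled/domainname.conf and web.config after each change; an empty result from both functions means the hardened variant described in the config comments is in place and ScreenConnect is only reachable through Nginx.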
Step 8. When creating sessions, your agent/Host will be prompted to provide a URL to allow the guest to join. You may wish to change the "SessionHelpPanel.InstructionsGuestCodeFormat" value under SC Administration -> Appearance and replace both instances of {0} with your new address & port number. Standard hyperlink restrictions apply.
That's it. Restart ScreenConnect and Nginx ("service screenconnect restart" & "service nginx restart" respectively) and you're done.
Edited by user Saturday, October 18, 2014 5:20:44 PM (UTC)