Hey Guys,

I'm building a new Windows 2016 server to host onprem Screenconnect (so I can separate it from my Labtech Install).
(No other sites or apps will be hosted on this server)
I plan to use port 443 for both the listen and relay with the Router service.
I've installed Screenconnect and IIS. I've installed and bound an ssl cert on ports 443 and 8043.
I've added the required Router reg keys.
I've added the extra lines required in the webconfig file.
I've opened port 443 in the gateway firewall and mapped it to the server IP (temp disabled Windows firewall).
All services start correctly (including the new router service)

I can access the Screenconnect admin page internally (shows as using port 8043). But I can't access it externally at all.

I figure either I've got my firewall rules wrong or some of the lines in the webconfig file.
These are the lines I've added/changed in the webonfig file.

At the top:
<configSections>
<section name="screenconnect.routing" type="ScreenConnect.RoutingConfigurationHandler, ScreenConnect.Server" />
</configSections>
<screenconnect.routing>
<listenUris>
<listenUri>tcp://+:80/</listenUri>
<listenUri>tcp://+:443/</listenUri>
</listenUris>
<rules>
<rule schemeExpression="http" actionType="issueRedirect" actionData="https://$HOST/" />
<rule schemeExpression="ssl" actionType="forwardPayload" actionData="https://192.168.60.101:8043/" />
<rule schemeExpression="relay" actionType="forwardPayload" actionData="https://192.168.60.101:8041/" />
</rules>
</screenconnect.routing>

Weblisten section:
<add key="WebServerListenUri" value="https://+:8043/" />
<add key="WebServerAddressableUri" value="https://screenconnect.mydomain.com:443/RemoteSupport/" />
<add key="RelayListenUri" value="relay://+:8041/" />
<add key="RelayAddressableUri" value="relay://screenconnect.mydomain.com:443/" />


Any Ideas what I have gotten wrong? Should I be using 2x external and internal IP?

Any help would be graciously appreciated.

Kind regards
Aaron

Edited by user Tuesday, August 14, 2018 5:03:59 AM(UTC)  | Reason: Not specified

Hey shawnkhall,

Many thanks for your reply. Hmm, I rechecked the rules set in my firewall, this is what I have:

Inbound Allow Rule1: protocol_tpc> source_ip:any> source_port:80> destination_port:80> destination_ip:192.168.60.101(screenserver_ip)
Inbound Allow Rule2: protocol_tpc> source_ip:any> source_port:443> destination_port:443> destination_ip:192.168.60.101

Outbound Allow Rule1: protocol_tcp> source_ip:192.168.60.101> source_port:80> destination_port:80> destination_ip:any>
Outbound Allow Rule2: protocol_tcp> source_ip:192.168.60.101> source_port:443> destination_port:443> destination_ip:any>

I figure I just need tcp right? (udp not used?)

Ahh thank you, you're right! I ran a port open test and 80 and 443 and both were closed.

I've now corrected the rules and they show as open:
Inbound Allow Rule1: protocol_tpc> source_ip:any> source_port:Any> destination_port:80> destination_ip:192.168.60.101(screenserver_ip)
Inbound Allow Rule2: protocol_tpc> source_ip:any> source_port:Any> destination_port:443> destination_ip:192.168.60.101
Outbound Allow Rule1: protocol_tcp> source_ip:192.168.60.101> source_port:Any> destination_port:80> destination_ip:any>
Outbound Allow Rule2: protocol_tcp> source_ip:192.168.60.101> source_port:Any> destination_port:443> destination_ip:any>

Ok now were getting somewhere. Now when I try to visit externally I get a new error: 404 - File or directory not found.
This is the value I have for: WebServerAddressableUri" value="https://screenconnect.mydomain.com:443/RemoteSupport/
If I remove the :443 I get the same error. If I remove /RemoteSupport/ and just have https://screenconnect.mydomain.com or https://screenconnect.mydomain.com:443 , it just loads my server's IIS site.

It feels like the WebServerAddressableUri value I'm using isn't parsing the /RemoteSupport/ part of the url.

Do I need to add extra lines to the config so the Admin page can load? What do you think?