aconnor  
#1 Posted : Monday, January 7, 2019 4:49:58 AM(UTC)
Over the holidays I was in a hotel that was blocking port 8040, meaning I couldn't support people while soaking up the sun.

So I figured I could maybe update my install to use port 80-

I do understand that the transition isn't as simple as switching ports and profiting


But are there any downsides to this thinking?

SoCo_Systems  
#2 Posted : Monday, January 7, 2019 1:06:58 PM(UTC)
You should absolutely, positively, NOT do that.
If the hotel's firewall is able to block your connection on 8040, then you are trying to hit your control server directly. It also means that if it wasn't blocking, you would be sending your login credentials in the open, to an unencrypted website, over what is sure to be a hacked/monitored network. (You should always assume hotel wifi is compromised) Moving your server to port 80 is only going to increase the risk.

You would be FAR better off reconfiguring your server to use SSL. The default port (443) won't be blocked, and you won't be handing over your server credentials (and thus control of all of your computers) to hackers every time you log in.

You'll find info on how to set that up here: https://docs.connectwise...cate_on_a_Windows_server

If you can't/won't go that route, you should at least look at using a VPN before logging in. That too would get you around the hotel's firewall.
thanks 1 user thanked SoCo_Systems for this useful post.
aconnor on 1/11/2019(UTC)
aconnor  
#3 Posted : Tuesday, January 8, 2019 5:44:13 AM(UTC)
Thanks for the reply.

While I agree with what you've said there, it looks like you've answered a question that I didn't intend asking. Apologies if I wasn't clear.

I'll put it another way-

I currently run a few VMs at my office and port 80 and 443 are already used. If I made my Control instance cloud based, I could use those ports.

Is there any benefit or downsides to doing that?
One benefit might be that my clients staying in hotels where port 8040 is blocked can still get support from me...
SoCo_Systems  
#4 Posted : Tuesday, January 8, 2019 12:24:25 PM(UTC)
If 80 and 443 are already being used, you won't be able to just move SC to 80 and be done.

There are a few options.
1. You could enable the ScreenConnect "router" service. I *think* that will let you run your SC server and VMs on the same internet facing ports. Info on that here: http://controlforum.conn...red-Relay.aspx#post18410

2. You could put something like nginx in front of everything at the office, then use different domain names to direct traffic to either the SC server or your VMs. That would probably be the easiest option if you want to add an SSL. (and I still think you should)

3. Move your SC server to your own cloud instance. I've seen some people mention using AWS.

4. You could switch to the SC hosted version.
aconnor  
#5 Posted : Wednesday, January 9, 2019 12:20:08 AM(UTC)
I appreciate the reply once again, but I wasn't asking how to achieve these things.
I'm confident I can handle the technical work.

It's a matter of whether there are benefits to making the change-

i.e., if I made this change I could support clients who were staying at that hotel, but are there downsides to making that change?

I hope I've made it clear, and thanks again for your help.

Jordan  
#6 Posted : Thursday, January 10, 2019 5:18:01 PM(UTC)
I went through the process of using NGINX as a reverse proxy a while back so that I could use more "corporate friendly" ports: https://controlforum.con...ith-Apache-or-NGINX.aspx

I'm sure a few things have changed but the setup is still working well for us.
thanks 1 user thanked Jordan for this useful post.
aconnor on 1/11/2019(UTC)
aconnor  
#7 Posted : Friday, January 11, 2019 6:06:18 AM(UTC)
Thanks Jordan, I appreciate the reply.

I've had some contact with CW support overnight and their official stance seems to be that they aren't interested in this.
They say they provide scripts to achieve it, but it's outside the scope of support for the product.

Without wanting to sound like a whiner-

If you produce a product that sends admin credentials in plain text you should be ashamed of yourself.
If there is a solution to this you should integrate it into your product ASAP, or produce better scripts/instructions for self help.

I've already spent several hours on this and I'm not dumb. I'm also not going to implement the reverse proxy solution if it requires me to build nginx.

I have a couple of thousand $ invested in Control and generally I'm a big fan, but roll your own security is not acceptable.

/rant
SoCo_Systems  
#8 Posted : Friday, January 11, 2019 1:37:50 PM(UTC)
It isn't really "roll your own security", and the problem is not isolated to ScreenConnect. All web servers have the same issue; you need to encrypt the connection with an SSL, or risk the data being intercepted. (The ScreenConnect client/server connections themselves ARE encrypted, it is just your login portal that is not) And while ConnectWise support could probably do a better job of handholding through SSL transitions, there is a bit of an expectation that those hosting their own servers know how to secure those servers. Or that they are at least willing to do a little extra leg work to get there. Setting up nginx to play SSL proxy takes all of 5 minutes. See Jordan's link above.

Or you could switch to a hosted plan, and let ConnectWise take care of it for you.

But all of that is secondary to your original issue. If what you are wanting to do is move your SC server to port 80 to get around an 8040/8041 firewall block at the hotel, but you are already forwarding port 80 to a VM at the server site, you are going to have to do something more than just change the web port on the SC Server. SSL or not, you'll need something interpreting and splitting traffic on port 80. Which again, brings us to nginx. And since the hotel was blocking 8040, they are almost certainly blocking 8041 as well, so you'll also need to move the relay port. If you don't, your client computers won't connect when they are at that hotel, even if the user can log in to the website.
thanks 1 user thanked SoCo_Systems for this useful post.
Mike on 1/11/2019(UTC)
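
Added example, not part of any post in this thread and not ConnectWise's or Jordan's configuration: a sketch of the nginx arrangement suggested in posts #4 and #8, with TLS terminated in front of the Control login portal and hostnames used to split traffic between it and an existing VM site. The hostnames, certificate paths and VM address are hypothetical, and nginx is assumed to run on the same host as Control.

```nginx
# Added illustration; these blocks belong inside the http { } context.
# Hostnames, certificate paths and the VM address are hypothetical;
# 8040 is the Control web port named in the thread.

# Port 80: nothing is served in the clear, every request is sent to HTTPS.
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# Control login portal: TLS terminates here, the backend stays on loopback.
server {
    listen 443 ssl;
    server_name control.example.com;

    ssl_certificate     /etc/nginx/tls/control.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/control.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8040;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Existing VM site that already used 80/443, selected by its own hostname.
server {
    listen 443 ssl;
    server_name vm.example.com;

    ssl_certificate     /etc/nginx/tls/vm.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/vm.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://192.0.2.10:80;
        proxy_set_header Host $host;
    }
}

# The relay port (8041 in the thread) is a separate listener and is not
# handled by these HTTP server blocks; it has to be moved on its own.
# Keep 8040 closed at the perimeter so the plaintext portal is not reachable.
```

Running `nginx -t` checks the syntax before the configuration is reloaded.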
aconnor  
#9 Posted : Sunday, January 13, 2019 1:45:01 AM(UTC)
Cheers SoCo,
I don't think our attitudes are all that far apart- but if I were evaluating Control now it wouldn't get past the first hurdle because of the lack of security for logins. If I was selling it, this would be a high priority to fix.
When looking at Jordan's post about setting up a reverse proxy- it's 4 years old, not in step by step order, not officially supported and probably doesn't match current software.
Sounds like 'roll your own' to me but I guess that's semantics.

So I'm kind of stuck because I can't make the official instructions work- and they won't support it. And I'm not confident that I can implement the reverse proxy method from the info provided.

I appreciate your discussion of the ports- I guess the hotel example was really just the jumping off point. CW support have told me that moving to port 80/443 will gain better access to locked down networks, but I don't have a driving reason to do that right now. I'm more concerned about getting the SSL working, so it's somewhat connected. Apologies if it seems like I'm confused about the ports discussion, I'm not as confused as it may seem.

Perhaps I'll make this offer- if anyone is prepared to help I will write up the process and make it publicly available. There's been plenty of times when I've had to fix something myself and write it up, I'm just getting a bit sick of doing it for commercial products.
