hahnium  
#1 Posted : Thursday, November 17, 2011 6:29:20 AM(UTC)
Hey!

Have a question. I'm trying to redirect HTTP to HTTPS. Now my site uses HTTPS, and can only be accessed by HTTPS://screenconnect. I want my users to be able to access the site by using http, and then be redirected to https.

Is this doable by editing web.config?

Best regards

Hahnium
bigdessert  
#2 Posted : Thursday, November 17, 2011 8:50:08 AM(UTC)
It is doable to have the web.config use two ports for the web console, say 80 and 443, but it is not doable to redirect within web.config; this would have to be handled by IIS.

Now, in my opinion there is absolutely no reason to use https on the guest page. The only reason you would want https is to protect the host login page. So what I would do is use http for guest and direct your techs to use https.
Jake  
#3 Posted : Wednesday, November 23, 2011 2:02:50 PM(UTC)
You'll need to configure your site for HTTPS. Then add a new key to handle the requests coming in via normal HTTP:

Code:
		<add key="SmtpUseClient" value="false" />
		<add key="WebServerListenUri" value="https://+:443/" />
		<add key="WebServerAlternateListenUri" value="http://+:80/" />
		<add key="RelayListenUri" value="relay://0.0.0.0:8041/" />


Then add a subdirectory called "App_Code" under your ScreenConnect install, and put this file, HttpsRedirectModule.cs:

Code:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;

public class HttpsRedirectModule : IHttpModule
{
	public void Init(HttpApplication context)
	{
		context.BeginRequest += delegate
		{
			if (!context.Context.Request.IsSecureConnection)
			{
				var newUri = new UriBuilder(Uri.UriSchemeHttps, context.Request.Url.Host, -1, context.Request.Url.AbsolutePath, context.Request.Url.Query);
				context.Response.Redirect(newUri.ToString(), true);
			}
		};
	}

	public void Dispose()
	{
	}
}


Finally put an entry in your web.config to make this module active:

Code:

			<add name="CompressionModule" type="Elsinore.ScreenConnect.CompressionModule, Elsinore.ScreenConnect.Web" />
			<add name="HttpsRedirectModule" type="HttpsRedirectModule" />
		</httpModules>

File Attachment(s):
HttpsRedirectModule.cs (1kb) downloaded 330 time(s).
ScreenConnect Team
thanks 2 users thanked Jake for this useful post.
polley on 9/3/2013(UTC), dittobox on 9/4/2014(UTC)
bigdessert  
#4 Posted : Wednesday, November 23, 2011 4:21:55 PM(UTC)
Thanks Jake, good to know this can be done right in ScreenConnect
bigdessert  
#5 Posted : Thursday, January 26, 2012 11:11:51 AM(UTC)
Jake Morgan wrote:
You'll need to configure your site for HTTPS. Then add a new key to handle the requests coming in via normal HTTP:

Code:
		<add key="SmtpUseClient" value="false" />
		<add key="WebServerListenUri" value="https://+:443/" />
		<add key="WebServerAlternateListenUri" value="http://+:80/" />
		<add key="RelayListenUri" value="relay://0.0.0.0:8041/" />


Then add a subdirectory called "App_Code" under your ScreenConnect install, and put this file, HttpsRedirectModule.cs:

Code:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;

public class HttpsRedirectModule : IHttpModule
{
	public void Init(HttpApplication context)
	{
		context.BeginRequest += delegate
		{
			if (!context.Context.Request.IsSecureConnection)
			{
				var newUri = new UriBuilder(Uri.UriSchemeHttps, context.Request.Url.Host, -1, context.Request.Url.AbsolutePath, context.Request.Url.Query);
				context.Response.Redirect(newUri.ToString(), true);
			}
		};
	}

	public void Dispose()
	{
	}
}


Finally put an entry in your web.config to make this module active:

Code:

			<add name="CompressionModule" type="Elsinore.ScreenConnect.CompressionModule, Elsinore.ScreenConnect.Web" />
			<add name="HttpsRedirectModule" type="HttpsRedirectModule" />
		</httpModules>



Can this code be modified so that everything but the guest page gets forwarded to HTTPS/SSL? It would be nice to just encrypt the login and host data and leave the guest page on 80.
Jake  
#6 Posted : Thursday, January 26, 2012 11:53:49 AM(UTC)
This should be a bit more flexible:

Code:
using System;
using System.Web;
using System.Configuration;
using System.Text.RegularExpressions;

public class BaseUrlRedirectionModule : IHttpModule
{
	public void Init(HttpApplication application)
	{
		application.BeginRequest += delegate
		{
			var redirectFromBaseUrl = ConfigurationManager.AppSettings["RedirectFromBaseUrl"];

			if (!string.IsNullOrEmpty(redirectFromBaseUrl))
			{
				var pattern = '^' + Regex.Escape(redirectFromBaseUrl).Replace("\\*", ".*").Replace("\\?", ".");
				var oldUrl = application.Context.Request.Url.AbsoluteUri;
				var match = Regex.Match(oldUrl, pattern, RegexOptions.IgnoreCase);

				if (match.Success)
				{
					var newUrl = ConfigurationManager.AppSettings["RedirectToBaseUrl"] + oldUrl.Substring(match.Length);

					if (!string.Equals(newUrl, oldUrl, StringComparison.InvariantCultureIgnoreCase))
						application.Context.Response.Redirect(newUrl);
				}
			}
		};
	}

	public void Dispose() { }
}


So you define a base URL that you redirect _from_ ... this can contain wildcards. But it really should include enough of the trailing path to "match" correctly. Meaning "http://localhost*" is not good, but "http://local*/" is good. Notice the trailing slash. Without it we don't really know where the base URL ends.

Then you define a URL to redirect _to_. This doesn't contain wildcards. The portion that was "matched" from the redirect _from_ will be replaced by this value.

So for example these are the appSettings I added:

Code:
  <add key="RedirectFromBaseUrl" value="http://*/" />
  <add key="RedirectToBaseUrl" value="http://munich.elsitech.local:8040/" />


You could add something like this:

Code:
  <add key="RedirectFromBaseUrl" value="http://*/" />
  <add key="RedirectToBaseUrl" value="https://ssl.mysecuresite.com:8443/" />


And this can be applied per page. So rather than putting in your main <appSettings>, you can define a location in your web.config:

Code:
<configuration>
	<location path="Host.aspx">
		<appSettings>
			<add key="RedirectFromBaseUrl" value="http://*:8040/" />
			<add key="RedirectToBaseUrl" value="http://munich.elsitech.local:8040/" />
		</appSettings>
	</location>
	<system.web>
File Attachment(s):
BaseUrlRedirectionModule.cs (1kb) downloaded 962 time(s).
ScreenConnect Team
bigdessert  
#7 Posted : Thursday, January 26, 2012 12:17:08 PM(UTC)
With a bit of trial and error I have this working now.

I saved the first code as BaseUrlRedirectionModule.cs

Also still had to add

Code:
<add name="BaseUrlRedirectionModule" type="BaseUrlRedirectionModule" />


HiTech  
#8 Posted : Wednesday, April 18, 2012 3:11:23 AM(UTC)
This looks like something we are looking for. Basically, when one clicks on Login it redirects to https.
Does anyone know if the contents of this thread would work for that, and if it is still compatible with the latest release?
mikefg  
#9 Posted : Tuesday, September 17, 2013 7:34:15 PM(UTC)
Just to be clear, the line
Code:
<add name="BaseUrlRedirectionModule" type="BaseUrlRedirectionModule" />

goes inside the httpModules block, like so:
Code:
<httpModules>
...
<add name="BaseUrlRedirectionModule" type="BaseUrlRedirectionModule" />
</httpModules>




bigdessert wrote:
With a bit of trial and error I have this working now.

I saved the first code as BaseUrlRedirectionModule.cs

Also still had to add

Code:
<add name="BaseUrlRedirectionModule" type="BaseUrlRedirectionModule" />



Reid  
#10 Posted : Tuesday, January 21, 2014 7:07:24 PM(UTC)
There have been too many updates/changes spread across this topic so let's recap (verified for v4.1):

1. Configure your site for SSL.

2. Open your ScreenConnect web.config and go to the appSettings section and add a "WebServerAlternateListenUri" key.
Code:

<add key="SmtpUseClient" value="false" />
<add key="WebServerListenUri" value="https://+:443/" />
<add key="WebServerAlternateListenUri" value="http://+:80/" />
<add key="RelayListenUri" value="relay://0.0.0.0:8041/" />

3. Also in the web.config file, find the httpModules section and add the following:
Code:
<add name="BaseUrlRedirectionModule" type="BaseUrlRedirectionModule" />

4. Create a subdirectory of your ScreenConnect folder called "App_Code" and create a new text file in there, naming it HttpsRedirectModule.cs. Open that file in Notepad and paste in the following and save it:
Code:
using System;
using System.Web;
using System.Configuration;
using System.Text.RegularExpressions;

public class BaseUrlRedirectionModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        application.BeginRequest += delegate
        {
            var redirectFromBaseUrl = ConfigurationManager.AppSettings["RedirectFromBaseUrl"];

            if (!string.IsNullOrEmpty(redirectFromBaseUrl))
            {
                var pattern = '^' + Regex.Escape(redirectFromBaseUrl).Replace("\\*", ".*").Replace("\\?", ".");
                var oldUrl = application.Context.Request.Url.AbsoluteUri;
                var match = Regex.Match(oldUrl, pattern, RegexOptions.IgnoreCase);

                if (match.Success)
                {
                    var newUrl = ConfigurationManager.AppSettings["RedirectToBaseUrl"] + oldUrl.Substring(match.Length);

                    if (!string.Equals(newUrl, oldUrl, StringComparison.InvariantCultureIgnoreCase))
                        application.Context.Response.Redirect(newUrl);
                }
            }
        };
    }

    public void Dispose() { }
}

5. Finally, back in the web.config appSettings, add the following, modifying the values to suit your environment*:
Code:

<add key="RedirectFromBaseUrl" value="http://*/" />
<add key="RedirectToBaseUrl" value="http://munich.elsitech.local:8040/" />


* You define a base URL that you redirect _from_ ... this can contain wildcards. But it really should include enough of the trailing path to "match" correctly. Meaning "http://localhost*" is not good, but "http://local*/" is good. Notice the trailing slash. Without it we don't really know where the base URL ends. Then you define a URL to redirect _to_. This doesn't contain wildcards. The portion that was "matched" from the redirect _from_ will be replaced by this value.

And that should be it.

Now, if you want to get fancy, read on.

Quoting Jake:

You could add something like this:
Code:

<add key="RedirectFromBaseUrl" value="http://*/" />
<add key="RedirectToBaseUrl" value="https://ssl.mysecuresite.com:8443/" />



And this can be applied per page. So rather than putting in your main <appSettings>, you can define a location in your web.config:
Code:

<configuration>
    <location path="Host.aspx">
        <appSettings>
            <add key="RedirectFromBaseUrl" value="http://*:8040/" />
            <add key="RedirectToBaseUrl" value="http://munich.elsitech.local:8040/" />
        </appSettings>
    </location>
    <system.web>

ScreenConnect Team
thanks 2 users thanked Reid for this useful post.
cdandrea on 11/6/2014(UTC), gb5102 on 12/16/2014(UTC)
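
The wildcard mapping explained in post #6 and repeated in the recap above, as an added console example (not code from the thread's authors or from ScreenConnect). It runs the module's pattern translation over constructed request URLs: because `*` becomes a greedy `.*`, the match runs to the last `/` in the URL, so nested paths lose their directories and a value without the trailing slash swallows the whole URL. `ToSegmentPattern`, the host `support.example.test` and the sample paths are assumptions added for comparison.

```csharp
using System;
using System.Text.RegularExpressions;

public static class BaseUrlRedirectDemo
{
    // Same translation as BaseUrlRedirectionModule: escape the setting, anchor it
    // at the start, then turn the escaped wildcards back into regex wildcards.
    public static string ToPattern(string redirectFromBaseUrl)
    {
        return "^" + Regex.Escape(redirectFromBaseUrl)
            .Replace("\\*", ".*")
            .Replace("\\?", ".");
    }

    // Variant added for comparison (an assumption, not the posted module):
    // a wildcard may not cross a '/', so a value ending in '/' always matches
    // up to the first slash after the host and port, whatever follows it.
    public static string ToSegmentPattern(string redirectFromBaseUrl)
    {
        return "^" + Regex.Escape(redirectFromBaseUrl)
            .Replace("\\*", "[^/]*")
            .Replace("\\?", "[^/]");
    }

    // Returns the redirect target, or null where the module would not redirect.
    public static string Map(string pattern, string toBaseUrl, string oldUrl)
    {
        var match = Regex.Match(oldUrl, pattern, RegexOptions.IgnoreCase);
        if (!match.Success)
            return null;

        // The matched prefix is replaced by RedirectToBaseUrl; the rest is kept.
        var newUrl = toBaseUrl + oldUrl.Substring(match.Length);
        return string.Equals(newUrl, oldUrl, StringComparison.InvariantCultureIgnoreCase)
            ? null
            : newUrl;
    }

    public static void Main()
    {
        // RedirectToBaseUrl value from the thread.
        const string toBaseUrl = "https://ssl.mysecuresite.com:8443/";

        // RedirectFromBaseUrl values discussed in the thread.
        string[] fromBaseUrls = { "http://*/", "http://local*/", "http://localhost*", "http://*:8040/" };

        // Constructed request URLs (hypothetical host name and paths).
        string[] requests =
        {
            "http://support.example.test/Host.aspx",
            "http://localhost/Host.aspx",
            "http://support.example.test:8040/Host.aspx",
            "http://support.example.test/Images/logo.png",
            "https://ssl.mysecuresite.com:8443/Host.aspx",
        };

        foreach (var from in fromBaseUrls)
        {
            Console.WriteLine("RedirectFromBaseUrl = {0}", from);
            foreach (var url in requests)
            {
                var posted = Map(ToPattern(from), toBaseUrl, url);
                var variant = Map(ToSegmentPattern(from), toBaseUrl, url);
                Console.WriteLine("  {0}", url);
                Console.WriteLine("    posted  -> {0}", posted ?? "(no redirect)");
                Console.WriteLine("    variant -> {0}", variant ?? "(no redirect)");
            }
        }
    }
}
```

Running candidate settings through `Map` before putting them in web.config shows which requests each value rewrites and what is left of the path afterwards.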
engtech  
#11 Posted : Sunday, April 20, 2014 4:11:57 PM(UTC)
Thanks for the updates ... The page-specific redirect (via location tag) doesn't seem to work as expected. (I'm using 4.2.6403.5198 ... never tried it before now, so can't say I had it working on 4.1 as you indicate it was verified for).

I would like HTTPS to be optional for my customers (since a broken/infected computer may not be able to connect via SSL), but I want HTTPS to be forced (re-directed) for techs.

It works fine when I globally redirect everything to HTTPS by adding the following to web.config AppSettings

<add key="RedirectFromBaseUrl" value="http://*/" />
<add key="RedirectToBaseUrl" value="https://myservername.com:443/" />

But it won't work when I try the page-specific option, by adding the following to web.config (right at the top of the file, immediately below 'configuration' as your example seems to indicate)
<location path="Host.aspx">
<appSettings>
<add key="RedirectFromBaseUrl" value="http://*:80/" />
<add key="RedirectToBaseUrl" value="https://myservername.com:443/" />
</appSettings>
</location>

When I say it doesn't work, I mean it doesn't redirect to HTTPS. So the pages still load ok, the screen connect web service restarts just fine, no errors or anything ... it simply doesn't redirect the host.aspx page from HTTP to HTTPS.

Any thoughts?

Thanks,
Marc
John  
#12 Posted : Thursday, April 24, 2014 2:59:52 PM(UTC)
Marc, I can understand how it's a bit tough to figure it out. Basically, do this:

1. Create App_Code directory inside your SC directory.
2. Download baseUrlRedirectionModule.cs like Jake has it in post #6 of this thread (quick link here: http://forum.screenconne...t-to-HTTPS.aspx#post3113) -- AND put it in that new directory.

3. Add this to web.config in the <httpModules> section: <add name="BaseUrlRedirectionModule" type="BaseUrlRedirectionModule" />

4. As you did before, put the bit of code you have at the top of the web.config file. For example:

<location path="Host.aspx">
<appSettings>
<add key="RedirectFromBaseUrl" value="http://*:8040/" />
<add key="RedirectToBaseUrl" value="http://blah.elsitech.blah:8040/" />
</appSettings>
</location>



Let the services restart (5 seconds or so) and try again. Your Host page should auto redirect to blah.elsitech.blah or whatever else you put in there.

Let me know if this worked.
XiteHosting  
#13 Posted : Thursday, April 24, 2014 10:12:22 PM(UTC)
Hi,

I was wondering, and maybe this is technically not possible.

But since the relay service is coded by you guys, and only connected from within your service,
would it be possible to detect when an HTTP call is being made on the port instead of the client connecting?

This would allow us to run the relay on Port 80 (which should be able to pass outgoing firewalls). But when a web browser connects on this port, the relay should reply with an http redirect to a configurable address. (Probably on port 443).

Like I said, no idea whether this is even remotely possible. But since a browser is requesting "GET /" to an ip address with port (and some headers), this seems doable (at least in my non programming head).

regards,
Stijn
John  
#14 Posted : Friday, April 25, 2014 1:06:19 PM(UTC)
I will forward this request to the dev team... I don't think it's currently possible.
mmcnetsupport  
#15 Posted : Wednesday, April 30, 2014 8:51:22 PM(UTC)
We are running Sc version 4.3.6507.5226 and I cannot for the life of me get redirection to work. I have tried global redirect and redirect only for the Host.aspx page. Nothing works. Site is only available via HTTPS. Does there need to be any changes to this for the 4.3.x versions?



EDIT:::: I finally got this to work. Disregard call for help...

John  
#16 Posted : Friday, May 23, 2014 3:44:18 PM(UTC)
MMC, in case someone else experiences the snag you ran into, would you mind letting us know what went wrong and what needed to be done to adjust it?
MyKE  
#17 Posted : Thursday, May 29, 2014 9:29:37 AM(UTC)
Originally Posted by: mmcnetsupport
We are running Sc version 4.3.6507.5226 and I cannot for the life of me get redirection to work. I have tried global redirect and redirect only for the Host.aspx page. Nothing works. Site is only available via HTTPS. Does there need to be any changes to this for the 4.3.x versions?



EDIT:::: I finally got this to work. Disregard call for help...


I've had the same problem. Now I solved it. The problem was with the firewall: ScreenConnect doesn't add an exception for WebServerAlternateListenUri, so you must add it manually.

PS: Reid's recap has a mistake: don't create HttpsRedirectModule.cs but BaseUrlRedirectionModule.cs
thanks 1 user thanked MyKE for this useful post.
John on 5/29/2014(UTC)
mmcnetsupport  
#18 Posted : Thursday, May 29, 2014 1:22:47 PM(UTC)
Here is my current setup that works for us.

First things first, set up SSL in ScreenConnect per the instructions that can be found in the forums. Also add all port numbers to the local firewall on your server and to the main firewall for your company (if you have one).

As stated before, use the BaseUrlRedirectionModule.cs under your App_Code folder in the ScreenConnect directory. This folder may have to be created. Below are the contents of that .cs file:

Code:

using System;
using System.Web;
using System.Configuration;
using System.Text.RegularExpressions;
 
public class BaseUrlRedirectionModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        application.BeginRequest += delegate
        {
            var redirectFromBaseUrl = ConfigurationManager.AppSettings["RedirectFromBaseUrl"];
 
            if (!string.IsNullOrEmpty(redirectFromBaseUrl))
            {
                var pattern = '^' + Regex.Escape(redirectFromBaseUrl).Replace("\\*", ".*").Replace("\\?", ".");
                var oldUrl = application.Context.Request.Url.AbsoluteUri;
                var match = Regex.Match(oldUrl, pattern, RegexOptions.IgnoreCase);
 
                if (match.Success)
                {
                    var newUrl = ConfigurationManager.AppSettings["RedirectToBaseUrl"] + oldUrl.Substring(match.Length);
 
                    if (!string.Equals(newUrl, oldUrl, StringComparison.InvariantCultureIgnoreCase))
                        application.Context.Response.Redirect(newUrl);
                }
            }
        };
    }
 
    public void Dispose() { }
}


After creating the folder and placing the file inside, open the web.config file and add an entry to the httpModules section like below:

Code:
  
<add name="BaseUrlRedirectionModule" type="BaseUrlRedirectionModule" />
  </httpModules>


Next, drop further down in the web.config file under the appSettings section and make sure you have the below entries:

Code:

  <add key="WebServerListenUri" value="https://+:443/" />
  <add key="WebServerAlternateListenUri" value="http://+:80/" />
  <add key="RelayListenUri" value="relay://0.0.0.0:8041/" />


I have ScreenConnect set up to only redirect the Host page for technicians. Below is the top of my web.config file that specifies to only redirect that page:

Code:

<configuration>
 <location path="Host.aspx">
<appSettings>
<add key="RedirectFromBaseUrl" value="http://*/" />
<add key="RedirectToBaseUrl" value="https://my.company.com:443/" />
</appSettings>
</location>


I believe this is everything I have to do to get it working.

thanks 1 user thanked mmcnetsupport for this useful post.
dittobox on 9/4/2014(UTC)
TUrben  
#19 Posted : Thursday, May 29, 2014 4:42:28 PM(UTC)
Is this possible with versions older than 4.1?
John  
#20 Posted : Thursday, May 29, 2014 8:55:06 PM(UTC)
It should work at least from 3.x on if not earlier
dittobox  
#21 Posted : Thursday, September 4, 2014 4:45:13 PM(UTC)
Originally Posted by: mmcnetsupport
Here is my current setup that works for us...

...

I believe this is everything I have to do to get it working.


This worked great on 4.4 if anyone is interested. For reference I'm running SC with Ubuntu 14.04 on a Digital Ocean VPS (the basic $5/mo plan is more than enough for ScreenConnect so I set up a VPN for myself as well), with a GeoTrust RapidSSL certificate.
kilrathi  
#22 Posted : Monday, September 15, 2014 11:48:39 PM(UTC)
I am trying to redirect all port 80 requests to 8040 ssl. I've followed the instructions in this post exactly. When I try to start screenconnect it times out when "Waiting on signal that services have started...". If I remove all the settings listed on this post my screenconnect server runs fine on the ssl port (8040). I verified both ports 80 and 8040 are indeed open in my firewall settings. I've re-read this thread several times and it seems to describe exactly what I'm looking to do. Is there something I'm missing?

I am looking to redirect anyone who tries to use port 80 to 8040 ssl on my screenconnect server. If anyone has another suggestion I would be most grateful. I am running Ubuntu 12LTS, and ScreenConnect 4.3.




Added entries to web.config look like this:

<add key="RelayAddressableUri" value="relay://my.example.com:443/">
</add>
<add key="WebServerAlternateListenUri" value="http://+:80/" />
<add key="RedirectFromBaseUrl" value="http://*:80/" />
<add key="RedirectToBaseUrl" value="https://my.example.com:8040/" />
</add>
</add>


<add name="MonoRewriteModule" type="Elsinore.ScreenConnect.MonoRewriteModule, Elsinore.ScreenConnect.MonoServer" />
<add name="BaseUrlRedirectionModule" type="BaseUrlRedirectionModule" />
</httpModules>



**Domain names changed for security purposes


I created the HttpsRedirectModule.cs file in the App_Code directory as instructed.



MyKE  
#23 Posted : Tuesday, September 16, 2014 10:20:14 AM(UTC)
Hi,

Today I've published an article about enabling SSL and redirection from http to https. I hope it helps somebody. It's on the Windows Server platform, so administrators must make small changes if they use Mono on Linux. Here is the whole tutorial: ScreenConnect – enable SSL with pernament redirection to HTTPS

MyKE
thanks 2 users thanked MyKE for this useful post.
dittobox on 9/18/2014(UTC), gb5102 on 12/16/2014(UTC)
dittobox  
#24 Posted : Thursday, September 18, 2014 4:38:56 PM(UTC)
Originally Posted by: MyKE
Hi,

Today I've published an article about enabling SSL and redirection from http to https. I hope it helps somebody. It's on the Windows Server platform, so administrators must make small changes if they use Mono on Linux. Here is the whole tutorial: ScreenConnect – enable SSL with pernament redirection to HTTPS

MyKE


Excellent article, thanks for sharing!

Has anyone tried upgrading to 5 yet? Does this process break the SSL setup or the forwarding, or does it continue to work after installation?
MyKE  
#25 Posted : Thursday, September 18, 2014 7:24:04 PM(UTC)
Originally Posted by: dittobox
Excellent article, thanks for sharing!

Has anyone tried upgrading to 5 yet? Does this process break the SSL setup or the forwarding, or does it continue to work after installation?

Thank you. I haven't tried it. I recommend waiting for the RC version, as the pre-release is under rapid development and a lot of changes are made in each build. But I'll try it in our testing environment when I get some free time.
thanks 1 user thanked MyKE for this useful post.
dittobox on 9/19/2014(UTC)
FreeLunch  
#26 Posted : Sunday, November 2, 2014 7:50:49 PM(UTC)
I installed v5. Has anyone been able to get the https redirect working on v5? I am using a Windows 2012 server and have the SSL certificate installed. However, I have tried the above redirection tips several times but it doesn't seem to work.

Thanks...
MyKE  
#27 Posted : Monday, November 3, 2014 2:46:16 PM(UTC)
Originally Posted by: FreeLunch
I installed v5. Has anyone been able to get the https redirect working on v5? I am using a Windows 2012 server and have the SSL certificate installed. However, I have tried the above redirection tips several times but it doesn't seem to work.

Thanks...


I've tried upgrading ScreenConnect 4.4 with SSL enabled to version 5.0 and everything works fine; SSL also works without intervention.
Can you paste here the output from CMD: netsh http show sslcert ? You can mask your thumbprint if you want...
FreeLunch  
#28 Posted : Tuesday, November 4, 2014 3:49:49 AM(UTC)
MyKE, here is the output below. After thinking about it a little more, I decided that I'm going to leave the website on 443 and the relay on 80. I didn't want to have to deal with firewall issues. In addition, since I'm using Amazon's free tier server, I don't believe I can get an extra public IP (perhaps I'm wrong on that). My solution was to use another webpage with an embedded iframe. Therefore, you can have a user go to an http address vs explaining https and they are good to go.


SSL Certificate bindings:
-------------------------


IP:port : 0.0.0.0:443
Certificate Hash : e2 *
Application ID : {00000000-0000-0000-0000-000000000000}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled

DaveD  
#29 Posted : Tuesday, November 4, 2014 8:56:47 PM(UTC)
When using redirect do I need to have the web server listening on port 80 to redirect the traffic to port 443 so it uses the secure connection or can I use port 8040 and then redirect those requests?

I recently changed our ScreenConnect server to use an SSL cert and bound it to port 443. When we try to connect using support.1234.com it won’t connect unless you add the Https:\\ to the URL.
I want to set it up to redirect to the Https port so clients don’t have to enter the complete URL when they connect. Currently I have the relay on 80.

Here are the three lines from my web.config showing the current port configuration.

<add key="WebServerListenUri" value="https://remote.1234.com:443/" />
<add key="RelayListenUri" value="relay://+:80/" />
<add key="RelayAddressableUri" value="relay://remote.1234.com:80/" />

When I changed over to using port 443 I had to do a reinstall for all my clients because it was listening on a different port before using SSL. Below are the original lines from the web.config.

<add key="WebServerListenUri" value="http://+:8040/" />
<add key="RelayListenUri" value="relay://+:8041/" />

If I can use port 8040 for the redirect I think my web.config would look something like this as well as adding the code to call the Redirect Module at the end of the file.

<add key="SmtpUseClient" value="false" />
<add key="WebServerListenUri" value="https://remote.1234.com:443/" />
<add key="WebServerAlternateListenUri" value="http://+:8040/" />
<add key="RelayListenUri" value="relay://+:80/" />
<add key="RelayAddressableUri" value="relay://remote.1234.com:80/" />

Thanks for any help on this.
jordantiss  
#30 Posted : Thursday, January 8, 2015 7:58:53 PM(UTC)
It's good to see that this thread has taken a turn toward redirecting all traffic to HTTPS. At the start of this thread (about three years ago) it was a common assumption that there was no benefit to encrypting the Guest page. In 2010, Firesheep taught us that this is a naive presumption.

Encrypting the login page will ensure that the user name and password will be sent securely. However, it's more complicated than that. When a user logs into their ScreenConnect account, the server responds with an ASPXAUTH cookie that stays on the user's computer for one year (or until they clear their cookies). That ASPXAUTH cookie is sent back to the server on every subsequent request, and it authenticates the user so they don't have to reenter their user name and password every time they return to the site. Firesheep demonstrated that these types of cookies could be hijacked when sent or received over unsecured connections, for example HTTP connections over open Wi-Fi networks, allowing the hijacker to impersonate the cookie owner. Granted, this does not allow the hijacker to collect the password of the user, but it does allow them to, in many ways, act as if they had. In the case of ScreenConnect, the hijacker could manage and modify sessions, build installers, manage session groups, etc., but they couldn't change a user's password without knowing the current one.

Of course, none of this is a problem when all traffic is performed over HTTPS, but if a user makes an HTTP request to that domain, the browser will send the ASPXAUTH cookie in plain text. Consider the following scenario:
  1. A user goes to their ScreenConnect site for the first time on a laptop, and clicks the Login link.
  2. They're redirected to the HTTPS URL of the Login page, and they log in.
  3. The server's response includes the ASPXAUTH cookie, and the browser stores the cookie for one year.
  4. The user takes his laptop to a location with an open Wi-Fi connection like a coffee shop or airport.
  5. They use their browser bookmark that takes them to the HTTP home page of their ScreenConnect site.
  6. At this point, they have broadcast their ASPXAUTH cookie to every other user on the open Wi-Fi connection, one of whom may be running a malicious process to capture unsecured credentials and session information.
To make matters worse, even if the Login page is set up to redirect to its HTTPS URL, if the user accesses that Login page over HTTP first, it's already too late. The browser has already sent the ASPXAUTH cookie before the redirection. The damage is done.


Thankfully, the internet community has developed a standard to thwart this threat, and most browsers already include support. It's called HTTP Strict Transport Security (HSTS), and it instructs browsers to immediately redirect certain domains to HTTPS before they ever send a request.

ScreenConnect does not natively support HSTS yet, but you can add support yourself. I wrote a guide in the Feature Request thread for HSTS support.
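The bookmark scenario in the post above, modelled as an added example (not code from the thread or from ScreenConnect): a small browser model that decides, before anything is sent, whether the stored cookie goes out over plain HTTP. The host name, cookie value and the `Secure` cookie attribute are assumptions of this example; the HSTS handling follows RFC 6797.

```python
from urllib.parse import urlsplit, urlunsplit

HOST = "support.example.test"  # constructed placeholder host


def parse_hsts(value):
    """Parse a Strict-Transport-Security value -> (max_age, include_subdomains) or None."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None          # malformed max-age: ignore the whole header
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class Browser:
    """Minimal model of a browser's cookie jar and HSTS store (not a real client)."""

    def __init__(self):
        self.cookies = {}  # host -> [(name, secure_flag)]
        self.hsts = {}     # host -> (expires_at, include_subdomains)

    def receive(self, url, headers, now):
        """Record Set-Cookie and HSTS headers from a response to `url`."""
        parts = urlsplit(url)
        for name, value in headers:
            if name.lower() == "set-cookie":
                pair, *attrs = [p.strip() for p in value.split(";")]
                secure = any(a.lower() == "secure" for a in attrs)
                self.cookies.setdefault(parts.hostname, []).append(
                    (pair.partition("=")[0], secure))
            elif name.lower() == "strict-transport-security":
                # RFC 6797: a policy delivered over plain HTTP must be ignored.
                policy = parse_hsts(value) if parts.scheme == "https" else None
                if policy:
                    self.hsts[parts.hostname] = (now + policy[0], policy[1])

    def hsts_applies(self, host, now):
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hsts.get(".".join(labels[i:]))
            # A parent domain's policy counts only with includeSubDomains.
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def request(self, url, now):
        """Return (url actually requested, cookie names sent, leaked_in_cleartext)."""
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme == "http" and self.hsts_applies(host, now):
            # The upgrade happens inside the browser, before any packet is sent.
            netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
            parts = parts._replace(scheme="https", netloc=netloc)
        encrypted = parts.scheme == "https"
        sent = [n for n, secure in self.cookies.get(host, []) if encrypted or not secure]
        return urlunsplit(parts), sent, bool(sent) and not encrypted


def bookmark_visit(login_headers):
    """Log in over HTTPS, then open the plain-HTTP bookmark an hour later."""
    browser = Browser()
    browser.receive(f"https://{HOST}/Login.aspx", login_headers, now=0)
    return browser.request(f"http://{HOST}/", now=3600)


# Constructed response headers for the three cases.
COOKIE = ("Set-Cookie", ".ASPXAUTH=CONSTRUCTED; path=/; HttpOnly")
PLAIN = [COOKIE]
SECURE = [("Set-Cookie", COOKIE[1] + "; Secure")]
HSTS = [COOKIE, ("Strict-Transport-Security", "max-age=15552000")]  # 180 days

if __name__ == "__main__":
    for label, headers in (("plain", PLAIN), ("secure", SECURE), ("hsts", HSTS)):
        print(label, bookmark_visit(headers))
```

Only the `PLAIN` case sends the cookie in cleartext; a server-side redirect would arrive after that request has already left the browser.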
bschneider94  
#31 Posted : Wednesday, January 14, 2015 3:38:22 PM(UTC)
bschneider94


Rank: Newbie

Joined: 1/14/2015(UTC)
Posts: 1
United Kingdom
Location: Harpenden

Hi Everyone,

I have got someone from ScreenConnect to configure my re-direction which works internally but not externally, can anyone help?

Thanks

Ben
peterh22  
#32 Posted : Wednesday, January 14, 2015 4:05:16 PM(UTC)
peterh22


Rank: Newbie

Joined: 3/16/2014(UTC)
Posts: 7
United States

Thanks: 1 times
I would verify the firewall rules. We implemented the same redirect. IT had allowed the appropriate ports through the corporate firewall, but the ports were not allowed through for the Windows Firewall on the server itself. Sorry, shouldn't assume you've installed ScreenConnect to a Windows machine, but for us, I need to be sure the ports were allowed on the inbound rules for the web server and relay.
gregfischer  
#33 Posted : Friday, January 30, 2015 7:09:28 AM(UTC)
gregfischer


Rank: Newbie

Joined: 1/29/2015(UTC)
Posts: 5
United States
Location: Nine Mile Falls, WA

NAT Reflection issue maybe?
We just moved from Digital Ocean on Ubuntu 14.04 where we had set up the HTTP to HTTPS redirection, which worked perfectly. Then once moved to EC2 with Windows 2012, the VM is behind a firewall (likely with 1:1 NAT I suspect) and now none of the above solutions work for redirection. I don't get why, if it's a redirect, the server even cares about the return path into port 443. Because, if I am not mistaken, an HTTP redirect header would simply tell the browser to "go elsewhere". I haven't looked into the TCP conversation, so, don't really know, just a hunch that the return trip breaks if firewall doesn't handle it on some NATs.

When I was testing, I noticed if I used the server's browser open to "localhost", it would redirect correctly into the HTTPS connection at the correct URL even. The local server IP is internal on the EC2 network, not the public IP where the URL points. However, using a public URL at the public IP, redirection fails. And it does this on the server itself too.

gregfischer  
#34 Posted : Friday, January 30, 2015 8:30:51 AM(UTC)
gregfischer


Rank: Newbie

Joined: 1/29/2015(UTC)
Posts: 5
United States
Location: Nine Mile Falls, WA

Never mind the NAT reflection thoughts, that seems to be fine. From the EC2 server browser, if I disable all the additional config and leave only port 80 listening, Firebug will show responses correctly to the public IP and port 80. Same if I switch it to HTTPS and 443, works correctly. So I know ports are working either way, directly, both on server and externally. However, if I leave out any of the BaseUrlRedirectionModule, but do leave the WebServerAlternateListenUri, port 80 will not work externally. Only opening localhost:80 or localhost:443 will work on the server, no external. Something is odd. I am not sure how WebServerAlternateListenUri is intended to work, I am just assuming it would make the web service listen on the alternate port, even if through firewalls.
benstein  
#35 Posted : Monday, April 20, 2015 3:33:39 PM(UTC)
benstein


Rank: Newbie

Joined: 3/29/2015(UTC)
Posts: 8
United States
Location: Brooklyn, NY

Thanks: 1 times
I have carefully followed the instructions posted on this forum and I'm still having issues. On some computers it seems to be forwarding correctly, while on others I have to go to my site and manually enter HTTPS://.... only after going to my site the first time it will forward correctly.
FYI I am using GoDaddy to forward my subdomain, to the IP address of my Windows 2012 R2 server

Update: my ISP blocked out port 80 by default, it's all resolved now.

Edited by user Wednesday, June 17, 2015 7:12:23 PM(UTC)  | Reason: Not specified

cbrownjsc  
#36 Posted : Monday, August 17, 2015 8:20:02 PM(UTC)
cbrownjsc


Rank: Newbie

Joined: 8/17/2015(UTC)
Posts: 2
United States
Location: midwest

Hopefully this isn't a necro post, but I have followed these guides...and for some reason when trying to go to http://fqdn of screen connect server I get a "this page requires authentication popup" and the page does not redirect.

My SSL, I believe, is set up properly because going to https://fqdn works just fine.

The redirector appears to be trying to do something...as if I remove all changes back to stock and go to http://fqdn the page displays properly.

Any ideas? I am on the current stable version ScreenConnect_5.3.9074.5646
Mike  
#37 Posted : Tuesday, August 18, 2015 4:21:46 PM(UTC)
Mike


Rank: Administration

Medals: Level 3: Shirt off your back! Received 25 Thanks!

Joined: 5/30/2012(UTC)
Posts: 468
Location: Raleigh, NC

Thanks: 52 times
Was thanked: 74 time(s) in 60 post(s)
Did you confirm that no other application or device is using port 80?
ScreenConnect Team
cbrownjsc  
#38 Posted : Thursday, August 20, 2015 10:26:05 PM(UTC)
cbrownjsc


Rank: Newbie

Joined: 8/17/2015(UTC)
Posts: 2
United States
Location: midwest

Yes, I used TCPView to show the ports being used, it looks like maybe Windows 2012 R2 is using it internally... I looked at some guides to solve that, but it looked like more trouble than it was worth, so I just created a subdomain on one of our many domain names to forward to the https://sitename and then we will have clients use that instead of reminding them to put an s in after the http lol.
jonc  
#39 Posted : Tuesday, November 17, 2015 9:27:37 PM(UTC)
jonc


Rank: Member

Joined: 7/2/2013(UTC)
Posts: 26
Location: Planet Earth

Thanks: 1 times
This is an old thread, is the solution for HTTPS redirection still valid for the 5.4 code base? What happens when SC is upgraded, are these changes lost?
This really ought to be an official option available under Admin.
benstein  
#40 Posted : Tuesday, November 17, 2015 9:42:29 PM(UTC)
benstein


Rank: Newbie

Joined: 3/29/2015(UTC)
Posts: 8
United States
Location: Brooklyn, NY

Thanks: 1 times
Yes, has been working for me since 5.2
cbrasga  
#41 Posted : Friday, November 20, 2015 4:58:29 PM(UTC)
cbrasga


Rank: Advanced Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 2/28/2014(UTC)
Posts: 38
United States

Thanks: 4 times
Was thanked: 8 time(s) in 5 post(s)
Can someone put the instructions for HTTP to HTTPS Redirect on the ScreenConnect Help site, so we know what the supported and up-to-date procedure is?

Also, since HTTP to HTTPS redirection is a feature that's pretty standard with most secure software and websites, it should be a simple checkbox in the Admin section rather than having to edit config files. Please look at incorporating into a future version.

Edited by user Friday, November 20, 2015 5:00:16 PM(UTC)  | Reason: Not specified

kingbear2  
#42 Posted : Sunday, November 22, 2015 4:19:52 AM(UTC)
kingbear2


Rank: Newbie

Joined: 11/22/2015(UTC)
Posts: 3
Location: Chicago, IL

Was thanked: 1 time(s) in 1 post(s)
Originally Posted by: mmcnetsupport

I have ScreenConnect setup to only redirect the Host page for technicians. Below is the top of my web.config file that specifies to only redirect that page:

Code:

<configuration>
 <location path="Host.aspx">
<appSettings>
<add key="RedirectFromBaseUrl" value="http://*/" />
<add key="RedirectToBaseUrl" value="https://my.company.com:443/" />
</appSettings>
</location>


I believe this is everything I have to do to get it working.


Why would you only redirect the host page? The whole point (in my opinion) is that you want the credentials passed at the login screen to be secure so they don't go over HTTP. I set up my SC install similar to what you wrote above, but then the login screen is still not secure. I understand why you would not want guests to have to be SSL, but I don't see an alternative to getting the login screen HTTPS unless you do every page SSL. Can you comment and clarify?

Thanks
kingbear2  
#43 Posted : Sunday, November 22, 2015 6:31:43 AM(UTC)
kingbear2


Rank: Newbie

Joined: 11/22/2015(UTC)
Posts: 3
Location: Chicago, IL

Was thanked: 1 time(s) in 1 post(s)
I put together a simple (probably superfluous) PowerShell command to do everything listed here: http://www.sabrnet.cz/20...nt-redirection-to-https/

You can save this code snippet as a .ps1 file, then open PowerShell, and run the file.

Code:

$path = Read-Host -Prompt 'Please enter the full path to the screenconnect web.config file (no quotes) - press ENTER for the default (C:\Program Files (x86)\ScreenConnect\web.config)'
if ($path -eq '') {$path = 'C:\Program Files (x86)\ScreenConnect\web.config'}
write-host Your web.config file is here: $path
$https = Read-Host -Prompt 'Input the full URL including https:// '
write-host Your full https:// URL to ScreenConnect is: $https
$xml = [xml] (type $path)

    $newEl=$xml.CreateElement("add");
    $nameAtt1=$xml.CreateAttribute("key");
    $nameAtt1.psbase.value="WebServerAlternateListenUri";
    $newEl.SetAttributeNode($nameAtt1);                  
    $nameAtt2=$xml.CreateAttribute("value");             
    $nameAtt2.psbase.value="http://+:80/";               
    $newEl.SetAttributeNode($nameAtt2);                  
    $xml.configuration["appSettings"].AppendChild($newEl);

    $newEl=$xml.CreateElement("add");                     
    $nameAtt1=$xml.CreateAttribute("key");                
    $nameAtt1.psbase.value="RedirectFromBaseUrl";         
    $newEl.SetAttributeNode($nameAtt1);                   
    $nameAtt2=$xml.CreateAttribute("value");              
    $nameAtt2.psbase.value="http://*/";                   
    $newEl.SetAttributeNode($nameAtt2);                   
    $xml.configuration["appSettings"].AppendChild($newEl);

    $newEl=$xml.CreateElement("add");                     
    $nameAtt1=$xml.CreateAttribute("key");                
    $nameAtt1.psbase.value="RedirectToBaseUrl";          
    $newEl.SetAttributeNode($nameAtt1);                  
    $nameAtt2=$xml.CreateAttribute("value");             
    $nameAtt2.psbase.value=$https;                       
    $newEl.SetAttributeNode($nameAtt2);                   
    $xml.configuration["appSettings"].AppendChild($newEl);

    $newEl=$xml.CreateElement("add");                     
    $nameAtt1=$xml.CreateAttribute("name");               
    $nameAtt1.psbase.value="BaseUrlRedirectionModule";    
    $newEl.SetAttributeNode($nameAtt1);                   
    $nameAtt2=$xml.CreateAttribute("type");               
    $nameAtt2.psbase.value="BaseUrlRedirectionModule";    
    $newEl.SetAttributeNode($nameAtt2);                   
    $xml.configuration.'system.web'["httpModules"].AppendChild($newEl);
	
$xml.Save($path)
$newDir = $path.substring(0,$path.Length-11) + "\App_Code"
New-Item $newDir -type directory -force
$code = @"
using System;
using System.Web;
using System.Configuration;
using System.Text.RegularExpressions;
 
public class BaseUrlRedirectionModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        application.BeginRequest += delegate
        {
            var redirectFromBaseUrl = ConfigurationManager.AppSettings["RedirectFromBaseUrl"];
 
            if (!string.IsNullOrEmpty(redirectFromBaseUrl))
            {
                var pattern = '^' + Regex.Escape(redirectFromBaseUrl).Replace("\\*", ".*").Replace("\\?", ".");
                var oldUrl = application.Context.Request.Url.AbsoluteUri;
                var match = Regex.Match(oldUrl, pattern, RegexOptions.IgnoreCase);
 
                if (match.Success)
                {
                    var newUrl = ConfigurationManager.AppSettings["RedirectToBaseUrl"] + oldUrl.Substring(match.Length);
 
                    if (!string.Equals(newUrl, oldUrl, StringComparison.InvariantCultureIgnoreCase))
                        application.Context.Response.Redirect(newUrl);
                }
            }
        };
    }
 
    public void Dispose() { }
}
"@
$newFile = $path.substring(0,$path.Length-11) + "\App_Code\BaseUrlRedirectionModule.cs"

New-Item $newFile -type file -force -value $code

Restart-Service -displayname "ScreenConnect Web Server"
NiceConnect  
#44 Posted : Monday, January 25, 2016 8:44:16 PM(UTC)
NiceConnect


Rank: Newbie

Joined: 1/25/2016(UTC)
Posts: 1

Agreed. We also want to secure the site and not have to struggle with customers getting them to get the https:// typed in over the phone. The solutions proposed are overly complicated for a feature that should be pre-baked into the solution. It's far easier to set this up on another server running IIS or Apache and have it redirect to the SSL URL and I'm more confident it will work the next time we update ScreenConnect.

Just hoping Screenconnect/Connectwise has something in the works for the future that makes this easier.


Originally Posted by: kingbear2
Originally Posted by: mmcnetsupport

I have ScreenConnect setup to only redirect the Host page for technicians. Below is the top of my web.config file that specifies to only redirect that page:

Code:

<configuration>
 <location path="Host.aspx">
<appSettings>
<add key="RedirectFromBaseUrl" value="http://*/" />
<add key="RedirectToBaseUrl" value="https://my.company.com:443/" />
</appSettings>
</location>


I believe this is everything I have to do to get it working.


Why would you only redirect the host page? The whole point (in my opinion) is that you want the credentials passed at the login screen to be secure so they don't go over HTTP. I set up my SC install similar to what you wrote above, but then the login screen is still not secure. I understand why you would not want guests to have to be SSL, but I don't see an alternative to getting the login screen HTTPS unless you do every page SSL. Can you comment and clarify?

Thanks


dszp  
#45 Posted : Saturday, April 23, 2016 7:18:54 PM(UTC)
dszp


Rank: Member

Medals: ScreenConnect Advisor: Focus Group Member

Joined: 12/7/2012(UTC)
Posts: 15
Location: Indianapolis, IN

Thanks: 1 times
Just a note that we've been using this guide for setting up Nginx to proxy requests to ScreenConnect for a couple of months with great success: https://www.roushtech.ne...reenconnect-setup-nginx/

It does require a second public IP address on the server (we're running ScreenConnect on an Ubuntu VPS on Vultr) so the relay can be on port 443 as well as the main site and so port 80 can be open to redirect to the secured site with a 301 redirect (if you're OK using a relay on a non-standard port I think you can use a single IP still). We're using LetsEncrypt to issue the certificate for our Nginx proxy, so that's free at https://www.letsencrypt.org and set up to auto-renew.

It's then possible for the Qualys SSL Labs test at https://www.ssllabs.com/ssltest/ to get a grade of A on the site once this has been implemented successfully.

Additionally, we've used these instructions to enable HSTS (HTTP Strict Transport Security) for our domain: https://raymii.org/s/tut..._NGINX_and_Lighttpd.html This means web browsers that support HSTS will never even try the insecure versions of the site once they've visited the secure site once and seen that header (until the timeout; 180 days is required for Qualys to give you credit for it). Obviously be very sure your main domain and all subdomains do NOT need HTTP anywhere before setting this :-) We're using a dedicated domain for our ScreenConnect instance so this shouldn't be an issue.

With the Nginx proxy configured and HSTS enabled, Qualys gives us an A+ rating for security! It may not be for everyone but if security is your thing or your customers' thing, it may be a worthwhile investment of mostly time, especially if you're on a Linux server already, have any Nginx experience, and possibly have a second public IP (which is the only thing that might cost actual money; Vultr charges $2/mo for a second one), since LetsEncrypt is free. From $7/mo to $9/mo is only $24 per year for much, much better security.
ngoa  
#46 Posted : Wednesday, February 22, 2017 3:23:23 PM(UTC)
ngoa


Rank: Guest

Joined: 1/27/2017(UTC)
Posts: 6
United States

I'm a new ScreenConnect customer on 6.1 and couldn't get it working with these instructions. Has anyone tried it on 6.1? I tried tech support, but they referred me to this forum. I'm not technically savvy, but I can follow simple instructions. Any advice?

Thank you
ngoa  
#47 Posted : Wednesday, February 22, 2017 6:12:07 PM(UTC)
ngoa


Rank: Guest

Joined: 1/27/2017(UTC)
Posts: 6
United States

Originally Posted by: Reid
There have been too many updates/changes spread across this topic so let's recap (verified for v4.1):

1. Configure your site for SSL.

2. Open your ScreenConnect web.config and go to the appSettings section and add a "WebServerAlternateListenUri" key.
Code:

<add key="SmtpUseClient" value="false" />
<add key="WebServerListenUri" value="https://+:443/" />
<add key="WebServerAlternateListenUri" value="http://+:80/" />
<add key="RelayListenUri" value="relay://0.0.0.0:8041/" />

3. Also in the web.config file, find the httpModules section and add the following:
Code:
<add name="BaseUrlRedirectionModule" type="BaseUrlRedirectionModule" />

4. Create a subdirectory of your ScreenConnect folder called "App_Code" and create a new text file in there, naming it HttpsRedirectModule.cs. Open that file in Notepad and paste in the following and save it:
Code:
using System;
using System.Web;
using System.Configuration;
using System.Text.RegularExpressions;

public class BaseUrlRedirectionModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        application.BeginRequest += delegate
        {
            var redirectFromBaseUrl = ConfigurationManager.AppSettings["RedirectFromBaseUrl"];

            if (!string.IsNullOrEmpty(redirectFromBaseUrl))
            {
                var pattern = '^' + Regex.Escape(redirectFromBaseUrl).Replace("\\*", ".*").Replace("\\?", ".");
                var oldUrl = application.Context.Request.Url.AbsoluteUri;
                var match = Regex.Match(oldUrl, pattern, RegexOptions.IgnoreCase);

                if (match.Success)
                {
                    var newUrl = ConfigurationManager.AppSettings["RedirectToBaseUrl"] + oldUrl.Substring(match.Length);

                    if (!string.Equals(newUrl, oldUrl, StringComparison.InvariantCultureIgnoreCase))
                        application.Context.Response.Redirect(newUrl);
                }
            }
        };
    }

    public void Dispose() { }
}

5. Finally, back in the web.config appSettings, add the following, modifying the values to suit your environment*:
Code:

<add key="RedirectFromBaseUrl" value="http://*/" />
<add key="RedirectToBaseUrl" value="http://munich.elsitech.local:8040/" />


* You define a base URL that you redirect _from_ ... this can contain wildcards. But it really should include enough of the trailing path to "match" correctly. Meaning "http://localhost*" is not good, but "http://local*/" is good. Notice the trailing slash. Without it we don't really know where the base URL ends. Then you define a URL to redirect _to_. This doesn't contain wildcards. The portion that was "matched" from the redirect _from_ will be replaced by this value.

And that should be it.

Now, if you want to get fancy, read on.

Quoting Jake:

You could add something like this:
Code:

<add key="RedirectFromBaseUrl" value="http://*/" />
<add key="RedirectToBaseUrl" value="https://ssl.mysecuresite.com:8443/" />



And this can be applied per page. So rather than putting in your main <appSettings>, you can define a location in your web.config:
Code:

<configuration>
    <location path="Host.aspx">
        <appSettings>
            <add key="RedirectFromBaseUrl" value="http://*:8040/" />
            <add key="RedirectToBaseUrl" value="http://munich.elsitech.local:8040/" />
        </appSettings>
    </location>
    <system.web>





Finally, got to work. Was a typo...changed port 8443 to 443

So, I went from this:

Code:

 <add key="RedirectFromBaseUrl" value="http://*/" />
  <add key="RedirectToBaseUrl" value="http://munich.elsitech.local:8040/" />


To this:

Code:

<add key="RedirectFromBaseUrl" value="http://*/" />
  <add key="RedirectToBaseUrl" value="https://ssl.mysecuresite.com:443/" />
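The wildcard matching done by the BaseUrlRedirectionModule quoted above, ported to Python as an added example (not the posters' or ScreenConnect's code), to show what the trailing-slash note means in practice: `*` becomes a greedy `.*`, so the "matched" portion runs to the last slash in the URL, or to the end of the URL when the pattern has no trailing slash. The host, the sample URLs and the stricter `[^/]*` translation are assumptions of this example, and the port assumes Python's `re` behaves like .NET's `Regex` for these simple patterns.

```python
import re

TO = "https://support.example.test/"  # constructed RedirectToBaseUrl value


def wildcard_to_regex(redirect_from, star=".*"):
    """Build the pattern the way the module does; `star` is what `*` turns into."""
    return "^" + re.escape(redirect_from).replace(r"\*", star).replace(r"\?", ".")


def redirect_target(old_url, redirect_from, redirect_to=TO, star=".*"):
    """Return the URL the module would redirect to, or None when it would not redirect."""
    match = re.match(wildcard_to_regex(redirect_from, star), old_url, re.IGNORECASE)
    if not match:
        return None
    # The matched prefix is replaced by RedirectToBaseUrl; the rest is kept.
    new_url = redirect_to + old_url[match.end():]
    return None if new_url.lower() == old_url.lower() else new_url


# Constructed request URLs.
ROOT_PAGE = "http://support.example.test/Host.aspx"
NESTED = "http://support.example.test/Bin/Setup.exe"
WITH_QUERY = "http://support.example.test/Login.aspx?ReturnUrl=/Host.aspx"


def compare(url, redirect_from="http://*/"):
    """Return (greedy result as in the thread's module, result with `*` limited to one segment)."""
    return (redirect_target(url, redirect_from),
            redirect_target(url, redirect_from, star="[^/]*"))


if __name__ == "__main__":
    for url in (ROOT_PAGE, NESTED, WITH_QUERY):
        print(url, "->", compare(url))
    # No trailing slash: the whole URL is "matched" and the path is lost.
    print(redirect_target(ROOT_PAGE, "http://support*"))
```

Pages served from the site root redirect identically under both translations; the results differ only when a slash appears after the host part, in the path or the query string.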
kingbear2  
#48 Posted : Thursday, June 22, 2017 3:52:36 PM(UTC)
kingbear2


Rank: Newbie

Joined: 11/22/2015(UTC)
Posts: 3
Location: Chicago, IL

Was thanked: 1 time(s) in 1 post(s)
Hey everyone.

This thread is from quite some time ago. Frankly I'm surprised at why no one has recommended what appears to me to be the easiest solution.

1) Install IIS

2) Configure HTTP redirect on the "Default Web Site" as per the screenshot below:

UserPostedImage

We did this on our test install (not live yet, but we plan to go live soon - migrating from an old Server 2008R2 install), opened both port 80 and 443, and everything seems to be working well. Since that first checkbox under "Redirect Behavior" is unchecked, even if someone goes to http://screenconnecturl.com/Login.aspx, it'll redirect them to the same place on https://...

Edit: You should also be able to run the following 2 PowerShell commands (as administrator) and then reboot the server to complete the setup:

Code:
Install-WindowsFeature -Name Web-Server -IncludeManagementTools
Set-WebConfiguration system.webServer/httpRedirect "IIS:\sites\Default Web Site" -Value @{enabled="true";destination="https://screenconnecturl.com";exactDestination="false";httpResponseStatus="Found"}


Note, that I am not sure if the server needs to be restarted between lines 1 and 2 above, as I already had IIS installed - but I don't think it needs to be.

What am I missing that's causing everyone to try something so much more complex?

Edited by user Thursday, June 22, 2017 4:05:26 PM(UTC)  | Reason: Not specified

thanks 1 user thanked kingbear2 for this useful post.
Will H on 7/5/2017(UTC)