JoshStevenson  
#1 Posted : Monday, January 8, 2018 3:45:27 PM(UTC)
JoshStevenson


Rank: Guest

Joined: 1/8/2018(UTC)
Posts: 3
United Kingdom
Location: Nottingham

Thanks: 1 times
Hi All,

I am creating an "Emergency Lockdown" scenario on a test machine.
This machine is on the domain network and has internet access, and I am locking it all down with the Local Windows Firewall on the machine.
All I want to be able to do to this machine is Screenconnect onto it, no internet access, no network access etc.

This machine has its firewall set to:

  • block all outbound traffic by default, unless specifically allowed by a rule.
  • allow outbound traffic from program with the full path to the "ScreenConnect.ClientService.exe" and "ScreenConnect.WindowsClient.exe"
  • block all inbound ports (TCP & UDP) except for ports 8040 and 8041


If I don't block the outbound traffic, I can connect with Screenconnect fine, so I know that the inbound 8040 and 8041 rules are correct.
As soon as I block outbound (allowing the two executables above) I cannot connect any longer.

Has anyone achieved this before, and am I missing something fundamental here?

thank you,
Josh.
Scott  
#2 Posted : Monday, January 8, 2018 4:27:51 PM(UTC)
Scott


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 3/28/2014(UTC)
Posts: 2,533
United States

Thanks: 3 times
Was thanked: 309 time(s) in 266 post(s)
So the ScreenConnect server software uses two ports, 8040 and 8041. 8040 is for the web service only, meaning just the website. 8041 is for the relay (the protocol the clients use to communicate to the server). Once a client is installed it shouldn't ever need 8040 so for simplicity you can leave that port out of the exclusions.

Now, for the client, 8041 is the destination port (the port to which it is talking on a remote machine). The client itself does not bind to a specific port, rather just any available port on the remote machine and calls to 8041 on the server.

Are you able to allow all inbound traffic to a program for the two exe's?
ScreenConnect Team
1 user thanked Scott for this useful post: JoshStevenson on 1/9/2018(UTC)
JoshStevenson  
#3 Posted : Monday, January 8, 2018 4:40:29 PM(UTC)
Oh I see!

I didn't think of allowing the executable inbound as opposed to just those two ports.
Thanks for clarifying that and explaining those ports Scott.

Let me try that and get back to you

Josh.
JoshStevenson  
#4 Posted : Tuesday, January 9, 2018 9:06:01 AM(UTC)
Originally Posted by: Scott
So the ScreenConnect server software uses two ports, 8040 and 8041. 8040 is for the web service only, meaning just the website. 8041 is for the relay (the protocol the clients use to communicate to the server). Once a client is installed it shouldn't ever need 8040 so for simplicity you can leave that port out of the exclusions.

Now, for the client, 8041 is the destination port (the port to which it is talking on a remote machine). The client itself does not bind to a specific port, rather just any available port on the remote machine and calls to 8041 on the server.

Are you able to allow all inbound traffic to a program for the two exe's?


This has resolved the issue, thanks so much Scott.

Allowing the executable, setting the default Windows Firewall action to "block", disabling all of the currently allowed rules and adding inbound and outbound rules for both the above exe's, and inbound on port 8041, allows me to connect to a machine whilst it has no other network or internet access at all.

Thanks again
Josh
shawnkhall  
#5 Posted : Friday, January 12, 2018 4:11:32 AM(UTC)
shawnkhall


Rank: Advanced Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 2/6/2014(UTC)
Posts: 204
Man
United States

Thanks: 5 times
Was thanked: 12 time(s) in 10 post(s)
Code:

@echo off
rem Run from an elevated command prompt. Replace (installid) with the id in the real client folder name,
rem and check which Program Files folder actually holds the client on your machine.
set "scpath=%ProgramFiles%\ScreenConnect Client (installid)"
rem Program-based allow rules for the two client executables, inbound and outbound, on every profile.
rem All four share the display name "ScreenConnect" so they can be listed or removed together later.
netsh advfirewall firewall add rule name="ScreenConnect" dir=in action=allow enable=yes profile=any program="%scpath%\ScreenConnect.ClientService.exe"
netsh advfirewall firewall add rule name="ScreenConnect" dir=in action=allow enable=yes profile=any program="%scpath%\ScreenConnect.WindowsClient.exe"
netsh advfirewall firewall add rule name="ScreenConnect" dir=out action=allow enable=yes profile=any program="%scpath%\ScreenConnect.ClientService.exe"
netsh advfirewall firewall add rule name="ScreenConnect" dir=out action=allow enable=yes profile=any program="%scpath%\ScreenConnect.WindowsClient.exe"
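The same lockdown that Josh describes in post #4 (program rules for the two client executables, every other rule disabled, default action Block), written as a PowerShell script against the NetSecurity module rather than netsh, with a check at the end that shows the point Scott made about ports: the client dials out from a random local port to <server>:8041, so the session is carried by the outbound program rule, not by an inbound 8041 exception. This is an added example, not code from the thread or from the ScreenConnect product. The relay host name, the rule-name prefix and the "ScreenConnect Client*" folder lookup are assumptions; 8041 is taken from Scott's post, and the relay is assumed to be TCP.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread or the vendor): emergency lockdown that leaves only
# the ScreenConnect client able to talk, then shows the resulting connections.
# Assumptions: placeholder relay host and rule prefix below; 8041 = relay port (Scott's post);
# relay traffic is TCP; the client lives in a "ScreenConnect Client (<id>)" folder.
param(
    [string] $RelayHost  = 'relay.example.test',   # placeholder: your ScreenConnect server
    [int]    $RelayPort  = 8041,
    [string] $RulePrefix = 'Lockdown - ScreenConnect'
)

$ErrorActionPreference = 'Stop'

# Locate the client folder under either Program Files directory.
$scPath = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Get-ChildItem -Path $_ -Directory -Filter 'ScreenConnect Client*' -ErrorAction SilentlyContinue } |
    Select-Object -First 1 -ExpandProperty FullName
if (-not $scPath) { throw 'ScreenConnect client folder not found' }

$exes = 'ScreenConnect.ClientService.exe', 'ScreenConnect.WindowsClient.exe' |
    ForEach-Object { Join-Path $scPath $_ }

# 1. Create the allow rules FIRST so the current session survives the later default-block.
foreach ($exe in $exes) {
    if (-not (Test-Path $exe)) { throw "Not found: $exe" }
    $name = [IO.Path]::GetFileNameWithoutExtension($exe)

    # Outbound: the client connects from an ephemeral local port to <server>:8041, so the
    # rule is scoped to that remote port instead of allowing the program anywhere.
    # Add -RemoteAddress <relay IP> as well if the relay's address is stable.
    New-NetFirewallRule -DisplayName "$RulePrefix $name (out)" -Direction Outbound -Action Allow `
        -Program $exe -Protocol TCP -RemotePort $RelayPort -Profile Any | Out-Null

    # Inbound program rule, as done in the thread; the client does not listen on 8041.
    New-NetFirewallRule -DisplayName "$RulePrefix $name (in)" -Direction Inbound -Action Allow `
        -Program $exe -Profile Any | Out-Null
}

# 2. Disable every pre-existing rule so no other exception stays in force.
Get-NetFirewallRule | Where-Object { $_.DisplayName -notlike "$RulePrefix*" } | Disable-NetFirewallRule

# 3. Default action Block in both directions on all profiles (the thread's "block unless allowed").
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

# 4. Inspect the result from the inside.
function Get-ScreenConnectRelaySessions {
    # Established TCP connections owned by the two client processes. Expect a random
    # LocalPort and RemotePort 8041, which is why an inbound 8041 rule is not what carries the session.
    $procs = Get-Process -Name 'ScreenConnect.ClientService', 'ScreenConnect.WindowsClient' -ErrorAction SilentlyContinue
    if (-not $procs) { return }
    Get-NetTCPConnection -OwningProcess $procs.Id -State Established -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
}

Get-ScreenConnectRelaySessions | Format-Table -AutoSize

# Any other process (this PowerShell session) must now fail outbound. If name resolution is
# also blocked by the lockdown, this shows a DNS failure rather than a TCP block.
Test-NetConnection -ComputerName $RelayHost -Port $RelayPort -WarningAction SilentlyContinue |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Order matters: the allow rules go in before the existing rules are disabled and before the default action is flipped, so a failure part-way through cannot strand the machine with no way back in. Two things to verify on a real box before relying on this: that the client keeps resolving the relay host once the default-block is in place (the DNS lookup is not made by the allowed executables if the DNS Client service handles it, so either confirm resolution still works or point the client at an address that does not need it), and that domain-joined machines do not have Group Policy re-enabling rules on the next refresh.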