WAF - ScreenConnect does not work.

I use the WAF to protect my servers but I cannot get it to work with ScreenConnect (SC). Maybe it's not even possible???

I want to use the WAF, rather than a DNAT, because I am using the same static, public IP for 'mysite.com' and 'www.mysite.com'. I have ScreenConnect (SC) installed on a Windows server along with WAMP. WAMP listens on ports 80 and 443 on internal IP 10.x.x.120 (www.mysite.com) and the SC server listens on ports 80, 443, 8040, and 8041 on internal IP 10.x.x.130 (mysite.com). My SSL cert is installed correctly in the UTM as well as on the webserver. I have specified separate network definitions with the correct host names and internal IPs.

SC has a so-called built-in relay and router. Presumably, this is how web and remote desktop traffic are split and redirected to the correct ports. SC also automatically redirects http to https. Below are some of the settings in the SC config:

...

<listenUris>
  <listenUri>tcp://10.x.x.130:80/</listenUri>
  <listenUri>tcp://10.x.x.130:443/</listenUri>
</listenUris>
<rules>
  <rule schemeExpression="http" actionType="issueRedirect" actionData="https://$HOST/" />
  <rule schemeExpression="ssl" actionType="forwardPayload" actionData="https://10.x.x.130:8041/" />
  <rule schemeExpression="relay" actionType="forwardPayload" actionData="https://10.x.x.130:8040/" />
</rules>

<add key="WebServerListenUri" value="https://10.x.x.130:8041/" />
<add key="WebServerAddressableUri" value="https://mysite.com/" />
<add key="RelayListenUri" value="relay://10.x.x.130:8040/" />
<add key="RelayAddressableUri" value="relay://mysite.com:443/" />

...

If I set up a basic DNAT and disable the Virtual server in the WAF settings of the UTM, I have no issues with ScreenConnect, but then all traffic for 'mysite.com' and 'www.mysite.com' is picked up by SC.

I've tried setting up a Real and Virtual server for port 443. I even tried creating Real and Virtual servers for the other ports even though there is no indication that traffic on the other ports is being dropped by Sophos. I can access the SC web page and login but when I try to start a remote session, nothing happens. What's odd is there's no dropped traffic logged in the WAF, Firewall or IPS logs.

Is what I'm trying to accomplish with the WAF even possible? Could it be that some of the traffic does not contain host header info and the WAF does not know what to do with it?

  • Made some progress... Everything is working except I cannot connect to a remote session via an Android from outside.

    From the Android, I can access the SC login page, login, see all connections to clients and even use the chat functionality of SC but I still cannot connect to a session to remotely control a client.

    For testing, I have created a WAF Firewall Profile with everything unchecked and added an exception that skips all available options.

    I still cannot connect to a session from an external Android and I do not get any errors in the Firewall, IPS or WAF logs. All entries in the WAF log are mostly 200 status codes with a couple of 502's if left idle. I can connect from an external Windows machine. I can access from an external Android if I revert back to a simple DNAT. Not sure what the WAF is not allowing or what the Android app or WAF cannot handle.

  • Hi Jeff,

    Post the reverseproxy.log while attempting a connection.

    Thanks

  • In reply to sachingurung:

    I still haven't been able to get this to work. Keep in mind that the ScreenConnect app redirects traffic internally. See first post.

    ...


    Live Log: Web Application Firewall
    2017:07:04-06:20:21 gateway httpd[9136]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:20:21 gateway httpd[5361]: [mpm_worker:notice] [pid 5361:tid 4148139712] AH00297: SIGUSR1 received. Doing graceful restart
    2017:07:04-06:20:21 gateway httpd[5361]: [ssl:warn] [pid 5361:tid 4148139712] AH01909: REF_RevFroSkillAndOther:443:0 server certificate does NOT include an ID which matches the server name
    2017:07:04-06:20:21 gateway httpd[5361]: [ssl:warn] [pid 5361:tid 4148139712] AH01909: REF_RevFroSkillAndOther:443:0 server certificate does NOT include an ID which matches the server name
    2017:07:04-06:20:22 gateway httpd[5361]: [proxy_protocol:notice] [pid 5361:tid 4148139712] ProxyProtocol: disabled on 127.0.0.1:4080
    2017:07:04-06:20:22 gateway httpd[5361]: [mpm_worker:notice] [pid 5361:tid 4148139712] AH00292: Apache/2.4.10 (Unix) OpenSSL/1.0.2j-fips configured -- resuming normal operations
    2017:07:04-06:20:22 gateway httpd[5361]: [core:notice] [pid 5361:tid 4148139712] AH00094: Command line: '/usr/apache/bin/httpd'
    2017:07:04-06:20:22 gateway httpd[5361]: [mpm_worker:warn] [pid 5361:tid 4148139712] AH00291: long lost child came home! (pid 8912)
    2017:07:04-06:20:22 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="28099" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="2041" url="/status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVtr5jLwWoEAACO@3HYAAAA8"
    2017:07:04-06:20:22 gateway httpd[9313]: Restarted
    2017:07:04-06:21:19 gateway httpd: id="0299" srcip="66.x.x.x" localip="50.x.x.x" size="14865" user="-" host="66.x.x.x" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="881939" url="/payment-and-shipping/" server="www.mysite.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WVtsHjLwWoEAACRqS2gAAAAH"
    2017:07:04-06:22:51 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="726" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="381" url="/lb-status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVtsezLwWoEAACRqS2kAAAAK"
    2017:07:04-06:22:57 gateway httpd: id="0299" srcip="66.x.x.x" localip="50.x.x.x" size="14652" user="-" host="66.x.x.x" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="465073" url="/contacts/" server="www.mysite.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WVtsgTLwWoEAACRqS2oAAAAL"
    2017:07:04-06:24:43 gateway httpd: id="0299" srcip="66.x.x.x" localip="50.x.x.x" size="13980" user="-" host="66.x.x.x" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="453363" url="/about-our-company/" server="www.mysite.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WVts6jLwWoEAACRqS2sAAAAO"
    2017:07:04-06:25:05 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="726" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="356" url="/lb-status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVttATLwWoEAACRqS2wAAAAP"
    2017:07:04-06:25:05 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="726" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="349" url="/lb-status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVttATLwWoEAACRqS20AAAAQ"
    2017:07:04-06:25:25 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="726" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="272" url="/lb-status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVttFTLwWoEAACRqS24AAAAR"
    2017:07:04-06:25:25 gateway httpd[10182]: Restarting gracefully
    2017:07:04-06:25:25 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="726" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="274" url="/lb-status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVttFTLwWoEAACRqS28AAAAS"
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroMysitno443] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmysit80] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSupport4432] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroJeffshe443] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmysi443] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroMagetro443] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFro50xxxxxx80] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmaget80] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmaje443] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSupport443] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: Syntax OK
    2017:07:04-06:25:26 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="26986" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="784" url="/status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVttFjLwWoEAACRqS3AAAAAT"
    2017:07:04-06:25:26 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroMysitno443] does not exist
    2017:07:04-06:25:26 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmysit80] does not exist
    2017:07:04-06:25:27 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSupport4432] does not exist
    2017:07:04-06:25:27 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroJeffshe443] does not exist
    2017:07:04-06:25:27 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmysi443] does not exist
    2017:07:04-06:25:27 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroMagetro443] does not exist
    2017:07:04-06:25:27 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFro50xxxxxx80] does not exist
    2017:07:04-06:25:27 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:25:27 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmaget80] does not exist
    2017:07:04-06:25:27 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmaje443] does not exist
    2017:07:04-06:25:27 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSupport443] does not exist
    2017:07:04-06:25:27 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:25:27 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:25:27 gateway httpd[5361]: [mpm_worker:notice] [pid 5361:tid 4148139712] AH00297: SIGUSR1 received. Doing graceful restart
    2017:07:04-06:25:27 gateway httpd[5361]: [ssl:warn] [pid 5361:tid 4148139712] AH01909: REF_RevFroSkillAndOther:443:0 server certificate does NOT include an ID which matches the server name
    2017:07:04-06:25:27 gateway httpd[5361]: [ssl:warn] [pid 5361:tid 4148139712] AH01909: REF_RevFroSkillAndOther:443:0 server certificate does NOT include an ID which matches the server name
    2017:07:04-06:25:28 gateway httpd[5361]: [proxy_protocol:notice] [pid 5361:tid 4148139712] ProxyProtocol: disabled on 127.0.0.1:4080
    2017:07:04-06:25:28 gateway httpd[5361]: [mpm_worker:notice] [pid 5361:tid 4148139712] AH00292: Apache/2.4.10 (Unix) OpenSSL/1.0.2j-fips configured -- resuming normal operations
    2017:07:04-06:25:28 gateway httpd[5361]: [core:notice] [pid 5361:tid 4148139712] AH00094: Command line: '/usr/apache/bin/httpd'
    2017:07:04-06:25:28 gateway httpd[5361]: [mpm_worker:warn] [pid 5361:tid 4148139712] AH00291: long lost child came home! (pid 9147)
    2017:07:04-06:25:28 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="27167" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1873" url="/status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVttGDLwWoEAACgAXUUAAAAM"
    2017:07:04-06:25:28 gateway httpd[10298]: Restarted
    2017:07:04-06:26:52 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="726" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="572" url="/lb-status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVttbDLwWoEAACitHkEAAAAB"
    2017:07:04-06:27:27 gateway httpd[10637]: Restarting gracefully
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroMysitno443] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmysit80] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSupport4432] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroJeffshe443] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmysi443] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroMagetro443] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFro50xxxxxx80] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmaget80] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmaje443] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSupport443] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: Syntax OK
    2017:07:04-06:27:28 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="27235" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="800" url="/status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVttkDLwWoEAACitHkIAAAAC"
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroMysitno443] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmysit80] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSupport4432] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroJeffshe443] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmysi443] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroMagetro443] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFro50xxxxxx80] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmaget80] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmaje443] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSupport443] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:27:28 gateway httpd[5361]: [mpm_worker:notice] [pid 5361:tid 4148139712] AH00297: SIGUSR1 received. Doing graceful restart
    2017:07:04-06:27:28 gateway httpd[5361]: [ssl:warn] [pid 5361:tid 4148139712] AH01909: REF_RevFroSkillAndOther:443:0 server certificate does NOT include an ID which matches the server name
    2017:07:04-06:27:28 gateway httpd[5361]: [ssl:warn] [pid 5361:tid 4148139712] AH01909: REF_RevFroSkillAndOther:443:0 server certificate does NOT include an ID which matches the server name
    2017:07:04-06:27:29 gateway httpd[5361]: [proxy_protocol:notice] [pid 5361:tid 4148139712] ProxyProtocol: disabled on 127.0.0.1:4080
    2017:07:04-06:27:29 gateway httpd[5361]: [mpm_worker:notice] [pid 5361:tid 4148139712] AH00292: Apache/2.4.10 (Unix) OpenSSL/1.0.2j-fips configured -- resuming normal operations
    2017:07:04-06:27:29 gateway httpd[5361]: [core:notice] [pid 5361:tid 4148139712] AH00094: Command line: '/usr/apache/bin/httpd'
    2017:07:04-06:27:29 gateway httpd[5361]: [mpm_worker:warn] [pid 5361:tid 4148139712] AH00291: long lost child came home! (pid 10235)
    2017:07:04-06:27:29 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="27335" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1938" url="/status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVttkTLwWoEAACnHL6IAAAAM"
    2017:07:04-06:27:29 gateway httpd[10753]: Restarted
    2017:07:04-06:27:29 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="726" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="368" url="/lb-status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVttkTLwWoEAACnHL6MAAAAO"

    ... 

    Any help would be much appreciated!
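    As an added example (not from the thread, Sophos or ConnectWise), here is a small parser for the UTM WAF request-log lines quoted above. It skips the daemon notices, drops the UTM's own /status and /lb-status polls from 127.0.0.1, counts status codes per virtual server, and flags 5xx or slow backend responses. The sample lines are constructed (placeholder IPs and uids), and the `time` field is assumed to be microseconds as with Apache's `%D`.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the WAF (reverseproxy.log) lines in the thread.
# IPs, uids and the 502 entry are placeholders, not the poster's data.
SAMPLE_LOG = """\
2017:07:04-06:20:21 gateway httpd[5361]: [ssl:warn] [pid 5361:tid 4148139712] AH01909: REF_RevFroSkillAndOther:443:0 server certificate does NOT include an ID which matches the server name
2017:07:04-06:21:19 gateway httpd: id="0299" srcip="66.0.0.1" localip="50.0.0.1" size="14865" user="-" host="66.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="881939" url="/payment-and-shipping/" server="www.mysite.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="CONSTRUCTED01"
2017:07:04-06:22:51 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="726" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="381" url="/lb-status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="CONSTRUCTED02"
2017:07:04-06:23:10 gateway httpd: id="0299" srcip="66.0.0.1" localip="50.0.0.1" size="0" user="-" host="66.0.0.1" method="GET" statuscode="502" reason="-" extra="-" exceptions="-" time="30001234" url="/" server="mysite.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="CONSTRUCTED03"
"""

# key="value" pairs; values in this log format never contain a double quote.
KV_RE = re.compile(r'(\S+?)="([^"]*)"')
REQUEST_MARK = ' httpd: id="0299" '


def parse_waf_log(text):
    """Return one dict per request entry (id 0299); daemon notices are skipped."""
    entries = []
    for line in text.splitlines():
        if REQUEST_MARK not in line:
            continue
        fields = dict(KV_RE.findall(line))
        fields["timestamp"] = line.split(" ", 1)[0]
        entries.append(fields)
    return entries


def summarize(entries, ignore_local=True):
    """Status-code counts per virtual server (server:port), client traffic only."""
    counts = defaultdict(Counter)
    for e in entries:
        if ignore_local and e.get("srcip") == "127.0.0.1":
            continue  # the UTM's own /status and /lb-status health polls
        counts[f'{e["server"]}:{e["port"]}'][e["statuscode"]] += 1
    return {k: dict(v) for k, v in counts.items()}


def slow_or_failed(entries, max_ms=10000):
    """Entries with a 5xx status or a backend time (assumed microseconds) over max_ms."""
    out = []
    for e in entries:
        t_ms = int(e.get("time", "0")) / 1000
        if e["statuscode"].startswith("5") or t_ms > max_ms:
            out.append((e["timestamp"], e["server"], e["url"], e["statuscode"], round(t_ms)))
    return out


if __name__ == "__main__":
    found = parse_waf_log(SAMPLE_LOG)
    print(summarize(found))
    for row in slow_or_failed(found):
        print("check backend:", row)
```

    Only requests the reverse proxy handled as HTTP appear under id 0299, so a session that never reaches the WAF as an HTTP request leaves no entry, dropped or otherwise; that is why an empty drop list here does not by itself rule the WAF out.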

  • In reply to jeffshead:

    WAF only supports one session (one port) and is only going to be useful if the protected session is html-based, since its purpose is to screen the traffic for appropriate html syntax.  It seems unlikely that your product fits this model.

    It may be useful to use WAF with OTP for the login page, then rely on firewall rules alone for the secondary session traffic.

    Have you considered html5 vpn (with OTP) to start a remote desktop connection, as an alternative to your current plan and product?

  • In reply to DouglasFoster:

    DouglasFoster

    WAF only supports one session (one port) and is only going to be useful if the protected session is html-based, since its purpose is to screen the traffic for appropriate html syntax.  It seems unlikely that your product fits this model.

    It may be useful to use WAF with OTP for the login page, then rely on firewall rules alone for the secondary session traffic.

    Have you considered html5 vpn (with OTP) to start a remote desktop connection, as an alternative to your current plan and product?

    Thanks for the suggestion but some SC clients are permanently installed and no one will be available to login (OTP) to join a session.

    However, a simple NAT and a single firewall rule to allow traffic over port 443 does work for SC. I was hoping to do away with all NAT's in favor of using the WAF for all traffic.

  • In reply to jeffshead:

    Did you ever get this working? I'm running into the exact same issue except I can't connect to a session from the outside.

    "An error occured connecting to your session. This will wait a few seconds before trying again. Error: Unable to read beyond the end of the stream"

    I also see all end hosts connected to the ScreenConnect server, I just can't connect to the session.

  • In reply to AlanMayer:

    Nope. Can't use the WAF with ScreenConnect.

    I had to keep my DNAT and firewall rule.