Cant connect till Connectwise Control Server port 8040

Stefan Jansson over 4 years ago

After upgrading til v 18 Im unable to remote control customers server thru our Connectwise Control server.

I have the cleanset rule for outgoing traffic (for testing) but still can't connect to the server on port 8040.

After a quick downgrade to SFOS 17.5.8 MR-8 again. All is working again.

Same FW rule as in v 18.

Thoughts

Parents

0 JTBrunnerACS over 4 years ago

Just had this issue myself and here is what I had to do to resolve. I was messing around in the Web section under protect, particularly the General Settings tab, and had turned on Block unrecognized SSL protocols. Once I turned that option back off the ScreenConnect sessions were able to connect once again. Not sure why that caused the issue or if there is a place we can put exceptions to this rule. Oddly enough I do not have HTTPS scanning turned on in the firewall rule that governs access to the WAN yet the firewall is still blocking it for some reason.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Stefan Jansson over 4 years ago in reply to JTBrunnerACS

Thanks, but EVERYTHING is turned off that possible can be turned off right now to testning. And still the same problem.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 JTBrunnerACS over 4 years ago in reply to Stefan Jansson

Did you ever get a resolution to this? Since EAP 2 we are now experiencing the same issue you describe here.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Stefan Jansson over 4 years ago in reply to JTBrunnerACS

Hi Do rec 2 below, that solved me problem Recommendation 1 - SSL/TLS disable -> Go to Protect -> Rules & Policies -> SSL/TLS Inspection Rules -> SSL/TLS Inspection Settings -> Advance Settings -> Select Disable -> Save - And try to Connectwise Control Server Port 8040 and share the feedback Recommendation2 - Enable recommendation1 then - on sfos console execute : console> system firewall-acceleration disable
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 JTBrunnerACS over 4 years ago in reply to Stefan Jansson

So turning SSL/TLS inspection off did the trick for us, however, we are using ScreenConnect which is a hosted version of ConnectWise. Obviously we don't want to have SSL/TLS inspection turned off for the entire firewall, defeats the purpose really. This is most definitely a BUG and should be reported as such if it has not already.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Stefan Jansson over 4 years ago in reply to JTBrunnerACS

It is reported
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Emile Belcourt over 4 years ago in reply to JTBrunnerACS

Hello JTBrunner,

Can you make an exception just for the IP targets/Ports of the ScreenConnect/ConnectWise services?

If turning off SSL/TLS inspection worked then placing a targeted exception should be fine.

I hope that Dev come back saying it is a bug, however it is more likely that the ScreenConnect system does not accept the Certificate from the XG so therefore terminates the connection. This happens with LogMeIn, Zoho Assist, Join.me, some elements of Zoom and Office 365 (needs at least 92 exceptions).

Emile
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Emile Belcourt over 4 years ago in reply to JTBrunnerACS

Hello JTBrunner,

Can you make an exception just for the IP targets/Ports of the ScreenConnect/ConnectWise services?

If turning off SSL/TLS inspection worked then placing a targeted exception should be fine.

I hope that Dev come back saying it is a bug, however it is more likely that the ScreenConnect system does not accept the Certificate from the XG so therefore terminates the connection. This happens with LogMeIn, Zoho Assist, Join.me, some elements of Zoom and Office 365 (needs at least 92 exceptions).

Emile
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 JTBrunnerACS over 4 years ago in reply to Emile Belcourt

Just as the OP stated, I have created exceptions for screenconnect in all possible locations. Even went as far as to create a special firewall rule just for that application and turned off everything possible, the traffic should be passing without interference. I suspect it has something to do with AWS, my latest pcap indicates that traffic is returned from an amazonaws.com address and not screenconnect.com. I had created exceptions for AWS also but it did not help. Next I will add AWS to the special firewall rule and see if that works. It may be possible that this is the root of the problem with other sites as well.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 JTBrunnerACS over 4 years ago in reply to Emile Belcourt

Here is my URL Group containing all pertinent URLs and IP addresses...

And here is my SSL/TLS Inspection Rule (Exceptions by Website) where I added the URL group to the websites...

Even went as far as to create a new SSL/TLS Inspection Rule just for ScreenConnect...

Also created a Decryption Profile just for Screenconnect with absolutely nothing being decrypted or blocked (MAXIMUM COMPATIBILITY)...

Still no help, the only thing that "fixes" this is to turn off SSL/TLS Inspection...
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel