Sophos UTM: Decommissioning of obsolete URL categorization services CFFS. Click here for important info.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 18 replies
  • Answers 1 answer
  • Subscribers 5 subscribers
  • Views 25739 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF - ScreenConnect does not work.

Jeff x

I use the WAF to protect my servers but I cannot get it work with ScreenConnect (SC). Maybe it's not even possible???

I want to use the WAF, rather than a DNAT, because I am using the same static, public IP for 'mysite.com' and 'www.mysite.com'. I have ScreenConnect (SC) installed on a Windows server along with WAMP. WAMP listens on ports 80 and 443 on internal IP 10.x.x.120 (www.mysite.com) and the SC server listens on ports 80, 443, 8040, and 8041 on internal IP 10.x.x.130 (mysite.com). My SSL cert is installed correctly in the UTM as well as the webserver. I have specified separate network definitions with the correct host names and internal IP's.

SC has a so-called built-in relay and router. Presumably, this is how web and remote desktop traffic are split and redirected to the correct ports. SC also automatically redirects http to https. Below are some of the settings in the SC config:

...

<listenUris>
  <listenUri>tcp://10.x.x.130:80/</listenUri>
  <listenUri>tcp://10.x.x.130:443/</listenUri>
</listenUris>
<rules>
  <rule schemeExpression="http" actionType="issueRedirect" actionData="https://$HOST/" />
  <rule schemeExpression="ssl" actionType="forwardPayload" actionData="https://10.x.x.130:8041/" />
  <rule schemeExpression="relay" actionType="forwardPayload" actionData="https://10.x.x.130:8040/" />
</rules><add key="WebServerListenUri" value="https://10.x.x.130:8041/" />
<add key="WebServerAddressableUri" value="https://mysite.com/" />
<add key="RelayListenUri" value="relay://10.x.x.130:8040/" />
<add key="RelayAddressableUri" value="relay://mysite.com:443/" />

...

 

If I set up a basic DNAT and disable the Virtual server in the WAF settings of the UTM, I have no issues with ScreenConnect but then all traffic for 'mysite.com' and 'www.mysite.com' are picked up by SC.

I've tried setting up a Real and Virtual server for port 443. I even tried creating Real and Virtual servers for the other ports even though there is no indication that traffic on the other ports is being dropped by Sophos. I can access the SC web page and login but when I try to start a remote session, nothing happens. What's odd is there's no dropped traffic logged in the WAF, Firewall or IPS logs.

Is what I'm trying to accomplish with the WAF even possible? Could it be that some of the traffic does not contain host header info and the WAF does not know what to do with it?



This thread was automatically locked due to age.
Parents
  • 0

    Hi Jeff,

    Post the reverseproxy.log while attempting a connection.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    I still haven't been able to get this to work. Keep in mind that the ScreenConnect app redirects traffic internally. See first post.

    ...


    Live Log: Web Application Firewall
    Filter:
    Autoscroll
    Reload
    2017:07:04-06:20:21 gateway httpd[9136]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:20:21 gateway httpd[5361]: [mpm_worker:notice] [pid 5361:tid 4148139712] AH00297: SIGUSR1 received. Doing graceful restart
    2017:07:04-06:20:21 gateway httpd[5361]: [ssl:warn] [pid 5361:tid 4148139712] AH01909: REF_RevFroSkillAndOther:443:0 server certificate does NOT include an ID which matches the server name
    2017:07:04-06:20:21 gateway httpd[5361]: [ssl:warn] [pid 5361:tid 4148139712] AH01909: REF_RevFroSkillAndOther:443:0 server certificate does NOT include an ID which matches the server name
    2017:07:04-06:20:22 gateway httpd[5361]: [proxy_protocol:notice] [pid 5361:tid 4148139712] ProxyProtocol: disabled on 127.0.0.1:4080
    2017:07:04-06:20:22 gateway httpd[5361]: [mpm_worker:notice] [pid 5361:tid 4148139712] AH00292: Apache/2.4.10 (Unix) OpenSSL/1.0.2j-fips configured -- resuming normal operations
    2017:07:04-06:20:22 gateway httpd[5361]: [core:notice] [pid 5361:tid 4148139712] AH00094: Command line: '/usr/apache/bin/httpd'
    2017:07:04-06:20:22 gateway httpd[5361]: [mpm_worker:warn] [pid 5361:tid 4148139712] AH00291: long lost child came home! (pid 8912)
    2017:07:04-06:20:22 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="28099" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="2041" url="/status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVtr5jLwWoEAACO@3HYAAAA8"
    2017:07:04-06:20:22 gateway httpd[9313]: Restarted
    2017:07:04-06:21:19 gateway httpd: id="0299" srcip="66.x.x.x" localip="50.x.x.x" size="14865" user="-" host="66.x.x.x" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="881939" url="/payment-and-shipping/" server="www.mysite.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WVtsHjLwWoEAACRqS2gAAAAH"
    2017:07:04-06:22:51 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="726" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="381" url="/lb-status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVtsezLwWoEAACRqS2kAAAAK"
    2017:07:04-06:22:57 gateway httpd: id="0299" srcip="66.x.x.x" localip="50.x.x.x" size="14652" user="-" host="66.x.x.x" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="465073" url="/contacts/" server="www.mysite.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WVtsgTLwWoEAACRqS2oAAAAL"
    2017:07:04-06:24:43 gateway httpd: id="0299" srcip="66.x.x.x" localip="50.x.x.x" size="13980" user="-" host="66.x.x.x" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="453363" url="/about-our-company/" server="www.mysite.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WVts6jLwWoEAACRqS2sAAAAO"
    2017:07:04-06:25:05 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="726" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="356" url="/lb-status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVttATLwWoEAACRqS2wAAAAP"
    2017:07:04-06:25:05 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="726" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="349" url="/lb-status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVttATLwWoEAACRqS20AAAAQ"
    2017:07:04-06:25:25 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="726" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="272" url="/lb-status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVttFTLwWoEAACRqS24AAAAR"
    2017:07:04-06:25:25 gateway httpd[10182]: Restarting gracefully
    2017:07:04-06:25:25 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="726" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="274" url="/lb-status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVttFTLwWoEAACRqS28AAAAS"
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroMysitno443] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmysit80] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSupport4432] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroJeffshe443] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmysi443] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroMagetro443] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFro50xxxxxx80] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmaget80] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmaje443] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSupport443] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:25:26 gateway httpd[10187]: Syntax OK
    2017:07:04-06:25:26 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="26986" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="784" url="/status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVttFjLwWoEAACRqS3AAAAAT"
    2017:07:04-06:25:26 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroMysitno443] does not exist
    2017:07:04-06:25:26 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmysit80] does not exist
    2017:07:04-06:25:27 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSupport4432] does not exist
    2017:07:04-06:25:27 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroJeffshe443] does not exist
    2017:07:04-06:25:27 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmysi443] does not exist
    2017:07:04-06:25:27 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroMagetro443] does not exist
    2017:07:04-06:25:27 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFro50xxxxxx80] does not exist
    2017:07:04-06:25:27 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:25:27 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmaget80] does not exist
    2017:07:04-06:25:27 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmaje443] does not exist
    2017:07:04-06:25:27 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSupport443] does not exist
    2017:07:04-06:25:27 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:25:27 gateway httpd[10224]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:25:27 gateway httpd[5361]: [mpm_worker:notice] [pid 5361:tid 4148139712] AH00297: SIGUSR1 received. Doing graceful restart
    2017:07:04-06:25:27 gateway httpd[5361]: [ssl:warn] [pid 5361:tid 4148139712] AH01909: REF_RevFroSkillAndOther:443:0 server certificate does NOT include an ID which matches the server name
    2017:07:04-06:25:27 gateway httpd[5361]: [ssl:warn] [pid 5361:tid 4148139712] AH01909: REF_RevFroSkillAndOther:443:0 server certificate does NOT include an ID which matches the server name
    2017:07:04-06:25:28 gateway httpd[5361]: [proxy_protocol:notice] [pid 5361:tid 4148139712] ProxyProtocol: disabled on 127.0.0.1:4080
    2017:07:04-06:25:28 gateway httpd[5361]: [mpm_worker:notice] [pid 5361:tid 4148139712] AH00292: Apache/2.4.10 (Unix) OpenSSL/1.0.2j-fips configured -- resuming normal operations
    2017:07:04-06:25:28 gateway httpd[5361]: [core:notice] [pid 5361:tid 4148139712] AH00094: Command line: '/usr/apache/bin/httpd'
    2017:07:04-06:25:28 gateway httpd[5361]: [mpm_worker:warn] [pid 5361:tid 4148139712] AH00291: long lost child came home! (pid 9147)
    2017:07:04-06:25:28 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="27167" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1873" url="/status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVttGDLwWoEAACgAXUUAAAAM"
    2017:07:04-06:25:28 gateway httpd[10298]: Restarted
    2017:07:04-06:26:52 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="726" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="572" url="/lb-status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVttbDLwWoEAACitHkEAAAAB"
    2017:07:04-06:27:27 gateway httpd[10637]: Restarting gracefully
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroMysitno443] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmysit80] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSupport4432] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroJeffshe443] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmysi443] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroMagetro443] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFro50xxxxxx80] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmaget80] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmaje443] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSupport443] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:27:27 gateway httpd[10645]: Syntax OK
    2017:07:04-06:27:28 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="27235" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="800" url="/status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVttkDLwWoEAACitHkIAAAAC"
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroMysitno443] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmysit80] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSupport4432] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroJeffshe443] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmysi443] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroMagetro443] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFro50xxxxxx80] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmaget80] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroWwwmaje443] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSupport443] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:27:28 gateway httpd[10681]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroSkillAndOther] does not exist
    2017:07:04-06:27:28 gateway httpd[5361]: [mpm_worker:notice] [pid 5361:tid 4148139712] AH00297: SIGUSR1 received. Doing graceful restart
    2017:07:04-06:27:28 gateway httpd[5361]: [ssl:warn] [pid 5361:tid 4148139712] AH01909: REF_RevFroSkillAndOther:443:0 server certificate does NOT include an ID which matches the server name
    2017:07:04-06:27:28 gateway httpd[5361]: [ssl:warn] [pid 5361:tid 4148139712] AH01909: REF_RevFroSkillAndOther:443:0 server certificate does NOT include an ID which matches the server name
    2017:07:04-06:27:29 gateway httpd[5361]: [proxy_protocol:notice] [pid 5361:tid 4148139712] ProxyProtocol: disabled on 127.0.0.1:4080
    2017:07:04-06:27:29 gateway httpd[5361]: [mpm_worker:notice] [pid 5361:tid 4148139712] AH00292: Apache/2.4.10 (Unix) OpenSSL/1.0.2j-fips configured -- resuming normal operations
    2017:07:04-06:27:29 gateway httpd[5361]: [core:notice] [pid 5361:tid 4148139712] AH00094: Command line: '/usr/apache/bin/httpd'
    2017:07:04-06:27:29 gateway httpd[5361]: [mpm_worker:warn] [pid 5361:tid 4148139712] AH00291: long lost child came home! (pid 10235)
    2017:07:04-06:27:29 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="27335" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1938" url="/status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVttkTLwWoEAACnHL6IAAAAM"
    2017:07:04-06:27:29 gateway httpd[10753]: Restarted
    2017:07:04-06:27:29 gateway httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="726" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="368" url="/lb-status" server="localhost" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WVttkTLwWoEAACnHL6MAAAAO"

    ... 

    Any help would be much appreciated!

    --------------------------------------------------------------------
    Sophos UTM 9.715-4 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

  • 0 in reply to Jeff x

    WAF only supports one session (one port) and is only going to be useful if the protected session is html-based, since its purpose is to screen the traffic for appropriate html syntax.  It seems unlikely that your product fits this model.

    It may be useful to use WAF with OTP for the login page, then rely on firewall rules alone for the secondary session traffic.

    Have you considered html5 vpn (with OTP) to start a remote desktop comnection, as an alternative to your current plan and product?

  • 0 in reply to DouglasFoster

    DouglasFoster said:

    WAF only supports one session (one port) and is only going to be useful if the protected session is html-based, since its purpose is to screen the traffic for appropriate html syntax.  It seems unlikely that your product fits this model.

    It may be useful to use WAF with OTP for the login page, then rely on firewall rules alone for the secondary session traffic.

    Have you considered html5 vpn (with OTP) to start a remote desktop comnection, as an alternative to your current plan and product?

     

    Thanks for the suggestion but some SC clients are permanently installed and no one will be available to login (OTP) to join a session.

    However, a simple NAT and a single firewall rule to allow traffic over port 443 does work for SC. I was hoping to do away with all NAT's in favor of using the WAF for all traffic.

    --------------------------------------------------------------------
    Sophos UTM 9.715-4 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

  • 0 in reply to Jeff x

    Did you ever get this working? I'm running into the exact same issue except I cant connect to a session from the outside.

     

    "An error occured connecting to your session. This will wait a few seconds before trying again. Error: Unable to read beyond the end of the stream"

     

    I also see all end hosts connected to the ScreenConnect server I just can't connect the the session. 

  • 0 in reply to AlanMayer

    Nope. Can't use the WAF with ScreenConnect.

    I had to keep my DNAT and firewall rule.

    --------------------------------------------------------------------
    Sophos UTM 9.715-4 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

Reply
  • 0 in reply to AlanMayer

    Nope. Can't use the WAF with ScreenConnect.

    I had to keep my DNAT and firewall rule.

    --------------------------------------------------------------------
    Sophos UTM 9.715-4 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

Children
  • 0 in reply to Jeff x

    Somebody solved it? 

    You are using DNAT for Port 80, or for every 443 traffic? 

     

    Thanks a lot

    Best Regards

  • 0 in reply to Joe_AB

    No,

     

    I never did get this to work with Sophos UTM. I just kept the DNAT and firewall rules in place. Recently swapped out for Fortigates and Screenconnect relay worked with their Web server protection feature.

  • 0 in reply to Joe_AB

    The WAF supports only HTML-based traffic.

    It's been a long time since I visited this issue. Going from memory, I think I determined that the Sophos WAF could not be used with my ScreenConnnect (SC) setup because I use the same public IP address and port for both the SC web page and the SC sessions. The WAF doesn't know what to do with the SC session data since it's not HTML-based. That's why I have to use a DNAT.

    However, most SC installations use separate IP addresses/ports for the SC web page and sessions so, unless I'm mistaken, I think you should be able to use the WAF for the SC web page.

    --------------------------------------------------------------------
    Sophos UTM 9.715-4 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

  • 0 in reply to Jeff x

    That's what I do. I have the ScreenConnect page through the WAF and relay traffic through DNAT. I actually use Site Path Routing and a little modification to the ScreenConnect config and now have my support page available at https://domain/support. Works great.

  • 0 in reply to JRWalters

    Am I correct in assuming you use a different port or IP for the public session traffic?

    --------------------------------------------------------------------
    Sophos UTM 9.715-4 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

  • 0 in reply to Jeff x

    ScreenConnect requires that you utilize two ports. One for the webpage and one for the relay traffic. https://docs.connectwise.com/ConnectWise_Control_Documentation/On-premises/Get_started_with_ConnectWise_Control_On-Premise/Change_ports_for_an_on-premises_installation

    I have the webpage configured to use 443 through the WAF. I'm pretty sure I left the relay traffic as the default because I didn't have a compelling reason to change it. 

  • 0 in reply to JRWalters

    There's actually an undocumented SC feature (when properly configured) that internally routes/separates the traffic so you can use a single public IP and port for all traffic ;-)

    --------------------------------------------------------------------
    Sophos UTM 9.715-4 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

  • 0 in reply to Jeff x

    You have been using the same port for both the webpage and relay sessions? I'm surprised that works at all. I'd check with ScreenConnect about whether that's a supported configuration.

  • 0 in reply to Jeff x

    What's the advantage of that? Especially if it's undocumented? 

  • 0 in reply to JRWalters

    SC Tech Support may not support my configuration but the software was designed to support it. Like I said, it's an undocumented feature. Years ago, one of the SC devs posted about it in the old SC forum. I believe it only works on Windows, not the Linux version of SC. You have to do quite a bit of extra configuration to get it to work but I have everything running on the same IP, on port 443. That's why I can't use the WAF.

    I use this set up so client users do not have to open a non-standard port. A lot of companies allow only ports 80/443.

    --------------------------------------------------------------------
    Sophos UTM 9.715-4 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

Unfiltered HTML