I use the WAF to protect my servers but I cannot get it to work with ScreenConnect (SC). Maybe it's not even possible???
I want to use the WAF, rather than a DNAT, because I am using the same static, public IP for 'mysite.com' and 'www.mysite.com'. I have ScreenConnect (SC) installed on a Windows server along with WAMP. WAMP listens on ports 80 and 443 on internal IP 10.x.x.120 (www.mysite.com) and the SC server listens on ports 80, 443, 8040, and 8041 on internal IP 10.x.x.130 (mysite.com). My SSL cert is installed correctly in the UTM as well as on the webserver. I have specified separate network definitions with the correct host names and internal IPs.
SC has a so-called built-in relay and router. Presumably, this is how web and remote desktop traffic are split and redirected to the correct ports. SC also automatically redirects http to https. Below are some of the settings in the SC config:
<listenUris>
  <listenUri>tcp://10.x.x.130:80/</listenUri>
  <listenUri>tcp://10.x.x.130:443/</listenUri>
</listenUris>
<rules>
  <rule schemeExpression="http" actionType="issueRedirect" actionData="https://$HOST/" />
  <rule schemeExpression="ssl" actionType="forwardPayload" actionData="https://10.x.x.130:8041/" />
  <rule schemeExpression="relay" actionType="forwardPayload" actionData="https://10.x.x.130:8040/" />
</rules>

<add key="WebServerListenUri" value="https://10.x.x.130:8041/" />
<add key="WebServerAddressableUri" value="https://mysite.com/" />
<add key="RelayListenUri" value="relay://10.x.x.130:8040/" />
<add key="RelayAddressableUri" value="relay://mysite.com:443/" />
If I set up a basic DNAT and disable the Virtual server in the WAF settings of the UTM, I have no issues with ScreenConnect, but then all traffic for 'mysite.com' and 'www.mysite.com' is picked up by SC.
I've tried setting up a Real and Virtual server for port 443. I even tried creating Real and Virtual servers for the other ports even though there is no indication that traffic on the other ports is being dropped by Sophos. I can access the SC web page and login but when I try to start a remote session, nothing happens. What's odd is there's no dropped traffic logged in the WAF, Firewall or IPS logs.
Is what I'm trying to accomplish with the WAF even possible? Could it be that some of the traffic does not contain host header info and the WAF does not know what to do with it?
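The question in the last paragraph is really about what a host-header-based reverse proxy (which is what the UTM WAF is at layer 7) can and cannot route. The following Python sketch is an added illustration, not code from the poster, from Sophos or from ScreenConnect: it models a WAF virtual server that has already terminated TLS and now has to pick a backend for each inbound stream. The backend table mirrors the two internal hosts named in the post (10.x.x.120 for www.mysite.com, 10.x.x.130 for mysite.com); the sample requests and the binary "relay-like" blob are constructed here, and nothing in it claims to reproduce the actual ScreenConnect relay wire format. The point it demonstrates: a stream the proxy cannot parse as HTTP carries no Host header, so there is nothing for a name-based virtual server to route on.

```python
from typing import Optional

# Request-line prefixes that let a layer-7 proxy recognise a plaintext HTTP request.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")

# Hypothetical routing table modelled on the poster's setup (constructed, not UTM config).
BACKENDS = {
    "mysite.com": "10.x.x.130",      # ScreenConnect web/relay host
    "www.mysite.com": "10.x.x.120",  # WAMP web server
}


def classify_stream(first_bytes: bytes) -> str:
    """Return 'http' if the stream starts like an HTTP request, else 'other'."""
    return "http" if first_bytes.startswith(HTTP_METHODS) else "other"


def host_header(request: bytes) -> Optional[str]:
    """Extract the Host header (without port) from a plaintext HTTP request head, or None."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            return host.split(":", 1)[0].lower()
    return None


def waf_route(decrypted_stream: bytes) -> str:
    """Decide what a host-header based WAF can do with one decrypted inbound stream.

    Returns a human-readable decision string; 'forward to <ip>' on success,
    'drop: <reason>' when no layer-7 routing decision is possible.
    """
    if classify_stream(decrypted_stream) != "http":
        # Opaque or non-HTTP payload (e.g. a remote-control relay channel):
        # no request line, no Host header, hence no virtual server can claim it.
        return "drop: not HTTP, no Host header to route on"
    host = host_header(decrypted_stream)
    if host is None:
        return "drop: HTTP request without Host header"
    backend = BACKENDS.get(host)
    if backend is None:
        return f"drop: no virtual server for host {host}"
    return f"forward to {backend}"


if __name__ == "__main__":
    # Constructed sample streams, as the WAF would see them after TLS termination.
    samples = [
        b"GET / HTTP/1.1\r\nHost: mysite.com\r\n\r\n",
        b"GET /index.php HTTP/1.1\r\nHost: www.mysite.com:443\r\n\r\n",
        b"GET / HTTP/1.0\r\n\r\n",
        b"\x00\x12relay-frame\xff\xfe",   # constructed opaque payload, not real SC relay data
    ]
    for s in samples:
        print(repr(s[:24]), "->", waf_route(s))
```

The same decision logic is what makes the DNAT approach work where the WAF does not: a DNAT forwards every byte on port 443 to one host regardless of content, so ScreenConnect's own router (the schemeExpression rules in the config above) gets to see the stream, but that also means a single public IP can only hand port 443 to one internal host.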