I use the WAF to protect my servers but I cannot get it work with ScreenConnect (SC). Maybe it's not even possible???
I want to use the WAF, rather than a DNAT, because I am using the same static, public IP for 'mysite.com' and 'www.mysite.com'. I have ScreenConnect (SC) installed on a Windows server along with WAMP. WAMP listens on ports 80 and 443 on internal IP 10.x.x.120 (www.mysite.com) and the SC server listens on ports 80, 443, 8040, and 8041 on internal IP 10.x.x.130 (mysite.com). My SSL cert is installed correctly in the UTM as well as the webserver. I have specified separate network definitions with the correct host names and internal IP's.
SC has a so-called built-in relay and router. Presumably, this is how web and remote desktop traffic are split and redirected to the correct ports. SC also automatically redirects http to https. Below are some of the settings in the SC config:
<listenUris> <listenUri>tcp://10.x.x.130:80/</listenUri> <listenUri>tcp://10.x.x.130:443/</listenUri> </listenUris> <rules> <rule schemeExpression="http" actionType="issueRedirect" actionData="https://$HOST/" /> <rule schemeExpression="ssl" actionType="forwardPayload" actionData="https://10.x.x.130:8041/" /> <rule schemeExpression="relay" actionType="forwardPayload" actionData="https://10.x.x.130:8040/" /> </rules><add key="WebServerListenUri" value="https://10.x.x.130:8041/" /> <add key="WebServerAddressableUri" value="https://mysite.com/" /> <add key="RelayListenUri" value="relay://10.x.x.130:8040/" /> <add key="RelayAddressableUri" value="relay://mysite.com:443/" />
If I set up a basic DNAT and disable the Virtual server in the WAF settings of the UTM, I have no issues with ScreenConnect but then all traffic for 'mysite.com' and 'www.mysite.com' are picked up by SC.
I've tried setting up a Real and Virtual server for port 443. I even tried creating Real and Virtual servers for the other ports even though there is no indication that traffic on the other ports is being dropped by Sophos. I can access the SC web page and login but when I try to start a remote session, nothing happens. What's odd is there's no dropped traffic logged in the WAF, Firewall or IPS logs.
Is what I'm trying to accomplish with the WAF even possible? Could it be that some of the traffic does not contain host header info and the WAF does not know what to do with it?
That's what I do. I have the ScreenConnect page through the WAF and relay traffic through DNAT. I actually use Site Path Routing and a little modification to the ScreenConnect config and now have my support page available at https://domain/support. Works great.
Am I correct in assuming you use a different port or IP for the public session traffic?
-------------------------------------------------------------------- Sophos UTM 9.713-19 - Home User Dell Optiplex XE Intel Core 2 Duo CPU E8600 @ 3.33GHz 8GB RAM --------------------------------------------------------------------
ScreenConnect requires that you utilize two ports. One for the webpage and one for the relay traffic. https://docs.connectwise.com/ConnectWise_Control_Documentation/On-premises/Get_started_with_ConnectWise_Control_On-Premise/Change_ports_for_an_on-premises_installation
I have the webpage configured to use 443 through the WAF. I'm pretty sure I left the relay traffic as the default because I didn't have a compelling reason to change it.
There's actually an undocumented SC feature (when properly configured) that internally routes/separates the traffic so you can use a single public IP and port for all traffic ;-)
You have been using the same port for both the webpage and relay sessions? I'm surprised that works at all. I'd check with ScreenConnect about whether that's a supported configuration.
What's the advantage of that? Especially if it's undocumented?
SC Tech Support may not support my configuration but the software was designed to support it. Like I said, it's an undocumented feature. Years ago, one of the SC devs posted about it in the old SC forum. I believe it only works on Windows, not the Linux version of SC. You have to do quite a bit of extra configuration to get it to work but I have everything running on the same IP, on port 443. That's why I can't use the WAF.
I use this set up so client users do not have to open a non-standard port. A lot of companies allow only ports 80/443.
My hope was to run the webserver over 443+SSL via WAF -> Looks good
But DNAT for relay Port 80 (New definition not the default HTTP) -> Not working -.-
You are running relay over 8041 (default?)