Despite all the things people say about Connectwise, I still hold ScreenConnect or Connectwise Control close to my heart as one of the best support and remote access tools out there. It’s light, friendly and easy to use for support staff and end users and just gets the job done. I look after our own instance along with another for a large software provider and generally set it up so that our Web Service and Relay both run on port 443 to prevent issues with Firewalls/Ports being blocked.
Running all the services on port 443 requires the ScreenConnect router service which, while officially "unsupported", has existed for years and is what ConnectWise uses in its own ScreenConnect cloud hosting environments. I've ripped out and sanitised my notes on the setup in case it's ever needed. The router listens on port 443 and routes each incoming connection, whether web or relay, to the Web Server or Relay service, which still run on their default ports of 8043 and 8041 respectively. The following is my guide to getting this going.
Download the latest version from the ScreenConnect Downloads page and install the ScreenConnect on-premise package onto your target server. Run the setup wizard in the browser to set up a strong local Administrator user (we always push clients to use SAML SSO where possible). Open Regedit, go to HKLM\System\CurrentControlSet\Services, then locate and export the "ScreenConnect Relay" key. Edit the saved registry file in Notepad, change the key name to "ScreenConnect Router", import it back in and restart the machine. This should look something like the attached image.
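The same export, rename and import step done from PowerShell, as an added example that is not part of the original post or of ConnectWise's own tooling. It assumes the service key names shown above and must be run from an elevated prompt; it copies the Relay key verbatim under the new name, exactly as the .reg edit does, and takes a backup first so the change can be reversed.

```powershell
# Added example (not from the original post): create the "ScreenConnect Router"
# service entry by copying the Relay's registry key under the new name.
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$source   = Join-Path $services 'ScreenConnect Relay'
$target   = Join-Path $services 'ScreenConnect Router'

if (-not (Test-Path $source)) {
    throw 'Relay service key not found; is ScreenConnect installed on this host?'
}

# Export the Relay key first so the change can be rolled back with "reg import".
$backup = Join-Path $env:TEMP 'ScreenConnect-Relay-backup.reg'
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\ScreenConnect Relay' $backup /y | Out-Null
Write-Host "Backup written to $backup"

if (Test-Path $target) {
    Write-Warning 'Router key already exists; leaving it untouched.'
} else {
    # -Recurse copies the key, all of its values and any subkeys verbatim,
    # which is what importing the renamed .reg file does.
    Copy-Item -Path $source -Destination $target -Recurse
}

# The Service Control Manager only reads new service keys at boot, so the
# Router service will not show up in Get-Service until the machine restarts.
Get-ItemProperty -Path $target | Select-Object DisplayName, ImagePath, Start
```

After the reboot, `Get-Service 'ScreenConnect*'` should list the Router alongside the Relay, Web Server and Session Manager.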
Once you're back at the desktop, navigate to C:\Program Files (x86)\ScreenConnect, back up web.config under the main install folder, then open it in your favorite text editor. Inside the <configuration> element, paste the following slab of text to add the configuration for the routing service.
  <configSections>
    <section name="screenconnect.routing" type="ScreenConnect.RoutingConfigurationHandler, ScreenConnect.Server" />
  </configSections>
  <screenconnect.routing>
    <listenUris>
      <listenUri>tcp://+:80/</listenUri>
      <listenUri>tcp://+:443/</listenUri>
    </listenUris>
    <rules>
      <rule schemeExpression="http" actionType="issueRedirect" actionData="https://$HOST/" />
      <rule schemeExpression="ssl" actionType="forwardPayload" actionData="https://localhost:8043/" />
      <rule schemeExpression="relay" actionType="forwardPayload" actionData="https://localhost:8041/" />
    </rules>
  </screenconnect.routing>
Next, add the following keys to the appSettings section:
  <add key="WebServerListenUri" value="https://+:8043/" />
  <add key="WebServerAddressableUri" value="https://my.domain.com" />
  <add key="RelayListenUri" value="relay://+:8041/" />
  <add key="RelayAddressableUri" value="relay://my.domain.com:443/" />
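Hand-editing web.config is where most of the "service won't start" errors come from, so here is the routing section and the appSettings keys applied through the XML parser instead. This is an added example, not code from the post or from ConnectWise; it assumes the default install path and the service name "ScreenConnect Session Manager", and my.domain.com is the post's placeholder host name. The script is idempotent: running it twice does not duplicate sections or keys.

```powershell
# Added example (not from the original post): apply the routing section and
# appSettings keys to web.config via the XML parser, with a timestamped backup.
$installDir = 'C:\Program Files (x86)\ScreenConnect'
$configPath = Join-Path $installDir 'web.config'
$hostName   = 'my.domain.com'   # placeholder from the post; replace with your host name

# A bad edit stops every ScreenConnect service, so keep a copy to roll back to.
Copy-Item -Path $configPath -Destination "$configPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"

[xml]$cfg = Get-Content -Path $configPath -Raw
$root = $cfg.configuration

# 1. <configSections> must be the first child of <configuration>; register the handler once.
$sections = $root.SelectSingleNode('configSections')
if (-not $sections) {
    $sections = $cfg.CreateElement('configSections')
    $root.PrependChild($sections) | Out-Null
}
if (-not $sections.SelectSingleNode("section[@name='screenconnect.routing']")) {
    $s = $cfg.CreateElement('section')
    $s.SetAttribute('name', 'screenconnect.routing')
    $s.SetAttribute('type', 'ScreenConnect.RoutingConfigurationHandler, ScreenConnect.Server')
    $sections.AppendChild($s) | Out-Null
}

# 2. <screenconnect.routing>: listeners on 80/443 and the three rules from the post.
if (-not $root.SelectSingleNode('screenconnect.routing')) {
    $routing = $cfg.CreateElement('screenconnect.routing')
    $listen  = $routing.AppendChild($cfg.CreateElement('listenUris'))
    foreach ($uri in 'tcp://+:80/', 'tcp://+:443/') {
        $e = $cfg.CreateElement('listenUri'); $e.InnerText = $uri
        $listen.AppendChild($e) | Out-Null
    }
    $rules = $routing.AppendChild($cfg.CreateElement('rules'))
    $ruleSpecs = @(
        @{ scheme = 'http';  action = 'issueRedirect';  data = 'https://$HOST/' },
        @{ scheme = 'ssl';   action = 'forwardPayload'; data = 'https://localhost:8043/' },
        @{ scheme = 'relay'; action = 'forwardPayload'; data = 'https://localhost:8041/' }
    )
    foreach ($r in $ruleSpecs) {
        $e = $cfg.CreateElement('rule')
        $e.SetAttribute('schemeExpression', $r.scheme)
        $e.SetAttribute('actionType',       $r.action)
        $e.SetAttribute('actionData',       $r.data)
        $rules.AppendChild($e) | Out-Null
    }
    $root.InsertAfter($routing, $sections) | Out-Null
}

# 3. appSettings: update the value when the key exists, otherwise add it.
$appSettings = $root.SelectSingleNode('appSettings')
if (-not $appSettings) { throw 'web.config has no <appSettings> element; check the file.' }
$settings = @{
    WebServerListenUri      = 'https://+:8043/'
    WebServerAddressableUri = "https://$hostName"
    RelayListenUri          = 'relay://+:8041/'
    RelayAddressableUri     = "relay://${hostName}:443/"
}
foreach ($k in $settings.Keys) {
    $node = $appSettings.SelectSingleNode("add[@key='$k']")
    if ($node) {
        $node.SetAttribute('value', $settings[$k])
    } else {
        $node = $cfg.CreateElement('add')
        $node.SetAttribute('key', $k)
        $node.SetAttribute('value', $settings[$k])
        $appSettings.AppendChild($node) | Out-Null
    }
}

$cfg.Save($configPath)

# All ScreenConnect services depend on the Session Manager, so -Force restarts them too.
Restart-Service -Name 'ScreenConnect Session Manager' -Force
```

If a service still fails to start afterwards, the backup file next to web.config restores the previous state, and the Application Event Log shows the configuration line ScreenConnect choked on.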
Once you've made those changes to web.config, restart the ScreenConnect services by restarting the ScreenConnect Session Manager service; you can restart each service one by one instead, but since they all depend on the Session Manager, restarting it does the trick. If you get an error, recheck your web.config. If you need help, check the Application Event Log, which will show useful crash information for ScreenConnect pointing to the issue.
The next step to getting it all working is the Windows Firewall: we had to ensure that Edge Traversal was allowed for the ScreenConnect ports. We added new Windows Firewall entries for this so that ScreenConnect would not change these values when its services were restarted. The ports used are 80 and 443 for traffic hitting the server, and 8041 and 8043 for traffic the server routes to itself (which is seen as unsolicited routed traffic, thus requiring Edge Traversal).
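The firewall rules described above, created with the NetSecurity cmdlets so they survive service restarts. This is an added example, not from the post or from ConnectWise; the rule display names are my own choice. Note that only 80 and 443 need to be reachable from outside: 8041 and 8043 exist for the router's own forwarded connections, so your perimeter firewall can keep them closed.

```powershell
# Added example (not from the original post): inbound TCP rules for the ports
# the post lists, with edge traversal allowed. Re-running the script only
# updates existing rules rather than creating duplicates.
$rules = @(
    @{ Name = 'ScreenConnect Router HTTP';  Port = 80   },
    @{ Name = 'ScreenConnect Router HTTPS'; Port = 443  },
    @{ Name = 'ScreenConnect Relay';        Port = 8041 },
    @{ Name = 'ScreenConnect Web Server';   Port = 8043 }
)

foreach ($r in $rules) {
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        # Rule exists (e.g. from a previous run): make sure it is enabled and allows edge traversal.
        Set-NetFirewallRule -DisplayName $r.Name -Enabled True -EdgeTraversalPolicy Allow
    } else {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
            -LocalPort $r.Port -Action Allow -Profile Any -EdgeTraversalPolicy Allow | Out-Null
    }
}

# Verify: every rule should report Enabled = True and EdgeTraversalPolicy = Allow.
Get-NetFirewallRule -DisplayName 'ScreenConnect*' |
    Select-Object -Property DisplayName, Enabled, Direction, EdgeTraversalPolicy
```

The verification line is the one to re-run after any ScreenConnect upgrade: the installer's own rules may reappear, but the named rules above are the ones carrying the Edge Traversal setting.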
Finally, we want to secure everything with SSL, so install your certificate into the local machine store and take note of its thumbprint (hash) so we can use netsh to attach it to the service.
Use the following command to show any existing SSL certificate bindings; we are looking for one on port 8043.
netsh http show sslcert
We can then use the following command to remove any existing binding:
netsh http delete sslcert ipport=0.0.0.0:8043
Now, finally, we attach the certificate we installed earlier, replacing the certhash with the thumbprint we copied; the appid stays as below.
netsh http add sslcert ipport=0.0.0.0:8043 certhash=d34cxxxxxxxxxxxx appid={00000000-0000-0000-0000-000000000000}
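The three netsh steps above, wrapped in a script that finds the certificate by host name, refuses expired certificates or ones without a private key, and checks the result. This is an added example, not code from the post or from ConnectWise; my.domain.com is the post's placeholder, the appid is the one the post uses, and "ScreenConnect Session Manager" is assumed to be the service name.

```powershell
# Added example (not from the original post): select a usable certificate from
# LocalMachine\My, bind it to 0.0.0.0:8043 via HTTP.sys, then verify.
$hostName = 'my.domain.com'    # placeholder from the post; replace with your host name
$ipport   = '0.0.0.0:8043'
$appId    = '{00000000-0000-0000-0000-000000000000}'

# Candidates must have a private key and still be valid; prefer the longest-lived
# one whose subject CN or SAN matches the host name.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Where-Object { $_.Subject -like "*CN=$hostName*" -or ($_.DnsNameList.Unicode -contains $hostName) } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No valid certificate with a private key found for $hostName in LocalMachine\My"
}
Write-Host "Binding $($cert.Subject) thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# netsh refuses to add a binding on a port that already has one, so remove it first.
$existing = netsh http show sslcert "ipport=$ipport"
if ($existing -match 'Certificate Hash') {
    netsh http delete sslcert "ipport=$ipport" | Out-Null
}
netsh http add sslcert "ipport=$ipport" "certhash=$($cert.Thumbprint)" "appid=$appId"

# Confirm the binding shows the new thumbprint, bounce the services and
# check that the public port (443, fronted by the router) answers.
netsh http show sslcert "ipport=$ipport"
Restart-Service -Name 'ScreenConnect Session Manager' -Force
Test-NetConnection -ComputerName $hostName -Port 443 |
    Select-Object -Property ComputerName, RemotePort, TcpTestSucceeded
```

If TcpTestSucceeded comes back false while the services are running, the culprit is usually the firewall step rather than the certificate; a thumbprint mismatch in the netsh output points at the binding instead.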
Finally, restart everything one more time for good measure, then log in to the web interface of your ScreenConnect instance and go to the Administration screen, where you should see all green ticks on the Status Check page.
As a side note, you could also adjust the SQL connection string in web.config to point to SQL Server (an Express instance is fine) instead of the embedded SQLite database. Coming from managing a very large instance, this helped performance greatly and I didn't run into any issues; however, it isn't supported by ConnectWise and your mileage may vary.