(formerly ScreenConnect)

• Mono SSL setup is pretty complicated.
• No access to SSL ciphers etc.
• No good way to use Let's Encrypt.
• Two ports are required, one for the web interface and one for the relay.

• Use two IPs to be able to use port 443 for web and relay.
• Use Apache (or Nginx) as reverse proxy for the web interface.

Limitation: „Browser URL Check“ on the status page will fail due to the reverse proxy.

Extra: Webinterface could be made reachable by IPv6!

• Two public IP addesses.
• Corresponding DNS A records.

Example data for this document:

„certbot“ could be found in Debian Jessie back ports. So add back ports:

echo "deb http://ftp.debian.org/debian jessie-backports main" >> /etc/apt/sources.list
apt update

And install „certbot“ for Apache:

apt install python-certbot-apache -t jessie-backports

First modify „/etc/apache2# cat ports.conf“ and restrict Apache to listen only the the first IP. You may add a IPv6 address if you like.

Listen 80

<IfModule ssl_module>
	Listen 1.2.3.4:443
	Listen [2a00:100:200:300::1]:443
</IfModule>

<IfModule mod_gnutls.c>
	Listen 1.2.3.4:443
	Listen [2a00:100:200:300::1]:443
</IfModule>

Initial setup of „/etc/apache2/sites-enabled/000-default.conf “ with port 80 for Let's Encrypt setup.

<VirtualHost *:80>
	ServerName web.example.com

	ServerAdmin webmaster@example.com
	DocumentRoot /var/www/html

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

certbot --apache

This will create the file „/etc/apache2/sites-enabled/000-default-le-ssl.conf“ and modifies „/etc/apache2/sites-enabled/000-default.conf“ to read:

<VirtualHost *:80>
	ServerName web.example.com

	ServerAdmin webmaster@example.com
	DocumentRoot /var/www/html

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	RewriteEngine on
	RewriteCond %{SERVER_NAME} = web.example.com
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

It is important to explicitly bind Apache to the IP addresses intended for the web interfaces as Apache by default binds to all IP addresses and we want to use port 443 on the second address for the relay.

Then modify the file „/etc/apache2/sites-enabled/000-default-le-ssl.conf“ to read:

<VirtualHost 1.2.3.4:443>
	ServerName web.example.com

	ServerAdmin webmaster@example.com
	DocumentRoot /var/www/html

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	SSLCertificateFile /etc/letsencrypt/live/web.example.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/web.example.com/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf

	ProxyPass / http://127.0.0.1:8040/
	ProxyPassReverse / http://127.0.0.1:8040/

</VirtualHost>

<VirtualHost [2a00:100:200:300::1]:443>
	ServerName web.example.com

	ServerAdmin webmaster@example.com
	DocumentRoot /var/www/html

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	SSLCertificateFile /etc/letsencrypt/live/web.example.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/web.example.com/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf

	ProxyPass / http://127.0.0.1:8040/
	ProxyPassReverse / http://127.0.0.1:8040/

</VirtualHost>

Edit „/opt/screenconnect/web.config“ and change „WebServerListenUri“ to:

<add key="WebServerListenUri" value="http://127.0.0.1:8040/">
</add>

Because we do not want to make the original web interface accessible to the and it should be only reachable by the reverse proxy.

Add the key „WebServerAddressableUri“ to inform Connect Wise Control about the real web interface URL:

<add key="WebServerAddressableUri" value="https://web.example.com/">
</add>

Edit the key „RelayListenUri“ to bind the relay to the additional IP and port 443:

<add key="RelayListenUri" value="relay://5.6.7.8:443/">
</add>

Add the key „RelayAddressableUri“ to inform Connect Wise Control about the real URL and port:

<add key="RelayAddressableUri" value="relay://relay.example.com:443/">
</add>