ScreenConnect – enable SSL with permanent redirection to HTTPS

Express guide on how to enable an SSL certificate with redirection from HTTP to HTTPS on Windows Server 2012 R2

Before you begin

This article assumes you have a properly configured ScreenConnect server in a production or testing environment with Passed statuses (everything is green in the Admin panel) and that you have generated an SSL certificate for your domain (check Browser URL status), for example support.contoso.com, in PKCS#12 format via OpenSSL. The steps in this tutorial were tested on Windows Server 2012 R2 in a production environment at the University. This is a modified version of the original tutorial by Reid, a ScreenConnect team member. I’m not responsible for any damage or harm on your server.

Tested & Compatible with: 4.3 – 5.3 stable versions.

Enabling SSL

  • Open web.config in the folder where ScreenConnect is installed and change the value of the WebServerListenUri key to:
..
<add key="SmtpEnableSsl" value="false" />
<add key="WebServerListenUri" value="https://+:443/" />
<add key="RelayListenUri" value="relay://+:8041/" />
..
  • Save web.config and generate your desired SSL certificate (self-signed or issued by a certificate authority) in .p12 or .pfx form, then import it into Local Machine > Personal (you can do this by double-clicking the certificate or via the MMC snap-in).
  • Now we need the thumbprint of the imported certificate, so run PowerShell and type:
Get-ChildItem -Path Cert:\LocalMachine\My
  • Copy the thumbprint of the imported certificate that you’ll use for ScreenConnect, then run from CMD:
netsh http add sslcert ipport=0.0.0.0:443 certhash=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX appid={00000000-0000-0000-0000-000000000000}
  • Where XXXX is the thumbprint of your certificate.
  • Communication via port 443 is now bound to this certificate.
  • To list the active SSL certificate bindings of the HTTP service, run:
netsh http show sslcert
  • Remember to add firewall exceptions for ports 80 and 443!
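
The binding steps above as one script, run from an elevated PowerShell prompt. This is an added example, not part of the original guide; it assumes the certificate's common name equals the host name support.contoso.com, and the firewall rule name is made up for illustration.

```powershell
# Added example: bind the imported certificate to 0.0.0.0:443 for HTTP.SYS.
# Assumption: the certificate CN is exactly $HostName (a wildcard CN will not match).
$HostName = 'support.contoso.com'

# Pick the newest certificate in Local Machine > Personal that is in date
# and has a private key (without one, the HTTPS listener cannot use it).
$now  = Get-Date
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        $_.GetNameInfo('SimpleName', $false) -eq $HostName
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No usable certificate for $HostName in Cert:\LocalMachine\My"
}

# Reading the thumbprint from the store avoids copy/paste. A thumbprint pasted
# from the certificate dialog can carry an invisible U+200E character or
# spaces, which makes netsh reject it, so keep hex digits only and check length.
$thumb = ($cert.Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($thumb.Length -ne 40) {
    throw "Unexpected thumbprint length: $($thumb.Length)"
}

# The appid argument is quoted because PowerShell parses bare {...} as a
# script block. The add fails if 0.0.0.0:443 already has a binding.
netsh http add sslcert ipport=0.0.0.0:443 "certhash=$thumb" 'appid={00000000-0000-0000-0000-000000000000}'
if ($LASTEXITCODE -ne 0) {
    throw "netsh http add sslcert failed with exit code $LASTEXITCODE"
}

# Show the binding that is now active on port 443.
netsh http show sslcert ipport=0.0.0.0:443

# Firewall exception for ports 80 and 443 (rule name is hypothetical).
$ruleName = 'ScreenConnect web (80, 443)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort 80, 443 -Action Allow | Out-Null
}
```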

Redirecting http to https

  • Open your ScreenConnect web.config, navigate to the <appSettings> section and add a new WebServerAlternateListenUri key under WebServerListenUri. Remember also to modify or add the lines with the RedirectFromBaseUrl and RedirectToBaseUrl keys (it depends on your environment). The resulting configuration should look like this:
..
<add key="SmtpEnableSsl" value="false" />
<add key="WebServerListenUri" value="https://+:443/" />
<add key="WebServerAlternateListenUri" value="http://+:80/" />
<add key="RelayListenUri" value="relay://+:8041/" />
<add key="RedirectFromBaseUrl" value="http://*/" />
<add key="RedirectToBaseUrl" value="https://support.contoso.com:443/" />
..
  • Find the <httpModules> section in web.config and add a new BaseUrlRedirectionModule line, with the following result:
..
<add name="CompressionModule" type="Elsinore.ScreenConnect.CompressionModule, Elsinore.ScreenConnect.Web" />
<add name="BaseUrlRedirectionModule" type="BaseUrlRedirectionModule" />
<add name="FormsAuthenticationModule" type="Elsinore.ScreenConnect.FormsAuthenticationModule, Elsinore.ScreenConnect.Web" />
..
  • Download BaseUrlRedirectionModule.cs (click save as)
  • Create a subdirectory called “App_Code” inside the folder where ScreenConnect is installed and put the downloaded BaseUrlRedirectionModule.cs file into it.
  • Restart the ScreenConnect Web Server service:
net stop "ScreenConnect Web Server" && net start "ScreenConnect Web Server"

Done. ScreenConnect now also listens on the usual HTTP port 80, and requests arriving there are immediately redirected to HTTPS on port 443. A guest visiting http://support.contoso.com is redirected to https://support.contoso.com.
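
A check for the finished setup, added here and not part of the original guide: it requests the plain-HTTP URL without following redirects and reports the status code and Location header. The function name is made up for this example; it also reports whether the redirect is permanent (301/308) or temporary, since the module source quoted in the comments below calls Response.Redirect, which answers with 302.

```powershell
# Added example: confirm that plain HTTP answers with a redirect to HTTPS.
# Test-HttpsRedirect is a hypothetical helper name, not a ScreenConnect tool.
function Test-HttpsRedirect {
    param([Parameter(Mandatory = $true)][string]$HostName)

    $req = [System.Net.HttpWebRequest][System.Net.WebRequest]::Create("http://$HostName/")
    $req.AllowAutoRedirect = $false   # inspect the redirect itself, do not follow it
    $req.Timeout = 10000              # milliseconds

    try {
        $resp = $req.GetResponse()
    } catch {
        # 4xx/5xx answers (for example a 401 prompt on port 80) arrive as a
        # WebException, possibly wrapped by PowerShell; unwrap and keep the response.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        if (-not $ex -or -not $ex.Response) { throw }
        $resp = $ex.Response
    }

    try {
        $status   = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
    } finally {
        $resp.Close()
    }

    # The redirect is only good if it points at https:// on the same host.
    $target = $null
    $ok = ($status -in 301, 302, 307, 308) -and
          [Uri]::TryCreate($location, [UriKind]::Absolute, [ref]$target) -and
          $target.Scheme -eq 'https' -and
          $target.Host -eq $HostName

    [pscustomobject]@{
        Status    = $status
        Location  = $location
        Permanent = $status -in 301, 308
        Redirects = [bool]$ok
    }
}

# Assumption: replace the host name with your own ScreenConnect address.
Test-HttpsRedirect -HostName 'support.contoso.com'
```

A Status of 401 with Redirects set to False means port 80 is answering but the request never reached the redirection module.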

10 thoughts on “ScreenConnect – enable SSL with permanent redirection to HTTPS”

    • Hello Reid,

      Thank you for the review, but I must admit these 2 steps were there, just without a warning about adding/modifying them, so it was confusing. I’ve highlighted these 2 lines and also added a note about this needed change.
      Thanks for useful comment.

      Michael

  1. Followed your writeup today with a new installation and it worked as desired. Thanks!

  2. Thanks for this guide! I am having a weird problem though. When accessing the http://screenconnnectserver.server.com the browser doesn’t redirect but instead drops an authentication popup that states “http://screenconnectserver.server.com:80 requires a username and password”

    Navigating directly to the https://screenconnectserver.server.com works properly so I can tell the SSL cert is installed correctly, but the redirect doesn’t seem to work.

    Any help would be greatly appreciated.

  3. I put together a simple (probably superfluous) PowerShell command to do everything listed here.

    You can save this code snippet as a .ps1 file, then open PowerShell, and run the file.

    
    $path = Read-Host -Prompt 'Please enter the full path to the screenconnect web.config file (no quotes) - press ENTER for the default (C:\Program Files (x86)\ScreenConnect\web.config)'
    if ($path -eq '') {$path = 'C:\Program Files (x86)\ScreenConnect\web.config'}
    write-host Your web.config file is here: $path
    $https = Read-Host -Prompt 'Input the full URL including https:// '
    write-host Your full https:// URL to ScreenConnect is: $https
    $xml = [xml] (type $path)
    
        $newEl=$xml.CreateElement("add");
        $nameAtt1=$xml.CreateAttribute("key");
        $nameAtt1.psbase.value="WebServerAlternateListenUri";
        $newEl.SetAttributeNode($nameAtt1);                  
        $nameAtt2=$xml.CreateAttribute("value");             
        $nameAtt2.psbase.value="http://+:80/";               
        $newEl.SetAttributeNode($nameAtt2);                  
        $xml.configuration["appSettings"].AppendChild($newEl);
    
        $newEl=$xml.CreateElement("add");                     
        $nameAtt1=$xml.CreateAttribute("key");                
        $nameAtt1.psbase.value="RedirectFromBaseUrl";         
        $newEl.SetAttributeNode($nameAtt1);                   
        $nameAtt2=$xml.CreateAttribute("value");              
        $nameAtt2.psbase.value="http://*/";                   
        $newEl.SetAttributeNode($nameAtt2);                   
        $xml.configuration["appSettings"].AppendChild($newEl);
    
        $newEl=$xml.CreateElement("add");                     
        $nameAtt1=$xml.CreateAttribute("key");                
        $nameAtt1.psbase.value="RedirectToBaseUrl";          
        $newEl.SetAttributeNode($nameAtt1);                  
        $nameAtt2=$xml.CreateAttribute("value");             
        $nameAtt2.psbase.value=$https;                       
        $newEl.SetAttributeNode($nameAtt2);                   
        $xml.configuration["appSettings"].AppendChild($newEl);
    
        $newEl=$xml.CreateElement("add");                     
        $nameAtt1=$xml.CreateAttribute("name");               
        $nameAtt1.psbase.value="BaseUrlRedirectionModule";    
        $newEl.SetAttributeNode($nameAtt1);                   
        $nameAtt2=$xml.CreateAttribute("type");               
        $nameAtt2.psbase.value="BaseUrlRedirectionModule";    
        $newEl.SetAttributeNode($nameAtt2);                   
        $xml.configuration.'system.web'["httpModules"].AppendChild($newEl);
    	
    $xml.Save($path)
    $newDir = $path.substring(0,$path.Length-11) + "\App_Code"
    New-Item $newDir -type directory -force
    $code = @"
    using System;
    using System.Web;
    using System.Configuration;
    using System.Text.RegularExpressions;
     
    public class BaseUrlRedirectionModule : IHttpModule
    {
        public void Init(HttpApplication application)
        {
            application.BeginRequest += delegate
            {
                var redirectFromBaseUrl = ConfigurationManager.AppSettings["RedirectFromBaseUrl"];
     
                if (!string.IsNullOrEmpty(redirectFromBaseUrl))
                {
                    var pattern = '^' + Regex.Escape(redirectFromBaseUrl).Replace("\\*", ".*").Replace("\\?", ".");
                    var oldUrl = application.Context.Request.Url.AbsoluteUri;
                    var match = Regex.Match(oldUrl, pattern, RegexOptions.IgnoreCase);
     
                    if (match.Success)
                    {
                        var newUrl = ConfigurationManager.AppSettings["RedirectToBaseUrl"] + oldUrl.Substring(match.Length);
     
                        if (!string.Equals(newUrl, oldUrl, StringComparison.InvariantCultureIgnoreCase))
                            application.Context.Response.Redirect(newUrl);
                    }
                }
            };
        }
     
        public void Dispose() { }
    }
    "@
    $newFile = $path.substring(0,$path.Length-11) + "\App_Code\BaseUrlRedirectionModule.cs"
    
    New-Item $newFile -type file -force -value $code
    
    Restart-Service -displayname "ScreenConnect Web Server"
    
    
  4. Is there any way to get hold of the BaseUrlRedirectionModule.cs?
    The link seems to be inactive.
