ScreenConnect – enable SSL with permanent redirection to HTTPS
A quick guide to enabling an SSL certificate with redirection from HTTP to HTTPS on Windows Server 2012 R2.
Before you begin
This article assumes you have a properly configured ScreenConnect server in a production or testing environment with Passed statuses (everything is green in the Admin panel) and that you have generated an SSL certificate for your domain (check the Browser URL status), for example support.contoso.com, in PKCS#12 format via OpenSSL. The steps in this tutorial were tested under Windows Server 2012 R2 in a production environment at the University. This is a modified version of the original tutorial by _Reid, a ScreenConnect team member_. I’m not responsible for any damage or harm to your server.
_Tested and compatible with: 4.3 – 5.3 stable versions._
Enabling SSL
- Open web.config in the folder where ScreenConnect is installed and change the value of the WebServerListenUri key to:
..
..
- Save web.config, generate your desired SSL certificate (self-signed or issued by a certificate authority) in .p12 or .pfx format, and import it to **Local Machine > Personal** (you can do this by double-clicking the certificate or via the MMC snap-in).
- Now we need the thumbprint of the imported certificate, so run PowerShell and type:
Get-ChildItem -Path Cert:\LocalMachine\My
- Copy the thumbprint of the imported certificate that ScreenConnect will use, then run from CMD:
netsh http add sslcert ipport=0.0.0.0:443 certhash=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX appid={00000000-0000-0000-0000-000000000000}
- Where XXXX is the thumbprint of your certificate.
- Traffic on port 443 is now bound to this certificate.
- To list the active SSL certificate bindings, run:
netsh http show sslcert
- Remember to add firewall exceptions for ports 80 and 443!
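A check for the steps above, added here as an example (not part of the original tutorial): it picks the certificate for the host from Local Machine > Personal, rejects one that is expired or lacks a private key, and confirms that the 0.0.0.0:443 binding carries its thumbprint. The hostname is the page's sample value and the function names are hypothetical.

```powershell
# Added example. The hostname is the page's sample value; change it for your server.
$hostname = 'support.contoso.com'
$ipport   = '0.0.0.0:443'

function Get-UsableServerCert {
    param([string]$Name)
    $now = Get-Date
    # Certificates in Local Machine > Personal whose subject mentions the hostname.
    # A wildcard or SAN-only certificate needs a different filter (assumption).
    # Keep only certificates that have a private key and are inside their
    # validity period; a public-only import cannot serve TLS.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$Name*" } |
        Where-Object { $_.HasPrivateKey } |
        Where-Object { $_.NotBefore -le $now } |
        Where-Object { $_.NotAfter -gt $now } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Test-SslBinding {
    param([string]$IpPort, [string]$Thumbprint)
    # netsh prints the bound hash in hex. Matching on the thumbprint itself
    # (case-insensitive) avoids depending on the display language of netsh.
    $out = netsh http show sslcert ipport=$IpPort | Out-String
    return $out -match [regex]::Escape($Thumbprint)
}

$cert = Get-UsableServerCert -Name $hostname
if (-not $cert) {
    throw "No valid certificate with a private key for $hostname in LocalMachine\My"
}
"Thumbprint: $($cert.Thumbprint) (expires $($cert.NotAfter))"

if (Test-SslBinding -IpPort $ipport -Thumbprint $cert.Thumbprint) {
    "OK: $ipport is bound to this certificate"
} else {
    # The braces must be quoted when the command is typed in PowerShell instead of CMD.
    "Not bound. Command from the steps above, quoted for PowerShell:"
    "netsh http add sslcert ipport=$ipport certhash=$($cert.Thumbprint) appid='{00000000-0000-0000-0000-000000000000}'"
}
```

Run it in an elevated PowerShell session on the ScreenConnect server; it only reads the certificate store and the existing binding and changes nothing.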
Redirecting http to https
- Open your ScreenConnect web.config, navigate to the <appSettings> section and add a new line with the WebServerAlternateListenUri key under WebServerListenUri. Remember also to modify or add the lines with the RedirectFromBaseUrl and RedirectToBaseUrl keys (this depends on your environment). The whole configuration should look like this:
..
..
- Find the <httpModules> section in web.config and add a new line for BaseUrlRedirectionModule, with the following result:
..
..
- Download BaseUrlRedirectionModule.cs (click Save as).
- Create a subdirectory called “App_Code” inside the ScreenConnect installation folder and put the downloaded BaseUrlRedirectionModule.cs file in it.
- Restart ScreenConnect Web Server service:
net stop "ScreenConnect Web Server" && net start "ScreenConnect Web Server"
Done. ScreenConnect should now listen on the usual HTTP port 80, which is immediately redirected to HTTPS on port 443, so a guest visiting http://support.contoso.com will be redirected to https://support.contoso.com.
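To see which URL a given request will be redirected to, the following added example (not from the original tutorial) ports the matching logic of the BaseUrlRedirectionModule source quoted in the comments below to PowerShell and runs it over constructed URLs. The wildcard value `http://*/` is the one used by the script in the comments; the explicit-host value, the sample paths and the function name are assumptions made for comparison.

```powershell
# Added example: PowerShell port of the module's URL matching, for offline inspection.
function Get-RedirectTarget {
    param([string]$Url, [string]$RedirectFrom, [string]$RedirectTo)
    # Same steps as the module: escape the setting, then turn * and ? into wildcards.
    $pattern = '^' + [regex]::Escape($RedirectFrom).Replace('\*', '.*').Replace('\?', '.')
    $ignoreCase = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase
    $match = [regex]::Match($Url, $pattern, $ignoreCase)
    if (-not $match.Success) { return $null }      # request is served as-is
    # The matched prefix is replaced by RedirectToBaseUrl; the rest is kept.
    $newUrl = $RedirectTo + $Url.Substring($match.Length)
    if ([string]::Equals($newUrl, $Url, [StringComparison]::InvariantCultureIgnoreCase)) {
        return $null                               # already at the target
    }
    return $newUrl
}

# Constructed sample URLs; the paths are hypothetical.
$urls = @(
    'http://support.contoso.com/',
    'http://support.contoso.com/Host',
    'http://support.contoso.com/App/Page.aspx?ReturnUrl=/Host',
    'https://support.contoso.com/Host'
)
$to = 'https://support.contoso.com/'

foreach ($from in 'http://*/', 'http://support.contoso.com/') {
    "RedirectFromBaseUrl = $from"
    foreach ($u in $urls) {
        $target = Get-RedirectTarget -Url $u -RedirectFrom $from -RedirectTo $to
        if ($null -eq $target) { $target = '(no redirect)' }
        "  {0,-58} -> {1}" -f $u, $target
    }
}
```

With `http://*/` the `.*` is greedy, so everything up to the last `/` in the URL is replaced and the third sample lands on `https://support.contoso.com/Host`; with the explicit host the full path and query string are preserved.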
Historical Comments
These comments were imported from the original WordPress post.
Reid — March 03, 2015 at 13:15
Hi Michael,
Thanks for the great article! It looks like you left one piece of the puzzle out though. When redirecting http to https, you must also add the following two keys to your appSettings:
See step #5 here:
http://forum.screenconnect.com/yaf_postsm11906_HTTP-redirect-to-HTTPS.aspx#post11906
Thanks again!
Reid
Michael Šabrňák — March 05, 2015 at 09:13
Hello Reid,
Thank you for the review, but I must admit these 2 steps were there but without a warning about adding/modifying them, so it was confusing. I’ve highlighted these 2 lines and also added a note about this needed change.
Thanks for the useful comment.
Michael
Dan — May 19, 2015 at 02:55
Followed your writeup today with a new installation and it worked as desired. Thanks!
Caleb — August 17, 2015 at 21:42
Thanks for this guide! I am having a weird problem though. When accessing the http://screenconnnectserver.server.com the browser doesn’t redirect but instead drops an authentication popup that states “http://screenconnectserver.server.com:80 requires a username and password”
Navigating directly to the https://screenconnectserver.server.com works properly so I can tell the SSL cert is installed correctly, but the redirect doesn’t seem to work.
Any help would be greatly appreciated.
Eli — November 22, 2015 at 07:32
I put together a simple (probably superfluous) PowerShell command to do everything listed here.
You can save this code snippet as a .ps1 file, then open PowerShell, and run the file.
```powershell
# Ask for the web.config location; pressing ENTER accepts the default path.
$path = Read-Host -Prompt 'Please enter the full path to the screenconnect web.config file (no quotes) - press ENTER for the default (C:\Program Files (x86)\ScreenConnect\web.config)'
if ($path -eq '') { $path = 'C:\Program Files (x86)\ScreenConnect\web.config' }
Write-Host "Your web.config file is here: $path"
$https = Read-Host -Prompt 'Input the full URL including https:// '
Write-Host "Your full https:// URL to ScreenConnect is: $https"

$xml = [xml] (Get-Content $path)

# <appSettings>: add WebServerAlternateListenUri
$newEl = $xml.CreateElement("add")
$nameAtt1 = $xml.CreateAttribute("key")
$nameAtt1.psbase.value = "WebServerAlternateListenUri"
$newEl.SetAttributeNode($nameAtt1)
$nameAtt2 = $xml.CreateAttribute("value")
$nameAtt2.psbase.value = "http://+:80/"
$newEl.SetAttributeNode($nameAtt2)
$xml.configuration["appSettings"].AppendChild($newEl)

# <appSettings>: add RedirectFromBaseUrl
$newEl = $xml.CreateElement("add")
$nameAtt1 = $xml.CreateAttribute("key")
$nameAtt1.psbase.value = "RedirectFromBaseUrl"
$newEl.SetAttributeNode($nameAtt1)
$nameAtt2 = $xml.CreateAttribute("value")
$nameAtt2.psbase.value = "http://*/"
$newEl.SetAttributeNode($nameAtt2)
$xml.configuration["appSettings"].AppendChild($newEl)

# <appSettings>: add RedirectToBaseUrl (the https:// URL entered above)
$newEl = $xml.CreateElement("add")
$nameAtt1 = $xml.CreateAttribute("key")
$nameAtt1.psbase.value = "RedirectToBaseUrl"
$newEl.SetAttributeNode($nameAtt1)
$nameAtt2 = $xml.CreateAttribute("value")
$nameAtt2.psbase.value = $https
$newEl.SetAttributeNode($nameAtt2)
$xml.configuration["appSettings"].AppendChild($newEl)

# <httpModules>: register BaseUrlRedirectionModule
$newEl = $xml.CreateElement("add")
$nameAtt1 = $xml.CreateAttribute("name")
$nameAtt1.psbase.value = "BaseUrlRedirectionModule"
$newEl.SetAttributeNode($nameAtt1)
$nameAtt2 = $xml.CreateAttribute("type")
$nameAtt2.psbase.value = "BaseUrlRedirectionModule"
$newEl.SetAttributeNode($nameAtt2)
$xml.configuration.'system.web'["httpModules"].AppendChild($newEl)
$xml.Save($path)

# Create App_Code next to web.config (the last 11 characters are "\web.config").
$newDir = $path.substring(0, $path.Length - 11) + "\App_Code"
New-Item $newDir -type directory -force

# C# source of the redirection module; the single-quoted here-string keeps it literal.
$code = @'
using System;
using System.Web;
using System.Configuration;
using System.Text.RegularExpressions;

public class BaseUrlRedirectionModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        application.BeginRequest += delegate
        {
            var redirectFromBaseUrl = ConfigurationManager.AppSettings["RedirectFromBaseUrl"];
            if (!string.IsNullOrEmpty(redirectFromBaseUrl))
            {
                // Escape the setting, then turn the escaped * and ? back into regex wildcards.
                var pattern = '^' + Regex.Escape(redirectFromBaseUrl).Replace("\\*", ".*").Replace("\\?", ".");
                var oldUrl = application.Context.Request.Url.AbsoluteUri;
                var match = Regex.Match(oldUrl, pattern, RegexOptions.IgnoreCase);
                if (match.Success)
                {
                    var newUrl = ConfigurationManager.AppSettings["RedirectToBaseUrl"] + oldUrl.Substring(match.Length);
                    if (!string.Equals(newUrl, oldUrl, StringComparison.InvariantCultureIgnoreCase))
                        application.Context.Response.Redirect(newUrl);
                }
            }
        };
    }

    public void Dispose() { }
}
'@
$newFile = $path.substring(0, $path.Length - 11) + "\App_Code\BaseUrlRedirectionModule.cs"
New-Item $newFile -type file -force -value $code

Restart-Service -displayname "ScreenConnect Web Server"
```
Michael Šabrňák — November 22, 2015 at 10:02
Thank you for your script! I didn’t try it yet, so I hope it works well.
4sousa — April 16, 2021 at 16:57
Hi,
Anyone try that script?
4connectorswide — June 09, 2021 at 08:10
Is there any way to get hold of the BaseUrlRedirectionModule.cs?
The link seems to be inactive.
MyKE — July 28, 2021 at 09:45
I can’t find the file on the server anymore. But you can follow comment #9 – https://sabrnet.wzk.cz/2014/09/screenconnect-enable-ssl-with-pernament-redirection-to-https/#comment-9 which has the source code of that file.
Barinder Singh — August 03, 2021 at 19:10
We have automate and control server. Automate is running on port 80. Screenconnect is running on https with port 8040.
Is there a way to redirect http://screenconnect.com:8040 to https://screenconnect.com:8040?
Or any other way to get this?