ScreenConnect SSL with LetsEncrypt
Setting up SSL for ScreenConnect natively has always been something of a pain, particularly with Let's Encrypt. There is now a further issue with the TLS handshake on the version of Mono which ScreenConnect uses. If you are using a Linux server for your ScreenConnect installation, there is a relatively straightforward work-around using an Nginx reverse proxy: Nginx terminates TLS on the public port and forwards plain HTTP to ScreenConnect listening on localhost. This is based on this article by Tyler Woods.
Install Nginx (yum install nginx, apt-get install nginx, etc.) and install certbot. The Nginx configuration below expects the certificate certbot issues for your ScreenConnect hostname under /etc/letsencrypt/live/.
Find the WebServerListenUri line in /opt/screenconnect/web.config and change it so ScreenConnect only listens on the loopback address, port 10050. Immediately below it, add a new key telling ScreenConnect the public URI to use for downloading the client (this must be the HTTPS address served by Nginx, otherwise the client installers will point at the wrong host):
<add key="WebServerListenUri" value="http://127.0.0.1:10050/" />
<add key="WebServerAddressableUri" value="https://support.yourdomain.com:<optional port>/" />
Create a Diffie-Hellman parameter file for the DHE cipher suites (this can take a few minutes):
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
Then create a new Nginx server configuration file:
## This server definition is only required if you want to redirect http to https
server {
    listen 80;
    server_name support.yourdomain.com;
    return 301 https://$host$request_uri;
}

## SSL server - use a port other than 443 if you wish to
server {
    listen 443 default_server ssl;
    server_name support.yourdomain.com;

    ## ENABLE SSL. The "ssl" parameter on the listen line above already does this;
    ## "ssl on;" is deprecated since nginx 1.15.0 and rejected by current releases, so it is left commented.
    # ssl on;

    ## DEFINE THE LOCATION OF YOUR CERTIFICATE AND KEY (paths as created by certbot)
    ssl_certificate /etc/letsencrypt/live/support.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/support.yourdomain.com/privkey.pem;

    ## PERFORMANCE OPTIONS
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    keepalive_timeout 60;

    ## TLSv1 AND TLSv1.1 AND TLSv1.2
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Diffie-Hellman parameters for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    ## ALWAYS SAFER TO DEFINE AN ORDER - THINK CAREFULLY IF YOU DISABLE THIS.
    ssl_prefer_server_ciphers on;

    ## CIPHERS GOOD FOR AN "A" RATING.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ## WANT A QUALYS "A" RATING (100/100/100/100)? BE SURE TO REMOVE/COMMENT THE LINE ABOVE, ENABLE TLSv1.2 ONLY AND BE MINDFUL THAT CLICKONCE/JNLP DEPLOYMENT MAY NOT WORK.
    # ssl_ciphers "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA";

    ## ENABLE IF YOU INTEND TO USE ELLIPTIC CURVE DHE
    # ssl_ecdh_curve secp521r1;

    ## OPTIONS
    ## ENABLE HSTS. ONCE A BROWSER HAS SEEN THIS HEADER, ALL SUBSEQUENT REQUESTS TO THIS HOST WILL BE DIRECTED TO HTTPS FOR max-age SECONDS.
    add_header Strict-Transport-Security max-age=15768000;

    location / {
        ## WHERE ARE WE PASSING OUR REQUEST TO?
        # IN THIS EXAMPLE, THE NATIVE SCREENCONNECT UI IS NO LONGER ACCESSIBLE DIRECTLY. ALL REQUESTS MUST COME THROUGH THE NGINX PROXY.
        # BE SURE TO SET THE SCREENCONNECT WEB.CONFIG FILE TO LISTEN ON 127.0.0.1:10050.
        proxy_pass http://127.0.0.1:10050/;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_max_temp_file_size 0;
        client_max_body_size 50m;
        client_body_buffer_size 256k;
        proxy_connect_timeout 180;
        proxy_send_timeout 180;
        proxy_read_timeout 90;
        proxy_buffer_size 16k;
        proxy_buffers 4 64k;
        proxy_busy_buffers_size 128k;
        proxy_temp_file_write_size 128k;
    }
}
Start Nginx
service nginx start
Restart ScreenConnect
service screenconnect restart
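To confirm the finished layout matches what this guide asks for (ScreenConnect bound to loopback only, Nginx forwarding to that same listener, an HTTPS addressable URI, HSTS set, and no legacy TLS versions left enabled), here is an added example script; it is not from the original post or from ScreenConnect/Nginx. The nginx and web.config excerpts embedded in it are constructed from this page, and the nginx parser is a deliberately minimal one that only handles the flat directives used here.

```python
"""Check a ScreenConnect-behind-Nginx layout against the settings this guide asks for."""
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of the nginx server block from this guide (not a live config).
NGINX_CONF = """
server {
    listen 443 default_server ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;
    location / { proxy_pass http://127.0.0.1:10050/; }
}
"""
# Constructed web.config excerpt holding the two keys this guide changes.
WEB_CONFIG = """<appSettings>
  <add key="WebServerListenUri" value="http://127.0.0.1:10050/" />
  <add key="WebServerAddressableUri" value="https://support.yourdomain.com/" />
</appSettings>"""

def nginx_directives(conf):
    """Flatten nginx config into (name, args) pairs; comments and block braces are dropped."""
    text = re.sub(r"#.*", "", conf)
    return [(s.split()[0], s.split()[1:]) for s in re.split(r"[;{}]", text) if s.split()]

def check_setup(conf, web_config):
    """Return a list of findings; an empty list means the layout matches the guide."""
    d = nginx_directives(conf)
    def args(name):  # arguments of the first directive with this name, or []
        return next((a for n, a in d if n == name), [])
    keys = {a.get("key"): a.get("value") for a in ET.fromstring(web_config).iter("add")}
    listen_uri = keys.get("WebServerListenUri", "")
    findings = []
    # ScreenConnect itself must only listen on loopback; nginx is the sole public entry point.
    if not listen_uri.startswith("http://127.0.0.1:"):
        findings.append("WebServerListenUri is not bound to 127.0.0.1")
    # nginx must forward to exactly that loopback listener.
    if args("proxy_pass")[:1] != [listen_uri]:
        findings.append("proxy_pass does not match WebServerListenUri")
    # Clients download from the addressable URI, so it must be the HTTPS front end.
    if not keys.get("WebServerAddressableUri", "").startswith("https://"):
        findings.append("WebServerAddressableUri is not https")
    # The guide's protocol list still enables TLSv1/TLSv1.1 (see its Qualys "A" note).
    legacy = {"TLSv1", "TLSv1.1"} & set(args("ssl_protocols"))
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(sorted(legacy)))
    if not any(n == "add_header" and a[:1] == ["Strict-Transport-Security"] for n, a in d):
        findings.append("no Strict-Transport-Security header")
    return findings
```

Run against the guide's own values it reports only the legacy TLS versions; point it at your real files (read them into `conf` and `web_config`) after editing to catch a listener left on 0.0.0.0 or a proxy_pass that no longer matches.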