Online Help System

www.screenconnect.com

HOWTO-0004: Configuring SSL for Web Server

Modified: 2011/10/28 10:17 by Jake Morgan - Categorized as: Knowledge Base

1 Summary

Although ScreenConnect encrypts all Relay session traffic by default, the Web Server HTTP traffic is not encrypted unless configured with SSL. SSL provides an additional layer of security for key exchange and the comfort of your users. This article describes the steps necessary to set up ScreenConnect as a secure site.

2 More Information

2.1 Option 1: Piggyback onto another site configured for SSL

Piggybacking onto another site is the easiest way to configure ScreenConnect for SSL. Refer to article HOWTO-0003: Changing ScreenConnect ports for information on configuring this. The WebServerListenUri setting in this article should be configured like the following:

<add key="WebServerListenUri" value="https://+:443/RemoteSupport/" />

The important changes here are 'http' to 'https' in the prefix and the now-mandatory directory in the suffix.

2.2 Option 2: Bind certificate

Before binding, make sure your ScreenConnect ports are set up correctly. Refer to the knowledge base article, HOWTO-0003: Changing ScreenConnect ports. The WebServerListenUri parameter referenced in that article will need to be changed to use 'https' as the prefix, regardless of the port:

<add key="WebServerListenUri" value="https://+:443/" />

To bind a certificate to ScreenConnect, you first need to get a certificate. A certificate is issued by a Certificate Authority (CA) for a specific company and website.

ScreenConnect uses the HTTP Server API to support the Web Server, so configuration is mainly borrowed from the Microsoft Windows infrastructure.

The following article details the configuration of SSL: How to: Configure a Port with an SSL Certificate. The article, however, includes some unnecessary functionality, so we've provided focused snippets below.

To configure a port, the tool you use depends on the operating system that is running on your machine.

If you are running Windows Server 2003 or Windows XP, use the HttpCfg.exe tool. On Windows Server 2003 this tool is already installed. On Windows XP, you can download the tool at Windows XP Service Pack 2 Support Tools. For more information, see Httpcfg Overview. The Windows Support Tools documentation explains the syntax for the Httpcfg.exe tool.

If you are running Windows Vista, use the Netsh.exe tool that is already installed.

Note that modifying certificates stored on the computer requires administrative privileges.

Note: The Netsh.exe tool referenced above is also applicable for Windows Server 2008 and Windows 7.

If you need the httpcfg.exe application for your operating system, you can quickly download it here: httpcfg.exe

You'll need to have a certificate installed in the "Local Computer" Windows certificate store. The certificate store for "Current User" is not accessible to the ScreenConnect service. You also must have the private key for the certificate. When viewing the certificate in Windows, the following message should be displayed: "You have a private key that corresponds to this certificate."

Get the "thumbprint" of your certificate from the Windows certificate store:

  1. Use the Certificates MMC snap-in to find an X.509 certificate that has an intended purpose of client authentication. For more information, see How to: View Certificates with the MMC Snap-in.
  2. Access the certificate's thumbprint. For more information, see How to: Retrieve the Thumbprint of a Certificate.
  3. Copy the thumbprint of the certificate into a text editor, such as Notepad.
  4. Remove all spaces between the hexadecimal characters. One way to accomplish this is to use the text editor's find-and-replace feature and replace each space with nothing (an empty string).

Use the tool appropriate to your operating system to bind the certificate. You'll need to substitute your IP/port combination and your certificate thumbprint:

  1. In Windows Server 2003 or Windows XP, use the HttpCfg.exe tool in "set" mode on the Secure Sockets Layer (SSL) store to bind the certificate to a port number. The tool uses the thumbprint to identify the certificate, as shown in the following example:

    httpcfg set ssl -i 0.0.0.0:8012 -h 0000000000003ed9cd0c315bbb6dc1c08da5e6

    • The -i switch has the syntax IP:port and instructs the tool to bind the certificate to port 8012 of the computer. Optionally, the four zeroes (0.0.0.0) that precede the port number can be replaced by the actual IP address of the computer.
    • The -h switch specifies the thumbprint of the certificate.
  2. In Windows Vista, use the Netsh.exe tool, as shown in the following example:

    netsh http add sslcert ipport=0.0.0.0:8000 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={00112233-4455-6677-8899-AABBCCDDEEFF}

    • The certhash parameter specifies the thumbprint of the certificate.
    • The ipport parameter specifies the IP address and port, and functions just like the -i switch of the Httpcfg.exe tool described above.
    • The 'appid' parameter is a GUID that can be used to identify the owning application.

Note: The 'appid' parameter for the Netsh.exe tool is not relevant for ScreenConnect, but must be specified regardless. We use an empty GUID: {00000000-0000-0000-0000-000000000000}
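As an added example (not from the ScreenConnect article or from Microsoft's documentation), the PowerShell below carries out the whole Option 2 procedure on Windows Vista / Server 2008 / Windows 7: it locates the certificate with its private key in the Local Computer store, normalises the thumbprint, binds it with netsh using the empty appid the note above recommends, and then verifies the binding. The host name, the port and the store path are assumptions; substitute your own, and run the script from an elevated prompt.

```powershell
# Added example, not ScreenConnect's own code. Assumes: the certificate's subject
# contains $HostName, WebServerListenUri uses port 443, and the shell is elevated.

$HostName = 'support.example.com'   # placeholder: host name the certificate was issued for
$IpPort   = '0.0.0.0:443'           # placeholder: must match the port in WebServerListenUri
$AppId    = '{00000000-0000-0000-0000-000000000000}'  # empty GUID, as the article recommends

# 1. Find a certificate in the Local Computer "Personal" store (Cert:\LocalMachine\My)
#    that has a private key. The "Current User" store is not visible to the service.
#    If several match, take the one that expires last.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$HostName*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate for $HostName with a private key found in Cert:\LocalMachine\My"
}

# 2. Normalise the thumbprint. The store returns it without spaces, but a value pasted
#    from the certificate dialog contains spaces, so strip any whitespace and check the
#    length: a SHA-1 thumbprint is exactly 40 hexadecimal characters.
$thumbprint = ($cert.Thumbprint -replace '\s', '').ToLower()
if ($thumbprint.Length -ne 40) {
    throw "Unexpected thumbprint length $($thumbprint.Length); expected 40 hex characters"
}

# 3. Remove any binding already present on the port (the delete fails harmlessly when
#    nothing is bound), then bind the certificate exactly as in the netsh example above.
netsh http delete sslcert "ipport=$IpPort" | Out-Null
netsh http add sslcert "ipport=$IpPort" "certhash=$thumbprint" "appid=$AppId"

# 4. Verify: netsh must now report our thumbprint for this IP/port. -notmatch is
#    case-insensitive, so the hash casing netsh prints does not matter.
$binding = netsh http show sslcert "ipport=$IpPort"
if (($binding -join "`n") -notmatch $thumbprint) {
    throw "Binding for $IpPort does not report certificate $thumbprint"
}
$binding
```

After the binding succeeds, restart the ScreenConnect Web Server service so it listens on the https prefix configured in WebServerListenUri.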

3 References