Koozali.org: home of the SME Server

iptables port forward 443 for a specific hostname?

chrislaurie
iptables port forward 443 for a specific hostname?
« on: August 25, 2010, 08:28:16 PM »
I'm trying to get http://www.screenconnect.com/ to work on a Windows box. But I need it to use port 443. So I have set up a hostname (assist.mydomain.com) pointing to the ScreenConnect Windows box. The normal port 80 web stuff works. The problem is that the normal Apache ProxyPass mangles the addresses. According to the guys at ScreenConnect I need to be able to forward "raw tcp traffic" to my ScreenConnect box. They suggest I use iptables.

I can forward port 443, but I would then lose the ability to connect to the https stuff on my server (admin, webmail etc.).

Is there a way to set up squid/iptables so that it forwards port 443 packets to the ScreenConnect box, but only for a specific hostname (assist.mydomain.com)?

CharlieBrady
Re: iptables port forward 443 for a specific hostname?
« Reply #1 on: August 26, 2010, 12:44:12 AM »
Is there a way to set up squid/iptables so that it forwards port 443 packets to the ScreenConnect box, but only for a specific hostname (assist.mydomain.com)?

No.

What do you mean by "proxypass mangles the addresses"?

mmccarn
Re: iptables port forward 443 for a specific hostname?
« Reply #2 on: August 26, 2010, 01:40:09 PM »
If the ONLY way to get screenconnect to work is to forward all traffic on port 443 to their server, it sounds as though they are using port 443 for non-https "screen control" data packets (this is a guess on my part, their website is unspecific on this topic).  You might ask them if there is a way to configure their client to use a different port (then forward that other port directly to the screenconnect server).

If I am wrong and all screenconnect traffic uses https, you may be able to get it working using some more advanced "proxypass" directives.  The discussions in this post describe the proxypass requirements for Outlook Web Access, and may help point you in the right direction.

Since it is easy to do, create a port forward rule on your SME that forwards port 4443 to port 443 on your internal screenconnect server - then see if screenconnect works when accessed at https://blahblahblah.com:4443 - if that works, you could create an ibay on your sme that contains a simple http redirect to redirect the desired URL (https://blahblahblah.com) to the new port (https://blahblahblah.com:4443).

Failing that, take a look at UltraVNC "single click" (http://www.uvnc.com/addons/singleclick.html) to see if that can give you the functionality you're looking for...

chrislaurie
Re: iptables port forward 443 for a specific hostname?
« Reply #3 on: August 26, 2010, 05:47:54 PM »
Thanks a lot for your response. You are right about screenconnect using it for encrypted screen control packets.

The reason I want this to work on ports 80 and 443 is that some of my guests have strict outbound filtering, so other ports won't work. It is the same with UltraVNC etc.

I will look into the redirect option.

chrislaurie
Re: iptables port forward 443 for a specific hostname?
« Reply #4 on: August 27, 2010, 06:44:48 AM »
Charlie: with regard to "proxypass mangles the addresses": they connected to my test server with the client, and after that their developer said this:

"I think your firewall/gateway is messing with the HTTP request to your website and changing the Host header to the internal IP address. The guest client should try to connect to whatever host name is in the Guest's browser address bar, which is specified in the Host header sent by the Guest. I can only guess that this is being altered."

After some tweaks and more tests they said: "I think your firewall is messing with the relay connection now. The firewall needs to forward the traffic directly without any http proxy mess or any other packet inspection."

And later:

"Apache can forward HTTP traffic, which works fine ... for our web server port 80 stuff, but it can't forward raw TCP traffic, which is used by our Relay, and is why you're having trouble connecting.

You can use a different IP than Apache is using on 443, or you can use a different port. But you won't be able to dual-purpose the same port/ip combination for our Relay service."
« Last Edit: August 27, 2010, 06:49:56 AM by chrislaurie »

cactus
Re: iptables port forward 443 for a specific hostname?
« Reply #5 on: August 27, 2010, 04:15:51 PM »
I think you will have difficulties realizing your desires while still being able to manage your server, as server-manager also runs on port 443 and SME Server only supports one external IP address, in light of this remark:

"But you won't be able to dual-purpose the same port/ip combination for our Relay service."

CharlieBrady
Re: iptables port forward 443 for a specific hostname?
« Reply #6 on: August 27, 2010, 10:26:20 PM »
Charlie: with regard to "proxypass mangles the addresses": they connected to my test server with the client, and after that their developer said this:

"I think your firewall/gateway is messing with the HTTP request to your website and changing the Host header to the internal IP address..."

ScreenConnect should expect that the HOST header will be rewritten whenever http traffic is forwarded through a proxy. They should look at HTTP_X_FORWARDED_HOST.

However, their documentation says:

    The HTTP web service is provided as an ASP.NET application operating on TCP port 8040, while the relay
    for session data using a proprietary protocol operates on TCP port 8041.

so you should be able to deal with this via two port forwards.
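Charlie's point about HTTP_X_FORWARDED_HOST, worked through as an added example (not code from this thread, from ScreenConnect or from SME Server): a backend sitting behind a Host-rewriting proxy such as Apache ProxyPass without ProxyPreserveHost can recover the hostname the browser actually used from X-Forwarded-Host, but must honour that header only when the request really arrived from the trusted proxy, because a client that reaches the backend directly can set it to anything. The proxy address 192.0.2.10, the internal backend address 10.0.0.5:8040 and both sample requests are constructed for illustration.

```python
"""Recover the hostname the end user typed when requests reach a backend
through a reverse proxy such as Apache ProxyPass, which rewrites Host to
the internal address unless ProxyPreserveHost is on.

Added example, not ScreenConnect's or SME Server's code. The proxy and
client addresses below are constructed for illustration.
"""
from __future__ import annotations

import re
from ipaddress import ip_address, ip_network

# Constructed: address of the reverse proxy that rewrites Host. Only a
# request arriving from here may carry a trustworthy X-Forwarded-Host.
TRUSTED_PROXIES = (ip_network("192.0.2.10/32"),)

# Allow-list for a host value: DNS label characters plus an optional port.
_HOST_RE = re.compile(r"^[a-z0-9.-]+(:[0-9]{1,5})?$")


def parse_request_head(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split an HTTP/1.x request head into the request line and a header
    map keyed by lower-cased name; a repeated header keeps its first value."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        name = name.strip().lower()
        if sep and name and name not in headers:
            headers[name] = value.strip()
    return request_line, headers


def public_host(headers: dict[str, str], peer_ip: str) -> str:
    """Return the hostname the client used. X-Forwarded-Host is honoured
    only when the TCP peer is a trusted proxy; any other peer could have
    forged it, so for them the (rewritten) Host header is all we trust."""
    host = headers.get("host", "")
    peer = ip_address(peer_ip)
    if any(peer in net for net in TRUSTED_PROXIES):
        forwarded = headers.get("x-forwarded-host", "")
        if forwarded:
            # A chain of proxies appends to the list; the left-most entry
            # is what the browser originally asked for.
            host = forwarded.split(",")[0].strip()
    host = host.lower()
    if not _HOST_RE.match(host):
        # Refuse values that could smuggle paths, spaces or header syntax
        # into URLs the application builds from its own hostname.
        raise ValueError(f"refusing unsafe host value: {host!r}")
    return host


# Constructed sample: what the backend on 10.0.0.5:8040 sees after Apache
# has proxied the request and replaced Host with the internal address.
PROXIED_REQUEST = (
    b"GET /Host HTTP/1.1\r\n"
    b"Host: 10.0.0.5:8040\r\n"
    b"X-Forwarded-Host: assist.mydomain.com\r\n"
    b"X-Forwarded-For: 203.0.113.7\r\n"
    b"Connection: close\r\n\r\n"
)

# Constructed sample: a client reaching the backend directly and supplying
# its own X-Forwarded-Host, which must be ignored.
DIRECT_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: 10.0.0.5:8040\r\n"
    b"X-Forwarded-Host: forged-host.example\r\n\r\n"
)


def resolve(raw: bytes, peer_ip: str) -> str:
    """Parse a raw request head and resolve the public hostname for it."""
    _, headers = parse_request_head(raw)
    return public_host(headers, peer_ip)


if __name__ == "__main__":
    print(resolve(PROXIED_REQUEST, "192.0.2.10"))  # assist.mydomain.com
    print(resolve(DIRECT_REQUEST, "203.0.113.7"))   # 10.0.0.5:8040
```

The same proxied request evaluated with a non-proxy peer address falls back to the rewritten internal Host, which is exactly the symptom the ScreenConnect developer described; the fix is therefore on the application side (read the forwarded header from the known proxy), not a change to how the firewall forwards packets.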

chrislaurie
Re: iptables port forward 443 for a specific hostname?
« Reply #7 on: August 31, 2010, 09:13:01 PM »
Thanks for your input, Charlie. I am able to do it with 2 port forwards. I can even pick my ports. The problem is that my intended audience has outbound port blocking on their side, so I want to use 80 and 443, which I cannot use with port forwarding, as I will lose my own SME Server stuff (webmail, websites etc.) on those ports.