Express guide: how to enable an SSL certificate with redirection from http to https on Windows Server 2012 R2
Before you begin
This article assumes you have a properly configured ScreenConnect server in a production or testing environment with Passed statuses (everything is green in the Admin panel), and that you have generated an SSL certificate for your domain (check Browser URL status), for example support.contoso.com, in pkcs12 format via OpenSSL. The steps in this tutorial were tested on Windows Server 2012 R2 in a production environment at the University. This is a modified version of the original tutorial by Reid, a ScreenConnect team member. I’m not responsible for any damage or harm to your server.
Tested & Compatible with: 4.3 – 5.3 stable versions.
Enabling SSL
- Open web.config in the folder where ScreenConnect is installed and change the value of the WebServerListenUri key to:
..
<add key="SmtpEnableSsl" value="false" />
<add key="WebServerListenUri" value="https://+:443/" />
<add key="RelayListenUri" value="relay://+:8041/" />
..
- Save web.config, generate your SSL certificate (self-signed or issued by a certificate authority) in .p12 or .pfx form, and import it to Local Machine > Personal (you can do this by double-clicking the certificate file or via the MMC snap-in).
- Now we need the thumbprint of the imported certificate, so run PowerShell and type the command:
Get-ChildItem -path cert:\LocalMachine\My
- Copy the thumbprint of the imported certificate that you’ll use for the ScreenConnect application, then run via CMD:
netsh http add sslcert ipport=0.0.0.0:443 certhash=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX appid={00000000-0000-0000-0000-000000000000}
- Here XXXX is the thumbprint of your certificate.
- Communication on port 443 is now bound to this certificate.
- To show the active SSL certificate bindings of the HTTP service, run:
netsh http show sslcert
- Remember to make firewall exceptions for ports 80 and 443!
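The steps above as one PowerShell script, added here as an example and not part of the original tutorial: it picks the certificate for support.contoso.com from Local Machine > Personal, checks that it has a private key and is inside its validity period, binds it to port 443 and confirms the binding. The firewall rule name is made up for this example, and matching the certificate by its subject CN is an assumption about how your certificate was issued; run it from an elevated session.

```powershell
# Added example, not from the original tutorial. Run in an elevated PowerShell session.
$HostName = 'support.contoso.com'                     # hostname used in this tutorial
$AppId    = '{00000000-0000-0000-0000-000000000000}'  # same appid as the netsh command above
$IpPort   = '0.0.0.0:443'

# Pick the certificate from Local Machine > Personal. A binding to a certificate
# without a private key, or to an expired one, is accepted by netsh but then
# fails for every client, so filter those out before binding.
$now  = Get-Date
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -like "*CN=$HostName*" -and   # assumption: hostname is in the subject CN
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and
        $_.NotAfter  -gt $now
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid certificate with a private key for $HostName in Cert:\LocalMachine\My"
}
'Using {0}, expires {1:yyyy-MM-dd}, thumbprint {2}' -f $cert.Subject, $cert.NotAfter, $cert.Thumbprint

# Each argument is quoted: in PowerShell an unquoted {...} is parsed as a
# script block, so appid={...} copied from the CMD form would not reach netsh intact.
& netsh http add sslcert "ipport=$IpPort" "certhash=$($cert.Thumbprint)" "appid=$AppId"
if ($LASTEXITCODE -ne 0) {
    throw "netsh failed (exit code $LASTEXITCODE). Check 'netsh http show sslcert' for an existing binding on $IpPort."
}

# Confirm the binding now on the port carries the thumbprint we selected.
$binding = & netsh http show sslcert "ipport=$IpPort"
if (-not ($binding -match $cert.Thumbprint)) {
    throw "Binding on $IpPort does not show thumbprint $($cert.Thumbprint)"
}
$binding

# Firewall exception for ports 80 and 443 (rule name is constructed for this example).
New-NetFirewallRule -DisplayName 'ScreenConnect Web (example rule)' `
    -Direction Inbound -Protocol TCP -LocalPort 80, 443 -Action Allow | Out-Null
```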
Redirecting http to https
- Open your ScreenConnect web.config, navigate to the <appSettings> section and add a new line with the WebServerAlternateListenUri key under WebServerListenUri. Also modify or add the lines with the RedirectFromBaseUrl and RedirectToBaseUrl keys (this depends on your environment). The resulting configuration should look like this:
..
<add key="SmtpEnableSsl" value="false" />
<add key="WebServerListenUri" value="https://+:443/" />
<add key="WebServerAlternateListenUri" value="http://+:80/" />
<add key="RelayListenUri" value="relay://+:8041/" />
<add key="RedirectFromBaseUrl" value="http://*/" />
<add key="RedirectToBaseUrl" value="https://support.contoso.com:443/" />
..
- Find the <httpModules> section in web.config and add a new line for BaseUrlRedirectionModule, with the following result:
..
<add name="CompressionModule" type="Elsinore.ScreenConnect.CompressionModule, Elsinore.ScreenConnect.Web" />
<add name="BaseUrlRedirectionModule" type="BaseUrlRedirectionModule" />
<add name="FormsAuthenticationModule" type="Elsinore.ScreenConnect.FormsAuthenticationModule, Elsinore.ScreenConnect.Web" />
..
- Download BaseUrlRedirectionModule.cs (click save as)
- Create a subdirectory called “App_Code” inside the folder where ScreenConnect is installed and put the downloaded file BaseUrlRedirectionModule.cs into it.
- Restart the ScreenConnect Web Server service:
net stop "ScreenConnect Web Server" && net start "ScreenConnect Web Server"
Done. ScreenConnect should now also listen on the usual http port 80, and requests arriving there are immediately redirected to https on port 443. A guest who opens http://support.contoso.com will be redirected to https://support.contoso.com.