pfSense HAProxy ScreenConnect setup

Hey Tom first thanks for all the excellent videos and sharing your knowledge very much appreciated.

Ok so I am trying to get HAProxy to work on my pfSense.

I am using UNRAID (I know you don’t use it or like It) and have a HAProxy Docker working great for my Docker Containers.

I have a few VM’s that I need to get HAProxy working on. One is my ScreenConnect it’s running on a Windows VM.

So, I am not really sure what I have wrong at this point and could you some direction.

I have stopped the HAProxy on UNRAID stop the port forwards on the PfSense and tried to set up the HAProxy on the PfSense box.

I think the issue is not having the correct ports forwarded on PfSense.

I have watched both of the videos several times and just can’t figure out the correct firewall setting.

(How to Setup ACME, Let’s Encrypt, and HAProxy HTTPS offloading on pfSense and Moving Self Hosted ConnectWise Control / ScreenConnect From Linux to Windows & HA Proxy.)

If you could share the firewall setting, I need to get this working that would be much appreciated.

Here is what I have and it’s not working and probably wrong.

(ScreenConnect web.config settings.)
add key=“WebServerListenUri” value=“http://support.sitename.com:8040/” />
add key=“WebServerAddressableUri” value=“https://support.sitename.com:443/” />
add key=“RelayListenUri” value=“relay://0.0.0.0:8041/” />

What I am not sure of is where do I forward port 8040 for ScreenConnect?

Firewall Rules WAN

I only have the one site setup right now to test this out and get it working first.

The site support.sitename._com is setup as a CNAME on Cloudflare do I need to change this to an A record or will a CNAME also work?

When I connect on the local network it shows the correct ScreenConnect page and cert and the cert is the right cert and the site shows as secure.

When I connect from a remote site this is what I see? not sure were that is coming from?

Welcome to our server
The website is currently being setup under this address.
For help and support please contact me@example._com

If you need any other information let me know. I tried to post the backend a frontend setting but being a new user is would not let me.

Thanks again Tom for any input,
Dean

The back end of HA Proxy proxy should point to [YourInternalScreenconnectserverIP] port 8040 and HA Proxy front end should be bound to WAN (or whatever public IP you are using) then a WAN firewall rule to allow opening up 443 to the WAN (or whatever public IP you are using) and one more WAN rule (or whatever public IP you are using) forwarding port 8041 to [YourInternalScreenconnectserverIP]

Web Server Addressable URI should be https://TheSiteBeingHandledByHA_Proxy

Thanks for getting back to me Tom.

The backend I have it pointed to the ScreenConnect internal IP and port 8040 Encrypt(SSL) unchecked and SSL checks unchecked.

The Frontend I have Listen address set as WAN address (IPV4) Custom address blank Port 443 SSL Offloading checked

This is what I have set for the firewall WAN rules

Do I also need these on the NAT / Port Forward also or just the rule on the WAN?

The This Firewall to port 443 will allow 443 to the WAN right?

Not sure I have this one right.
Web Server Addressable URI should be https://TheSiteBeingHandledByHA_Proxy

I have it like this
WebServerAddressableUri" value="https://support.theSite.com:443

should I have the port at the end or just the site address

Thanks Again

Ok Tom,

I got it working just want to make sure I have it right before I move on trying to get the other sites working.

I changed this to point to the 8040 port and it works.

WebServerAddressableUri" value="https://support.TheSite.com:8040

For http-to-https redirects I created another front end and created an action to redirect to https

Is this the best way to do the redirect?

When I go to the main address it gives me a Warning: Potential Security Risk Ahead as it does not have a cert assigned to it. Should I just make that the main cert and do sub certs like you did in the video?

Sorry one last question should I create A records for all the subs or can I use the CNAME that are already setup?

Thanks

Tom,

If you have a chance can you tell me what I might have wrong with the firewall rules for ScreenConnect.

I have everything work and can access all the servers that I setup.

But for some reason I am getting this error on the ScreenConnect Administration page under status.

External Accessibility Check Failed

All the other test pass and the strange thing I can connect just fine outside of the local network.

Here are the rules I have setup for the ScreenConnect Ports.

NAT / Forward

Rules / WAN

Thanks again going to walk away for a while eyes have had enough maybe I can figure it out in the morning.

Sounds like you don’t have HA Proxy working properly with Screenconnect. As I stated above, you need 8041 forwarded to the Screenconnect server and 8040 should be connecting to HA Proxy

Ok Tom I guess this is where I am confused.

ScreenConnect Server is on Local IP 10.10.1.250
PfSense is at 10.10.1.1
HAProxy is on the PfSense so I assume it’s address is also 10.10.1.1

So I have

WAN address port 8040 going to 10.10.1.250 port 8040
WAN address port 8041 going to 10.10.1.250 port 8041

which as you keep telling me is wrong I’m just not sure were to point port 8040 of ScreenConnect I know you keep tell me it should be connecting to HAProxy but what IP is that? (This Firewall)?

Here is how I have the backend configured.

Here is how I have the frontend configured.

All the other servers I configured Unifi, Bitwarden, Nextcloud, GWN Manager all connect just fine and provide the correct cert. So your 100% right about port 8040 I am just not sure how to forward it to the HAProxy.

The worst part is at one point I had all the test passing in ScreenConnect and must have broken something when I was cleaning up all the rules. The only ports I need to worry about for ScreenConnect are 8040 and 8041 right?

Going to go watch the video over again maybe I am missing something simple.

Thanks

You don’t do a port forward for port 8040, you just open that port in the firewall rules so traffic from WAN can hit the PFSense itself, and configure HAProxy to listen on port 8040 on the WAN interface.

Ok so when you say configure HAProxy to listen on port 8040 on the WAN interface. That is done on the backend right?

Like This.

So how do I create the rule to open the port 8040 on the firewall?

This what I have and I know you guys are telling me it wrong. I just don’t understand the firewall rules I am going to have to read some more until I can get a grip of what I am doing wrong.

if someone could just show me how to open port 8040 on the WAN that would help.

Thanks for the help.

Well just to let you all know I got it all working and the problem was not on the PfSense side it was a setting I had in the ScreenConnect config file.

This is what I had.

I changed it to this.

So as you can see it was because I had the port in the WebServerAddressableUri and after looking at the failure it all makes sense (pun intended)

One thing I did find was I could use a CNAME and it worked just fine

Thanks again for the input everything seems to be working excellent now and happy to have my ScreenConnect using HTTPS

Can someone here help me?
When i did this setup in my logs it always shows the IP address from the router as the IP from the person that logged in, so I can’t see who really logged in.

This should help: