Support X-Forwarded-For headers

  • Considering for Future Release

Due to insurance and industry requirements, we are required to host CW Control behind an approved WAF/proxy. But in doing so, all web activity is logged with the WAF/proxy IP instead of the end-client IP. This decreases the value of the built-in CW Control logging and triggers functionality.

Support has confirmed that CW Control does not currently support X-Forwarded-For (XFF) which is a de-facto web standard for passing client IPs through web Proxies. Can we get this header feature added? https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For


I was told Control is unable to read the header response so I wouldn't be able to manually enable it via "Security Toolkit" > "ExtraSecurityHttpHeadersList".


Thanks,
Pinned replies
0
Sean White Team Member
  • Answer
  • Considering for Future Release

Thanks for your request, after speaking with our Architecture team I have registered this request for future consideration.

The key concern is that the product would have to become much more aware of the reverse proxy sitting in front of it in order to properly handle the traffic in a secure manner.

2
MyThoughts

100% agree with above, we are already running SC on prem behind an NGINX reverse proxy.

We used custom locations and IP filtering to block all access to login/admin except from whitelisted addresses. However, the downside of this is that we have lost the public IP info from within SC.

We really need this implemented ASAP. 

0
Chris M

@swhite I understand that everyone at ConnectWise has probably been very busy the past week. It would be great to get an update to see if this has had any further consideration. For those of us running behind a reverse proxy, this is vital at this point.

4
SConsulting

I just noticed that this is even mentioned in Mandiant's Remediation + Hardening Guide, on page 7:

https://www.connectwise.com/globalassets/media/asset-docs/ebook/screenconnect/connectwise-screenconnect-remediation-hardening-guide-1.pdf


● Enable X-Forwarded-For Request Header Logging. If a load balancer or reverse proxy server is placed in front of ScreenConnect server(s), ensure that the X-Forwarded-For field is enabled to capture the true external IP address associated with inbound requests.

1
Davison

@SConsulting That's interesting.  Hopefully that means it's already in the works, but likely is just an assumption by Mandiant that they already supported it.  Hopefully it's coming soon.  It really is essential at this point and should take precedence over any other UI enhancements or features.

0
Chris M
Quote from Davison

@SConsulting That's interesting.  Hopefully that means it's already in the works, but likely is just an assumption by Mandiant that they already supported it.  Hopefully it's coming soon.  It really is essential at this point and should take precedence over any other UI enhancements or features.

I found it strange that they explicitly mentioned it in the document. Either assumption or the guide was written mainly on general best practices. 

4
Sean White Team Member

Hi Everyone,

I am waiting for feedback from my architecture team, as you can imagine they have had a busy couple of weeks, so their responses have been delayed. As soon as I have more information, I'll post it here.

0
Chris M
Quote from Sean White

Hi Everyone,

I am waiting for feedback from my architecture team, as you can imagine they have had a busy couple of weeks, so their responses have been delayed. As soon as I have more information, I'll post it here.

Thanks!

0
Sean White Team Member

Hi everyone,

Our architecture team has some ideas on how this could be implemented in the product, but we'll need to do some additional discovery to determine scope and risk. If we determine it is something we can accomplish, we'll schedule it for development, but as of now no timeframe for that.

3
Scott H.
Quote from Sean White

Hi everyone,

Our architecture team has some ideas on how this could be implemented in the product, but we'll need to do some additional discovery to determine scope and risk. If we determine it is something we can accomplish, we'll schedule it for development, but as of now no timeframe for that.

I understand full implementation of this will be tricky. Particularly when it comes to trusting the proxy enough for ScreenConnect to act on the relayed headers.

But please, PLEASE, at least add the x-forwarded-for header IP to the logs. Tag it as an information only, proxy-reported IP. A simple text entry with no action. That much should be a very simple addition.
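As an added example (not ScreenConnect code, and not a description of how ConnectWise would implement it), here is the trust rule that Sean White's "aware of the reverse proxy" concern and Scott H.'s two requests amount to, written in Python: the header is acted on only when the TCP peer is one of the operator's configured proxies, the chain is walked from the right so that anything the client itself put in X-Forwarded-For is ignored, and the raw header is kept in the audit record as information only. The TRUSTED_PROXIES ranges, the function names and the sample requests are assumptions constructed for this illustration.

```python
"""Safe use of X-Forwarded-For behind a reverse proxy (added example).

Rules:
  * Honour the header only when the TCP peer is a configured trusted proxy;
    a direct client can write anything into X-Forwarded-For.
  * Walk the chain from the right (the hop nearest us), skipping trusted
    proxies; the first untrusted address is the client. Entries to its left
    came from the client or an unknown upstream and are not believed.
  * Record the raw header separately, information only, so the log keeps
    what the proxy reported even when nothing acts on it.
"""
import ipaddress
from typing import Iterable, Optional

# Assumed operator configuration (example values, not a product setting):
# only these addresses may set X-Forwarded-For.
TRUSTED_PROXIES = ("10.0.0.0/8", "192.0.2.10")


def _networks(trusted: Iterable[str]) -> list:
    """Normalise '10.0.0.0/8' or '192.0.2.10' into ip_network objects."""
    return [ipaddress.ip_network(t, strict=False) for t in trusted]


def _parse_ip(value: str):
    """Return an ip_address for a peer/header string, or None if it is not an IP."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):  # bracketed IPv6 form
        value = value[1:-1]
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _is_trusted(ip, networks) -> bool:
    return any(ip in net for net in networks)


def resolve_client_ip(remote_addr: str, xff: Optional[str],
                      trusted: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Address to log and act on. remote_addr is the real TCP peer; xff is the
    X-Forwarded-For value as received, or None when absent."""
    networks = _networks(trusted)
    peer = _parse_ip(remote_addr)
    if peer is None or not _is_trusted(peer, networks):
        return remote_addr          # direct or unknown peer: ignore the header
    if not xff:
        return remote_addr          # trusted proxy that added nothing
    hops = [h for h in (part.strip() for part in xff.split(",")) if h]
    if not hops:
        return remote_addr
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            return remote_addr      # malformed hop nearest us: chain unusable
        if not _is_trusted(ip, networks):
            return str(ip)          # first untrusted hop from the right
    # Every hop was a trusted proxy (an internal client): leftmost is the origin.
    return str(_parse_ip(hops[0]))


def audit_record(remote_addr: str, xff: Optional[str],
                 trusted: Iterable[str] = TRUSTED_PROXIES) -> dict:
    """Fields a log entry should carry: the peer actually connected, the raw
    header (information only), and the client address resolved from them."""
    peer = _parse_ip(remote_addr)
    return {
        "peer": remote_addr,
        "peer_is_trusted_proxy": peer is not None and _is_trusted(peer, _networks(trusted)),
        "x_forwarded_for": xff,      # recorded as-is, never acted on alone
        "client": resolve_client_ip(remote_addr, xff, trusted),
    }


# Constructed sample requests: (TCP peer, X-Forwarded-For header).
SAMPLE_REQUESTS = [
    ("203.0.113.5", "198.51.100.9"),                      # direct client spoofing XFF
    ("10.0.0.1", "203.0.113.5"),                          # via trusted proxy
    ("10.0.0.1", "198.51.100.9, 203.0.113.5, 10.0.0.2"),  # client-supplied prefix
    ("10.0.0.1", None),                                   # proxy added no header
    ("10.0.0.1", "10.0.0.3, 10.0.0.2"),                   # internal client
    ("10.0.0.1", "203.0.113.5, not-an-ip"),               # malformed hop nearest us
    ("10.0.0.1", "[2001:db8::1]"),                        # bracketed IPv6 client
]


def resolve_samples(trusted: Iterable[str] = TRUSTED_PROXIES) -> list:
    return [audit_record(peer, xff, trusted)["client"] for peer, xff in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (peer, xff), client in zip(SAMPLE_REQUESTS, resolve_samples()):
        print(f"peer={peer:<12} xff={xff!r:<42} -> client={client}")
```

The first sample is the case that makes "just trust the header" dangerous: a direct client sets X-Forwarded-For to an allowlisted address and, without the peer check, would be logged (or admitted to login/admin) as that address. The third sample shows why the walk is from the right rather than taking the leftmost entry.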

0
Cory Silva

Hi swhite,

Were you able to get any traction with this?


