Support X-Forwarded-For headers

  • updated
  • Considering for Future Release

Due to insurance and industry requirements we are required to host CW Control behind an approved WAF/Proxy. But in doing so, all web activity is logged with the WAF/proxy IP instead of the end-client IP. This decreases the value of the built-in CW Control logging and triggers functionality.



Support has confirmed that CW Control does not currently support X-Forwarded-For (XFF), which is a de facto web standard for passing client IPs through web proxies. Can we get this header feature added? https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For


I was told Control is unable to read the header response so I wouldn't be able to manually enable it via "Security Toolkit" > "ExtraSecurityHttpHeadersList".


Thanks,
Pinned replies
0
Sean White Team Member
  • Answer
  • Considering for Future Release

Thanks for your request. After speaking with our Architecture team, I have registered this request for future consideration.

The key concern is that the product would have to become much more aware of the reverse proxy sitting in front of it in order to properly handle the traffic in a secure manner.
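The handling concern raised in this reply, as an added example that is not part of the thread and is not ConnectWise code: X-Forwarded-For is only trustworthy when the connection itself comes from a known proxy, and only the entries appended by that proxy tier can be believed. The function name, the trusted ranges and the sample addresses are assumptions made up for illustration.

```python
import ipaddress

# Constructed values: address ranges of the WAF/proxy tier (assumption).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.0.2.10/32")]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def resolve_client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to log for a request (hypothetical helper).

    peer_ip:    source address of the TCP connection; a header cannot forge it.
    xff_header: raw X-Forwarded-For value, or None if absent.
    """
    peer = ipaddress.ip_address(peer_ip)
    # A connection that does not come from the proxy tier carries a
    # client-controlled header, so the header is ignored entirely.
    if not xff_header or not _is_trusted(peer, trusted):
        return str(peer)
    last_good = peer
    # Each proxy appends the address it received the request from, so the
    # rightmost entries are the ones written by our own infrastructure.
    for raw in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(raw.strip())
        except ValueError:
            # Malformed entry: stop and keep the last address we could verify.
            return str(last_good)
        if not _is_trusted(hop, trusted):
            # First hop outside our control: the client as the WAF saw it.
            # Anything further left was supplied by that client.
            return str(hop)
        last_good = hop
    # Every hop was a trusted proxy (for example an internal health check).
    return str(last_good)
```

Logging the raw header value alongside the resolved address keeps the full chain available for later investigation.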

1
Chris M

Was there progress on this?

1
c2020

Are there any updates on this? I too would like to see this feature implemented.

0
c2020
Quote from SConsulting

I just noticed that this is even mentioned in Mandiant's Remediation + Hardening Guide from, on page 7:

https://www.connectwise.com/globalassets/media/asset-docs/ebook/screenconnect/connectwise-screenconnect-remediation-hardening-guide-1.pdf


● Enable X-Forwarded-For Request Header Logging. If a load balancer or reverse proxy server is
placed in front of ScreenConnect server(s), ensure that the X-Forwarded-For field is enabled to
capture the true external IP address associated with inbound requests.

Thanks for linking to this from a ConnectWise source. This appears to be sanctioned by CW if they're hosting the document so I hope this gets implemented soon.

0
danny

We also think this is a MUST have feature implemented.

1
Eli Hunter

I'm looking for this feature as well. I can't believe this was requested 3 years ago and there doesn't seem to be any movement on it.

1
Scott H.

I'm just going to bring up SCConsulting's earlier comment,

I just noticed that this is even mentioned in Mandiant's Remediation + Hardening Guide from, on page 7:

https://www.connectwise.com/globalassets/media/asset-docs/ebook/screenconnect/connectwise-screenconnect-remediation-hardening-guide-1.pdf

● Enable X-Forwarded-For Request Header Logging. If a load balancer or reverse proxy server is
placed in front of ScreenConnect server(s), ensure that the X-Forwarded-For field is enabled to
capture the true external IP address associated with inbound requests.

It's been almost a year now since ConnectWise posted this Hardening guide that includes a bullet point to enable a feature that doesn't exist. Has there been ANY progress on getting this added? Even just the logging aspect?

0
Chris M

Is there any update? This feature is incredibly important.


