← All posts

ConnectWise ScreenConnect Alternatives for MSPs in 2026

ScreenConnect's agent-only model and the CVE-2024-1709 breach leave MSPs exposed. Here is the no-agent router-tunnel alternative for whole client sites.

ConnectWise ScreenConnect, sold as ConnectWise Control, is one of the most widely deployed remote support tools in the MSP world. It does one thing very well: unattended and attended remote control of Windows and Mac endpoints through a lightweight agent, with a fast HTML5 session viewer. For a helpdesk that lives on user desktops, it is hard to beat.

In February 2024 that same install base became a liability. CVE-2024-1709, an authentication bypass in the ScreenConnect setup wizard rated CVSS 10.0, let attackers create an administrator account on unpatched self-hosted servers with a crafted URL. It was exploited within days and used to push ransomware through MSP-managed fleets. Two years on, plenty of MSPs are still asking whether an agent on every managed machine, reachable through one internet-facing control server, is the right model for every part of their client estate.

What ScreenConnect Does Well

ScreenConnect is a mature attended and unattended support tool. The agent installs quietly, reconnects reliably, and the session viewer is quick even on poor links. Self-hosting gives you control of where session data lives, which was a genuine advantage over cloud-only competitors, right up until the self-hosted server became the thing being exploited. For remote control of end-user PCs and servers, ScreenConnect remains a solid product.

Where It Falls Short for MSPs

Agent-only architecture. ScreenConnect reaches a device only if that device runs the ScreenConnect agent. That covers Windows and Mac endpoints. It does not cover the devices that generate a large share of an MSP's after-hours tickets:

  • NVR and camera systems (Hikvision, Dahua, Uniview), embedded firmware, no place to install an agent
  • PBX telephone systems (Yeastar, Grandstream, Matrix Comsec), proprietary OS, third-party software voids the support contract
  • Managed switches, routers, and firewalls (Cisco, Ubiquiti, MikroTik), no general-purpose software layer
  • Printers, access control panels, and industrial HMIs, real-time or embedded systems with no agent path

For an MSP running hotels, clinics, retail branches, or industrial sites, those unreachable devices are not an edge case. A hotel PBX that drops SIP trunks or an NVR that needs a firmware push is a call you still have to answer, and ScreenConnect cannot get you there. You end up keeping a second method for everything the agent cannot touch.

Attack surface. The agent-plus-control-server model means every managed endpoint trusts one internet-reachable server, and that server holds the keys to the whole fleet. CVE-2024-1709 showed the blast radius when it is compromised: every device with the agent installed. Patching becomes a security-critical, MSP-wide obligation.

The Router Tunnel Alternative

ProxyLink solves the same problem from the other end. Instead of an agent on every device, you install one WireGuard tunnel on the client site's router or gateway, MikroTik, pfSense, OPNsense, EdgeRouter, or any Linux box. The router dials outbound to ProxyLink and holds the tunnel open with a persistent keepalive. From there, every IP on that LAN is reachable, whether or not the device can run software.

Because the tunnel initiates outbound, CGNAT, dynamic IPs, Starlink, and LTE-only sites all work the same way, with no port forwarding and no static IP. And there are zero open inbound ports on the client network: a scan of the site's ISP range finds nothing to connect to. There is no per-client control server sitting on the internet waiting to be the next CVE. For multi-VLAN sites, declare each subnet when you create the tunnel and one WireGuard peer covers the main LAN, the PBX VLAN, and the camera VLAN together.

What ProxyLink Covers

ProxyLink wraps that tunnel in a browser access layer. Each device at each client site becomes a link in the dashboard:

  • Browser RDP, full Windows Remote Desktop in a browser tab via Apache Guacamole, no mstsc.exe and no client software on the engineer's laptop
  • Browser SSH, terminal access for Linux, MikroTik, and Cisco IOS including enable mode
  • Browser VNC, view and drive Mac and Linux desktops or an HMI operator screen
  • HTTP/HTTPS proxy links, NVR web UI, PBX admin panel, switch management, Synology DSM, any web interface on any port
  • TCP/UDP links, raw RTSP video, SIP/VoIP, and proprietary non-HTTP protocols

Session recording and an audit log are included on paid plans: engineer identity, target IP and port, timestamp, and duration per connection. Two-factor authentication is available on every account, and WireGuard peer isolation is enforced at the kernel level, so one client's tunnel can never reach another's.

Comparison

PlatformModelReaches network devicesHosting
ScreenConnect (self-hosted)Agent + control serverNoYour server (CVE-2024-1709)
ScreenConnect (cloud)Agent + control serverNoConnectWise cloud (US)
ProxyLinkOne router tunnel per siteYes, nativelyHetzner Germany

When ScreenConnect Still Fits

If your work is almost entirely control of end-user Windows and Mac machines, ScreenConnect is a capable tool and there is no reason to rip it out. The two models are not mutually exclusive: many MSPs run an agent-based tool for user desktops and a router tunnel for the network devices, servers, and appliances the agent cannot reach. Where ProxyLink earns its place is the half of the estate ScreenConnect was never built to touch, at one tunnel per site instead of one agent per device.

Try ProxyLink free at app.proxylink.dev, no card required, free during early access. One tunnel per client router, every device on the LAN reachable from a browser. Setup guides for MikroTik, pfSense, OPNsense, and EdgeRouter are in the docs.

ProxyLink is free during Early Access

One WireGuard tunnel on a router gives you browser RDP, VNC, and SSH to every device on the LAN. No agent on the target. No credit card. No trial countdown.

Get free access →
← Back to all posts