Change SSL VPN Port

Is it possible to change the SSL VPN Port for Remote Access??

... and for the User Portal, too?

  • The User Portal port can be changed under System > Administration > Settings.
    Unfortunately I don't believe you can change the SSL VPN port.
  • In reply to GtVYU:

    If it's using port 443, won't that conflict with any WAF profiles you create on the same IP using HTTPS? If so, then SSL VPN port configuration needs to be enabled ASAP.

  • In reply to EmileBelcourt:

    Please urgently "fix" this, as many customers don't use 443 for the SSL VPN connections.
  • Hi,

    Under System > Administration > Settings
    Change the "User Portal HTTPS Port" port; this port will also be used for SSL VPN remote connections.

  • In reply to CarlosCesario:

    Hi Carlos, unfortunately you are wrong. The XG uses TCP 8443 per default for SSL VPN. (Verified via tcpdump.) The User Portal SSL Port configuration has no impact on that.

  • In reply to CarlosCesario:

    TCP 8443 :) pardon
  • In reply to MarcBorgers:

    Hi, MarcBorgers

    Yes, the same port defined in System > Administration > Settings > "User Portal HTTPS Port" :)
    Changing it will impact the VPN config :) .. Try it
  • In reply to CarlosCesario:

    I have checked it. (System > Administration > Settings > User Portal HTTPS Port) This function is not equal to the Cyberoam configuration. Sophos use it for their User Portal and not for the SSL VPN as shown under KB1775 ( http://kb.cyberoam.com/default.asp?id=1775 ) The Sophos XG configuration site looks familiar to the Cyberoam configuration site, but the function seems to be different. I have tried 5 different port configurations and the created SSL VPN Profile (downloaded on the User Portal Site) still contains TCP 8443. So I've found my own workaround...

    Add a new rule of type Business Application Policy.
    Set application template to "Non-HTTP Based Policy".
    Give it a name.
    Set your source host to any.
    Under Hosted Server: Set source zone to "WAN"

    Under Protected Application Servers: Set protected zone to LAN
    Set protected application server to the LAN IP of the XG.
    Do not forward all ports.

    Under Port Forwarding: Set your protocol to the SSL VPN value.
    External port type is port.
    External port is 443
    Mapped port type is port as well.
    Set your internal port to 8443.

    Under Policies for Business Applications: Set Intrusion Prevention to "WAN to LAN"

    Finally, open the VPN SSL configuration file with Notepad and change the SSL port to 443.

    Done...

  • In reply to MarcBorgers:

    This is not a viable option for anything larger than 2 people. Another need for this is guest wireless networks blocking non-standard ports. That "change the SSL VPN port" field needs to be re-added, preferably as soon as possible.
  • In reply to EmileBelcourt:

    Hello, is there a way to change the port? In the roadmap maybe?

  • In reply to scaledem:

    Hi Scale, I hope it's in soon because it is a requirement!

  • Yuck. Currently sitting in a hospital whose network blocks non-standard web ports (including the Sophos SSL VPN port 8443) and so I am unable to connect to my VPN.

    At some later date I may try the workaround suggested by  but this is not ideal and I wonder whether this will disable the User Portal on port 443. (Although perhaps the solution there is to change the User Portal HTTPS port to something else, and then use 443 for the VPN using the forwarding policy?)

    In any case this is a mess, and there should be a configuration option for the SSL VPN Port as well, so that admins can decide which services to expose on the standard web ports. Ideally if the User Portal and VPN can both share 443 and the software can recognize the VPN traffic and deal with it appropriately in order to distinguish it from the User Portal traffic, then both of those services can be made available to someone in my current situation.

  • I just realized that in my XG I had set up port 8443 to be forwarded to an internal server for other purposes; however, the VPN config file I downloaded says "8443", and both the VPN and my port forward work.

  • In reply to scaledem:

    Hi Scaledem,

    Indeed, we have a request to make the SSL VPN port changeable in our backlog. So this feature will be implemented. I am not quite sure how fast we will be able to deliver you this feature, but it is definitely planned with major priority.

    Greetings

    Holger

  • In reply to HolgerLehn:

    Bump.  The XG appliances need this feature sooner rather than later.  UTM9 and SG both had the option and now we have clients complaining that the feature is missing.  They are threatening to either go back to UTM9 or worse yet, move to a new vendor.

    Please escalate the urgency of this request!  I am also testing v16 and noticed that it hasn't made it into that update yet either.