Change SSL VPN Port

Is it possible to change the SSL VPN Port for Remote Access??

... and for the User Portal, too?

  • In reply to guillaume bottollier:

    Thank you for your comments.


    I agree 443 UDP is not as good as 443 TCP for getting through general public firewalls, but unless we can generate a WAF rule to use a specific address (as per SNI for HTTPS), then I am limited to the options available.


    WIth regards to 443UDP vs other ports, Yes I agree 443UDP is more likely to be blocked in comparison to 443TCP, but it is significantly more likely for non 443 ports to be blocked and 443UDP to be open and acceptable.

    Also SSL VPN supposedly has better performance on UDP than TCP (according to the setup options, I have never had the opportunity to find out)





  • In reply to TheEther:



    Yes I moved the user portal from 443 to 444 when I tried it, and I have just tried again now with no luck

    I get the red pop up box saying "The selected Port is already used by another service. Please choose a different Port."





  • In reply to Ian Rogers:

    Also tried, you can not use 443 tcp or udp for vpn ssl and/or user portal since you activate a waf with https rule (and the contrary)

    should be great if sophos let choice on which port/public ip vpn ssl and user portal listen as it could be possible to have waf on one port/ip AND ssl vpn on an other port/ip.

    but it's not the case..

  • In reply to guillaume bottollier:



    I can use 443 for WAF and User Portal, this is my normal configuration.  I assume this is because WAF is only available on WAN IP And User Portal from various local interfaces.


    As SSL VPN can use all interfaces, I assume this has an effect on why it cannot be enabled.   On that note, I have just disabled SSL VPN from ALL interfaces and tried again, but still an error.

  • In Version SFOS 17.1.0 GA, now you can change the port for User Portal and SSL VPN as well from default port 443 to any as per your desire.

    Reference release note:- 

    • SSL VPN Port Option - one of the most requested features on XG Firewall is the option to customize the SSL VPN listening port.




  • In reply to Muhammad Imran Shaikh:

    Hello Imran,

    I know the new feature has been added to do this. My original post onto this thread (page 5 iirc) and the subsequent discussion was because of the fact that this new feature seems to have an issue...

    If you are using WAF / User Portal on TCP 443 you still cannot set the vpn to UDP 443, but you can still change it to other ports.

  • In reply to Ian Rogers:

    Hello Ian,

    I complete agree from you, it is restricted with User Portal only. you may use 443 for SSL VPN and WAF at same time but not with User Portal.


    Currently i am using it by changing the User Portal Port only.




  • In reply to Muhammad Imran Shaikh:


    Can you please share how you made that work?

    I have User portal on 444, WAF on 443 and SSL VPN on 8443. When I try to change SSL VPN to 443 (UDP) it says the port is already used.

    If I change the WAF port to something else, SSL VPN can be changed to 443 without issues. So I would really love to know how you managed to habe SSLVPN and WAF on the same port. I can live with user portal on a different port.


  • In reply to ZLogistics:


    were you able to set the WAF back to 443 after you had the SSL VPN on 443?

  • In reply to PeerScholz:

    No, I can't. Just tested it. If I change SSL VPN to 443 (UDP), when I try to change WAF to 443 it says the port is used elsewhere.

    The user portal is in port 444 so it's not interfering.

  • In reply to ZLogistics:

    Hi all,

    It is possible to have SSL VPN and User Portal on Port 443. 

    It is not possible to have SSL VPN / User Portal and WAF the same port.


    SSL VPN and User Portal can share the same port. 


    As far as i know, we are currently working on this.

  • In reply to LuCar Toni:

    Thanks for clearing that up.

    Do you have a rough ETA? I think we will have to cancel our migration for the second time until this is available

  • In reply to ZLogistics:

    I am not aware of a ETA for this. 

    currently, if somebody is running into this limitation, i am using 10443 for SSL VPN or leave 8443 for ssl vpn and using a DNAT trick with another appliances. 

    So simply DNAT 443 SSL VPN to Interface A to another XG / appliance and DNAT it 8443 to XG or use another appliance for SSL VPN only on Port 443. 

    It is not the best Solutions but it works fine until the change / port sharing is possible. 

  • In reply to LuCar Toni:

    I only have an HA cluster (active/passive) of XG, so that shouldn't be possible. I will have to go back to UTM or use a different port for SSL VPN. I don't know what's worse at this point.