configuring a secondary ('alias') port for the VPN

Hi mouk 

Could you please provide more details to your requirements and configuration and VPN technology used by you?

Is Sophos XG acting as a VPN server or VPN server is hosted behind the firewall?

Hi Keyur,

Yes: sophos XG is the VPN server, hence my question on the forum here. :-)

Thanks for your response!

Hi Keyur,

Yes: sophos XG is the VPN server, hence my question on the forum here. :-)

Thanks for your response!

Hi mouk 

Which VPN are you using and please provide more details on your requirement and existing setup so that we can provide you all the relevant details and try to resolve the issue.

Hi Keyur,

Apologies. We are using the sophos XG builtin SSL VPN (remote access) for end users. Clients download and install their full installation package from the end-user portal. We realize that this config will contain the regular port 4444.

What we are looking for: an alternative port. On some networks, outgoing 4444 is blocked nowadays.

So: in that case, advanced users would be able to edit their .ovpn config, to attempt the connection on a different port, in case the 4444 port is blocked.

(of course in the case of DPI, using a different port would probably not help, but if a network simply blocks certain ports like 4444, using a regular port (443) could help.

Please let me know what more info you need.

Thanks again for your replies so far!

Hi mouk 

The user portal from where you can download clients and other config files has default port 443 unless it has been changed by the firewall admin. 

If you create Alias on WAN port it would be accessible same as the existing web portal URL, there is no feature to separate user portal access on different port but you can change the port Go to Administration > Admin Settings, under Admin Port Settings change Admin Console HTTPS Port and User Portal HTTPS Port to a different custom ports.

https://community.sophos.com/kb/en-us/123148

Hi Keyur,

Ok, I don't completely get the second paragraph, but think you're saying I can change the ports under Administration > Admin Settings, Admin Port Settings.

I have seen that, but the thing is: that would change the global configuration, and would require our end-users to re-download their VPN configs again, right..?

What I am looking for is, perhaps using a DNAT rule or so, to create an additional listener for the XG VPN service but on another port, for example 443.

I would like the XG VPN to be reachable on that port as well.

So my regular users would download their installation package from the end user portal, and be up and running on port 4444. And more advanced users on some remote network blocking outgoing port 4444, would be able to try connecting on a different port.

Hi mouk 

Unfortunately what you are trying to do is not supported.  however you could try a DNAT rule that listens on that IP for the port you want, then do a port translation and forward to XG internal IP and SSL VPN port set.  Also ensure to set the MASQ policy.

Please ensure you have a way to access the XG again as this may cause all services on the XG serving admin portal, user portal, etc to stop working until the rule is removed.  As stated this is not supported by us and if you have any trouble with this, support will state that its a feature request and to submit it as such.

Let us know how it goes.

Thanks!

Hi KingChris!

I had missed your reply, sorry!

I will try your suggestion, and report back here. Could be a few days, because of the requirement to be onsite, in case things go wrong.

And we realise it's not going to be a supported setup. :-)

Thanks!