

configuring a secondary ('alias') port for the VPN

Hi,

We are running SFOS 17.5.9 MR-9 with VPN server on our WAN primary_IP:4444

Our XG also has a second public IP, and now we would like to create a second VPN listener on that IP, with the same config but on a different port, 443.

We know we can globally change the VPN port, but we like to continue using the current VPN config as it is now.

The question: is there a way (a DNAT rule, for example?) to make this secondary_IP:443 an 'alias' for primary_IP:4444?

Would that work?



  • Hi Keyur,

    Apologies. We are using the Sophos XG built-in SSL VPN (remote access) for end users. Clients download and install their full installation package from the end-user portal. We realize that this config will contain the regular port 4444.

    What we are looking for: an alternative port. On some networks, outgoing 4444 is blocked nowadays.

    So: in that case, advanced users would be able to edit their .ovpn config, to attempt the connection on a different port, in case the 4444 port is blocked.

    (Of course, in the case of DPI, using a different port would probably not help, but if a network simply blocks certain ports like 4444, using a regular port (443) could help.)

    Please let me know what more info you need.

    Thanks again for your replies so far!
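The per-user edit described in this post, written out as an added example (it is not from the original thread and not a Sophos-generated file): the XG-generated .ovpn is left as downloaded, and a second `remote` line is added for the alias listener. OpenVPN walks the `remote` list in order, so the standard listener on port 4444 is still tried first and the alias on 443 is used only when the first attempt fails. The addresses are constructed documentation-range placeholders standing in for primary_IP and secondary_IP, and the alias line assumes the DNAT rule discussed later in the thread is in place.

```conf
# Constructed example: the relevant lines of an edited .ovpn client file.
# 203.0.113.10 stands in for primary_IP, 203.0.113.11 for secondary_IP.
# Everything else (proto, ca, cert, key, tls-auth, cipher ...) stays exactly
# as the XG user portal generated it; the alias listener must use the same
# protocol (TCP/UDP) as the original, because the DNAT rule forwards only that.

# Original listener from the generated file, tried first:
remote 203.0.113.10 4444

# Alias listener on the second public IP, tried only if the line above fails.
# Assumes a DNAT rule maps 203.0.113.11:443 -> 203.0.113.10:4444 on the XG.
remote 203.0.113.11 443

# Do not wait the default 120 s per remote before moving to the next one:
connect-timeout 10
# Try each remote entry at most twice before giving up entirely:
connect-retry-max 2
```

Because the first `remote` still points at the standard port, a user on an unrestricted network sees no change in behaviour; only when port 4444 is blocked does the client fall through to the 443 alias. Leaving `remote-random` out keeps that ordering deterministic.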

  • Hi  

    The user portal from where you can download clients and other config files has default port 443 unless it has been changed by the firewall admin. 

    If you create an alias on the WAN port, it would be accessible the same as the existing web portal URL. There is no feature to separate user portal access on a different port, but you can change the port: go to Administration > Admin Settings, and under Admin Port Settings change Admin Console HTTPS Port and User Portal HTTPS Port to different custom ports.

    https://community.sophos.com/kb/en-us/123148

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link

  • Hi Keyur,

    OK, I don't completely get the second paragraph, but I think you're saying I can change the ports under Administration > Admin Settings, Admin Port Settings.

    I have seen that, but the thing is: that would change the global configuration, and would require our end users to re-download their VPN configs again, right?

    What I am looking for is, perhaps using a DNAT rule or so, to create an additional listener for the XG VPN service but on another port, for example 443.

    I would like the XG VPN to be reachable on that port as well.

    So my regular users would download their installation package from the end-user portal and be up and running on port 4444, and more advanced users on some remote network blocking outgoing port 4444 would be able to try connecting on a different port.

  • Hi  

    Unfortunately, what you are trying to do is not supported. However, you could try a DNAT rule that listens on that IP for the port you want, then do a port translation and forward to the XG internal IP and the SSL VPN port set. Also ensure you set the MASQ policy.

    Please ensure you have a way to access the XG again, as this may cause all services on the XG serving the admin portal, user portal, etc. to stop working until the rule is removed. As stated, this is not supported by us, and if you have any trouble with this, support will state that it's a feature request and to submit it as such.

    Let us know how it goes.

    Thanks!

    KingChris
    Community Support | Sophos Support


  • Hi KingChris!

    I had missed your reply, sorry!

    I will try your suggestion, and report back here. Could be a few days, because of the requirement to be onsite, in case things go wrong.

    And we realise it's not going to be a supported setup. :-)

    Thanks!