
How to share port TCP 443 for WAF and SSL VPN?

Hi everyone,

I see a lot of comments on this forum saying that sharing port 443 TCP for WAF and SSL VPN is working.

The documentation says that it is not possible: https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RemoteAccessVPN/IPsecSSL/SSLVPN/RAVPNSSLSettings/index.html#port-optional

So I am wondering what's right?

At the moment I have WAF active and all web servers are running fine.

With SSL VPN enabled it works fine on UDP 443, but when I change it to TCP 443 (it must be TCP 443 for compatibility reasons, so that it works on Wi-Fi networks where only 443 TCP is allowed), it does not work (the .ovpn config on the client was replaced).

Do I need to create an additional WAF rule that points to the SSL VPN service at the firewall when using TCP 443? I would understand that, but I don't know how to configure that.

Best regards,

Johnny



This thread was automatically locked due to age.
  • Hello Johnny, 

    Good day. Thanks for reaching out to Sophos Community, hope you are well. 

    The doc guide states there are certain conditions/restrictions for the setup, and in the sample table below from the doc guide, Option 1 for SSL VPN is the possible configuration/setup for your use case (as you would use TCP).

    Hope this helps. Thanks for your time and patience, and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Alright, that means sharing port "443 TCP" is not possible and those threads and comments in the community are wrong. I often see a thread from  where he cites a blog post, which is offline now, saying that it should be possible since 18.5.

    But sharing would mean that a specific VPN URL is able to run through WAF or bypass WAF and let SSL VPN work on the same IP with TCP 443.

    In my imagination it could not be that hard to implement. We would just need a WAF rule for a URL like vpn.company.com without any filtering (just to redirect the traffic) that has the local VPN service as destination. But "redirecting" to the local VPN service is not possible.

    Are you able to add this as a feature request?


    We did that, following my idea above, on some UTMs in the past, to allow access to the user portal through WAF (even though it was officially not possible and not supported), and it has worked for many years until today. But the big disadvantage of that unsupported workaround is that you are not able to block password guessing / too many wrong password attempts, because every access to the user portal comes from the firewall IP itself, because of that NATing to the WAF and its passthrough.

    To let my imagination run further, the WAF and User Portal / SSL VPN would have to be fine-tuned in the Sophos OS code so that the original IP address of the access is delivered to the portal/VPN service, but it could not be that hard, because the firewall has that information.

    Or would it be possible to let the VPN service run on 444 TCP, add a WAF web server with the firewall IP for 444 TCP and create a WAF rule? That's like the user portal workaround I already use (but you need an additional NAT rule to make it work)... I will try that ;-)

    Best regards, Johnny
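The drawback Johnny describes for the user portal workaround (every proxied request reaches the service from the firewall's own IP, so a per-source-IP lockout can no longer tell clients apart) is easy to reproduce in a small simulation. The following is an added example, not code from the thread or from Sophos: it models a failed-login tracker with a lockout threshold, first with all requests collapsed onto the NATed proxy address, then with the original client address recovered from an `X-Forwarded-For` header that is trusted only when the TCP peer is a known proxy. Whether the WAF in question sets such a header is an assumption made here, and the addresses, threshold and request sequence are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass, field

MAX_FAILURES = 5  # hypothetical lockout threshold for this illustration

FIREWALL_IP = "10.0.0.1"        # constructed: WAF/firewall address seen as TCP peer after NAT
ATTACKER_IP = "203.0.113.50"    # constructed sample client addresses (documentation ranges)
USER_IP = "198.51.100.7"


@dataclass
class Request:
    peer_ip: str        # TCP source address as the portal/VPN service sees it
    headers: dict       # HTTP headers; may carry X-Forwarded-For added by a proxy
    login_ok: bool      # whether the submitted credentials were correct


@dataclass
class FailedLoginTracker:
    """Per-client failed-login counter with a simple lockout."""
    trusted_proxies: frozenset = frozenset()
    failures: dict = field(default_factory=lambda: defaultdict(int))

    def client_ip(self, req: Request) -> str:
        """Resolve the address that failures are counted against.

        X-Forwarded-For is believed only when the direct peer is a trusted
        proxy; the rightmost entry is the one that proxy appended, so it is
        the only value a client could not have supplied itself. Any other
        peer is counted by its real TCP address and its header is ignored.
        """
        xff = req.headers.get("X-Forwarded-For")
        if req.peer_ip in self.trusted_proxies and xff:
            return xff.split(",")[-1].strip()
        return req.peer_ip

    def handle(self, req: Request) -> str:
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        key = self.client_ip(req)
        if self.failures[key] >= MAX_FAILURES:
            return "locked"
        if req.login_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "failed"


def via_waf(client_ip: str, login_ok: bool) -> Request:
    """A request that traversed the WAF: the TCP peer is the firewall, and the
    original client survives only in the header (assumed proxy behaviour)."""
    return Request(FIREWALL_IP, {"X-Forwarded-For": client_ip}, login_ok)


def simulate(trusted_proxies: frozenset) -> dict:
    """Six bad logins from one client, then one good login from another."""
    tracker = FailedLoginTracker(trusted_proxies)
    attacker_results = [tracker.handle(via_waf(ATTACKER_IP, False)) for _ in range(6)]
    user_result = tracker.handle(via_waf(USER_IP, True))
    return {
        "attacker_last": attacker_results[-1],
        "user": user_result,
        "buckets": dict(tracker.failures),
    }


if __name__ == "__main__":
    # Proxy not trusted / header not consumed: every request counts as the firewall,
    # so the legitimate user is locked out along with the guessing client.
    print("NAT only:     ", simulate(frozenset()))
    # Header consumed from the trusted proxy: per-client accounting is restored.
    print("trusted proxy:", simulate(frozenset({FIREWALL_IP})))
```

In the first run the legitimate user's correct login is answered with `locked` because the guesser's five failures were charged to the shared firewall address; in the second run only the guessing client is locked and the user logs in. The trust check on the peer address matters: without it, any client connecting directly could set `X-Forwarded-For` and spread its own failures across invented addresses.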