Change SSL VPN Port

Question

Is it possible to change the SSL VPN Port for Remote Access?? 
 ... and for the User Portal, too?

Aditya Patel · Accepted Answer

Hi mapelo , 
 The feature is now available on 17.1 GA release.

Emile Belcourt · Answer

If it's using port 443, won't that conflict with any WAF profiles you create on the same IP using HTTPS? If so, then SSL VPN port configuration needs to be enabled ASAP.

MarcBorgers · Answer

I have checked it. (System > Administration > Settings > User Portal HTTPS Port) This function is not equal to the Cyberoam configuration. Sophos use it for their User Portal and not for the SSL VPN as shown under KB1775 ( http://kb.cyberoam.com/default.asp?id=1775 ) The Sophos XG configuration site looks familiar to the Cyberoam configuration site, but the function seems to be different. I have tried 5 different port configurations and the created SSL VPN Profile (downloaded on the User Portal Site) still contains TCP 8443. So I've found my own workaround... Add a new rule of type Business Application Policy. Set application template to "Non-HTTP Based Policy". Give it a name. Set your source host to any. Under Hosted Server: Set source zone to "WAN" Under Protected Application Servers: Set protected zone to LAN Set protected application server to the LAN IP of the XG. Do not forward all ports. Under Port Forwarding: Set your protocol to the SSL VPN value. External port type is port. External port is 443 Mapped port type is port as well. Set your internal port to 8443. Under Policies for Business Applications: Set Intrusion Prevention to "WAN to LAN" Finaly open the VPN SSL Configration File with notepad and change the SSL port to 443. Done...

BrianCarp · Answer

Yuck. Currently sitting in a hospital whose network blocks non-standard web ports (including the Sophos SSL VPN port 8443) and so I am unable to connect to my VPN. At some later date I may try the workaround suggested by MarcBorgers but this is not ideal and I wonder whether this will disable the User Portal on port 443. (Although perhaps the solution there is to change the User Portal HTTPS port to something else, and then use 443 for the VPN using the forwarding policy?) In any case this is a mess, and there should be a configuration option for the SSL VPN Port as well, so that admins can decide which services to expose on the standard web ports. Ideally if the User Portal and VPN can both share 443 and the software can recognize the VPN traffic and deal with it appropriately in order to distinguish it from the User Portal traffic, then both of those services can be made available to someone in my current situation.

ClaasLisowski · Answer

Hi, 
 I was playing around with VPN SSL and how to change the port. 
 Good news is: It is possible alread y.. in the way how the config file looks like :) 
 
 How I figured out? 
 Go to: VPN --> Show VPN Settings --> Override Hostname 
 The override hostname is the critical field. Here I needed to put in my Dynamic domain (because I have another router in infront of my Sophos XG before it reaches the internet - yes I have port forwarding there in my fritzbox to the Sophos and after that all the home network devices) ... 
 
 I don't know what's in that field for you... anyway here is my example which should work for you as well: 
 vpn.dyndns.com 6443 # 
 
 The 6443 is the port, and before that is a space. After the port is a space and then that '#' character which is interpreted by OpenVPN as a start of a comment. 
 The line would look this way in the final generated config: 
 
 remote vpn.dyndns.com 6443 # 8443 
 
 Okay, so it is not really changing the port internally which is used but only the config file. 
 In my case I load the config file via iPhone from the user portal and there the port 6443 is now configured. 
 In my fritzbox / router / modem I have port 6443 forwarded to port 8443 to sophos. 
 
 It is probably only a workaround which is not possible for everyone. 
 
 But it's little workaround which works fine for me. 
 Tested with UDP and TCP, Radius auth, + OTP for the VPN connection. 
 
 Hope that helps

guillaume bottollier · Answer

hello 
 i can not respond on waf + ssl vpn on port 443, cause i don't use waf. 
 But in my opnion, it's an error to use 443 UDP, because it is usually blocked by firewalls on public access, like the other exotics ports, as 443 normal traffic is TCP and not UDP !

GtVYU · Answer

The User Portal port can be changed under System > Administration > Settings. 
Unfortunately I don't believe you can change the SSL VPN port.

CarlosCesario · Answer

Hi, Under System > Administration > Settings Change the "User Portal HTTPS Port" port, this port too will be used for SSL VPN remote connection.

HolgerLehn · Answer

Hi Scaledem, 
 indeed we have a request to make SSLVPN port changeable in our backlog. So this feature will be implemented. I am not quite sure how fast we will be able to deliver you this feature, but it is definitly planned with major priority. 
 
 Greetings 
 Holger

HolgerLehn · Answer

Hi mapelo, 
 
 we plan to extend the configuration of SSLVPN. Changing the SSLVPN port is one of the things that we want to add. 
 This has a high priority, but I am not able to give you a timeline. 
 
 Greetings 
 Holger

sachingurung · Answer

Hi All, 
 Please cast your vote on this feature request here. 
 Thanks

HolgerLehn · Answer

Hi, 
 sorry for late answer. This is indeed a very good question. Unfortunatly I do not really have a good answer to your question. 
 But as I said, in the current backlog, this implementation is planned as the next change feature for SFOS. 
 Greetings 
 Holger

HolgerLehn · Answer

Hi Christian, 
 
 let me explain. The complete team, that is reponsible for this issue, is working very hard on bringing IKEv2 for Site-to-Site tunnels into SFOS. So it is just a matter of available resourses. 
 As soon as IKEv2 is implemented (planned for v17) we will start to make it possible to change SSLVPN port. 
 
 Greetings 
 Holger

HolgerLehn · Answer

Hi TheEther, 
 
 this functionality will be delivered with SFOS 17.1. which is currently under testing. 
 
 Regards, 
 Holger

HolgerLehn · Answer

Hi Jacob, 
 this functionality will be shipped with SF 17.1. 
 You do not have to change certificates for your users as the port is not part of the certificate. 
 Hope this answers is helpful. 
 Regards, 
 Holger

HolgerLehn · Answer

Hi, 17.1 is currently in testing ... release date depends also on test results. 
 
 Regards, 
 Holger

HolgerLehn · Answer

Hi SecuredNet, 
 
 the feature you are requesting will be shipped with SF 17.1 which is currently under testing and will hopefully releases soon. 
 
 Regards, 
 Holger

dark moon · Answer

17.1 has been released and this feature is now there.

Deepak Verma · Answer

Hi, 
 This you can do on the Sophos 17.1 version. And here is the detail: 
 https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-17-1-0-ga-released

HolgerLehn · Answer

Hi guillaume , 
 port sharing is possible, so you can use port 443 for user portal and SSLVPN. 
 
 Best regards, 
 Holger

HolgerLehn · Answer

Steve, 
 if you have a valid license, e.g. a home license, you can use the most current SFOS release. 
 At the moment SF 17.1 is not released yet via up-to-date server, but you should find 17.1 in your mySophos portal. 
 
 Best regards, 
 Holger