SSL VPN on port 443/tcp

Please add the possibility to run SSL VPN on port 443/tcp together with WAF. It is the basic industry standard and many customers ask for that.

Jindrich

Sophos Certified Architect for XG and UTM

  • Hello Jindrich,

    This is not functionally possible (as far as I'm aware) because the OVPN uses SSL not HTTPS for the session initialisation. Due to this, the WAF or the XG could not use either the WAF or the OVPN listener to operate on the same port.

    The only way this could be possible is to utilise a completely new listener that listens for HTTPS or SSL initialisation and would then route to the appropriate loopback listener for either the WAF or the OVPN service. That would be performance dragging.

    SSL is not the same as HTTPS.

    If you have a need for it to be 443 for the OVPN then set it to 443/UDP which retains the most compatibility or use an alias IP.

    Edit: It is possible using OpenVPN's port-share ability but again, although it is desirable, it is a minor issue and would require a potentially large development effort to utilise that element: https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/sharing-a-port-between-openvpn-and-a-web-server.html

    Emile
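As an added example (not code from this thread, from Sophos or from OpenVPN): a minimal Python front listener of the kind Emile describes, which takes each incoming 443/tcp connection and hands it to a loopback listener for either the web server or OpenVPN, deciding from the first three bytes of the stream; the decision rule is modelled on the check OpenVPN's own port-share uses to tell its clients from HTTPS. The loopback addresses and ports are assumptions.

```python
import asyncio
# Assumed loopback backends (constructed for this example, not from the thread).
OPENVPN_BACKEND = ("127.0.0.1", 1194)  # openvpn with --proto tcp-server on loopback
HTTPS_BACKEND = ("127.0.0.1", 8443)    # the web server / WAF listener on loopback

# OpenVPN over TCP: 2-byte big-endian length, then opcode byte (opcode << 3 | key_id);
# a session opens with P_CONTROL_HARD_RESET_CLIENT_V2 (0x38) or _V3 (0x50).
OPENVPN_RESET_OPCODES = {7 << 3, 10 << 3}

def classify(first_bytes: bytes) -> str:
    """Return 'openvpn', 'tls' or 'unknown' from the first three bytes of a stream."""
    if len(first_bytes) < 3:
        return "unknown"
    b0, b1, b2 = first_bytes[:3]
    # A reset packet is at least 14 bytes (opcode, 8-byte session id, ack array, ...).
    if b0 == 0 and b1 >= 14 and b2 in OPENVPN_RESET_OPCODES:
        return "openvpn"
    # TLS record header: content type 0x16 (handshake), record version 3.0 to 3.3.
    if b0 == 0x16 and b1 == 0x03 and b2 <= 0x03:
        return "tls"
    return "unknown"

def backend_for(first_bytes: bytes):
    """Loopback backend for a stream, or None when it is neither TLS nor OpenVPN."""
    return {"openvpn": OPENVPN_BACKEND, "tls": HTTPS_BACKEND}.get(classify(first_bytes))

async def _pump(reader, writer):
    try:  # copy one direction until EOF, then close the far side
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()

async def handle(client_reader, client_writer):
    try:
        first = await client_reader.readexactly(3)  # peek at the first bytes only
        target = backend_for(first)
        if target is None:
            raise ConnectionError("neither TLS nor OpenVPN")
        backend_reader, backend_writer = await asyncio.open_connection(*target)
    except (asyncio.IncompleteReadError, OSError):
        client_writer.close()
        return
    backend_writer.write(first)  # replay the peeked bytes so the backend sees the full stream
    await asyncio.gather(_pump(client_reader, backend_writer),
                         _pump(backend_reader, client_writer))

async def serve(bind="0.0.0.0", port=443):
    async with await asyncio.start_server(handle, bind, port) as server:
        await server.serve_forever()
```

Run it with asyncio.run(serve()); classify() is the whole decision, the rest is plain byte forwarding, which is also where the extra latency Emile mentions would come from.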

  • It is absolutely easy to do - and it is possible with Sophos UTM9. Sophos just need to add the selector of the IP address which openvpn and WAF should listen on.

    From the openvpn server point of view, it is a single configuration line:

    "local 192.168.1.1"

    The same has to be done for WAF.

    As far as I know, it is also one of the top requested features from partners (so I was told by a PM like a year ago).

    By the way, check the UTM9 history: slowly but surely this feature was implemented for all the important daemons, starting with User Portal, SSL VPN, WAF, Email Protection, Web Filtering, IPSEC....

    Jindrich Rosicka

    awin IT

  • Hello Jindrich,

    You can run SSL VPN using 443 TCP and WAF at the same time together. Disable SSL VPN on your WAN (which is for all IPs) then make a Device Access ACL that only targets a single WAN IP for SSL VPN services.

    If customers don't want to move to UDP for performance and want TCP for compatibility then that is what I generally do.

    Emile

  • Hello,

    First of all, it is always TCP traffic. Even when you select UDP on SSL VPN (which makes sense for performance reasons), as a result of traffic encryption it is UDP inside a TCP stream. In the end the main reason for port 443/tcp for VPN is to be able to establish the VPN from any network, even where other ports (different than http and https) are blocked, which means you need to use 443/tcp anyway.

    Obviously both VPN and WAF should in most cases be established from the WAN zone (internet), therefore you need to allow it on the WAN zone.

    WAF then always listens on all WAN IP addresses (and you CANNOT select a device access ACL exception for WAF), which means that the 443/tcp port cannot be used for anything else, even when you have multiple public IP addresses on the WAN interface.

    Jindrich Rosicka

    awin IT

  • Hello Jindrich,

    If you select TCP then you are encapsulating the traffic in an encrypted SSL tunnel using a TCP methodology. If you select UDP then you are encapsulating the traffic in an encrypted SSL tunnel using a UDP methodology.

    It is irrelevant to the outside world what is happening inside the tunnel because the encapsulated outside of the tunnel is the only thing visible. I believe you have misread the documentation on how OpenVPN functions between the two methods.

    There is only 1 reason I've perceptibly seen to use 443/TCP and that is for compatibility with all WiFi/4G/ethernet networks because no one in their right mind would block 443/TCP. There are only 2 reasons I've perceptibly seen for using 443/UDP and those are speed (as it is faster and does not suffer from a double TCP retransmission) and that you can have 443/HTTPS and 443/UDP-OpenVPN on the same IP address with little issue.

    In the WAF configuration you can only select 1 IP address as a listener from the GUI; WAF is not controlled by the ACLs.

    Emile

  • What I want to achieve with Sophos XG is SSL VPN and WAF both running on the WAN interface, but using different IP addresses. That is not possible. WAF cannot be selected in device access exceptions at all.

    Jindrich Rosicka

    awin IT

  • Hello Jindrich,

    That is currently possible and I have mentioned in a previous reply how to allow this.

    If you need further assistance I can send you screenshots of an example configuration.

    Emile

  • If you want to use 443/tcp with both SSL VPN and WAF, that is not possible. I would welcome the screenshot.

    Jindrich Rosicka

    awin IT

  • Hello Jindrich,

    You are absolutely right, I have just tried to recreate what I have done in the past and either I was mistaken in the past or something is no longer working.

    Apologies for being dismissive.

     or  would you be able to comment on whether we will be getting the ability to align the SSL VPN to a specific IP object and not globally on configured interfaces?

    I have configured a WAN Device Access ACL which is only for the WAN zone on a specific IP but the listener is on all IPs on the interface irrespective of that configuration.

    Emile

  • There is one solution for that, which is however really complicated. That is using a DNAT rule for one specific WAN IP address and a secondary XG box, i.e. a virtual appliance (you can use the free license), which is doable, however it means a separate VPN box with a separate set of users, groups, rules and everything. This is not acceptable for most of the customers and they would rather accept a different port.

    Sophos really should do something about this.

    Jindrich Rosicka

    awin IT