Please add possibility to run SSL VPN on port 443/tcp together with WAF. It is the basic industry standard and many customers ask for that.
Jindrich
Sophos Certified Architect for XG and UTM
Please add possibility to run SSL VPN on port 443/tcp together with WAF. It is the basic industry standard and many customers ask for that.
Jindrich
Sophos Certified Architect for XG and UTM
Hello Jindrich,
This is not functionally possible (as far as I'm aware) because the OVPN uses SSL not HTTPS for the session initialisation. Due to this, the WAF or the XG could not use either the WAF or the OVPN listener to operate on the same port.
The only way this could be possible is utilise a complete new listener that listens for HTTPS or SSL intialisation that would then be routed to the appopriate loopback listener either for the WAF or the OVPN service. That would be performance dragging.
SSL is not the same as HTTPS.
If you have a need for it to be 443 for the OVPN then set it to 443/UDP which retains the most compatibility or use an alias IP.
Edit: It is possible using OpenVPNs Portshare ability but again, although it is a desirable it is a minor issue and would require a potentially large development effort to utilise that element: https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/sharing-a-port-between-openvpn-and-a-web-server.html
Emile
It is absolutely easy to do - and it is possible with Sophos UTM9. Sophos just need to add the selector of the IP address, which openvpn and WAF should listen on.
From the openvpn server point of view, it is a single configuration line:
"local 192.168.1.1"
the same has to be done for WAF.
As far as I know, it is also one of top requested feature from partners (so I was told by PM like a year ago).
By the way check UTM9 history, slowly but surely this feature was implemented for all the important deamons: starting with User Portal, SSL VPN, WAF, Email Protection, Web Filtering, IPSEC....
Jindrich Rosicka
awin IT
Hello Jindrich,
You are absolutely right, I have just tried to recreate what I have done in the past and either I was mistaken in the past or something is no longer working.
Apologies for being dismissive.
PMParth or AlanT would you be able to comment on whether we will be getting the ability to align the SSL VPN to a specific IP object and not globally on configured interfaces?
I have configured a WAN Device Access ACL which is only for the WAN zone on a specific IP but the listener is on all IPs on the interface irrespective of that configuration.
Emile
There is one solution for that, which is however really complicated. That is using DNAT rule for one specific WAN IP address and secondary XG box i.e. virtual appliance (you can use free license), which is doable, however it means separate VPN box with separate set of users, groups, rules and everything. This is not acceptable for most of the customers and they would rather accept different port.
Sophos really should do something about this.
Jindrich Rosicka
awin IT
Hi Jindrich,
Yes, that is possible but doing that with a free license in a business context is against the terms and conditions of the free home license.
I've tagged the two PMs and hope either of them are responsible for this and can comment.
Emile
I am afraid, that you would need that (possibility to listen on specific IP address) AT LEAST for:
XG SSL VPN
XG WAF
XG User portal
Again - all of that was slowly but surely added in UTM9 history.
Possibility to change SSL VPN port is really useless without possibility to use 443/tcp.
PS: Btw. in UTM9 you can use SSL VPN and User Portal both on same IP and port...
Jindrich Rosicka
awin IT
As far as I know the free !BASE! license is usable also for business without limitation (only that you have no support, but can you buy support separately).
Again - it is just theory we only sell hardware appliances - always (except UTM9 email protection only).
Jindrich Rosicka
awin IT
Base License in XG has a single purchase cost. After this, its free to use for commercial uses.
Its not like on UTM, hence the base license has more features.
Just to be sure: XG supports User Portal and SSL VPN on the same port like UTM.
Only WAF is blocked by SSL VPN after changing the port to the same port.
__________________________________________________________________________________________________________________
Hi Jindrich,
There is not a free base license for the XG in a virtual config and as Lucar states a perpetual base license does have to be puchased.
I've just checked and the User portal and SSL VPN cannot seem to co-exist on the same interface if they are both TCP/443.
Emile
Actually even more. WAF na User portal supports the same port (443/tcp) :-)
Jindrich Rosicka
awin IT
Tried now SSL VPN and User Portal on Port 1443. Works fine. So most likely both will work on 443.
__________________________________________________________________________________________________________________
You are absolutely right. We sell hardware appliances, which is bundle of hardware and base license. I never realize, that for virtual appliance you have to buy base license. Thanks for pointing this out - additional reason for SSL VPN on port 443/tcp :-)
Jindrich Rosicka
awin IT
You are absolutely right. We sell hardware appliances, which is bundle of hardware and base license. I never realize, that for virtual appliance you have to buy base license. Thanks for pointing this out - additional reason for SSL VPN on port 443/tcp :-)
Jindrich Rosicka
awin IT