SSL VPN on port 443/tcp

Hello Jindrich,

This is not functionally possible (as far as I'm aware) because the OVPN uses SSL not HTTPS for the session initialisation. Due to this, the WAF or the XG could not use either the WAF or the OVPN listener to operate on the same port.

The only way this could be possible is utilise a complete new listener that listens for HTTPS or SSL intialisation that would then be routed to the appopriate loopback listener either for the WAF or the OVPN service. That would be performance dragging.

SSL is not the same as HTTPS.

If you have a need for it to be 443 for the OVPN then set it to 443/UDP which retains the most compatibility or use an alias IP.

Edit: It is possible using OpenVPNs Portshare ability but again, although it is a desirable it is a minor issue and would require a potentially large development effort to utilise that element: https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/sharing-a-port-between-openvpn-and-a-web-server.html

Emile

It is absolutely easy to do - and it is possible with Sophos UTM9. Sophos just need to add the selector of the IP address, which openvpn and WAF should listen on.

From the openvpn server point of view, it is a single configuration line:

"local 192.168.1.1"

the same has to be done for WAF.

As far as I know, it is also one of top requested feature from partners (so I was told by PM like a year ago).

By the way check UTM9 history, slowly but surely this feature was implemented for all the important deamons: starting with User Portal, SSL VPN, WAF, Email Protection, Web Filtering, IPSEC....

Base License in XG has a single purchase cost. After this, its free to use for commercial uses. 

Its not like on UTM, hence the base license has more features. 

Just to be sure: XG supports User Portal and SSL VPN on the same port like UTM. 

Only WAF is blocked by SSL VPN after changing the port to the same port. 

Hi Jindrich,

There is not a free base license for the XG in a virtual config and as Lucar states a perpetual base license does have to be puchased.

I've just checked and the User portal and SSL VPN cannot seem to co-exist on the same interface if they are both TCP/443.

Emile

Actually even more. WAF na User portal supports the same port (443/tcp) :-)

Tried now SSL VPN and User Portal on Port 1443. Works fine. So most likely both will work on 443. 

You are absolutely right. We sell hardware appliances, which is bundle of hardware and base license. I never realize, that for virtual appliance you have to buy base license. Thanks for pointing this out - additional reason for SSL VPN on port 443/tcp :-)

They will, until you need to use 443/tcp for WAF.

So recommended setup from me is:

WAF+User portal - 443/tcp - so you don't need special port for User portal

SSL VPN -> any other port, which in this case really does not matter....

Hi Lucar,

Yes, you can do it for 1443 but you cannot do it for 443, there seems to be extra checks on 443. See below on the failure:

But works if it's set to 1443:

There is definitely something wrong on the 443 port.

Emile

The extra check is most prorably WAF :-)

Hello Jindrich,

I disabled the WAF for these tests.

Emile

That is not possible. Just tested this on XG18 EAP2 (but the behaviour is the same on 17.5).

The SSL VPN and User Portal both on 443/tcp work - see pictures below.

However WAF on 443/tcp together with SSL VPN AND/OR User portal does not work.

The first picture is conflict with SSL VPN (error says other port), The second picture shows confict with User Portal.

So recommended settings from me is:

WAF + User Portal on 443/tcp, but SSL VPN has to be on other port.

That is not possible. Just tested this on XG18 EAP2 (but the behaviour is the same on 17.5).

The SSL VPN and User Portal both on 443/tcp work - see pictures below.

However WAF on 443/tcp together with SSL VPN AND/OR User portal does not work.

The first picture is conflict with SSL VPN (error says other port), The second picture shows confict with User Portal.

So recommended settings from me is:

WAF + User Portal on 443/tcp, but SSL VPN has to be on other port.