RasmusM
New Member
October 30, 2018
Solved

SSL VPN 443 & VIP 443

Hello

Is it possible to have a VIP that redirects incoming WAN traffic on 443 to an internal server AND use 443 for SSL VPN traffic?

Right now we are using 10443, which works fine, but problems arise when our road warriors are behind external firewalls in hotels, on trains, etc. that block 10443. Almost every firewall allows 443, which is why we want the change.

I presented the idea of keeping SSL VPN on 10443 (more secure than 443) and creating an IPsec tunnel that users could attempt to use in case 10443 was blocked, but the idea was shut down because they probably block IPsec ports as well.

Anyone know a workaround?

    Best answer by Toshi_Esumi

    Not really. You need to have different public IPs for the web server(?) and SSL VPN server. 

    2 replies

    Toshi_Esumi
    SuperUser
    October 30, 2018

    Not really. You need to have different public IPs for the web server(?) and SSL VPN server. 

    RasmusM (Author)
    New Member
    October 31, 2018

    toshiesumi wrote:

    Not really. You need to have different public IPs for the web server(?) and SSL VPN server.

    We have available IPs, but the issue is that we are using one of the IPs in the scope on the WAN interface, so when I try to configure a new interface it conflicts because it is in the same subnet.

    Can I somehow make a VIP that forwards the VPN IP to the firewall itself for SSL VPN?

    tanr
    New Member
    November 1, 2018

    RasmusM wrote:

    We have available IPs, but the issue is that we are using one of the IPs in the scope on the WAN interface, so when I try to configure a new interface it conflicts because it is in the same subnet.

    Can I somehow make a VIP that forwards the VPN IP to the firewall itself for SSL VPN?

    A simpler solution may be to just specify Secondary IP Addresses for your WAN interface, so that you can use one of the secondary IP addresses for IPsec. Then you don't need the customized port, etc.

    Toshi_Esumi
    SuperUser
    October 31, 2018

    Depending on the subnet of the public IPs you have, and if you have control of the GW device, you might be able to split it and use the first one for the WAN interface & SSL VPN and the second one for the VIP, e.g. splitting a /29 into two /30s.

    The key is you have to be able to change the subnet mask and add a static route at the GW device.

    RasmusM (Author)
    New Member
    November 1, 2018

    I figured the issue out, thank you!

    We will just point our VPN DNS at one of the available IPs we have and redirect it to the main IP. Then we can use port 443, since it is different from the main IP.

    Now we just have to edit the customised port on every client with a .reg file or something.

    Solution:

    Firewall objects > Virtual IP > Create new
        external IP: one of your WAN IPs
        external port: 443
        mapped to: your primary WAN IP
        mapped to port: 443

    Then, create a policy:
        src IF: WAN
        src IP: all
        dst IF: WAN
        dst IP: your VIP
        service: all
        schedule: ...
        action: accept
        NAT: no
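    The same hairpin VIP and policy expressed in FortiOS CLI, as an added example rather than the poster's own configuration. The interface name wan1, the placeholder addresses 203.0.113.10 (primary WAN IP) and 203.0.113.11 (spare WAN IP) and the object names are assumptions; it also deviates from the post in one point: it maps the spare IP's 443 to the existing SSL VPN listener on 10443 instead of to 443, so that 443 on the primary IP stays free for the web-server VIP that started the thread.

```fortios
# SSL VPN keeps listening on 10443 (assumption: the current listener port).
# Clients still connect to <spare WAN IP>:443; the VIP below translates it.
config vpn ssl settings
    set port 10443
end

# Hairpin VIP: WAN traffic to the spare public IP on TCP/443 is DNATed to the
# FortiGate's own primary WAN IP on the SSL VPN port. Addresses are placeholders.
config firewall vip
    edit "VIP-SSLVPN-443"
        set extintf "wan1"
        set extip 203.0.113.11
        set mappedip "203.0.113.10"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 10443
    next
end

# WAN-to-WAN policy for the VIP, no source NAT, mirroring the post.
# Service is left at ALL as in the post: the port-forward VIP already limits
# what reaches this policy to TCP/443. Logging is enabled so VPN login attempts
# arriving through the VIP are visible in traffic logs.
config firewall policy
    edit 0
        set name "WAN-to-SSLVPN-VIP"
        set srcintf "wan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "VIP-SSLVPN-443"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end
```

    After applying it, verify from an outside host that the spare IP answers on 443 and that the primary IP's 443 is still only served by the web-server VIP; the SSL VPN client's custom port setting then changes to 443.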