soma043
New Member
February 3, 2012
Question

SSL VPN on port 80

Can't I change the default 10443 port to 80? For whatever reason, when I change the setting, I get no response when I try to connect. There must be a way to SSL VPN to the box without having to specify the port in the URL?

    9 replies

    soma043 (Author)
    New Member
    February 3, 2012
    This is happening on two different boxes: 4.2.10 and 4.3.5
    soma043 (Author)
    New Member
    February 3, 2012
    Changed it to 443. Appears to be working. Although some of the older documentation says that is a bad idea, I don't find that same thing in the new documentation. Anyone know of any drawbacks to using this? Other than the security by obscurity part?
    rwpatterson
    New Member
    February 3, 2012
    A question. You have over 65000 ports. Why use a well known one? What if you want to add a secure web server down the road...
    soma043 (Author)
    New Member
    February 3, 2012
    Most of the end users aren't familiar with using ports. This reduces support calls. I understand the logic behind using another port, makes total sense to me. And it's just another layer of the defense in depth. But we have to pick our battles, and this just isn't one worth fighting.
    ede_pfau
    SuperUser
    February 4, 2012
    Of course there is an obvious drawback. If you use one of the standard ports 80 or 443 you lose the ability to remote-manage the Fortigate itself UNLESS you move the admin ports first. Second, as common web servers use these ports, common web server attacks almost exclusively attack only ports 80 and 443. You'll see that in the logs. I can't see the advantage for your users either. You've got to give them the exact URL anyway, in your current setup the 'https://...' or they won't find it. As users bookmark everything they won't bother memorizing the URL anyway. Just my 2 cents...
    Carl_Wallmark
    New Member
    February 4, 2012
    One advantage of common ports is that almost all hotels and airports or whatever allow port 80 and 443, and if you've got "road warriors" you would want them to connect from all places. One more thing, you don't need to change the port 10443, leave it alone, and do a VIP instead, WAN1 on port 443 -> WAN1 on port 10443 (and of course choose another IP than the interface IP).
    TopJimmy
    New Member
    May 4, 2012
    ORIGINAL: Selective: One more thing, you don't need to change the port 10443, leave it alone, and do a VIP instead, WAN1 on port 443 -> WAN1 on port 10443 (and of course choose another IP than the interface IP)
    Could you expand on that a bit? We are dealing with a US federal government agency and they need to VPN into us to retrieve data and are complaining about the 10443 requirement. The Fortinet documentation states:
    Do not select port number 443 for user access to the web portal login page. Port number 443 is reserved to support administrative connections to the FortiGate unit through the web-based manager.
    So I'm hesitant to move it to 443.
    rwpatterson
    New Member
    May 4, 2012
    If you disable HTTPS access to the GUI from the outside, then I see no problem. Some folks here only administer the FGT from a VPN tunnel, so that would work.
    emnoc
    New Member
    February 4, 2012
    Bingo on the above. One more thing to consider, depending on who and what your end-users are sitting on, content filters might flag https-like data on port 80 and block it. The pros and cons of where to place the SSLVPN function have to be looked at very closely. Fortinet should really think about an HTTP redirect to the secured port; that would allow you to manage on 443 (admin), run the SSLVPN on whatever port, and when the client connects to http://yoursslvpngw/ he or she is redirected to https://yourserver:newportnumber. Both Cisco and Juniper support this. The next best thing would be something similar to what FortiMail does: https://yourgateway/admin (for administration) vs https://yourgateway/ (for user mail access). So based on the URL, you get one or the other. Just my 2 cts opinion on the matter.
    ede_pfau
    SuperUser
    May 4, 2012
    ...or just move the HTTPS admin port to something else - I commonly do that just to avoid all the HTTPS attacks. And agreed, remote administration is best on the internal port + a dial-in IPsec VPN.
    veechee
    New Member
    May 4, 2012
    ORIGINAL: soma043: Can't I change the default 10443 port to 80? For whatever reason, when I change the setting, I get no response when I try to connect. There must be a way to SSL VPN to the box without having to specify the port in the URL?
    I second to please expand on this. I have all my FortiGate SSLVPN ports on 443, and I moved admin access to another port. Many of my users need to use SSLVPN at places where many ports may be blocked (hotels, airports, China), so having https:// occurring on the industry standard port maximizes compatibility. I get the odd log entry from port scanners hitting the port but I don't get any actual attempts to access the system by having it on 443. I get emailed immediately on failed logon attempts and I've received exactly zero emails in ~2 years that weren't from known users.
    TopJimmy
    New Member
    May 4, 2012
    I actually don't admin the firewalls from outside, so moving the admin port to something else besides 443 is no big deal to me. I guess I'll move forward with that plan.
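Added example, not posted by anyone in the thread: a FortiOS CLI sketch of the two plans discussed above (move the admin GUI off 443 and put SSL VPN on 443, or leave SSL VPN on 10443 and publish 443 through a VIP as Carl_Wallmark describes). The interface name "wan1", the addresses 203.0.113.10 (interface IP) and 203.0.113.11 (spare IP for the VIP), the admin ports 8443/8080 and the object names are assumptions for illustration; the exact keywords vary slightly between FortiOS releases, so check them against `show vpn ssl settings` and `show system global` on your own box.

```text
# Plan A: SSL VPN portal on 443, admin GUI moved elsewhere.
# Order matters: move the admin port first, otherwise 443 is still taken by
# the GUI and the SSL VPN port change gives "no response" as in the first post.
config system global
    set admin-sport 8443      # HTTPS admin (assumed value)
    set admin-port 8080       # HTTP admin (assumed value)
end

config vpn ssl settings
    set port 443
end

# Keep the admin GUI off the WAN entirely (rwpatterson / TopJimmy): allow only
# what you actually need on wan1 and manage from the inside or over a tunnel.
config system interface
    edit "wan1"
        set allowaccess ping
    next
end

# Plan B (Carl_Wallmark): leave SSL VPN on 10443 and the admin port untouched;
# publish 443 on a second WAN IP and port-forward it to 10443 on the interface IP.
config firewall vip
    edit "sslvpn-443"         # assumed object name
        set extintf "wan1"
        set extip 203.0.113.11     # spare IP, not the interface IP
        set mappedip 203.0.113.10  # wan1 interface IP (assumed)
        set portforward enable
        set extport 443
        set mappedport 10443
    next
end

# A policy must reference the VIP for the forward to take effect (assumed
# wan1-to-wan1 policy; verify on your release).
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "sslvpn-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```

After applying either plan, confirm from outside that https://your-address/ reaches the SSL VPN login page and that https://your-address:8443/ (the moved admin port) does not answer on the WAN; `diagnose sniffer packet wan1 'port 443' 4` shows whether the traffic is arriving and being answered. Newer FortiOS releases added `set https-redirect enable` under `config vpn ssl settings`, which is the port-80-to-SSL-VPN redirect emnoc asks for; check whether your release has it before relying on it.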