CC_Mike
New Contributor II

Running a web server and VPN, both on the same port (443)

We have one static/fixed IP. We want to run both VPN and a local web server, both on port 443.

Is FortiGate able to determine which protocol is connecting on port 443 and then redirect accordingly?
(It looks like I can run VPN on port 443 and also access the configuration page via 443.)

If so, how would I configure this?

Thanks in advance
Michael

6 REPLIES
pminarik
Staff (accepted solution)

Hi Michael,

This isn't possible. You will only be able to use either SSL-VPN, or whatever else, on TCP/443. Even with the admin GUI (there's a CLI option that lets you choose which service takes precedence when both are enabled on the same interface+port).

[ corrections always welcome ]
CC_Mike
New Contributor II

Hi @pminarik

Thanks for your reply. Then I don't understand why I can access VPN and the admin interface from "outside" at the same time through the same port. FortiClient is configured to use myIP:443, and the admin interface is accessible via https://myIP:443. Can you explain why?

Thanks a lot

pminarik

We would need to see the configuration and some debugs, because what you're describing is not expected.

Here's the warning you will receive in CLI if you set the SSL-VPN port to be the same as the admin GUI port:

fgt (settings) # set port 443
Warning: SSL-VPN is using the same port number as administrative HTTPS GUI access.
If both are set to 443 and you have enabled port-precedence in the SSL-VPN settings, you may have issues connecting to the administrative HTTPS GUI access. To resolve this, you may change the administrative HTTPS GUI port or the SSL-VPN port.

[ corrections always welcome ]
CC_Mike
New Contributor II

Interesting... If you are interested in log files or access to them or our FortiGate, let me know.

[screenshot of the web UI]

The web UI does not complain...


For some reason this works without problems, and that's why I'm still wondering if I could send an HTTPS request to a server in the DMZ instead of the administrative GUI... even if it was not meant that way.

pminarik

Ignoring the admin vs SSL-VPN mystery (it's not the main question anyway), if you create and use a VIP on TCP/443 it will completely take over that port, that much I can guarantee. VIPs have absolute priority over local services.

[ corrections always welcome ]
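To make the two points in pminarik's replies concrete, here is the FortiOS CLI form of each: the CLI warning quoted above says that with SSL-VPN and the admin HTTPS GUI both on 443 and port-precedence enabled, the GUI becomes unreachable on that interface, so the GUI has to move to its own port; and a VIP on TCP/443 takes the whole port, so a DMZ web server on 443 means SSL-VPN must move instead. This is an added example, not configuration from the thread or from Fortinet documentation. The interface names "wan1" and "dmz", the public address 203.0.113.10, the DMZ host 192.168.10.20 and the ports 8443 and 10443 are assumed placeholders.

```fortios
# Added example, not from the thread. "wan1", "dmz", 203.0.113.10,
# 192.168.10.20 and ports 8443/10443 are assumed placeholders.

# --- Option A: SSL-VPN keeps TCP/443, admin GUI moves off it ---------
# With both services on 443 and port-precedence enabled, SSL-VPN takes
# the port and the GUI is unreachable on that interface (see the CLI
# warning above), so give the GUI a dedicated port instead.
config system global
    set admin-sport 8443
end
config vpn ssl settings
    set port 443
    set port-precedence enable
    set source-interface "wan1"
end

# --- Option B: the DMZ web server must answer on TCP/443 -------------
# A VIP on extport 443 takes over that port on wan1 entirely, so
# SSL-VPN cannot stay on 443 and is moved to 10443 here.
config vpn ssl settings
    set port 10443
end
config firewall vip
    edit "vip-dmz-web-443"
        set extintf "wan1"
        set extip 203.0.113.10
        set portforward enable
        set extport 443
        set mappedip "192.168.10.20"
        set mappedport 443
    next
end
config firewall policy
    edit 0
        set name "inbound-dmz-web"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-dmz-web-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Apply only one of the two options. Afterwards, `show vpn ssl settings` and `show full-configuration system global | grep admin-sport` confirm which port each service ended up on, and a TLS connection from outside to port 443 should reach only one thing: the SSL-VPN portal in Option A, or the DMZ web server in Option B. Whatever is moved off 443 (the admin GUI in A, SSL-VPN in B) must be reachable on its new port before the old one is closed, or you lock yourself out.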
CC_Mike
New Contributor II

OK, thank you very much.
