We have one static/fixed IP. We want to run both VPN and a local web server, both on port 443.
Is FortiGate able to determine which protocol is connecting on port 443 and then redirect accordingly?
(It looks like I can run VPN on port 443 and also access the configuration page via 443).
If so, how would I configure this?
Thanks in advance
Michael
Hi Michael,
This isn't possible. You will only be able to use either SSL-VPN, or whatever else, on TCP/443. Even with the admin GUI (there's a CLI option that lets you choose which service takes precedence when both are enabled on the same interface+port).
Hi @pminarik
Thanks for your reply. Then I don't understand why I can access VPN and the admin interface from "outside" at the same time through the same port. FortiClient is configured to use myIP:443. And the admin interface is accessible via https://myIP:443. Can you explain why?
Thanks a lot
We would need to see the configuration and some debugs, because what you're describing is not expected.
Here's the warning you will receive in CLI if you set the SSL-VPN port to be the same as the admin GUI port:
fgt (settings) # set port 443
Warning: SSL-VPN is using the same port number as administrative HTTPS GUI access.
If both are set to 443 and you have enabled port-precedence in the SSL-VPN settings, you may have issues connecting to the administrative HTTPS GUI access. To resolve this, you may change the administrative HTTPS GUI port or the SSL-VPN port.
Interesting... If you are interested in log files or access to them or our FortiGate, let me know.
The web UI does not complain...
For some reason this works without problems, and that's why I'm still wondering if I could send an https request to a server in the DMZ instead of the administrative GUI.... even if it was not meant that way.
Ignoring the admin vs SSL-VPN mystery (it's not the main question anyway), if you create and use a VIP on TCP/443 it will completely take over that port, that much I can guarantee. VIPs have absolute priority over local services.
OK, thank you very much.
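The layout the VIP reply above leads to, as an added FortiOS CLI example that is not part of the original thread: because a VIP on TCP/443 takes over the port, SSL-VPN and the admin GUI are moved to other ports and 443 is forwarded to the DMZ web server. The interface names (wan1, dmz), the addresses (203.0.113.10, 10.10.10.20), the alternate ports (8443, 10443) and the object names are constructed placeholders.

```text
# Added example; all names, addresses and ports below are placeholders.

# Move the admin HTTPS GUI off 443
config system global
    set admin-sport 8443
end

# Move SSL-VPN off 443 (FortiClient must then connect to myIP:10443)
config vpn ssl settings
    set port 10443
end

# VIP: public IP, TCP/443 -> web server in the DMZ, TCP/443
config firewall vip
    edit "dmz-web-443"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.10.10.20"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# Policy that permits inbound traffic to the VIP
config firewall policy
    edit 0
        set name "wan-to-dmz-web"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "dmz-web-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```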