SSL VPN 443 & VIP 443
Hello
Is it possible to have a VIP that redirects incoming WAN traffic on 443 to an internal server AND use 443 for SSL VPN traffic?
Right now we are using 10443, which works fine, but problems arise when our road warriors are behind external firewalls, e.g. in hotels or on trains, that block 10443. Almost every firewall allows 443, which is why we want the change.
I presented the idea to maintain SSL 10443 (more secure than 443) and create an IPsec tunnel that users could attempt to use in case 10443 was blocked, but the idea was shut down because they probably block IPsec ports as well.
Anyone know a workaround?
Not really. You need to have different public IPs for the web server(?) and SSL VPN server.
toshiesumi wrote: Not really. You need to have different public IPs for the web server(?) and SSL VPN server.
We have available IPs, but the issue is we are using one of the IPs in the scope on the WAN interface so when I try to configure a new interface, it conflicts because it is in the same subnet.
Can I somehow make a VIP that forwards the VPN IP to the firewall itself for SSL VPN?
RasmusM wrote:
We have available IPs, but the issue is we are using one of the IPs in the scope on the WAN interface so when I try to configure a new interface, it conflicts because it is in the same subnet.
Can I somehow make a VIP that forwards the VPN IP to the firewall itself for SSL VPN?
A simpler solution may be to just specify Secondary IP Addresses for your wan interface, that you can use for IPSec with one of the secondary IP addresses. Then you don't need to do the customized port, etc.
The problem with the idea is the secondary IP on the interface needs to be outside of the primary IP's subnet.
I thought the OP said it was actually in the same subnet?
RasmusM wrote "we are using one of the IPs in the scope on the WAN interface" so I assumed all public IPs were in one subnet.
Yes, I assume they are in one subnet, but it's valid to add IPs in the same subnet to the same wan interface as Secondary IP Addresses. That's actually how I have our primary IPSec VPN set up, using one of our additional public IPs.
I think RasmusM was trying to use one of the public IPs they had in the same subnet as the primary wan interface IP, but got the error when trying to create a *new* sub-interface to the wan interface using that IP. I was pointing out that they don't need to create a new interface and can just add the secondary IP to the existing interface.
I've learned something new today. Most routers don't allow it so I've been assuming the same with FGT. I tested it and both IPs in the same subnet are pingable.
Rare occurrence that I knew something before you, Toshi!
