Choose the Port and Protocol for Mobile VPN with SSL

Applies To: Locally-managed Fireboxes

The default protocol and port for Mobile VPN with SSL is TCP port 443, which is usually open on most networks. If you try to configure the Firebox to use a port and protocol that is already in use, you see an error message.

Common network configurations that require TCP 443 include:

  • The Firebox protects a web server that uses HTTPS.
  • The Firebox protects a Microsoft Exchange server with Outlook on the web (Microsoft Outlook Web Access) configured.

If you have an additional external IP address that does not accept incoming TCP port 443 connections, you can configure it as the primary IP address for Mobile VPN with SSL.

Mobile VPN with SSL traffic is always encrypted with SSL, even if you use a different port or protocol.

How to Choose a Different Port and Protocol

If you need to change the default port or protocol for Mobile VPN with SSL, we recommend that you choose a port and protocol that is not commonly blocked. Some additional considerations include:

Select a common port and protocol

Other mobile VPN types on the Firebox use specific ports and protocols that are blocked by some public Internet connections. By default, Mobile VPN with SSL operates on the port and protocol used for encrypted website traffic (HTTPS) to avoid being blocked.

Another advantage of SSL VPN over other mobile VPN types is that you can change both the port and the protocol (UDP or TCP). If users cannot connect to the Firebox over TCP 443, one possible solution is to change the port or protocol. For example, change the port and protocol to UDP 53 or UDP 1194 and determine whether users can connect.

If the network the user connects from (the access site) uses packet filters, the SSL VPN traffic should pass. If the access site uses proxies, the SSL VPN traffic is likely to be denied because it does not follow the standard HTTP or DNS protocols that the proxy expects on those ports.

If Mobile VPN with SSL on the Firebox is configured to use a port other than the default port 443, in the Mobile VPN with SSL client Server text box, you must type the IP address or FQDN followed by a colon and the port number. For example, if Mobile VPN with SSL is configured to use port 444, and the primary external IP address is 203.0.113.2, the Server address is 203.0.113.2:444.
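As an added example (not WatchGuard code), this Python helper models the two rules described above: the Firebox rejects a port and protocol that is already in use on the external IP, and the client Server value is the host alone for port 443 or host:port for any other port. The in-use listener list and the host names are assumed inputs.

```python
"""Plan a Mobile VPN with SSL listener and the matching client Server value.

Added example, not part of the Firebox or WatchGuard client software.
Assumes in-use listeners are supplied as (protocol, port) pairs collected
from the policies on the primary external IP address.
"""
from typing import Iterable, Optional, Tuple

DEFAULT_PORT = 443
# Alternatives the article suggests when TCP 443 is in use or blocked.
SUGGESTED_ALTERNATIVES = [("UDP", 53), ("UDP", 1194)]


def choose_listener(in_use: Iterable[Tuple[str, int]],
                    preferred: Tuple[str, int] = ("TCP", DEFAULT_PORT),
                    alternatives=SUGGESTED_ALTERNATIVES) -> Optional[Tuple[str, int]]:
    """Return the first (protocol, port) not already taken on the external IP.

    Mirrors the Firebox check that refuses a port/protocol already in use;
    None means every candidate conflicts and an additional external IP is needed.
    """
    taken = {(proto.upper(), int(port)) for proto, port in in_use}
    for proto, port in [preferred, *alternatives]:
        if (proto.upper(), int(port)) not in taken:
            return proto.upper(), int(port)
    return None


def client_server_value(host: str, port: int) -> str:
    """Value to type in the client Server box: host for 443, host:port otherwise."""
    return host if port == DEFAULT_PORT else f"{host}:{port}"


def parse_server_value(value: str) -> Tuple[str, int]:
    """Parse 'host' or 'host:port' as entered in the client; port defaults to 443."""
    host, sep, port = value.strip().rpartition(":")
    if not sep:
        return value.strip(), DEFAULT_PORT
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port in Server value: {value!r}")
    return host, int(port)


if __name__ == "__main__":
    # Constructed scenario: an HTTPS web server already published on TCP 443.
    listener = choose_listener([("TCP", 443)])
    print(listener, client_server_value("203.0.113.2", listener[1]))
```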

UDP versus TCP

Normally TCP works as well as UDP, but TCP can be significantly slower if the connection is already slow or unreliable. The additional latency is caused by error checking that is part of the TCP protocol. Because the majority of traffic that passes through a VPN tunnel uses TCP, the addition of TCP error checking to the VPN connection is redundant. With slow and unreliable connections, TCP error checking timeouts cause VPN traffic to be sent more and more slowly. If this happens enough times, users might notice the poor connection performance.

UDP is a good choice if the majority of the traffic generated by your Mobile VPN with SSL clients is TCP-based. The HTTP, HTTPS, SMTP, POP3 and Microsoft Exchange protocols all use TCP by default. If the majority of the traffic generated by your Mobile VPN with SSL clients is UDP, we recommend that you select TCP as the protocol for the Mobile VPN with SSL.

Mobile VPN with SSL shares an OpenVPN server with Management Tunnel over SSL, BOVPN over TLS, and the Access Portal. If any of these features are enabled on your Firebox, Mobile VPN with SSL port settings are affected. For more information about port settings precedence, go to Manually Configure the Firebox for Mobile VPN with SSL and SSL/TLS Settings Precedence and Inheritance.

Related Topics

About Mobile VPN with SSL

Troubleshoot Mobile VPN with SSL

SSL/TLS Settings Precedence and Inheritance