The default protocol and port for Mobile VPN with SSL is TCP port 443. If you try to configure the Firebox to use a port and protocol that is already in use, you see an error message.
Common network configurations that require the use of TCP 443 include:
- The Firebox protects a web server that uses HTTPS.
- The Firebox protects a Microsoft Exchange server with Microsoft Outlook Web Access configured.
If you have an additional external IP address that is not already used for incoming TCP port 443 connections by another service, you can configure it as the primary IP address for Mobile VPN with SSL and keep the default port and protocol.
Mobile VPN with SSL traffic is always encrypted with SSL, even if you use a different port or protocol.
How to Choose a Different Port and Protocol
If you need to change the default port or protocol for Mobile VPN with SSL, we recommend that you choose a port and protocol that is not commonly blocked. Some additional considerations include:
Select a common port and protocol
Mobile VPN with IPSec uses specific ports and protocols (UDP 500 and UDP 4500 for IKE, IP protocol 50 for ESP) that are blocked by some public Internet connections. By default, Mobile VPN with SSL operates on the port and protocol used for encrypted website traffic (HTTPS, TCP 443) to avoid being blocked. This is one of the main advantages of SSL VPN over the other Mobile VPN options. If you must move off TCP 443, we recommend TCP port 53 or UDP port 53 (DNS) so that you keep this advantage.
These ports are allowed by almost all Internet connections. If the access site uses only packet filters, which check the protocol and port number, the SSL traffic should pass. If the access site uses application proxies (for example a transparent HTTP proxy on port 443 or a DNS interceptor on port 53), the SSL traffic is likely to be denied because it does not follow the standard HTTP or DNS protocol those proxies expect.
UDP versus TCP
Normally TCP works as well as UDP, but TCP can be significantly slower if the connection is already slow or unreliable. The extra latency comes from running TCP error recovery twice: once for the tunnel transport and again for the client's TCP sessions carried inside it (often called TCP-over-TCP). Because the majority of traffic that passes through a VPN tunnel is itself TCP, the retransmission and congestion control of the outer TCP connection is redundant. On a lossy link, a lost packet is retransmitted by the outer connection, and while the tunnel stalls the inner connections also time out and retransmit, so both layers back off and VPN traffic is sent more and more slowly. If this happens often enough, the user notices the poor performance.
UDP is a good choice if the majority of the traffic generated by your Mobile VPN with SSL clients is TCP-based. HTTP, HTTPS, SMTP, POP3 and the Microsoft Exchange protocols all use TCP by default. If the majority of the traffic generated by your clients is UDP, we recommend that you select TCP for the Mobile VPN with SSL protocol.
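As an added example (not part of the WatchGuard documentation), the following Python script applies the rules from the two sections above: it drops any candidate port and protocol already claimed by a service published on the external IP, keeps the default TCP 443 when it is free, and otherwise picks between TCP 53 and UDP 53 from a sample of client flows, choosing UDP when the clients mostly send TCP and TCP when they mostly send UDP. The flow-record format, the list of existing bindings and the byte counts are constructed for illustration; on a real deployment the existing bindings come from the Firebox policy list and the flows from your traffic logs.

```python
"""Choose a port and protocol for Mobile VPN with SSL.

Added example, not WatchGuard code. The candidate list follows the page's
recommendation (TCP 443 by default, otherwise TCP 53 or UDP 53). The
flow-record format and the sample data below are constructed for
illustration.
"""
from collections import Counter
from typing import Iterable, NamedTuple


class Binding(NamedTuple):
    proto: str  # "tcp" or "udp"
    port: int


# The default first, then the DNS fallbacks that public networks rarely block.
DEFAULT = Binding("tcp", 443)
CANDIDATES = [DEFAULT, Binding("tcp", 53), Binding("udp", 53)]

# Constructed: services already published through the primary external IP
# (an HTTPS web server and Outlook Web Access both need TCP 443). On a real
# Firebox this comes from the policy list, not from a hard-coded set.
EXISTING_BINDINGS = {Binding("tcp", 443), Binding("tcp", 80)}

# Constructed flow sample: "proto src dst bytes", one record per line.
SAMPLE_FLOWS = """\
# proto  src               dst                bytes
tcp      10.0.1.5:51002    192.0.2.10:443     18340
tcp      10.0.1.5:51003    192.0.2.11:993     2210
udp      10.0.1.7:45001    192.0.2.12:5060    880
tcp      10.0.1.7:51009    192.0.2.13:25      5100
udp      10.0.1.8:45010    192.0.2.14:3478    3200
tcp      10.0.1.8:51100    192.0.2.10:443     120044
"""


def free_candidates(existing, candidates=CANDIDATES):
    """Drop every candidate whose protocol/port pair is already in use.
    The Firebox rejects such a pair with an error, so filter it out first."""
    return [c for c in candidates if c not in existing]


def traffic_mix(flow_lines: Iterable[str]) -> Counter:
    """Sum bytes per transport protocol; blank lines and '#' comments are skipped."""
    mix: Counter = Counter()
    for line in flow_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, _src, _dst, nbytes = line.split()
        mix[proto.lower()] += int(nbytes)
    return mix


def preferred_transport(mix: Counter) -> str:
    """Mostly TCP inside the tunnel -> UDP outside, to avoid TCP-over-TCP.
    Mostly UDP inside -> TCP outside, as the page recommends."""
    return "udp" if mix.get("tcp", 0) >= mix.get("udp", 0) else "tcp"


def choose_binding(existing, flow_lines, candidates=CANDIDATES,
                   unreliable_links=False) -> Binding:
    """Keep the default when it is free and the links are healthy; otherwise
    pick the first free candidate whose transport matches the traffic mix."""
    free = free_candidates(existing, candidates)
    if not free:
        raise ValueError("every candidate port/protocol is already in use")
    if DEFAULT in free and not unreliable_links:
        return DEFAULT
    want = preferred_transport(traffic_mix(flow_lines))
    for candidate in free:
        if candidate.proto == want:
            return candidate
    return free[0]


if __name__ == "__main__":
    flows = SAMPLE_FLOWS.splitlines()
    print("traffic mix (bytes):", dict(traffic_mix(flows)))
    print("with TCP 443 taken by the web server:",
          choose_binding(EXISTING_BINDINGS, flows))
    print("with nothing else on the external IP:",
          choose_binding(set(), flows))
```

Run it as-is to see both cases; with the constructed data the web server occupies TCP 443 and the clients are TCP-heavy, so the script selects UDP 53. Pass `unreliable_links=True` for clients on poor connections to apply the UDP-over-TCP preference even when TCP 443 is free.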
Mobile VPN with SSL shares an OpenVPN server with Management Tunnel over SSL, BOVPN over TLS, and the Access Portal. If any of these features are enabled on your Firebox, Mobile VPN with SSL port settings are affected. For more information about port settings precedence, see Manually Configure the Firebox for Mobile VPN with SSL and SSL/TLS Settings Precedence and Inheritance.