Firewall Rules for SSL VPN

Our company infrastructure provision a SSL VPN gateway on the Internet DMZ which is behind a firewall. The VPN gateway basically receive inbound VPN connections to allow VPN client to access the internal resources.

We need to setup a firewall rules to allow incoming traffic to the TCP port 443 as follows:

Status    Action    Source ip     port     Destination          port
Active      Allow      Any                   Any      10.106.xx.xx        443

My question is do we need to setup a outgoing firewall rules as well to allow for such VPN client connection ?

Thank you for your kind advice in advance.

Regards
Patrick
patricktamAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Johnson, CD, MVPOwnerCommented:
Simple answer is yes both inbound and outbound.

the port requirements vary greatly by vpn and supporting infrastructure
http://blogs.technet.com/b/rrasblog/archive/2006/06/14/which-ports-to-unblock-for-vpn-traffic-to-pass-through.aspx

A better explanation : http://technet.microsoft.com/en-us/library/dd458955%28v=ws.10%29.aspx
0
kevinhsiehCommented:
Your firewall should be smart enough to allow the full TCP connection to the SSL VPN gateway located in your DMZ once you define the rule to allow TCP/443 traffic to it, so I don't think you need an outbound rule on the DMZ interface. The real question is where is the inside of the VPN appliance terminating? Many VPN appliances would have two interfaces, an outside or untrusted interface on the Internet (or DMZ), and an inside interface through which decrypted traffic flows through to the rest or your private network. VPN client traffic egressing the inside or trusted interface must be permitted by whatever firewalls and routers that are between the trusted interface of the VPN appliance and the rest of your network.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.