Firewall Rules for SSL VPN

Posted on 2014-08-06
Last Modified: 2014-08-17
Our company infrastructure provisions an SSL VPN gateway on the Internet DMZ, which is behind a firewall. The VPN gateway basically receives inbound VPN connections to allow VPN clients to access the internal resources.

We need to set up a firewall rule to allow incoming traffic to TCP port 443 as follows:

Status    Action    Source IP    Source port    Destination     Destination port
Active    Allow     Any          Any            10.106.xx.xx    443

My question is: do we need to set up an outgoing firewall rule as well to allow such VPN client connections?

Thank you for your kind advice in advance.

Question by: patricktam

    LVL 77

    Expert Comment

    by: David Johnson, CD, MVP
    Simple answer is yes, both inbound and outbound.

    The port requirements vary greatly by VPN and supporting infrastructure.

    A better explanation:
    LVL 41

    Accepted Solution

    Your firewall should be smart enough to allow the full TCP connection to the SSL VPN gateway located in your DMZ once you define the rule to allow TCP/443 traffic to it, so I don't think you need an outbound rule on the DMZ interface. The real question is where is the inside of the VPN appliance terminating? Many VPN appliances would have two interfaces, an outside or untrusted interface on the Internet (or DMZ), and an inside interface through which decrypted traffic flows to the rest of your private network. VPN client traffic egressing the inside or trusted interface must be permitted by whatever firewalls and routers are between the trusted interface of the VPN appliance and the rest of your network.
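A small stateful-inspection model of the reasoning in the accepted solution, as an added example that is not part of the original thread. It runs the asker's single rule (Allow Any to gateway:443) through a toy connection-tracking evaluator and then adds a second rule for the appliance's inside interface. Everything in it is constructed: 10.106.1.10 stands in for the asker's 10.106.xx.xx gateway, 172.16.10.0/24 is an assumed VPN client address pool behind the inside interface, 192.168.1.0/24 is an assumed internal LAN, and the SMB/445 inside rule is an assumption about what VPN users need to reach.

```python
"""Stateful-inspection walk-through for the SSL VPN firewall question.

Added example, not from the original thread. Models a tiny connection-
tracking firewall: replies to a permitted flow pass on state alone, so the
DMZ gateway's answers to Internet clients need no outbound rule, while
decrypted traffic leaving the appliance's inside interface still needs an
explicit rule of its own. All addresses and zones are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """Allow rule; a None field means 'any'."""
    src_zone: Optional[str] = None
    dst_zone: Optional[str] = None
    dst_host: Optional[str] = None
    dport: Optional[int] = None


def zone_of(ip: str) -> str:
    """Map an address to a firewall zone (constructed addressing plan)."""
    if ip.startswith("10.106."):
        return "dmz"          # VPN gateway's outside interface (asker's 10.106.xx.xx)
    if ip.startswith("172.16.10."):
        return "vpn_inside"   # assumed client pool: decrypted traffic from the inside interface
    if ip.startswith("192.168.1."):
        return "lan"          # assumed internal LAN
    return "internet"


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.conntrack = set()   # 4-tuples (src, sport, dst, dport) already permitted

    def _matches(self, rule: Rule, pkt: Packet) -> bool:
        return ((rule.src_zone is None or zone_of(pkt.src) == rule.src_zone)
                and (rule.dst_zone is None or zone_of(pkt.dst) == rule.dst_zone)
                and (rule.dst_host is None or pkt.dst == rule.dst_host)
                and (rule.dport is None or pkt.dport == rule.dport))

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packets belonging to a tracked flow pass without a rule of their own:
        # this is why the gateway's SYN-ACK and TLS records need no outbound DMZ rule.
        if flow in self.conntrack or reply in self.conntrack:
            return ("ALLOW", "established")
        # A new flow must match an explicit rule in the initiator's direction.
        for i, rule in enumerate(self.rules):
            if self._matches(rule, pkt):
                self.conntrack.add(flow)
                return ("ALLOW", f"rule {i}")
        return ("DENY", "default")


GATEWAY_RULE = Rule(dst_host="10.106.1.10", dport=443)              # the asker's single rule
INSIDE_RULE = Rule(src_zone="vpn_inside", dst_zone="lan", dport=445)  # assumed: VPN users -> LAN file shares


def run_scenario(rules) -> dict:
    """Replay the five packets that matter for the question and return each verdict."""
    fw = StatefulFirewall(rules)
    return {
        # 1. Internet client opens the TLS tunnel to the gateway.
        "client_syn": fw.evaluate(Packet("203.0.113.7", 51000, "10.106.1.10", 443)),
        # 2. Gateway answers; there is no outbound rule, state carries the reply.
        "gateway_reply": fw.evaluate(Packet("10.106.1.10", 443, "203.0.113.7", 51000)),
        # 3. Gateway itself dials out to the Internet: neither state nor rule covers it.
        "gateway_dial_out": fw.evaluate(Packet("10.106.1.10", 40000, "198.51.100.9", 80)),
        # 4. Decrypted VPN client traffic crosses from the inside interface to the LAN.
        "vpn_client_to_lan": fw.evaluate(Packet("172.16.10.5", 52000, "192.168.1.20", 445)),
        # 5. The LAN host's reply to that client.
        "lan_reply": fw.evaluate(Packet("192.168.1.20", 445, "172.16.10.5", 52000)),
    }


if __name__ == "__main__":
    print("Asker's rule only:")
    for name, verdict in run_scenario([GATEWAY_RULE]).items():
        print(f"  {name:18} {verdict}")
    print("With an inside-interface rule added:")
    for name, verdict in run_scenario([GATEWAY_RULE, INSIDE_RULE]).items():
        print(f"  {name:18} {verdict}")
```

With only the asker's rule, the client's SYN and the gateway's reply are both allowed (the second purely on connection state), while the decrypted client traffic toward the LAN is denied until the inside-interface rule exists. Case 3 shows the flip side of David Johnson's point: anything the appliance initiates on its own (updates, authentication back-ends, logging) is not covered by state from inbound sessions and needs its own outbound rule if it is required.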
