Possible to change ports used by Always On VPN to ports that aren't as commonly blocked?

I just implemented Microsoft Always On VPN within my Server 2016 network.

However, I am finding that I am not able to connect to this VPN from many places including public guest Wi-Fi networks. When trying to connect I get an error message saying that "The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g. firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem."

So far I have only been able to successfully connect to this Always On VPN network in around 15% of the places where I have tried connecting. Whenever I am unable to connect I receive the error message mentioned above and shown in the screenshot. Otherwise, everything works great as long as I am able to successfully connect.

So is it possible to change the ports that Direct Access VPN is using to more commonly used ports (such as 80 and 443) that won't be blocked, and then use NAT or some other technique if necessary to convert these ports back to their original port numbers? The firewall that is being used in this network is a SonicWALL TZ600.

[Screenshot: Always on VPN error]
Asked by: IT Guy, Network Engineer

Rob Williams commented:
I am not familiar with the always on VPN, but it is not possible to change the ports for PPTP, L2TP, and IPSec VPNs. It is a common question. If SSTP it should use 443.

However I doubt the issue is the ports as much as multiple NAT connections, dual encryption with wi-fi, poor performance, or one thing to check... what subnet does the 2016 server use? If a common one like 192.168.0.x or 192.168.1.x it can be a subnet conflict. Hotels and homes use those a lot. All subnets in the path between client and server must be different for routing to take place.

Michael B. Smith, Exchange & Active Directory Expert, commented:
Is this a duplicate question?

Are you using an Always On VPN or are you using DirectAccess? It makes a difference.

Regardless, DA intelligently fails over to port 443 tunneling (if so configured with IP/HTTPS). AOVPN does not, ttbomk. You can't change the ports.

Qlemo, Batchelor, Developer and EE Topic Advisor, commented:
There is some probability that certain ISPs indeed block VPN ports, at least that has been common practice in the past. But I cannot tell if blocking ports is the issue here.

IT Guy, Network Engineer (author), commented:
No, this isn't a duplicate question.

I had mistakenly posted this question about the Direct Access VPN when it should have been posted about Always On VPN so that is why I closed the other question and reposted this question correctly.

The IP subnet currently being used by this network is 10.99.199.x/24 (which isn't very common at all. So far I haven't found any other networks using this same IP subnet addressing scheme).

I want to continue to use Always On VPN and don't want to switch to another type of VPN. The reason I am interested in changing which ports Always On VPN uses is because so far I have only been able to successfully connect to this Always On VPN network in around 15% of the places where I have tried connecting. Whenever I am unable to connect I receive the error message mentioned above and shown in the screenshot. Otherwise, everything works great as long as I am able to successfully connect.
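The subnet-conflict check raised earlier in the thread, applied to the 10.99.199.0/24 subnet reported above, as an added example that is not part of any participant's post. The function names and the sample client networks are constructed for illustration, and the verdicts assume ordinary longest-prefix route selection on the client.

```python
import ipaddress

VPN_SUBNET = "10.99.199.0/24"  # server-side subnet stated in the thread

# Constructed sample client networks: (label, local CIDR, default gateway)
SAMPLE_SITES = [
    ("hotel Wi-Fi", "192.168.1.0/24", "192.168.1.1"),
    ("home router", "10.99.199.0/24", "10.99.199.1"),
    ("guest Wi-Fi", "10.0.0.0/8", "10.0.0.1"),
    ("campus LAN", "10.99.0.0/16", "10.99.199.254"),
    ("carrier NAT", "100.64.0.0/10", "100.64.0.1"),
]


def classify(local_cidr, gateway, vpn_cidr=VPN_SUBNET):
    """Return 'ok', 'review' or 'conflict' for one client-side network."""
    local = ipaddress.ip_network(local_cidr, strict=False)
    vpn = ipaddress.ip_network(vpn_cidr, strict=False)
    if not local.overlaps(vpn):
        return "ok"
    # Local prefix is the same as, or sits inside, the VPN prefix: the
    # on-link route is at least as specific, so VPN-side hosts in that
    # range are shadowed by the local network.
    if local.subnet_of(vpn):
        return "conflict"
    # Local prefix is broader. The narrower VPN route wins for the VPN
    # range, which breaks the client if its own gateway lives in that range.
    if ipaddress.ip_address(gateway) in vpn:
        return "conflict"
    return "review"


def audit(sites=SAMPLE_SITES, vpn_cidr=VPN_SUBNET):
    """Map each site label to its verdict."""
    return {label: classify(cidr, gw, vpn_cidr) for label, cidr, gw in sites}


if __name__ == "__main__":
    for label, verdict in audit().items():
        print(f"{label:12} {verdict}")
```

A "review" verdict means the ranges overlap without an exact clash, so an uncommon /24 can still collide with a guest network that hands out addresses from a wider 10.x block.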

Rob Williams commented:
As we have stated, you cannot change the ports.  
As mentioned, though VPN traffic can be blocked by ISPs it is not common with commercial accounts.  It can also be due to multiple NAT connections, dual encryption with wi-fi, or poor performance.

Giovanni Heward commented:
Would you consider another solution? OpenVPN can operate on port 443/TCP and use AD for authentication. I think you'll find many more hospitable networks than going with IKE (UDP ports 500 and 4500).

Michael B. Smith, Exchange & Active Directory Expert, commented:
Paragraph 4 still begins "So is it possible to change the ports that Direct Access VPN..." - so my question was valid.

AOVPN can't do what you want. DirectAccess can.

Some third party VPN solutions also provide the device-level VPN (Cisco and Palo Alto come to mind), but most don't. But I don't know if those can do so via HTTPS.

J Spoor, TME, commented:
IPSec VPN is often blocked, e.g. in hotels and such.

I strongly advise moving to an SSL VPN solution instead. This uses standard port 443 (HTTPS) and works from anywhere.
There are also solutions (e.g. SonicWall) that have the same always on functionality.