Tutorial: How to Isolate Access Server's Web Services

Abstract

This tutorial shows a narrow use case in which you isolate Access Server's web services so they are no longer accessible over the internet.

Overview

This tutorial shows you how to turn off access to the Admin and Client Web UIs.

Caution

If you turn off access to Access Server's web services, you won't be able to manage Access Server with the Admin Web UI anymore. You must rely on the command-line interface (CLI) to manage settings, users, certificates, and distributing connection profiles.

OpenVPN Connect may also require Access Server's web services to use the secure XML-RPC to make an SSL connection.

Prerequisites

An installed Access Server.

Step 1: Turn off access to web services

Sign in to the Admin Web UI.
Click Configuration > Network Settings.
Under Web Service forwarding settings, set the admin and client web servers to No.
Set the Admin Web UI Interface and IP Address to the localhost.
Click Save Settings and Update Running Server.

Note

After making this change and saving, you won't be able to access the Admin Web UI anymore.

Step 2: Set firewall ports for TCP and UDP

Now you can set your firewall to only allow ports TCP 443 and UDP 1194, the default OpenVPN daemons ports.

Access Server should still be able to make OpenVPN tunnel connections, but the web interfaces are not reachable.

Important

If you use server-locked profiles for any user accounts, they won't be able to connect anymore. You must use user-locked or auto-login profiles.

In this section: