
Tutorial: How to Isolate Access Server's Web Services

Abstract

This tutorial demonstrates a narrow use case in which you isolate Access Server's web services, making them inaccessible over the internet.

Overview

This tutorial shows you how to turn off access to the Admin and Client Web UIs.

Caution

If you turn off access to Access Server's web services, you won't be able to manage Access Server with the Admin Web UI anymore. You must rely on the command-line interface (CLI) to manage settings, users, certificates, and distribute connection profiles.

OpenVPN Connect may also require Access Server's web services in order to use the secure XML-RPC protocol to establish an SSL connection.

Prerequisites

  • An installed Access Server.

  • Admin Web UI access.

  1. Sign in to the Admin Web UI.

  2. Click Web Services.

    • The Admin Web Server tab displays.

  3. Select the local host from the drop-down for Make the admin web server available on selected interfaces (for example, change the drop-down from "All interfaces" to "lo - 127.0.0.1/8").

  4. Turn Make the admin web server also reachable on OpenVPN TCP daemon port 443 to Off.

  5. Click Save.

  6. Click the Client Web Server tab.

  7. Turn Also make the client web server reachable on OpenVPN TCP daemon port 443 to Off.

  8. Click Save and Restart.

Note

After making this change and saving, you won't be able to access the Admin Web UI anymore.

Now you can set your firewall to allow only TCP port 443 and UDP port 1194, the default ports for the OpenVPN daemons.

Access Server should still be able to establish OpenVPN tunnel connections, but the web interfaces are unreachable.
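One way to confirm the result from the CLI, as an added example that is not part of the original tutorial: the function below reads `ss -H -tuln` output and prints every listener that is reachable off-host and is not one of the two OpenVPN daemon ports. The function name, the sample lines, and TCP 943 as the web services port are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Reads `ss -H -tuln` lines on stdin (both -t and -u are needed so
# that column 1 is the Netid) and prints every listener that is bound to a
# non-loopback address and is not on the allow-list.
# $1: space-separated allow-list of proto/port pairs (default: the tutorial's ports).
exposed_listeners() {
    awk -v allow="${1:-tcp/443 udp/1194}" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF < 5 { next }                      # skip blank or short lines
        {
            proto = $1; sock = $5            # Netid and Local Address:Port
            port = sock; sub(/^.*:/, "", port)
            addr = substr(sock, 1, length(sock) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            if ((proto "/" port) in ok) next               # expected VPN port
            print proto "/" port " on " addr
        }'
}

# Constructed sample: web services still bound to all interfaces.
# TCP 943 as the web services port is an assumption; the tutorial does not name it.
sample_before() {
    cat <<'EOF'
udp   UNCONN 0      0        0.0.0.0:1194     0.0.0.0:*
tcp   LISTEN 0      128      0.0.0.0:443      0.0.0.0:*
tcp   LISTEN 0      128      0.0.0.0:943      0.0.0.0:*
EOF
}

# Constructed sample: after selecting "lo - 127.0.0.1/8" and restarting.
sample_after() {
    cat <<'EOF'
udp   UNCONN 0      0        0.0.0.0:1194     0.0.0.0:*
tcp   LISTEN 0      128      0.0.0.0:443      0.0.0.0:*
tcp   LISTEN 0      128      127.0.0.1:943    0.0.0.0:*
EOF
}

echo "before isolation:"; sample_before | exposed_listeners
echo "after isolation:";  sample_after  | exposed_listeners
# On a live host: ss -H -tuln | exposed_listeners "tcp/443 udp/1194"
```

Empty output on a live host means nothing beyond the allow-list is listening on a non-loopback address; add any management port you deliberately keep open to the allow-list argument.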

Important

If you use server-locked profiles for any user accounts, they won't be able to connect anymore. You must use user-locked or auto-login profiles.