Skip to main content

Tutorial: Restrict Public Access to the Admin Web UI

Abstract

How to configure restrictions to the Access Server Admin Web UI to limit public access.

Overview

Some organizations must meet compliance requirements that restrict access to the Admin Web UI so it’s only reachable from VPN clients or from the internal network where Access Server is hosted.

This tutorial explains how to configure these restrictions for two common deployment scenarios:

  1. Access Server behind an external NAT device (for example, AWS).

  2. Access Server with a public IP attached directly to the VM interface.

Prerequisites

  • Access Server 3.x installed.

  • Admin Web UI access.

  • Access to your firewall, security group, or router configuration.

Option 1: Restrict Admin Web UI access for an Access Server using a private IP with the public IP attached to an external NAT device

Example Deployment: Access Server on AWS

Default behavior

  • Admin Web UI: TCP 943 and TCP 443

  • Client Web UI: TCP 943 and TCP 443

Configure restricted access

  1. Sign in to the Admin Web UI.

  2. Click Web Services.

    • The Admin Web Server tab displays.

  3. For TCP Port, set the port to 946 (or another unused port).

  4. Set Make the admin web server also reachable on OpenVPN TCP daemon port 443 to Off.

  5. Click Save and Restart.

    • The Admin Web UI now listens only on TCP port 946.

    • No web service forwarding exists from TCP 443 → 946 for the Admin Web UI.

    • The Client Web UI continues to listen on TCP 443 and TCP 943.

Update your firewall or security groups

  1. For AWS deployments, open the EC2 Security Group for your instance and remove any inbound rule allowing traffic to port 946.

  2. For on-prem deployments, update your firewall or router to block inbound traffic to TCP 946.

Option 2: Restrict Admin Web UI access for an Access Server using a public IP directly attached to the Linux (VM) interfaces

Example Deployment: Access Server on DigitalOcean with a Public IP attached to one of the VM's interfaces

Configure restricted access

  1. Sign in to the Admin Web UI.

  2. Click Web Services.

    • The Admin Web Server tab displays.

  3. For Make the admin web server available on selected interfaces, select an internal interface from the drop-down.

  4. For TCP Port, set the port to 946 (or another unused port).

  5. Click Save.

  6. Click the Client Web Server tab.

  7. Set Use the same address and port as the admin web server to Off.

  8. Click Save and Restart.

    • The Admin Web UI now listens on TCP port 946 only on the internal (private) interface.

    • No web service forwarding exists from TCP 443 → 946 for the Admin Web UI.

    • The Client Web UI continues to listen on TCP 443 and TCP 943 using the public interface.

In this section: