Tutorial: Restrict Public Access to the Admin Web UI
How to configure restrictions to the Access Server Admin Web UI to limit public access.
Overview
Some organizations need to restrict access to the Admin Web UI so it’s only reachable from VPN clients or from the internal network where Access Server is hosted.
This tutorial shows how to configure these restrictions for two common deployment scenarios:
Access Server behind an external NAT device (for example, AWS).
Access Server with a public IP attached directly to the VM interface.
Prerequisites
Access Server 3.x installed.
Admin Web UI access.
Root access to the server (for CLI steps).
Access to your firewall, security group, or router configuration.
Default behavior
Admin Web UI: TCP 943 and TCP 443
Client Web UI: TCP 943 and TCP 443
Configure restricted access using the Admin Web UI
Sign in to the Admin Web UI.
Click Web Services.
The Admin Web Server tab displays.
Set TCP Port to 946 (or another unused port).
Set Make the admin web server also reachable on OpenVPN TCP daemon port 443 to Off.
Click Save and Restart.
The Admin Web UI now listens only on TCP port 946.
No web service forwarding exists from TCP 443 → 946 for the Admin Web UI.
The Client Web UI continues to listen on TCP 443 and TCP 943.
Configure restricted access using the CLI
Connect to the console and get root privileges.
Run:
sudo sacli --key "admin_ui.https.port" --value '946' ConfigPut
sudo sacli --key "vpn.server.port_share.service" --value 'client' ConfigPut
sudo sacli start
The Admin Web UI now listens only on TCP port 946.
No web service forwarding exists from TCP 443 → 946 for the Admin Web UI.
The Client Web UI continues to listen on TCP 443 and TCP 943.
Update your firewall or security groups
You still need to block public access to the Admin Web UI port.
AWS: Remove any inbound rule allowing traffic to port 946.
On-prem: Block inbound traffic to TCP 946 on your firewall or router.
Important
When updating your firewall or security group, the Admin Web UI may still be reachable from the internet.
Example Deployment: Access Server on DigitalOcean with a Public IP attached to one of the VM's network interfaces.
Configure restricted access using the Admin Web UI
Sign in to the Admin Web UI.
Click Web Services.
The Admin Web Server tab displays.
For Make the admin web server available on selected interfaces, select an internal interface.
Set TCP Port to 946 (or another unused port).
Click Save.
Click the Client Web Server tab.
Set Use the same address and port as the admin web server to Off.
Click Save and Restart.
The Admin Web UI now listens on TCP port 946 only on the internal (private) interface.
No web service forwarding exists from TCP 443 → 946 for the Admin Web UI.
The Client Web UI continues to listen on TCP 443 and TCP 943 using the public interface.
Configure restricted access using the CLI
Connect to the console and get root privileges.
Run:
sudo sacli --key "admin_ui.https.ip_address" --value '<INTERNAL_INTERFACE>' ConfigPut
sudo sacli --key "admin_ui.https.port" --value '946' ConfigPut
sudo sacli --key "vpn.server.port_share.service" --value 'client' ConfigPut
sudo sacli start
Replace <INTERNAL_INTERFACE> with the internal interface name or IP address.
The Admin Web UI now listens on TCP port 946 only on the internal (private) interface.
No web service forwarding exists from TCP 443 → 946 for the Admin Web UI.
The Client Web UI continues to listen on TCP 443 and TCP 943 using the public interface.
Update your firewall or network configuration
Even with interface binding, you should still restrict access at the network level.
Block access to TCP 946.
Allow access only from trusted internal networks or VPN clients.
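To confirm the interface binding from the public-IP scenario took effect, the listener table can be checked on the server. This is an added example, not part of the Access Server documentation: the function name check_admin_bind, the address 10.0.0.5 and the sample listener lines are assumptions constructed for illustration. In the NAT scenario the Admin Web UI is not bound to one interface, so a wildcard listener is expected there and the firewall rule does the restricting.

```shell
#!/bin/sh
# Added example (not from the Access Server docs): verify the admin-port bind.
# Usage on the server: ss -H -ltn | check_admin_bind 946 <internal IP>

# check_admin_bind PORT INTERNAL_IP   (reads `ss -H -ltn` lines on stdin)
# Prints "ok ADDR:PORT" or "exposed ADDR:PORT" for each listener on PORT.
# Returns 0 if every listener on PORT is bound to INTERNAL_IP,
#         1 if any listener uses a wildcard or another address,
#         2 if nothing listens on PORT at all.
check_admin_bind() {
  awk -v port="$1" -v ip="$2" '
    $1 == "LISTEN" {
      laddr = $4                      # e.g. 10.0.0.5:946, 0.0.0.0:946, [::]:946
      n = split(laddr, parts, ":")
      p = parts[n]                    # port is the text after the last colon
      if (p != port) next
      addr = substr(laddr, 1, length(laddr) - length(p) - 1)
      sub(/%.*$/, "", addr)           # drop a %device suffix if ss shows one
      seen = 1
      if (addr == ip) { printf "ok %s\n", laddr }
      else            { printf "exposed %s\n", laddr; bad = 1 }
    }
    END { if (!seen) exit 2; exit (bad ? 1 : 0) }
  '
}

# Constructed sample: admin UI bound to the internal address only.
SAMPLE_BOUND='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 10.0.0.5:946 0.0.0.0:*
LISTEN 0 5 203.0.113.10:943 0.0.0.0:*
LISTEN 0 32 203.0.113.10:443 0.0.0.0:*'

# Constructed sample: admin UI still listening on every interface.
SAMPLE_WILDCARD='LISTEN 0 5 0.0.0.0:946 0.0.0.0:*
LISTEN 0 5 [::]:946 [::]:*'

printf '%s\n' "$SAMPLE_BOUND"    | check_admin_bind 946 10.0.0.5 || echo "status $?"
printf '%s\n' "$SAMPLE_WILDCARD" | check_admin_bind 946 10.0.0.5 || echo "status $?"
```

A passing local check only shows where the service is bound; reachability from the internet still depends on the firewall or security group rule for TCP 946.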