Tutorial: Set the Interface and Ports for the Web Services
Access Server's web service and OpenVPN daemons listen on all interfaces. You can change this if needed.
Overview
When installing Access Server, the web services and OpenVPN daemons listen on all interfaces by default. You can change this in the Admin Web UI or the command-line interface (CLI), which are covered here.
These are Access Server's two web services:
Admin Web UI: The administrative web interface on port TCP 943/443.
Client Web UI: The end-user interface for the client program on port TCP 943/443.
The Client and Admin Web UIs are on the same port, with the Client Web UI at the root / URL and the Admin Web UI at the /admin URL.
By default, the OpenVPN TCP daemons are on port TCP 443, the standard HTTPS port for web services. We chose this port for the OpenVPN TCP daemons because it is likely that simpler firewalls allow this through, whereas UDP 1194 where the UDP daemons live, might be blocked. To allow an easier user experience, the OpenVPN TCP daemons can recognize web browser requests and internally forward these to where the Client and Admin Web UI services reside. We call this service forwarding. This allows access to web services through a URL like https://vpn.example.com/ without specifying the exact port.
If you turn off or change the service forwarding settings or alter the OpenVPN TCP daemon port, this automatic internal redirection of browser requests on port TCP 443 won’t work. If you stop the OpenVPN daemons, you won’t be able to access the web services on the default HTTPS port. In such a case, you must connect to the web services directly at their default port, TCP 943, in the web browser: https://your.vpnserver.com:943/.
An installed Access Server.
Access to the Admin Web UI or the console and get root privileges.
Sign in to the Admin Web UI.
Click Web Services.
Change the interface and port to your preference on the Admin Web Server tab.
Click Save and Restart.
Change the interface and port to your preference on the Client Web Server tab.
Note
If Use the same address and port as the admin web server is turned On, you must turn it to Off before you can change the interfaces or port.
Click Save and Restart.
Connect to the console and get root privileges.
Run the desired command for the settings you want to change:
Set the interface and port for the Admin Web UI:
sacli --key "admin_ui.https.ip_address" --value <INTERFACE> ConfigPut sacli --key "admin_ui.https.port" --value <PORT_NUMBER> ConfigPut sacli start
Set the interface and port for the Client Web UI:
sacli --key "cs.https.ip_address" --value <INTERFACE> ConfigPut sacli --key "cs.https.port" --value <PORT_NUMBER> ConfigPut sacli start
Restore the default settings:
./sacli --key "admin_ui.https.ip_address" --value "all" ConfigPut ./sacli --key "admin_ui.https.port" --value "943" ConfigPut ./sacli --key "cs.https.ip_address" --value "all" ConfigPut ./sacli --key "cs.https.port" --value "943" ConfigPut ./sacli start
For Access Server 3.0.0 and later: Starting with Access Server 3.0.0, the
ssl_apiinterface is no longer used. Cluster API communication now occurs over the same port as the web UIs (TCP 943). On new installations, TCP 945 is no longer opened. On upgraded systems, you may still see the legacyssl_apisettings present and TCP 945 listening, but they are no longer functional. You can safely disable them by stopping Access Server from listening on TCP 945:./sacli --key "ssl_api.enable" --value "false" ConfigPut ./sacli start
Tip
When you set the Admin and Client Web UIs on different interfaces or ports, the Admin Web UI moves to the root URL and no longer uses /admin in the URL. Adding /admin to the URL is only used when Access Server listens on the same interface and port as the Client Web UI.