DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2930 - Allow management from the Internet - Can't Disable!

07 Feb 2010 18:17 #60402 by garethrees
Hello,

I've just set up a new 2930 and configured it so that 'Allow management from the Internet' is disabled; however, when I port scan from outside (via the internet), port 443 is open and available to log in to the admin interface.

Has anyone else experienced the same problem?

07 Feb 2010 21:47 #60407 by voodle
That's the SSL VPN port. If you've got the latest firmware, you can change that under SSL VPN and General Setup.

07 Feb 2010 22:15 #60408 by garethrees

Voodle wrote: That's the SSL VPN port. If you've got the latest firmware, you can change that under SSL VPN and General Setup.

Thanks for the reply. Does the SSL VPN port usually show the normal login page when you https:// to it?

07 Feb 2010 22:28 #60409 by voodle
It does, yes, but you shouldn't be able to log in for remote management when you do that, only with a username / password set up for a dial-in user with SSL VPN enabled.

08 Feb 2010 07:11 #60413 by garethrees
Thanks again, this is interesting. I've tried logging in on the external IP https://x.x.x.x/ and I get a webpage, weblogin.htm, which allows me to log in as admin and change the firewall settings; however, the VPN user/password does not.

I then changed the SSL VPN General Setup port from 443 to 444 and tried to https://x.x.x.x:444/ and it times out, probably because Web VPN is not enabled.

Will investigate more and post results.

08 Feb 2010 13:53 #60420 by garethrees
Doing a little more testing from outside the firewall, it seems that even with the following settings you CAN manage the firewall from the internet.

If you https:// then you get access to the Web Login page for managing the firewall. (The same one you get internally)

If I change the WEB VPN to 444 then the Admin login times out but is not available on port 444 ??? I would have expected the page to move to 444.

I think I will raise a bug against this with Draytek.

As a security workaround I've set a port forward 443 to a dummy location, so that you cannot access the Web Based Management from the internet.

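The check described in this thread can be repeated after every configuration or firmware change. The script below is an added example, not part of the original posts and not DrayTek code: run from a host outside your own network against your own WAN address, it reports whether the `weblogin.htm` admin login answers on ports 443 or 444. The sample replies and verdict names are constructed for illustration.

```python
import socket
import ssl
import sys

LOGIN_MARKER = b"weblogin.htm"  # admin login page name reported in the thread

def probe(host, port, timeout=5.0):
    """GET / over HTTPS. None = no TCP answer; b"" = port open but TLS/HTTP failed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # router certificates are usually self-signed
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None                  # refused, filtered or timed out
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            buf = b""
            while len(buf) < 65536 and (chunk := tls.recv(4096)):
                buf += chunk
            return buf
    except OSError:
        return b""
    finally:
        raw.close()

def classify(response):
    """Map one raw reply to a verdict string (names are this example's own)."""
    if response is None:
        return "no-answer"
    if not response.startswith(b"HTTP/"):
        return "open-unknown"
    if LOGIN_MARKER in response.lower():   # matches a redirect header or page body
        return "admin-login-exposed"
    return "https-no-admin-login"

def audit(responses):
    """responses maps port -> raw reply (or None); returns (verdicts, passed)."""
    verdicts = {port: classify(r) for port, r in responses.items()}
    return verdicts, "admin-login-exposed" not in verdicts.values()

# Constructed sample replies (not captured from a real router).
SAMPLE_BEFORE = {443: b"HTTP/1.1 302 Found\r\nLocation: /weblogin.htm\r\n\r\n", 444: None}
SAMPLE_AFTER = {443: None, 444: None}  # 443 forwarded to a dummy location

if __name__ == "__main__":
    host = sys.argv[1]               # your own WAN address
    verdicts, passed = audit({p: probe(host, p) for p in (443, 444)})
    print(verdicts, "PASS" if passed else "FAIL: admin login reachable from WAN")
    sys.exit(0 if passed else 1)
```

An `open-unknown` verdict means the port accepted a connection but the TLS or HTTP exchange failed, so it still needs a manual look.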

Moderators: Sami