Modern firewalls can inspect packet contents for parts of an HTTPS traffic flow. This capability falls under Intrusion Detection / Intrusion Prevention (IDS/IPS) services. It matters here because, when a Green or Black box Amphion fails to connect to its VPN servers, the cause is often an unintended consequence of these advanced firewall features. Below is a brief explanation of what happens and how to change the firewall rules to allow the connection.

Our devices use the well-known OpenVPN protocol over HTTPS/SSL (secure web browsing) to connect to our servers. Because the setup of an SSL connection exchanges cipher-suite and SSL certificate information in clear text, an advanced firewall can examine this part of the stream. Depending on the contents of the firewall's IDS/IPS ruleset, the firewall may erroneously decide that the traffic between the Amphion and its VPN servers is flawed and interrupt the connection. When that happens, the Remote Service VPN is never established.

The fix is simple: add the Amphion's address to the firewall's whitelist of exceptions for IDS/IPS inspection. Once that is done, traffic from the Amphion to its VPN servers is no longer blocked and the VPNs can be established.
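As an added diagnostic (not code from ei3 or from the Amphion itself), the following Python script checks, from the Amphion's network segment, whether a TLS handshake to a VPN server's HTTPS port completes or is cut off after the clear-text ClientHello, which is the symptom described above. The local "interrupting listener" is a constructed stand-in for an inspecting firewall so the script runs offline; the VPN server host name and port 443 are assumptions.

```python
import socket
import ssl
import threading

# Outcomes worth telling apart when an inline IDS/IPS is suspected of cutting
# the OpenVPN-over-HTTPS session during its clear-text TLS handshake.
TCP_UNREACHABLE = "tcp_unreachable"              # no TCP session at all
HANDSHAKE_INTERRUPTED = "handshake_interrupted"  # TCP ok, handshake torn down
HANDSHAKE_OK = "handshake_ok"                    # handshake completed


def probe_tls_handshake(host, port=443, timeout=5.0):
    """Connect to host:port, send a TLS ClientHello and classify the result.
    Certificate checks are off on purpose: the question is whether the
    handshake is allowed to complete, not whether the peer is trusted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return TCP_UNREACHABLE
    try:
        # wrap_socket runs the handshake right away on a connected socket.
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except (ssl.SSLError, OSError):
        # Reset or EOF after the ClientHello went out: the TCP path works,
        # but something in between ended the session during the handshake.
        return HANDSHAKE_INTERRUPTED
    tls.close()
    return HANDSHAKE_OK


def simulate_inline_ips_interruption():
    """Constructed stand-in for the failure mode: a loopback listener that
    reads the ClientHello and then drops the connection. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.recv(4096)  # swallow the ClientHello, as an inspecting box would
        conn.close()     # then tear the session down mid-handshake
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Run against the stand-in; point it at the VPN server's port 443 in practice.
    print(probe_tls_handshake("127.0.0.1", simulate_inline_ips_interruption()))
```

A result of handshake_interrupted toward the VPN server before whitelisting, changing to handshake_ok afterwards, confirms the IDS/IPS exception took effect.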

© 2020 ei3 Corporation. Content of this web page is proprietary to ei3 Corporation.
