PaCuS
Explorer

Redirect public port 443 to internal 443 server.

Firewall: Checkpoint Quantum Spark 1800 Appliance

I need to publish an internal web service 443 to public IP 443, it can not be another port due to project specifications.

The first problem is that the remote access via VPN “takes over” the 443. If I change the port 443, then the next service that “takes over” is the “SSL Network Extender”, so I can never be able to serve a web server via 443 with access through the internet.

Can anyone help me?

Thanks.

24 Replies
Chris_Atkinson
Employee

So you've already manipulated the following option?

Device > Advanced > Advanced setting: "Remote Access VPN - Reserve port 443 for port forwarding"

CCSM R77/R80/ELITE
the_rock
Legend

For what it's worth, below are steps from ChatGPT.

Andy

**********************

To redirect public port 443 to an internal server on port 443 using a Check Point SMB appliance (such as a 1400/1500 series), you need to configure Port Forwarding (NAT Rule) and Access Rule (Firewall Rule). Here's how you can do it via the Web UI:


Step-by-Step: Port Forward 443 to Internal Server

🔧 1. Log into the Web UI

  • Open a browser and go to: https://<firewall-ip>

  • Log in as admin

🔁 2. Create a Port Forwarding (NAT) Rule

  • Go to Network > NAT

  • Click Add

  • Fill in:

    • Name: HTTPS-Forwarding

    • Service: HTTPS (TCP 443)

    • Incoming Interface: Choose the external WAN interface

    • Destination IP: Leave blank or use the firewall's public IP

    • Translated IP: Enter the internal server's IP (e.g., 192.168.1.100)

    • Translated Port: Leave blank (or use 443 if needed)

This tells the firewall to forward traffic hitting port 443 to the internal IP.

🔥 3. Add a Firewall Access Rule

  • Go to Firewall > Access Policy

  • Click Add Rule

  • Set:

    • Source: Any or specific source IP/range

    • Destination: Firewall's external IP

    • Service: HTTPS

    • Action: Accept

    • Install On: This Gateway

4. Save & Apply Changes

  • Click Apply Changes at the top


🧪 Optional: Test It

  • From outside your network, open a browser and go to https://<your-public-IP>

  • It should forward you to your internal server

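The step-by-step above ends with "open a browser and it should forward you", which does not tell you who actually answered: the published web server, or the gateway's own Visitor Mode / SSL Network Extender portal on 443. Both speak TLS, so the quickest way to tell them apart is to compare the certificate fingerprint served on each public IP with the one the internal server serves. The script below is an added example, not code from the thread or from Check Point; the IP addresses in it (192.168.1.100 for the internal server, 198.51.100.10 and 203.0.113.10 for the two WAN addresses, 444 for the relocated VPN port) are assumptions to replace with your own.

```python
"""Tell a working 443 port-forward apart from the gateway answering on 443 itself.

Added example for this thread, not Check Point code. Addresses are assumptions.
Compares the SHA-256 fingerprint of the certificate served on each public IP
with the fingerprint the internal server serves; a mismatch means something on
the gateway (Visitor Mode / SSL Network Extender portal) took the connection.
"""
import hashlib
import socket
import ssl
from typing import Callable, Dict, Iterable, Optional

FORWARDED = "forwarded"              # public cert == internal server cert
INTERCEPTED = "gateway-intercepted"  # TLS answered, but with a different cert
UNREACHABLE = "unreachable"          # no TLS endpoint answered (filtered/dropped)


def fingerprint_der(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def probe_tls(host: str, port: int, timeout: float = 5.0) -> Optional[str]:
    """Fingerprint of the leaf certificate served at host:port, or None if no
    TLS endpoint answered. Verification is disabled on purpose: the goal is to
    identify the peer, not to trust it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except OSError:  # refused, timed out, reset, or TLS handshake failure
        return None
    return fingerprint_der(der) if der else None


def classify(public_fp: Optional[str], internal_fp: Optional[str]) -> str:
    """Verdict for one public endpoint given the internal server's fingerprint."""
    if public_fp is None:
        return UNREACHABLE
    if internal_fp is not None and public_fp == internal_fp:
        return FORWARDED
    return INTERCEPTED


def check_wans(wan_ips: Iterable[str], internal_fp: Optional[str], port: int = 443,
               prober: Callable[[str, int], Optional[str]] = probe_tls) -> Dict[str, str]:
    """Probe every public IP and return {ip: verdict}. Running it against both WAN
    addresses surfaces the thread's second symptom, where the forward only works
    on the first WAN. `prober` is injectable so the logic can be tested offline."""
    return {ip: classify(prober(ip, port), internal_fp) for ip in wan_ips}


if __name__ == "__main__":
    # Assumed addresses. Get the internal fingerprint from inside the LAN first;
    # run the WAN probes from outside, otherwise the gateway may hairpin them.
    internal = probe_tls("192.168.1.100", 443)
    print("internal server cert:", internal)
    for ip, verdict in check_wans(["198.51.100.10", "203.0.113.10"], internal).items():
        print(f"{ip}:443 -> {verdict}")
    # After "Reserve port 443 for port forwarding" and moving Remote Access to 444,
    # the VPN portal should answer here; None means the gateway is dropping it.
    print("vpn portal 444 ->", probe_tls("198.51.100.10", 444))
```

If a WAN address comes back `gateway-intercepted`, the NAT rule is not the problem: the gateway is still terminating 443 itself (Visitor Mode or the SNX portal), so the "Reserve port 443 for port forwarding" setting is the thing to verify. `unreachable` on the second WAN, with `forwarded` on the first, is the "Install On: This Gateway defaults to the first WAN" behaviour described later in this thread, not a server-side fault.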
PaCuS
Explorer

And how do I configure the VPN client connections to work?

the_rock
Legend

I can't say for sure unless I saw why it's failing and did some troubleshooting/debugging. I would test port 18234, which is the tunnel test packets.

fw monitor -e "accept port(18234);"

Andy

the_rock
Legend

Might also be worth opening a TAC case to verify.

PaCuS
Explorer

They have not been able to give me a solution of any kind. (It's no joke).

Chris_Atkinson
Employee

Per the advanced option I mentioned above, did you both change the port and tick the option to reserve 443 for port forwarding?

Also, is this a centrally or locally managed device?

CCSM R77/R80/ELITE
the_rock
Legend

Hey Chris,

I believe that option you mentioned initially is for locally managed; I saw it on the demo point lab. What would be the equivalent if it's centrally managed?

Andy

PaCuS
Explorer

I didn't quite understand what you mean by local or centralised management.

My question is the following, once I change the port for VPN.
How do I configure the VPN client with the new port? For example 444.

PS: This Monday I plan to try all this again.

the_rock
Legend

What we mean is: is it managed by a management server, or on its own? You could try deleting the site on the client and then re-creating it as vpn.mycompany.com:444 (or whatever the new port is) and try, BUT I'm not sure if that would work if you change it on the GW side, so give it a go.

Andy

PaCuS
Explorer

I have only managed to do the 443 redirection through one of the 2 WANs.

I can't do it with the 2nd WAN. 😕 (It only shows "This Gateway" and defaults to the first WAN.)
VPN is overridden... I can't configure any VPN client with any different port. Example used: vpn.compañia.com:444 (not working).

the_rock
Legend

Does it even let you create a site using port 444?

Andy

PaCuS
Explorer

I've tried, at least, hehe. But it hasn't let me. I don't care about the VPN issue. What really matters to me is the initial topic of the post, and that it doesn't let me do it through the second WAN, only the first.

the_rock
Legend

OK, hang on, now I'm a little confused. Are you trying to get this working via a custom port or via the 2nd WAN link?

Andy

PaCuS
Explorer

I have 2 WANs. I want to use one of the 2 WANs (the public IP that corresponds to the second WAN, not the first). It's only working for me with the first one.

G_W_Albrecht
Legend

In Advanced Settings, for locally managed we have:

VPN Remote Access - Remote Access port
  Type: port
  Default: 443
  Select the port to which Remote Access clients connect, and which the SSL VPN Network Extender portal uses

VPN Remote Access - Reserve port 443 for port forwarding
  Type: bool
  Default: false
  Reserving port 443 for port forwarding (port 443 will not be used for Remote Access and SSL VPN Network Extender)

VPN Remote Access - Enable Visitor Mode on All Interfaces
  Type: options
  Default: All
  Enable visitor mode on all interfaces

VPN Remote Access - Enable Visitor Mode on This Interface
  Type: ipv4addr
  Default: 0.0.0.0
  Support visitor mode on this interface

But we cannot select WAN IFs here! On GAiA, the reference is https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...


CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
PhoneBoy
Admin

Central Management: using a Smart-1 and SmartConsole.
Local Management: using the device's WebUI and/or SMP.

As far as I know,  SMB devices only support "Visitor Mode" (used for Remote Access VPN) on TCP 443 only and cannot be changed.

PaCuS
Explorer

Hello,

It can be changed. I changed it to 444 and I could use 443 for the internal service I was interested in (for one of the 2 WANs I have; it only lets me for one of the two), but this has meant that I can no longer use VPN at all, even on 444: it is dropping the requests for 444.

There are two problems here right now.

1. VPN does not work.
2. I cannot use 443 redirection with the 2nd WAN.

the_rock
Legend

1) When you say it does not work, does that mean the site can't be created, or that it can be but then people can't connect to anything internally?

2) 2nd WAN: are you even able to create a site on that IP to begin with?

Andy

PhoneBoy
Admin (Accepted Solution)

The capability to change the port might exist, but doing so doesn't work in a working configuration.
This is what is meant by "cannot be changed" and is expected behavior on SMB appliances.

G_W_Albrecht
Legend

The RA config capability is present, as seen in the Advanced Settings shown below, but the second WAN is the issue, I suppose...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
PaCuS
Explorer

But it has to be possible somehow...

PhoneBoy
Admin

Since it is actually possible to change the Visitor Mode port (this was added in R81.10.xx firmware), the fact it's "not working" for either of your inquiries suggests you may want to involve TAC.
