- After installing Elements Agent (EPP for Computers or for Servers), VPN connection stopped working and is blocked by the firewall feature.
- How to create a custom Elements Endpoint Protection profile to allow the VPN connection?
- Which ports need to be opened to allow PPTP, L2TP and IPSec VPN connection through the firewall?
By default, Windows Firewall allows outbound connections that do not match any rule, whereas the WithSecure Firewall profile blocks them. If a VPN connection is blocked after installing Elements Agent, you first need a custom profile (the built-in profiles cannot be edited) and then either:
- Create a firewall rule that allows only the VPN traffic (the preferred, least-privilege option), or
- Set Allow unknown outbound connections in the profile. Note that this re-allows all unmatched outbound traffic, not only the VPN, so it weakens the profile's egress filtering for every application on the device.
Creating a custom profile:
- Log in to the Endpoint Security Center:
- Open the Endpoint Protection solution from the menu on the left
- Go to the Profiles page
- Click on the three dots on the right side of the profile you want to clone
- Click Clone profile
- Enter the name and label of the new custom profile
After creating a custom profile, you can start creating new firewall rules.
Creating a new VPN firewall rule:
- Select the profile you want to use
- Select the Firewall settings page
- Scroll down to the Firewall rules table and click Add rule
- Enter a name and description for the rule, e.g. Allow VPN, set its action to Allow, and add the direction, protocol and port entries for your VPN type as listed below
The ports and protocols that need to be allowed vary between each VPN connection type. Verify with your VPN provider the type of VPN connection you are using.
To allow common PPTP VPN traffic:
- Allow PPTP tunnel maintenance (control channel) traffic: open outbound TCP port 1723
- Allow PPTP tunneled data through the firewall: open outbound IP protocol 47 (GRE). GRE has no port numbers, so the rule must be created for the IP protocol itself
To allow common IPSec VPN traffic:
- Allow Internet Key Exchange (IKE), open UDP port 500 inbound and outbound
- Allow IPSec Network Address Translation (NAT-T), open UDP port 4500 inbound and outbound
- Allow Encapsulating Security Payload (ESP), open IP protocol 50 inbound and outbound
- Allow Authentication Header (AH), open IP protocol 51 inbound and outbound
- Allow IP-in-IP encapsulation, open IP protocol 4 outbound
If an IKEv2 IPsec VPN connection still does not work after creating the above rules, enable Allow unknown outbound connections in the profile and test again. By default Windows Firewall allows unknown outbound connections, while the WithSecure (formerly F-Secure) firewall profile blocks them.
To allow common L2TP VPN traffic:
- Allow L2TP traffic, open UDP port 1701 inbound and outbound
- Allow L2TP over IP, open IP protocol 115 inbound and outbound
Most L2TP deployments, including the built-in Windows VPN client, run L2TP over IPsec (L2TP/IPsec). In that case the IPsec rules above (UDP 500, UDP 4500 and ESP) are also required, because the L2TP packets travel inside the IPsec tunnel.
Once the firewall rules have been created, click Save and publish. After that the profile needs to be assigned to the target devices.
Assigning a profile:
- Go to the Devices page
- Choose the device(s) to which you want to assign the profile
- Click on Assign > Assign profile
- Select the profile with the VPN firewall rules and click Assign
If you do not want to create custom firewall rules for the VPN connection, you can instead allow outbound connections that do not match a rule, which is the Windows default setting. This is broader than a VPN rule, since every application on the device then gets unmatched outbound access, so prefer the rule-based approach where possible. You can change the setting in the Elements profile by following these steps:
- Open the profile you want to edit
- Go to the Firewall settings page
- Scroll down to the Fallback settings section
- Enable Allow unknown outbound connections
- Click Save and publish
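To check on the endpoint what the firewall actually enforces after the profile has been published and assigned, the following PowerShell session is an added example; it is not part of this article or of the WithSecure product. It assumes that the Elements firewall applies its policy through Windows Firewall, so that the Get-NetFirewall* cmdlets reflect the effective state (an assumption, not something the article states). It lists the fallback (default outbound) action per profile, lists the enabled allow rules that cover the VPN ports and IP protocols from the sections above, and provides a hypothetical helper, Add-VpnAllowRules, that creates equivalent local rules for lab testing only. The group name "VPN test rules" and the $GatewayAddress parameter are arbitrary choices made for the example.

```powershell
# Added example, not from the WithSecure article. Run in an elevated PowerShell
# session on the affected endpoint. Assumption: the Elements firewall enforces
# its profile through Windows Firewall, so these cmdlets show the effective
# state. Locally created rules may be overwritten by the managed profile; the
# profile in the Elements Security Center remains the real fix.

# 1. Fallback setting: what happens to outbound traffic that matches no rule?
#    A DefaultOutboundAction of Block is the condition the article describes.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 2. Enabled allow rules that cover the VPN ports and IP protocols from the
#    article. Protocol numbers: 47 GRE, 50 ESP, 51 AH, 4 IP-in-IP, 115 L2TP/IP.
$vpnPorts     = '1723', '500', '4500', '1701'
$vpnProtocols = '47', '50', '51', '4', '115'

Get-NetFirewallRule -Enabled True -Action Allow | ForEach-Object {
    $rule   = $_
    $filter = $rule | Get-NetFirewallPortFilter
    $ports  = @($filter.RemotePort) + @($filter.LocalPort)
    $match  = ($vpnProtocols -contains "$($filter.Protocol)") -or
              (('TCP', 'UDP') -contains "$($filter.Protocol)" -and
               ($ports | Where-Object { $vpnPorts -contains $_ }))
    if ($match) {
        [pscustomobject]@{
            Name      = $rule.DisplayName
            Direction = $rule.Direction
            Protocol  = $filter.Protocol
            Ports     = ($ports | Where-Object { $_ -ne 'Any' }) -join ','
            Profile   = $rule.Profile
        }
    }
} | Format-Table -AutoSize

# 3. Lab only: local rules mirroring the profile rules for one VPN type.
#    Hypothetical helper. Restricting -RemoteAddress to the VPN gateway keeps
#    each rule narrower than "any host"; the default 'Any' matches the article.
function Add-VpnAllowRules {
    param(
        [Parameter(Mandatory)][ValidateSet('PPTP', 'IPsec', 'L2TP')] [string] $Type,
        [string] $GatewayAddress = 'Any'
    )
    $common = @{ Action = 'Allow'; Group = 'VPN test rules'; RemoteAddress = $GatewayAddress }

    # UDP rules: remote port for outbound, local port for inbound replies.
    function PortParam([string] $dir, [string[]] $ports) {
        if ($dir -eq 'Inbound') { @{ LocalPort = $ports } } else { @{ RemotePort = $ports } }
    }

    switch ($Type) {
        'PPTP' {
            New-NetFirewallRule @common -DisplayName 'VPN PPTP control (TCP 1723)' -Direction Outbound -Protocol TCP -RemotePort 1723
            New-NetFirewallRule @common -DisplayName 'VPN PPTP data (GRE 47)'     -Direction Outbound -Protocol 47
        }
        'IPsec' {
            foreach ($dir in 'Inbound', 'Outbound') {
                $p = PortParam $dir @('500', '4500')
                New-NetFirewallRule @common @p -DisplayName "VPN IKE and NAT-T $dir" -Direction $dir -Protocol UDP
                New-NetFirewallRule @common -DisplayName "VPN ESP (50) $dir" -Direction $dir -Protocol 50
                New-NetFirewallRule @common -DisplayName "VPN AH (51) $dir"  -Direction $dir -Protocol 51
            }
            New-NetFirewallRule @common -DisplayName 'VPN IP-in-IP (4)' -Direction Outbound -Protocol 4
        }
        'L2TP' {
            foreach ($dir in 'Inbound', 'Outbound') {
                $p = PortParam $dir @('1701')
                New-NetFirewallRule @common @p -DisplayName "VPN L2TP (UDP 1701) $dir" -Direction $dir -Protocol UDP
                New-NetFirewallRule @common -DisplayName "VPN L2TP over IP (115) $dir" -Direction $dir -Protocol 115
            }
            # L2TP/IPsec also needs the IPsec rules: Add-VpnAllowRules -Type IPsec
        }
    }
}

# Example lab usage, then cleanup of everything the helper created:
# Add-VpnAllowRules -Type IPsec -GatewayAddress 203.0.113.10
# Get-NetFirewallRule -Group 'VPN test rules' | Remove-NetFirewallRule
```

Step 2 is the useful check after publishing the profile: if the VPN rule you created in the Elements profile does not appear there with the expected protocol and direction, the profile has not reached the device yet or was assigned to the wrong devices. Step 3 is for reproducing the fix in a lab before editing the production profile; remove the rules again with the last line, since they bypass the managed policy.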
Article no: 000002583