How to create a custom Elements Endpoint Protection profile to allow VPN traffic through the firewall? Which ports to open?

Issue:

After installing Elements Agent (EPP for Computers or for Servers), VPN connection stopped working and is blocked by the Windows firewall.
How to create a custom Elements Endpoint Protection profile to allow the VPN connection?
Which ports need to be opened to allow PPTP, L2TP and IPSec VPN connection through the firewall?

Resolution:

In this case, you have to start by creating a custom profile that can be edited.

Creating a custom profile:

Log in to the Elements Security Center Portal
Open the Security configurations section from the menu on the left
Go to the Profiles page
Select the circular symbol with three dots in the middle next to the profile you want to clone
Press on the clone profile
Enter the name and label of the new custom profile

After creating a custom profile, you can start creating new firewall rules.

Creating a new VPN firewall rule:

Select the profile you want to use
Go to the Firewall settings page
Go to Firewall rules and select add rule
Enter a name and description of the rule, e.g Allow VPN

The ports and protocols that need to be allowed vary between each VPN connection type. Verify with your VPN provider the type of VPN connection you are using and which ports to open.

To allow common PPTP VPN traffic:

Allow PPTP tunnel maintenance traffic, open outbound TCP port 1723
Allow PPTP tunneled data to pass through the router, open outbound protocol 47 (GRE)

To allow common IPSec VPN traffic:

Allow Internet Key Exchange (IKE), open UDP port 500 outbound
Allow IPSec Network Address Translation (NAT-T), open UDP port 4500 outbound
Allow Encapsulation Security Payload protocol (ESP), open protocol 50 outbound
Allow Authentication Header protocol (AH), open protocol 51 outbound
Allow IP-in-IP Encapsulation, open protocol 4 outbound.

If IPSec IKEv2 VPN connection is not working after creating the above firewall rules, enable Allow unknown outbound connections from the profile and see if it helps. By default Windows firewall has unknown outbound connections allowed, while the WithSecure firewall profile will block them.

To allow common L2TP VPN traffic:

Allow L2TP traffic, open UDP port 1701 outbound
Allow protocol 115 outbound

Once the firewall rules have been created, the profile needs to be assigned to the target devices.

Assigning a profile:

Go to the Devices page
Choose the device(s) to which you want to assign a profile to
Click on Assign > Assign profile
Select the profile with the VPN firewall rules and click Assign

Article no: 000002583