Anyconnect Port



KB ID 0000422

Problem

AnyConnect runs over TCP port 443 (That’s HTTPS/SSL), but if you only have one public IP and need to forward that port to a web server or internal host then you are a bit snookered. You can of course change the port that AnyConnect runs over, so that it’s no longer on TCP port 443.

Why you would NOT want to do this.

Bear in mind that HTTPS runs on a well-known port, and it's open in most places for secure web traffic. You use it when you purchase things over the internet, or do your banking. For that reason it's allowed from most networks, and through most firewalls, which is what makes AnyConnect so handy. If you change the port, then you may have some connection problems.

Solution

Assuming you accept the potential problems and want to swap the port over then do the following.

Via Command Line

1. Connect to the ASA via Telnet, SSH or Console Cable.

2. Log in and go to “configure terminal” mode.

3. You can’t change the port while AnyConnect is enabled, so you need to disable it, change the port then re-enable it again (in this example I’ve changed it to port 444).

4. Save the changes with a write mem command.
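
The commands for steps 2 to 4, as an added example rather than the article's own listing. It assumes AnyConnect is currently enabled on the interface named outside and uses port 444 as in the article.

```cisco
! Added example (not the original article's listing).
! Assumptions: interface name "outside", new port 444.
configure terminal
 webvpn
  ! The port cannot be changed while AnyConnect is enabled on the interface
  no enable outside
  ! Move the SSL (TCP) listener from 443 to 444
  port 444
  ! Re-enable AnyConnect on the outside interface
  enable outside
  ! Note: DTLS (UDP) has its own setting, "dtls port", left at its default here
  exit
 ! Confirm the new port appears in the running configuration
 show running-config webvpn
 ! Step 4: save the change
 write memory
```

Any upstream firewall or NAT rule that previously allowed TCP 443 to the ASA also has to allow the new port before clients can connect.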

Via ASDM

1. Connect to the ASDM.

2. Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection profiles.

3. You will need to un-tick the allow access on the outside option, then change the port, then re-tick to allow access, then click Apply.

Update 01/10/12

4. When done, click File > Save Running configuration to flash, to save the changes.

BE AWARE

Your clients would now need to connect to the portal on,

https://{name or IP address}:444

Or if using the client software, they will need to tag the port number on the end like so,

Related Articles, References, Credits, or External Links

There are many ways to connect to dCloud sessions. If you connect to a session through a firewall, the ports that must be permitted and opened on that firewall depend on the method you use to connect to the session. The table lists dCloud access methods and the firewall port number that must be permitted to enable the communication type used by each method.

Table 1. Firewall Port to Open and Communication Type to Enable Session Access Methods

| Method Used to Connect to dCloud Sessions | Port (Communication Type) |
|---|---|
| VPN (AnyConnect) | Port 443 (TCP and UDP) |
| VPN (Endpoint Router Kit) | Port 443 (TCP) |
| IP Phone VPN | Port 443 (UDP) |
| BYOD | Port 5247 (UDP) |
| Data for BYOD | Port 5246 (UDP) |
| Standard HTTPS (dCloud Remote Desktop) | Port 443 |
| Standard HTTP | Port 80 |

For VPN connections (the first three access methods), after you permit a VPN connection to dCloud sessions for the specified port, no other modifications are required on the firewall.

For example, assume that you have a router that you want to connect to a dCloud session via VPN. You must permit port 443 on the firewall for the VPN to be established between your router and dCloud. After the VPN is established, any device connected to your router can connect through the router directly to the active session. This is because after the VPN is established, all traffic to the active session will go over the VPN; however, any Internet browsing traffic is sent over the local connection. This is done by the split-tunneling setup on the router.

Similarly, assume that you want to connect an endpoint device to a dCloud session using AnyConnect. After the VPN connection is permitted across port 443 and established, all traffic between the endpoint device and the session across that VPN is allowed.

Some dCloud content may require that additional firewall ports be opened for specific communication types. Those port numbers will be provided in the content documentation or the Help for that architecture.