How to block external VPNs / PROXY / Hot Spot Shield / Ultrasurf / Spotflux, etc.





Skip to comments

To secure your network, or a particular device(s) on your network against free VPN / PROXY apps like Hot Spot Shield, Ultrasurf, etc. you'll need to block all outbound firewall ports, and allow only those you know are needed. This is a very effective technique but depending on how you implement it, additional administration on your part will be required to manage this rule.

To block access to HotSpot Shield, Ultrasurf, VPNs, PROXYs, etc:

  1. Log into your BUC appliance at
  2. Go to Firewall, Restrictions
  3. Under Access Restrictions we are going to create a new rule:
    • Rule Description: block_free_vpn
    • Rule Applies To: [your decision - note that All Hosts is an acceptable option, but see !NOTE below]
    • Schedule: [your decision]
    • Restricted Resources: Un-check
      • Remote Port(s): Block All Except 80,443 
    • Add New Rule
  4. Save Changes


! NOTE: when this rule active only ports 80 and 443 will work through your BUC appliance. For general Web browsing this is all that is needed. However if you use any type of legitimate VPN or PROXY, or remote administration tools, etc. you'll need to add those ports to this rule assuming the rule you create applies to All Hosts (we recommend Only The Following Hosts). It's probably best to test your rule on a single device and when you know it's working the way you want then go All Hosts if that is your goal.

Known Safe Remote Ports:

  • 80     =  HTTP (i.e. general web browsing)
  • 443   =  HTTPS (i.e. secure web browsing, like banking sites)
  • 5938 =  Teamviewer
  • 1723 =  PPTP VPN
  • 88     =  XBOX 
  • 3074 =  XBOX
  • Complete list of TCP and UDP port numbers


Updated: 2/21/15



Widget is loading comments...