A new Chinese policy going into effect next week, will have profound impact on businesses relying on Internet VPN or SD-WAN access within China.

According to a notice from China Telecom obtained by SD-WAN Experts, the Chinese Government will require commercial Chinese ISPs to block TCP ports 80, 8080, and 443 by January 11, 2018. Port 80 is of course the TCP port commonly used for carrying HTTP traffic; 8080 and 443 are used for carrying HTTPS traffic. Commercial ISP customers interested in maintaining access to those ports must register or apply to re-open the port through their local ISP.

The news, first reported by Bloomberg July, was expected to be implemented by February, 2018. This is the first time a specific date has been provided for the action.

Millions of Internet users relied on virtual private networks (VPNs) to circumvent the Chinese censorship system, dubbed the Great Firewall of China. In the past, VPNs have worked intermittently but were invariably blocked, forcing users to jump to another VPN. The new regulations will block VPN access to unregistered services.

Crackdowns on accessing the Internet beyond the Great Firewall — the world’s most sophisticated state-censorship operation, employs at least 2 million online censors. But this news highlights how the world’s second largest economy is struggling to balance authoritarianism with its business leadership aspirations. In addition, a strict new cybersecurity law came into effect in June. In July China Telecom, the nation’s biggest Internet service provider, sent a letter to corporate clients that said in future, VPNs would only be allowed to connect to a company’s headquarters abroad.

For SD-WAN users, the regulations could have significant impact. Site-to-site connectivity across MPLS or private line will be unaffected, but site-to-site VPNs will be affected, if businesses do not register with their ISPs. This means hybrid WANs, for example, will work fine for those applications running across the private data service, but will be disrupted when failing over to the Internet or sending traffic across the encrypted Internet tunnel as the primary traffic driver. There are many SD-WAN and meshed VPN installations in China today that leverage the lower internet costs within China, using a lesser number of MPLS circuits to reach data centers outside of the country. These circuits will fail to pass traffic on January 10th, unless the enterprise register with their local ISPs.

All SD-WAN service providers will most likely to be impacted by these changes. If the customer uses the Internet, then they’ll be blocked. If they use MPLS they won’t be impacted.

Here’s a translation of the text from Chinese government describing the policy:

—————————-

Electronics Co., Ltd.

Hello, Annex is not opened 80 8080 port fixed IP line list, if your company to use the 443 port, please January 2018 January 10 to complete the relevant filing, so as not to be closed 443 port, thank you.

—————————-

China Telecom Xiamen FTA division of corporate customers

Tel: 0592-5512875 phone: 18059800252

Mailing Address: Lake Avenue 15, Building 102 telecommunications complex

Business please mail before the 25th of each month, thank you!

And the original Chinese:

氏电子有限公司

您好，附件为未开通80 8080端口的固定IP专线清单，贵司如有使用443端口的，请于2018年1月10日前完成相关备案工作，以免被关闭443端口，谢谢。

As noted in Bloomberg:

“This seems to impact individuals” most immediately, said Jake Parker, Beijing-based vice president of the US-China Business Council. “VPNs are incredibly important for companies trying to access global services outside of China,” he said. “In the past, any effort to cut off internal corporate VPNs has been enough to make a company think about closing or reducing operations in China. It’s that big a deal,” he added.

The take-away from this story: if you have facilities in China, be sure you address this VPN registration issue, if it hasn’t been addressed already.