diff --git a/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php b/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
index bda3809f4..92540c96c 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
@@ -277,7 +277,12 @@ class ACL
{
if (!empty($_SESSION['user_shouldChangePassword'])) {
// when a password change is enforced, lock all other endpoints
- return $this->urlMatch($url, 'system_usermanager_passwordmg.php*');
+ foreach (['system_usermanager_passwordmg.php*', 'ui/user_portal', 'api/user_portal/user/*'] as $pattern) {
+ if ($this->urlMatch($url, $pattern)) {
+ return true;
+ }
+ }
+ return false;
}
foreach ($this->urlMasks($username) as $urlmask) {
if ($this->urlMatch($url, $urlmask)) {
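Review bot: The allow-list applied while `user_shouldChangePassword` is set now includes the wildcard `api/user_portal/user/*`, so every action on that controller becomes reachable for a session that has not yet replaced its password. The controller is not part of this diff, so it is worth confirming that it exposes nothing beyond the password change itself. Unlike the legacy entry, `ui/user_portal` has no trailing `*`, and how `urlMatch()` treats a trailing slash or a query string is not visible here. The same patterns are repeated in ACL.xml, and the path appears again in the landing-page hunk, index.php and authgui.inc; a class constant such as `private const PASSWORD_CHANGE_PATTERNS = [...]`, with a comment saying why each entry is allowed, would keep the lock and the privilege from drifting apart. The enclosing method starts and ends outside the hunk.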
@@ -358,7 +363,7 @@ class ACL
{
if (!empty($_SESSION['user_shouldChangePassword'])) {
// ACL lock, may only access password page
- return "system_usermanager_passwordmg.php";
+ return "ui/user_portal";
} elseif (!empty($this->userDatabase[$username]['landing_page'])) {
// remove leading slash, which would result in redirection to //page (without host) after login or auth failure.
$page = ltrim($this->userDatabase[$username]['landing_page'], '/');
diff --git a/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml b/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml
index 1af69767f..7099c5c0d 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml
@@ -648,6 +648,8 @@
Lobby: Password
system_usermanager_passwordmg.php*
+ ui/user_portal
+ api/user_portal/user/*
diff --git a/src/opnsense/www/index.php b/src/opnsense/www/index.php
index 3d6323ee2..658e350e4 100644
--- a/src/opnsense/www/index.php
+++ b/src/opnsense/www/index.php
@@ -68,8 +68,14 @@ try {
'action' => 'indexAction',
]);
} catch (\OPNsense\Mvc\Exceptions\DispatchException) {
- // unroutable (page not found), present page not found controller
- $response = $router->routeRequest('/ui/core/index/index');
+ if ($_SERVER['REQUEST_URI'] === '/ui/user_portal') {
+ /* legacy user password manager requested, non BE install */
+ header('Location: /system_usermanager_passwordmg.php');
+ exit(0);
+ } else {
+ // unroutable (page not found), present page not found controller
+ $response = $router->routeRequest('/ui/core/index/index');
+ }
}
if (!$response->isSent()) {
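Review bot: The fallback compares the whole `$_SERVER['REQUEST_URI']` with `/ui/user_portal`, and that value includes any query string, so `/ui/user_portal?x=1` or `/ui/user_portal/` falls through to the page-not-found controller instead of the legacy password page. Comparing only the path would be more robust: `if (rtrim((string)parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH), '/') === '/ui/user_portal') {`. The `else` after `exit(0)` is redundant and could be dropped, leaving the not-found routing at its original indent. The `try` block starts outside the hunk.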
diff --git a/src/www/authgui.inc b/src/www/authgui.inc
index 996279bab..bdc5fa19a 100644
--- a/src/www/authgui.inc
+++ b/src/www/authgui.inc
@@ -197,7 +197,7 @@ function session_auth()
header(url_safe("Location: {$redir_uri}"));
}
} elseif (!empty($_SESSION['user_shouldChangePassword'])) {
- header("Location: system_usermanager_passwordmg.php");
+ header("Location: /ui/user_portal");
} else {
if ($_SERVER['REQUEST_URI'] == "/") {
// default landing page
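Review bot: Nothing at this redirect says that `/ui/user_portal` may not be routable. On a non BE install (per the comment in index.php) it only works because index.php catches the DispatchException and redirects to the legacy page. A comment above the header would make that dependency visible, e.g. `// index.php falls back to system_usermanager_passwordmg.php when the user portal is not installed`. session_auth() continues outside the hunk.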