SRX Dynamic VPN

After redirecting the web ports to 10443 and 8080 on a SRX-100, dynamic vpn doesn't work anymore. I’m getting an error message in Pulse saying: Failed to initialize authentication
Need help!
Pulse.png
LVL 1
elit2007Asked:
Who is Participating?
 
deimarkConnect With a Mentor Commented:
Here is an extract


Summary:
This article provides information about the ports that can be used by Junos Pulse for dynamic VPN.

Problem or Goal:
 Can any other port, apart from 443, be configured for dynamic VPN?

Cause:
 

Solution:

    No other port can be configured for Dynamic-VPN (initial web-auth). For dynamic-VPN requests, the JSRX device has to listen on port 443.

    JSRX dynamic VPN clients (Akedia or Junos Pulse client) initiate a connection on port 443 for web-auth and when web-auth is passed, it starts the phase-1 negotiation and xauth process.

    The Junos Pulse or Akedia client does not have an option to configure the port, on which it has to send the request; it is hard coded.

    If a customer needs the option to configure dynamic VPN, on any other port apart from 443, they have to contact the Juniper Accounts team to file an Enhancement Request.
0
 
ArneLoviusCommented:
How did you redirect the ports ?
0
 
deimarkCommented:
The web ports need to be 443 for pulse bud

we can redirect mgmt traffic to a different URL but 443 needs to stay
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
elit2007Author Commented:
I used destination nat to redirect 443 and 80 to a local Exchange server.
I used this command to change the management ports:

set system services web-management http port 8080
set system services web-management https port 10443
0
 
deimarkCommented:
Do you have more than 1 IP on the WAN?

If you have, redirect the mail traffic to the new IP and revert the mgmt traffic to 443 and set a new mgmt URL to allow mgmt and dynamic VPN traffic to the 443 port.

Pulse uses SSL technology to initiate the VPN and needs to be on 443 bud
0
 
ArneLoviusCommented:
can you post the output from "show system services web-management"
0
 
elit2007Author Commented:
I only got 1 public address available for this customer. And 443 need to be redirected to the Exchange server. I think I have to use NCP on the client computers and use standard IPSEC like I used to on SSG5?
0
 
deimarkCommented:
Not sure if NCP works on SRX bud as Pulse uses SSL.  The only remote access VN on SRX is for Pulse
0
 
ArneLoviusConnect With a Mentor Commented:
I can find no direct reference to pulse not running on a different port, but I can also find no reference to pulse working on a different port.

There is an indirect reference to it not working in the second post here http://www.juniperforum.com/index.php?topic=16961.0
0
 
deimarkCommented:
The post inst completely correct as we now have the ability to change the mgmt URL and mgmt port in Junos.

Pulse does indeed use 443 for VPN connections.
0
 
ArneLoviusCommented:
it looks however as if the port is embedded in other places as well

http://forums.juniper.net/t5/SSL-VPN/Change-SSL-port/td-p/22841
0
 
ArneLoviusCommented:
aha Juniper kb23720 looks good, but you need a login to access.
0
 
elit2007Author Commented:
Does anyone got a login to dowload kb23720? I suppose a lot of people are facing the same problem. So i really want to solve this problem :)
0
 
deimarkCommented:
so it would seem that for Pulse, you need port 443
0
 
ArneLoviusCommented:
I would guess that it is the DTLS component that is "hard wired" to port 443.

In your situation, you need a /29 instead of a single IP address...
0
 
elit2007Author Commented:
Thanks, than it's clear. 29 bit public address space or no dynamic VPN.
I think I exchange the SRX with a SSG5 for this customer. They are only 5 users so extra NCP license costs wil not be a problem. Thanks for all help!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.