elit2007 asked:
SRX Dynamic VPN

After redirecting the web ports to 10443 and 8080 on an SRX-100, dynamic VPN doesn't work anymore. I'm getting an error message in Pulse saying "Failed to initialize authentication".
Need help!
[Attachment: Pulse.png]
ArneLovius:

How did you redirect the ports?
The web ports need to be 443 for Pulse, bud.

We can redirect mgmt traffic to a different URL, but 443 needs to stay.
elit2007 (asker):
I used destination NAT to redirect 443 and 80 to a local Exchange server.
I used these commands to change the management ports:

set system services web-management http port 8080
set system services web-management https port 10443
Do you have more than 1 IP on the WAN?

If you have, redirect the mail traffic to the new IP and revert the mgmt traffic to 443 and set a new mgmt URL to allow mgmt and dynamic VPN traffic to the 443 port.

Pulse uses SSL technology to initiate the VPN and needs to be on 443, bud.
Can you post the output from "show system services web-management"?
I only have one public address available for this customer, and 443 needs to be redirected to the Exchange server. I think I have to use NCP on the client computers and use standard IPsec like I used to on the SSG5?
Not sure if NCP works on SRX, bud, as Pulse uses SSL. The only remote access VPN on SRX is for Pulse.
SOLUTION (ArneLovius): [members-only content not shown]
The post isn't completely correct, as we now have the ability to change the mgmt URL and mgmt port in Junos.

Pulse does indeed use 443 for VPN connections.
It looks, however, as if the port is embedded in other places as well:

http://forums.juniper.net/t5/SSL-VPN/Change-SSL-port/td-p/22841
Aha, Juniper KB23720 looks good, but you need a login to access it.
Does anyone have a login to download KB23720? I suppose a lot of people are facing the same problem, so I really want to solve it :)
ASKER CERTIFIED SOLUTION: [members-only content not shown]
So it would seem that, for Pulse, you need port 443.
I would guess that it is the DTLS component that is "hard wired" to port 443.

In your situation, you need a /29 instead of a single IP address...
Thanks, then it's clear: a /29 of public address space or no dynamic VPN.
I think I'll swap the SRX for an SSG5 for this customer. They are only 5 users, so the extra NCP license costs will not be a problem. Thanks for all the help!
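The two situations discussed in this thread (the asker's single-IP setup where destination NAT claims port 443, and the /29 fix suggested above) laid out as Junos set-commands. This is an added illustration, not the asker's actual configuration or anything from Juniper: the public addresses 203.0.113.2 and 203.0.113.3, the Exchange address 192.168.1.10, the untrust interface fe-0/0/0.0 and the pool/rule names are all assumed. The `##` lines are annotations; strip them before pasting into the CLI.

```junos
## Added illustration, not the poster's configuration. Assumed values:
##   203.0.113.2  = the single public IP on the SRX untrust interface (fe-0/0/0.0)
##   192.168.1.10 = the internal Exchange server

## --- Single public IP, as described in the thread: the conflict ---
## Management moved off 443/80 ...
set system services web-management http port 8080
set system services web-management https port 10443
set system services web-management https system-generated-certificate
set system services web-management https interface fe-0/0/0.0

## ... and destination NAT sends every inbound 443/80 hit on the public IP to Exchange.
set security nat destination pool exchange-https address 192.168.1.10/32 port 443
set security nat destination pool exchange-http address 192.168.1.10/32 port 80
set security nat destination rule-set from-untrust from zone untrust
set security nat destination rule-set from-untrust rule exch-https match destination-address 203.0.113.2/32
set security nat destination rule-set from-untrust rule exch-https match destination-port 443
set security nat destination rule-set from-untrust rule exch-https then destination-nat pool exchange-https
set security nat destination rule-set from-untrust rule exch-http match destination-address 203.0.113.2/32
set security nat destination rule-set from-untrust rule exch-http match destination-port 80
set security nat destination rule-set from-untrust rule exch-http then destination-nat pool exchange-http
## Pulse initiates the dynamic VPN over SSL to 203.0.113.2 on TCP 443 (the port the
## thread says it requires). That session matches rule exch-https and is forwarded to
## Exchange instead of terminating on the SRX, so the client never reaches the
## authentication step.

## --- With a /29, as suggested in the thread: keep 443 on the SRX's own address ---
## Put Exchange behind a second public address and match only that address in the NAT
## rules, leaving 203.0.113.2:443 for Pulse. Revert HTTPS management to 443 and move the
## management pages to a dedicated URL so they do not collide with the VPN.
delete security nat destination rule-set from-untrust rule exch-https match destination-address 203.0.113.2/32
delete security nat destination rule-set from-untrust rule exch-http match destination-address 203.0.113.2/32
set security nat destination rule-set from-untrust rule exch-https match destination-address 203.0.113.3/32
set security nat destination rule-set from-untrust rule exch-http match destination-address 203.0.113.3/32
## The SRX must answer ARP for the extra address or upstream traffic never arrives.
set security nat proxy-arp interface fe-0/0/0.0 address 203.0.113.3/32
set system services web-management https port 443
set system services web-management management-url mgmt
```

To confirm which side is winning the port, `show security nat destination rule all` shows hit counts per rule, and `show security flow session destination-port 443` shows whether inbound 443 sessions are being translated to 192.168.1.10 or terminating on the SRX itself.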