Solved

SRX Dynamic VPN

Posted on 2013-01-30
16
1,552 Views
Last Modified: 2013-02-04
After redirecting the web ports to 10443 and 8080 on a SRX-100, dynamic vpn doesn't work anymore. I’m getting an error message in Pulse saying: Failed to initialize authentication
Need help!
Pulse.png
0
Comment
Question by:elit2007
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 6
  • 4
16 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38838016
How did you redirect the ports ?
0
 
LVL 18

Expert Comment

by:deimark
ID: 38838393
The web ports need to be 443 for pulse bud

we can redirect mgmt traffic to a different URL but 443 needs to stay
0
 
LVL 1

Author Comment

by:elit2007
ID: 38838438
I used destination nat to redirect 443 and 80 to a local Exchange server.
I used this command to change the management ports:

set system services web-management http port 8080
set system services web-management https port 10443
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 18

Expert Comment

by:deimark
ID: 38838471
Do you have more than 1 IP on the WAN?

If you have, redirect the mail traffic to the new IP and revert the mgmt traffic to 443 and set a new mgmt URL to allow mgmt and dynamic VPN traffic to the 443 port.

Pulse uses SSL technology to initiate the VPN and needs to be on 443 bud
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38838940
can you post the output from "show system services web-management"
0
 
LVL 1

Author Comment

by:elit2007
ID: 38849039
I only got 1 public address available for this customer. And 443 need to be redirected to the Exchange server. I think I have to use NCP on the client computers and use standard IPSEC like I used to on SSG5?
0
 
LVL 18

Expert Comment

by:deimark
ID: 38849230
Not sure if NCP works on SRX bud as Pulse uses SSL.  The only remote access VN on SRX is for Pulse
0
 
LVL 37

Assisted Solution

by:ArneLovius
ArneLovius earned 250 total points
ID: 38850708
I can find no direct reference to pulse not running on a different port, but I can also find no reference to pulse working on a different port.

There is an indirect reference to it not working in the second post here http://www.juniperforum.com/index.php?topic=16961.0
0
 
LVL 18

Expert Comment

by:deimark
ID: 38850715
The post inst completely correct as we now have the ability to change the mgmt URL and mgmt port in Junos.

Pulse does indeed use 443 for VPN connections.
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38850740
it looks however as if the port is embedded in other places as well

http://forums.juniper.net/t5/SSL-VPN/Change-SSL-port/td-p/22841
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38850743
aha Juniper kb23720 looks good, but you need a login to access.
0
 
LVL 1

Author Comment

by:elit2007
ID: 38851839
Does anyone got a login to dowload kb23720? I suppose a lot of people are facing the same problem. So i really want to solve this problem :)
0
 
LVL 18

Accepted Solution

by:
deimark earned 250 total points
ID: 38851932
Here is an extract


Summary:
This article provides information about the ports that can be used by Junos Pulse for dynamic VPN.

Problem or Goal:
 Can any other port, apart from 443, be configured for dynamic VPN?

Cause:
 

Solution:

    No other port can be configured for Dynamic-VPN (initial web-auth). For dynamic-VPN requests, the JSRX device has to listen on port 443.

    JSRX dynamic VPN clients (Akedia or Junos Pulse client) initiate a connection on port 443 for web-auth and when web-auth is passed, it starts the phase-1 negotiation and xauth process.

    The Junos Pulse or Akedia client does not have an option to configure the port, on which it has to send the request; it is hard coded.

    If a customer needs the option to configure dynamic VPN, on any other port apart from 443, they have to contact the Juniper Accounts team to file an Enhancement Request.
0
 
LVL 18

Expert Comment

by:deimark
ID: 38851940
so it would seem that for Pulse, you need port 443
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38852057
I would guess that it is the DTLS component that is "hard wired" to port 443.

In your situation, you need a /29 instead of a single IP address...
0
 
LVL 1

Author Comment

by:elit2007
ID: 38852095
Thanks, than it's clear. 29 bit public address space or no dynamic VPN.
I think I exchange the SRX with a SSG5 for this customer. They are only 5 users so extra NCP license costs wil not be a problem. Thanks for all help!
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Using in-flight Wi-Fi when you travel? Business travelers beware! In-flight Wi-Fi networks could rip the door right off your digital privacy portal. That’s no joke either, as it might also provide a convenient entrance for bad threat actors.
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question