elit2007
asked on
SRX Dynamic VPN
After redirecting the web ports to 10443 and 8080 on an SRX-100, dynamic VPN doesn't work anymore. I’m getting an error message in Pulse saying: Failed to initialize authentication
Need help!
How did you redirect the ports?
The web ports need to be 443 for Pulse, bud.
We can redirect mgmt traffic to a different URL, but 443 needs to stay.
ASKER
I used destination NAT to redirect 443 and 80 to a local Exchange server.
I used this command to change the management ports:
set system services web-management http port 8080
set system services web-management https port 10443
Do you have more than 1 IP on the WAN?
If you have, redirect the mail traffic to the new IP and revert the mgmt traffic to 443 and set a new mgmt URL to allow mgmt and dynamic VPN traffic to the 443 port.
Pulse uses SSL technology to initiate the VPN and needs to be on 443, bud.
Can you post the output from "show system services web-management"?
ASKER
I only have 1 public address available for this customer. And 443 needs to be redirected to the Exchange server. I think I have to use NCP on the client computers and use standard IPSEC like I used to on SSG5?
Not sure if NCP works on SRX, bud, as Pulse uses SSL. The only remote access VPN on SRX is for Pulse.
The post isn't completely correct, as we now have the ability to change the mgmt URL and mgmt port in Junos.
Pulse does indeed use 443 for VPN connections.
It looks, however, as if the port is embedded in other places as well:
http://forums.juniper.net/t5/SSL-VPN/Change-SSL-port/td-p/22841
Aha, Juniper kb23720 looks good, but you need a login to access it.
ASKER
Does anyone have a login to download kb23720? I suppose a lot of people are facing the same problem. So I really want to solve this problem :)
So it would seem that for Pulse, you need port 443.
I would guess that it is the DTLS component that is "hard wired" to port 443.
In your situation, you need a /29 instead of a single IP address...
ASKER
Thanks, then it's clear. 29 bit public address space or no dynamic VPN.
I think I will exchange the SRX for an SSG5 for this customer. They are only 5 users, so extra NCP license costs will not be a problem. Thanks for all the help!