?
Solved

SRX Dynamic VPN

Posted on 2013-01-30
16
Medium Priority
?
1,590 Views
Last Modified: 2013-02-04
After redirecting the web ports to 10443 and 8080 on a SRX-100, dynamic vpn doesn't work anymore. I’m getting an error message in Pulse saying: Failed to initialize authentication
Need help!
Pulse.png
0
Comment
Question by:elit2007
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 6
  • 4
16 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38838016
How did you redirect the ports ?
0
 
LVL 18

Expert Comment

by:deimark
ID: 38838393
The web ports need to be 443 for pulse bud

we can redirect mgmt traffic to a different URL but 443 needs to stay
0
 
LVL 1

Author Comment

by:elit2007
ID: 38838438
I used destination nat to redirect 443 and 80 to a local Exchange server.
I used this command to change the management ports:

set system services web-management http port 8080
set system services web-management https port 10443
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 18

Expert Comment

by:deimark
ID: 38838471
Do you have more than 1 IP on the WAN?

If you have, redirect the mail traffic to the new IP and revert the mgmt traffic to 443 and set a new mgmt URL to allow mgmt and dynamic VPN traffic to the 443 port.

Pulse uses SSL technology to initiate the VPN and needs to be on 443 bud
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38838940
can you post the output from "show system services web-management"
0
 
LVL 1

Author Comment

by:elit2007
ID: 38849039
I only got 1 public address available for this customer. And 443 need to be redirected to the Exchange server. I think I have to use NCP on the client computers and use standard IPSEC like I used to on SSG5?
0
 
LVL 18

Expert Comment

by:deimark
ID: 38849230
Not sure if NCP works on SRX bud as Pulse uses SSL.  The only remote access VN on SRX is for Pulse
0
 
LVL 37

Assisted Solution

by:ArneLovius
ArneLovius earned 1000 total points
ID: 38850708
I can find no direct reference to pulse not running on a different port, but I can also find no reference to pulse working on a different port.

There is an indirect reference to it not working in the second post here http://www.juniperforum.com/index.php?topic=16961.0
0
 
LVL 18

Expert Comment

by:deimark
ID: 38850715
The post inst completely correct as we now have the ability to change the mgmt URL and mgmt port in Junos.

Pulse does indeed use 443 for VPN connections.
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38850740
it looks however as if the port is embedded in other places as well

http://forums.juniper.net/t5/SSL-VPN/Change-SSL-port/td-p/22841
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38850743
aha Juniper kb23720 looks good, but you need a login to access.
0
 
LVL 1

Author Comment

by:elit2007
ID: 38851839
Does anyone got a login to dowload kb23720? I suppose a lot of people are facing the same problem. So i really want to solve this problem :)
0
 
LVL 18

Accepted Solution

by:
deimark earned 1000 total points
ID: 38851932
Here is an extract


Summary:
This article provides information about the ports that can be used by Junos Pulse for dynamic VPN.

Problem or Goal:
 Can any other port, apart from 443, be configured for dynamic VPN?

Cause:
 

Solution:

    No other port can be configured for Dynamic-VPN (initial web-auth). For dynamic-VPN requests, the JSRX device has to listen on port 443.

    JSRX dynamic VPN clients (Akedia or Junos Pulse client) initiate a connection on port 443 for web-auth and when web-auth is passed, it starts the phase-1 negotiation and xauth process.

    The Junos Pulse or Akedia client does not have an option to configure the port, on which it has to send the request; it is hard coded.

    If a customer needs the option to configure dynamic VPN, on any other port apart from 443, they have to contact the Juniper Accounts team to file an Enhancement Request.
0
 
LVL 18

Expert Comment

by:deimark
ID: 38851940
so it would seem that for Pulse, you need port 443
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38852057
I would guess that it is the DTLS component that is "hard wired" to port 443.

In your situation, you need a /29 instead of a single IP address...
0
 
LVL 1

Author Comment

by:elit2007
ID: 38852095
Thanks, than it's clear. 29 bit public address space or no dynamic VPN.
I think I exchange the SRX with a SSG5 for this customer. They are only 5 users so extra NCP license costs wil not be a problem. Thanks for all help!
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question