Solved

SRX Dynamic VPN

Posted on 2013-01-30
16
1,540 Views
Last Modified: 2013-02-04
After redirecting the web ports to 10443 and 8080 on a SRX-100, dynamic vpn doesn't work anymore. I’m getting an error message in Pulse saying: Failed to initialize authentication
Need help!
Pulse.png
0
Comment
Question by:elit2007
  • 6
  • 6
  • 4
16 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38838016
How did you redirect the ports ?
0
 
LVL 18

Expert Comment

by:deimark
ID: 38838393
The web ports need to be 443 for pulse bud

we can redirect mgmt traffic to a different URL but 443 needs to stay
0
 
LVL 1

Author Comment

by:elit2007
ID: 38838438
I used destination nat to redirect 443 and 80 to a local Exchange server.
I used this command to change the management ports:

set system services web-management http port 8080
set system services web-management https port 10443
0
Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

 
LVL 18

Expert Comment

by:deimark
ID: 38838471
Do you have more than 1 IP on the WAN?

If you have, redirect the mail traffic to the new IP and revert the mgmt traffic to 443 and set a new mgmt URL to allow mgmt and dynamic VPN traffic to the 443 port.

Pulse uses SSL technology to initiate the VPN and needs to be on 443 bud
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38838940
can you post the output from "show system services web-management"
0
 
LVL 1

Author Comment

by:elit2007
ID: 38849039
I only got 1 public address available for this customer. And 443 need to be redirected to the Exchange server. I think I have to use NCP on the client computers and use standard IPSEC like I used to on SSG5?
0
 
LVL 18

Expert Comment

by:deimark
ID: 38849230
Not sure if NCP works on SRX bud as Pulse uses SSL.  The only remote access VN on SRX is for Pulse
0
 
LVL 37

Assisted Solution

by:ArneLovius
ArneLovius earned 250 total points
ID: 38850708
I can find no direct reference to pulse not running on a different port, but I can also find no reference to pulse working on a different port.

There is an indirect reference to it not working in the second post here http://www.juniperforum.com/index.php?topic=16961.0
0
 
LVL 18

Expert Comment

by:deimark
ID: 38850715
The post inst completely correct as we now have the ability to change the mgmt URL and mgmt port in Junos.

Pulse does indeed use 443 for VPN connections.
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38850740
it looks however as if the port is embedded in other places as well

http://forums.juniper.net/t5/SSL-VPN/Change-SSL-port/td-p/22841
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38850743
aha Juniper kb23720 looks good, but you need a login to access.
0
 
LVL 1

Author Comment

by:elit2007
ID: 38851839
Does anyone got a login to dowload kb23720? I suppose a lot of people are facing the same problem. So i really want to solve this problem :)
0
 
LVL 18

Accepted Solution

by:
deimark earned 250 total points
ID: 38851932
Here is an extract


Summary:
This article provides information about the ports that can be used by Junos Pulse for dynamic VPN.

Problem or Goal:
 Can any other port, apart from 443, be configured for dynamic VPN?

Cause:
 

Solution:

    No other port can be configured for Dynamic-VPN (initial web-auth). For dynamic-VPN requests, the JSRX device has to listen on port 443.

    JSRX dynamic VPN clients (Akedia or Junos Pulse client) initiate a connection on port 443 for web-auth and when web-auth is passed, it starts the phase-1 negotiation and xauth process.

    The Junos Pulse or Akedia client does not have an option to configure the port, on which it has to send the request; it is hard coded.

    If a customer needs the option to configure dynamic VPN, on any other port apart from 443, they have to contact the Juniper Accounts team to file an Enhancement Request.
0
 
LVL 18

Expert Comment

by:deimark
ID: 38851940
so it would seem that for Pulse, you need port 443
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38852057
I would guess that it is the DTLS component that is "hard wired" to port 443.

In your situation, you need a /29 instead of a single IP address...
0
 
LVL 1

Author Comment

by:elit2007
ID: 38852095
Thanks, than it's clear. 29 bit public address space or no dynamic VPN.
I think I exchange the SRX with a SSG5 for this customer. They are only 5 users so extra NCP license costs wil not be a problem. Thanks for all help!
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

792 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question