Solved

SRX Dynamic VPN

Posted on 2013-01-30
16
1,533 Views
Last Modified: 2013-02-04
After redirecting the web ports to 10443 and 8080 on a SRX-100, dynamic vpn doesn't work anymore. I’m getting an error message in Pulse saying: Failed to initialize authentication
Need help!
Pulse.png
0
Comment
Question by:elit2007
  • 6
  • 6
  • 4
16 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38838016
How did you redirect the ports ?
0
 
LVL 18

Expert Comment

by:deimark
ID: 38838393
The web ports need to be 443 for pulse bud

we can redirect mgmt traffic to a different URL but 443 needs to stay
0
 
LVL 1

Author Comment

by:elit2007
ID: 38838438
I used destination nat to redirect 443 and 80 to a local Exchange server.
I used this command to change the management ports:

set system services web-management http port 8080
set system services web-management https port 10443
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 18

Expert Comment

by:deimark
ID: 38838471
Do you have more than 1 IP on the WAN?

If you have, redirect the mail traffic to the new IP and revert the mgmt traffic to 443 and set a new mgmt URL to allow mgmt and dynamic VPN traffic to the 443 port.

Pulse uses SSL technology to initiate the VPN and needs to be on 443 bud
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38838940
can you post the output from "show system services web-management"
0
 
LVL 1

Author Comment

by:elit2007
ID: 38849039
I only got 1 public address available for this customer. And 443 need to be redirected to the Exchange server. I think I have to use NCP on the client computers and use standard IPSEC like I used to on SSG5?
0
 
LVL 18

Expert Comment

by:deimark
ID: 38849230
Not sure if NCP works on SRX bud as Pulse uses SSL.  The only remote access VN on SRX is for Pulse
0
 
LVL 37

Assisted Solution

by:ArneLovius
ArneLovius earned 250 total points
ID: 38850708
I can find no direct reference to pulse not running on a different port, but I can also find no reference to pulse working on a different port.

There is an indirect reference to it not working in the second post here http://www.juniperforum.com/index.php?topic=16961.0
0
 
LVL 18

Expert Comment

by:deimark
ID: 38850715
The post inst completely correct as we now have the ability to change the mgmt URL and mgmt port in Junos.

Pulse does indeed use 443 for VPN connections.
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38850740
it looks however as if the port is embedded in other places as well

http://forums.juniper.net/t5/SSL-VPN/Change-SSL-port/td-p/22841
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38850743
aha Juniper kb23720 looks good, but you need a login to access.
0
 
LVL 1

Author Comment

by:elit2007
ID: 38851839
Does anyone got a login to dowload kb23720? I suppose a lot of people are facing the same problem. So i really want to solve this problem :)
0
 
LVL 18

Accepted Solution

by:
deimark earned 250 total points
ID: 38851932
Here is an extract


Summary:
This article provides information about the ports that can be used by Junos Pulse for dynamic VPN.

Problem or Goal:
 Can any other port, apart from 443, be configured for dynamic VPN?

Cause:
 

Solution:

    No other port can be configured for Dynamic-VPN (initial web-auth). For dynamic-VPN requests, the JSRX device has to listen on port 443.

    JSRX dynamic VPN clients (Akedia or Junos Pulse client) initiate a connection on port 443 for web-auth and when web-auth is passed, it starts the phase-1 negotiation and xauth process.

    The Junos Pulse or Akedia client does not have an option to configure the port, on which it has to send the request; it is hard coded.

    If a customer needs the option to configure dynamic VPN, on any other port apart from 443, they have to contact the Juniper Accounts team to file an Enhancement Request.
0
 
LVL 18

Expert Comment

by:deimark
ID: 38851940
so it would seem that for Pulse, you need port 443
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38852057
I would guess that it is the DTLS component that is "hard wired" to port 443.

In your situation, you need a /29 instead of a single IP address...
0
 
LVL 1

Author Comment

by:elit2007
ID: 38852095
Thanks, than it's clear. 29 bit public address space or no dynamic VPN.
I think I exchange the SRX with a SSG5 for this customer. They are only 5 users so extra NCP license costs wil not be a problem. Thanks for all help!
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now