Community Talk

IMPORTANT MODERATION NOTICE

This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.

  • 1.  juniper SA 2500 to modify the port 443

    Posted 07-04-2021 08:20

    The company needs to change the external port of ssl vpn to a port other than 443 for some reasons. I changed the external port of the firewall policy to 4430. The external network cannot open the ssl vpn login interface. The external port of the firewall policy must be port 443 to open the ssl vpn login interface. I can't find the relevant information on the official website. Has anyone encountered the same problem?



    ------------------------------
    yongjie ren
    ------------------------------


  • 2.  RE: juniper SA 2500 to modify the port 443

     
    Posted 07-04-2021 12:04
    Are you looking to do port translation on your firewall where you get a request on tcp port 4430 and convert that to a tcp 443 request that goes on to the SR 2500?

    Or do you need to change the SA 2500 to accept that request on port tcp 4430 instead of tcp 443?
    I am pretty sure this is not supported.  You can change the ESP port to a custom one, but I don't think changing the SSL port is even supported in current versions with Pulse Secure much less the old SA2500 boxes.

    I also do not think you can change the port used by the client software used with SA2500 so this would only work with web browser based connections and not client based ones in either case for the forwarding option.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: juniper SA 2500 to modify the port 443

    Posted 07-05-2021 09:41
    Hello Spruka
    Thank you for answering my question
    Just use the web page to log in, there is no client software used together. I performed port conversion on the firewall. The request of TCP port 4430 is received, converted into TCP 443 request, and then forwarded to SA 2500. But unsuccessful, unable to open the ssl vpn web login page. Is the device unable to modify the port?

    ------------------------------
    yongjie ren
    ------------------------------



  • 4.  RE: juniper SA 2500 to modify the port 443

     
    Posted 07-05-2021 20:20
    Thanks for the additional details.

    There are no changes needed then for this to work on the SA2500.  So the issue will be with the firewall port forwarding operations changes.

    What is the firewall model and configuration to review?
    With the SRX you will need to use both a destination nat rule for the port forward and change and also a security policy to permit the traffic.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: juniper SA 2500 to modify the port 443

    Posted 07-05-2021 22:15
    Thanks for your answer

    I use Fortinet's 100D  firewall, which uses PAT port conversion and a security policy that allows traffic. The ip address service port 443 of SA 2500 in the local area network is converted to the ISP’s ip address service port 4430 on the external network and the security policy that allows traffic is turned on. When I open the web login interface of ssl vpn, the firewall can see an increase in the number of sessions, but the web page cannot be opened normally. When I try to change the service port of the external network to 443, the web login interface of ssl vpn can be opened normally.
    ------------------------------
    yongjie ren
    ------------------------------