directly i do not think this can be done

well if this setup is in a real life production network than you have got to have a firewall infront of the public interface. So if you go to the firewall you can do a port MAP and say any one connecting to your public interface on port 4443 translate the port to 443 and send the traffic to juniper.

Hi,

Thanks for your input.

I've already tried that because I have a SSG in front of the SA, but it didn't work. Gave some strange behaviour in the access...

Right now I have the SA working and I cannot do that much tests.

Thanks anyway, regards,

Rui Cordeiro

One other thought would be to use the virtual port capability to point users to a different port. Normally used for mapping to different URL's but may help you achieve your goal. Network / Internal or External Port / Virtual Port.

Hi all,

I would like to rise this issue again. Same problem. Tried to NAT a virtual port at the front FW

https://host.domain.com:8443 --> SSG-Firewall-NAT --> internal-IP-of-SA:443

The first request is working well and the certificate is loaded. Then the SA replies in the HTTP header to the client WITHOUT the virtual port 8443 and therefore the browser sends the next request to https://host.domain.com:443 which of course never arrives at the SA because it's not NATed at the firewall.

I had the idea to create a special sign-in policy for this: host.domain.com:8443/test But it did not solve the problem unfortunately.

I need to tell the SA to reply with :8443 in its headers to get this working. Did anybody configure the SA with port forwarding successfully?

Thanks!

If you have only one public IP and port 443 of this IP is already in use, you need to NAT to connect to a second server running internally on 443.

I'm not sure how the SA is supposed to know you have a port translation in front of it... That's actually the point of a port translation, for the back end device not to know that it is being done.

To even have a chance for this to work you'd have to have an intelligent port translation in place, like a proxy firewall handling this.

Your best option is probably to contact JTAC support and verify that the default port isn't changeable, or attempting this with a proxy firewall handling your NAT.