
Change SSL port

cordas_
Occasional Contributor

Change SSL port

Hi all,

Can I change the default SSL port (443) to, let's say, 4443?

Regards,

Rui Cordeiro

21 REPLIES
Mrkool_
Super Contributor

Re: Change SSL port

Directly, I do not think this can be done.

Well, if this setup is in a real-life production network then you have got to have a firewall in front of the public interface. So if you go to the firewall you can do a port map and say anyone connecting to your public interface on port 4443, translate the port to 443 and send the traffic to the Juniper.

cordas_
Occasional Contributor

Re: Change SSL port

Hi,

Thanks for your input.

I've already tried that because I have an SSG in front of the SA, but it didn't work. It gave some strange behaviour in the access...

Right now I have the SA working and I cannot do that many tests.

Thanks anyway, regards,

Rui Cordeiro

muttbarker_
Valued Contributor

Re: Change SSL port

One other thought would be to use the virtual port capability to point users to a different port. It is normally used for mapping to different URLs, but it may help you achieve your goal. Network / Internal or External Port / Virtual Port.

Mrkool_
Super Contributor

Re: Change SSL port

I don't think a virtual port is actually a port; it is a virtual IP address, and there is no option, that I know of, to point that virtual IP to a different port.

muttbarker_
Valued Contributor

Re: Change SSL port

Hey MrKool - you are of course 100% correct. I think my brain just misfired on that one!

bergbock_
Occasional Contributor

Re: Change SSL port

Hi all,

I would like to raise this issue again. Same problem. I tried to NAT a virtual port at the front FW:

https://host.domain.com:8443 --> SSG-Firewall-NAT --> internal-IP-of-SA:443

The first request is working well and the certificate is loaded. Then the SA replies in the HTTP header to the client WITHOUT the virtual port 8443 and therefore the browser sends the next request to https://host.domain.com:443 which of course never arrives at the SA because it's not NATed at the firewall.

I had the idea to create a special sign-in policy for this: host.domain.com:8443/test. But it did not solve the problem, unfortunately.

I need to tell the SA to reply with :8443 in its headers to get this working. Did anybody configure the SA with port forwarding successfully?

Thanks!

mkelly_uwyo_
Contributor

Re: Change SSL port

Out of curiosity, what is the need for this?

bergbock_
Occasional Contributor

Re: Change SSL port

If you have only one public IP and port 443 of this IP is already in use, you need to NAT to connect to a second server running internally on 443.

rcallanan_
Contributor

Re: Change SSL port

I'm not sure how the SA is supposed to know you have a port translation in front of it... That's actually the point of a port translation, for the back end device not to know that it is being done.

To even have a chance for this to work you'd have to have an intelligent port translation in place, like a proxy firewall handling this.

Your best option is probably to contact JTAC support and verify that the default port isn't changeable, or to attempt this with a proxy firewall handling your NAT.
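As an added example (not from the thread, Juniper or the SA itself), the following Python checks a captured SA response for the exact failure bergbock describes, an absolute redirect that drops the external port 8443, and shows the Location rewrite an application-aware proxy in front of the SA would have to perform; the internal address, the sample response and all function names are constructed assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

EXTERNAL_HOST = "host.domain.com"   # public name used in the thread
EXTERNAL_PORT = 8443                # virtual port NATed at the SSG
INTERNAL_HOST = "10.0.0.10"         # constructed placeholder for the SA's internal IP

# Constructed sample: the SA answers a 302 with an absolute URL and no port,
# so the browser follows it to https://host.domain.com:443, which the firewall
# never forwards to the SA.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://host.domain.com/test\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Turn a raw HTTP response head (status line plus headers) into a dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def redirect_preserves_port(raw, external_port):
    """True if a redirect keeps the external port (relative URLs also keep it,
    because the browser reuses the host:port it connected to)."""
    loc = parse_headers(raw).get("location")
    if loc is None:
        return True             # not a redirect, nothing to lose
    parts = urlsplit(loc)
    if not parts.netloc:
        return True             # relative redirect
    return parts.port == external_port


def rewrite_location(loc, backend_hosts, external_host, external_port):
    """Rewrite an absolute https redirect that names the SA (by its public or
    internal name) to the external host:port, as a proxy firewall would."""
    parts = urlsplit(loc)
    if parts.scheme != "https" or parts.hostname not in backend_hosts:
        return loc              # leave foreign or non-TLS redirects untouched
    netloc = external_host if external_port == 443 else f"{external_host}:{external_port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
```

Running `redirect_preserves_port(SAMPLE_RESPONSE, 8443)` against a real capture is a quick way to confirm that the SA, not the NAT rule, is what breaks the second request.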