cancel
Showing results for 
Search instead for 
Did you mean: 

Change SSL port

Highlighted
Occasional Contributor

Change SSL port

Hi all,

Can I change the default SSL port (443) to, let's say, 4443?

Regards,

Rui Cordeiro

21 REPLIES 21
Highlighted
Super Contributor

Re: Change SSL port

directly i do not think this can be done

well if this setup is in a real life production network than you have got to have a firewall infront of the public interface. So if you go to the firewall you can do a port MAP and say any one connecting to your public interface on port 4443 translate the port to 443 and send the traffic to juniper.

Highlighted
Occasional Contributor

Re: Change SSL port

Hi,

Thanks for your input.

I've already tried that because I have a SSG in front of the SA, but it didn't work. Gave some strange behaviour in the access...

Right now I have the SA working and I cannot do that much tests.

Thanks anyway, regards,

Rui Cordeiro

Highlighted
Valued Contributor

Re: Change SSL port

One other thought would be to use the virtual port capability to point users to a different port. Normally used for mapping to different URL's but may help you achieve your goal. Network / Internal or External Port / Virtual Port.

Highlighted
Super Contributor

Re: Change SSL port

I dont think virtual port is acutally a port it is a virtual IP address and there is no option, that i know of, to point that virtual IP to a different port.
Highlighted
Valued Contributor

Re: Change SSL port

Hey MrKool - you are of course 100% correct. I think my brain just misfired on that one!
Highlighted
Occasional Contributor

Re: Change SSL port

Hi all,

I would like to rise this issue again. Same problem. Tried to NAT a virtual port at the front FW

https://host.domain.com:8443 --> SSG-Firewall-NAT --> internal-IP-of-SA:443

The first request is working well and the certificate is loaded. Then the SA replies in the HTTP header to the client WITHOUT the virtual port 8443 and therefore the browser sends the next request to https://host.domain.com:443 which of course never arrives at the SA because it's not NATed at the firewall.

I had the idea to create a special sign-in policy for this: host.domain.com:8443/test But it did not solve the problem unfortunately.

I need to tell the SA to reply with :8443 in its headers to get this working. Did anybody configure the SA with port forwarding successfully?

Thanks!

Highlighted
Contributor

Re: Change SSL port

Out of curiosity, what is the need for this?
Highlighted
Occasional Contributor

Re: Change SSL port

If you have only one public IP and port 443 of this IP is already in use, you need to NAT to connect to a second server running internally on 443.

Highlighted
Contributor

Re: Change SSL port

I'm not sure how the SA is supposed to know you have a port translation in front of it... That's actually the point of a port translation, for the back end device not to know that it is being done.

To even have a chance for this to work you'd have to have an intelligent port translation in place, like a proxy firewall handling this.

Your best option is probably to contact JTAC support and verify that the default port isn't changeable, or attempting this with a proxy firewall handling your NAT.