How can I change the default port (443) of HTTPS on a MAG 2600 through the web management interface?
7.1R1 (build 17675)
Thanks in advance for your attention,
To the two people who replied: I'm sorry to say it, but your replies are really not smart!
So why would he/we want to do that? Here are a few examples:
- You don't want people who scan the whole internet to find that you have some sort of server running on port 443 and exploit some vulnerabilities.
- You just have one IP and port 443 is already taken by your web server.
Now, why would sshd, mail servers, web servers and a long list of other servers allow you to change the port, and not the MAG? Because the teams of developers of these services are stupid enough to spend time implementing this feature?
akriyosr: You can't change that port, at least in 7.1, 7.2 and 7.3 as far as I know.
Maybe because Juniper hired one of the guys who replied to you and they don't feel the need to have this kind of feature. A second reason would be that Juniper doesn't want to hear "it doesn't work" because the flows get filtered by firewalls.
I meant the client might be behind a firewall, and destination port 443 is almost always open behind corporate networks.
I also tried to DNAT a port (like 10443) to port 443 on the MAG, so you can get the first page on http://@IP:10443, but every time you use an HTTP link to the MAG it redirects you to a web page on port 443. So that way doesn't work either.
Anyway, it would be nice to hear a clever opinion from Juniper.
I am sorry our responses came across as stupid; I just haven't seen a use case where this would be beneficial yet (I've been supporting the appliance for almost 9 years). That's not to say it doesn't exist; just that it hasn't crossed my desk nor any of my colleagues'.
The servers you point out are ones in which multiple different ports make sense. And, as you pointed out, there could be a case made in which this would be beneficial on the MAG appliances.
What type of HTTP link are you referring to that fails: one from another web service that links to the login page that does not include the correct port, OR a link that is accessed through the rewriting engine? The former I would expect to fail, as the web server on the appliance only listens on 80 (to redirect to 443) and 443. The latter... I cannot think of a reason why this would fail; unfortunately, I just moved and my home lab is not yet set up for me to be able to test this.
I would recommend talking to your account team and asking them to put in an enhancement request for this. I do not know the feasibility of it from a product/testing/production standpoint; however, I can only see one request for this in the last 10 years or so of the product being in existence. While I would not expect it to happen soon, I could be wrong and it is always good to make the product team aware of the use cases in the real world.
An alternative, if your device is separated from the internet by a firewall, is to do port translation on your firewall, but if you do this, I'd definitely test everything before giving customers/clients access.
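A small pre-flight check for the port-translation approach discussed in this thread (the 10443 -> 443 DNAT that ended up redirected to port 443): this is an added example, not code from the thread or from Juniper. It parses a captured HTTP response and reports whether its Location header would pull the client off the translated port; the host name vpn.example.com, port 10443 and the sample responses are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit

# Ports a browser assumes when an absolute URL names none.
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_location(raw_response: bytes) -> Optional[str]:
    """Return the Location header of a raw HTTP response, or None if absent."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:        # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"location":
            return value.strip().decode("latin-1")
    return None


def redirect_stays_on_external_port(location: str, external_host: str,
                                    external_port: int) -> bool:
    """True if following `location` keeps the client on the translated port.

    A relative Location inherits the host:port the browser connected to, so it
    is fine. An absolute https URL without an explicit port means 443, which
    is exactly what breaks a 10443 -> 443 translation.
    """
    url = urlsplit(location)
    if not url.scheme and not url.netloc:
        return True
    port = url.port or DEFAULT_PORTS.get(url.scheme.lower())
    return (url.hostname or "").lower() == external_host.lower() and port == external_port


def check_response(raw_response: bytes, external_host: str, external_port: int) -> bool:
    """True when the response works through the translation: no redirect, or
    a redirect that keeps the external host and port."""
    location = parse_location(raw_response)
    if location is None:
        return True
    return redirect_stays_on_external_port(location, external_host, external_port)


# Constructed sample responses (hypothetical host, not captured from a real appliance).
REDIRECT_TO_443 = (b"HTTP/1.1 302 Found\r\n"
                   b"Location: https://vpn.example.com/login\r\n"
                   b"Content-Length: 0\r\n\r\n")
REDIRECT_RELATIVE = (b"HTTP/1.1 302 Found\r\n"
                     b"Location: /login\r\n"
                     b"Content-Length: 0\r\n\r\n")
```

Run `check_response(raw, external_host, external_port)` against responses captured from the translated port; any False result is a link that would strand clients on port 443 behind the firewall.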