
Junos Pulse SSL VPN

SOLVED
Gunner247_
New Contributor

Junos Pulse SSL VPN

Hello!

Using the Junos Pulse client to connect to a Juniper MAG, which ports does it use to connect and create a tunnel? I am trying to create a tunnel from one private network to another which goes through a FW.

Currently you can connect to the MAG on 443 and it loads the web page and you can log in fine. However, when using the client it complains that 'Unable to communicate with the server'.

Many Thanks,

Nick

1 ACCEPTED SOLUTION

Accepted Solutions
spuluka
Super Contributor

Re: Junos Pulse SSL VPN

I think there are two areas to look into on the firewall.

Port forwarding

If you are using policy-based destination NAT, be sure to add the UDP 4500 port to your rule so this is also forwarded.

If you are using a VIP on the interface, then create multiple VIP objects to forward both SSL and UDP 4500.

Security Policy

Once connected, do your pool addresses have security policies that permit access to the hosts? Check the logging on your deny policies to see what the traffic may be hitting.

On the SSL VPN appliance

Do you have the pool set up and assigned to the role?

Do you have the tunneling options configured for the role?

Are there ACLs attached to the role?

Is the Pulse connection option enabled on the role?

Steve Puluka BSEET - IP Architect - DQE Communications Pittsburgh, PA (Metro-Ethernet & ISP) - http://puluka.com/home


7 REPLIES
MarcTB_
Occasional Contributor

Re: Junos Pulse SSL VPN

Hi,

You need to open port 500 UDP.

spuluka
Super Contributor

Re: Junos Pulse SSL VPN

The port needed for ESP with a dynamic IP address is UDP 4500. UDP 500 is the port used for tunnels between two statically addressed peers.

You can see the details of the DMZ setup and port rules in KB10162:

http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB10162

Steve Puluka BSEET - IP Architect - DQE Communications Pittsburgh, PA (Metro-Ethernet & ISP) - http://puluka.com/home
ruc_
Regular Contributor

Re: Junos Pulse SSL VPN

If you are able to connect from a browser (on the same machine) then the Pulse client should work (at least in TLS mode) without any further firewall changes (though ESP mode is recommended for better throughput performance).

In the past I have seen this 'Unable to communicate with the server' issue due to the reasons below:

1. A security program on the client that allows the browser to make outgoing TCP port 443 connections but does not allow the Pulse client to do so.

2. Incorrectly entering the server URL field in the Pulse client (the recommended format is https://mag-dns-hostname/ or a special sign-in URL if you are not using the default, for example https://mag-dns-hostname/contractors).

3. Proxy settings in the client browser that the Pulse client is unable to interpret and apply correctly.


MarcTB_
Occasional Contributor

Re: Junos Pulse SSL VPN

@spuluka wrote:

> The port needed for ESP with a dynamic IP address is UDP 4500. UDP 500 is the port used for tunnels between two statically addressed peers.
>
> You can see the details of the DMZ setup and port rules in KB10162:
>
> http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB10162

Yes, you are right @spuluka! Thanks for correcting me!

braker_
Frequent Contributor

Re: Junos Pulse SSL VPN

While UDP 4500 is the default for ESP mode, the setting can be changed and ESP can be disabled entirely. Also, when using ESP, SSL fallback can be enabled or disabled.

It is always best to check the actual VPN connection profile(s) to ensure firewall rules are properly aligned with your specific deployment.
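The two checks the accepted answer and the reply above describe (derive the ports the firewall must forward from the connection profile's actual ESP/SSL-fallback settings, then read the deny-policy logs to see what the client or the pool addresses are hitting) can be scripted. The example below is added here and is not code from the thread, from Juniper or from Pulse Secure. The `PulseProfile` fields, the gateway address, the pool subnet and the log lines are all constructed placeholders; the log lines only approximate a key=value firewall traffic-log format, so adapt `parse_log_line` to your device's real syslog layout.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# IP protocol numbers as they appear in traffic logs.
PROTO_NAMES = {"6": "tcp", "17": "udp"}


@dataclass(frozen=True)
class PulseProfile:
    """Hypothetical model of a Pulse connection profile (assumed fields)."""
    esp_enabled: bool = True      # ESP transport on/off
    esp_port: int = 4500          # default, but changeable in the profile
    ssl_fallback: bool = True     # fall back to TLS if ESP is blocked
    pool: str = "10.200.0.0/24"   # constructed client address pool


def required_services(profile):
    """Services the firewall must forward to the gateway for this profile."""
    needed = {("tcp", 443)}       # login and control channel are always TLS
    if profile.esp_enabled:
        needed.add(("udp", profile.esp_port))
    return needed


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    """Turn 'key=value key="quoted value"' text into a dict."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def analyse_denies(lines, profile, gateway_ip):
    """Split deny entries into (blocked gateway services, blocked pool flows)."""
    pool = ip_network(profile.pool)
    gw = ip_address(gateway_ip)
    needed = required_services(profile)
    blocked_gateway, blocked_pool = set(), []
    for line in lines:
        f = parse_log_line(line)
        if f.get("action", "").lower() != "deny":
            continue
        proto = PROTO_NAMES.get(f.get("proto", ""), f.get("proto", ""))
        try:
            src, dst = ip_address(f["src"]), ip_address(f["dst"])
            port = int(f["dst_port"])
        except (KeyError, ValueError):
            continue                      # malformed or unrelated entry
        if dst == gw and (proto, port) in needed:
            blocked_gateway.add((proto, port))   # forwarding rule missing
        elif src in pool:
            blocked_pool.append((str(src), str(dst), proto, port))
    return blocked_gateway, blocked_pool


def findings(lines, profile, gateway_ip):
    """Human-readable list of what to fix, one entry per problem."""
    out = []
    gw_blocked, pool_blocked = analyse_denies(lines, profile, gateway_ip)
    for proto, port in sorted(gw_blocked):
        if proto == "udp" and profile.esp_enabled:
            effect = "falls back to TLS" if profile.ssl_fallback else "tunnel fails"
            out.append(f"{proto}/{port} to gateway denied: ESP transport blocked ({effect})")
        else:
            out.append(f"{proto}/{port} to gateway denied: client cannot reach the login page")
    for src, dst, proto, port in pool_blocked:
        out.append(f"pool client {src} denied to {dst} {proto}/{port}: add a permit policy for the pool")
    return out


# Constructed sample deny/permit entries; 198.51.100.10 is the gateway's
# public (VIP / destination-NAT) address, 10.200.0.0/24 the client pool.
SAMPLE_DENY_LOG = [
    "policy_id=320001 proto=17 src zone=Untrust dst zone=Trust action=Deny "
    "src=203.0.113.5 dst=198.51.100.10 src_port=4500 dst_port=4500",
    "policy_id=320001 proto=6 src zone=Trust dst zone=Trust action=Deny "
    "src=10.200.0.15 dst=10.1.1.50 src_port=51234 dst_port=445",
    "policy_id=12 proto=6 src zone=Untrust dst zone=Trust action=Permit "
    "src=203.0.113.5 dst=198.51.100.10 src_port=51000 dst_port=443",
    "policy_id=320001 proto=17 src zone=Untrust dst zone=Trust action=Deny "
    "src=203.0.113.9 dst=198.51.100.10 src_port=5353 dst_port=5353",
]

if __name__ == "__main__":
    for line in findings(SAMPLE_DENY_LOG, PulseProfile(), "198.51.100.10"):
        print(line)
```

Run against the constructed log with the default profile, it reports the blocked UDP 4500 to the gateway (noting that the client will fall back to TLS) and the pool client 10.200.0.15 being denied to a LAN host; with `ssl_fallback=False` the same UDP finding is reported as a hard tunnel failure, which is the case the second post describes. The TCP 443 permit entry and the unrelated UDP 5353 deny are ignored.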

Gunner247_
New Contributor

Re: Junos Pulse SSL VPN

Thanks for the advice, I can now connect and authenticate with the MAG OK.

However, the connection goes through authentication and looks to connect OK, but it doesn't create a tunnel and the LAN segments cannot be contacted...

It is a bit of a strange setup and I had to put some destination NAT on the interface of an SSG550 to forward traffic on 443 to the MAG, which is on the LAN connected to another interface on the SSG550.

Is there anything else I will need to allow or change to get the tunnel and traffic to be able to flow?
