SA 4000 - Outbound ports

mnauta_
New Contributor

I am working on egress filtering at our border router and need to know what ports or port ranges the SA 4000 needs for outbound connections. I would have expected that just allowing all previously established inbound connections would do the trick, but it doesn't. It seems as though a new session is initiated from the Juniper VPN to the client on a random port above 1024. Without doing a full packet capture, this is the best description I can come up with. Any help would be greatly appreciated.
6 replies
muttbarker_
Valued Contributor

Re: SA 4000 - Outbound ports

Are you talking basic SSL connectivity or VPN via Network Connect? NC uses UDP port 4500 for ESP connections.
mnauta_
New Contributor

Re: SA 4000 - Outbound ports

Thanks for the reply muttbarker, I was just getting ready to update my post with this information. I did verify this is only regarding connectivity via Network Connect.
mnauta_
New Contributor

Re: SA 4000 - Outbound ports

I forgot to mention this in my last post, but I am allowing UDP 4500 outbound from the Juniper box.
muttbarker_
Valued Contributor

Re: SA 4000 - Outbound ports

FYI - I just initiated a network connection session on a PC into my SSL box through my Juniper SSG20 firewall. When I did a flow capture on the SSG20 I saw traffic flowing to/from the PC on ports 1111 and 1129. Killed and restarted the NC session and saw new traffic on 1139. Hope that helps a bit.

mnauta_
New Contributor

Re: SA 4000 - Outbound ports

Yeah, I did the same thing. I get a different port each time. I don't want to allow all UDP traffic out from this box... but I may have to. It would be nice if I could configure a range of ports. Thanks for the help.
kenlars_
Super Contributor

Re: SA 4000 - Outbound ports

My IVEs sit behind internet-facing routers which allow only the following inbound traffic -

  • TCP dest port 443 (for SSL)
  • TCP dest port 80 (in case the user enters an "http..." URL, the IVE will redirect to "https...")
  • ESP (an IP protocol like ICMP or UDP, but with no ports in the specification)
  • UDP 4500 (in case the ESP fails because a NATing device corrupts it)
  • ICMP (for ping, etc.)

I'm wondering if the traffic you are seeing is the ESP traffic. NC will attempt to use ESP before switching to UDP 4500 or NCP.

Ken
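As an added example (not from the thread, and not Juniper's or the IVE's own code), the Python below models the inbound allow-list Ken describes and a stateful egress filter of the kind the original post tried, run over a constructed flow log. The IVE address, the client address and every flow record are constructed placeholders. It shows the two points the thread turns on: ESP carries no port numbers, so a port-based "established" match can never recognise its return traffic and it has to be permitted by protocol number; and a UDP session that the IVE itself opens towards a client on a fresh high port matches no established entry, so a reply-only egress rule drops it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IP protocol numbers (IANA assigned)
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_ESP = 1, 6, 17, 50
PROTO_NAMES = {"icmp": PROTO_ICMP, "tcp": PROTO_TCP, "udp": PROTO_UDP, "esp": PROTO_ESP}

# Constructed placeholder for the IVE's internet-facing address (RFC 5737 documentation range)
IVE_ADDR = "203.0.113.10"


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for port-less protocols (ESP, ICMP)
    dport: Optional[int] = None


def inbound_allowed(flow: Flow) -> bool:
    """Ken's inbound allow-list: TCP 443, TCP 80, ESP, UDP 4500, ICMP, all addressed to the IVE."""
    if flow.dst != IVE_ADDR:
        return False
    if flow.proto == PROTO_TCP:
        return flow.dport in (443, 80)
    if flow.proto == PROTO_UDP:
        return flow.dport == 4500
    # ESP and ICMP have no ports, so they can only be matched by protocol number
    return flow.proto in (PROTO_ESP, PROTO_ICMP)


class EgressFilter:
    """Stateful egress filter: permit replies to accepted inbound sessions, plus ESP by protocol."""

    def __init__(self) -> None:
        self.sessions = set()

    def observe_inbound(self, flow: Flow) -> bool:
        """Accept or drop an inbound flow; accepted flows are recorded as sessions."""
        if not inbound_allowed(flow):
            return False
        self.sessions.add((flow.proto, flow.src, flow.sport, flow.dst, flow.dport))
        return True

    def outbound_allowed(self, flow: Flow) -> bool:
        """An outbound flow is a reply if its reversed 5-tuple was seen inbound."""
        reply_key = (flow.proto, flow.dst, flow.dport, flow.src, flow.sport)
        if reply_key in self.sessions:
            return True
        # ESP from the IVE is permitted by protocol number: with no ports there is
        # nothing a port-based established check could key on.
        return flow.proto == PROTO_ESP and flow.src == IVE_ADDR


def _port(text: str) -> Optional[int]:
    return None if text == "-" else int(text)


def parse_flow(line: str) -> Tuple[str, Flow]:
    """Parse a constructed log line: '<in|out> <proto> <src>:<sport> -> <dst>:<dport>' ('-' = no port)."""
    direction, proto, src_part, _, dst_part = line.split()
    src, sport = src_part.rsplit(":", 1)
    dst, dport = dst_part.rsplit(":", 1)
    return direction, Flow(PROTO_NAMES[proto], src, dst, _port(sport), _port(dport))


def evaluate(lines: List[str]) -> List[Tuple[str, str]]:
    """Run the filter over a flow log in order and return (line, verdict) pairs."""
    filt = EgressFilter()
    verdicts = []
    for line in lines:
        direction, flow = parse_flow(line)
        ok = filt.observe_inbound(flow) if direction == "in" else filt.outbound_allowed(flow)
        verdicts.append((line, "ALLOW" if ok else "DROP"))
    return verdicts


# Constructed sample flow log; 198.51.100.7 is a placeholder for the remote NC client.
SAMPLE_LOG = [
    "in tcp 198.51.100.7:51234 -> 203.0.113.10:443",   # client opens the SSL session
    "out tcp 203.0.113.10:443 -> 198.51.100.7:51234",  # reply, matches the session
    "in esp 198.51.100.7:- -> 203.0.113.10:-",         # ESP has no ports
    "out esp 203.0.113.10:- -> 198.51.100.7:-",        # permitted by protocol number
    "out udp 203.0.113.10:4500 -> 198.51.100.7:1139",  # IVE-initiated, no session: dropped
    "in udp 198.51.100.7:1139 -> 203.0.113.10:4500",   # client-initiated UDP 4500
    "out udp 203.0.113.10:4500 -> 198.51.100.7:1139",  # now a reply: allowed
]

if __name__ == "__main__":
    for line, verdict in evaluate(SAMPLE_LOG):
        print(f"{verdict:5s} {line}")
```

The fifth record is the case the original poster describes: the IVE opening a UDP session to the client on a port that was never seen inbound. A reply-only egress rule cannot admit it, which is why the thread ends up choosing between a broad UDP allow and hoping the traffic is really ESP. The same record is admitted once the client has started the UDP 4500 exchange, so checking whether the observed flows are truly IVE-initiated, or whether the filter simply lacks ESP and UDP 4500 state, is the first thing to verify.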