[SSL VPN] Ports need to be open in the Firewall if you need to configure AD Authentication Server in Juniper IVE

Knowledge Base ID: KB21482
Last Updated: 09 Nov 2011
Version: 2.0

For users to authenticate to the SSL VPN through an authentication server, the Juniper IVE must be able to communicate with that server. The Juniper IVE and the firewalls can be placed in the network in various modes, as explained in KB10162 - Determine Topology and Connect the SSL VPN(s) to the network.

In deployments where traffic from the Juniper IVE is filtered by the firewall before it reaches the authentication servers (for example, DMZ to internal LAN), a few ports need to be opened in the firewall so that this communication can proceed uninterrupted.

Problem or Goal:
Which ports need to be opened in the firewall (route: DMZ to internal LAN) so that communication for authentication purposes can proceed uninterrupted?

  1. Open port 88 for Kerberos (UDP and TCP). Kerberos normally runs over UDP, but clients switch to TCP when a message is too large for a single UDP datagram, so allow both. The Juniper IVE requests service tickets from the KDC on the domain controller:

     863 36.150683 10.141.x.x 10.130.x.x KRB5 TGS-REQ
     864 36.186508 10.130.x.x 10.141.x.x KRB5 TGS-REP

  2. Open port 464 for kpasswd (UDP and TCP). When the Juniper IVE joins the domain it sets its computer account password through the Kerberos password-change service (kadmin/changepw), which listens on port 464:

     867 36.188855 10.141.x.x 10.130.x.x KPASSWD Request
     870 36.288080 10.130.x.x 10.141.x.x KPASSWD Reply

     For more information, refer to the following link:

  3. Open port 389 for LDAP (TCP) and CLDAP (UDP), and port 636 for LDAPS (TCP). CLDAP over UDP 389 carries the domain controller locator "ping"; LDAP and LDAPS carry the directory queries themselves.

  4. Open ports 135 to 139 (TCP and UDP). These carry SMB and MS-RPC traffic between the Juniper IVE and the domain controller. On Windows NT, SMB ran over NetBIOS: 137/UDP (name service), 138/UDP (datagram service) and 139/TCP (session service). Port 135/TCP is the MS-RPC endpoint mapper, which a client queries to learn the dynamic port on which an RPC service such as Netlogon is listening.

  5. Additionally, from Windows 2000 onward (including XP and 2003), SMB can also run directly over TCP port 445 without NetBIOS. Open port 445/TCP as well.

  6. Open TCP and UDP ports 1024 to 65535 so that the users and the IVE can use dynamic ports to form sockets and successfully communicate with Active Directory. The range from which Windows allocates dynamic RPC ports lies inside this block (1025-5000 on Windows 2003 and earlier, 49152-65535 on Windows Vista/2008 and later); the endpoint mapper on port 135 tells the client which port was chosen. Opening the whole block is a very wide hole from the DMZ into the internal LAN, so where possible restrict the domain controller's dynamic RPC range on the Windows side and open only that range, and scope the rule to the domain controllers' addresses rather than to the whole internal LAN.
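The following is an added example, not code from this KB or from Juniper, that encodes the port list above as a rule set and checks a set of constructed IVE-to-domain-controller flows against it, first with the KB's 1024-65535 dynamic range and then with a narrowed range. The rule names, the placeholder addresses and the sample flows (including the Global Catalog and DNS flows, which the KB does not list) are this example's own assumptions.

```python
"""Check IVE -> domain controller flows against the port list in this KB.

Added example, not code from the KB or from Juniper.  The rule names, the
sample flows and the placeholder addresses are this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str   # "tcp", "udp" or "any"
    low: int     # inclusive destination-port range
    high: int

    def matches(self, proto: str, dport: int) -> bool:
        return self.proto in ("any", proto) and self.low <= dport <= self.high


def kb21482_rules(rpc_low: int = 1024, rpc_high: int = 65535) -> List[Rule]:
    """Policy from the KB for IVE (DMZ) -> DC (internal LAN), destination ports only.

    The defaults reproduce the KB's 1024-65535 dynamic range.  Pass a narrower
    range (for example 49152-65535, the default dynamic RPC range on Windows
    2008 and later) once the domain controller's range is known.
    """
    return [
        Rule("kerberos", "any", 88, 88),
        Rule("kpasswd", "any", 464, 464),
        Rule("ldap", "tcp", 389, 389),
        Rule("cldap", "udp", 389, 389),
        Rule("ldaps", "tcp", 636, 636),
        Rule("rpc-epmap", "tcp", 135, 135),    # MS-RPC endpoint mapper
        Rule("netbios-ns", "udp", 137, 137),
        Rule("netbios-dgm", "udp", 138, 138),
        Rule("netbios-ssn", "tcp", 139, 139),  # SMB over NetBIOS
        Rule("smb-direct", "tcp", 445, 445),   # SMB directly over TCP
        Rule("rpc-dynamic", "any", rpc_low, rpc_high),
    ]


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int
    summary: str  # what the capture showed for this packet


# Constructed sample flows (IVE 10.141.0.10 -> DC 10.130.0.5), modelled on the
# capture lines in the KB plus flows the KB implies.  The last two are not in
# the KB's list and are here to show how the policy treats them.
SAMPLE_FLOWS = [
    Flow("udp", "10.141.0.10", "10.130.0.5", 88, "KRB5 TGS-REQ"),
    Flow("udp", "10.141.0.10", "10.130.0.5", 464, "KPASSWD Request"),
    Flow("udp", "10.141.0.10", "10.130.0.5", 389, "CLDAP DC locator ping"),
    Flow("tcp", "10.141.0.10", "10.130.0.5", 389, "LDAP bindRequest"),
    Flow("tcp", "10.141.0.10", "10.130.0.5", 135, "DCERPC endpoint-mapper lookup"),
    Flow("tcp", "10.141.0.10", "10.130.0.5", 445, "SMB Negotiate"),
    Flow("tcp", "10.141.0.10", "10.130.0.5", 49155, "DCERPC on a dynamic port (2008+ range)"),
    Flow("tcp", "10.141.0.10", "10.130.0.5", 1026, "DCERPC on a dynamic port (2003 range)"),
    Flow("tcp", "10.141.0.10", "10.130.0.5", 3268, "LDAP to Global Catalog (not in the KB list)"),
    Flow("udp", "10.141.0.10", "10.130.0.5", 53, "DNS query to the DC (not in the KB list)"),
]


def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """First rule that permits the flow, or None if the firewall would drop it."""
    for rule in rules:
        if rule.matches(flow.proto, flow.dport):
            return rule
    return None


def audit(rules: List[Rule], flows: List[Flow]) -> List[Tuple[Flow, Optional[str]]]:
    """Pair each flow with the name of the rule that allows it (None = dropped)."""
    result = []
    for flow in flows:
        rule = first_match(rules, flow)
        result.append((flow, rule.name if rule else None))
    return result


def dropped(rules: List[Rule], flows: List[Flow]) -> List[int]:
    """Destination ports of the flows the policy does not permit."""
    return [flow.dport for flow, name in audit(rules, flows) if name is None]


if __name__ == "__main__":
    for label, rules in (("KB default", kb21482_rules()),
                         ("RPC range narrowed", kb21482_rules(49152, 65535))):
        print(f"--- {label} ---")
        for flow, name in audit(rules, SAMPLE_FLOWS):
            verdict = f"allow via {name}" if name else "DROP"
            print(f"{flow.proto:3} {flow.dst}:{flow.dport:<5} {flow.summary:42} {verdict}")
```

With the KB's default range, the Global Catalog flow on 3268 is permitted only because it happens to fall inside the 1024-65535 hole, not because anyone decided to allow it; narrowing the dynamic range to 49152-65535 drops it, together with the Windows 2003-style port 1026, which is exactly the point of running such a check before tightening the rule. The DNS flow is dropped under both policies, a reminder that the KB's list covers authentication traffic only.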


