FortiGate: Change the HTTPS Fortigate Management Port

KB ID 0001723

Problem

Like all firewalls that have ‘web management’, the default ports are 80 and 443 for insecure and secure management. If you have secure (HTTPS) management on the outside interface of your firewall on the normal TCP port 443, then you can’t use the same interface to terminate SSL VPNs. So you will need to change the FortiGate management port.

You can set SSL-VPN to use a different port of course, but for your remote workers who may be in hotels, or in locations where only web (port 80) and secure web/HTTPS (port 443) are allowed, that’s going to be a problem.

The lesser of the two evils is to change the secure web management port to something that is not 443!

Changing the Fortigate Management Port (HTTPS)

Note: I’m talking about changing the TCP port, NOT the physical management port. If that’s what you are trying to do, then you simply enable that on the INTERFACE on the firewall like so;

FortiGate Change Management Port via CLI

Firstly, to check which port HTTPS management is currently configured on, use;

[box]

show full | grep admin-sport

[/box]

Then to change the port number (in this case to 4433) use;

[box]

config system global
set admin-sport 4433
end

[/box]
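To spot the clash described above before (or after) changing admin-sport, here is an added example, not from the original article, that parses the text of a FortiOS `show full-configuration` dump and reports whether admin HTTPS and SSL-VPN share a port. The sample configuration is constructed; only flat, top-level `config ... end` blocks are handled.

```python
import re

# Constructed sample of FortiOS "show full-configuration" output (not taken
# from any real device): admin HTTPS and SSL-VPN both sit on TCP 443.
SAMPLE_CONFIG = """\
config system global
    set admin-port 80
    set admin-sport 443
    set hostname "FGT-EDGE"
end
config vpn ssl settings
    set port 443
    set servercert "Fortinet_Factory"
end
"""

# Top-level "config <name>" ... "end" blocks and the "set key value" lines inside them.
# Nested config/next/end sub-tables are not handled by this simple parser.
_BLOCK_RE = re.compile(r"^config (.+?)$\n(.*?)^end$", re.M | re.S)
_SET_RE = re.compile(r"^\s*set (\S+) (.+?)\s*$", re.M)


def parse_fortios_blocks(text):
    """Return {block_name: {key: value}} for each top-level config ... end block."""
    blocks = {}
    for m in _BLOCK_RE.finditer(text):
        name, body = m.group(1).strip(), m.group(2)
        blocks[name] = {k: v.strip('"') for k, v in _SET_RE.findall(body)}
    return blocks


def management_ports(text):
    """Extract admin HTTP/HTTPS ports and the SSL-VPN port (FortiOS defaults if unset)."""
    blocks = parse_fortios_blocks(text)
    glob = blocks.get("system global", {})
    sslvpn = blocks.get("vpn ssl settings", {})
    return {
        "admin-port": int(glob.get("admin-port", 80)),
        "admin-sport": int(glob.get("admin-sport", 443)),
        "sslvpn-port": int(sslvpn.get("port", 443)),
    }


def check_port_conflict(text):
    """True when admin HTTPS (admin-sport) and SSL-VPN would bind the same TCP port."""
    ports = management_ports(text)
    return ports["admin-sport"] == ports["sslvpn-port"]


if __name__ == "__main__":
    print(management_ports(SAMPLE_CONFIG), "conflict:", check_port_conflict(SAMPLE_CONFIG))
    fixed = SAMPLE_CONFIG.replace("set admin-sport 443", "set admin-sport 4433")
    print(management_ports(fixed), "conflict:", check_port_conflict(fixed))
```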

FortiGate Change Management Port via GUI

System > Settings > Administration Settings > HTTPS Port.

Change the port number accordingly > Apply > After a while it will try and reconnect and probably fail, (that’s OK).

Reconnect to the firewall using https://{IP-or-Hostname}:{Port-Number}

Related Articles, References, Credits, or External Links

NA

vCenter – Management Ports

KB ID 0001324 

Problem

A while ago my colleague was struggling to get into a vCenter server. Normal HTTPS (TCP 443) wasn’t letting him in. I knew you could manage the appliance directly (but I couldn’t remember the port number!). He knew there was an alternate port number, but we didn’t know what it was.

Solution

vCenter Appliance (Direct) Management Port

TCP: 5480

i.e. https://{ip-or-host-name}:5480

vCenter / vSphere Management Port

TCP: 443

i.e. https://{ip-or-host-name}

vCenter / vSphere Alternative Management Port

TCP: 9443

i.e. https://{ip-or-host-name}:9443

Note: You can also connect to the PSC (Platform Services Controller) if you installed this role on the same appliance. The URL for that is https://{ip-or-host-name}/psc

Related Articles, References, Credits, or External Links

NA

VMware VI Client Error ‘Call “ServiceInstance.RetrieveContent” for object “ServiceInstance” on Server “IP-Address” failed’

KB ID 0000870 

Problem

This is a pretty generic error. It basically means “I can’t connect to what you are asking me to connect to, on TCP Port 443 (https)”.

Solution

Internet searching for this error is very frustrating. Everyone who was posting this error was seeing it because, instead of putting the IP address or name in the box (which actually tells you to put in the IP address or name, see image above), they had put in https://{Name or IP Address}. If you do that, you will see this error. However this was NOT MY PROBLEM.

This is happening because there is no communication between you and the ESX/vCenter you are trying to connect to. The first thing you need to do is see if HTTPS is open. On the affected machine open a web browser and point it to the same target and make sure you see the web console of the ESX/vCenter server. If you can’t see this, check firewalls (and proxies) and make sure HTTPS is not getting blocked.

In my case I could see this but it still did not work! Then I was reminded we have had strange comms problems on this site before, which I have documented here. Sure enough, when I dropped the MTU on the server I was trying to connect from (which was over a site to site VPN tunnel), it started to work fine.

Related Articles, References, Credits, or External Links

NA

Veeam – “Task Failed Error: No connections could be made because the target machine actively refused it”

KB ID 0000758

Problem

Seen when running Veeam Backup and Replication.

Error
Task Failed Error: No connections could be made because the target machine actively refused it

Also when trying to connect to VMware VCenter from the Backup and Replication management console;

Error
Failed to connect to “Host-name” by SOAP, port 443, user “User-Name”, proxy srv: port:0
Unable to connect to the remote server
No connections could be made because the target machine actively refused it {IP-Address}:443

Solution

There are a few things that might cause this. Make sure the Veeam server can “ping” the vCenter and the hosts. Also, if you use a proxy server, make sure there is an exception for traffic going to this IP address.

In my case the problem was simply that the VMware Server service was not running on the Virtual Center.

Related Articles, References, Credits, or External Links

Veeam Backup and Recovery Download

Veeam Availability Suite Download

Veeam Backup For Office 365 Download

Veeam Backup For Azure Download

Veeam Backup for AWS Download

Draytek Vigor Router Port Forwarding

KB ID 0000425 

Problem

This procedure was carried out on a Draytek Vigor 2800 Router, for this I needed to forward RDP (That’s on TCP Port 3389).

Warning: If you need to forward any of the following ports: 23 (Telnet), 80 (HTTP), 443 (HTTPS/SSL), 21 (FTP), or 22 (SSH), be aware that the Draytek has these reserved for remote management. You will need to change the management port number first (System Maintenance > Management > Management Port Setup).

Solution

1. Log into the router’s web console (the default will be a blank username and password, or admin and admin, or admin and a blank password).

2. Expand NAT > Select Port Redirection.

3. Give the service a name (like RDP) > Enter the protocol type, TCP or UDP > Enter the internal IP that you want to forward the port to > Tick Active > Click OK.

Note: Depending on your setup you may see this instead (if that’s the case, select the correct public IP).

4. That should be all you need to do, unless the firewall is turned on. If that’s the case, expand NAT > Open Ports.

5. Again enter a name in the comment box > The local IP of the machine > and the port details > OK.

 

Related Articles, References, Credits, or External Links

Draytek Router – Firmware Update

DrayTek Vigor – Reset To Factory Settings

IIS – ‘This Web site cannot be started. Another Web site may be using the same port’.

KB ID 0000660 

Problem

After being unable to access my Exchange Management console, it turns out the default website had stopped. When I attempted to start it I was greeted with this error.

Solution

1. Nothing was using the usual web ports (80 and 443) which I found out by running the following two commands;

[box]

netstat -aon | find ":80"
netstat -aon | find ":443"

[/box]

Note: If you do have a process using these ports, it will be shown with its PID. To find out what that PID is, right click your Task bar > Launch Task Manager > Processes Tab > View > Select Columns > Turn on the PID column > locate the PID and investigate.
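One caveat with `find ":80"` is that it also matches `:8080`, `:8000` and remote addresses ending in `:80`. As an added example (not from the original article), this parses `netstat -aon` output and only reports LISTENING TCP sockets whose local port matches exactly; the sample output is constructed, and PID 4 is the System process that hosts HTTP.SYS (which IIS uses) on Windows.

```python
# Constructed sample of "netstat -aon" output on Windows (not captured from a
# real server). The :8080 and remote-side :80 lines are there on purpose:
# a plain find ":80" would match them, an exact local-port check does not.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2212
  TCP    10.0.0.5:49731         203.0.113.10:80        ESTABLISHED     1180
  TCP    [::]:443               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    1424
"""


def split_host_port(addr):
    """Split '0.0.0.0:80' or '[::]:443' into (host, port); port is None for '*:*'."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def listeners_on(netstat_text, wanted_ports):
    """Map each wanted local TCP port to the PIDs listening on it.

    Only LISTENING TCP rows count (UDP rows have no State column and are
    skipped by the field count), and the local port must match exactly.
    """
    found = {p: [] for p in wanted_ports}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        _, port = split_host_port(fields[1])
        if port in found:
            found[port].append(int(fields[4]))
    return found


if __name__ == "__main__":
    for port, pids in listeners_on(SAMPLE_NETSTAT, (80, 443)).items():
        print(port, "->", pids or "nothing listening")
```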

2. My problem was that there was a ‘Binding’ to https that had no information in it. Right click the website > Edit Bindings > here you can remove any spurious entries. (Warning: if you’re unsure, document any binding before you remove it, just in case).

Related Articles, References, Credits, or External Links

NA

Exchange – Redirect OWA (HTTP to HTTPS)

KB ID 0000697 

Problem

Out of the box, Exchange (quite rightly) secures Outlook Web Access so that you have to access it via https. The problem is some of your users are used to accessing websites via http, (or simply typing a URL in their browser, without typing any prefix, so it defaults to http).

If you try and access OWA via http://server.domain.com/owa..

There are a number of ways to get round this, the simplest is to redirect that error message (above) back to the correct OWA URL.

WARNING: DO NOT do this on a Microsoft SBS Server. (For SBS you need to create the custom error messages on the OWA Virtual Directory (directly)). This procedure assumes you have a stand alone Exchange CAS server with no other web services or virtual directories being served from its IIS.

Solution

1. Open IIS Manager and drill down to the Default Web Site > Error Pages.

2. Add > Status code = 403.4 > Select “Respond with a 302 Request” > Type in the correct (https) URL for your OWA site > OK.

3. Then restart the website (or reboot the server).

Note: DON’T attempt to test this on the Exchange server itself! That will always show the original error; you need to test it from a client machine.

Related Articles, References, Credits, or External Links

NA

Cisco Routers – Port Forwarding

KB ID 0000533 

Problem

If you have a server or host that you want to be publicly addressable and only have one public IP address then port forwarding is what you require.

Solution

Assumptions

1. You have a public IP on the outside of your Router.

2. You are performing NAT from your internal range of IP address to your External IP address.

To Make Sure

1. Run the following command:

[box]PetesRouter#show run | include ip nat inside[/box]

You should see a line like,

[box]ip nat inside source list 101 interface Dialer0 overload[/box]

2. That means NAT all traffic that access-list 101 applies to, to Dialer0 (this is an ADSL router and that’s its outside interface). To see what traffic is in access-list 101, issue the following command:

[box]PetesRouter#show run | include access-list 101[/box]

You should see a line like,

[box]access-list 101 permit ip 10.10.0.0 0.0.255.255 any[/box]

3. This means permit (apply this ACL to) all traffic from 10.10.0.0/16 to anywhere. So it’s set to NAT all traffic from the inside network to the outside network.

4. Finally to see what IP is on your Dialer0 issue the following command:

[box]PetesRouter#show ip interface brief | exclude unassigned[/box]

You should see something like this

Now we know all traffic from 10.10.0.0/24 (All inside traffic) will be NAT translated to 123.123.123.123

Set up Port Forwarding

In this case I’ll port forward TCP Port 443 (HTTPS) and TCP Port 25 (SMTP) to an internal server (10.10.0.1).

1. First set up the static NAT translations.

[box]

PetesRouter(config)#ip nat inside source static tcp 10.10.0.1 443 123.123.123.123 443 extendable
PetesRouter(config)#ip nat inside source static tcp 10.10.0.1 25 123.123.123.123 25 extendable

[/box]

OR, if you are running with a public DHCP address:

[box]

PetesRouter(config)#ip nat inside source static tcp 10.10.0.1 443 interface Dialer0 443
PetesRouter(config)#ip nat inside source static tcp 10.10.0.1 25 interface Dialer0 25

[/box]

2. Second stop that traffic being NATTED with everything else.

[box]

PetesRouter(config)#access-list 101 deny tcp host 10.10.0.1 eq 443 any
PetesRouter(config)#access-list 101 deny tcp host 10.10.0.1 eq 25 any

[/box]

3. Save the changes with “copy run start”, then press enter to accept the default name of startup-config:

[box]

PetesRouter#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
PetesRouter#

[/box]

Setup port forwarding and restrict it to an IP or network

For things like HTTPS and SMTP you might want them accessible from anywhere, but you might want to lock down access for something like RDP (TCP port 3389). If that’s the case then you need to do the following.

1. Create a new ACL that allows traffic from you but denies it from everyone else (remember to put a permit ip any any at the end, so the rest of your traffic is still allowed).

[box]

PetesRouter(config)#access-list 199 permit tcp host 234.234.234.234 host 123.123.123.123 eq 3389
PetesRouter(config)#access-list 199 deny tcp any host 123.123.123.123 eq 3389
PetesRouter(config)#access-list 199 permit ip any any

[/box]

Note: To allow a whole network, replace the first line with:

[box]PetesRouter(config)#access-list 199 permit tcp 234.234.234.232 0.0.0.7 host 123.123.123.123 eq 3389[/box]

Note: Cisco routers use inverted (wildcard) masks, so 234.234.234.232 0.0.0.7 is 234.234.234.232 255.255.255.248 (or /29).
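Getting the inverted mask wrong is the usual way this ACL silently allows too much or too little, so here is an added example (my own code, not from the original article) that derives the wildcard mask from CIDR notation and generates the ACL 199 lines for any mix of single hosts and networks. It uses the page’s addresses; `ip_network(..., strict=True)` rejects a network whose host bits are set, e.g. 234.234.234.234/29, which would otherwise produce a mask that does not match what you meant.

```python
import ipaddress


def wildcard_mask(network):
    """Cisco inverted mask for a CIDR network: /29 -> 0.0.0.7, /16 -> 0.0.255.255.
    strict=True raises ValueError if host bits are set (a mis-typed network)."""
    net = ipaddress.ip_network(network, strict=True)
    return str(net.hostmask)


def acl_source(network):
    """Render a source the way IOS expects: 'host A.B.C.D' for a /32,
    otherwise 'network wildcard'."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {wildcard_mask(network)}"


def restrict_forward_acl(acl_no, allowed_sources, public_ip, port, proto="tcp"):
    """Build the ACL lines that let only allowed_sources reach public_ip:port,
    drop everyone else for that port, and leave all other traffic alone.

    Order matters: IOS evaluates an ACL top-down and appends new numbered
    entries at the end, so the permits must be entered before the deny, and
    the final 'permit ip any any' must come last.
    """
    lines = [
        f"access-list {acl_no} permit {proto} {acl_source(src)} host {public_ip} eq {port}"
        for src in allowed_sources
    ]
    lines.append(f"access-list {acl_no} deny {proto} any host {public_ip} eq {port}")
    lines.append(f"access-list {acl_no} permit ip any any")
    return lines


if __name__ == "__main__":
    # Allow one admin host and one /29 office range to reach RDP on the public IP.
    for line in restrict_forward_acl(
        199, ["234.234.234.234/32", "234.234.234.232/29"], "123.123.123.123", 3389
    ):
        print(line)
```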

2. Then (as in the example above) create the static NAT translation.

[box]PetesRouter(config)#ip nat inside source static tcp 10.10.0.1 3389 123.123.123.123 3389 extendable[/box]

3. Then (as in the example above) exempt this traffic from the default NAT ACL.

[box]PetesRouter(config)#access-list 101 deny tcp host 10.10.0.1 eq 3389 any[/box]

4. Finally apply the ACL you created inbound on the Dialer0 interface.

[box]

PetesRouter#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
PetesRouter(config)#interface Dialer0
PetesRouter(config-if)#ip access-group 199 in
PetesRouter(config-if)#exit
PetesRouter#

[/box]

5. Save the changes with “copy run start”, then press enter to accept the default name of startup-config:

[box]

PetesRouter#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
PetesRouter#

[/box]

Related Articles, References, Credits, or External Links

Cisco PIX / ASA Port Forwarding

Cisco Firewalls Changing the Web Management Port

Cisco 5500 Changing the ASDM Port

Unable to Port Forward HTTPS

KB ID 0000268

Problem

You want to change the port that the Cisco ASDM runs over, or you are attempting to port forward https/ssl and see the following error:

Error:
ERROR: unable to reserve port 443 for static PAT
ERROR: unable to download policy

You are trying to port forward (Create a static PAT entry) on a Cisco ASA for port 443 / https. This port is in use by the ASDM.

Solution

Change the Cisco ASA ASDM Port via Command Line

Connect to the ASA via command line. (In the following example I’ll change the ASDM to use TCP port 2456).

code?

Change the Cisco ASA ASDM Port via ASDM

1. Connect to the Cisco ASDM > Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH > HTTP Settings > Port Number > Change accordingly > Apply.

2. Save the new config > File > “Save Running Configuration to flash”.

Cisco PIX (Version 6) Firewalls – Disable Web Management

If you are stuck on version 6, i.e. you are running a PIX 506E or PIX 501, then you CANNOT change the PDM port. Your only option is to disable the PDM if you want to port forward https / ssl / TCP Port 443.

 

Related Articles, References, Credits, or External Links

Cisco ASA – Allow Remote Management

Original Article Written 25/03/11

Cisco ASA5500 Change the AnyConnect Port

KB ID 0000422 

Problem

AnyConnect runs over TCP port 443 (That’s HTTPS/SSL), but if you only have one public IP and need to forward that port to a web server or internal host then you are a bit snookered. You can of course change the port that AnyConnect runs over, so that it’s no longer on TCP port 443.

Why you would NOT want to do this.

Bear in mind that HTTPS is a well known port, and it’s open in most places for secure web traffic. You use it when you purchase things over the internet, or do your banking. For that reason it’s allowed from most networks, and through most firewalls, which is what makes AnyConnect so handy. If you change the port then you may have some connection problems.

Solution

Assuming you accept the potential problems and want to swap the port over then do the following.

Via Command Line

1. Connect to the ASA via Telnet, SSH or Console Cable.

2. Log in and go to “configure terminal” mode.

[box]

PetesASA> enable
Password: ***********
PetesASA# configure terminal
PetesASA(config)#

[/box]

3. You can’t change the port while AnyConnect is enabled, so you need to disable it, change the port then re-enable it again (in this example I’ve changed it to port 444).

[box]

PetesASA(config)# webvpn
PetesASA(config-webvpn)# no enable outside
WARNING: Disabling webvpn removes proxy-bypass settings.
Do not overwrite the configuration file if you want to keep existing proxy-bypass commands.
INFO: WebVPN and DTLS are disabled on 'outside'.
PetesASA(config-webvpn)# port 444
PetesASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
PetesASA(config-webvpn)#

[/box]

4. Save the changes with a write mem command.

[box]

PetesASA(config)# write mem
Building configuration...
Cryptochecksum: f3645705 ae6bafda c5606697 ecd61948

9830 bytes copied in 1.550 secs (9830 bytes/sec)
[OK]
PetesASA(config)#

[/box]

Via ASDM

1. Connect to the ASDM.

2. Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection profiles.

3. You will need to un-tick the allow access on the outside option, then change the port, then re-tick to allow access, then click Apply.

Update 01/10/12

4. When done, click File > Save Running configuration to flash, to save the changes.

BE AWARE

Your clients would now need to connect to the portal on,

https://{name or IP address}:444

Or if using the client software, they will need to tag the port number on the end like so,

Related Articles, References, Credits, or External Links

Changing the ASDM Port