Like all firewalls that have ‘web management’, the default ports are 80 and 443 for insecure (HTTP) and secure (HTTPS) management. If you have secure (HTTPS) management on the outside interface of your firewall on the normal TCP port 443, then you can’t use the same interface and port to terminate SSL-VPNs. So you will need to change the FortiGate management port.
You can set SSL-VPN to use a different port of course, but for your remote workers who may be in hotels, or in locations where only web (TCP port 80) and secure web/HTTPS (TCP port 443) are allowed out, that’s going to be a problem.
The lesser of the two evils is to change the secure web management port to something that is not 443! (Whatever port it ends up on, management exposed on the outside interface should be restricted to trusted hosts, or turned off there altogether if you can manage the firewall from the inside or over the VPN.)
Changing the FortiGate Management Port (HTTPS)
Note: I’m talking about changing the TCP port, NOT the physical management port. If that’s what you are trying to do, you simply enable HTTPS administrative access on the INTERFACE on the firewall, like so;
FortiGate Change Management Port via CLI
Firstly, to find out/check which port HTTPS management is currently configured on, use;
[box]
show full-configuration system global | grep admin-sport
[/box]
Then to change the port number (in this case to 4433) use;
[box]
config system global
set admin-sport 4433
end
[/box]
FortiGate Change Management Port via GUI
System > Settings > Administration Settings > HTTPS Port.
Change the port number accordingly > Apply. After a while it will try to reconnect and will probably fail (that’s OK).
Reconnect to the firewall using https://{IP-or-Hostname}:{Port-Number}
Related Articles, References, Credits, or External Links
A while ago my colleague was struggling to get into a vCenter server. Normal https (TCP 443) wasn’t letting him in, I knew you could manage the appliance directly, (but I couldn’t remember the port number!) He knew there was an alternate port number, but we didn’t know what it was.
Solution
vCenter Appliance (Direct) Management Port
TCP: 5480
i.e. https://{ip-or-host-name}:5480
vCenter / vSphere Management Port
TCP: 443
i.e. https://{ip-or-host-name}
vCenter / vSphere Alternative Management Port
TCP: 9443
i.e. https://{ip-or-host-name}:9443
Note: You can also connect to the PSC (Platform Services Controller) if you installed this role on the same appliance. The URL for that is https://{ip-or-host-name}/psc
Related Articles, References, Credits, or External Links
This is a pretty generic error. It basically means “I can’t connect to what you are asking me to connect to, on TCP Port 443 (https)”.
Solution
Internet searching for this error is very frustrating: everyone who was posting about it was seeing it because, instead of putting just the IP address or name in the box (which actually tells you to put in the IP address or name, see image above), they had typed https://{Name or IP Address}. If you put in https://{Name or IP Address}, you will see this error. However, this was NOT MY PROBLEM.
This is happening because there is no communication between you and the ESX/vCenter you are trying to connect to. The first thing you need to do is see if HTTPS is reachable: on the affected machine open a web browser, point it at the same target and make sure you see the web console of the ESX/vCenter server. If you can’t see this, check firewalls (and proxies) and make sure HTTPS is not getting blocked.
In my case I could see this but it still did not work! Then I was reminded we have had strange comms problems on this site before, which I have documented here. Sure enough, when I dropped the MTU on the server I was trying to connect from (which was over a site-to-site VPN tunnel), it started to work fine.
Related Articles, References, Credits, or External Links
Error
Task Failed Error: No connections could be made because the target machine actively refused it
Also, when trying to connect to VMware vCenter from the Backup and Replication management console;
Error
Failed to connect to “Host-name” by SOAP, port 443, user “User-Name”, proxy srv: port:0
Unable to connect to the remote server No connections could be made because the target machine actively refused it {IP-Address}:443
Solution
There are a few things that might cause this: make sure the Veeam server can ping the vCenter and the hosts, and if you use a proxy server make sure there is an exception for traffic going to this IP address. “Actively refused” means the target answered the connection attempt with a TCP reset, so the network path is fine and the problem is that nothing is listening on TCP 443 on the vCenter; a firewall block would normally show up as a timeout instead.
In my case the problem was simply that the VMware Server service was not running on the Virtual Center.
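The checks in the FortiGate, vCenter and Veeam sections above (is the moved admin port answering, which of 443/5480/9443 does vCenter answer on, why is the Veeam connection “actively refused”) all come down to the same question: what, if anything, answers on a given TCP port? The following is an added example, not code from any of these articles or products: a small Python probe that tells apart a port that answers TLS (the service is there), one that is actively refused (host reachable, nothing listening, which is what the stopped vCenter service looks like), and one that times out (firewall, proxy, or the MTU-over-VPN problem described above). The hostname, the vCenter port labels and the local listeners used for the offline demo are assumptions constructed for the example.

```python
"""Classify why a management port does not answer: TLS up, actively refused, or timeout.
Added example, not from the original articles. Hostnames, port labels and the local
listeners used by the demo are assumptions."""
import socket
import ssl
import sys
import threading

# Assumed labels for the vCenter ports listed above.
VCENTER_PORTS = {443: "vSphere / SOAP API", 5480: "appliance management (VAMI)", 9443: "alternative"}

EXPLAIN = {
    "tls": "a TLS server answered: the service is up and reachable",
    "open": "TCP port open (TLS not checked)",
    "tls-failed": "port open but not speaking TLS: wrong port, or a plain-HTTP listener",
    "refused": "host reachable but nothing listening (TCP reset): check the service is running and the port",
    "timeout": "no answer at all: check firewalls, proxies and path MTU (e.g. over a site-to-site VPN)",
    "unreachable": "no route, or name resolution failed",
}

def probe(host, port, timeout=3.0, tls=True):
    """Return one of the EXPLAIN states for host:port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"            # the host answered with a RST: 'actively refused'
    except socket.timeout:
        return "timeout"            # SYN never answered: filtered, dropped or blackholed
    except OSError:
        return "unreachable"
    with sock:
        if not tls:
            return "open"
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # we only ask whether *a* TLS server answers,
        ctx.verify_mode = ssl.CERT_NONE     # not whether its certificate is trusted
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "tls"
        except socket.timeout:
            return "timeout"
        except OSError:                     # ssl.SSLError is an OSError too
            return "tls-failed"             # garbage, EOF or a reset instead of a ServerHello

def diagnose(host, ports, timeout=3.0):
    """Probe each port and return {port: state}."""
    return {p: probe(host, p, timeout) for p in ports}

def fake_listener(reply=None):
    """Constructed fixture: one-shot listener on 127.0.0.1. With `reply`, it reads the
    client's first bytes (a TLS ClientHello) and answers with `reply`, which is not TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if reply is not None:
                conn.settimeout(2)
                try:
                    conn.recv(4096)
                    conn.sendall(reply)
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def free_port():
    """Constructed fixture: a local port with nothing listening, so a connect is refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    if len(sys.argv) > 1:       # e.g. python probe_ports.py vcenter.example.com (assumed host)
        host = sys.argv[1]
        for port, state in diagnose(host, VCENTER_PORTS).items():
            print(f"{host}:{port:<5} {VCENTER_PORTS[port]:<28} {state:<11} {EXPLAIN[state]}")
    else:                       # offline demo against the constructed local listeners
        cases = (("listener, TLS not checked", fake_listener(), False),
                 ("plain-HTTP listener", fake_listener(b"HTTP/1.0 400 Bad Request\r\n\r\n"), True),
                 ("nothing listening", free_port(), True))
        for label, port, tls in cases:
            state = probe("127.0.0.1", port, 2.0, tls)
            print(f"{label:<26} -> {state:<11} {EXPLAIN[state]}")
```

Run it with a hostname to probe the three vCenter ports, or with no arguments for the offline demo. Certificate verification is deliberately switched off because the question here is reachability, not trust; do not reuse that context for anything that sends credentials.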
Related Articles, References, Credits, or External Links
This procedure was carried out on a Draytek Vigor 2800 router; for this I needed to forward RDP (that’s on TCP port 3389).
Warning: if you need to forward any of the following ports: 23 (Telnet), 80 (HTTP), 443 (HTTPS/SSL), 21 (FTP) or 22 (SSH), note that the Draytek reserves these for its own remote management, so you will need to change the management port number first (System Maintenance > Management > Management Port Setup), or disable management from the WAN side if you don’t need it.
Solution
1. Log into the router’s web console (the default will be a blank username and password, or admin and admin, or admin and a blank password). If any of those defaults still work, change them before you expose anything through this router.
2. Give the service a name (Like RDP) > Enter the protocol type TCP or UDP > Enter the internal IP that you want to forward the port to > Tick active > Click OK.
Note: Depending on setup you may see this instead (if that’s the case select the correct public IP)
3. That should be all you need to do, unless the firewall is turned on; if that’s the case expand NAT > Open Ports.
4. Again enter a name in the comment box > The local IP of the machine > and the port details > OK.
Related Articles, References, Credits, or External Links
After being unable to access my Exchange Management console, it turns out the default website had stopped. When I attempted to start it I was greeted with this error.
Solution
1. Nothing was using the usual web ports (80 and 443) which I found out by running the following two commands;
Note: If you do have a process using these ports, it will be shown with its PID. To find out what that process is, right click your Task bar > Launch Task Manager > Processes Tab > View > Select Columns > Turn on the PID column > locate the PID and investigate.
2. My problem was that there was a ‘Binding’ to https that had no information in it. Right click the website > Edit Bindings; here you can remove any spurious entries. (Warning: if you’re unsure, document any binding before you remove it, just in case.)
Related Articles, References, Credits, or External Links
Out of the box, Exchange (quite rightly) secures Outlook Web Access so that you have to access it via HTTPS. The problem is some of your users are used to accessing websites via HTTP (or simply typing a URL in their browser without any prefix, so it defaults to HTTP).
If you try to access OWA via http://server.domain.com/owa you get an HTTP 403.4 error (SSL required).
There are a number of ways to get round this; the simplest is to redirect that error message (above) back to the correct OWA URL.
WARNING: DO NOT do this on a Microsoft SBS Server. (For SBS you need to create the custom error messages on the OWA virtual directory directly.) This procedure assumes you have a standalone Exchange CAS server with no other web services or virtual directories being served from its IIS, because an error page set on the Default Web Site is inherited by everything underneath it.
Solution
1. Open IIS Manager and drill down to the Default Web Site > Error Pages.
2. Add > Status code = 403.4 > Select “Respond with a 302 redirect” > Type in the correct (https) URL for your OWA site > OK.
3. Then restart the website (or reboot the server).
Note: DON’T attempt to test this on the Exchange server itself! That will always show the original error; you need to test it from a client machine.
Related Articles, References, Credits, or External Links
If you have a server or host that you want to be publicly addressable and only have one public IP address then port forwarding is what you require.
Solution
Assumptions
1. You have a public IP on the outside of your Router.
2. You are performing NAT from your internal range of IP addresses to your external IP address.
To Make Sure
1. Run the following command:
[box]PetesRouter#show run | include ip nat inside[/box]
You should see a line like,
[box]ip nat inside source list 101 interface Dialer0 overload[/box]
2. That means NAT all traffic that access-list 101 applies to, out of Dialer0 (this is an ADSL router and that’s its outside interface). To see what traffic is in access-list 101, issue the following command:
[box]PetesRouter#show run | include access-list 101[/box]
You should see a line like,
[box]access-list 101 permit ip 10.10.0.0 0.0.255.255 any[/box]
3. This means permit (apply this ACL to) all traffic from 10.10.0.0/16 to anywhere. So it’s set to NAT all traffic from the inside network to the outside network.
4. Finally to see what IP is on your Dialer0 issue the following command:
[box]PetesRouter#show ip interface brief | exclude unassigned[/box]
You should see something like this
Now we know all traffic from 10.10.0.0/16 (all inside traffic) will be NAT translated to 123.123.123.123
Set up Port Forwarding
In this case I’ll port forward TCP port 443 (HTTPS) and TCP port 25 (SMTP) to an internal server (10.10.0.1).
1. First set up the static NAT translations.
[box]
PetesRouter(config)#ip nat inside source static tcp 10.10.0.1 443 123.123.123.123 443 extendable
PetesRouter(config)#ip nat inside source static tcp 10.10.0.1 25 123.123.123.123 25 extendable
[/box]
OR, if you are running with a public DHCP address (so the outside IP can change), tie the translation to the interface instead;
[box]
PetesRouter(config)#ip nat inside source static tcp 10.10.0.1 443 interface Dialer0 443
PetesRouter(config)#ip nat inside source static tcp 10.10.0.1 25 interface Dialer0 25
[/box]
2. Second, stop that traffic being NATted with everything else. New entries in a numbered ACL are appended after the existing lines, so a deny typed in after the existing permit for 10.10.0.0/16 would never be matched; remove the list and re-enter it with the deny lines first. (Dynamic NAT is briefly interrupted while access-list 101 is empty. Static translations are matched before the dynamic overload anyway, so this step is belt-and-braces rather than essential.)
[box]
PetesRouter(config)#no access-list 101
PetesRouter(config)#access-list 101 deny tcp host 10.10.0.1 eq 443 any
PetesRouter(config)#access-list 101 deny tcp host 10.10.0.1 eq 25 any
PetesRouter(config)#access-list 101 permit ip 10.10.0.0 0.0.255.255 any
[/box]
3. Save the changes with “copy run start”, then press enter to accept the default name of startup-config:
[box]
PetesRouter(config)#end
PetesRouter#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
PetesRouter#
[/box]
Setup port forwarding and restrict it to an IP or network
For things like HTTPS and SMTP you might want them accessible from anywhere, but you might want to lock down access for something like RDP (TCP port 3389); if that’s the case then you need to do the following.
1. Create a new ACL that allows traffic from you but denies it from everyone else (remember to finish it with a permit ip any any, otherwise the implicit deny at the end of every ACL will also drop the HTTPS and SMTP you just forwarded, and the return traffic for everything going out).
[box]
PetesRouter(config)#access-list 199 permit tcp host 234.234.234.234 host 123.123.123.123 eq 3389
PetesRouter(config)#access-list 199 deny tcp any host 123.123.123.123 eq 3389
PetesRouter(config)#access-list 199 permit ip any any
[/box]
Note: To allow a network substitute the first line for,
4. Finally apply the ACL you created inbound on the Dialer0 interface.
[box]
PetesRouter#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
PetesRouter(config)#interface Dialer0
PetesRouter(config-if)#ip access-group 199 in
PetesRouter(config-if)#end
PetesRouter#
[/box]
5. Save the changes with “copy run start”, then press enter to accept the default name of startup-config:
[box]
PetesRouter#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
PetesRouter#
[/box]
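Both ACL steps above (the deny lines in NAT list 101 and the inbound list 199 on Dialer0) depend on IOS evaluating an access list top-down, stopping at the first match, with an implicit deny at the end. The following is an added example, not the router’s own code and not from the original article: a small Python evaluator for the subset of numbered-ACL syntax used here, run over the article’s own lists, which shows what happens to the forwarded HTTPS if the trailing permit ip any any is left off list 199, and why deny lines appended to list 101 after its permit never match. The packet tuples are constructed; 123.123.123.123 and 234.234.234.234 are the article’s placeholder addresses.

```python
"""First-match evaluation of IOS numbered ACLs, the subset used in this procedure.
Added example, not from the original article or Cisco. Handles 'access-list N permit|deny
PROTO SRC [eq PORT] DST [eq PORT]' with SRC/DST = any | host A | A WILDCARD. Lists and packets are constructed."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                 # 'permit' or 'deny'
    proto: str                  # 'ip' matches every protocol; otherwise 'tcp', 'udp', ...
    src: ipaddress.IPv4Network
    sport: Optional[int]        # None = any port
    dst: ipaddress.IPv4Network
    dport: Optional[int]

def _addr(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard mask: 1 bits are "don't care", so the netmask is its bitwise inverse
    # (only contiguous wildcards such as 0.0.255.255 are handled here).
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[i + 1])) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((tokens[i], str(netmask)), strict=False), i + 2

def _port(tokens, i):
    """Consume an optional 'eq N' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i

def parse_acl(text):
    """Parse access-list lines into {number: [Rule, ...]}, in the order they were entered."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        acls.setdefault(int(t[1]), []).append(Rule(t[2], t[3], src, sport, dst, dport))
    return acls

def evaluate(rules, proto, src, sport, dst, dport):
    """First match wins: return (action, rule index); no match is the implicit deny, ('deny', None)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for idx, r in enumerate(rules):
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.sport is not None and r.sport != sport:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, idx
    return "deny", None

# The inbound list for Dialer0 as the article writes it, and without its trailing permit.
ACL_199 = """
access-list 199 permit tcp host 234.234.234.234 host 123.123.123.123 eq 3389
access-list 199 deny tcp any host 123.123.123.123 eq 3389
access-list 199 permit ip any any
"""
ACL_199_NO_TAIL = "\n".join(ACL_199.strip().splitlines()[:2])

# The NAT list as it ends up if the deny lines are typed after the existing permit
# (new entries in a numbered ACL are appended), and with the deny lines first.
ACL_101_APPENDED = """
access-list 101 permit ip 10.10.0.0 0.0.255.255 any
access-list 101 deny tcp host 10.10.0.1 eq 443 any
access-list 101 deny tcp host 10.10.0.1 eq 25 any
"""
ACL_101_FIXED = "\n".join(reversed(ACL_101_APPENDED.strip().splitlines()))

# Constructed packets: inbound on Dialer0 (proto, src, sport, dst, dport), and a reply
# leaving the web server 10.10.0.1:443 as the NAT list sees it.
INBOUND = {
    "RDP from the allowed host": ("tcp", "234.234.234.234", 51000, "123.123.123.123", 3389),
    "RDP from anyone else": ("tcp", "198.51.100.7", 51000, "123.123.123.123", 3389),
    "HTTPS to the forwarded server": ("tcp", "198.51.100.7", 51001, "123.123.123.123", 443),
}
OUTBOUND_REPLY = ("tcp", "10.10.0.1", 443, "198.51.100.7", 51001)

if __name__ == "__main__":
    for title, text in (("ACL 199 as written", ACL_199), ("ACL 199 without the trailing permit", ACL_199_NO_TAIL)):
        print(title)
        for name, pkt in INBOUND.items():
            action, idx = evaluate(parse_acl(text)[199], *pkt)
            print(f"  {name:<30} {action:<6} rule {'implicit deny' if idx is None else idx}")
    for title, text in (("ACL 101, deny lines appended", ACL_101_APPENDED), ("ACL 101, deny lines first", ACL_101_FIXED)):
        action, idx = evaluate(parse_acl(text)[101], *OUTBOUND_REPLY)
        print(f"{title}: reply from 10.10.0.1:443 -> {action} (rule {idx})")
```

Without the trailing permit, the forwarded HTTPS is dropped by the implicit deny even though nothing in the list mentions port 443; and in the appended version of list 101, the reply from 10.10.0.1:443 hits the permit at rule 0 and the deny lines are dead entries.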
Related Articles, References, Credits, or External Links
2. Save the new config > File > “Save Running Configuration to flash”.
Cisco PIX (Version 6) Firewalls – Disable Web Management
If you are stuck on version 6, i.e. you are running a PIX 506E or PIX 501, then you CANNOT change the PDM port. Your only option is to disable the PDM if you want to port forward HTTPS / SSL / TCP Port 443.
Related Articles, References, Credits, or External Links
AnyConnect runs over TCP port 443 (That’s HTTPS/SSL), but if you only have one public IP and need to forward that port to a web server or internal host then you are a bit snookered. You can of course change the port that AnyConnect runs over, so that it’s no longer on TCP port 443.
Why you would NOT want to do this.
Bear in mind that HTTPS is a well-known port, and it’s open in most places for secure web traffic: you use it when you purchase things over the internet, or do your banking. For that reason it’s allowed from most networks and through most firewalls, which is what makes AnyConnect so handy. If you change the port then you may have some connection problems from restrictive networks. Note also that the DTLS (UDP) side of AnyConnect has its own port setting (dtls-port) that also defaults to 443, so if you need UDP 443 forwarded as well, that has to be moved too.
Solution
Assuming you accept the potential problems and want to swap the port over then do the following.
3. You can’t change the port while AnyConnect is enabled on the interface, so you need to disable it, change the port, then re-enable it (in this example I’ve changed it to port 444).
[box]
PetesASA(config)# webvpn
PetesASA(config-webvpn)# no enable outside
WARNING: Disabling webvpn removes proxy-bypass settings.
Do not overwrite the configuration file if you want to keep existing proxy-bypass commands.
INFO: WebVPN and DTLS are disabled on 'outside'.
PetesASA(config-webvpn)# port 444
PetesASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
PetesASA(config-webvpn)#
[/box]
4. Save the changes with a write mem command.
[box]
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: f3645705 ae6bafda c5606697 ecd61948
9830 bytes copied in 1.550 secs (9830 bytes/sec)
[OK]
PetesASA(config)#