Moving the external interface of a Juniper SA 4500 SSL-VPN appliance to a different IP subnet is not an entirely illogical procedure, but due to the many interdependencies between configuration elements, the exact workflow is somewhat non-obvious. It's also not mentioned in the official system documentation. In this case, I was working on an SA 4500 active/passive cluster running R7.1 software.
The main problem is that all IP addresses on the external interface have to be from the same subnet - and it's not possible to define additional VLANs with other address ranges on the external side. It's also not possible to move any part of the external interface configuration to a new subnet as long as there's still configuration from the old address range somewhere on the system.
2. Useful preparation steps
- Configuration backup: Archiving -> Local Backups -> Save Configuration
- A migration plan: a mapping from old to new external IP addresses on the system, plus preparation for the required DNS changes. You'll need the Netmask and Default Gateway of your external port, the external IP addresses of all cluster members, the external cluster VIP, and any addresses used on external Virtual Ports.
- As long as you are only using SSL transport (and not IPsec), a NAT gateway in front of the SA is also a great help: just do destination NAT from the old to the new addresses, and the DNS changes can be postponed to any later time without further interruption of service.
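A small consistency check for such a migration plan, added here as an example and not part of the original post. It enforces the constraint described above (every external address, cluster members, VIP and Virtual Ports alike, must sit in the one subnet defined by Netmask and Default Gateway) on both the old and the new side, and emits the old-to-new pairs for the destination NAT gateway. The addresses and hostnames are constructed sample values.

```python
import ipaddress

# Constructed sample migration plan (old -> new) for both cluster nodes, the
# cluster VIP and two external Virtual Ports. Not taken from the original post.
PLAN = {
    "netmask": ("255.255.255.0", "255.255.255.128"),
    "gateway": ("198.51.100.1", "203.0.113.1"),
    "node1": ("198.51.100.10", "203.0.113.10"),
    "node2": ("198.51.100.11", "203.0.113.11"),
    "vip": ("198.51.100.12", "203.0.113.12"),
    "vport vpn.example.com": ("198.51.100.20", "203.0.113.20"),
    "vport partner.example.com": ("198.51.100.21", "203.0.113.21"),
}

META_KEYS = ("netmask", "gateway")


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent.

    For the old and the new side separately: every external address must lie in
    the single subnet given by netmask + gateway, must not collide with the
    network, broadcast or gateway address, and must not be assigned twice.
    """
    problems = []
    for side, idx in (("old", 0), ("new", 1)):
        gw = ipaddress.ip_address(plan["gateway"][idx])
        net = ipaddress.ip_network(f"{gw}/{plan['netmask'][idx]}", strict=False)
        seen = set()
        for name, pair in plan.items():
            if name in META_KEYS:
                continue
            addr = ipaddress.ip_address(pair[idx])
            if addr not in net:
                problems.append(f"{side}: {name} {addr} is outside {net}")
            elif addr in (net.network_address, net.broadcast_address, gw):
                problems.append(f"{side}: {name} {addr} collides with net/bcast/gw")
            if addr in seen:
                problems.append(f"{side}: {name} {addr} is assigned twice")
            seen.add(addr)
    return problems


def dnat_rules(plan):
    """(old, new) pairs for a destination NAT gateway in front of the SA, so DNS
    changes can wait. Only valid for SSL transport, not IPsec."""
    return [(old, new) for name, (old, new) in plan.items() if name not in META_KEYS]


if __name__ == "__main__":
    for problem in check_plan(PLAN):
        print("PROBLEM:", problem)
    for old, new in dnat_rules(PLAN):
        print(f"DNAT {old} -> {new}")
```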
3. Sequence of configuration changes to remove all external IP addresses
- Configuration -> Certificates -> Device Certificates has a list of SSL certs for all hostnames on the appliance. Each Certificate is bound to one or more Internal or External Virtual Ports. Remove all Selected Virtual Ports from any Certificate that's bound to an External Virtual Port.
- Network -> External Port -> Virtual Ports shows all the additional external addresses configured on the SSL VPN gateway. Select "Settings for: Entire Cluster" and delete all external Virtual Ports.
- Now that all External Virtual Ports are gone, it's possible to disable the External Interface entirely (in fact, it can be disabled at any time, but then the Virtual Ports are locked and can't be deleted): go to Network -> External Port -> Settings, make sure to select Settings For: Entire Cluster and change Use Port? to Disabled. When navigating away from the page, note that the UI likes to jump to the configuration of the active cluster member, and Settings For: Entire Cluster has to be reselected from the Network Settings menu.
- On the disabled port, all IP configuration can be removed: just delete Netmask and Default Gateway for the Cluster.
- Delete the IP Addresses for each cluster member: Network -> External Port -> Settings, switching the view between all nodes using the Settings For: dropdown.
- Remove the External VIP from Clustering -> Properties
4. Reenable networking on the external interface
With this, all external IP configuration is removed, and it's possible to reconfigure everything, starting from cluster settings for the external interface:
- Network -> External Port -> Settings, choose Settings For: Entire Cluster, enter Default Gateway and Netmask (which defines the subnet used on the external port)
- Switch through the cluster nodes and add an external IP Address from that subnet on each member
- Clustering -> Properties, add a new External VIP from the same network
- Reenable networking on the external Port: Network -> External Port -> Settings, Use Port? Enabled
- Add all the new Virtual Ports under Network -> External Port -> Virtual Ports
- Restore the binding between SSL certificates and your Virtual Ports on the Configuration -> Certificates -> Device Certificates page.
That's it for the SSL-VPN configuration. Now you just need to make sure your destination NAT is in place (or that all DNS entries for addresses on your gateway have been changed to the new addresses).