How to publish web resource using proxy pass-through with different FQDN and certificates

Sometimes you would like to publish certain web resources, like Microsoft ActiveSync or Exchange auto discovery URLs, on the internet using different FQDNs and SSL certificates.

If you have a Juniper SA or MAG you are able to do this without the need of extra user licenses.

In this example I’m using the following Lab setup:


As you can see, I have a Juniper SA through which I would like to publish two resources on the internet: the normal Juniper SA portal access using the FQDN and an ActiveSync synchronization URL using the FQDN. Apart from that, I want both resources to use valid certificates. Note that the use of a wildcard certificate in this scenario is not an option, as both domain names differ ( vs.

To realize this setup follow the steps below:

  • Log in to the Admin portal of your Juniper SA or MAG
  • Browse to System -> Network -> Internal Port -> Virtual Ports

– Create a new virtual port using the beginning of the FQDN you would like the ActiveSync clients to connect to:

sa virtual port

  • Browse to System -> Configuration -> Certificates -> Device Certificates

– Import a valid or self-signed certificate for the FQDN you would like ActiveSync clients to connect to

– In our case this is

– Bind this certificate to the virtual port you created earlier

sa cert

*Note that the certificate is already bound to the internal interface. If you would like to use a different certificate for this, follow steps 5 and bind the certificate to the internal interface.

  • Browse to Users -> User Roles

– Create a new User Role with the following options set:

– Session Options

– UI Options

– Access features -> Web options

sa roles

sa roles-2

  • Browse to Authentication -> Signing In -> Sign-In Policies

– Create a new URL

sa sign-in-01

– Specify that it is for Authorization Only Access and enter the following information:

– Enter the FQDN in the Virtual Hostname field (

– Enter the IP or URL of the backend server *note URL paths are not supported (

– Select No Authorization in the Authorization Server field

– Select the user role you created earlier

* Optionally, select Allow ActiveSync Traffic Only if this is only to be used for mail synchronization

sa sign-in-02

  • Create an external DNS registration for the FQDN you would like ActiveSync clients to connect to, in our example
  • Check you are able to reach the website and check the User Log entries:

sa -log
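A scripted version of the final check, as an added example that is not part of the original post: it connects to each published FQDN, validates the certificate, and confirms the certificate covers that name, which also shows why one wildcard certificate cannot serve two different domains. The hostnames and addresses (`portal.example.com`, `sync.example.net`, `192.0.2.x`) are constructed placeholders and the helper names are hypothetical.

```python
import socket
import ssl

def name_matches(pattern, hostname):
    """Certificate name match: '*' may only be the entire leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False            # a wildcard never spans more than one label
    if p[0] == "*":
        return p[1:] == h[1:]   # the parent domain must be identical
    return p == h

def cert_covers(cert, hostname):
    """cert is the dict returned by ssl.SSLSocket.getpeercert()."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(name_matches(s, hostname) for s in sans)

def fetch_cert(address, hostname, port=443, timeout=5.0):
    """TLS-connect to address, validating chain and name for hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((address, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()

def check_published(targets, fetch=fetch_cert):
    """targets maps each published FQDN to the address to connect to."""
    results = {}
    for fqdn, address in targets.items():
        try:
            cert = fetch(address, fqdn)
            results[fqdn] = "ok" if cert_covers(cert, fqdn) else "name mismatch"
        except ssl.SSLCertVerificationError as exc:
            results[fqdn] = "verification failed: " + exc.verify_message
        except OSError as exc:
            results[fqdn] = "unreachable: " + str(exc)
    return results

# Constructed sample data: two unrelated domains, one wildcard certificate.
WILDCARD = {"subjectAltName": (("DNS", "*.example.com"),)}
SYNC = {"subjectAltName": (("DNS", "sync.example.net"),)}

if __name__ == "__main__":
    # Replace the placeholder names/addresses with your own before running.
    print(check_published({"portal.example.com": "192.0.2.10",
                           "sync.example.net": "192.0.2.11"}))
```

A self-signed certificate on the virtual port is reported as a verification failure, because the default context only trusts the system CA store.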

Posted on August 1, 2013, in Juniper, Juniper SA - MAG.
