
How to open Juniper SSG port for Openfire Fastpath Webchat

Posted on 2009-04-07
Last Modified: 2012-05-06
I'm trying to use an Openfire Fastpath Webchat on our website. But I'm having a problem with the ports in our firewall, a Juniper SSG20.

Basically, I needed to allow port 9090 from our website (so I think the internet is the initiator) to our IM Server (Say 196.0.0.100).

Can someone please tell me how to go about doing this?

Our firewall setup is:
1. Internet Zone, public ip
2. DMZ (The IM Server is in DMZ), 192.0.0.0
3. Local Intranet Zone, 193.0.0.0
Question by: SW111

Accepted Solution by: ccreamer_22
OK, here is the basic setup for this. If you have to use the same public IP for multiple services hosted on different servers in the DMZ, that is a little more involved. Let me know, and I can post directions on how to do that as well.

(Ignore this first step if you have already created a MIP (Mapped IP) for this server from untrust to trust.)
1. Create a MIP for the IM server in your DMZ. On your firewall go to Network > Interfaces and select Edit next to untrust. At the properties up top choose MIP, then select New at the right. Use an untrust IP for the server and a DMZ IP for the DMZ address of the IM server. Press OK.

(Ignore this second step if you have already created a custom service for this.)
2. Create the custom service for the port. Go to Objects > Services > Custom. Click New. Select TCP or UDP or both and use the destination 9090 for the low and high port. Choose a port timeout for it. This usually requires some research into how the protocol you are using works and how long the session needs to be open for packets to pass through before a new session is initialized in the packet header. Make a name for it, then press OK.

3. Create a policy for untrust to DMZ. For the untrust address choose "Any". For the trust address choose the MIP that you created. For the service use the custom service you created. Press OK.

4. Move the policy as high up the list as possible so that nothing else in the policy list denies this service. You can usually test to make sure that this is open by first using telnet to port 9090 on the server IP in the DMZ, then check to see if you get the same results by telnetting to the same port on the IP address of the MIP. If the protocol will not connect or gives you a blank screen, add ping to the policy by selecting multiple services in the policy and adding PING to it. Make sure you can ping the server in the DMZ before you decide that the policy is not working.
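The four WebUI steps from the accepted solution, written out as the equivalent ScreenOS CLI commands. This is an added example, not part of the thread or of Juniper's documentation. It assumes the SSG20's untrust interface is ethernet0/0 with public address 203.0.113.10 (a placeholder), that the IM server is 196.0.0.100 in the dmz zone (the asker's placeholder), that policy ID 10 is unused, and that policy 20 stands in for the first existing policy that would otherwise match the traffic. Lines beginning with # are explanatory comments, not CLI input.

```screenos
# Step 1: one-to-one MIP on the untrust interface pointing at the DMZ host.
# A MIP maps every port of the public address to the DMZ host; it is the
# destination object the policy below refers to.
set interface ethernet0/0 mip 203.0.113.10 host 196.0.0.100 netmask 255.255.255.255 vr trust-vr

# Step 2: custom service for TCP/9090. "timeout" is the idle time in minutes
# before the session entry is dropped; 30 matches the TCP default.
set service "Openfire-9090" protocol tcp src-port 0-65535 dst-port 9090-9090 timeout 30

# Step 3: untrust -> dmz policy. The destination is the MIP object, not the
# real DMZ address. "any" as source is what the answer describes; if only the
# web server needs to reach 9090, put its address here instead.
set policy id 10 from untrust to dmz any mip(203.0.113.10) "Openfire-9090" permit log

# Step 4: order it above the broader policy that would otherwise deny it
# (20 is a placeholder for that policy's ID).
set policy move 10 before 20

# Check: with a test connection open from outside, a session entry should
# show the translated destination. No entry means the policy never matched.
get session dst-ip 196.0.0.100 dst-port 9090

save
```

Two practical points. First, a MIP exposes every port of the public address to the DMZ host, so the policy's service list is the only thing limiting what reaches the IM server; keep it to the custom service rather than "ANY". Second, TCP/9090 is also the port Openfire serves its admin console on by default, so prefer the web server's address over "any" as the source if the webchat traffic really originates from your own web server rather than from visitors' browsers.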
 

Author Comment by: SW111
Thanks for your reply, ccreamer22.
I will, in fact, be using multiple servers with only 1 public IP. So it is much preferable to be able to assign/map different ports to different servers in the DMZ.
 

Author Closing Comment by: SW111
Ok. Figured out what to do. So instead of MIP, we're using VIP now, for port specific forwarding.
Thanks, ccreamer22
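The VIP approach the asker settled on, as an added example that is not part of the thread: one public address, with individual ports forwarded to different DMZ hosts. It assumes the untrust interface is ethernet0/0 and the VIP uses that interface's own IP, that the IM server is 196.0.0.100 (the asker's placeholder), and that a second DMZ host 196.0.0.101 (a placeholder) should receive HTTPS on the same public address. The policy address form vip(ethernet0/0) is the one ScreenOS uses for a VIP bound to the interface IP; if your firmware lists the VIP under an explicit address in `get interface ethernet0/0`, use vip(<that address>) instead. Lines beginning with # are comments, not CLI input.

```screenos
# Custom service for the webchat port (HTTPS is a predefined service).
set service "Openfire-9090" protocol tcp src-port 0-65535 dst-port 9090-9090 timeout 30

# VIP entries: <public port> <service> <DMZ host>. Each line forwards exactly
# one port of the interface's public IP to one DMZ host, which is what lets
# several servers share a single public address.
set interface ethernet0/0 vip interface-ip 9090 "Openfire-9090" 196.0.0.100
set interface ethernet0/0 vip interface-ip 443 HTTPS 196.0.0.101

# Policies name the VIP as destination; the service picks which port
# mapping each policy permits, so one policy per exposed port.
set policy from untrust to dmz any vip(ethernet0/0) "Openfire-9090" permit log
set policy from untrust to dmz any vip(ethernet0/0) HTTPS permit log

save
```

Two checks worth doing. A VIP on the interface IP cannot share a port with a management service enabled on that interface (WebUI over SSL on 443 is the usual collision), so if the vip command for 443 is refused, disable that management option on ethernet0/0 or move the admin port before retrying. And unlike a MIP, nothing is reachable through a VIP except the ports you list, so confirm with `get interface ethernet0/0` that only the intended port-to-host entries exist.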
