Go Premium for a chance to win a PS4. Enter to Win


Open Ports 987 & 1723 on Juniper SSG 520

Posted on 2009-04-14
Medium Priority
Last Modified: 2012-05-06
I have been using Cisco products in my years of networking and now a new company I am at has a Juniper SSG 520 router.

I understand why a lot of people are going to Juniper, but I need to open ports 987 & 1723.

This router was configured before I came to the company and it has everything open as I have looked, but I am not sure where to open these 2 other ports.  

Can someone assist me in opening these ports so SharePoint can work as well as the Windows VPN setup from the Small Business Server 2008?

Another quick question.  What is the proper way to restart the SSG?

Question by:ntbvincebowers
  • 3
  • 3
  • 2
LVL 18

Expert Comment

by:Sanga Collins
ID: 24144588
# reset
from the console should restart the device

there are two ways you can do that depending on your setup. if you have multiple static ip's from your ISP, you can use MIPs with corresponding policies to allow traffic on those ports. this is the best way IMO. if you have a single dynamic ip, you can use a VIP with multi-port enabled to get results.

post some more details so we can provide a better answer
LVL 18

Expert Comment

ID: 24145536
To open up certain ports you will need to do the following:

1.  Confirm that there is a service object for the port you want opened if it is not there, then you must create a new one
2.  Create a policy to allow or deny the required traffic,

ie from untrust to trust any mypc service_1723 permit log

3.  If you want to do any natting on the ports, ie the MIPs, DIPs and VIPs as above, then this can be applied also.

As above, give us a bit more info on what direction you want the traffic to be opened from and also if NAT is to be used

Author Comment

ID: 24147087
We have 24 Public IP's we can use. We are using 6 already. This SSG is using MIP protocol.

I did go to the untrust area of the MIP and map a public IP to a Private for SharePoint server.  I am trying to find where to restart the router to accept this change. I created a (New MIP with UnTrust to Trust) 67.xxx.xxx.xx to This is the SharePoint server private IP and the Public IP it is assigned. I made our Domain Provider see the Public IP to point at the ShrePoint server.

I want to know have the router open incoming and outgoing ports for 987.

I know just doing a Map Ip is not opening up the 987 port. I have it opened on the server. I like to know where to create the rules for port 987 for incoming and outgoing for

Where is the restart option for this Firewall / VPN /Router?  Do I need to telnet or is there an option in the GUI? I ask because I am not seeing any options in the GUI area. As said earlier I am learning this application from scratch.

I just ordered a SSG 20 for my home network so I can study the OS.

I do know how to route traffic but this is a big jump from the Cisco ASA Firewalls and 1800 - 2800 Routers.

Where on the SSG 520 do I go to create the rules? If I am guided to right area, and have it explained to where in the OS to actually open the 987 port as well as 1723, then I can breathe and take some time to really learn this SSG technology.

This device is being used with live production servers so I cannot redo anything. I don't want to pay $$$$ to configure 2 ports at this time.

I do appreciate the assistance here.

Please let me know what other type of information is needed.

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

LVL 18

Accepted Solution

deimark earned 2000 total points
ID: 24147289
If the MIP is already confogured successfully, then all we need to do is create the services (if needed) and then apply a policy to allow the traffic

For this example, I am using Screenos 6.2 and the web UI
To create the service, do the following:

1.  Go to Policy > Policy Elements > Services > Predefined
2.  Check the list to see if the service you are looking for on ports 987 amd 1723 are there
3.  If they are there, go to step 6, if not go to step 4
4.  Go to Policy > Policy Elements > Services > Custom
5.  Create new service with required parameters
6.  Ensure you already have an address object for the destination host, ie
7.  Create 2 policies as follows:

To allow incoming traffic to MIP on the required ports

From untrust to trust any MIP<67.xxx.xxx.xx as above> <specific 2 services as created above> permit log

To allow outgoing traffic (if required or not already configured through another policy)

From trust to untrust < address object> <whatever service you want> permit log

Although those policies are using CLI syntax, you can create them easily using the web ui.

Once you created the sevices, objects and policies and clicked OK or aspply, the policies are live.  

There is no need to restart the firewall at all!!!!!!!

You can reboot the firewall by either entering "reset" on CLI or via Web UI at : Configuration > Update > ScreenOS/Keys where there is a reset button.

IN summary tho, the MIP is just the one to one nat mapping for inbound and outbound traffic.  As you correctly say, this does not allow or open any ports, this needs to be done via a policy as above.

LVL 18

Expert Comment

by:Sanga Collins
ID: 24148281
deimark: beat me to the punch!!!!

What i did when first learning the juniper was to create the MIP to the correct LAN ip, create the policy from untrust to trust specifying the MIP as the destination, then i tested to make sure it worked with a policy that didnt restrict any ports or source ips, once i confirmed that it did what it was supposed to do, i then locked down the policy to the specific ports that i required for the server.

you can also post you config. i find it easier to troubleshoot by looking at someones config because it reveals settings that you might not have thought about since you are just starting with juniper devices (which IMO are some of the best out there)

Author Comment

ID: 24165010
I am using Version: 5.4.0r1.0 (Firewall+VPN)

I did find the Custom Option which I gave it the following port config,

SharePoint                   TCP src port: 987-987, dst port: 987-987 30                Edit              In Use

Is the above the proper way to assign ports for sharepoint using a SSG?  I know 987 is MS Default, but please look at the TCP and dst ports.  I don't need to have it showing 0 to 987, do I?

I need to configure the sharepoint software to see if this takes.

I will report back tomorrow and close the question after I give the points.

LVL 18

Assisted Solution

deimark earned 2000 total points
ID: 24165621
For the src port, I would leave this as open as you can, its the dst port thats more important bud.

ie src port of 0-65535 (or whatever the top number is)

Author Closing Comment

ID: 31570208
I am using Junos 5.4 and the solution provided was for Junos 6 which still allowed us to put in the correct numbers

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question