
Open Ports 987 & 1723 on Juniper SSG 520

Posted on 2009-04-14
Medium Priority
Last Modified: 2012-05-06
I have been using Cisco products in my years of networking and now a new company I am at has a Juniper SSG 520 router.

I understand why a lot of people are going to Juniper, but I need to open ports 987 & 1723.

This router was configured before I came to the company and it has everything open as I have looked, but I am not sure where to open these 2 other ports.  

Can someone assist me in opening these ports so SharePoint can work as well as the Windows VPN setup from the Small Business Server 2008?

Another quick question.  What is the proper way to restart the SSG?

Question by:ntbvincebowers
LVL 18

Expert Comment

by:Sanga Collins
ID: 24144588
# reset
from the console should restart the device

There are two ways you can do that depending on your setup. If you have multiple static IPs from your ISP, you can use MIPs with corresponding policies to allow traffic on those ports. This is the best way IMO. If you have a single dynamic IP, you can use a VIP with multi-port enabled to get results.

post some more details so we can provide a better answer
LVL 18

Expert Comment

ID: 24145536
To open up certain ports you will need to do the following:

1.  Confirm that there is a service object for the port you want opened; if it is not there, then you must create a new one.
2.  Create a policy to allow or deny the required traffic,

ie from untrust to trust any mypc service_1723 permit log

3.  If you want to do any natting on the ports, ie the MIPs, DIPs and VIPs as above, then this can be applied also.

As above, give us a bit more info on what direction you want the traffic to be opened from and also if NAT is to be used

Author Comment

ID: 24147087
We have 24 public IPs we can use. We are using 6 already. This SSG is using MIP protocol.

I did go to the untrust area of the MIP and mapped a public IP to a private one for the SharePoint server.  I am trying to find where to restart the router to accept this change. I created a new MIP (Untrust to Trust) from the SharePoint server's private IP to the public IP it is assigned. I made our domain provider point the public IP at the SharePoint server.

I want to know how to have the router open incoming and outgoing ports for 987.

I know just doing a Map IP is not opening up the 987 port. I have it opened on the server. I'd like to know where to create the rules for port 987 for incoming and outgoing for

Where is the restart option for this Firewall / VPN /Router?  Do I need to telnet or is there an option in the GUI? I ask because I am not seeing any options in the GUI area. As said earlier I am learning this application from scratch.

I just ordered a SSG 20 for my home network so I can study the OS.

I do know how to route traffic but this is a big jump from the Cisco ASA Firewalls and 1800 - 2800 Routers.

Where on the SSG 520 do I go to create the rules? If I am guided to right area, and have it explained to where in the OS to actually open the 987 port as well as 1723, then I can breathe and take some time to really learn this SSG technology.

This device is being used with live production servers so I cannot redo anything. I don't want to pay $$$$ to configure 2 ports at this time.

I do appreciate the assistance here.

Please let me know what other type of information is needed.

LVL 18

Accepted Solution

deimark earned 2000 total points
ID: 24147289
If the MIP is already configured successfully, then all we need to do is create the services (if needed) and then apply a policy to allow the traffic.

For this example, I am using ScreenOS 6.2 and the web UI.
To create the service, do the following:

1.  Go to Policy > Policy Elements > Services > Predefined
2.  Check the list to see if the services you are looking for on ports 987 and 1723 are there
3.  If they are there, go to step 6, if not go to step 4
4.  Go to Policy > Policy Elements > Services > Custom
5.  Create new service with required parameters
6.  Ensure you already have an address object for the destination host, ie
7.  Create 2 policies as follows:

To allow incoming traffic to MIP on the required ports

From untrust to trust any <MIP as above> <specific 2 services as created above> permit log

To allow outgoing traffic (if required or not already configured through another policy)

From trust to untrust < address object> <whatever service you want> permit log

Although those policies are using CLI syntax, you can create them easily using the web UI.

Once you have created the services, objects and policies and clicked OK or Apply, the policies are live.

There is no need to restart the firewall at all!!!!!!!

You can reboot the firewall by either entering "reset" on CLI or via Web UI at : Configuration > Update > ScreenOS/Keys where there is a reset button.

In summary though, the MIP is just the one-to-one NAT mapping for inbound and outbound traffic.  As you correctly say, this does not allow or open any ports; this needs to be done via a policy as above.

LVL 18

Expert Comment

by:Sanga Collins
ID: 24148281
deimark: beat me to the punch!!!!

What I did when first learning the Juniper was to create the MIP to the correct LAN IP, create the policy from untrust to trust specifying the MIP as the destination, then I tested to make sure it worked with a policy that didn't restrict any ports or source IPs. Once I confirmed that it did what it was supposed to do, I then locked down the policy to the specific ports that I required for the server.

You can also post your config. I find it easier to troubleshoot by looking at someone's config because it reveals settings that you might not have thought about since you are just starting with Juniper devices (which IMO are some of the best out there).

Author Comment

ID: 24165010
I am using Version: 5.4.0r1.0 (Firewall+VPN)

I did find the Custom Option which I gave it the following port config,

SharePoint                   TCP src port: 987-987, dst port: 987-987 30                Edit              In Use

Is the above the proper way to assign ports for SharePoint using an SSG?  I know 987 is the MS default, but please look at the TCP and dst ports.  I don't need to have it showing 0 to 987, do I?

I need to configure the sharepoint software to see if this takes.

I will report back tomorrow and close the question after I give the points.

LVL 18

Assisted Solution

deimark earned 2000 total points
ID: 24165621
For the src port, I would leave this as open as you can; it's the dst port that's more important, bud.

ie src port of 0-65535 (or whatever the top number is)
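Taken together, the accepted answer above (custom services, an address object, an inbound policy to the MIP plus an outbound one, no reboot needed) and the src-port advice just given correspond to the following ScreenOS CLI. This is an added illustration, not anything posted in the thread or Juniper's own documentation. Every IP address, zone interface and object name is a placeholder (the public address is from the TEST-NET-3 documentation range, the private one from RFC 1918); lines starting with # are annotations, not commands. The syntax shown is the same in ScreenOS 5.4 and 6.2.

```screenos
# Added example (not from the thread): deimark's steps expressed in ScreenOS CLI.
# All addresses, names and the interface below are placeholders; substitute your own.

# 1. Custom services. The source port is left wide open (0-65535) as advised above;
#    only the destination port is pinned. If the Predefined list already has an
#    entry for 1723, use that instead of creating a custom one.
set service "SharePoint-987" protocol tcp src-port 0-65535 dst-port 987-987
set service "PPTP-1723" protocol tcp src-port 0-65535 dst-port 1723-1723

# 2. Address object for the internal server in the Trust zone.
set address "Trust" "sharepoint-srv" 192.168.10.25 255.255.255.255

# 3. One-to-one MIP on the untrust interface. This only maps the public address
#    to the private one; by itself it opens no ports.
set interface ethernet0/0 mip 203.0.113.10 host 192.168.10.25 netmask 255.255.255.255 vr "trust-vr"

# 4a. Inbound policy: Untrust -> Trust, destination is the MIP, permitted only for
#     the two services created above, logged. Entering the policy context adds
#     the second service to the same rule instead of creating a second policy.
set policy id 10 from "Untrust" to "Trust" "Any" "MIP(203.0.113.10)" "SharePoint-987" permit log
set policy id 10
set service "PPTP-1723"
exit

# 4b. Outbound policy, only needed if no existing Trust -> Untrust rule already
#     covers the server.
set policy id 11 from "Trust" to "Untrust" "sharepoint-srv" "Any" "ANY" permit log

# Policies are live as soon as they are entered; no reboot. Write the running
# configuration to flash so it survives a reset.
save
```

Two practical notes. First, following Sanga Collins's approach, the inbound policy is the place to tighten later: once the MIP is proven to work, narrow the source from "Any" to the address objects that actually need access and keep the service list to exactly the two ports. Second, a Windows PPTP VPN carries its tunnel traffic over GRE (IP protocol 47) in addition to the TCP 1723 control channel, so a policy permitting only TCP 1723 will let the client connect but not pass tunnel data; the GRE service has to be added to the same inbound policy for the VPN to work.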

Author Closing Comment

ID: 31570208
I am using Junos 5.4 and the solution provided was for Junos 6 which still allowed us to put in the correct numbers
