Open Ports 987 & 1723 on Juniper SSG 520

I have been using Cisco products in my years of networking and now a new company I am at has a Juniper SSG 520 router.

I understand why a lot of people are going to Juniper, but I need to open ports 987 & 1723.

This router was configured before I came to the company and it has everything open as I have looked, but I am not sure where to open these 2 other ports.  

Can someone assist me in opening these ports so SharePoint can work as well as the Windows VPN setup from the Small Business Server 2008?

Another quick question.  What is the proper way to restart the SSG?

Who is Participating?

Improve company productivity with a Business Account.Sign Up

deimarkConnect With a Mentor Commented:
If the MIP is already confogured successfully, then all we need to do is create the services (if needed) and then apply a policy to allow the traffic

For this example, I am using Screenos 6.2 and the web UI
To create the service, do the following:

1.  Go to Policy > Policy Elements > Services > Predefined
2.  Check the list to see if the service you are looking for on ports 987 amd 1723 are there
3.  If they are there, go to step 6, if not go to step 4
4.  Go to Policy > Policy Elements > Services > Custom
5.  Create new service with required parameters
6.  Ensure you already have an address object for the destination host, ie
7.  Create 2 policies as follows:

To allow incoming traffic to MIP on the required ports

From untrust to trust any MIP< as above> <specific 2 services as created above> permit log

To allow outgoing traffic (if required or not already configured through another policy)

From trust to untrust < address object> <whatever service you want> permit log

Although those policies are using CLI syntax, you can create them easily using the web ui.

Once you created the sevices, objects and policies and clicked OK or aspply, the policies are live.  

There is no need to restart the firewall at all!!!!!!!

You can reboot the firewall by either entering "reset" on CLI or via Web UI at : Configuration > Update > ScreenOS/Keys where there is a reset button.

IN summary tho, the MIP is just the one to one nat mapping for inbound and outbound traffic.  As you correctly say, this does not allow or open any ports, this needs to be done via a policy as above.

Sanga CollinsSystems AdminCommented:
# reset
from the console should restart the device

there are two ways you can do that depending on your setup. if you have multiple static ip's from your ISP, you can use MIPs with corresponding policies to allow traffic on those ports. this is the best way IMO. if you have a single dynamic ip, you can use a VIP with multi-port enabled to get results.

post some more details so we can provide a better answer
To open up certain ports you will need to do the following:

1.  Confirm that there is a service object for the port you want opened if it is not there, then you must create a new one
2.  Create a policy to allow or deny the required traffic,

ie from untrust to trust any mypc service_1723 permit log

3.  If you want to do any natting on the ports, ie the MIPs, DIPs and VIPs as above, then this can be applied also.

As above, give us a bit more info on what direction you want the traffic to be opened from and also if NAT is to be used
Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

ntbvincebowersAuthor Commented:
We have 24 Public IP's we can use. We are using 6 already. This SSG is using MIP protocol.

I did go to the untrust area of the MIP and map a public IP to a Private for SharePoint server.  I am trying to find where to restart the router to accept this change. I created a (New MIP with UnTrust to Trust) to This is the SharePoint server private IP and the Public IP it is assigned. I made our Domain Provider see the Public IP to point at the ShrePoint server.

I want to know have the router open incoming and outgoing ports for 987.

I know just doing a Map Ip is not opening up the 987 port. I have it opened on the server. I like to know where to create the rules for port 987 for incoming and outgoing for

Where is the restart option for this Firewall / VPN /Router?  Do I need to telnet or is there an option in the GUI? I ask because I am not seeing any options in the GUI area. As said earlier I am learning this application from scratch.

I just ordered a SSG 20 for my home network so I can study the OS.

I do know how to route traffic but this is a big jump from the Cisco ASA Firewalls and 1800 - 2800 Routers.

Where on the SSG 520 do I go to create the rules? If I am guided to right area, and have it explained to where in the OS to actually open the 987 port as well as 1723, then I can breathe and take some time to really learn this SSG technology.

This device is being used with live production servers so I cannot redo anything. I don't want to pay $$$$ to configure 2 ports at this time.

I do appreciate the assistance here.

Please let me know what other type of information is needed.

Sanga CollinsSystems AdminCommented:
deimark: beat me to the punch!!!!

What i did when first learning the juniper was to create the MIP to the correct LAN ip, create the policy from untrust to trust specifying the MIP as the destination, then i tested to make sure it worked with a policy that didnt restrict any ports or source ips, once i confirmed that it did what it was supposed to do, i then locked down the policy to the specific ports that i required for the server.

you can also post you config. i find it easier to troubleshoot by looking at someones config because it reveals settings that you might not have thought about since you are just starting with juniper devices (which IMO are some of the best out there)
ntbvincebowersAuthor Commented:
I am using Version: 5.4.0r1.0 (Firewall+VPN)

I did find the Custom Option which I gave it the following port config,

SharePoint                   TCP src port: 987-987, dst port: 987-987 30                Edit              In Use

Is the above the proper way to assign ports for sharepoint using a SSG?  I know 987 is MS Default, but please look at the TCP and dst ports.  I don't need to have it showing 0 to 987, do I?

I need to configure the sharepoint software to see if this takes.

I will report back tomorrow and close the question after I give the points.

deimarkConnect With a Mentor Commented:
For the src port, I would leave this as open as you can, its the dst port thats more important bud.

ie src port of 0-65535 (or whatever the top number is)
ntbvincebowersAuthor Commented:
I am using Junos 5.4 and the solution provided was for Junos 6 which still allowed us to put in the correct numbers
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.