

Open Ports 987 & 1723 on Juniper SSG 520

Posted on 2009-04-14
Medium Priority
Last Modified: 2012-05-06
I have been using Cisco products in my years of networking and now a new company I am at has a Juniper SSG 520 router.

I understand why a lot of people are going to Juniper, but I need to open ports 987 & 1723.

This router was configured before I came to the company and it has everything open as I have looked, but I am not sure where to open these 2 other ports.  

Can someone assist me in opening these ports so SharePoint can work as well as the Windows VPN setup from the Small Business Server 2008?

Another quick question.  What is the proper way to restart the SSG?

Question by:ntbvincebowers
LVL 18

Expert Comment

by:Sanga Collins
ID: 24144588
# reset
from the console should restart the device

There are two ways you can do that depending on your setup. If you have multiple static IPs from your ISP, you can use MIPs with corresponding policies to allow traffic on those ports. This is the best way IMO. If you have a single dynamic IP, you can use a VIP with multi-port enabled to get results.

post some more details so we can provide a better answer
LVL 18

Expert Comment

ID: 24145536
To open up certain ports you will need to do the following:

1.  Confirm that there is a service object for the port you want opened; if it is not there, then you must create a new one.
2.  Create a policy to allow or deny the required traffic,

ie from untrust to trust any mypc service_1723 permit log

3.  If you want to do any NATting on the ports, i.e. the MIPs, DIPs and VIPs as above, then this can be applied also.

As above, give us a bit more info on what direction you want the traffic to be opened from and also if NAT is to be used

Author Comment

ID: 24147087
We have 24 public IPs we can use. We are using 6 already. This SSG is using MIP protocol.

I did go to the untrust area of the MIP and map a public IP to a private one for the SharePoint server.  I am trying to find where to restart the router to accept this change. I created a (New MIP with UnTrust to Trust) 67.xxx.xxx.xx to the SharePoint server private IP and the public IP it is assigned. I made our domain provider point the public IP at the SharePoint server.

I want to know how to have the router open incoming and outgoing ports for 987.

I know just doing a Map IP is not opening up the 987 port. I have it opened on the server. I would like to know where to create the rules for port 987 for incoming and outgoing for

Where is the restart option for this Firewall / VPN /Router?  Do I need to telnet or is there an option in the GUI? I ask because I am not seeing any options in the GUI area. As said earlier I am learning this application from scratch.

I just ordered a SSG 20 for my home network so I can study the OS.

I do know how to route traffic but this is a big jump from the Cisco ASA Firewalls and 1800 - 2800 Routers.

Where on the SSG 520 do I go to create the rules? If I am guided to right area, and have it explained to where in the OS to actually open the 987 port as well as 1723, then I can breathe and take some time to really learn this SSG technology.

This device is being used with live production servers so I cannot redo anything. I don't want to pay $$$$ to configure 2 ports at this time.

I do appreciate the assistance here.

Please let me know what other type of information is needed.


LVL 18

Accepted Solution

deimark earned 2000 total points
ID: 24147289
If the MIP is already configured successfully, then all we need to do is create the services (if needed) and then apply a policy to allow the traffic.

For this example, I am using ScreenOS 6.2 and the web UI.
To create the service, do the following:

1.  Go to Policy > Policy Elements > Services > Predefined
2.  Check the list to see if the services you are looking for on ports 987 and 1723 are there
3.  If they are there, go to step 6; if not, go to step 4
4.  Go to Policy > Policy Elements > Services > Custom
5.  Create new service with required parameters
6.  Ensure you already have an address object for the destination host, ie
7.  Create 2 policies as follows:

To allow incoming traffic to MIP on the required ports

From untrust to trust any MIP<67.xxx.xxx.xx as above> <specific 2 services as created above> permit log

To allow outgoing traffic (if required or not already configured through another policy)

From trust to untrust < address object> <whatever service you want> permit log

Although those policies are using CLI syntax, you can create them easily using the web UI.

Once you have created the services, objects and policies and clicked OK or Apply, the policies are live.

There is no need to restart the firewall at all!!!!!!!

You can reboot the firewall by either entering "reset" on the CLI or via the Web UI at Configuration > Update > ScreenOS/Keys, where there is a reset button.

In summary though, the MIP is just the one-to-one NAT mapping for inbound and outbound traffic.  As you correctly say, this does not allow or open any ports; this needs to be done via a policy as above.

LVL 18

Expert Comment

by:Sanga Collins
ID: 24148281
deimark: beat me to the punch!!!!

What I did when first learning the Juniper was to create the MIP to the correct LAN IP, create the policy from untrust to trust specifying the MIP as the destination, then I tested to make sure it worked with a policy that didn't restrict any ports or source IPs. Once I confirmed that it did what it was supposed to do, I then locked down the policy to the specific ports that I required for the server.

You can also post your config. I find it easier to troubleshoot by looking at someone's config because it reveals settings that you might not have thought about since you are just starting with Juniper devices (which IMO are some of the best out there).

Author Comment

ID: 24165010
I am using Version: 5.4.0r1.0 (Firewall+VPN)

I did find the Custom option, where I gave it the following port config:

SharePoint    TCP    src port: 987-987, dst port: 987-987    30    Edit    In Use

Is the above the proper way to assign ports for sharepoint using a SSG?  I know 987 is MS Default, but please look at the TCP and dst ports.  I don't need to have it showing 0 to 987, do I?

I need to configure the sharepoint software to see if this takes.

I will report back tomorrow and close the question after I give the points.

LVL 18

Assisted Solution

deimark earned 2000 total points
ID: 24165621
For the src port, I would leave this as open as you can; it's the dst port that's more important, bud.

i.e. src port of 0-65535 (or whatever the top number is)
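The procedure in the accepted answer (custom service object, address object, MIP, untrust-to-trust policy) and the source-port advice just above, as an added example that is not part of this thread and not deimark's or Juniper's code: a small Python generator that emits the equivalent ScreenOS CLI `set` commands and rejects the two port-range mistakes the thread discusses (a destination range entered as 0-987, and a narrowed source range). The IP addresses (RFC 5737 / RFC 1918), the interface name `ethernet0/0`, and the object names are constructed placeholders; it emits one policy per service rather than a service group.

```python
"""Generate ScreenOS 'set' commands for publishing an internal host through a MIP.

Added example for this thread, not the original poster's configuration. All
addresses and object names are constructed placeholders.
"""

from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Service:
    """A custom service object (Policy > Policy Elements > Services > Custom)."""
    name: str
    proto: str            # "tcp" or "udp"
    dst_lo: int           # destination port range the server listens on
    dst_hi: int
    src_lo: int = 0       # source range left wide open, as advised in the thread
    src_hi: int = 65535

    def check(self) -> list[str]:
        """Return readable problems with the port ranges; [] means it looks sane."""
        problems = []
        if self.proto not in ("tcp", "udp"):
            problems.append(f"{self.name}: protocol must be tcp or udp")
        for lo, hi, label in ((self.dst_lo, self.dst_hi, "dst"),
                              (self.src_lo, self.src_hi, "src")):
            if not (0 <= lo <= hi <= 65535):
                problems.append(f"{self.name}: {label} range {lo}-{hi} is invalid")
        # A destination range starting at 0 (e.g. 0-987) is almost always a
        # mis-entered single port; it would permit every port below the one intended.
        if self.dst_lo == 0 and self.dst_hi > 0:
            problems.append(f"{self.name}: dst range {self.dst_lo}-{self.dst_hi} starts at 0; "
                            f"use {self.dst_hi}-{self.dst_hi} for a single port")
        # Clients pick ephemeral source ports, so a narrow src range silently breaks sessions.
        if (self.src_lo, self.src_hi) != (0, 65535):
            problems.append(f"{self.name}: src range {self.src_lo}-{self.src_hi} "
                            "should be 0-65535")
        return problems

    def set_command(self) -> str:
        return (f'set service "{self.name}" protocol {self.proto} '
                f'src-port {self.src_lo}-{self.src_hi} dst-port {self.dst_lo}-{self.dst_hi}')


@dataclass
class PublishedHost:
    """One internal server exposed through a MIP on the untrust interface."""
    obj_name: str                       # address object name in the Trust zone
    private_ip: str
    public_ip: str                      # the MIP address
    services: list[Service] = field(default_factory=list)
    untrust_if: str = "ethernet0/0"     # placeholder interface name


def render(host: PublishedHost) -> list[str]:
    """Emit the ScreenOS commands for the service, address, MIP and policy steps."""
    ip_address(host.private_ip)   # fail on a typo here rather than on the firewall
    ip_address(host.public_ip)
    bad = [p for s in host.services for p in s.check()]
    if bad:
        raise ValueError("; ".join(bad))
    cmds = [s.set_command() for s in host.services]
    cmds.append(f'set address "Trust" "{host.obj_name}" {host.private_ip} 255.255.255.255')
    cmds.append(f'set interface "{host.untrust_if}" mip {host.public_ip} '
                f'host {host.private_ip} netmask 255.255.255.255 vr "trust-vr"')
    # One untrust->trust policy per published service; the destination is the
    # MIP(...) object ScreenOS creates for the public address, so only these
    # ports reach the server even though the MIP itself maps every port.
    for s in host.services:
        cmds.append(f'set policy from "Untrust" to "Trust" "Any" "MIP({host.public_ip})" '
                    f'"{s.name}" permit log')
    return cmds


# Constructed sample standing in for the 67.xxx.xxx.xx public IP and the
# SharePoint server's LAN address mentioned in the thread.
SAMPLE_HOST = PublishedHost(
    obj_name="sharepoint-srv",
    private_ip="192.168.10.20",
    public_ip="203.0.113.10",
    services=[
        Service("SharePoint", "tcp", 987, 987),
        # PPTP control channel; PPTP also carries data over GRE (IP protocol 47),
        # which a TCP-only service object does not cover.
        Service("PPTP-1723", "tcp", 1723, 1723),
    ],
)

if __name__ == "__main__":
    print("\n".join(render(SAMPLE_HOST)))
```

Running the script prints the six commands for the sample host; feeding the table row from the author's Custom service screen through `Service("SharePoint", "tcp", 987, 987).check()` returns an empty list, while the "0 to 987" variant the author asked about is flagged.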

Author Closing Comment

ID: 31570208
I am using Junos 5.4 and the solution provided was for Junos 6 which still allowed us to put in the correct numbers
