open port internally on Juniper SSG5

Posted on 2010-08-16
Last Modified: 2012-05-10
I have inherited a Juniper SSG5. We are using UPS World Ship and I need to open specific ports on the internal network and also allow specific SQL instances to flow freely from the client PCs through the router/firewall to the UPS WS Admin PC.

Can someone please help me out, here?
Question by:evault

Expert Comment

ID: 33450426
By "inherited" do you mean you're taking over one that's in place and working, and you need to add some ports/rules to it, or did someone drop one on your desk and you have to set it up from scratch? Big difference.
If the former, it's not too bad. Just need to look at the policies in place and add new ones where needed.
Part 2 is whether you're looking for specifics for that firewall or do you need a background on firewalls in general, too. :)

Expert Comment

ID: 33450430
Should say, if it's the latter (someone dropped one on your desk) it's going to be a little more work...and will require a decent knowledge of your networking setup as it stands.

Author Comment

ID: 33451604
Inherited as in inherited a mess. I am taking over a project. I know enough about firewalls to feel comfortable working my way around Symantec, SonicWall, Netgear, etc. But Cisco and Juniper are in a different league. I am running UPS World Ship on an XP PC and need to connect to it from remote installs, via the network. In an ideal world I would install the remote workstation, using software located on the 'server' PC, and it would install and then automatically connect over the network, but apparently I don't live in an ideal world.
Here's the actual problem: When I install UPS World Ship on the remote system it runs a clean install and everything goes well, but it will not connect to the 'server' PC. The error message I get says that the firewall may be blocking the port used by UPS WS. Problem is, the firewall on the client AND the server PCs have been disabled. UPS is saying it could be the Juniper as a router/firewall which is blocking the port. I need to be able to convince UPS of two things before I call them back to escalate this. 1) that the Juniper has a rule in place to properly pass through and forward the Port and SQL instance being used by UPS WS; 2) That the port (UDP 1434) on the 'server' PC is actually open and being listened to (which I am not entirely convinced is happening).
Any assistance would be greatly appreciated.

Expert Comment

ID: 33480543
Sorry for the delay in replying - hopefully you've solved this already, but if not:
On the local (server) PC, you can run NETSTAT -A at a command prompt to see what ports are in use/listening. You could also use a GUI tool like cports (http://www.nirsoft.net/utils/cports.html)

As for the juniper, I'm assuming it's in place, up and running, and you have a login and password to it...basically that you can get into the interface. If you can, what you want is "policies" on the left. For this purpose, I would make a rule opening all traffic from the client machine to the server machine (assuming you know both IP addresses, also) and tracking it, so you can see how far the client is getting.
I'm also assuming the interface is the same as the 5GTs I'm looking at right now - I think it's similar at least.

So you want a new policy from the outside, untrusted zone to the inside, trusted zone (on mine it's called v1-untrust and v1-trust, look at the existing policies to be sure) - select the right zones in the dropdowns at the top and click "new".
Within the new policy page put the client IP address as the source address, the server as the destination, set the "service" to ANY, and the action to "permit". Make sure the logging checkbox is checked, also check the "position at top" box (that makes it the first rule processed).
OK to save, and then you can go to "reports" on the left bar, and select "policies" from there. Your new policy should be the first one listed, and you can click on "details" to see traffic coming in.

That should open it up to any kind of connection from the client to the server. Try a connection from the client and see what happens.

Accepted Solution

briandunkle earned 1500 total points
ID: 33480564
If there's already an entry for the "server" machine in the firewall somewhere, it might not let you add it by IP to the rule...you may have to dig out the existing entry instead. You can find those at Objects-->addresses-->list on the left menu.
Also, you'll want /32 after the IP addresses to limit it to that address only, e.g.
In the junipers, there's actually a separate box for the netmask (32) so put the IP in the first box on each line and the netmask in the second.
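The WebUI steps described in the previous comment and this one (address objects with a /32 mask, a permit-ANY policy from the untrusted zone to the trusted zone, logging on, positioned at the top) map onto the ScreenOS command line, which is often quicker to review and to paste into a ticket. The listing below is an added example and not part of the original thread or of any Juniper documentation. The IP addresses, the object names ("client-pc", "ups-server", "ups-sqlbrowser"), and the zone names "Untrust"/"Trust" are assumptions; an SSG5 in a different mode may use "V1-Untrust"/"V1-Trust" as the 5GT in the comment does, so check `get zone` first. Lines starting with `#` are reader notes, not CLI input.

```text
# Confirm which zones are actually in use before writing the policy
get zone

# Address objects: a 255.255.255.255 mask limits each entry to one host
# (the WebUI's "32" netmask box). Names and addresses are assumed values.
set address "Untrust" "client-pc" 10.10.10.5 255.255.255.255
set address "Trust" "ups-server" 192.168.1.20 255.255.255.255

# Troubleshooting policy, as in the comment: ANY service, permit, logged,
# inserted at the top so it is evaluated before every existing rule.
set policy top name "ups-debug" from "Untrust" to "Trust" "client-pc" "ups-server" "ANY" permit log

# Once the client connects and the log shows which port it uses, replace the
# ANY policy with one scoped to that service. UDP 1434 is the port named in
# the question; the service name is assumed.
set service "ups-sqlbrowser" protocol udp src-port 0-65535 dst-port 1434-1434
set policy top name "ups-ws" from "Untrust" to "Trust" "client-pc" "ups-server" "ups-sqlbrowser" permit log

# Write the configuration to flash, then review the policy table and the
# traffic log for the new policy (use the policy id that "get policy" prints)
save
get policy
get log traffic policy 1
```

Leaving the permit-ANY rule in place after the fault is found defeats the purpose of the firewall; once the traffic log shows the client reaching the server on the expected port, unset the debugging policy (`unset policy id <id>`) and keep only the narrowly scoped one. For the second half of the question, whether the server PC is really listening, the comment's `NETSTAT -A` on the XP machine should show a `UDP 0.0.0.0:1434 *:*` line; if it does not, no firewall rule will make the connection work, which is what the closing comment eventually confirms.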

Author Closing Comment

ID: 33528246
Thanks for the assist. Turns out the UPS WorldShip did not listen on the port it was supposed to and this setting is buried in the management tools.

Expert Comment

ID: 33534125
Cool, glad it worked out.
