open port internally on Juniper SSG5

I have inherited a Juniper SSG5. We are using UPS World Ship and I need to open specific ports on the internal network and also allow specific SQL instances to flow freely from the client PCs through the router/firewall to the UPS WS Admin PC.

Can someone please help me out, here?
briandunkle Commented:
If there's already an entry for the "server" machine in the firewall somewhere, it might not let you add it by IP; you may have to dig out the existing entry instead. You can find those at Objects-->Addresses-->List on the left menu.
Also, you'll want /32 after the IP addresses to limit it to that address only, e.g.
In the junipers, there's actually a separate box for the netmask (32) so put the IP in the first box on each line and the netmask in the second.
By "inherited" do you mean you're taking over one that's in place and working, and you need to add some ports/rules to it, or did someone drop one on your desk and you have to set it up from scratch? Big difference.
If the former, it's not too bad. Just need to look at the policies in place and add new ones where needed.
Part 2 is whether you're looking for specifics for that firewall or do you need a background on firewalls in general, too. :)
Should say, if it's the latter (someone dropped one on your desk) it's going to be a little more work...and will require a decent knowledge of your networking setup as it stands.

evault (Author) Commented:
Inherited as in inherited a mess. I am taking over a project. I know enough about firewalls to feel comfortable working my way around Symantec, SonicWall, Netgear, etc. But Cisco and Juniper are in a different league. I am running UPS World Ship on an XP PC and need to connect to it from remote installs, via the network. In an ideal world I would install the remote workstation, using software located on the 'server' PC, and it would install and then automatically connect over the network, but apparently I don't live in an ideal world.
Here's the actual problem: When I install UPS World Ship on the remote system it runs a clean install and everything goes well, but it will not connect to the 'server' PC. The error message I get says that the firewall may be blocking the port used by UPS WS. Problem is, the firewall on the client AND the server PCs have been disabled. UPS is saying it could be the Juniper as a router/firewall which is blocking the port. I need to be able to convince UPS of two things before I call them back to escalate this. 1) that the Juniper has a rule in place to properly pass through and forward the port and SQL instance being used by UPS WS; 2) that the port (UDP 1434) on the 'server' PC is actually open and being listened to (which I am not entirely convinced is happening).
Any assistance would be greatly appreciated.
Sorry for the delay in replying - hopefully you've solved this already, but if not:
On the local (server) PC, you can run NETSTAT -A at a command prompt to see what ports are in use/listening. You could also use a GUI tool like cports (

As for the juniper, I'm assuming it's in place, up and running, and you have a login and password to it...basically that you can get into the interface. If you can, what you want is "policies" on the left. For this purpose, I would make a rule opening all traffic from the client machine to the server machine (assuming you know both IP addresses, also) and tracking it, so you can see how far the client is getting.
I'm also assuming the interface is the same as the 5GTs I'm looking at right now - I think it's similar at least.

So you want a new policy from the outside, untrusted zone to the inside, trusted zone (on mine it's called v1-untrust and v1-trust, look at the existing policies to be sure) - select the right zones in the dropdowns at the top and click "new".
Within the new policy page put the client IP address as the source address, the server as the destination, set the "service" to ANY, and the action to "permit". Make sure the logging checkbox is checked, also check the "position at top" box (that makes it the first rule processed).
OK to save, and then you can go to "reports" on the left bar, and select "policies" from there. Your new policy should be the first one listed, and you can click on "details" to see traffic coming in.

That should open it up to any kind of connection from the client to the server. Try a connection from the client and see what happens.
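The second thing the asker wants to prove (that UDP 1434 on the 'server' PC is really bound) is exactly what the NETSTAT -A suggestion above shows, but reading that table by eye is error-prone. The following is an added example, not code from the thread: it parses Windows-style `netstat -an` output and answers "is this protocol/port bound?" so the result can be shown to UPS before blaming the Juniper. The netstat lines embedded in it are constructed sample output (and deliberately do not include UDP 1434, mirroring what the asker eventually found); `check_live()` runs the real command on the local machine.

```python
"""Check which local ports are actually bound, from `netstat -an` output.

Added example, not from the original thread. Parses the Windows-style
`netstat -an` table and reports whether a given TCP/UDP port is bound.
"""
import re
import subprocess

# Constructed sample of what `netstat -an` prints on Windows.
# UDP rows have no State column; a bound UDP socket shows "*:*" as foreign address.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.55:1051      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
"""

# proto, local ip (IPv4 or [IPv6]), local port, foreign address, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return a list of (proto, local_ip, local_port, state) for each socket row."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, blank lines
        proto, ip, port, _foreign, state = m.groups()
        # UDP rows carry no state; record a bound UDP socket as "BOUND".
        sockets.append((proto, ip, int(port), state or "BOUND"))
    return sockets


def _bound(proto, state):
    # TCP only counts when it is actually waiting for connections.
    return proto == "UDP" or state == "LISTENING"


def is_listening(sockets, proto, port):
    """True if some socket of `proto` is bound to `port` (TCP must be LISTENING)."""
    return any(p == proto and lport == port and _bound(p, state)
               for p, _ip, lport, state in sockets)


def listening_ports(sockets, proto):
    """Sorted, de-duplicated list of bound ports for one protocol."""
    return sorted({lport for p, _ip, lport, state in sockets
                   if p == proto and _bound(p, state)})


def check_live(proto, port):
    """Run the real `netstat -an` on this machine and test one port."""
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    return is_listening(parse_netstat(out), proto, port)


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    print("UDP 1434 bound:", is_listening(socks, "UDP", 1434))   # False in the sample
    print("TCP 1433 listening:", is_listening(socks, "TCP", 1433))  # True
    print("TCP listening ports:", listening_ports(socks, "TCP"))
```

If `check_live("UDP", 1434)` comes back False on the server PC, no firewall policy on the Juniper will make the client connect; fix the listener first, then use the logged permit-any policy described above to confirm the packets are arriving.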
evault (Author) Commented:
Thanks for the assist. Turns out the UPS WorldShip did not listen on the port it was supposed to and this setting is buried in the management tools.
Cool, glad it worked out.