open port internally on Juniper SSG5

I have inherited a Juniper SSG5. We are using UPS World Ship and I need to open specific ports on the internal network and also allow specific SQL instances to flow freely from the client PCs through the router/firewall to the UPS WS Admin PC.

Can someone please help me out, here?
evaultAsked:
briandunkleCommented:
By "inherited" do you mean you're taking over one that's in place and working, and you need to add some ports/rules to it, or did someone drop one on your desk and you have to set it up from scratch? Big difference.
If the former, it's not too bad. Just need to look at the policies in place and add new ones where needed.
Part 2 is whether you're looking for specifics for that firewall or do you need a background on firewalls in general, too. :)
0
briandunkleCommented:
Should say, if it's the latter (someone dropped one on your desk) it's going to be a little more work...and will require a decent knowledge of your networking setup as it stands.
0
evaultAuthor Commented:
Inherited as in inherited a mess. I am taking over a project. I know enough about firewalls to feel comfortable working my way around Symantec, SonicWall, Netgear, etc. But Cisco and Juniper are in a different league. I am running UPS World Ship on an XP PC and need to connect to it from remote installs, via the network. In an ideal world I would install the remote workstation, using software located on the 'server' PC and it would install and then automatically connect over the network, but apparently I don't live in an ideal world.
Here's the actual problem: When I install UPS World Ship on the remote system it runs a clean install and everything goes well, but it will not connect to the 'server' PC. The error message I get says that the firewall may be blocking the port used by UPS WS. Problem is, the firewall on the client AND the server PCs have been disabled. UPS is saying it could be the Juniper as a router/firewall which is blocking the port. I need to be able to convince UPS of two things before I call them back to escalate this. 1) that the Juniper has a rule in place to properly pass through and forward the Port and SQL instance being used by UPS WS; 2) That the port (UDP 1434) on the 'server' PC is actually open and being listened to (which I am not entirely convinced is happening).
Any assistance would be greatly appreciated.
0
briandunkleCommented:
Sorry for the delay in replying - hopefully you've solved this already, but if not:
On the local (server) PC, you can run NETSTAT -A at a command prompt to see what ports are in use/listening. You could also use a GUI tool like cports (http://www.nirsoft.net/utils/cports.html)

As for the Juniper, I'm assuming it's in place, up and running, and you have a login and password to it...basically that you can get into the interface. If you can, what you want is "policies" on the left. For this purpose, I would make a rule opening all traffic from the client machine to the server machine (assuming you know both IP addresses, also) and tracking it, so you can see how far the client is getting.
I'm also assuming the interface is the same as the 5GTs I'm looking at right now - I think it's similar at least.

So you want a new policy from the outside, untrusted zone to the inside, trusted zone (on mine it's called v1-untrust and v1-trust, look at the existing policies to be sure) - select the right zones in the dropdowns at the top and click "new".
Within the new policy page put the client IP address as the source address, the server as the destination, set the "service" to ANY, and the action to "permit". Make sure the logging checkbox is checked, also check the "position at top" box (that makes it the first rule processed).
OK to save, and then you can go to "reports" on the left bar, and select "policies" from there. Your new policy should be the first one listed, and you can click on "details" to see traffic coming in.

That should open it up to any kind of connection from the client to the server. Try a connection from the client and see what happens.
0
briandunkleCommented:
If there's already an entry for the "server" machine in the firewall somewhere, it might not let you add it by IP to the rule...you may have to dig out the existing entry instead. You can find those at Objects-->addresses-->list on the left menu.
Also, you'll want /32 after the IP addresses to limit it to that address only, e.g. 192.168.0.1/32
In the Junipers, there's actually a separate box for the netmask (32) so put the IP in the first box on each line and the netmask in the second.
0
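The same troubleshooting policy that the two comments above build in the WebUI (host address objects with a /32 mask, a logged permit-any from the untrusted zone to the trusted zone, positioned at the top), written as ScreenOS CLI as an added example; it is not from the original thread or from Juniper's documentation. Assumptions: the SSG5 is in route mode with the default zone names "Untrust" and "Trust" (check with `get zone`; the commenter's 5GT used v1-untrust/v1-trust), the addresses 192.168.1.50 (client) and 192.168.0.1 (server) are constructed placeholders, and the lines starting with `#` are annotations for the reader, not commands to paste.

```screenos
# Host objects: a 255.255.255.255 mask is the CLI form of the /32
# the comment above describes (one address, not a subnet).
set address "Untrust" "WS-Client" 192.168.1.50 255.255.255.255
set address "Trust" "WS-Server" 192.168.0.1 255.255.255.255

# Troubleshooting rule: client -> server, any service, permit, logged,
# "top" so it is evaluated before every existing policy.
set policy top from "Untrust" to "Trust" "WS-Client" "WS-Server" "ANY" permit log
save

# Read back the assigned policy id, then watch whether the client's
# packets actually reach the rule (equivalent of Reports -> Policies).
get policy
get log traffic policy <id-from-get-policy>

# Once the client connects, replace the permit-any with a service-specific
# rule. UDP 1434 is the SQL Server Browser; a named SQL instance answers on
# its own TCP port, which must be fixed in SQL Server and permitted too
# (the TCP port below is a placeholder, not a value from the thread).
set service "UPS-WS-SQLBrowser" protocol udp src-port 0-65535 dst-port 1434-1434
set service "UPS-WS-SQLInstance" protocol tcp src-port 0-65535 dst-port <instance-tcp-port>
set group service "UPS-WS"
set group service "UPS-WS" add "UPS-WS-SQLBrowser"
set group service "UPS-WS" add "UPS-WS-SQLInstance"
set policy top from "Untrust" to "Trust" "WS-Client" "WS-Server" "UPS-WS" permit log
unset policy id <id-of-the-permit-any-rule>
save
```

If the traffic log for the permit-any rule stays empty while the client is retrying, the packets are not reaching the firewall on that path at all, and the problem is on the client or the server (as it turned out to be in this thread) rather than in the policy.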
evaultAuthor Commented:
Thanks for the assist. Turns out the UPS WorldShip did not listen on the port it was supposed to and this setting is buried in the management tools.
0
briandunkleCommented:
Cool, glad it worked out.
0