Solved

open port internally on Juniper SSG5

Posted on 2010-08-16
Last Modified: 2012-05-10
I have inherited a Juniper SSG5. We are using UPS World Ship and I need to open specific ports on the internal network and also allow specific SQL instances to flow freely from the client PCs through the router/firewall to the UPS WS Admin PC.

Can someone please help me out, here?
Question by:evault
7 Comments
 
LVL 7

Expert Comment

by:briandunkle
By "inherited" do you mean you're taking over one that's in place and working, and you need to add some ports/rules to it, or did someone drop one on your desk and you have to set it up from scratch? Big difference.
If the former, it's not too bad. Just need to look at the policies in place and add new ones where needed.
Part 2 is whether you're looking for specifics for that firewall or do you need a background on firewalls in general, too. :)
 
LVL 7

Expert Comment

by:briandunkle
Should say, if it's the latter (someone dropped one on your desk) it's going to be a little more work...and will require a decent knowledge of your networking setup as it stands.
 
LVL 1

Author Comment

by:evault
Inherited as in inherited a mess. I am taking over a project. I know enough about firewalls to feel comfortable working my way around Symantec, SonicWall, Netgear, etc. But Cisco and Juniper are in a different league. I am running UPS World Ship on an XP PC and need to connect to it from remote installs, via the network. In an ideal world I would install the remote workstation, using software located on the 'server' PC and it would install and then automatically connect over the network, but apparently I don't live in an ideal world.
Here's the actual problem: When I install UPS World Ship on the remote system it runs a clean install and everything goes well, but it will not connect to the 'server' PC. The error message I get says that the firewall may be blocking the port used by UPS WS. Problem is, the firewall on the client AND the server PCs have been disabled. UPS is saying it could be the Juniper as a router/firewall which is blocking the port. I need to be able to convince UPS of two things before I call them back to escalate this. 1) that the Juniper has a rule in place to properly pass through and forward the Port and SQL instance being used by UPS WS; 2) That the port (UDP 1434) on the 'server' PC is actually open and being listened to (which I am not entirely convinced is happening).
Any assistance would be greatly appreciated.
 
LVL 7

Expert Comment

by:briandunkle
Sorry for the delay in replying - hopefully you've solved this already, but if not:
On the local (server) PC, you can run NETSTAT -A at a command prompt to see what ports are in use/listening. You could also use a GUI tool like cports (http://www.nirsoft.net/utils/cports.html)

As for the Juniper, I'm assuming it's in place, up and running, and you have a login and password to it...basically that you can get into the interface. If you can, what you want is "policies" on the left. For this purpose, I would make a rule opening all traffic from the client machine to the server machine (assuming you know both IP addresses, also) and tracking it, so you can see how far the client is getting.
I'm also assuming the interface is the same as the 5GTs I'm looking at right now - I think it's similar at least.

So you want a new policy from the outside, untrusted zone to the inside, trusted zone (on mine it's called v1-untrust and v1-trust, look at the existing policies to be sure) - select the right zones in the dropdowns at the top and click "new".
Within the new policy page put the client IP address as the source address, the server as the destination, set the "service" to ANY, and the action to "permit". Make sure the logging checkbox is checked, also check the "position at top" box (that makes it the first rule processed).
OK to save, and then you can go to "reports" on the left bar, and select "policies" from there. Your new policy should be the first one listed, and you can click on "details" to see traffic coming in.

That should open it up to any kind of connection from the client to the server. Try a connection from the client and see what happens.
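The reply above suggests NETSTAT -A to confirm the 'server' PC is really listening on UDP 1434. As an added example (not from the thread), this Python script parses the numeric `netstat -an` output of a Windows host and reports whether a given port is bound, and on which address; a service bound only to 127.0.0.1 looks "open" locally yet can never be reached from a remote WorldShip client, which is a failure mode worth ruling out before blaming the firewall. The sample netstat output is constructed.

```python
import re
from typing import List, NamedTuple


class Socket(NamedTuple):
    proto: str   # "TCP" or "UDP"
    addr: str    # local address the socket is bound to
    port: int
    state: str   # "LISTENING", "ESTABLISHED", ... ; "" for UDP rows


# Data rows of Windows `netstat -an`, e.g.
#   "  TCP    0.0.0.0:135     0.0.0.0:0   LISTENING"
#   "  UDP    0.0.0.0:1434    *:*"
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> List[Socket]:
    """Return one Socket per data row; header and blank lines are skipped."""
    socks = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            socks.append(Socket(m.group(1), m.group(2), int(m.group(3)), m.group(4) or ""))
    return socks


def bound_on(socks: List[Socket], proto: str, port: int) -> List[Socket]:
    """Sockets that can accept traffic on proto/port (UDP has no state; TCP must be LISTENING)."""
    return [s for s in socks if s.proto == proto and s.port == port
            and (proto == "UDP" or s.state == "LISTENING")]


def check_port(text: str, proto: str, port: int) -> str:
    """Summarise reachability of a port from netstat output: not bound / loopback only / bound on X."""
    socks = bound_on(parse_netstat(text), proto, port)
    if not socks:
        return "not bound"
    if all(s.addr.startswith("127.") or s.addr == "[::1]" for s in socks):
        return "loopback only"   # local tools succeed, remote clients are refused
    return "bound on " + ", ".join(sorted(s.addr for s in socks))


# Constructed sample: UDP 1434 is bound to loopback only, TCP 1433 to all interfaces.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    192.168.0.10:3389      192.168.0.25:51234     ESTABLISHED
  UDP    0.0.0.0:500            *:*
  UDP    127.0.0.1:1434         *:*
"""

if __name__ == "__main__":
    for proto, port in (("UDP", 1434), ("TCP", 1433)):
        print(proto, port, "->", check_port(SAMPLE, proto, port))
```

On the real machine, feed it `netstat -an` output instead of SAMPLE (for example via `subprocess.check_output`); the two lines it prints are what you would show UPS support.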
 
LVL 7

Accepted Solution

by:briandunkle (earned 500 total points)
If there's already an entry for the "server" machine in the firewall somewhere, it might not let you add it by IP to the rule...you may have to dig out the existing entry instead. You can find those at Objects-->addresses-->list on the left menu.
Also, you'll want /32 after the IP addresses to limit it to that address only, e.g. 192.168.0.1/32
In the junipers, there's actually a separate box for the netmask (32) so put the IP in the first box on each line and the netmask in the second.
 
LVL 1

Author Closing Comment

by:evault
Thanks for the assist. Turns out the UPS WorldShip did not listen on the port it was supposed to and this setting is buried in the management tools.
 
LVL 7

Expert Comment

by:briandunkle
Cool, glad it worked out.