
Juniper SSG20 Route HTTP traffic through vpn and away from their direct internet connection

glong3008 asked
Last Modified: 2012-02-14
I have a Trust zone set as NAT which is set up across a private line back to my office in the States.
Currently their (Philippines) internet traffic goes out their Untrust zone, which is set up as route.

I'm not really sure what tells it to do that.
All of my rules are any any any.

I am trying to change HTTP traffic to go across the Trust zone, to my Cisco router here, to my other Juniper and then to the internet.

Currently my Cisco router seems to send traffic not directly meant for specific IPs to my other Juniper, so this should work.

Top Expert 2007

As you wish to have HTTP routed over VPN tunnel, configure policy based VPN.
In the policy where you associate VPN tunnel, configure service as HTTP so only HTTP traffic gets routed over the VPN tunnel.

For steps, look at the links below:

For configuring policy based VPN when both sides have static IP and are running 6.x version of SOS:

Main article for configuring policy based VPN:

Please implement and update.

Thank you.


I tried that but it didn't seem to work.
Question: what determines that HTTP traffic goes over the Untrust port now, when the gateway for all the machines points to Trust (my dedicated line from the US to the Philippines)?
The Untrust port is the one that the local internet connection is attached to.

With all the rules set to any/any/any, it's unclear.
I have an IP-based phone system; I have the phones on another port for VoIP, and they also come here across the dedicated line.


I have a rule Trust to Trust any/any/any, and when I turn Trust to Untrust off and leave Trust to Trust on (Trust intra-zone policy), no traffic goes over this port and HTTP traffic stops.


I think I have a Cisco router in the mix that didn't use to be there, and that is throwing me off.
I am trying to get a username and password for it now.
I have a feeling the computers go into the router, and the router has a rule to send anything not destined for certain IPs on to the firewall, which then sends it out to their internet connection.
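The expert's suggestion above (a tunnel policy restricted to the HTTP service) and the asker's question of what currently decides that web traffic leaves through Untrust, shown together as an added ScreenOS CLI example. This is not configuration from the thread or from Juniper; the gateway name, VPN name, policy IDs, interface and all addresses are assumptions chosen for illustration, and the lines starting with "#" are annotations for the reader, not ScreenOS syntax. The point it demonstrates: on ScreenOS the route lookup, not the policy, picks the destination zone for a packet, so with any/any/any policies in every direction the default route is what sends HTTP out of the local connection; a tunnel policy matched on the HTTP service overrides that route for matching packets only, and it has to sit above the catch-all permit to be reached.

```screenos
# --- 1. Read-only checks: what decides the egress path today ---
# The destination zone comes from the route lookup; the policy is then
# matched on source zone, destination zone, addresses and service.
get route                        # expect a 0.0.0.0/0 route via the Untrust interface
get route ip 203.0.113.10        # 203.0.113.10 is a constructed example web server address
get policy from trust to untrust # the any/any/any permit that currently carries HTTP
get policy from trust to trust

# --- 2. Policy-based VPN carrying HTTP only (names and addresses assumed) ---
# Phase 1 gateway: the peer is the US-side Juniper, reached through the
# interface facing the private line (ethernet0/0 is an assumption).
set ike gateway "gw-us-office" address 198.51.100.1 main outgoing-interface ethernet0/0 preshare "REPLACE-WITH-STRONG-PSK" sec-level standard
# Phase 2 VPN object bound to that gateway
set vpn "vpn-us-office" gateway "gw-us-office" sec-level standard

# Tunnel policy: only the HTTP service enters the VPN. The destination zone
# is Untrust because that is where the route lookup places internet
# addresses; the tunnel action overrides the route for these packets.
# The US-side Juniper needs the mirror-image policy so the proxy IDs match.
set policy id 10 from "Trust" to "Untrust" "Any" "Any" "HTTP" tunnel vpn "vpn-us-office" log

# Everything else keeps leaving through the local internet connection.
set policy id 11 from "Trust" to "Untrust" "Any" "Any" "ANY" permit

# Policies are evaluated top-down: the HTTP tunnel policy must be above
# the catch-all permit, otherwise policy 11 matches first and it is never used.
set policy move 10 before 11
save

# --- 3. Verify after the change ---
get policy id 10                 # hit counter should rise while a client browses
get sa                           # the Phase 2 SA for vpn-us-office should show as active
```

Reading the route output first is the quick way to confirm the asker's suspicion: if `get route ip 203.0.113.10` resolves to the Untrust interface, the any/any/any permit is simply allowing what routing already chose, and disabling Trust-to-Untrust stopping HTTP (as observed above) is exactly the behaviour that lookup predicts.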