Juniper SSG20 Firewall Blocking SSL

Hi all,

I have a Plesk web server behind a Juniper firewall. The firewall is configured as per these instructions:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB4216

Now, while most of the services are working fine (HTTP, SMTP, POP), some are not, such as SSL (port 443) and the Plesk web admin (port 8443).

Does anyone know if there is something special that needs to be configured on the VIP or policy to allow SSL related traffic through?

Thanks

Bob
Mango-Man asked:
dpk_wal commented:
A few questions:
1. Is the VIP using the same IP as the interface IP?
2. Is the VIP IP in a different subnet than the interface IP subnet?
3. Are you using HTTPS to manage the SSG? If yes, then changing the management port would do the trick; have a look at the link below:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB4773

If you are already using a different port for the WebUI other than 443 or 8443 and have configured the VIP, then it should work. Can you please post a sanitized configuration?

Thank you.
0
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
To get an overview of anything related to those ports, use a CLI command (e.g. in telnet):
   get config | incl 443
That might give you too many lines, but you should still see the important configuration parts.
0
Mango-Man (Author) commented:
Hi dpk_wal,

Note: one thing to clarify - many of the ports for this VIP/private IP mapping *are* working perfectly, so it's not a general configuration issue.

1. Is the VIP using the same IP as the interface IP?
No - the VIP is a public IP, the trusted interface is a private IP (192.168.40.10)

2. Is the VIP IP in a different subnet than the interface IP subnet?
Yes (see the answer and the note above)

3. Are you using HTTPS to manage the SSG? If yes, then changing the management port would do the trick.
The Juniper unit is on a separate port, and given that port 80 is working fine on my other IPs (so the WebGUI isn't likely to be interfering with 443 either), I don't think that's the problem.

Does anyone want to do some remote consulting on this? It's a simple setup on blank servers at the moment, so I can provide TeamViewer access. All I need is:

All required services accessible (a short list includes HTTPS, HTTPS on 8443, etc.).
A brief explanation of what was done.
A backup of the router configuration.

Thanks

Bob
0
dpk_wal commented:
Sorry, but it looks like the attachment didn't make it; can you repost?

Thank you.
0
Mango-Man (Author) commented:
dpk_wal,

Can you advise where in the GUI I would find the option to export the configuration?  I can't see anything appropriate under management or reports.

Thanks!

Bob
0
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
WebUI - get config
0
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
Q1 and Q2 are not answered correctly. The question is whether the VIP uses a different public IP than the Untrust interface it is defined on.

Unless you have set the WebUI SSL port to something different, it is 443 - and you might not even know that. Please check in Configuration » Admin » Management for the SSL port. It might be 443 or 8443, which would both interfere.
0
dpk_wal commented:
Thanks Qlemo! :)
0
Mango-Man (Author) commented:
Thanks both for your help!

Apologies for the confusion on the questions, to answer correctly:

Q1) Yes the VIP uses a different IP to the one defined on its interface (see images below)
Q2) The VIP is on the same subnet as the interface IP (/24) (see images below)

As requested, here is the sanitized config export:

unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "Spandex" protocol tcp src-port 6060-6061 dst-port 6060-6061 
set service "Spandex" + tcp src-port 32004-32004 dst-port 32004-32004 
set service "Spandex" + tcp src-port 32007-32007 dst-port 32007-32007 
set service "FTP-DATA" protocol tcp src-port 20-20 dst-port 20-20 
set service "SMTPS" protocol tcp src-port 465-465 dst-port 465-465 
set service "FTPS" protocol tcp src-port 990-990 dst-port 990-990 
set service "IMAPS" protocol tcp src-port 993-993 dst-port 993-993 
set service "POP3S" protocol tcp src-port 995-995 dst-port 995-995 
set service "Plesk HTTPS" protocol tcp src-port 8443-8443 dst-port 8443-8443 
set service "Plesk HTTP" protocol tcp src-port 8880-8880 dst-port 8880-8880 
set service "Web Service Requests" protocol tcp src-port 6061-6061 dst-port 6061-6061 
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "expert-sexchange"
set admin password "nDZlSpoodleDoodleDingoDongdfdfn"
set admin http redirect
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "OurSpandexServer / Spandex"
set zone id 101 "OurWebServer / Plesk"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
unset zone "V1-Trust" tcp-rst 
unset zone "V1-Untrust" tcp-rst 
set zone "DMZ" tcp-rst 
unset zone "V1-DMZ" tcp-rst 
unset zone "VLAN" tcp-rst 
set zone "OurSpandexServer / Spandex" tcp-rst 
set zone "OurWebServer / Plesk" tcp-rst 
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface adsl1/0 phy operating-mode auto
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/3" zone "OurSpandexServer / Spandex"
set interface "ethernet0/4" zone "OurWebServer / Plesk"
set interface "wireless0/0" zone "Trust"
set interface "bgroup0" zone "Trust"
set interface "adsl1/0" pvc 8 35 mux llc protocol bridged qos ubr zone "Untrust"
set interface bgroup0 port ethernet0/2
unset interface vlan1 ip
set interface ethernet0/0 ip 12.345.79.162/29
set interface ethernet0/0 route
set interface ethernet0/1 ip 192.168.10.1/24
set interface ethernet0/1 nat
set interface ethernet0/3 ip 192.168.30.1/24
set interface ethernet0/3 route
set interface ethernet0/4 ip 192.168.40.1/24
set interface ethernet0/4 route
set interface wireless0/0 ip 192.168.5.1/24
set interface wireless0/0 nat
set interface bgroup0 ip 192.168.20.1/24
set interface bgroup0 nat
set interface ethernet0/0 gateway 12.345.79.161
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/3 ip manageable
set interface ethernet0/4 ip manageable
set interface wireless0/0 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/3 manage ping
set interface ethernet0/3 manage ssh
set interface ethernet0/3 manage telnet
set interface ethernet0/3 manage snmp
set interface ethernet0/3 manage ssl
set interface ethernet0/3 manage web
set interface ethernet0/4 manage ping
set interface ethernet0/4 manage ssh
set interface ethernet0/4 manage telnet
set interface ethernet0/4 manage snmp
set interface ethernet0/4 manage ssl
set interface ethernet0/4 manage web
set interface bgroup0 manage mtrace
set interface ethernet0/0 vip 12.345.79.165 80 "HTTP" 192.168.40.11
set interface ethernet0/0 vip 12.345.79.165 + 443 "HTTPS" 192.168.40.11
set interface ethernet0/0 vip 12.345.79.165 + 25 "MAIL" 192.168.40.11
set interface ethernet0/0 vip 12.345.79.165 + 143 "IMAP" 192.168.40.11
set interface ethernet0/0 vip 12.345.79.165 + 8443 "Plesk HTTPS" 192.168.40.11
set interface ethernet0/0 vip 12.345.79.165 + 8880 "Plesk HTTP" 192.168.40.11
set interface ethernet0/0 vip 12.345.79.165 + 21 "FTP" 192.168.40.11
set interface ethernet0/0 vip 12.345.79.165 + 110 "POP3" 192.168.40.11
set interface ethernet0/0 vip 12.345.79.163 6060 "Spandex" 192.168.30.10
set interface ethernet0/0 vip 12.345.79.164 80 "HTTP" 192.168.40.10
set interface ethernet0/0 vip 12.345.79.164 + 143 "IMAP" 192.168.40.10
set interface ethernet0/0 vip 12.345.79.164 + 443 "HTTPS" 192.168.40.10
set interface ethernet0/0 vip 12.345.79.164 + 110 "POP3" 192.168.40.10
set interface ethernet0/0 vip 12.345.79.164 + 25 "SMTP" 192.168.40.10
set interface ethernet0/0 vip 12.345.79.164 + 21 "FTP" 192.168.40.10
set interface ethernet0/0 vip 12.345.79.164 + 53 "DNS" 192.168.40.10
set interface ethernet0/0 vip 12.345.79.164 + 990 "FTPS" 192.168.40.10
set interface ethernet0/0 vip 12.345.79.164 + 993 "IMAPS" 192.168.40.10
set interface ethernet0/0 vip 12.345.79.164 + 995 "POP3S" 192.168.40.10
set interface ethernet0/0 vip 12.345.79.164 + 8443 "Plesk HTTPS" 192.168.40.10
set interface ethernet0/0 vip 12.345.79.164 + 8880 "Plesk HTTP" 192.168.40.10
set interface wireless0/0 dhcp server service
set interface wireless0/0 dhcp server auto
set interface wireless0/0 dhcp server option dns1 64.54.126.22 
set interface wireless0/0 dhcp server option dns2 64.54.116.4 
set interface wireless0/0 dhcp server ip 192.168.5.55 to 192.168.5.85 
unset interface wireless0/0 dhcp server config next-server-ip
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set interface wireless0 wlan 0
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set hostname FMJUNI
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 64.54.126.22 src-interface ethernet0/0
set dns host dns2 64.54.116.4 src-interface ethernet0/0
set dns host dns3 208.67.222.222 src-interface ethernet0/0
set address "Trust" "192.168.20.10/24" 192.168.20.10 255.255.255.0
set address "OurSpandexServer / Spandex" "192.168.30.10/24" 192.168.30.10 255.255.255.0
set address "OurSpandexServer / Spandex" "192.168.30.10/32" 192.168.30.10 255.255.255.255
set address "OurWebServer / Plesk" "192.168.30.10/32" 192.168.30.10 255.255.255.255
set address "OurWebServer / Plesk" "192.168.40.10/24" 192.168.40.10 255.255.255.0
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 3 from "OurWebServer / Plesk" to "Untrust"  "Any" "Any" "ANY" nat src permit log 
set policy id 3
exit
set policy id 2 from "OurSpandexServer / Spandex" to "Untrust"  "Any" "Any" "ANY" nat src permit log 
set policy id 2
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit 
set policy id 1
exit
set policy id 9 name "Bob`s Alternative OurWebServer Rule" from "Untrust" to "Trust"  "Any" "VIP(12.345.79.165)" "DNS" permit 
set policy id 9
set service "FTP"
set service "HTTP"
set service "HTTPS"
set service "IMAPS"
set service "Plesk HTTP"
set service "Plesk HTTPS"
set service "POP3S"
set service "SMTP"
set service "SMTPS"
set service "TFTP"
exit
set policy id 10 name "Spandex Inbound via VIP" from "Untrust" to "Trust"  "Any" "VIP(12.345.79.163)" "HTTP" permit 
set policy id 10
set service "HTTPS"
set service "Spandex"
exit
set policy id 13 name "OurWebServer Webserver via VIP" from "Untrust" to "Trust"  "Any" "VIP(12.345.79.164)" "DNS" permit 
set policy id 13
set service "FTP"
set service "HTTP"
set service "HTTPS"
set service "IMAPS"
set service "MAIL"
set service "PING"
set service "Plesk HTTP"
set service "Plesk HTTPS"
set service "POP3"
set service "POP3S"
set service "SMTP"
set service "SMTPS"
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set wlan 0 channel auto
set wlan 1 channel auto
set ssid name POTATO
set ssid POTATO authentication wpa2-psk passphrase 4BHCt5bENBiNGoBangOILoveBongosnCeF1+iKyIYHBuNI= encryption aes
set ssid POTATO interface wireless0
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

[Screenshot: Juniper Interface Overview]
[Screenshot: Juniper Interface VIP Details]
0
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
First step, if you do not know better, is to enable traffic logging (on session begin) in the corresponding policies (9 and 13 here). Then try to use the failing services, and watch whether the attempts are logged. You then also see whether the correct endpoint (IP and port) is used.

BTW, I would have chosen MIPs here. You are mapping one public IP to exactly one private IP. Doing that 1:1 mapping via MIP is more straightforward, and less prone to issues; restrictions can be applied by the policy allowing traffic.
On another note, you do not need to apply restrictions in the VIP policies, unless you want to block services configured in the VIP table temporarily. The VIP table definition itself is the restriction, and suffices.
0
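The check Qlemo describes (the VIP table decides what is mapped, but a policy's service list can still narrow it, and a VIP service with several ports shows only its first one) can be run mechanically against a config export. The script below is an added example, not code from this thread, from Juniper or from Experts Exchange. It parses the `set service`, `set interface ... vip` and `set policy` lines of a ScreenOS export and reports every VIP port that no permit policy service covers; it also lists VIP services that define more than one port range, the case where `set vip multi-port` matters. The table of predefined services is an assumption (a small approximation of the ScreenOS built-ins; any service name it does not know is treated as matching nothing), and the sample config is constructed from a cut-down copy of the export above, with `HTTPS` deliberately left out of policy 13 so that the audit has something to find.

```python
"""Audit a ScreenOS config export: is every VIP-mapped port permitted by a policy service?"""
import re
from collections import defaultdict

# Assumed approximation of ScreenOS predefined services (not read from a device).
PREDEFINED = {
    "HTTP": [("tcp", 80, 80)], "HTTPS": [("tcp", 443, 443)], "SMTP": [("tcp", 25, 25)],
    "POP3": [("tcp", 110, 110)], "IMAP": [("tcp", 143, 143)], "FTP": [("tcp", 21, 21)],
    "DNS": [("tcp", 53, 53), ("udp", 53, 53)],
}

SERVICE_RE = re.compile(r'^set service "([^"]+)" (?:protocol|\+) (tcp|udp) src-port \S+ dst-port (\d+)-(\d+)')
VIP_RE = re.compile(r'^set interface \S+ vip (\S+) (?:\+ )?(\d+) "([^"]+)" (\S+)')
POLICY_HDR_RE = re.compile(r'^set policy id (\d+) .*?"VIP\(([^)]+)\)" "([^"]+)" (.*)$')
POLICY_OPEN_RE = re.compile(r'^set policy id (\d+)\s*$')
POLICY_SVC_RE = re.compile(r'^set service "([^"]+)"\s*$')

# Constructed sample, cut down from the sanitized export in the thread.
# Policy 13 permits DNS, HTTP and Plesk HTTPS but not HTTPS, so VIP port 443 is orphaned.
SAMPLE_CONFIG = """\
set service "Plesk HTTPS" protocol tcp src-port 8443-8443 dst-port 8443-8443
set service "Spandex" protocol tcp src-port 6060-6061 dst-port 6060-6061
set service "Spandex" + tcp src-port 32004-32004 dst-port 32004-32004
set interface ethernet0/0 vip 12.345.79.164 80 "HTTP" 192.168.40.10
set interface ethernet0/0 vip 12.345.79.164 + 443 "HTTPS" 192.168.40.10
set interface ethernet0/0 vip 12.345.79.164 + 8443 "Plesk HTTPS" 192.168.40.10
set interface ethernet0/0 vip 12.345.79.163 6060 "Spandex" 192.168.30.10
set policy id 13 name "OurWebServer Webserver via VIP" from "Untrust" to "Trust"  "Any" "VIP(12.345.79.164)" "DNS" permit
set policy id 13
set service "HTTP"
set service "Plesk HTTPS"
exit
set policy id 10 name "Spandex Inbound via VIP" from "Untrust" to "Trust"  "Any" "VIP(12.345.79.163)" "HTTP" permit
set policy id 10
set service "Spandex"
exit
"""
# Same config with policy 13 opened to ANY, as Qlemo suggests for VIP policies.
FIXED_CONFIG = SAMPLE_CONFIG.replace('"VIP(12.345.79.164)" "DNS" permit', '"VIP(12.345.79.164)" "ANY" permit')


def parse(config_text):
    """Return (services, vips, policy_services, policy_vip) from a config export."""
    services = {name: list(ports) for name, ports in PREDEFINED.items()}
    vips = []                      # (public_ip, port, service_name, private_ip)
    policy_services = defaultdict(set)  # policy id -> service names
    policy_vip = {}                # policy id -> public VIP address it permits traffic to
    current = None                 # policy id whose "set policy id N ... exit" block we are inside
    for raw in config_text.splitlines():
        line = raw.strip()
        if current is not None:    # inside a policy block: only collect extra services
            if line == "exit":
                current = None
            elif (m := POLICY_SVC_RE.match(line)):
                policy_services[current].add(m.group(1))
            continue
        if (m := SERVICE_RE.match(line)):          # custom service, possibly multi-range ("+")
            services.setdefault(m.group(1), []).append((m.group(2), int(m.group(3)), int(m.group(4))))
        elif (m := VIP_RE.match(line)):            # one VIP port mapping
            vips.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
        elif (m := POLICY_HDR_RE.match(line)):     # policy header naming a VIP destination
            if "permit" in m.group(4).split():
                policy_vip[m.group(1)] = m.group(2)
                policy_services[m.group(1)].add(m.group(3))  # header carries the first service
        elif (m := POLICY_OPEN_RE.match(line)):    # start of the block listing further services
            current = m.group(1)
    return services, vips, policy_services, policy_vip


def port_permitted(port, service_names, services):
    """True if ANY is allowed or some named service has a TCP range covering the port."""
    if "ANY" in service_names:
        return True
    return any(proto == "tcp" and lo <= port <= hi
               for name in service_names for proto, lo, hi in services.get(name, []))


def audit(config_text):
    """List (public_ip, port, vip_service, reason) for VIP ports no permit policy covers."""
    services, vips, policy_services, policy_vip = parse(config_text)
    allowed_by_vip = defaultdict(set)
    for pid, vip_ip in policy_vip.items():
        allowed_by_vip[vip_ip] |= policy_services[pid]
    findings = []
    for pub_ip, port, svc, _priv_ip in vips:
        allowed = allowed_by_vip.get(pub_ip, set())
        if not allowed:
            findings.append((pub_ip, port, svc, "no permit policy references this VIP"))
        elif not port_permitted(port, allowed, services):
            findings.append((pub_ip, port, svc, "port not covered by policy services %s" % sorted(allowed)))
    return findings


def multi_port_vip_services(config_text):
    """VIP services with more than one port range: the WebUI shows only the first port."""
    services, vips, _, _ = parse(config_text)
    return sorted({svc for _, _, svc, _ in vips if len(services.get(svc, [])) > 1})


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("orphaned VIP port:", finding)
    print("multi-port VIP services:", multi_port_vip_services(SAMPLE_CONFIG))
    print("findings after opening policy 13 to ANY:", audit(FIXED_CONFIG))
```

On the sample, the audit reports port 443 on VIP 12.345.79.164 as uncovered and flags "Spandex" as a multi-port VIP service; after the policy is opened to ANY, the VIP table alone governs what is reachable and the audit is clean.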

Mango-Man (Author) commented:
Qlemo,

Thanks again for your help!

First step, if you do not know better, is to enable traffic logging (on session begin) in the corresponding policies (9 and 13 here). Then try to use the failing services, and watch whether the attempts are logged.
I've enabled logging for all three policies (on session begin checked) and nothing is being logged at all (I'm going to Reports > System Log > Event).  I went in to Configuration > Report Settings > Log Settings and ticked *everything* but still no luck.

I would have chosen MIPs here. You are mapping one public IP to exact one private IP.
Understood - they were actually originally MIPs but I was following advice given elsewhere and the walkthrough for publishing a web server on the Juniper website said either. If either works, I'd prefer to use VIPs as it means I can split services between different internal servers later on (with the same public IP which means clients don't have to change any settings!)

On another note, you do not need to apply restrictions in the VIP policies, unless you want to block services configured in the VIP table temporarily. The VIP table definition itself is the restriction, and suffices.
OK, so if I understand correctly, I keep the policy allowing 'ANY to VIP' but don't select any services? As there doesn't seem to be an *any* or *all* option, will this not simply block traffic completely, or does not selecting a service tell the system to allow any? Screenshot:

[Screenshot: VIP Policy Details Showing Services Dropdown]
0
Mango-Man (Author) commented:
Again, if you're interested - I'd be happy to arrange remote access and pay you via PayPal to simply fix this for us.
0
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
We are not that far you'll need online consulting ;-). Anyway, it is not allowed on EE to solicit, and the exception is if there is no other way.

The traffic/session logs are available in each individual policy, not in the system event log.

Your intentions for using VIPs are sound, their purpose is to split services between different internal IPs using a common public IP.

In your screenshot, I definitely see an ANY service ;-).
0
Mango-Man (Author) commented:
Hi Qlemo,

Whoops!  I didn't realize it was against the rules!

So I changed the services list to ANY (I was blind but now I see) on the policy for one of the interfaces and hey presto, port 8443 immediately started working and I could view the GUI in a browser!  I tried telnetting to and yep connection made.

I removed those entries from the defined VIP services and I was unable to access them so I'm all good - everything is blocked except the services explicitly defined in the VIP definition!

One thing is still baffling me - I would break it out into a separate question, but I suspect you'll answer it in two seconds: the list of 'services' available in the VIP definition page doesn't seem to be the same list as the one available in policies (or if it is, it's only registering the first port of one of my entries). Is it the same list, or are services defined for VIPs configured somewhere else (not Policy Elements > Services > Custom)?

Many thanks for all your help with this!

Bob
0
Mango-Man (Author) commented:
Apologies - disregard the last query - it *is* the same list but when applying these services to VIPs, the firewall only seems to take notice of the first port if that service has multiple ports defined.

I have therefore changed the services to only have one port per entry.

Thanks again!
0
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
This is only a visibility issue. Port ranges are working with VIPs, but you will see only the first port in the list. On the other hand, it doesn't matter much if you split services in a way that only one port is assigned.
0
Mango-Man (Author) commented:
Hey Qlemo,

That's what I assumed but until I split the services, one of my custom ports just wasn't working - as soon as I split it, it started working.

I'm so happy it's working that I'm not going to worry too much about the why!

Thanks again for all your help!

Bob
0
Mango-Man (Author) commented:
Qlemo should get paid by Juniper!  He spent a lot of time guiding me through my problem without getting frustrated with my lack of knowledge - wonderful.
0
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
I forgot to mention that you need a special setting, only available in the CLI (telnet, SSH or serial), to allow for multi-port VIP services ... I thought that is the default by now with current firmware releases.
set vip multi-port
save
reset


The last command will reboot the device, which is necessary to have the setting active.
0