SSG20 Port Forwarding / VIP Help

  • Hey Guys, so i have a juniper ssg20 in at one of my clients, (have taken over recently)
    I have not worked with these firewalls before and struggling to setup port forwarding, I am using the webgui and have followed some instructions found on the net but no joy.

    I am trying to setup rdp access to the server (3389) - this is what I have done. I suspect the VIP setup may be wrong, but you can advise me.

    Network > Interfaces > List

    bgroup 0 (lan ip zone) Link = up / zone = trust
    ethernet 0/0 (196.x.x.50) Link = up / zone = trust

    Then click on edit go to VIP

    VIP > Configure

    IP address > 196.x.x.51 (should it be different to my ISP address of 196.x.x.50?)
    VIP Services > (Virtual port) 3389 (service port) RDP 3389 > (server ip)

    Then Policies

    11 > Any > VIP( HTTP [Permit]

    anything I am doing wrong, because i try to telnet 3389 and it doesnt work, i suspect its my VIP config

  • You are using the wrong external IP address for your VIP address, and your permit policy is HTTP (port 80), not RDP (port 3389)

    In my Netscreen there is no pre-defined service with a port of 3389, so we have to create a service.

    First you have to go to Objects / Services / Custom and add a new Custom service.  Call it RDP.  The transport protocol is TCP, Source Port (low)=0, Source Port (high)=65535, Destination Port (low)=3389, Destination Port(high)=3389.

    Next go to Network / Interfaces / ethernet 0 / VIP,  New VIP Service

    • The Virtual IP untrust address should 192.x.x.50 (same as your ISP).

    • The Virtual port should be 3389 (but see note below)

    • Map to service: select “RDP” (the custom service you just defined)

    • Map to IP:

    Next go to Policies, Untrust to Trust, add new.
    Source = Any, Destination = VIP(ethernet 0/0), Service=RDP (again the new custom service you just defined), Action=Permit.

    Note: For security reasons you should not use 3389 as the virtual port, but some other non-standard one like 3501.  Then, your mstsc command would be mstsc /v:192.x.x.50:3501 instead of just mstsc /v:192.x.x.50.  Also telnet to port 3501 to test.

  • Sorry small typo

    ethernet 0/0 (196.x.x.50) Link = up / zone = untrust