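zones {
    /* RODC zone. host-inbound-traffic was "system-services all / protocols all",
       which let the DMZ (the least-trusted internal segment) reach every management
       service on the SRX itself (telnet, http, snmp, netconf, ...). Only ping is
       kept; any service or routing protocol this zone genuinely needs must be
       listed explicitly rather than reopening "all". */
    security-zone dmz {
        address-book {
            address houtxrodc1 10.199.1.31/32;
            address houtxrodc2 10.199.1.32/32;
            address-set rodc-servers {
                address houtxrodc1;
                address houtxrodc2;
            }
        }
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
        interfaces {
            reth0.901;
        }
    }
    /* Writable-DC zone. Same change as dmz: "all/all" replaced by the services
       actually used for management (ssh) and reachability (ping). If a routing
       protocol or dhcp/ntp/dns service runs on reth0.900 (not visible in this
       file), add it here explicitly. */
    security-zone trust {
        address-book {
            address houtxdc1 10.199.0.11/32;
            address houtxdc2 10.199.0.12/32;
            address-set rwdc-servers {
                address houtxdc1;
                address houtxdc2;
            }
        }
        host-inbound-traffic {
            system-services {
                ping;
                ssh;
            }
        }
        interfaces {
            reth0.900;
        }
    }
    /* Internet-facing zone. Cleartext http was removed from host-inbound-traffic:
       the dynamic-VPN portal and web-authentication are served over https, and
       nothing else on this zone needs http. ssh and https stay reachable from any
       untrust source here; restrict them to known management sources with a
       loopback firewall filter (not part of this file). "untrust-screen" is
       referenced but defined elsewhere. */
    security-zone untrust {
        screen untrust-screen;
        host-inbound-traffic {
            system-services {
                https;
                ike;
                ping;
                ssh;
            }
        }
        interfaces {
            reth1.0;
        }
    }
}
policies {
    /* Internet -> DMZ: nothing is published; everything is denied and logged. */
    from-zone untrust to-zone dmz {
        policy default-deny {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
                log {
                    session-close;
                }
            }
        }
    }
    /* DMZ -> Internet egress for the RODCs. Note that any RODC may reach any
       Internet host over DNS/FTP/HTTP/HTTPS/NTP; ftp is cleartext and DCs rarely
       need it. Consider pinning DNS/NTP to known resolvers/time sources and
       dropping junos-ftp if it is not required. */
    from-zone dmz to-zone untrust {
        policy default-permit {
            match {
                source-address any;
                destination-address any;
                application [ junos-dns-tcp junos-dns-udp junos-ftp junos-http junos-https junos-ntp junos-ping ];
            }
            then {
                permit;
                log {
                    session-close;
                }
            }
        }
    }
    /* RODC -> RWDC: only the AD/replication protocols, only between the two
       address sets. custom-lsass opens the whole TCP 49152-65535 dynamic RPC
       range because the msrpc ALG is disabled below; see the note on that
       application for how to narrow it. */
    from-zone dmz to-zone trust {
        policy intradomain-communication {
            match {
                source-address rodc-servers;
                destination-address rwdc-servers;
                application [ junos-dns-tcp junos-dns-udp junos-ldap junos-ms-rpc-tcp junos-ntp junos-ping custom-dfs-r custom-kerberos custom-kpasswd-tcp custom-kpasswd-udp custom-ldap-gc custom-ldap-udp custom-lsass custom-smb ];
            }
            then {
                permit;
                log {
                    session-close;
                }
            }
        }
        policy default-deny {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
                log {
                    session-close;
                }
            }
        }
    }
    /* Dynamic VPN users terminate here. The policy only matches traffic that
       arrives through the dyn-vpn tunnel, but once inside a remote user can reach
       any trust address on any port. Tighten destination-address/application to
       what remote users actually need once that is known. */
    from-zone untrust to-zone trust {
        policy permit-dynamic-vpn-access {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn dyn-vpn;
                    }
                }
                log {
                    session-close;
                }
            }
        }
        policy default-deny {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
                log {
                    session-close;
                }
            }
        }
    }
    /* Trust -> Internet egress; same application set and same caveats as
       dmz -> untrust. */
    from-zone trust to-zone untrust {
        policy default-permit {
            match {
                source-address any;
                destination-address any;
                application [ junos-dns-tcp junos-dns-udp junos-ftp junos-http junos-https junos-ntp junos-ping ];
            }
            then {
                permit;
                log {
                    session-close;
                }
            }
        }
    }
    /* RWDC -> RODC. This direction previously permitted "application any"; it now
       uses the same AD application set as dmz -> trust so both halves of the
       intradomain rule agree. Any RWDC-initiated protocol outside that set must
       be added explicitly rather than reverting to "any". */
    from-zone trust to-zone dmz {
        policy intradomain-communication {
            match {
                source-address rwdc-servers;
                destination-address rodc-servers;
                application [ junos-dns-tcp junos-dns-udp junos-ldap junos-ms-rpc-tcp junos-ntp junos-ping custom-dfs-r custom-kerberos custom-kpasswd-tcp custom-kpasswd-udp custom-ldap-gc custom-ldap-udp custom-lsass custom-smb ];
            }
            then {
                permit;
                log {
                    session-close;
                }
            }
        }
        policy default-deny {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
                log {
                    session-close;
                }
            }
        }
    }
}
/* With the msrpc ALG disabled the firewall cannot learn DCE/RPC endpoints from
   the port-mapper exchange, which is why custom-lsass has to open the entire
   dynamic port range statically. */
alg {
    dns disable;
    msrpc disable;
}
/* Dynamic VPN. 10.199.1.0/24 (dmz) is listed as a protected resource, but the
   only untrust -> dmz policy is default-deny, so remote users cannot actually
   reach it; either drop it from this list or add a tunnel policy for that zone.
   The single static client also means the VPN is only as strong as the local
   firewall-user password under "access" below. */
dynamic-vpn {
    access-profile dyn-vpn-access-profile;
    clients {
        dynamic-vpn {
            remote-protected-resources {
                10.199.0.0/24;
                10.199.1.0/24;
            }
            ipsec-vpn dyn-vpn;
            user {
                happyhappyjoyjoy;
            }
        }
    }
}
}
access {
    /* Local VPN/web-auth user. The password is shown in cleartext and is
       identical to the username, and this profile is also the default for
       firewall web-authentication. Rotate the credential and move authentication
       to an external RADIUS/LDAP server (with a second factor if available);
       a static shared password on an Internet-facing VPN is a single point of
       compromise. */
    profile dyn-vpn-access-profile {
        client happyhappyjoyjoy {
            firewall-user {
                password "happyhappyjoyjoy";
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    address-assignment {
        /* VPN clients are handed addresses inside the trust subnet
           (10.199.0.220-225 in 10.199.0.0/24, the same /24 as the DCs). That
           requires proxy-arp on reth0.900 for the range (not in this file) and
           means VPN hosts are indistinguishable from LAN hosts by address alone;
           a dedicated pool subnet would make VPN traffic easier to police. */
        pool dyn-vpn-address-pool {
            family inet {
                network 10.199.0.0/24;
                range dvpn-range {
                    low 10.199.0.220;
                    high 10.199.0.225;
                }
                xauth-attributes {
                    primary-dns 10.199.0.11/32;
                    secondary-dns 10.199.0.12/32;
                }
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile dyn-vpn-access-profile;
        }
    }
}
applications {
    /* DFS-R replication (TCP 5722). */
    application custom-dfs-r {
        protocol tcp;
        destination-port 5722;
    }
    /* Kerberos over TCP only. kpasswd and ldap below have both TCP and UDP
       definitions; if clients are observed using UDP/88 a matching UDP
       application would be needed, but none is defined here. */
    application custom-kerberos {
        protocol tcp;
        destination-port 88;
    }
    application custom-kpasswd-tcp {
        protocol tcp;
        destination-port 464;
    }
    application custom-kpasswd-udp {
        protocol udp;
        destination-port 464;
    }
    /* Global catalog LDAP. */
    application custom-ldap-gc {
        protocol tcp;
        destination-port 3268;
    }
    application custom-ldap-udp {
        protocol udp;
        destination-port 389;
    }
    /* RPC dynamic range for AD replication / lsass. 49152-65535 is the full
       Windows ephemeral range; to shrink this exposure, pin the DCs' RPC dynamic
       port range on the hosts and narrow this destination-port to match. */
    application custom-lsass {
        protocol tcp;
        destination-port 49152-65535;
    }
    /* SMB (TCP 445). */
    application custom-smb {
        protocol tcp;
        destination-port 445;
    }
}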