SRX


SRX300 - Application outside network

  • 1.  SRX300 - Application outside network

    Posted 09-11-2018 13:42

    Hello,

     

    I have an HR service running on IIS on a server inside my network.

    All people from my network can access it but now it needs to be accessed by people from outside my network.

     

    Today we have an IT ticket system running on the same server (10.196.24.31:8085) and it is accessible from outside our network. This configuration was done by a person who is not here anymore.

     

    My HR system works on port 8090.

    I would like to have this (10.196.24.31:8090) accessed by outside also.

     

    My external IP is 187.72.138.193, so if you try to access 187.72.138.193:8085 you will find my IT ticket system.

    I want the same for 187.72.138.193:8090 (my HR system)

     

    I am quite new to these Juniper devices and I do not understand much about them.

     

    I would be glad if someone can help me make it accessible from outside my network.

     

    I think part of the work is already done, since we can access the 8085 port; in my understanding it is only needed to allow the 8090 port as well, right?

     

    Please find below my current configuration:

     

    applications {
        application HTTP {
            protocol tcp;
            destination-port 8085;
        }
    }

     



  • 2.  RE: SRX300 - Application outside network

     
    Posted 09-11-2018 22:38

    As per the attached config, the connections to port 8085 are directed to port 80 on the actual server.

    For port 8090, what's the actual port number on the server?



  • 3.  RE: SRX300 - Application outside network

    Posted 09-11-2018 23:25

    Hi, rdgcatelli

     

    What you are looking to configure is port forwarding, which is quite simple, so don't worry 😉 It includes:

     

    1. Creating a destination NAT rule that will forward traffic destined to public address 187.72.138.193 on port 8090 to internal address 10.196.24.31 on the same 8090 port. Add these commands to your config:

     

    set security nat destination rule-set Webserver1 rule HR match destination-address 187.72.138.193
    set security nat destination rule-set Webserver1 rule HR match destination-port 8090
    set security nat destination rule-set Webserver1 rule HR then destination-nat pool Webserver2
    
    set security nat destination pool Webserver2 address 10.196.24.31/32 port 8090

    2. Creating an application that matches destination port 8090:

     

    set applications application HR destination-port 8090

    3. Adding this new application to the security-policy that is already in place, allowing the IT ticket system traffic to the same internal server.

     

    set security policies from-zone untrust to-zone trust policy Allow-Webserver1 match application HR

    4. Commit the configuration and test. You can use "commit confirmed 5" so that if anything goes wrong in 5 minutes the configuration will rollback automatically.

     

    I hope this info is helpful.



  • 4.  RE: SRX300 - Application outside network

    Posted 09-12-2018 04:49

    Hello,

     

    Please find below the error I got:

     

    root@1# commit confirmed 5
    [edit security utm feature-profile web-filtering type]
      'type surf-control-integrated'
        warning: requires 'wf_key_surfcontrol_cpa' license
    [edit applications]
      'application HR'
        protocol is missing for application HR
    [edit applications]
      'application'
        Error processing application object
    error: configuration check-out failed


  • 5.  RE: SRX300 - Application outside network
    Best Answer

    Posted 09-12-2018 09:09

    rdgcatelli,

     

    You are seeing 2 errors:

     

    1. You have configured the web-filtering feature but you don't have a valid license installed. Still, this error is not related to our configuration and I believe it won't cause the commit failure; it is just a warning.

     

    2. The new application we created, "HR", needs to have the protocol specified. If the traffic that your HR application uses is TCP traffic, please add the following line:

     

    set applications application HR protocol tcp
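    The commit error in this thread is a good illustration of the three objects a Junos destination-NAT port forward ties together: the NAT rule must point at a defined pool, the application must carry a protocol, and the policy must reference a defined application. The script below is an added example (not posted by anyone in this thread and not Juniper code) that reads a list of `set` commands like the ones above and reports those inconsistencies before you run `commit`. It only understands the handful of statement shapes used in this thread; the sample configuration is the thread's own commands with the `protocol tcp` line deliberately left out, so the check reproduces the "protocol is missing" error, and `FIX_LINE` is the line from the best answer.

```python
# Added example: pre-commit consistency check for the Junos set-commands
# used in this thread. Not from the thread's posters or from Juniper; the
# parser only recognises the statement shapes shown above.

# Constructed sample: the thread's commands without the 'protocol tcp' line,
# which is exactly the configuration that failed the commit.
SAMPLE_CONFIG = """
set security nat destination rule-set Webserver1 rule HR match destination-address 187.72.138.193
set security nat destination rule-set Webserver1 rule HR match destination-port 8090
set security nat destination rule-set Webserver1 rule HR then destination-nat pool Webserver2
set security nat destination pool Webserver2 address 10.196.24.31/32 port 8090
set applications application HR destination-port 8090
set security policies from-zone untrust to-zone trust policy Allow-Webserver1 match application HR
"""

# The line from the best answer that resolves the error.
FIX_LINE = "set applications application HR protocol tcp"


def parse_set_commands(text):
    """Build a small model of applications, NAT pools, NAT rules and policies."""
    model = {"applications": {}, "pools": {}, "rules": {}, "policies": {}}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 3 or t[0] != "set":
            continue
        t = t[1:]
        if t[:2] == ["applications", "application"]:
            # set applications application NAME KEY VALUE
            app = model["applications"].setdefault(t[2], {})
            if len(t) >= 5:
                app[t[3]] = t[4]
        elif t[:4] == ["security", "nat", "destination", "pool"]:
            # set security nat destination pool NAME address A port P
            pool = model["pools"].setdefault(t[4], {})
            rest = t[5:]
            pool.update(zip(rest[::2], rest[1::2]))
        elif t[:4] == ["security", "nat", "destination", "rule-set"] and len(t) >= 10:
            # set security nat destination rule-set RS rule R match K V
            # set security nat destination rule-set RS rule R then destination-nat pool P
            rule = model["rules"].setdefault((t[4], t[6]), {"match": {}, "pool": None})
            if t[7] == "match":
                rule["match"][t[8]] = t[9]
            elif t[7:10] == ["then", "destination-nat", "pool"] and len(t) >= 11:
                rule["pool"] = t[10]
        elif t[:2] == ["security", "policies"] and len(t) >= 11:
            # set security policies from-zone A to-zone B policy P match application X
            pol = model["policies"].setdefault((t[3], t[5], t[7]), set())
            if t[8:10] == ["match", "application"]:
                pol.add(t[10])
    return model


def check_port_forward(model):
    """Return the problems a commit check would reject; an empty list means consistent."""
    problems = []
    # An application without a protocol is what the commit in the thread rejected.
    for name, attrs in model["applications"].items():
        if "protocol" not in attrs:
            problems.append(f"protocol is missing for application {name}")
    # Every destination-NAT rule must hand traffic to a pool that exists.
    for (rs, rule), body in model["rules"].items():
        if body["pool"] is None:
            problems.append(f"rule {rule} in rule-set {rs} has no destination-nat pool")
        elif body["pool"] not in model["pools"]:
            problems.append(f"rule {rule} references undefined pool {body['pool']}")
    # The policy that allows the forwarded traffic must name a defined application.
    for (src, dst, name), apps in model["policies"].items():
        for app in sorted(apps):
            if app not in model["applications"]:
                problems.append(
                    f"policy {name} ({src}->{dst}) references undefined application {app}")
    return problems


def lint(text):
    """Parse a block of set-commands and return its list of problems."""
    return check_port_forward(parse_set_commands(text))


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with fix", SAMPLE_CONFIG + FIX_LINE)):
        print(label, "->", lint(cfg) or "ok")
```

Run as-is, the "as posted" configuration reports the missing protocol and the "with fix" configuration reports nothing, which is the same sequence the thread went through. The check deliberately does not compare the rule's matched port with the pool's port, because a forward that changes the port (the 8085-to-80 case mentioned earlier in the thread) is legitimate.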


  • 6.  RE: SRX300 - Application outside network

    Posted 09-12-2018 09:32

    You are a God I'd hug you now

     

    Thank you very much



  • 7.  RE: SRX300 - Application outside network

    Posted 09-12-2018 09:42

    You are very welcome, anytime! 🙂