You need a security policy.
Say you have this topology:
![ZONES.png ZONES.png](https://higherlogicdownload.s3.amazonaws.com/JUNIPER/MigratedInlineFiles/627a6571920a45bd972d192704a82856_43d0320c89c541b59c7e729346783904)
Configure this:
set security-zone OUTSIDE interfaces ge-0/0/1.0
set security-zone WEB interfaces ge-0/0/2.0
set from-zone OUTSIDE to-zone WEB policy 1 match source-address any
set from-zone OUTSIDE to-zone WEB policy 1 match destination-address WEB SERVER
set from-zone OUTSIDE to-zone WEB policy 1 match application CUSTOM-WEB
set from-zone OUTSIDE to-zone WEB policy 1 then permit
set security address-book global address WEB-SERVER 10.1.1.1
set applications application CUSTOM-WEB protocols tcp
set applications application CUSTOM-WEB destination port 8080
set applications application CUSTOM-WEB application-protocol http
HTH,