If your DMZ is publicly addressed, this should be pretty straightforward.
1.) You will need an interface assigned to the DMZ zone
On the Juniper SSG5, interface ethernet0/1 is set to the DMZ zone by default.
2.) You will need the IP address set up on that interface.
set interface ethernet0/1 ip x.x.x.x/x
3.) You will need policies applied to allow access.
Create a group for the services.
set group service "Web_Services"
set group service "Web_Services" add "HTTPS"
set group service "Web_Services" add "HTTP"
Create an address group for your web servers on your DMZ. Here is an example.
set address "DMZ" "httpserver1" 10.10.10.10 255.255.255.255
set address "DMZ" "httpserver2" 10.10.10.11 255.255.255.255
set group address "DMZ" "Web_Sites"
set group address "DMZ" "Web_Sites" add "httpserver1"
set group address "DMZ" "Web_Sites" add "httpserver2"
Then create a policy. If you cross a zone boundary you must apply a policy to allow traffic.
set policy from "Trust" to "DMZ" "Any" "Web_Sites" "Web_Services" permit log count
set policy from "Untrust" to "DMZ" "Any" "Web_Sites" "Web_Services" permit log count
If you need the web servers to access outbound:
set policy from "DMZ" to "Untrust" "Web_Sites" "Any" "Web_Services" permit log count
If you have a privately addressed DMZ and need to perform one-to-one NAT, then you can create MIPs. I am going under the assumption that you have e0/0 configured as your Untrust interface and that you have an allocation assigned to that range.
set interface "ethernet0/0" mip X.X.X.X/X host 172.16.1.5 netmask 255.255.255.255 vr "trust-vr"
Then apply the policies listed above to the MIP object.
set policy id 6 from "Untrust" to "DMZ" "Any" "MIP(X.X.X.X)" "Web_Services" permit log count
Hopefully this helps.
Message Edited by shadow on 04-30-2008 11:34 PM
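As an added example (not part of the original post), here is a small Python linter that parses ScreenOS `set policy` lines in the form used above and flags the permit rules a reviewer would push back on: an "ANY" service, an Untrust-to-DMZ rule with destination "Any", a DMZ-to-Trust permit, or a rule without `log`. The checks and the two deliberately weak sample lines are mine; the policy grammar follows the lines in the post.

```python
"""Lint ScreenOS 'set policy' lines for the DMZ hardening gaps a reviewer
looks for. Added example, not from the original post; the checks are ours."""
import shlex

def parse_policy(line):
    """Parse 'set policy [id N] from "SZ" to "DZ" "Src" "Dst" "Svc" action [log] [count]'.
    Returns a dict, or None when the line is not a policy statement."""
    tok = shlex.split(line)
    if tok[:2] != ["set", "policy"]:
        return None
    if tok[2] == "id":                  # drop the optional explicit policy id
        tok = tok[:2] + tok[4:]
    if len(tok) < 10 or tok[2] != "from" or tok[4] != "to":
        raise ValueError(f"unrecognised policy syntax: {line}")
    return {"src_zone": tok[3], "dst_zone": tok[5], "src": tok[6], "dst": tok[7],
            "svc": tok[8], "action": tok[9], "log": "log" in tok[10:]}

def lint(lines):
    """Return (line, finding) pairs for permit rules that weaken the DMZ design."""
    findings = []
    for line in lines:
        p = parse_policy(line)
        if p is None or p["action"] != "permit":
            continue
        if p["svc"].lower() == "any":
            findings.append((line, "permits every service; use a service group like Web_Services"))
        if p["src_zone"] == "Untrust" and p["dst"].lower() == "any":
            findings.append((line, "exposes the whole DMZ zone; scope the destination to an address group or MIP"))
        if p["src_zone"] == "DMZ" and p["dst_zone"] == "Trust":
            findings.append((line, "DMZ may initiate into Trust; a compromised web server could reach the LAN"))
        if not p["log"]:
            findings.append((line, "no 'log' keyword; matches will not be recorded"))
    return findings

# Constructed sample: the post's three policies plus two deliberately weak ones.
SAMPLE = [
    'set policy from "Trust" to "DMZ" "Any" "Web_Sites" "Web_Services" permit log count',
    'set policy from "Untrust" to "DMZ" "Any" "Web_Sites" "Web_Services" permit log count',
    'set policy id 6 from "Untrust" to "DMZ" "Any" "MIP(X.X.X.X)" "Web_Services" permit log count',
    'set policy from "Untrust" to "DMZ" "Any" "Any" "ANY" permit',
    'set policy from "DMZ" to "Trust" "Web_Sites" "Any" "ANY" permit log',
]

if __name__ == "__main__":
    for line, why in lint(SAMPLE):
        print(f"{why}\n    {line}")
```

The three policies from the post pass cleanly; each of the two constructed weak lines produces findings.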