We Got Served Forums: WHS with Juniper Netscreen 5GT - We Got Served Forums


WHS with Juniper Netscreen 5GT Manual Port Forwarding

#1
User is offline   mscottring 

I've got everything set up and working on the LAN side, three computers have wireless access to the WHS (in this case it's the HP Mediasmart). The router I have, which I'm not about to get rid of because it cost a small fortune and is considered a pretty good security appliance, is a pain to set up. The Juniper Networks 5GT wasn't really meant to be a consumer-based product, so it doesn't have UPnP. No problem, right? I can just go in and set up 'port forwarding' just like any other router on the planet (most of which I've owned). Only problem is there is nothing at all in the configuration settings called 'port forwarding'.

So, I throw myself at the mercy of the board, and beg your help here. If anyone at all knows how to set up a Juniper Netscreen 5GT (this is the wireless one, ADSL option, set up in standard configuration of Trust/Untrust) then please let me know how to do it. So far I've seen three different people give three different ways to set it up on three different boards (including the Juniper board), but I haven't been able to find anything specific to the WHS setup.

Thanks in advance for any help provided, it is VERY much appreciated.
Scott
0

#2
User is offline   Tim Lang 

I use a NS5GT at work, and I would have to agree, it is a very user-unfriendly pain in the butt to configure. The only other system I can remember having to configure that was that (unnecessarily) unintuitive was our old SCO Unix 3.2 servers... In hindsight, I probably should have bought the Cisco equivalent, but the Juniper was a good price, and had the advantage of being a bit more obscure than the Cisco from a security attack standpoint. Also, I have to agree, the Juniper documentation and online support is among the worst I have ever encountered from any company, undoubtedly so they can sell more support contracts.

Anyways, the NS5GT, while not easy to use, does offer tons of features and flexibility for a router/firewall in its class, including port forwarding, once you can figure it out. There is nothing special about WHS, the setup on the router is the same as if you were running any other type of server (w2k3, Linux, or even an XP box with server software). There are innumerable walkthroughs that list the ports you need to forward (WHS default ports are 80, 443 and 4125), and of course, you do need to assign a permanent IP address to your WHS. I won't go into this since it has already been extremely well covered on this site and others. The tricky part is just finding the section in the router config to actually do it.

In case you need help with the above, here are a couple links:

How to configure a Static IP for WHS

and

Manually configure a router for WHS


On the NS5GT, Port Forwarding is actually part of what is referred to as "VIP Services" and to make matters worse, it is buried several layers deep in the config where you would likely never find it. Here are the steps required:

1) Log on to the NS5GT Web GUI as administrator (or other user with admin privileges)

2) On the left hand navigation, under the NETWORK tree, select "Interfaces"

3) In the main window area, there should be a list of interfaces, you are looking for "Untrust", which is the third down the list for me. This is the WAN side of the router. Select EDIT on Untrust.

4) Along the top navigation pane, select "VIP"

At this point, I am going to assume that you have no VIP addresses configured yet.

5) Add a VIP Entry. You have two choices here, "Same as untrust interface IP address" (your WAN address from the ISP), or a custom "Virtual IP Address". Most likely, you will want to choose the first "same as untrust interface". The second option would only be if you have multiple FIXED (not DHCP) WAN IP addresses from your ISP, AND you are not currently using them all. For simplicity's sake, I am going to assume you fall into the first category, so you should choose "Same as untrust interface IP address" and click ADD.

I should mention that in my case at work, we actually do have 5 fixed permanent IPs from our ISP, and our VIP services are set up using some of those, and not the same one as the untrust interface. I wouldn't think that the configuration would be any different other than choosing the correct option in step 5, but I can't be sure as I have only configured this using separate IPs.

6) You should now see an entry listing your WAN IP address in the VIP list below, which will not yet have any "VIP Services" activated for it. At this point, you might think that you should click on the "Edit" link next to the newly listed VIP address, however that in fact does not do anything. Instead, click on the "New VIP Service" button located at the very top right of the screen.

7) You will now, finally, see a screen that looks like the typical port forwarding setup on most routers. Ensure the Virtual IP address drop down at the top lists the correct address (should be the untrust WAN IP address you added in step 5).

8) In the "Virtual Port" box, enter the port number that people will be externally accessing (such as "80" for HTTP)

9) In the "Map to Service" box, select the service/port number on your WHS box that should be mapped to the above (again, such as "HTTP / 80"). It is not required that the ports listed in steps 8 and 9 be the same. If your ISP blocks port 80, you might choose to use port 8080 instead, but still map it to port 80 internally on your WHS. This is much easier than reconfiguring the ports in the IIS setup on WHS. If the service/port that you need is not listed in the drop down box, you can add it manually in the OBJECTS->SERVICES->CUSTOM configuration from the left hand navigation pane. HTTP (80) and HTTPS (443) are already listed in the drop down, however you will need to manually set up a service for Port 4125 before you can set up the port forwarding here.

10) In the "Map to IP" box, specify the internal LAN IP address of your WHS server box (such as 192.168.0.10, or whatever you set it up as - again, you need to have assigned a fixed IP to the WHS box)

11) In the "Server Auto Detection" box, I recommend unticking that, unless you like pointlessly filling up the router event log every time your WHS reboots/goes offline, etc.

12) Click OK

13) Repeat Steps 6 through 12 for each port forwarding mapping you need to set up and then you are done. For a standard WHS setup, you need to configure ports 80, 443 and 4125.


I should mention that I am running firmware version 5.2.0r3.0 on my NS5GT, so it is possible some options may be different depending on your version of the firmware, however it should be pretty similar.

I hope this gets you up and running with your WHS - Good Luck!

/-Tim
0

#3
User is offline   mscottring 

AHA! Thanks for your very quick reply. I had worked through some of this after reading several posts on different boards, but I wasn't able to map to port 80. You got me the answer that worked. THANKS!



Tim Lang, on Feb 10 2008, 07:52 AM, said: (post #2 above, quoted in full)

0

#4
User is offline   mscottring 

Uh-oh, spoke too soon. Everything seems to be right in the NS5GT, all systems go. But I just tested the WHS and it's still showing that it's not connecting to the outside world. This is odd because it appeared to connect to set up the personal web address.

This is what I see:
router is accepting website connections (nope)
router is accepting remote access connections (nope)

This could be because my ISP is blocking port 80, but I set it up as 8080 in the NS5GT mapped to 80 in WHS. Is there some way to change the port within WHS? Or, is there a workaround for ISP block? Or am I just way off on what the problem is here?

Again, I really appreciate the help, the advice you gave did seem to be the right setting within the NS5GT.

Thanks
Scott





mscottring, on Feb 10 2008, 04:35 PM, said: (post #3 above, quoted in full)

0

#5
User is offline   Tim Lang 

Oh, I forgot to tell you about setting the policies to match your VIP settings, which also needs to be done.

1) On the left hand navigation pane, select Policies

2) On the upper pane, choose "UNTRUST" in the "From" drop-down box, choose "TRUST" in the "To" drop-down box, and click the NEW button

3) Fill out the options on this screen as follows:

NAME: Whatever you want, I recommend something like "WHS Settings"

SOURCE ADDRESS: Select the "Address Book Entry" button, and choose "ANY" from the drop down

DESTINATION ADDRESS: Select the "Address Book Entry" button, and choose the option that says VIP with your wan IP in brackets

SERVICE: Click on the "Multiple" button, you will get a box listing all the services your router has configured - this is from the same list that was used when you set up the VIP entries, so the custom service you set up for port 4125 should be listed as whatever name you gave it. Using the "<<" button, choose HTTP, HTTPS, and your port 4125 service to the left hand box. When you are done, click on OK

APPLICATION: None (leave it on none - do not select any applications here)

The options below this should be fine with the defaults, make sure that URL filtering is NOT selected. VPN should be "Done", L2TP should be "Done". Logging is up to you.

When you are finished, click on OK.

You should now be back at the policies screen, and you should see your new policy in the Untrust to Trust policy area. Make sure the policy is set to "ENABLE" (tick box field on far right).

Now everything should work. Don't forget to go back into the VIP set area and set the HTTP ports back to 80 if you still have them changed to 8080 (or whatever).

Good Luck
0
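The thread's sticking point was that the VIP services alone did not make WHS reachable until the Untrust-to-Trust policy was added. As an added example (not code from either poster or from Juniper), the following Python script probes the three forwarded ports and reports which stage likely still blocks each one. The script name, the hint wording and the reading of each result are assumptions, and it should be run from a machine outside the LAN against your own WAN address.

```python
import socket
import sys

# Ports the thread forwards for a standard WHS setup (external port -> label).
WHS_PORTS = {80: "HTTP", 443: "HTTPS", 4125: "WHS remote access"}

# Assumed reading of each result; a drop-by-default firewall sends no reply.
HINTS = {
    "open": "VIP service and Untrust-to-Trust policy both pass this port",
    "refused": "something answered with a reset; check the Map to IP/Service target",
    "filtered": "no reply: VIP service or policy missing, or an upstream (ISP) block",
}

def probe(host, port, timeout=3.0):
    """Try one TCP connection and return 'open', 'refused' or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeouts, unreachable network, name resolution failure
        return "filtered"
    finally:
        sock.close()

def check_forwards(host, ports=WHS_PORTS, timeout=3.0):
    """Probe every forwarded port; return {port: (label, state, hint)}."""
    results = {}
    for port, label in sorted(ports.items()):
        state = probe(host, port, timeout)
        results[port] = (label, state, HINTS[state])
    return results

if __name__ == "__main__":
    # Usage: python check_whs_forwards.py WAN_ADDRESS [external HTTP port]
    # Pass 8080 as the second argument if HTTP was remapped as in step 9.
    if len(sys.argv) < 2:
        sys.exit("usage: check_whs_forwards.py WAN_ADDRESS [HTTP_PORT]")
    ports = dict(WHS_PORTS)
    if len(sys.argv) > 2:
        ports[int(sys.argv[2])] = ports.pop(80)
    for port, (label, state, hint) in check_forwards(sys.argv[1], ports).items():
        print(f"{port:>5} {label:<18} {state:<9} {hint}")
```

A "filtered" result on all three ports after the VIP steps matches the situation in post #4; a "filtered" result on 80 only, with 443 and 4125 open, points at an ISP block rather than the firewall.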
