This document describes why VNC traffic is blocked by the SRX even though the junos-vnc application is permitted in the security policies.
By default, the predefined junos-vnc application matches only TCP destination port 5800, which is just one of the ports VNC uses: 5800 plus the display number is the port of VNC's built-in HTTP/Java viewer, while the RFB protocol itself listens on TCP 5900 plus the display number by default. Which TCP ports are actually in use depends on the VNC implementation, its configuration and the display number.
If junos-vnc is the only application permitted in a security policy, the policy does not match VNC sessions that use any port other than TCP 5800, and the SRX drops them unless another policy permits them.
Example:
SRX configuration:
root# show security policies
from-zone trust to-zone untrust {
    policy vnc {
        match {
            source-address any;
            destination-address any;
            application junos-vnc;
        }
        then {
            permit;
        }
    }
}
The following command can be used to check the definition of the predefined junos-vnc application in Junos:
root> show configuration groups junos-defaults applications | display set | match junos-vnc
set groups junos-defaults applications application junos-vnc term t1 protocol tcp
set groups junos-defaults applications application junos-vnc term t1 destination-port 5800
Because junos-vnc only covers TCP 5800, the SRX drops any VNC session that uses a different port; no policy matches it, so it falls through to the default deny.
If the VNC clients or servers are not using TCP port 5800:
- Create a custom application that lists the TCP ports the VNC servers actually listen on.
- Reference the custom application (on its own, or together with junos-vnc in an application-set) in the security policy, so that the SRX permits the VNC service.
Note: Do not edit the predefined junos-vnc application to add ports to it. Predefined applications belong to the junos-defaults group; define a custom application instead.
For more information on how to create a custom application, refer to this article: KB10140 - How to create and use a custom application on SRX and J Series devices
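The following set commands show the procedure above end to end for the policy in the example. This is an added illustration, not configuration taken from this article or from KB10140. The application name vnc-custom, the application-set name vnc-all, the port ranges (RFB on 5900-5910 and the HTTP viewer on 5801-5810, i.e. displays :0 to :10) and the IP addresses in the verification command are assumptions for the example; replace them with the ports and hosts in your environment. Lines beginning with # are explanatory and are not Junos commands.

```junos
# Custom application covering the VNC ports actually in use (assumed ranges).
# TCP 5800 itself is left to the predefined junos-vnc application.
set applications application vnc-custom term rfb protocol tcp destination-port 5900-5910
set applications application vnc-custom term http-viewer protocol tcp destination-port 5801-5810

# Group the predefined junos-vnc and the custom application in one set, so the
# predefined application stays untouched and a single policy matches both.
set applications application-set vnc-all application junos-vnc
set applications application-set vnc-all application vnc-custom

# Replace the junos-vnc match in the existing policy with the application-set.
delete security policies from-zone trust to-zone untrust policy vnc match application junos-vnc
set security policies from-zone trust to-zone untrust policy vnc match application vnc-all
set security policies from-zone trust to-zone untrust policy vnc then permit

# Validate and apply the change.
commit check
commit comment "permit VNC on RFB and HTTP viewer ports via vnc-custom"

# Before a client connects: confirm which policy a session to display :1
# (TCP 5901) would hit. Source and destination addresses are assumed values.
run show security match-policies from-zone trust to-zone untrust source-ip 10.0.0.10 destination-ip 192.0.2.5 source-port 40000 destination-port 5901 protocol tcp

# After a client connects: confirm the session was created by policy vnc.
run show security flow session destination-port 5901
```

If show security match-policies still reports the default deny (or a different policy) for TCP 5901, check that the policy order within from-zone trust to-zone untrust has not changed and that the destination port really is inside the ranges defined in vnc-custom.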