SRX is blocking VNC traffic when junos-vnc application is permitted in the Security Policies

Article ID: KB25123 | KB Last Updated: 19 Mar 2014 | Version: 2.0

Summary:

This document describes why VNC traffic is blocked by SRX when the junos-vnc application is permitted in the security policies.

Symptoms:

By default, the predefined junos-vnc application matches only TCP port 5800, one of the ports used by VNC applications.

VNC clients and servers can use multiple TCP ports, depending on the implementation.

If junos-vnc is the only application permitted in a Security Policy configuration, the SRX may block VNC services that do not use TCP port 5800.

Example:

SRX configuration:

root# show security policies
from-zone trust to-zone untrust {
    policy vnc {
        match {
            source-address any;
            destination-address any;
            application junos-vnc;
        }
        then {
            permit;
        }
    }
}


The following command displays the definition of the predefined junos-vnc application in Junos:

root> show configuration groups junos-defaults applications | display set | match junos-vnc
set groups junos-defaults applications application junos-vnc term t1 protocol tcp
set groups junos-defaults applications application junos-vnc term t1 destination-port 5800

Cause:

The SRX may be dropping VNC traffic that does not use TCP port 5800.

Solution:

If the VNC clients or servers are not using TCP port 5800:

  • Create a custom application.
  • Reference the custom application in the Security Policies to allow the VNC service through the SRX device. 

Note: It is not advisable to edit the predefined junos-vnc application to add more ports to it.

For more information on how to create a custom application, refer to this article: KB10140 - How to create and use a custom application on SRX and J Series devices
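
The two solution steps in set format, added here as an illustration and not taken from the Juniper article. It assumes the VNC server listens on TCP port 5900; the names custom-vnc-5900 and vnc-apps and the test addresses are hypothetical.

```junos
# Run from configuration mode. Lines starting with # are comments.
# Assumption: the VNC service in use listens on TCP 5900; replace with the
# port your VNC implementation actually uses.

# 1. Create the custom application. The predefined junos-vnc (TCP 5800)
#    stays untouched, as the note above advises.
set applications application custom-vnc-5900 protocol tcp
set applications application custom-vnc-5900 destination-port 5900

# 2. Group it with the predefined application so one policy covers both
#    ports and nothing wider (hypothetical set name: vnc-apps).
set applications application-set vnc-apps application junos-vnc
set applications application-set vnc-apps application custom-vnc-5900

# 3. Reference the set in the existing policy from the example above.
delete security policies from-zone trust to-zone untrust policy vnc match application junos-vnc
set security policies from-zone trust to-zone untrust policy vnc match application vnc-apps
set security policies from-zone trust to-zone untrust policy vnc then permit

# 4. Validate and commit.
commit check
commit

# 5. Confirm which policy a VNC flow to TCP 5900 now matches
#    (constructed test addresses and source port).
run show security match-policies from-zone trust to-zone untrust source-ip 192.0.2.10 destination-ip 198.51.100.20 source-port 40000 destination-port 5900 protocol tcp
```

Listing only the ports the VNC deployment needs keeps the policy from permitting more than the intended service.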
