
Netscreen 5XP - How to Allow VNC


aatari

Technical User
Sep 26, 2003
I have a Netscreen 5XP firewall and I am trying to set up a VNC server on a computer so it can be connected to remotely (from outside the internal network via the internet). I have followed the instructions here:


However, I still cannot connect to the VNC server from a remote PC.

I have listed the VNC service in the policy tab but have no idea what ID number it should be? Should it be lower or higher?

Can someone please help me out please?

Thanks heaps.
- aatari
 
Opening Ports - The simplest way to allow VNC connections in through your firewall is to configure your firewalling software to allow connections to the VNC ports. If N is the display number of a particular VNC server then it will accept connections on port 5900+N. Configuring your firewall to allow connections to this port will allow VNC to work. If you wish to use the in-built web server and Java VNC Viewer then you will also need to allow connections to port 5800+N. Unfortunately, because VNC traffic is not encrypted, this approach weakens the security provided by your firewall, and so is not advisable.

Create a custom port by:
1. Selecting Objects > Services > Custom
2. Click New button
3. Give service name: VNC Traffic
4. No 1 select TCP radio button, Source: 5900 - 5999, Destination: 5900 - 5999.
5. Click Ok button

Create Policy:
1. Select From: Untrust, To: Trust and click New
2. Source Address: internal_network (ip address or predefined)
3. Destination: Any (or specify IP)
4. Service: VNC Traffic (custom port)
5. Action: Permit
6. Click Ok

That should allow VNC traffic. Keep in mind if your trusted interface is in NAT mode and the destination workstation is behind a router in NAT mode, then I don't think it is possible. Also, allowing all traffic through the custom port is not advisable. This config would allow a hacker the ability to gain control of a system via VNC and cause harm to your network.

Good Luck.

Paul
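An added example, not code from this thread or from Juniper/NetScreen: a small Python checker that models the custom service and policy fields named above and flags the points raised in the replies (source/destination the wrong way round, destination Any, a port range far wider than the one display 5900+N actually uses, and a source address of Any that exposes VNC to the whole Internet). The dataclasses and field names are assumptions made for the example; it also checks the client source-port range, since VNC clients connect from ephemeral ports.

```python
# Added example (not from the thread): check a NetScreen-style inbound VNC policy.
from dataclasses import dataclass

VNC_BASE = 5900       # display N listens on TCP 5900+N
VNC_WEB_BASE = 5800   # built-in web server / Java viewer on 5800+N


@dataclass
class Service:          # assumed model of Objects > Services > Custom
    name: str
    proto: str
    src_ports: tuple    # (low, high) of the client's source ports
    dst_ports: tuple    # (low, high) of the server's listening ports


@dataclass
class Policy:           # assumed model of the policy dialog fields
    from_zone: str
    to_zone: str
    src_addr: str       # "Any" or an address object name
    dst_addr: str
    service: Service
    action: str


def vnc_ports(display, with_web=False):
    """Ports a VNC server on display N listens on."""
    ports = [VNC_BASE + display]
    if with_web:
        ports.append(VNC_WEB_BASE + display)
    return ports


def review_policy(p, display):
    """Return a list of problems; an empty list means the policy looks right."""
    findings = []
    if (p.from_zone, p.to_zone) != ("Untrust", "Trust"):
        findings.append("inbound VNC must be From: Untrust, To: Trust")
    if p.src_addr.startswith("internal"):
        findings.append("source is the internal network: swap Source and Destination")
    if p.src_addr == "Any":
        findings.append("source Any lets every Internet host reach VNC; restrict it")
    if p.dst_addr == "Any":
        findings.append("destination should be the one VNC host (or its MIP), not Any")
    if p.service.proto.lower() != "tcp":
        findings.append("VNC is TCP")
    if p.service.src_ports != (0, 65535):
        findings.append("clients use ephemeral source ports; src-port must be 0-65535")
    lo, hi = p.service.dst_ports
    needed = vnc_ports(display)
    if any(not lo <= n <= hi for n in needed):
        findings.append(f"service does not include port(s) {needed}")
    elif hi - lo + 1 > len(needed):
        findings.append(f"dst-port range {lo}-{hi} is wider than the {needed} in use")
    if p.action.lower() != "permit":
        findings.append("action must be Permit")
    return findings
```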
 
Thanks Penauroth!

I appreciate your reply.

I had performed the above, however it still didn't allow a connection. I ended up using a MIP service to map an IP to a port number.

This worked fine. Thanks again for your reply - I'm not sure why that alone did not work.

Regards,
- aatari
 
Sorry.

Switch the Destination and Source address. You want the NS5XP to allow any incoming traffic through your port. My mistake.



Paul
 