Juniper SSG5, VIP and FTP server

I had a lot of problems getting my FTP server to work behind my Juniper SSG 5.
There are a couple of things you need to configure to get it to work.
The things you need to do are:

  • Enable VIP multi-port
  • Configure a custom service
  • Configure a VIP port
  • Configure a rule that allows the traffic from untrust to VIP


First you have to enable VIP multi-port. (The reason we are doing this is that otherwise the VIP service will only read the first line in the custom service.)

So start PuTTY and log on to your Juniper SSG 5. When you have logged in, enter:

set vip multi-port [enter]
save [enter]
reset [enter] (this will restart your Juniper SSG 5)

When the Juniper SSG has restarted, log on to the web interface, go to Policy – Policy Elements – Services – Custom and create a new custom service.

I used the ports 5000 – 5006 as my passive ports. When you have configured the custom service the way you want it, press OK to save it.

Now it’s time to configure the VIP. Go to Network – Interfaces – List.

On the interface with your external IP, click Edit and then VIP. Create your VIP service and choose your custom service as the service. The Virtual IP is your external IP.

The final step is to configure a policy that will allow the traffic from the internet (untrust) to your FTP server (trust). Go to Policy – Policies and create a new policy between untrust and trust.

The source address should be Any and the destination address should be VIP.
The service is the custom service that we created earlier, and the application is FTP.


If you don’t get it to work, check your ALG settings. The ALG can be found under Security – ALG; make sure that FTP is checked.
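
To narrow down a failing passive transfer, the 227/229 reply that an external client receives shows whether the advertised data port is inside the 5000 – 5006 range opened in the custom service and whether the advertised address is the VIP rather than the server's internal one. The following is an added example, not part of the original post; the VIP address 203.0.113.10, the sample replies and the function names are constructed for illustration.

```python
import ipaddress
import re

# Passive range from the custom service above; the VIP address is a
# constructed documentation address (assumption, not from the post).
PASSIVE_PORTS = range(5000, 5007)
VIP_ADDRESS = "203.0.113.10"

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(line):
    """Return (host or None, port) from a 227 (PASV) or 229 (EPSV) reply."""
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            raise ValueError("octet out of range: " + line)
        # PASV encodes the data port as two bytes: high, low.
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        return None, int(m.group(1))  # EPSV carries a port only, no address
    raise ValueError("not a passive-mode reply: " + line)


def check_passive_reply(line, vip=VIP_ADDRESS, ports=PASSIVE_PORTS):
    """List the reasons the data connection would fail through the VIP."""
    host, port = parse_passive_reply(line)
    problems = []
    if port not in ports:
        problems.append(f"port {port} outside {ports.start}-{ports.stop - 1}")
    if host is not None and host != vip:
        kind = "private" if ipaddress.ip_address(host).is_private else "unexpected"
        problems.append(f"{kind} address {host} advertised instead of {vip}")
    return problems


# Constructed sample replies, as an external client would see them.
SAMPLES = [
    "227 Entering Passive Mode (203,0,113,10,19,139)",  # VIP, port 5003
    "227 Entering Passive Mode (192,168,1,20,19,139)",  # internal address leaked
    "227 Entering Passive Mode (203,0,113,10,195,80)",  # port 50000, not opened
    "229 Entering Extended Passive Mode (|||5006|)",
]

if __name__ == "__main__":
    for reply in SAMPLES:
        print(reply, "->", check_passive_reply(reply) or "ok")
```

A port outside the range points at the FTP server's passive-port setting; an internal address in the reply points at the ALG setting or the server's advertised passive address.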

