Appendix 3: vSRX configuration

Final vSRX Junos configuration

set version 12.1X47-D20.7
set system services ssh
set interfaces ge-0/0/0 unit 0 family inet address 172.20.0.248/20
set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.1/16
set interfaces ge-0/0/2 unit 0 family inet address 10.1.2.1/24
set routing-options static route 0.0.0.0/0 next-hop 172.20.0.1
set security nat source rule-set outgoing from zone dmz
set security nat source rule-set outgoing from zone trust
set security nat source rule-set outgoing to zone untrust
set security nat source rule-set outgoing rule outgoing match source-address 0.0.0.0/0
set security nat source rule-set outgoing rule outgoing match destination-address 0.0.0.0/0
set security nat source rule-set outgoing rule outgoing then source-nat interface
set security nat static rule-set static-nat-untrust from zone untrust
set security nat static rule-set static-nat-untrust rule rule-view-pcoip match destination-address 172.20.0.249/32
set security nat static rule-set static-nat-untrust rule rule-view-pcoip then static-nat prefix 10.1.2.2/32
set security nat proxy-arp interface ge-0/0/0.0 address 172.20.0.249/32
set security policies from-zone trust to-zone untrust policy outgoing match source-address any
set security policies from-zone trust to-zone untrust policy outgoing match destination-address any
set security policies from-zone trust to-zone untrust policy outgoing match application any
set security policies from-zone trust to-zone untrust policy outgoing then permit
set security policies from-zone dmz to-zone untrust policy outgoing match source-address dmz
set security policies from-zone dmz to-zone untrust policy outgoing match destination-address any
set security policies from-zone dmz to-zone untrust policy outgoing match application any
set security policies from-zone dmz to-zone untrust policy outgoing then permit
set security policies from-zone dmz to-zone trust policy policy-vss-vcs match source-address vss01
set security policies from-zone dmz to-zone trust policy policy-vss-vcs match destination-address vcs02
set security policies from-zone dmz to-zone trust policy policy-vss-vcs match application esp
set security policies from-zone dmz to-zone trust policy policy-vss-vcs match application junos-ike
set security policies from-zone dmz to-zone trust policy policy-vss-vcs match application view-jms
set security policies from-zone dmz to-zone trust policy policy-vss-vcs match application view-jms-ssl
set security policies from-zone dmz to-zone trust policy policy-vss-vcs match application view-ajp13
set security policies from-zone dmz to-zone trust policy policy-vss-vcs then permit
set security policies from-zone dmz to-zone trust policy policy-vss-desktop match source-address vss01
set security policies from-zone dmz to-zone trust policy policy-vss-desktop match destination-address lan
set security policies from-zone dmz to-zone trust policy policy-vss-desktop match application view-pcoip
set security policies from-zone dmz to-zone trust policy policy-vss-desktop match application view-agent-blast
set security policies from-zone dmz to-zone trust policy policy-vss-desktop match application view-agent-usb
set security policies from-zone dmz to-zone trust policy policy-vss-desktop then permit
set security policies from-zone dmz to-zone trust policy policy-dns match source-address dmz
set security policies from-zone dmz to-zone trust policy policy-dns match destination-address dc01
set security policies from-zone dmz to-zone trust policy policy-dns match application junos-dns-tcp
set security policies from-zone dmz to-zone trust policy policy-dns match application junos-dns-udp
set security policies from-zone dmz to-zone trust policy policy-dns then permit
set security policies from-zone untrust to-zone dmz policy policy-vss match source-address any
set security policies from-zone untrust to-zone dmz policy policy-vss match destination-address vss01
set security policies from-zone untrust to-zone dmz policy policy-vss match application view-blast
set security policies from-zone untrust to-zone dmz policy policy-vss match application view-pcoip
set security policies from-zone untrust to-zone dmz policy policy-vss match application junos-http
set security policies from-zone untrust to-zone dmz policy policy-vss match application junos-https
set security policies from-zone untrust to-zone dmz policy policy-vss then permit
set security policies from-zone trust to-zone dmz policy policy-vcs-vss match source-address vcs02
set security policies from-zone trust to-zone dmz policy policy-vcs-vss match destination-address vss01
set security policies from-zone trust to-zone dmz policy policy-vcs-vss match application esp
set security policies from-zone trust to-zone dmz policy policy-vcs-vss match application junos-ike
set security policies from-zone trust to-zone dmz policy policy-vcs-vss then permit
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust address-book address vcs02 10.0.1.12/32
set security zones security-zone trust address-book address dc01 10.0.1.5/32
set security zones security-zone trust address-book address lan 10.0.0.0/16
set security zones security-zone trust address-book address vcs01 10.0.1.9/32
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone dmz address-book address vss01 10.1.2.2/32
set security zones security-zone dmz address-book address dmz 10.1.2.0/24
set security zones security-zone dmz interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set applications application view-pcoip term tcp-4172 protocol tcp
set applications application view-pcoip term tcp-4172 source-port 0-65535
set applications application view-pcoip term tcp-4172 destination-port 4172
set applications application view-pcoip term udp-4172 protocol udp
set applications application view-pcoip term udp-4172 source-port 0-65535
set applications application view-pcoip term udp-4172 destination-port 4172
set applications application view-blast term tcp-8443 protocol tcp
set applications application view-blast term tcp-8443 source-port 0-65535
set applications application view-blast term tcp-8443 destination-port 8443
set applications application esp term ip50 protocol 50
set applications application esp term ip50 source-port 0-65535
set applications application esp term ip50 destination-port 0-65535
set applications application view-agent-blast term tcp-22443 protocol tcp
set applications application view-agent-blast term tcp-22443 source-port 0-65535
set applications application view-agent-blast term tcp-22443 destination-port 22443
set applications application view-agent-usb term tcp-32111 protocol tcp
set applications application view-agent-usb term tcp-32111 source-port 0-65535
set applications application view-agent-usb term tcp-32111 destination-port 32111
set applications application view-jms term tcp-4001 protocol tcp
set applications application view-jms term tcp-4001 source-port 0-65535
set applications application view-jms term tcp-4001 destination-port 4001
set applications application view-jms-ssl term tcp-4002 protocol tcp
set applications application view-jms-ssl term tcp-4002 source-port 0-65535
set applications application view-jms-ssl term tcp-4002 destination-port 4002
set applications application view-ajp13 term tcp-8009 protocol tcp
set applications application view-ajp13 term tcp-8009 source-port 0-65535
set applications application view-ajp13 term tcp-8009 destination-port 8009