Question : Juniper SRX Firewall - VNC

I do not have much experience with Juniper firewalls. The following is from a Juniper SRX-240; I am trying to allow VNC Viewer to access one server.

I think the issue is with the "untrust-screen", which filters input from the outside world to our network.

It is stateless: anything not predefined is not allowed and is dropped. I have added all addresses to the address book correctly. I can access SSH and HTTP, which are configured exactly the same as below.

pool VNC {
    address 192.168.x.x/32 port 5900;
}

rule VNC_NAT {
    match {
        destination-address x.x.x.x/32;    /* outside-facing address */
        destination-port 5900;
    }
    then {
        destination-nat pool VNC;
    }
}

applications {
    application VNC {
        protocol tcp;
        source-port 5900;
        destination-port 5900;
        inactivity-timeout 3000;
    }
}

policy MMD-VNC {
    match {
        source-address x.x.x.x;        /* external address I want to allow in */
        destination-address Test01;    /* the machine hosting the VNC server */
        application VNC;
    }
    then {
        permit;
        log {
            session-init;
        }
    }
}

screen untrust-screen;
interfaces {
    vlan.1 {
        host-inbound-traffic {
            system-services {
                ssh;
                https;
                ping;
            }
        }
    }
}

From what I can see, ssh, https, and ping are allowed through on the pre-defined addresses. What would I need to add for VNC in this screen?

There seems to be no defined application in the Junos config for it.

Or would I need to configure this in the IPv4 filter options, as there is a filter on the incoming interface?


filter from-outside {
    term trusted-mgmt {
        from {
            source-address {
                x.x.x.x/32;
                x.x.x.x/32;    /* external management IPs */
            }
            destination-address {
                x.x.x.x/32;
                x.x.x.x/32;
            }
            protocol tcp;
            port [ ssh https ];
        }
        then accept;
    }

    /* ###### There are more terms here to do with VPNs etc. ######### */

    term default-deny {
        from {
            destination-address {
                x.x.x.x/32;
                x.x.x.x/32;
            }
            protocol tcp;
            tcp-initial;
        }
        then {
            log;
            syslog;
            discard;
        }
    }
    term allowed-traffic {
        then accept;
    }
}

Ta in Advance
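A Junos firewall filter is evaluated top-down and the first matching term decides; a packet that matches no term is discarded. The following is an added example, not code from the original post or from Juniper: a small Python model of the quoted from-outside term list, covering only the match conditions that filter actually uses (source-address, destination-address, protocol, port, destination-port, tcp-initial). The addresses are constructed placeholders (198.51.100.x for the management hosts, 203.0.113.x for the outside-facing addresses), the VPN terms the post elides are left out, and the allow-vnc term is an assumption used only to show the effect of term ordering (what Junos `insert term ... before term ...` does). It traces where a new TCP connection to port 5900 lands compared with an SSH connection from the same host.

```python
"""Simplified top-down evaluator for a Junos stateless firewall filter.

Added example; not from the original post. Only the match conditions
present in the quoted 'from-outside' filter are modelled. All addresses
below are constructed placeholders (the post masks its real ones).
"""
import ipaddress

# Well-known port names used in the quoted filter ("port [ ssh https ]").
PORT_NAMES = {"ssh": 22, "https": 443}

# Constructed placeholder prefixes.
MGMT_HOSTS = ["198.51.100.10/32", "198.51.100.11/32"]  # external management IPs
FW_OUTSIDE = ["203.0.113.5/32", "203.0.113.6/32"]      # outside-facing addresses

# The term list as quoted in the post (VPN-related terms omitted).
FROM_OUTSIDE = [
    {"name": "trusted-mgmt",
     "from": {"source-address": MGMT_HOSTS, "destination-address": FW_OUTSIDE,
              "protocol": "tcp", "port": ["ssh", "https"]},
     "then": "accept"},
    {"name": "default-deny",
     "from": {"destination-address": FW_OUTSIDE, "protocol": "tcp",
              "tcp-initial": True},
     "then": "discard"},
    {"name": "allowed-traffic", "from": {}, "then": "accept"},
]


def _in_prefixes(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def term_matches(term, pkt):
    """True if every 'from' condition of the term holds for the packet."""
    f = term.get("from", {})
    if "source-address" in f and not _in_prefixes(pkt["src"], f["source-address"]):
        return False
    if "destination-address" in f and not _in_prefixes(pkt["dst"], f["destination-address"]):
        return False
    if "protocol" in f and pkt["proto"] != f["protocol"]:
        return False
    # 'port' matches either the source or the destination port;
    # 'destination-port' matches only the destination port.
    if "port" in f:
        ports = {PORT_NAMES.get(p, p) for p in f["port"]}
        if pkt["sport"] not in ports and pkt["dport"] not in ports:
            return False
    if "destination-port" in f and pkt["dport"] not in f["destination-port"]:
        return False
    # tcp-initial: SYN set and ACK clear, i.e. the first packet of a new connection.
    if f.get("tcp-initial") and not (pkt["syn"] and not pkt["ack"]):
        return False
    return True


def evaluate(terms, pkt):
    """Return (term_name, action) for the first matching term.
    No match at all means an implicit discard at the end of the filter."""
    for term in terms:
        if term_matches(term, pkt):
            return term["name"], term["then"]
    return None, "discard"


def packet(src, dst, dport, proto="tcp", sport=40000, syn=True, ack=False):
    """Build a constructed packet description; defaults describe a TCP SYN."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport,
            "dport": dport, "syn": syn, "ack": ack}


def insert_term_before(terms, new_term, before_name):
    """Return a copy of the term list with new_term placed ahead of the named term
    (the effect of Junos 'insert term <new> before term <before>')."""
    idx = next(i for i, t in enumerate(terms) if t["name"] == before_name)
    return terms[:idx] + [new_term] + terms[idx:]


# Hypothetical term used only to demonstrate ordering; not from the post.
ALLOW_VNC = {"name": "allow-vnc",
             "from": {"source-address": MGMT_HOSTS, "destination-address": FW_OUTSIDE,
                      "protocol": "tcp", "destination-port": [5900]},
             "then": "accept"}

if __name__ == "__main__":
    mgmt, fw = "198.51.100.10", "203.0.113.5"
    print("ssh SYN      :", evaluate(FROM_OUTSIDE, packet(mgmt, fw, 22)))
    print("vnc SYN      :", evaluate(FROM_OUTSIDE, packet(mgmt, fw, 5900)))
    print("vnc SYN-ACK  :", evaluate(FROM_OUTSIDE, packet(mgmt, fw, 5900, syn=True, ack=True)))
    reordered = insert_term_before(FROM_OUTSIDE, ALLOW_VNC, "default-deny")
    print("vnc SYN (new):", evaluate(reordered, packet(mgmt, fw, 5900)))
```

The point the trace makes is that trusted-mgmt only accepts the ssh and https ports, so the first packet of a VNC connection falls through to default-deny, whose tcp-initial condition matches exactly that SYN and discards it. Later packets of the same flow would pass via allowed-traffic, but the handshake never completes, which is why a permitting security policy alone does not make the session work when such a filter sits on the inbound interface.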

Answer : Juniper SRX Firewall - VNC

Done it with an SSH Tunnel :D  