[j-nsp] JUNOS and MS RPC

Glenn Krutsinger GKrutsinger at compassion.com
Sun Apr 3 09:56:49 EDT 2011


Thanks for the feedback.

Is this common for firewall vendors, where the full dynamic range needs to be opened to support RPC, or is this a failing of JUNOS? I've only dealt with ScreenOS and JUNOS. I'm looking for more information to take back to the governance folks. The other options, I suppose, are to go through all of our DCs and define static RPC ports in the registry or set up IPsec sessions between the servers.

Glenn

From: "Scott T. Cameron" <routehero at gmail.com>
Date: Sat, 2 Apr 2011 15:38:22 -0600
To: Glenn Krutsinger <gkrutsinger at compassion.com>
Cc: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
Subject: Re: [j-nsp] JUNOS and MS RPC

I've got two sets of SRX3400 clusters, and the ALGs should come with:  caveat emptor.

Nice on paper and very similar to Linux conntrack modules, but in reality the rule of thumb is it's better to have them disabled.

In the case of Microsoft, their technical papers will say your firewall should allow 1024-65535 open.  In my datacenters, the only place where I find this to be necessary is to domain controllers.  Most other MS software can happily run off a specific TCP port.

YMMV.

Scott

On Sat, Apr 2, 2011 at 4:33 PM, Glenn Krutsinger <GKrutsinger at compassion.com> wrote:
Hello all,

Is anyone running MS products through SRX firewalls? How are you getting RPC to work? According to engineering, the ScreenOS "ms-rpc-any" isn't included in JUNOS, although, I do see the ALG catching the info based off of endpoint mapper sessions. Add to that the fact that MS changed their port range for RPC with Server 2008 has given me some real fun conversations with our server team.

Thanks,
Glenn
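The "define static RPC ports in the registry" option raised above is the usual way to avoid opening 1024-65535 (or the Server 2008+ range of 49152-65535) on the firewall for domain controllers. The script below is an added example, not part of the list thread or Juniper's or Microsoft's own tooling: it audits, and with -Apply sets, the Microsoft-documented registry values that pin AD replication (NTDS "TCP/IP Port") and Netlogon ("DCTcpipPort") to fixed ports, and shows the dynamic range via netsh. The port numbers 5000 and 5001 and the range 49152/16384 are assumptions for illustration; pick values that fit your environment.

```powershell
<#
  Added example (not from the juniper-nsp thread): audit, and optionally set,
  the Windows-side settings that let a firewall policy avoid opening the whole
  dynamic RPC range to a domain controller. Registry value names and the netsh
  syntax are the Microsoft-documented ones; the port numbers below are assumed
  for illustration. Run as Administrator on the DC; the NTDS/Netlogon values
  take effect after a reboot. Supports -WhatIf via ShouldProcess.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply,
    [int]$NtdsPort     = 5000,   # assumed static port for AD replication (NTDS)
    [int]$NetlogonPort = 5001,   # assumed static port for Netlogon RPC
    [int]$RangeStart   = 49152,  # dynamic range start (Server 2008+ default)
    [int]$RangeCount   = 16384   # number of ports in the dynamic range
)

# Each entry: registry path, value name, and the port we expect to find there.
$staticPorts = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';
       Name = 'TCP/IP Port'; Port = $NtdsPort },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';
       Name = 'DCTcpipPort'; Port = $NetlogonPort }
)

foreach ($entry in $staticPorts) {
    # A missing value means the service still picks a port from the dynamic range.
    $current = (Get-ItemProperty -Path $entry.Path -Name $entry.Name `
                -ErrorAction SilentlyContinue).($entry.Name)
    if ($null -eq $current) {
        Write-Host ("{0}\{1}: not set (service uses a dynamic port)" -f $entry.Path, $entry.Name)
    } else {
        Write-Host ("{0}\{1}: {2}" -f $entry.Path, $entry.Name, $current)
    }
    if ($Apply -and $current -ne $entry.Port) {
        if ($PSCmdlet.ShouldProcess("$($entry.Path)\$($entry.Name)", "set to $($entry.Port)")) {
            New-ItemProperty -Path $entry.Path -Name $entry.Name -PropertyType DWord `
                -Value $entry.Port -Force | Out-Null
        }
    }
}

# Everything that still goes through the endpoint mapper (TCP 135) lands in this
# range, so it is what the firewall policy has to allow in addition to the
# static ports above. IPv6 has its own range (netsh interface ipv6 ...).
Write-Host "Current dynamic TCP port range (IPv4):"
netsh interface ipv4 show dynamicport tcp

if ($Apply -and $PSCmdlet.ShouldProcess("IPv4 dynamic TCP range", "set to start=$RangeStart num=$RangeCount")) {
    netsh interface ipv4 set dynamicport tcp start=$RangeStart num=$RangeCount
}
```

Run it without -Apply first to see what each DC is actually using; only the audit output is produced. With the static ports set, the SRX policy towards the DCs needs TCP 135 plus the two chosen ports for replication and Netlogon, and the narrowed dynamic range only for whatever other RPC services remain, which is a much smaller exposure than an "any" rule and does not depend on the MS-RPC ALG tracking endpoint mapper sessions correctly.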


_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp