[j-nsp] JUNOS and MS RPC

OBrien, Will ObrienH at missouri.edu
Sun Apr 3 12:02:27 EDT 2011


I've run into similar odd issues even with Cisco - for instance the ASA seems to enjoy eating email (not even dynamic here) when a certain logging feature is turned on.

The best argument for an ALG that I've seen is for SIP connectivity, but those ALGs are usually somewhat lame too.

On Apr 3, 2011, at 8:56 AM, Glenn Krutsinger wrote:

> Thanks for the feedback.
> 
> Is this common for firewall vendors, where the full dynamic range needs to be opened to support RPC, or is this a failing of JUNOS? I've only dealt with ScreenOS and JUNOS. I'm looking for more information to take back to the governance folks. The other options, I suppose, are to go through all of our DCs and define static RPC ports in the registry or set up IPsec sessions between the servers.
> 
> Glenn
> 
> From: "Scott T. Cameron" <routehero at gmail.com>
> Date: Sat, 2 Apr 2011 15:38:22 -0600
> To: Glenn Krutsinger <gkrutsinger at compassion.com>
> Cc: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
> Subject: Re: [j-nsp] JUNOS and MS RPC
> 
> I've got two sets of SRX3400 clusters, and the ALGs should come with:  caveat emptor.
> 
> Nice on paper and very similar to Linux conntrack modules, but in reality the rule of thumb is it's better to have them disabled.
> 
> In the case of Microsoft, their technical papers will say your firewall should allow 1024-65535 open.  In my datacenters, the only place where I find this to be necessary is to domain controllers.  Most other MS software can happily run off a specific TCP port.
> 
> YMMV.
> 
> Scott
> 
> On Sat, Apr 2, 2011 at 4:33 PM, Glenn Krutsinger <GKrutsinger at compassion.com> wrote:
> Hello all,
> 
> Is anyone running MS products through SRX firewalls? How are you getting RPC to work? According to engineering, the ScreenOS "ms-rpc-any" isn't included in JUNOS, although I do see the ALG catching the info based off of endpoint mapper sessions. Add to that the fact that MS changed their port range for RPC with Server 2008, which has given me some real fun conversations with our server team.
> 
> Thanks,
> Glenn
> 
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
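As an added example for the "define static RPC ports in the registry" option discussed above (this is not code from the thread or from Juniper), the following PowerShell audit reports, from the Windows server side, what a firewall in front of a domain controller actually has to permit: the fixed endpoint mapper port (TCP 135), the host's current dynamic RPC range (49152-65535 by default from Server 2008 onward, 1025-5000 on earlier releases), and whether AD DS replication and Netlogon have been pinned to static ports via Microsoft's documented registry values (NTDS "TCP/IP Port" and Netlogon "DCTcpipPort"). It assumes an elevated session and English-language netsh output; the regular expressions that parse that output are an assumption of this example.

```powershell
# Added example, not from the mailing-list thread. Run elevated on the Windows host.
# Assumption: netsh prints "Start Port" and "Number of Ports" lines (English locale).

function Get-RpcDynamicRange {
    # netsh reports the ephemeral/dynamic range RPC servers bind to, e.g.
    #   Start Port      : 49152
    #   Number of Ports : 16384
    $out   = netsh int ipv4 show dynamicport tcp
    $start = ($out | Select-String 'Start Port\s*:\s*(\d+)'      | Select-Object -First 1).Matches[0].Groups[1].Value
    $count = ($out | Select-String 'Number of Ports\s*:\s*(\d+)' | Select-Object -First 1).Matches[0].Groups[1].Value
    [pscustomobject]@{
        Start = [int]$start
        End   = [int]$start + [int]$count - 1
    }
}

function Get-StaticRpcPorts {
    # Registry values Microsoft documents for pinning DC RPC services to a fixed TCP port.
    # A missing value means the service still picks a port from the dynamic range.
    $items = @(
        @{ Name = 'AD DS replication (NTDS)'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Value = 'TCP/IP Port' },
        @{ Name = 'Netlogon';                 Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Value = 'DCTcpipPort' }
    )
    foreach ($i in $items) {
        $v = Get-ItemProperty -Path $i.Path -Name $i.Value -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service = $i.Name
            Port    = if ($v) { [int]$v.($i.Value) } else { $null }
        }
    }
}

function Show-RpcFirewallRequirements {
    # Summarise what a stateful firewall without a working MS-RPC ALG must allow.
    $dyn = Get-RpcDynamicRange
    Write-Host 'Endpoint mapper : TCP 135 (always required for RPC clients)'
    Write-Host ('Dynamic range   : TCP {0}-{1} ({2} ports)' -f $dyn.Start, $dyn.End, ($dyn.End - $dyn.Start + 1))
    foreach ($s in Get-StaticRpcPorts) {
        if ($s.Port) {
            Write-Host ('{0}: pinned to TCP {1}; firewall rule can be narrowed to 135 + {1}' -f $s.Service, $s.Port)
        } else {
            Write-Host ('{0}: not pinned; firewall must allow the whole dynamic range' -f $s.Service)
        }
    }
}

Show-RpcFirewallRequirements
```

Pinning the two AD services still leaves other RPC consumers (FRS/DFSR, certificate services, WMI) on the dynamic range, so run the audit again after each change; and if the dynamic range itself is narrowed with `netsh int ipv4 set dynamicport tcp`, leave enough ports for the host's outbound connections or you trade a firewall problem for port exhaustion.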
