Agreed. ALGs seem to always cause headaches. Turn them off and pretend they don't exist and you'll be better off. (Think of them like that crazy guy/girl you wanted to date in High School... Same thing really.)

On Apr 2, 2011, at 4:38 PM, Scott T. Cameron wrote:

> I've got two sets of SRX3400 clusters, and the ALGs should come with:
> caveat emptor.
>
> Nice on paper and very similar to Linux conntrack modules, but in reality
> the rule of thumb is it's better to have them disabled.
>
> In the case of Microsoft, their technical papers will say your firewall
> should allow 1024-65535 open. In my datacenters, the only place where I
> find this to be necessary is to domain controllers. Most other MS software
> can happily run off a specific TCP port.
>
> YMMV.
>
> Scott
>
> On Sat, Apr 2, 2011 at 4:33 PM, Glenn Krutsinger <gkrutsin...@compassion.com> wrote:
>
>> Hello all,
>>
>> Is anyone running MS products through SRX firewalls? How are you getting
>> RPC to work? According to engineering, the ScreenOS "ms-rpc-any" isn't
>> included in JUNOS, although, I do see the ALG catching the info based off of
>> endpoint mapper sessions. Add to that the fact that MS changed their port
>> range for RPC with Server 2008 has given me some real fun conversations with
>> our server team.
>>
>> Thanks,
>> Glenn
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp