I've run into similar odd issues even with Cisco - for instance the ASA seems 
to enjoy eating email (not even dynamic here) when a certain logging feature is 
turned on.

The best argument for an ALG that I've seen is for SIP connectivity, but those 
ALGs are usually somewhat lame too.

On Apr 3, 2011, at 8:56 AM, Glenn Krutsinger wrote:

> Thanks for the feedback.
> 
> Is this common for firewall vendors, where the full dynamic range needs to be 
> opened to support RPC, or is this a failing of JUNOS? I've only dealt with 
> ScreenOS and JUNOS. I'm looking for more information to take back to the 
> governance folks. The other options, I suppose, are to go through all of our 
> DCs and define static RPC ports in the registry or set up IPsec sessions 
> between the servers.
> 
> Glenn
> 
> From: "Scott T. Cameron" <routeh...@gmail.com>
> Date: Sat, 2 Apr 2011 15:38:22 -0600
> To: Glenn Krutsinger <gkrutsin...@compassion.com>
> Cc: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
> Subject: Re: [j-nsp] JUNOS and MS RPC
> 
> I've got two sets of SRX3400 clusters, and the ALGs should come with: caveat 
> emptor.
> 
> Nice on paper and very similar to Linux conntrack modules, but in reality the 
> rule of thumb is it's better to have them disabled.
> 
> In the case of Microsoft, their technical papers will say your firewall 
> should allow 1024-65535 open.  In my datacenters, the only place where I find 
> this to be necessary is to domain controllers.  Most other MS software can 
> happily run off a specific TCP port.
> 
> YMMV.
> 
> Scott
> 
> On Sat, Apr 2, 2011 at 4:33 PM, Glenn Krutsinger 
> <gkrutsin...@compassion.com> wrote:
> Hello all,
> 
> Is anyone running MS products through SRX firewalls? How are you getting RPC 
> to work? According to engineering, the ScreenOS "ms-rpc-any" isn't included 
> in JUNOS, although I do see the ALG catching the info based off of endpoint 
> mapper sessions. Add to that the fact that MS changed their port range for 
> RPC with Server 2008, which has given me some real fun conversations with our 
> server team.
> 
> Thanks,
> Glenn
> 
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp


_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
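As an added example (not configuration from anyone in this thread), here is what Scott's approach looks like in Junos on an SRX: the MS-RPC ALG switched off, and the dynamic range opened only towards the domain controllers rather than to everything. The zone names, the address-book entries and the policy name are assumptions; the range 49152-65535 is the default RPC dynamic range on Windows Server 2008 and later (the 1024-65535 range Scott quotes is the pre-2008 default, and a DC that has had its range pinned in the registry, as Glenn considers doing, needs whatever range was set there instead).

```text
## Added example, not from the thread. Zone, address and policy names are assumed.

## Scott's rule of thumb: run without the ALG and match ports explicitly.
set security alg msrpc disable

## Endpoint mapper plus the Server 2008+ default dynamic range.
set applications application ms-rpc-epm protocol tcp destination-port 135
set applications application ms-rpc-dynamic protocol tcp destination-port 49152-65535

## Only the domain controllers get the wide range (assumed addresses).
set security address-book global address dc-01 10.0.0.10/32
set security address-book global address dc-02 10.0.0.11/32
set security address-book global address-set domain-controllers address dc-01
set security address-book global address-set domain-controllers address dc-02

## Permit and log so the sessions are visible when something does break.
set security policies from-zone trust to-zone dc policy allow-ms-rpc-to-dcs match source-address any
set security policies from-zone trust to-zone dc policy allow-ms-rpc-to-dcs match destination-address domain-controllers
set security policies from-zone trust to-zone dc policy allow-ms-rpc-to-dcs match application ms-rpc-epm
set security policies from-zone trust to-zone dc policy allow-ms-rpc-to-dcs match application ms-rpc-dynamic
set security policies from-zone trust to-zone dc policy allow-ms-rpc-to-dcs then permit
set security policies from-zone trust to-zone dc policy allow-ms-rpc-to-dcs then log session-close
```

After committing, `show security alg status` confirms the ALG is actually off on the box, and on the Windows side `netsh int ipv4 show dynamicport tcp` reports the range a given server really hands out, so the firewall application can be checked against the servers instead of against the vendor paper.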