Re: [j-nsp] JUNOS and MS RPC

2011-04-13 Thread Glenn Krutsinger
Clarke,

Thanks for the examples.

My first thought was to build custom UUID applications, but I soon decided
that wasn't an option. MS can't even provide an accurate list of UUIDs
without going to the individual product teams. Managing the list, with MS'
almost whimsical approach to standards and consistency, would also be a
nightmare.

With all the active JUNOS code lines, it's hard to find out where things
are patched, and what those patch comments really mean. I haven't tested
any code beyond the current JTAC recommended.

Glenn

On 4/13/11 9:03 AM, "Clarke Morledge" wrote:




___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] JUNOS and MS RPC

2011-04-13 Thread Pavel Lunin




> Is anyone running MS products through SRX firewalls? How are you getting
> RPC to work? According to engineering, the ScreenOS "ms-rpc-any" isn't
> included in JUNOS, although, I do see the ALG catching the info based
> off of endpoint mapper sessions.
>
> [….]
>
> Supposedly, according to JTAC, there are MS RPC ALG fixes in 10.4R3,
> but I have not tested it that far yet.
>
> I'd be curious to know if you have found any success.


Skimmed very quickly through the thread and haven't found any mention of
the JUNOS version on which you are trying to make it work. I didn't really
try much to sort out the details of your issue, so excuse me if that's
not the case.


We bumped into PR537186 with, I think, 10.3R1 about half a year ago while
trying to find a version that works stably for clusters. It was just
before 10.2R3 was released (in which this PR was fixed). If you
trace the MS-RPC traffic using security-flow-traceoptions and see
"packet dropped, denied by gate_hit callback", it seems to be the case
of this PR.


According to its description, it should be fixed in 10.2R3 (which I can
confirm), 10.3R2 and 11.1R1. No mention of 10.4 at all somehow. I have no
idea why.


--
Regards,
Pavel


Re: [j-nsp] JUNOS and MS RPC

2011-04-13 Thread Clarke Morledge

Glenn said:

> Is anyone running MS products through SRX firewalls? How are you getting
> RPC to work? According to engineering, the ScreenOS "ms-rpc-any" isn't
> included in JUNOS, although, I do see the ALG catching the info based
> off of endpoint mapper sessions.

---

Glenn,

I have been struggling with the MS-RPC ALG for weeks now in version 10.1R4 
without any success.   My workaround has been to leave the entire range of 
ephemeral ports above 1024/tcp open, which isn't ideal.


What I have been able to learn is that in addition to allowing the control 
session for RPC to go through via the "junos-ms-rpc" default application, 
you have to also specify the application for the dynamic port.  In my 
case, the UUID for my MS RPC application does not have a corresponding 
default defined in the hidden junos-defaults config group, so I have to 
define my own, "ms-rpc-epm-dynamic", as in my example below.


Here is how I found out what my version of Junos has defined for the 
defaults:


show configuration groups junos-defaults | find junos-ms-rpc
application junos-ms-rpc-tcp {
    term t1 alg ms-rpc protocol tcp destination-port 135;
}
application junos-ms-rpc-udp {
    term t1 alg ms-rpc protocol udp destination-port 135;
}
#
#  Microsoft RPC EPM (End Point Mapper)
#
application junos-ms-rpc-epm {
    term t1 protocol tcp uuid e1af8308-5d1f-11c9-91a4-08002b14a0fa;
}

etc.


Here is a snippet of the type of config I have been using (I am assuming 
this is all TCP, not UDP):


policy Test-Inbound {
    match {
        source-address Campus;
        destination-address MS-RPC-Servers;
        application [ ms-rpc-epm-dynamic junos-ms-rpc-tcp ];
    }
    then {
        permit;
        log {
            session-init;
            session-close;
        }
    }
}
application ms-rpc-epm-dynamic {
    term t1 protocol tcp uuid ----;
}


Unfortunately, the SRX is dropping the dynamic session (via a subsequent
deny policy, or the default deny policy) about half a dozen or a dozen
packets into the session. And like you, I see that the SRX is catching
the endpoint mapper sessions correctly, but it just isn't maintaining the
context correctly throughout the life of the dynamic connection.


Supposedly, according to JTAC, there are MS RPC ALG fixes in 10.4R3, but I 
have not tested it that far yet.


I'd be curious to know if you have found any success.

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
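
As an added example (not from the thread, and not Juniper's code), a small Python parser over the "show configuration groups junos-defaults" output quoted in Clarke's mail: it extracts each default application's alg/protocol/port/uuid, checks whether a given interface UUID already has a default application, and otherwise renders the custom application stanza he had to define himself. The sample output is constructed from the excerpt (only the EPM UUID is the real one); the function names and the placeholder UUID in the comments are assumptions.

```python
import re

# Constructed sample of the "show configuration groups junos-defaults" output from the mail (only the EPM UUID is real).
SAMPLE_DEFAULTS = """\
application junos-ms-rpc-tcp {
    term t1 alg ms-rpc protocol tcp destination-port 135;
}
application junos-ms-rpc-udp {
    term t1 alg ms-rpc protocol udp destination-port 135;
}
# Microsoft RPC EPM (End Point Mapper)
application junos-ms-rpc-epm {
    term t1 protocol tcp uuid e1af8308-5d1f-11c9-91a4-08002b14a0fa;
}
"""
APP_RE = re.compile(r"^application\s+(\S+)\s*\{$")
TERM_RE = re.compile(r"^term\s+\S+\s+(.*);$")
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def parse_applications(text):
    """Map each 'application NAME { term ... }' stanza to its keyword/value pairs
    (alg, protocol, destination-port, uuid). Comments and blank lines are skipped."""
    apps, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = APP_RE.match(line)
        if m:
            current = m.group(1)
            apps[current] = {}
        elif line == "}":
            current = None
        elif current is not None and (m := TERM_RE.match(line)):
            tokens = m.group(1).split()  # e.g. ["protocol", "tcp", "uuid", "e1af..."]
            apps[current].update(zip(tokens[0::2], tokens[1::2]))
    return apps

def default_app_for_uuid(apps, uuid):
    """Name of the default application that already carries this UUID, else None."""
    if not UUID_RE.match(uuid):
        raise ValueError(f"not a well-formed UUID: {uuid!r}")
    return next((n for n, a in apps.items() if a.get("uuid", "").lower() == uuid.lower()), None)

def custom_app_stanza(name, uuid, protocol="tcp"):
    """Render the custom application stanza needed when no default carries the UUID."""
    if not UUID_RE.match(uuid):
        raise ValueError(f"not a well-formed UUID: {uuid!r}")
    return f"application {name} {{\n    term t1 protocol {protocol} uuid {uuid.lower()};\n}}"
```

Feed it the real output of that show command (with "| no-more") to see whether the UUID your application advertises through the endpoint mapper is already covered before adding your own stanza.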



Re: [j-nsp] JUNOS and MS RPC

2011-04-03 Thread OBrien, Will
I've run into similar odd issues even with Cisco - for instance the ASA seems
to enjoy eating email (not even dynamic here) when a certain logging feature is
turned on.

The best argument for an ALG that I've seen is for SIP connectivity, but those 
ALGs are usually somewhat lame too.

On Apr 3, 2011, at 8:56 AM, Glenn Krutsinger wrote:





Re: [j-nsp] JUNOS and MS RPC

2011-04-03 Thread Glenn Krutsinger
Thanks for the feedback.

Is this common for firewall vendors, where the full dynamic range needs to be
opened to support RPC, or is this a failing of JUNOS? I've only dealt with
ScreenOS and JUNOS. I'm looking for more information to take back to the
governance folks. The other options, I suppose, are to go through all of our
DCs and define static RPC ports in the registry or set up IPsec sessions
between the servers.

Glenn

From: "Scott T. Cameron" <routeh...@gmail.com>
Date: Sat, 2 Apr 2011 15:38:22 -0600
To: Glenn Krutsinger <gkrutsin...@compassion.com>
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] JUNOS and MS RPC






Re: [j-nsp] JUNOS and MS RPC

2011-04-02 Thread OBrien, Will
Agreed. ALGs seem to always cause headaches. Turn them off and pretend they 
don't exist and you'll be better off.  (Think of them like that crazy guy/girl 
you wanted to date in High School... Same thing really.)

On Apr 2, 2011, at 4:38 PM, Scott T. Cameron wrote:





Re: [j-nsp] JUNOS and MS RPC

2011-04-02 Thread Scott T. Cameron
I've got two sets of SRX3400 clusters, and the ALGs should come with:
caveat emptor.

Nice on paper and very similar to Linux conntrack modules, but in reality
the rule of thumb is it's better to have them disabled.

In the case of Microsoft, their technical papers will say your firewall
should allow 1024-65535 open.  In my datacenters, the only place where I
find this to be necessary is to domain controllers.  Most other MS software
can happily run off a specific TCP port.

YMMV.

Scott

On Sat, Apr 2, 2011 at 4:33 PM, Glenn Krutsinger wrote:



[j-nsp] JUNOS and MS RPC

2011-04-02 Thread Glenn Krutsinger
Hello all,

Is anyone running MS products through SRX firewalls? How are you getting RPC to
work? According to engineering, the ScreenOS "ms-rpc-any" isn't included in
JUNOS, although, I do see the ALG catching the info based off of endpoint
mapper sessions. Add to that the fact that MS changed their port range for RPC
with Server 2008, which has given me some real fun conversations with our server team.

Thanks,
Glenn

