SRX Services Gateway
Visitor
rsharpe@otn.ca
Posts: 2
Registered: 04-08-2011

Active Directory Firewall Policy

I have been trying for the last couple of days to allow a Win2008R2 Server to be promoted to a domain controller, however my current rule set has been unsuccessful in allowing this communication. My goal is to permit this using the UUIDs specified in the RPC communication, however the server keeps erroring out with "The RPC server is unavailable".

Attached is my config, as well as a flow trace. I have also used the references below to allow the communication.

In the trace I can see the flow being dropped, but I can't figure out why because I've allowed the proper UUIDs and ports. Why isn't the dynamic port being opened as it should?

http://kb.juniper.net/InfoCenter/index?page=content&id=KB12057

http://social.technet.microsoft.com/wiki/contents/articles/active-directory-replication-over-firewal...

http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfig-security/understandin...

Trusted Expert
WL
Posts: 790
Registered: 07-26-2008

Re: Active Directory Firewall Policy

Can you add some traceoptions:

set security traceoptions file tt
set security traceoptions flag all
set security alg msrpc traceoptions flag all

The ALG traceoption output should go to the above-mentioned file. Looks like there was no dynamic gate opened for the traffic, so you will need to take a look at the traceoptions to see why the mapping was not created. Also:

show security resource-manager group active

This should show you if the mapping is there or not. I would also suggest a packet capture together with the flow trace at the same time, just to make sure that the OIDs and the port mapping are correct.
****pls click the button " Accept as Solution" if my post helped to solve your problem****
Visitor
rsharpe@otn.ca
Posts: 2
Registered: 04-08-2011

Re: Active Directory Firewall Policy

I applied the traceoptions and tried the DCPROMO. I have attached the packet captures and trace output in the zip file. I have also modified the policy slightly to include the "junos-ms-rpc-epm" application as opposed to just the "junos-ms-rpc" application-set. Also to note, when I did the "show security resource-manager groups active" it told me there were 677 groups, and 0 were active.

admin@srx-qa> show configuration security traceoptions
file jtac-trace-for-alg size 5m files 5 world-readable;
flag all;

{primary:node0}
admin@srx-qa> show configuration security alg
h323 disable;
mgcp disable;
msrpc traceoptions flag all;
sccp disable;

{primary:node0}
admin@srx-qa> show configuration security flow traceoptions
file jtac-trace-for-alg size 2m files 5 world-readable;
flag all;
packet-filter f1 {
    source-prefix 192.168.129.101/32;
    destination-prefix 192.168.130.101/32;
}
packet-filter f2 {
    source-prefix 192.168.130.101/32;
    destination-prefix 192.168.129.101/32;
}
Trusted Expert
WL
Posts: 790
Registered: 07-26-2008

Re: Active Directory Firewall Policy

Hi there, which release are you running? There was an issue previously, which should be fixed in the following releases: 10.2R3, 11.1R1, 10.3R2 (PR537186), where traffic was dropped due to no UUID match. Was this working previously for you? Also, could you change the debug filename for the following to a different file so that it's not the same one as in the flow traceoptions? We need to take a look at the traces separately.
****pls click the button " Accept as Solution" if my post helped to solve your problem****
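As an added example (not the poster's attached configuration and not Juniper's own code), here is the trace and policy setup the two replies above converge on, written as Junos set commands: the ALG trace and the flow trace go to separate files, and the policy permits the endpoint mapper application alongside the predefined junos-ms-rpc application-set, which is what the ALG needs in order to open the dynamic gate for the port the mapper hands back. The two host addresses are the ones in the thread's packet filter; the file names (alg-trace, flow-trace), zone names (trust, dc), address names (host-a, host-b) and policy name are assumed placeholders.

```junos
# Added example, not the thread's own configuration. Zone names, address names,
# file names and the policy name are assumed placeholders.

# ALG trace in its own file, separate from the flow trace (as asked in the last reply)
set security traceoptions file alg-trace size 5m files 5 world-readable
set security traceoptions flag all
set security alg msrpc traceoptions flag all

# Flow trace in a second file, limited to the two hosts being traced
set security flow traceoptions file flow-trace size 2m files 5 world-readable
set security flow traceoptions flag all
set security flow traceoptions packet-filter f1 source-prefix 192.168.129.101/32
set security flow traceoptions packet-filter f1 destination-prefix 192.168.130.101/32
set security flow traceoptions packet-filter f2 source-prefix 192.168.130.101/32
set security flow traceoptions packet-filter f2 destination-prefix 192.168.129.101/32

# Address-book entries so the policy is scoped to the two hosts rather than "any"
set security zones security-zone trust address-book address host-a 192.168.129.101/32
set security zones security-zone dc address-book address host-b 192.168.130.101/32

# Permit the endpoint mapper (junos-ms-rpc-epm) plus the MS-RPC application-set
# (junos-ms-rpc); the msrpc ALG then opens the dynamic port negotiated via the mapper
set security policies from-zone trust to-zone dc policy allow-ad-rpc match source-address host-a
set security policies from-zone trust to-zone dc policy allow-ad-rpc match destination-address host-b
set security policies from-zone trust to-zone dc policy allow-ad-rpc match application junos-ms-rpc-epm
set security policies from-zone trust to-zone dc policy allow-ad-rpc match application junos-ms-rpc
set security policies from-zone trust to-zone dc policy allow-ad-rpc then permit
```

After another DCPROMO attempt, "show security resource-manager group active" (from the first reply) shows whether the ALG actually created a gate for the session, and "show log alg-trace" and "show log flow-trace" can then be read separately, so a policy drop in the flow trace can be matched against the UUID handling in the ALG trace.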