ScreenOS Firewalls (NOT SRX)
Visitor
Ante
Posts: 6
Registered: 08-17-2009

Application using DCOM

Hi,

The company I work for has recently bought an IP-phone solution with a remote dialer hosted by another company. I have established a VPN connection to that company and most of the communication is working fine (SIP, MSSQL...).

The problem is that there is an application in this solution that uses DCOM and I can't seem to get this working, and I have no intention of opening 64000 ports or something like that to get this to work.

I think I have tried all variations of RPC services, and turning ALGs on and off, but I still get packet drops on these random TCP ports that DCOM/RPC assigns.

Is there someone that can give me a hint on a solution, if there even is one...?

Our firewall is a SSG5 running OS version 6.1.0r6.0

Super Contributor
mehdi
Posts: 240
Registered: 08-19-2008

Re: Application using DCOM

Hi,

I think you should enable the MS-RPC ALG and apply on the policy the service RPC and the application MS-RPC-EPM.

Question: which ports are dropped by the firewall?

Thanks

Kind regards,
http://www.linkedin.com/in/mkhitmane
personal mail: mehdi.khitmane@gmail.com
Trusted Contributor
Nemanja
Posts: 23
Registered: 03-17-2009

Re: Application using DCOM

Hi Ante,

First please make sure that your DCE/MSRPC service is using TCP (port 135 is initially used by EPM and then some high port >1024 is used for the application).

MSRPC can also use UDP/SMB/HTTP; these are not supported by the MSRPC ALG.

You should configure a policy between client and server like this:

set policy from <zone-x> to <zone-y> <client-ip> <server-ip> MS-RPC-ANY permit

This should allow all MSRPC communication, including EPM on port 135 and a high port that is dynamically opened by the ALG.

The ALG decodes MSRPC communication on port 135 and creates a table of IPs and ports that are sent to the client by the server.

You can see this table using the command:

get service map-ms-rpc

If you still have problems then you might want to collect "debug flow basic" information for this traffic.

Hope this helps.

Thanks,

Nemanja


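To show what the ALG is doing when it builds that table, here is an added Python example (not from this thread and not ScreenOS code): it encodes and decodes the DCE RPC protocol tower that the endpoint mapper returns on port 135 and pulls the server IP and dynamic TCP port out of it, which is exactly the pair the firewall needs to pinhole instead of opening a whole port range. The floor layout is assumed from the DCE RPC tower encoding; the interface UUID and the tower bytes are constructed sample data.

```python
import struct
import uuid

# Protocol identifiers from the DCE RPC tower encoding (assumed from DCE 1.1
# RPC spec, Appendix I; MS-RPCE endpoint mapping uses the same floors).
PROTO_UUID = 0x0D    # floor carries a UUID plus a major version
PROTO_RPC_CO = 0x0B  # connection-oriented RPC
PROTO_TCP = 0x07     # RHS is the TCP port, big-endian
PROTO_IP = 0x09      # RHS is the IPv4 address
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR 2.0

def build_tower(iface: uuid.UUID, ip: str, port: int) -> bytes:
    """Constructed EPM-style tower announcing `iface` on tcp://ip:port."""
    floors = [
        (bytes([PROTO_UUID]) + iface.bytes_le + b"\x01\x00", b"\x00\x00"),
        (bytes([PROTO_UUID]) + NDR_SYNTAX.bytes_le + b"\x02\x00", b"\x00\x00"),
        (bytes([PROTO_RPC_CO]), b"\x00\x00"),
        (bytes([PROTO_TCP]), struct.pack(">H", port)),
        (bytes([PROTO_IP]), bytes(int(o) for o in ip.split("."))),
    ]
    out = struct.pack("<H", len(floors))
    for lhs, rhs in floors:  # each floor: LHS length, LHS, RHS length, RHS
        out += struct.pack("<H", len(lhs)) + lhs + struct.pack("<H", len(rhs)) + rhs
    return out

def parse_tower(tower: bytes) -> dict:
    """Walk the floors the way an ALG would and pull out the announced endpoint."""
    n_floors, = struct.unpack_from("<H", tower, 0)
    pos, found = 2, {}
    for _ in range(n_floors):
        lhs_len, = struct.unpack_from("<H", tower, pos)
        lhs = tower[pos + 2:pos + 2 + lhs_len]
        pos += 2 + lhs_len
        rhs_len, = struct.unpack_from("<H", tower, pos)
        rhs = tower[pos + 2:pos + 2 + rhs_len]
        pos += 2 + rhs_len
        if lhs[0] == PROTO_TCP:
            found["port"], = struct.unpack(">H", rhs)
        elif lhs[0] == PROTO_IP:
            found["ip"] = ".".join(str(b) for b in rhs)
    return found

def learn_pinholes(towers) -> set:
    """The ALG's map table: (server ip, dynamic port) pairs worth a pinhole."""
    return {(t["ip"], t["port"]) for t in map(parse_tower, towers) if "port" in t}

# Constructed sample: the thread's server announcing one of the dropped ports.
SAMPLE_IFACE = uuid.UUID("00000000-0000-0000-0000-000000000001")  # placeholder
SAMPLE_TOWER = build_tower(SAMPLE_IFACE, "192.168.30.58", 1385)
```

Without an ALG that understands this exchange, the only alternative is a static permit for the whole dynamic range, which is what the original poster is trying to avoid.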
Visitor
Ante
Posts: 6
Registered: 08-17-2009

Re: Application using DCOM

Hi,

Am I doing something wrong when I'm configuring my FW? I have a policy/rule where the MS-RPC-EPM service is (and the MS-RPC-ANY; could this be causing any problems?).

The services above are placed in both the client-to-server policy and in the server-to-client policy. Wrong?

I also have the MSRPC ALG enabled. Is there something more I should be doing?

The ports that were dropped during my latest three tests were tcp1385, tcp1369 and tcp1420.

Thanks.

Trusted Contributor
Nemanja
Posts: 23
Registered: 03-17-2009

Re: Application using DCOM

Hi Ante,

You only need service MS-RPC-ANY in the policy.

Are you using NAT?

Please collect the following debugs:

- prepare for debugs

undebug all
set db size 4096
set ff src-ip a.b.c.d dst-ip e.f.g.h  - replace a.b.c.d and e.f.g.h with the addresses of client and server
set ff src-ip e.f.g.h dst-ip a.b.c.d
clear db

- start debugs

debug rpc all
debug flow basic

- do the test that fails

- stop the debugs

undebug all

- collect the output of the command

get service map-ms-rpc

- collect the data

get db s

- attach the requested data to the forum

Thanks,

Nemanja

Trusted Contributor
Nemanja
Posts: 23
Registered: 03-17-2009

Re: Application using DCOM

One more thing. Before starting the debugs, make sure that the flow filter does not contain other filters except the ones that you have defined.

"get ff" shows the filters.

Thanks,

Nemanja

Visitor
Ante
Posts: 6
Registered: 08-17-2009

Re: Application using DCOM

Hi Nemanja,

No, there is no NAT.

I have run a debug on my FW device and gotten quite a large db with info. I think that it will be easier if I attach some txt files instead of pasting it all into the forum.

The first file contains info on both "get service map-ms-rpc" and "get db s", and the second file contains db info.

If there is something missing I will get it.

Thanks

Ante

Trusted Contributor
Nemanja
Posts: 23
Registered: 03-17-2009

Re: Application using DCOM

Hi Ante,

Is 172.25.120.100 the client and 192.168.30.58 the server?

From the debugs this traffic is allowed by policy id 6.

Can you return the output of "get policy id 6"?

I can not see any drops in the debug.

Is the attached debug complete?

Thanks,

Nemanja

Visitor
Ante
Posts: 6
Registered: 08-17-2009

Re: Application using DCOM

Hi,

Yes, 172.25.120.100 is one of the clients and 192.168.30.58 is the server.

The debug is not complete, but I attached a complete debug in this reply.

To clarify my problem, I don't get any drops in this rule, but I get blocked tcp-ports in the bottom policy that blocks all other traffic from the server net to my client net.

Output from policy id 6:

Proxy24-> get policy id 6
name:"none" (id 6), zone Trust -> Untrust,action Permit, status "enabled"
1 source: "172.25.120.0"
1 destination: "192.168.30.0 (SPN)"
6 services: "Microsoft-DS", "MS-RPC-ANY", "MS-SQL", "PING", "RDP", "SPN_BASELINE"
Rules on this VPN policy: 0
nat off, Web filtering : disabled
vpn unknown vpn, policy flag 00011c00, session backup: on, idle reset: on
traffic shaping off, scheduler n/a, serv flag 00
log init close, log count 190356, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 375250892, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/0 policing (no)
No Authentication
No User, User Group or Group expression set
sun/ms rpc service configured

Thanks

Ante

Visitor
Ante
Posts: 6
Registered: 08-17-2009

Re: Application using DCOM

Policy id 7 is the one that permits traffic from the server net to the client net:

Proxy24-> get policy id 7
name:"none" (id 7), zone Untrust -> Trust,action Permit, status "enabled"
1 source: "192.168.30.0 (SPN)"
1 destination: "172.25.120.0"
2 services: "MS-RPC-ANY", "SPN_BASELINE"
Rules on this VPN policy: 0
nat off, Web filtering : disabled
vpn unknown vpn, policy flag 00011c00, session backup: on, idle reset: on
traffic shaping off, scheduler n/a, serv flag 00
log init close, log count 332, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 303084, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/0 policing (no)
No Authentication
No User, User Group or Group expression set
sun/ms rpc service configured


The custom service "SPN_Baseline" is just permitting SIP and regular http traffic.
