RPC ALG
The Remote Procedure Call (RPC) ALG uses well-known ports TCP 111 and UDP 111 for port mapping, which dynamically assigns and opens ports for RPC services. The RPC Portmap ALG keeps track of port requests and dynamically opens the firewall for these requested ports. The RPC ALG can further restrict the RPC protocol by specifying the allowed program numbers.
Understanding RPC ALGs
Junos OS supports basic Remote Procedure Call Application Layer Gateway (RPC ALG) services. RPC is a protocol that allows an application running in one address space to access the resources of applications running in another address space as if the resources were local to the first address space. The RPC ALG is responsible for RPC packet processing.
The RPC ALG in Junos OS supports the following services and features:
Sun Microsystems RPC Open Network Computing (ONC)
Microsoft RPC Distributed Computing Environment (DCE)
Dynamic port negotiation
Ability to allow and deny specific RPC services
Static Network Address Translation (NAT) and source NAT (with no port translation)
RPC applications in security policies
Use the RPC ALG if you need to run RPC-based applications such as NFS or Microsoft Outlook. The RPC ALG functionality is enabled by default.
Understanding Sun RPC ALGs
Sun Microsystems Remote Procedure Call (Sun RPC)—also known as Open Network Computing Remote Procedure Call (ONC RPC)—provides a way for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service's program number and version number. Several binding protocols are defined for mapping the RPC program number and version number to a transport address.
Junos OS supports the Sun RPC as a predefined service and allows and denies traffic based on a security policy you configure. The Application Layer Gateway (ALG) provides the functionality for Juniper Networks devices to handle the dynamic transport address negotiation mechanism of the Sun RPC and to ensure program number-based security policy enforcement. You can define a security policy to permit or deny all RPC requests, or to permit or deny by specific program number. The ALG also supports route mode and Network Address Translation (NAT) mode for incoming and outgoing requests.
When an application or a PC client calls a remote service, it needs to find the transport address of the service. In the case of TCP/UDP, the address is a port number. A typical procedure for this case is as follows:
The client sends the GETPORT message to the RPCBIND service on the remote machine. The GETPORT message contains the program number, version number, and procedure number of the remote service it is attempting to call.
The RPCBIND service replies with a port number.
The client calls the remote service using the port number returned.
The remote service replies to the client.
A client also can use the CALLIT message to call the remote service directly, without determining the port number of the service. In this case, the procedure is as follows:
The client sends a CALLIT message to the RPCBIND service on the remote machine. The CALLIT message contains the program number, version number, and procedure number of the remote service it is attempting to call.
RPCBIND calls the service for the client.
RPCBIND replies to the client if the call has been successful. The reply contains the call result and the service's port number.
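As an added illustration (not code from the Juniper documentation), the following Python builds the GETPORT message from step 1 of the first procedure, parses a constructed RPCBIND reply, and shows the decision an RPC ALG derives from that exchange. The allow list of program numbers, the pinhole tuple and the demo values are assumptions of the example.

```python
import struct

# ONC RPC / portmapper constants (RFC 5531, RFC 1833)
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
IPPROTO_TCP, IPPROTO_UDP = 6, 17
MSG_CALL, MSG_REPLY, RPC_VERSION, AUTH_NONE = 0, 1, 2, 0

# Assumed policy: program numbers the security policy permits
# (portmap, NFS and mount, in the spirit of a junos-sun-rpc-nfs style policy).
ALLOWED_PROGRAMS = {100000, 100003, 100005}


def build_getport_call(xid, prog, vers, proto):
    """Encode the PMAPPROC_GETPORT call a client sends to port 111 (XDR, big-endian)."""
    header = struct.pack(">6I", xid, MSG_CALL, RPC_VERSION, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = struct.pack(">4I", AUTH_NONE, 0, AUTH_NONE, 0)  # credential + verifier, both empty
    args = struct.pack(">4I", prog, vers, proto, 0)        # mapping: prog, vers, prot, port (ignored)
    return header + auth + args


def parse_getport_call(data):
    """Pull the requested program/version/protocol out of a GETPORT call."""
    if len(data) < 56:
        raise ValueError("truncated RPC call")
    f = struct.unpack(">14I", data[:56])
    xid, mtype, rpcvers, prog, vers, proc = f[:6]
    if (mtype, rpcvers, prog, proc) != (MSG_CALL, RPC_VERSION, PMAP_PROG, PMAPPROC_GETPORT):
        raise ValueError("not a portmap GETPORT call")
    return {"xid": xid, "prog": f[10], "vers": f[11], "proto": f[12]}


def parse_getport_reply(data):
    """Pull the port number out of an accepted GETPORT reply (assumes an empty verifier)."""
    if len(data) < 28:
        raise ValueError("truncated RPC reply")
    xid, mtype, reply_stat, _vflavor, _vlen, accept_stat, port = struct.unpack(">7I", data[:28])
    if mtype != MSG_REPLY or reply_stat != 0 or accept_stat != 0:
        raise ValueError("portmap request was rejected")
    return {"xid": xid, "port": port}


def alg_pinhole(call, reply, allowed=ALLOWED_PROGRAMS):
    """What an ALG learns from the pair: the (prog, vers, proto, port) to open, or None."""
    if call["xid"] != reply["xid"]:
        raise ValueError("reply xid does not match the call")
    if call["prog"] not in allowed or reply["port"] == 0:  # port 0 = service not registered
        return None
    return (call["prog"], call["vers"], call["proto"], reply["port"])


def demo():
    """Constructed exchange (no live traffic): NFS v3/TCP lookup answered with port 2049."""
    call_bytes = build_getport_call(0x1234, 100003, 3, IPPROTO_TCP)
    reply_bytes = struct.pack(">7I", 0x1234, MSG_REPLY, 0, AUTH_NONE, 0, 0, 2049)
    return alg_pinhole(parse_getport_call(call_bytes), parse_getport_reply(reply_bytes))
```

A program number outside the allow list, or a reply carrying port 0, yields no pinhole, which is the program-number-based enforcement the text describes.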
The Sun RPC ALG dynamically allocates new mapping entries instead of using a default size (512 entries). It also offers a flexible time-based RPC mapping entry that removes the mapping entry (auto-clean) without affecting the associated active RPC sessions, including both control session and data session.
Starting in Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1, you can define the Sun RPC mapping entry ageout value. Use the set security alg sunrpc map-entry-timeout value command. The ageout value ranges from 1 hour to 72 hours, and the default value is 32 hours. If the Sun RPC ALG service does not trigger a control negotiation within 72 hours (the maximum), the mapping entry times out and a new data connection to the service fails.
Enabling Sun RPC ALGs
The Sun RPC ALG is enabled by default and requires no configuration.
Enabling Sun RPC ALGs (CLI Procedure)
To disable the Sun RPC ALG, enter the following command:
user@host# set security alg sunrpc disable
To re-enable the Sun RPC ALG, enter the following command:
user@host# delete security alg sunrpc
Customizing Sun RPC Applications (CLI Procedure)
All Sun RPC applications can be customized by using a predefined application set.
For example, an application can be customized to open the control session only and not allow any data sessions:
    application-set junos-sun-rpc {
        application junos-sun-rpc-tcp;
        application junos-sun-rpc-udp;
    }
In the following example, the predefined application set allows data sessions only. It will not work without the control session:
    application-set junos-sun-rpc-portmap {
        application junos-sun-rpc-portmap-tcp;
        application junos-sun-rpc-portmap-udp;
    }
To customize all Sun RPC applications with predefined application sets, use both application sets in the policy:
    application-set [junos-sun-rpc junos-sun-rpc-portmap]
MS RPC applications are customized in the same way as Sun RPC applications.
Understanding Sun RPC Services
Sun RPC, also known as Open Network Computing Remote Procedure Call (ONC RPC), provides a way for a program running on one host to call procedures in a program running on another host. Sun RPC services are defined by a program identifier. The program identifier is independent of any transport address, and most Sun RPC sessions are initiated through TCP or UDP port 111. Each host links the required RPC service to a dynamic TCP or UDP port that is negotiated over the port 111 control channel, so the client only needs to connect to TCP or UDP port 111 to start.
Predefined Sun Microsystems remote procedure call (Sun RPC) services include:
junos-sun-rpc-tcp
junos-sun-rpc-udp
The Sun RPC ALG can be applied by using the following methods:
- ALG default application—Use one of the following predefined applications for control and data connections in your policy:
junos-sun-rpc-any-tcp
junos-sun-rpc-any-udp
junos-sun-rpc-mountd-tcp
junos-sun-rpc-mountd-udp
junos-sun-rpc-nfs-tcp
junos-sun-rpc-nfs-udp
junos-sun-rpc-nlockmgr-tcp
junos-sun-rpc-nlockmgr-udp
junos-sun-rpc-portmap-tcp
junos-sun-rpc-portmap-udp
junos-sun-rpc-rquotad-tcp
junos-sun-rpc-rquotad-udp
junos-sun-rpc-ruserd-tcp
junos-sun-rpc-ruserd-udp
junos-sun-rpc-sadmind-tcp
junos-sun-rpc-sadmind-udp
junos-sun-rpc-sprayd-tcp
junos-sun-rpc-sprayd-udp
junos-sun-rpc-status-tcp
junos-sun-rpc-status-udp
junos-sun-rpc-walld-tcp
junos-sun-rpc-walld-udp
junos-sun-rpc-ypbind-tcp
junos-sun-rpc-ypbind-udp
junos-sun-rpc-ypserv-tcp
junos-sun-rpc-ypserv-udp
- Default control application—Use the predefined control application junos-sun-rpc. Create an application for data (USER_DEFINED_DATA). You can make a set of your own data applications (for example, my_rpc_application_set) and use it in the policy.
- ALG default application set—Use the predefined application set for control and a customized data application in the policy:
junos-sun-rpc (for control sessions)
junos-sun-rpc-any
junos-sun-rpc-mountd
junos-sun-rpc-nfs
junos-sun-rpc-nfs-access
junos-sun-rpc-nlockmgr
junos-sun-rpc-portmap (for data sessions)
junos-sun-rpc-rquotad
junos-sun-rpc-ruserd
junos-sun-rpc-sadmind
junos-sun-rpc-sprayd
junos-sun-rpc-status
junos-sun-rpc-walld
junos-sun-rpc-ypbind
junos-sun-rpc-ypserv
- Custom control and custom data application—Use a customized application: create an application for control (USER_DEFINED_CONTROL) and one for data (USER_DEFINED_DATA). In the policy, use the user-defined applications for control and customized data:
USER_DEFINED_CONTROL
USER_DEFINED_DATA
Table 1 lists predefined Sun RPC services, a program identifier associated with each service, and a description of each service.
Service | Program ID | Description
---|---|---
PORTMAP | 100000 | Sun RPC Portmapper protocol is a TCP or UDP port-based service that includes TCP or UDP port 111.
NFS | 100003 | Sun RPC Network File System.
MOUNT | 100005 | Sun RPC mount process.
YPBIND | 100007 | Sun RPC Yellow Page Bind service.
STATUS | 100024 | Sun RPC status.
Understanding Microsoft RPC ALGs
Microsoft Remote Procedure Call (MS-RPC) is the Microsoft implementation of the Distributed Computing Environment (DCE) RPC. Like the Sun RPC, MS-RPC provides a way for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service program's universal unique identifier (UUID). The specific UUID is mapped to a transport address.
Devices running Junos OS support MS-RPC as a predefined service and allow or deny traffic based on a policy you configure. The Application Layer Gateway (ALG) provides the functionality for Juniper Networks devices to handle the dynamic transport address negotiation mechanism of MS-RPC and to ensure UUID-based security policy enforcement. You can define a security policy to permit or deny all RPC requests, or to permit or deny by specific UUID. The ALG also supports route mode and Network Address Translation (NAT) mode for incoming and outgoing requests.
When both the MS-RPC client and MS-RPC server are 64-bit capable (such as MS Exchange 2008), they negotiate to use the NDR64 transfer syntax during network communication. When NDR64 is used, the interface parameters are encoded according to NDR64 syntax, because the NDR64 packet format differs from the NDR20 (32-bit) packet format.
In MS-RPC, there is a remote activation interface of the DCOM Remote Protocol called ISystemActivator (also known as IRemoteSCMActivator). It is used by the Windows Management Instrumentation Command-line (WMIC), Internet Information Services (IIS), and many other applications that are used extensively.
The MS-RPC ALG dynamically allocates new mapping entries instead of using a default size (512 entries). It also offers a flexible time-based RPC mapping entry that removes the mapping entry (auto-clean) without affecting the associated active RPC sessions, including both control session and data session.
Starting in Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1, you can define the MS-RPC mapping entry ageout value. Use the set security alg msrpc map-entry-timeout value command. The ageout value ranges from 1 hour to 72 hours, and the default value is 32 hours. If the MS-RPC ALG service does not trigger a control negotiation within 72 hours (the maximum), the mapping entry times out and a new data connection to the service fails.
Enabling Microsoft RPC ALGs
The MS-RPC ALG is enabled by default and requires no configuration.
Enabling Microsoft RPC ALGs (CLI Procedure)
To disable the Microsoft RPC ALG, enter the following command:
user@host# set security alg msrpc disable
To re-enable the Microsoft RPC ALG, enter the following command:
user@host# delete security alg msrpc
Configuring the Microsoft RPC ALG
You can configure the Microsoft RPC ALG using the following three methods:
- Configuring the MS-RPC ALG with a Predefined Microsoft Application
- Configuring the MS-RPC ALG with a Wildcard UUID
- Configuring the MS-RPC ALG with a Specific UUID
Configuring the MS-RPC ALG with a Predefined Microsoft Application
There are several predefined MS applications. To view the predefined Microsoft applications from the CLI, enter the show configuration groups junos-defaults command.
    user@host> show security policies
    from-zone trust to-zone untrust {
        policy p1 {
            match {
                source-address any;
                destination-address any;
                application junos-ms-rpc-msexchange;
            }
            then {
                permit;
            }
        }
    }
After you commit the configuration, from the CLI, enter the show security alg msrpc object-id-map command to view the output.
    user@host> show security alg msrpc object-id-map
    UUID                                  OID
    1544f5e0-613c-11d1-93df-00c04fd7bd09  0x80000001
    a4f1db00-ca47-1067-b31f-00dd010662da  0x80000002
    f5cc5a18-4264-101a-8c59-08002b2f8426  0x80000003
The output shows the UUIDs that the policy has applied.
Configuring the MS-RPC ALG with a Wildcard UUID
To permit any MS-RPC application, add the application junos-ms-rpc-any statement to the permit policy.
    user@host> show security policies
    from-zone trust to-zone untrust {
        policy p1 {
            match {
                source-address any;
                destination-address any;
                application junos-ms-rpc-any;
            }
            then {
                permit;
            }
        }
    }
After you commit the configuration, from the CLI, enter the show security alg msrpc object-id-map command to view the output.
    user@host> show security alg msrpc object-id-map
    UUID                                  OID
    ffffffff-ffff-ffff-ffff-ffffffffffff  0x80000004
Configuring the MS-RPC ALG with a Specific UUID
For applications that have not been predefined, you need to manually configure a specific UUID. For example, to permit a NETLOGON application that has not been predefined, you add the application msrpc-netlogon statement to the permit policy.
In Junos OS Release 15.1X49-D90 and earlier, on all SRX Series Firewalls, the custom application universal unique identifier (UUID) of Microsoft remote procedure call (MS-RPC) with leading zeros and the nil UUID (00000000-0000-0000-0000-000000000000) might match all TCP traffic and referenced policies allowing all TCP traffic instead of entering MS-RPC ALG check.
Starting with Junos OS Release 15.1X49-D100 and Junos OS Release 17.3R1, the custom application UUID with leading zeros does not match all TCP traffic and referenced policies, which will enter MS-RPC ALG check. This new application does not allow the nil UUID.
    user@host> show applications
    application msrpc-netlogon {
        term t1 protocol tcp uuid 12345678-1234-abcd-ef00-01234567cffb;
        term t2 protocol udp uuid 12345678-1234-abcd-ef00-01234567cffb;
        term t3 protocol tcp uuid 12345778-1234-abcd-ef00-0123456789ab;
    }
    user@host> show security policies
    from-zone trust to-zone untrust {
        policy p1 {
            match {
                source-address any;
                destination-address any;
                application msrpc-netlogon;
            }
            then {
                permit;
            }
        }
    }
After you commit the configuration, from the CLI, enter the show security alg msrpc object-id-map command to verify the Microsoft universal unique identifier to Object ID (UUID-to-OID) mapping table. The Microsoft RPC ALG monitors packets on TCP port 135.
    user@host> show security alg msrpc object-id-map
    UUID                                  OID
    12345778-1234-abcd-ef00-0123456789ab  0x80000006
    12345678-1234-abcd-ef00-01234567cffb  0x80000005
    be617c0-31a5-11cf-a7d8-00805f48a135   0x80000020
    e3514235-4b06-11d1-ab04-00c04fc2dcd2  0x80000002
    67df7c70-0f04-11ce-b13f-00aa003bac6c  0x80000014
The show security alg msrpc object-id-map CLI command has a chassis cluster node option that restricts the output to a particular node or queries the entire cluster. The options for the show security alg msrpc object-id-map node CLI command are <node-id | all | local | primary>.
Understanding Microsoft RPC Services
MS-RPC is the Microsoft implementation of the Distributed Computing Environment (DCE) RPC. Like the Sun RPC, the MS-RPC provides a way for a program running on one host to call procedures in a program running on another host. The MS-RPC is dynamically negotiated based on the service program's universal unique identifier (UUID). The specific UUID is mapped to a transport address.
Predefined Microsoft remote procedure call (MS-RPC) services include:
junos-ms-rpc-epm
junos-ms-rpc-tcp
junos-ms-rpc-udp
MS-RPC application defaults include:
junos-ms-rpc-iis-com-1
junos-ms-rpc-iis-com-adminbase
junos-ms-rpc-msexchange-directory-nsp
junos-ms-rpc-msexchange-directory-rfr
junos-ms-rpc-msexchange-info-store
junos-ms-rpc-uuid-any-tcp
junos-ms-rpc-uuid-any-udp
junos-ms-rpc-wmic-admin
junos-ms-rpc-wmic-admin2
junos-ms-rpc-wmic-mgmt
junos-ms-rpc-wmic-webm-callresult
junos-ms-rpc-wmic-webm-classobject
junos-ms-rpc-wmic-webm-level1login
junos-ms-rpc-wmic-webm-login-clientid
junos-ms-rpc-wmic-webm-login-helper
junos-ms-rpc-wmic-webm-objectsink
junos-ms-rpc-wmic-webm-refreshing-services
junos-ms-rpc-wmic-webm-remote-refresher
junos-ms-rpc-wmic-webm-services
junos-ms-rpc-wmic-webm-shutdown
MS-RPC application-set defaults include:
junos-ms-rpc
junos-ms-rpc-any
junos-ms-rpc-iis-com
junos-ms-rpc-msexchange
junos-ms-rpc-wmic
Table 2 lists predefined MS-RPC services, UUID values associated with each service, and a description of each service.
Service | UUID | Description
---|---|---
EPM | e1af8308-5d1f-11c9-91a4-08002b14a0fa | MS-RPC Endpoint Mapper (EPM) protocol is a TCP/UDP port-based service that includes TCP/UDP port 135.
EXCHANGE-DATABASE | 1a190310-bb9c-11cd-90f8-00aa00466520 | Microsoft Exchange Database service.
EXCHANGE-DIRECTORY | f5cc5a18-4264-101a-8c59-08002b2f8426, f5cc5a7c-4264-101a-8c59-08002b2f8426, f5cc59b4-4264-101a-8c59-08002b2f8426 | Microsoft Exchange Directory service.
WIN-DNS | 50abc2a4-574d-40b3-9d66-ee4fd5fba076 | Microsoft Windows DNS server.
WINS | 5f52c28-7f9f-101a-b52b-08002b2efabe, 811109bf-a4e1-11d1-ab54-00a0c91e9b45 | Microsoft WINS service.
WMIC-Webm-Level1Login | f309ad18-d86a-11d0-a075-00c04fb68820 | This service allows users to connect to the management services interface in a particular namespace.
Customizing Microsoft RPC Applications (CLI Procedure)
MS-RPC applications are customized in the same way as Sun RPC applications.
MS-RPC services in security policies are:
0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde
1453c42c-0fa6-11d2-a910-00c04f990f3b
10f24e8e-0fa6-11d2-a910-00c04f990f3b
1544f5e0-613c-11d1-93df-00c04fd7bd09
The corresponding TCP/UDP ports are dynamic. To permit them, use the following statement for each UUID:
set applications application-name term term-name uuid hex-number
The ALG maps these four UUIDs to their dynamically negotiated TCP/UDP ports and permits or denies the service based on the policy you configure.
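As an added example (not code from the Juniper documentation), the following Python shows the UUID handling behind the statement above and behind the note in the specific-UUID section: a custom term's UUID is validated as text so leading zeros survive, the nil UUID is refused, and a bind's on-the-wire interface UUID is decoded and compared exactly. The application name msrpc-custom, the helper names and the constructed bind bytes are assumptions of the example.

```python
import uuid

NIL_UUID = uuid.UUID(int=0)


def parse_term_uuid(text):
    """Validate the uuid value of a custom MS-RPC application term.
    The canonical text form keeps its leading zeros; the nil UUID is refused outright."""
    try:
        u = uuid.UUID(text)
    except ValueError:
        raise ValueError(f"malformed UUID: {text!r}") from None
    if u == NIL_UUID:
        raise ValueError("nil UUID is not allowed in an MS-RPC application term")
    return u


def uuid_from_bind(raw16, little_endian=True):
    """Decode the 16-byte interface UUID from a DCE/RPC bind PDU's abstract syntax.
    With little-endian data representation the first three fields are byte-swapped on
    the wire; uuid.UUID(bytes_le=...) undoes that, otherwise the bytes are taken as-is."""
    return uuid.UUID(bytes_le=raw16) if little_endian else uuid.UUID(bytes=raw16)


def term_matches(term_text, raw16, little_endian=True):
    """Exact comparison of one term UUID against the UUID seen in one bind."""
    return parse_term_uuid(term_text) == uuid_from_bind(raw16, little_endian)


def set_command(app, term, proto, term_text):
    """Render the configuration statement from the page for one validated term."""
    return (f"set applications application {app} term {term} "
            f"protocol {proto} uuid {parse_term_uuid(term_text)}")


def demo():
    """Constructed bind (no live traffic) to the first UUID listed above
    (0e4a0156-...), sent with little-endian data representation."""
    wire = uuid.UUID("0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde").bytes_le  # constructed sample
    return {
        "hits_own_term": term_matches("0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde", wire),
        "hits_other_term": term_matches("1544f5e0-613c-11d1-93df-00c04fd7bd09", wire),
        "cmd": set_command("msrpc-custom", "t1", "tcp", "0E4A0156-DD5D-11D2-8C2F-00C04FB6BCDE"),
    }
```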