
RPC ALG

The Remote Procedure Call (RPC) ALG uses well-known ports TCP 111 and UDP 111 for port mapping, which dynamically assigns and opens ports for RPC services. The RPC Portmap ALG keeps track of port requests and dynamically opens the firewall for these requested ports. The RPC ALG can further restrict the RPC protocol by specifying the allowed program numbers.

Understanding RPC ALGs

Junos OS supports basic Remote Procedure Call Application Layer Gateway (RPC ALG) services. RPC is a protocol that allows an application running in one address space to access the resources of applications running in another address space as if the resources were local to the first address space. The RPC ALG is responsible for RPC packet processing.

The RPC ALG in Junos OS supports the following services and features:

  • Sun Microsystems RPC Open Network Computing (ONC)

  • Microsoft RPC Distributed Computing Environment (DCE)

  • Dynamic port negotiation

  • Ability to allow and deny specific RPC services

  • Static Network Address Translation (NAT) and source NAT (with no port translation)

  • RPC applications in security policies

Use the RPC ALG if you need to run RPC-based applications such as NFS or Microsoft Outlook. The RPC ALG functionality is enabled by default.

Understanding Sun RPC ALGs

Sun Microsystems Remote Procedure Call (Sun RPC)—also known as Open Network Computing Remote Procedure Call (ONC RPC)—provides a way for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service's program number and version number. Several binding protocols are defined for mapping the RPC program number and version number to a transport address.

Junos OS supports the Sun RPC as a predefined service and allows and denies traffic based on a security policy you configure. The Application Layer Gateway (ALG) provides the functionality for Juniper Networks devices to handle the dynamic transport address negotiation mechanism of the Sun RPC and to ensure program number-based security policy enforcement. You can define a security policy to permit or deny all RPC requests, or to permit or deny by specific program number. The ALG also supports route mode and Network Address Translation (NAT) mode for incoming and outgoing requests.

When an application or a PC client calls a remote service, it needs to find the transport address of the service. In the case of TCP/UDP, the address is a port number. A typical procedure for this case is as follows:

  1. The client sends a GETPORT message to the RPCBIND service on the remote machine. The GETPORT message contains the program number, version number, and transport protocol (TCP or UDP) of the remote service it is attempting to call.

  2. The RPCBIND service replies with the port number (0 if no service with that program number and version is registered).

  3. The client calls the remote service using the port number returned.

  4. The remote service replies to the client.

A client also can use the CALLIT message to call the remote service directly, without determining the port number of the service. In this case, the procedure is as follows:

  1. The client sends a CALLIT message to the RPCBIND service on the remote machine. The CALLIT message contains the program number, version number, and procedure number of the remote service it is attempting to call, plus the opaque arguments for that procedure.

  2. RPCBIND calls the service for the client.

  3. RPCBIND replies to the client only if the call has been successful. The reply contains the service's port number and the call result.
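As an added example (not part of the Junos documentation and not Juniper code), the following Python encodes the GETPORT and CALLIT messages described in the two procedures above and shows what an ALG extracts from them: the target program number for program-number-based policy enforcement, and, from the GETPORT reply, the transport and port of the data session it must open. The RPCv2 message layout follows RFC 5531 and the portmapper v2 procedures follow RFC 1833; the reply bytes are constructed inline, and the function and constant names are this example's own, not the ALG's.

```python
import struct

# RPCv2 message constants (RFC 5531) and portmapper/RPCBIND v2 constants (RFC 1833)
MSG_CALL, MSG_REPLY = 0, 1
MSG_ACCEPTED, SUCCESS, AUTH_NULL = 0, 0, 0
PMAP_PROG, PMAP_VERS = 100000, 2
PMAPPROC_GETPORT, PMAPPROC_CALLIT = 3, 5
IPPROTO_TCP, IPPROTO_UDP = 6, 17
NFS_PROG, MOUNT_PROG = 100003, 100005          # program IDs as listed in Table 1


def _pad4(b):
    return b + b"\0" * (-len(b) % 4)           # XDR pads opaque data to 4 bytes


def build_call(xid, prog, vers, proc, args=b""):
    """XDR-encode an RPCv2 CALL with AUTH_NULL credential and verifier."""
    hdr = struct.pack(">IIIIII", xid, MSG_CALL, 2, prog, vers, proc)
    auth = struct.pack(">II", AUTH_NULL, 0) * 2  # cred + verf, both empty
    return hdr + auth + args


def build_getport_call(xid, prog, vers, proto):
    """GETPORT step 1: mapping{prog, vers, prot, port}; port is ignored by the server."""
    args = struct.pack(">IIII", prog, vers, proto, 0)
    return build_call(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT, args)


def build_callit_call(xid, prog, vers, proc, args=b""):
    """CALLIT step 1: call_args{prog, vers, proc, opaque args}."""
    body = struct.pack(">IIII", prog, vers, proc, len(args)) + _pad4(args)
    return build_call(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_CALLIT, body)


def parse_call(data):
    """Decode a CALL header, skip the two auth blocks, return fields plus raw args."""
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack(">IIIIII", data[:24])
    if msg_type != MSG_CALL or rpcvers != 2:
        raise ValueError("not an RPCv2 CALL message")
    off = 24
    for _ in range(2):                           # cred, then verf: flavor, length, body
        _flavor, length = struct.unpack(">II", data[off:off + 8])
        off += 8 + ((length + 3) & ~3)
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc, "args": data[off:]}


def target_program(call):
    """Program the client actually wants: for GETPORT/CALLIT sent to the portmapper it
    is the first field of the args; for a direct call it is the header's prog."""
    if call["prog"] == PMAP_PROG and call["proc"] in (PMAPPROC_GETPORT, PMAPPROC_CALLIT):
        return struct.unpack(">I", call["args"][:4])[0]
    return call["prog"]


def policy_decision(call_bytes, allowed_programs):
    """Program-number policy as an ALG would apply it on the port 111 control channel."""
    return "permit" if target_program(parse_call(call_bytes)) in allowed_programs else "deny"


def build_reply(xid, results):
    """Constructed accepted REPLY: MSG_ACCEPTED, AUTH_NULL verifier, SUCCESS, results."""
    return struct.pack(">IIIIII", xid, MSG_REPLY, MSG_ACCEPTED, AUTH_NULL, 0, SUCCESS) + results


def parse_reply(data, expected_xid):
    """Validate a REPLY against the xid of the CALL it answers; return the result bytes."""
    xid, msg_type, reply_stat, _vflavor, vlen = struct.unpack(">IIIII", data[:20])
    if xid != expected_xid or msg_type != MSG_REPLY or reply_stat != MSG_ACCEPTED:
        raise ValueError("xid mismatch or call not accepted")
    off = 20 + ((vlen + 3) & ~3)
    (accept_stat,) = struct.unpack(">I", data[off:off + 4])
    if accept_stat != SUCCESS:
        raise ValueError("accept_stat %d" % accept_stat)
    return data[off + 4:]


def pinhole_for(call_bytes, reply_bytes):
    """What the ALG learns from a GETPORT exchange (steps 1-2): the (proto, port, prog)
    of the data session it must now allow. A returned port of 0 means not registered."""
    call = parse_call(call_bytes)
    if call["prog"] != PMAP_PROG or call["proc"] != PMAPPROC_GETPORT:
        raise ValueError("not a GETPORT call")
    prog, vers, proto, _port = struct.unpack(">IIII", call["args"][:16])
    (port,) = struct.unpack(">I", parse_reply(reply_bytes, call["xid"])[:4])
    if port == 0:
        raise ValueError("program %d version %d not registered" % (prog, vers))
    return proto, port, prog


if __name__ == "__main__":
    getport = build_getport_call(0x1234, NFS_PROG, 3, IPPROTO_TCP)
    print(policy_decision(getport, {NFS_PROG}))                                    # permit
    print(policy_decision(build_callit_call(7, MOUNT_PROG, 3, 0), {NFS_PROG}))     # deny
    print(pinhole_for(getport, build_reply(0x1234, (2049).to_bytes(4, "big"))))    # (6, 2049, 100003)
```

Two points the exchange makes concrete: the policy decision for a portmapper request has to look past the header (which always says program 100000) into the arguments, which is why a policy can deny NFS while still letting clients talk to RPCBIND; and the pinhole is only opened after a reply whose xid matches an observed request, so a bare reply arriving from outside does not create a session.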

The Sun RPC ALG allocates mapping entries dynamically rather than using a fixed table of 512 entries. It also ages mapping entries out on a timer (auto-clean) without affecting the active RPC sessions, control or data, that were created from them.

Starting in Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1, you can define the Sun RPC mapping entry ageout value with the set security alg sunrpc map-entry-timeout value command. The ageout value ranges from 1 hour to 72 hours, and the default is 32 hours. If no new control negotiation for a service takes place before its mapping entry ages out (at most 72 hours), the entry is removed and a new data connection to that service fails until the client negotiates the port again through RPCBIND.

Enabling Sun RPC ALGs

The Sun RPC ALG is enabled by default and requires no configuration.

Enabling Sun RPC ALGs (CLI Procedure)

To disable the Sun RPC ALG, use the set security alg sunrpc disable configuration statement and commit.

To re-enable the Sun RPC ALG, use the delete security alg sunrpc disable configuration statement and commit.

Customizing Sun RPC Applications (CLI Procedure)

All Sun RPC applications can be customized by using a predefined application set.

For example, an application can be customized to open the control session only and not allow any data sessions:

In the following example, the predefined application set allows data sessions only. It will not work without the control session:

To customize all Sun RPC applications with predefined application sets, use both application sets in the policy:

Note:

MS RPC applications are customized in the same way as Sun RPC applications.

Understanding Sun RPC Services

Sun RPC, also known as Open Network Computing Remote Procedure Call (ONC RPC), provides a way for a program running on one host to call procedures in a program running on another host. Sun RPC services are identified by a program number, which is independent of any transport address. Each host binds its RPC services to dynamically chosen TCP or UDP ports; a client learns the port by querying the portmapper on port 111, over either TCP or UDP, so most Sun RPC sessions begin with a connection to TCP or UDP port 111 (the control channel).

Predefined Sun Microsystems remote procedure call (Sun RPC) services include:

  • junos-sun-rpc-tcp

  • junos-sun-rpc-udp

The Sun RPC ALG can be applied by using the following methods:

  • ALG default application—Use one of the following predefined applications for control and data connections in your policy:

    • junos-sun-rpc-any-tcp

    • junos-sun-rpc-any-udp

    • junos-sun-rpc-mountd-tcp

    • junos-sun-rpc-mountd-udp

    • junos-sun-rpc-nfs-tcp

    • junos-sun-rpc-nfs-udp

    • junos-sun-rpc-nlockmgr-tcp

    • junos-sun-rpc-nlockmgr-udp

    • junos-sun-rpc-portmap-tcp

    • junos-sun-rpc-portmap-udp

    • junos-sun-rpc-rquotad-tcp

    • junos-sun-rpc-rquotad-udp

    • junos-sun-rpc-ruserd-tcp

    • junos-sun-rpc-ruserd-udp

    • junos-sun-rpc-sadmind-tcp

    • junos-sun-rpc-sadmind-udp

    • junos-sun-rpc-sprayd-tcp

    • junos-sun-rpc-sprayd-udp

    • junos-sun-rpc-status-tcp

    • junos-sun-rpc-status-udp

    • junos-sun-rpc-walld-tcp

    • junos-sun-rpc-walld-udp

    • junos-sun-rpc-ypbind-tcp

    • junos-sun-rpc-ypbind-udp

    • junos-sun-rpc-ypserv-tcp

    • junos-sun-rpc-ypserv-udp

  • Default control application—Use the predefined control application junos-sun-rpc together with a user-defined data application:

    • Create an application for data (USER_DEFINED_DATA). You can group your own data applications into an application set (for example, my_rpc_application_set) and use that set in the policy.

  • ALG default application set—Use one of the predefined application sets, which pair the control application with a data application, in the policy:

    • junos-sun-rpc (for control sessions)

    • junos-sun-rpc-any

    • junos-sun-rpc-mountd

    • junos-sun-rpc-nfs

    • junos-sun-rpc-nfs-access

    • junos-sun-rpc-nlockmgr

    • junos-sun-rpc-portmap (for data sessions)

    • junos-sun-rpc-rquotad

    • junos-sun-rpc-ruserd

    • junos-sun-rpc-sadmind

    • junos-sun-rpc-sprayd

    • junos-sun-rpc-status

    • junos-sun-rpc-walld

    • junos-sun-rpc-ypbind

    • junos-sun-rpc-ypserv

  • Custom control and custom data application—Use a customized application:

    • Create an application for control (USER_DEFINED_CONTROL) and data (USER_DEFINED_DATA).

    • In the policy, use the user-defined application set for a control and customized data application:

      • USER_DEFINED_CONTROL

      • USER_DEFINED_DATA

Table 1 lists predefined Sun RPC services, the program number associated with each service, and a description of each service.

Table 1: Predefined Sun RPC Services

Service   Program ID   Description
PORTMAP   100000       Sun RPC Portmapper protocol; a TCP or UDP port-based service that listens on TCP or UDP port 111.
NFS       100003       Sun RPC Network File System.
MOUNT     100005       Sun RPC mount process.
YPBIND    100007       Sun RPC Yellow Pages (NIS) bind service.
STATUS    100024       Sun RPC status service.

Understanding Microsoft RPC ALGs

Microsoft Remote Procedure Call (MS-RPC) is the Microsoft implementation of the Distributed Computing Environment (DCE) RPC. Like the Sun RPC, MS-RPC provides a way for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service program's universal unique identifier (UUID). The specific UUID is mapped to a transport address.

Devices running Junos OS support MS-RPC as a predefined service and allow or deny traffic based on a policy you configure. The Application Layer Gateway (ALG) provides the functionality for Juniper Networks devices to handle the dynamic transport address negotiation mechanism of MS-RPC and to ensure UUID-based security policy enforcement. You can define a security policy to permit or deny all RPC requests, or to permit or deny by specific UUID. The ALG also supports route mode and Network Address Translation (NAT) mode for incoming and outgoing requests.

When both the MS-RPC client and the MS-RPC server are 64-bit capable (such as MS Exchange 2008), they negotiate the NDR64 transfer syntax during the bind. When NDR64 is in use, the interface parameters are encoded according to NDR64 syntax, whose packet format differs from that of NDR20 (the 32-bit version); an ALG that decodes the interface UUID from the bind must therefore handle both transfer syntaxes.

In MS-RPC, there is a remote activation interface of the DCOM Remote Protocol called ISystemActivator (also known as IRemoteSCMActivator). It is used by the Windows Management Instrumentation Command-line (WMIC), Internet Information Services (IIS), and many other applications that are used extensively.

The MS-RPC ALG allocates mapping entries dynamically rather than using a fixed table of 512 entries. It also ages mapping entries out on a timer (auto-clean) without affecting the active RPC sessions, control or data, that were created from them.

Starting in Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1, you can define the MS-RPC mapping entry ageout value with the set security alg msrpc map-entry-timeout value command. The ageout value ranges from 1 hour to 72 hours, and the default is 32 hours. If no new control negotiation for a service takes place before its mapping entry ages out (at most 72 hours), the entry is removed and a new data connection to that service fails until the client negotiates the endpoint again.

Enabling Microsoft RPC ALGs

The MS-RPC ALG is enabled by default and requires no configuration.

Enabling Microsoft RPC ALGs (CLI Procedure)

To disable the Microsoft RPC ALG, use the set security alg msrpc disable configuration statement and commit.

To re-enable the Microsoft RPC ALG, use the delete security alg msrpc disable configuration statement and commit.

Configuring the Microsoft RPC ALG

You can configure the Microsoft RPC ALG using the following three methods:

Configuring the MS-RPC ALG with a Predefined Microsoft Application

There are several predefined MS applications. To view the predefined Microsoft applications from the CLI, enter the show configuration groups junos-defaults command.

After you commit the configuration, from the CLI, enter the show security alg msrpc object-id-map command to view the output.

The output shows that the UUID has been applied for the policy.

Configuring the MS-RPC ALG with a Wildcard UUID

To permit the configuration for any MS RPC application, add the application junos-ms-rpc-any statement to the Permit configuration.

After you commit the configuration, from the CLI, enter the show security alg msrpc object-id-map command to view the output.

Configuring the MS-RPC ALG with a Specific UUID

For applications that have not been predefined, you need to manually configure a specific UUID. For example, to permit a NETLOGON application that has not been predefined, you add the application msrpc-netlogon statement to the Permit configuration.

In Junos OS Release 15.1X49-D90 and earlier, on all SRX Series Firewalls, a custom MS-RPC application whose universal unique identifier (UUID) had leading zeros, or that used the nil UUID (00000000-0000-0000-0000-000000000000), might match all TCP traffic, so that policies referencing the application permitted all TCP traffic instead of sending it through the MS-RPC ALG check.

Starting with Junos OS Release 15.1X49-D100 and Junos OS Release 17.3R1, a custom application UUID with leading zeros no longer matches all TCP traffic, and the policies referencing it send the traffic through the MS-RPC ALG check. The nil UUID is not accepted in a custom application.

After you commit the configuration, from the CLI, enter the show security alg msrpc object-id-map command to verify the Microsoft universal unique identifier to Object ID (UUID-to-OID) mapping table. The Microsoft RPC ALG monitors packets on TCP port 135.

Note:

The show security alg msrpc object-id-map CLI command has a chassis cluster node option to permit the output to be restricted to a particular node or to query the entire cluster. The show security alg msrpc object-id-map node CLI command options are <node-id | all | local | primary>.

Understanding Microsoft RPC Services

MS-RPC is the Microsoft implementation of the Distributed Computing Environment (DCE) RPC. Like Sun RPC, MS-RPC provides a way for a program running on one host to call procedures in a program running on another host. The transport address of an MS-RPC service is dynamically negotiated based on the service program's universal unique identifier (UUID); the specific UUID is mapped to a transport address.


Predefined Microsoft remote procedure call (MS-RPC) services include:

  • junos-ms-rpc-epm

  • junos-ms-rpc-tcp

  • junos-ms-rpc-udp

MS-RPC application defaults include:

  • junos-ms-rpc-iis-com-1

  • junos-ms-rpc-iis-com-adminbase

  • junos-ms-rpc-msexchange-directory-nsp

  • junos-ms-rpc-msexchange-directory-rfr

  • junos-ms-rpc-msexchange-info-store

  • junos-ms-rpc-uuid-any-tcp

  • junos-ms-rpc-uuid-any-udp

  • junos-ms-rpc-wmic-admin

  • junos-ms-rpc-wmic-admin2

  • junos-ms-rpc-wmic-mgmt

  • junos-ms-rpc-wmic-webm-callresult

  • junos-ms-rpc-wmic-webm-classobject

  • junos-ms-rpc-wmic-webm-level1login

  • junos-ms-rpc-wmic-webm-login-clientid

  • junos-ms-rpc-wmic-webm-login-helper

  • junos-ms-rpc-wmic-webm-objectsink

  • junos-ms-rpc-wmic-webm-refreshing-services

  • junos-ms-rpc-wmic-webm-remote-refresher

  • junos-ms-rpc-wmic-webm-services

  • junos-ms-rpc-wmic-webm-shutdown

MS-RPC application-set defaults include:

  • junos-ms-rpc

  • junos-ms-rpc-any

  • junos-ms-rpc-iis-com

  • junos-ms-rpc-msexchange

  • junos-ms-rpc-wmic

Table 2 lists predefined MS-RPC services, the UUID values associated with each service, and a description of each service.

Table 2: Predefined MS-RPC Services

Service                UUID                                  Description
EPM                    e1af8308-5d1f-11c9-91a4-08002b14a0fa  MS-RPC Endpoint Mapper (EPM) protocol; a TCP/UDP port-based service that listens on TCP/UDP port 135.
EXCHANGE-DATABASE      1a190310-bb9c-11cd-90f8-00aa00466520  Microsoft Exchange Database service.
EXCHANGE-DIRECTORY     f5cc5a18-4264-101a-8c59-08002b2f8426  Microsoft Exchange Directory service.
                       f5cc5a7c-4264-101a-8c59-08002b2f8426
                       f5cc59b4-4264-101a-8c59-08002b2f8426
WIN-DNS                50abc2a4-574d-40b3-9d66-ee4fd5fba076  Microsoft Windows DNS server.
WINS                   5f52c28-7f9f-101a-b52b-08002b2efabe   Microsoft WINS service. (The first value is printed here with only seven hex digits in its first group; a UUID needs eight, so verify it against the output of show configuration groups junos-defaults before using it in a policy.)
                       811109bf-a4e1-11d1-ab54-00a0c91e9b45
WMIC-Webm-Level1Login  f309ad18-d86a-11d0-a075-00c04fb68820  Allows users to connect to the management services interface in a particular namespace.

Customizing Microsoft RPC Applications (CLI Procedure)

MS-RPC applications are customized in the same way as Sun RPC applications.

MS-RPC services in security policies are identified by UUID; for example:

  • 0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde

  • 1453c42c-0fa6-11d2-a910-00c04f990f3b

  • 10f24e8e-0fa6-11d2-a910-00c04f990f3b

  • 1544f5e0-613c-11d1-93df-00c04fd7bd09

The corresponding TCP/UDP ports are dynamic. To permit them, you use the following statement for each UUID:

The ALG maps these four UUIDs to the dynamically negotiated TCP/UDP ports and permits or denies each service based on the policy you configure.
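As an added example (not part of the Junos documentation and not Juniper code), the following Python shows the negotiation that the UUID-based policy described under Understanding Microsoft RPC ALGs hooks into: it builds and parses a DCE/RPC connection-oriented bind PDU, reads the interface UUID and the offered transfer syntaxes (NDR20 and NDR64) from it, and applies an allow list of UUIDs such as the four listed just above. It also demonstrates the validation behind the leading-zero and nil UUID caveat: a policy entry that is not a full 32-hex-digit UUID, or that is the nil UUID, is refused rather than silently becoming a match-all. The PDU layout follows the DCE 1.1 RPC specification; the bind bytes are constructed inline, only the little-endian data representation is handled, and the function names are this example's own, not the ALG's. It does not decode the endpoint mapper's ept_map request that follows on port 135.

```python
import struct
import uuid

# Well-known transfer syntaxes offered in a bind, as UUID strings
NDR20 = "8a885d04-1ceb-11c9-9fe8-08002b104860"   # NDR, 32-bit, version 2
NDR64 = "71710533-beba-4937-8319-b5dbef9ccc36"   # NDR64, version 1
NIL_UUID = "00000000-0000-0000-0000-000000000000"
PTYPE_BIND = 11


def policy_uuid(text):
    """Parse a UUID for use in policy. Raises ValueError for the nil UUID and for any
    string that is not 32 hex digits (for example one with a dropped leading zero),
    so a malformed entry can never turn into a wildcard."""
    u = uuid.UUID(text)
    if u.int == 0:
        raise ValueError("nil UUID is not a valid policy match")
    return u


def is_valid_policy_uuid(text):
    try:
        policy_uuid(text)
        return True
    except ValueError:
        return False


def build_bind(call_id, iface, iface_ver, syntaxes):
    """Constructed DCE/RPC CO bind PDU (little-endian data rep) with a single
    presentation context requesting interface `iface` and offering `syntaxes`."""
    ctx = struct.pack("<HBB", 0, len(syntaxes), 0)              # cont_id, n_syntaxes, pad
    ctx += uuid.UUID(iface).bytes_le + struct.pack("<HH", iface_ver, 0)
    for ts, ver in syntaxes:
        ctx += uuid.UUID(ts).bytes_le + struct.pack("<HH", ver, 0)
    body = struct.pack("<HHIBBH", 5840, 5840, 0, 1, 0, 0)       # frag sizes, assoc, n_ctx
    hdr = struct.pack("<BBBBBBBBHHI", 5, 0, PTYPE_BIND, 0x03,   # vers 5.0, bind, first|last
                      0x10, 0, 0, 0,                            # drep: little-endian, ASCII
                      16 + len(body) + len(ctx), 0, call_id)    # frag_length, auth_length
    return hdr + body + ctx


def parse_bind(pdu):
    """Return call_id and the presentation contexts (interface UUID, version,
    transfer syntaxes) a client requests in a bind PDU."""
    fields = struct.unpack("<BBBBBBBBHHI", pdu[:16])
    vers, ptype, drep0, frag_len, call_id = fields[0], fields[2], fields[4], fields[8], fields[10]
    if vers != 5 or ptype != PTYPE_BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    if drep0 & 0xF0 != 0x10:
        raise ValueError("big-endian data representation not handled here")
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match PDU length")
    n_ctx, off = pdu[24], 28
    contexts = []
    for _ in range(n_ctx):
        cont_id, n_ts = struct.unpack("<HB", pdu[off:off + 3])
        off += 4
        iface = str(uuid.UUID(bytes_le=pdu[off:off + 16]))     # DCE UUIDs are LE on the wire
        major, minor = struct.unpack("<HH", pdu[off + 16:off + 20])
        off += 20
        ts = []
        for _ in range(n_ts):
            ts.append(str(uuid.UUID(bytes_le=pdu[off:off + 16])))
            off += 20
        contexts.append({"id": cont_id, "interface": iface,
                         "version": (major, minor), "syntaxes": ts})
    return {"call_id": call_id, "contexts": contexts}


def offers_ndr64(pdu):
    return any(NDR64 in c["syntaxes"] for c in parse_bind(pdu)["contexts"])


def bind_decision(pdu, allowed_texts):
    """Permit the bind only if every requested interface UUID is on the allow list.
    The allow list itself is validated first, so a bad entry fails closed."""
    allowed = {policy_uuid(t) for t in allowed_texts}
    for ctx in parse_bind(pdu)["contexts"]:
        if uuid.UUID(ctx["interface"]) not in allowed:
            return "deny"
    return "permit"


if __name__ == "__main__":
    epm = "e1af8308-5d1f-11c9-91a4-08002b14a0fa"               # EPM UUID from Table 2
    pdu = build_bind(1, epm, 3, [(NDR20, 2), (NDR64, 1)])
    print(parse_bind(pdu)["contexts"][0]["interface"], offers_ndr64(pdu))
    print(bind_decision(pdu, [epm, "0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde"]))
    print(is_valid_policy_uuid(NIL_UUID), is_valid_policy_uuid("5f52c28-7f9f-101a-b52b-08002b2efabe"))
```

The decision is taken on the interface UUID alone, independent of which transfer syntax the peers end up using, which is what makes the NDR64 case a parsing concern for the ALG rather than a policy concern. Note also that the UUID is little-endian on the wire under the 0x10 data representation, so byte-for-byte comparison against the textual UUID in a policy is wrong; the example converts with bytes_le before comparing.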

Release History Table

Release        Description
15.1X49-D90    In Junos OS Release 15.1X49-D90 and earlier, on all SRX Series Firewalls, a custom MS-RPC application whose UUID had leading zeros, or that used the nil UUID (00000000-0000-0000-0000-000000000000), might match all TCP traffic, so that policies referencing the application permitted all TCP traffic instead of sending it through the MS-RPC ALG check.
15.1X49-D100   Starting with Junos OS Release 15.1X49-D100 and Junos OS Release 17.3R1, a custom application UUID with leading zeros no longer matches all TCP traffic, and the policies referencing it send the traffic through the MS-RPC ALG check. The nil UUID is not accepted.
15.1X49-D10    Starting in Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1, you can define the Sun RPC mapping entry ageout value.
15.1X49-D10    Starting in Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1, you can define the MS-RPC mapping entry ageout value.