Juniper SSG5

cheto06 used Ask the Experts™
I am setting up a Read Only DC in the DMZ. I opened a bunch of ports that are needed for replication.

I am unable to log in to my RODC. If I open TCP-ANY and UDP-ANY, it works. Apparently, one of the required ports is:
UDP Dynamic: Group Policy, DCOM, RPC, EPM and
TCP Dynamic: Replication, User and Computer Authentication, Group Policy, Trusts (RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS)

How do I open UDP/TCP Dynamic on my Juniper SSG5?

On an SSG every policy has the option to allow logging. Since you have shown that with all ports open everything works, how about creating a single policy with logging to allow traffic to your RODC. And then based on those logs create custom services.

I used this method to figure out how to allow Windows Server VPN traffic through my Juniper firewall.
"Batchelor", Developer and EE Topic Advisor
Top Expert 2015
I agree. The best method for isolating unknown but needed traffic is to put a restrictive policy in, allowing the ports you know already, plus a generic "allow all" with logging. In your case you know the source and destination addresses, so it should not be difficult to catch all needed ports. Of course you need to consider that some ports are dynamic and work using the RPC ALGs (application layer gateways), which inspect traffic for dynamic IP and port info carried in TCP/IP layers 5-7.
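Both answers describe the same workflow: log everything between the known hosts, then turn the observed ports into custom services. The script below is an added example of that second step (not code from either poster or from Juniper): it parses ScreenOS traffic-log lines, keeps only permitted flows between the writable DC and the RODC, separates fixed ports from hits in the Windows RPC dynamic range (49152-65535 on Windows Vista/2008 and later), and prints `set service` commands for a custom service. The log lines are constructed to approximate the ScreenOS syslog format, the 10.10.1.5 and 10.20.1.10 addresses are made up, and the exact `set service` syntax is an assumption to check against the ScreenOS reference for your firmware.

```python
import re
from collections import Counter

# Constructed sample lines approximating ScreenOS "traffic" syslog records
# (not real logs from the poster's SSG5). 10.10.1.5 stands in for the
# writable DC, 10.20.1.10 for the RODC in the DMZ; both addresses are made up.
SAMPLE_LOG = """\
Mar 10 09:12:00 ssg5: NetScreen device_id=ssg5 [Root]system-notification-00257(traffic): start_time="2015-03-10 09:12:00" duration=1 policy_id=10 service=tcp/port:135 proto=6 src zone=Trust dst zone=DMZ action=Permit sent=420 rcvd=380 src=10.10.1.5 dst=10.20.1.10 src_port=49701 dst_port=135 session_id=1001
Mar 10 09:12:00 ssg5: NetScreen device_id=ssg5 [Root]system-notification-00257(traffic): start_time="2015-03-10 09:12:00" duration=2 policy_id=10 service=tcp/port:49155 proto=6 src zone=Trust dst zone=DMZ action=Permit sent=9120 rcvd=2200 src=10.10.1.5 dst=10.20.1.10 src_port=49702 dst_port=49155 session_id=1002
Mar 10 09:12:01 ssg5: NetScreen device_id=ssg5 [Root]system-notification-00257(traffic): start_time="2015-03-10 09:12:01" duration=1 policy_id=10 service=udp/port:389 proto=17 src zone=Trust dst zone=DMZ action=Permit sent=120 rcvd=200 src=10.10.1.5 dst=10.20.1.10 src_port=52000 dst_port=389 session_id=1003
Mar 10 09:12:02 ssg5: NetScreen device_id=ssg5 [Root]system-notification-00257(traffic): start_time="2015-03-10 09:12:02" duration=3 policy_id=10 service=tcp/port:49160 proto=6 src zone=Trust dst zone=DMZ action=Permit sent=6000 rcvd=1800 src=10.10.1.5 dst=10.20.1.10 src_port=49703 dst_port=49160 session_id=1004
Mar 10 09:12:03 ssg5: NetScreen device_id=ssg5 [Root]system-notification-00257(traffic): start_time="2015-03-10 09:12:03" duration=1 policy_id=10 service=tcp/port:445 proto=6 src zone=Trust dst zone=DMZ action=Permit sent=700 rcvd=500 src=10.10.1.5 dst=10.20.1.10 src_port=49704 dst_port=445 session_id=1005
Mar 10 09:12:04 ssg5: NetScreen device_id=ssg5 [Root]system-notification-00257(traffic): start_time="2015-03-10 09:12:04" duration=0 policy_id=10 service=tcp/port:135 proto=6 src zone=Trust dst zone=DMZ action=Permit sent=0 rcvd=0 src=10.10.1.99 dst=10.20.1.10 src_port=3333 dst_port=135 session_id=1006
Mar 10 09:12:05 ssg5: NetScreen device_id=ssg5 [Root]system-notification-00257(traffic): start_time="2015-03-10 09:12:05" duration=0 policy_id=11 service=tcp/port:3389 proto=6 src zone=Trust dst zone=DMZ action=Deny sent=0 rcvd=0 src=10.10.1.5 dst=10.20.1.10 src_port=49705 dst_port=3389 session_id=1007
"""

# Pull the fields we need out of one traffic record.
FIELD_RE = re.compile(
    r"proto=(?P<proto>\d+) .*?action=(?P<action>\w+) .*?"
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) src_port=(?P<sport>\d+) dst_port=(?P<dport>\d+)"
)
PROTO_NAMES = {6: "tcp", 17: "udp"}

# Default RPC dynamic port range on Windows Vista / Server 2008 and later.
RPC_DYNAMIC = (49152, 65535)


def parse_traffic_log(text):
    """Return one dict per traffic record; other log types are skipped."""
    records = []
    for line in text.splitlines():
        if "(traffic)" not in line:
            continue
        m = FIELD_RE.search(line)
        if not m:
            continue
        proto = PROTO_NAMES.get(int(m["proto"]), m["proto"])
        records.append({"proto": proto, "action": m["action"], "src": m["src"],
                        "dst": m["dst"], "dport": int(m["dport"])})
    return records


def observed_ports(records, src, dst):
    """Count permitted (proto, dst_port) pairs between the two known hosts only,
    so stray traffic from other machines does not end up in the service."""
    counts = Counter()
    for r in records:
        if r["action"] == "Permit" and r["src"] == src and r["dst"] == dst:
            counts[(r["proto"], r["dport"])] += 1
    return counts


def split_fixed_and_dynamic(counts, dynamic=RPC_DYNAMIC):
    """Separate well-known ports from hits inside the RPC dynamic range."""
    fixed = sorted(k for k in counts if not (dynamic[0] <= k[1] <= dynamic[1]))
    dyn = sorted(k for k in counts if dynamic[0] <= k[1] <= dynamic[1])
    return fixed, dyn


def render_service_commands(name, fixed, dyn, dynamic=RPC_DYNAMIC):
    """Emit ScreenOS 'set service' lines: one entry per fixed port, plus the
    whole dynamic range per protocol that was seen in it. The CLI syntax
    (first entry without '+', later entries with '+') is an assumption;
    verify it against the ScreenOS reference before pasting."""
    entries = [(proto, port, port) for proto, port in fixed]
    for proto in sorted({p for p, _ in dyn}):
        entries.append((proto, dynamic[0], dynamic[1]))
    lines = []
    for i, (proto, lo, hi) in enumerate(entries):
        prefix = f'set service "{name}"' if i == 0 else f'set service "{name}" +'
        lines.append(f"{prefix} protocol {proto} src-port 0-65535 dst-port {lo}-{hi}")
    return lines


if __name__ == "__main__":
    recs = parse_traffic_log(SAMPLE_LOG)
    counts = observed_ports(recs, "10.10.1.5", "10.20.1.10")
    fixed, dyn = split_fixed_and_dynamic(counts)
    for cmd in render_service_commands("RODC-Replication", fixed, dyn):
        print(cmd)
```

Run it against a copy of your syslog export instead of `SAMPLE_LOG` once the logging "allow all" policy has been in place long enough to cover a replication cycle and a few logons. If the SSG's RPC ALG is enabled, as the second answer notes, the ALG may already be opening the dynamic ports for you, in which case the last `dst-port 49152-65535` entry can be dropped and the policy kept to the fixed ports.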
