SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  OPC Support on SRX

    Posted 06-04-2019 01:24

    I need to allow OPC DA, OPC HDA, OPC A&E which is based on Windows DCOM, through SRX320 Junos firewalls.

    Is it fully supported on Juniper firewall? How can I define access rules?




  • 2.  RE: OPC Support on SRX

    Posted 06-04-2019 16:29

    Hi Avilt,


    DCOM uses MS-RPC and you can allow it by configuring your security-policies with one of the predefined MS-RPC applications like junos-ms-rpc-tcp or junos-ms-rpc-any. In order to permit MS-RPC communications, the SRX leverages its MS-RPC ALG; you can find more information on the following document:

     

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-rpc-alg.html#id-understanding-microsoft-rpc-algs

     

    Here I attach another document that will help you in case the SRX doesn't recognize the UUIDs used by the hosts in your network:

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB23730

     

    I hope this helps.

     



  • 3.  RE: OPC Support on SRX

    Posted 06-04-2019 22:59

    Thank you.

    There is no information on OPC Data Access, OPC Historical Data Access and OPC Alarms & Events; these protocols are used in industrial environments for data exchange.

     

    Maybe I need to allow the following services for it to work:

    junos-ms-rpc-epm
    junos-ms-rpc-tcp
    junos-ms-rpc-uuid-any-tcp

     

    But in this case I am not sure how many ports it will keep open between clients and servers. Appreciate if you could share more info if available.



  • 4.  RE: OPC Support on SRX

    Posted 06-05-2019 08:20

    avilt,

     

    As you already stated, those standards use DCOM to transport data and this can also be confirmed in the following link:

     

            "Similar to the OPC Data Access specification, OPC Historical Data Access also uses Microsoft's DCOM to transport data"

     

            Ref: https://en.wikipedia.org/wiki/OPC_Historical_Data_Access

     

    Also, I explained that DCOM uses MS-RPC to transfer data between hosts, so in the end what we care about is allowing MS-RPC traffic across the SRX. Here I attach a small explanation about MS-RPC:

     

    "MS-RPC is used by Windows devices to communicate between processes running on different devices; these remote processes are identified by UUIDs.

    The device acting as the client will first establish a connection via port 135 and will ask for the dynamic port on which a specific service (UUID) is listening on the remote end. The device acting as the server will provide this information and the client will open a new session on that dynamic port (a high random port). Ideally we don't configure security-policies that permit traffic on all ports, so when you reference the ms-rpc application on a security-policy it only permits port 135, and the SRX listens to the communications between the client and the server in order to determine which high random port will be used next; the SRX then allows communications from the client on that port only, blocking traffic on any other non-negotiated port. That's pretty much the functionality of the MS-RPC ALG. However, it is very common that from specific zones we don't need that much security, and sometimes we can have a security-policy allowing all the traffic from a specific zone to another zone."

     

    Ref: https://forums.juniper.net/t5/SRX-Services-Gateway/RT-ALG-WRN-CFG-NEED/m-p/462471

     

    In summary, the MS-RPC ALG will be listening to communications on port 135 (known as EPM) and will be in charge of dynamically allowing only the ports that were negotiated between the client and the server devices.

     



  • 5.  RE: OPC Support on SRX

    Posted 06-05-2019 21:28

    To conclude, if I allow the following services, the OPC application should work, right?

    junos-ms-rpc-epm
    junos-ms-rpc-tcp
    junos-ms-rpc-uuid-any-tcp



  • 6.  RE: OPC Support on SRX
    Best Answer

    Posted 06-06-2019 11:21

    Yes
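    The following Junos configuration is an added example, not posted by anyone in the thread and not taken from Juniper documentation. It puts the three predefined MS-RPC applications the thread settles on into one application set, references that set from a single zone-to-zone policy, and then lists the operational commands used to confirm that the MS-RPC ALG is active and that only negotiated dynamic ports are being opened. The zone names (SCADA, PLC), the address-book entries and their prefixes are assumptions; UUID-PLACEHOLDER stands for a real interface UUID and must be taken from the EPM exchange observed in your own network (see KB23730 referenced above).

```junos
## Added example; zones, addresses and the UUID placeholder are assumptions.
## Group the three predefined MS-RPC applications from the thread's conclusion.
set applications application-set opc-dcom application junos-ms-rpc-epm
set applications application-set opc-dcom application junos-ms-rpc-tcp
set applications application-set opc-dcom application junos-ms-rpc-uuid-any-tcp

## Assumed global address-book entries: OPC clients in the SCADA zone,
## OPC servers in the PLC zone (prefixes are constructed sample values).
set security address-book global address opc-clients 10.10.10.0/24
set security address-book global address opc-servers 10.20.20.0/24

## The policy itself only permits the EPM connection on TCP port 135; the
## MS-RPC ALG (enabled by default) inspects that exchange and opens only the
## dynamic port negotiated for each UUID, as explained in post 4.
set security policies from-zone SCADA to-zone PLC policy allow-opc match source-address opc-clients
set security policies from-zone SCADA to-zone PLC policy allow-opc match destination-address opc-servers
set security policies from-zone SCADA to-zone PLC policy allow-opc match application opc-dcom
set security policies from-zone SCADA to-zone PLC policy allow-opc then permit
set security policies from-zone SCADA to-zone PLC policy allow-opc then log session-init
set security policies from-zone SCADA to-zone PLC policy allow-opc then log session-close

## Optional, per KB23730: if the ALG does not recognise an OPC interface UUID,
## define it as a custom application and add it to the set. Replace
## UUID-PLACEHOLDER with the interface UUID seen in the EPM request.
## set applications application opc-custom-uuid term t1 protocol tcp uuid UUID-PLACEHOLDER
## set applications application-set opc-dcom application opc-custom-uuid

## Operational-mode checks after commit (run without "set"):
##   show security alg status                       -- confirm msrpc ALG is enabled
##   show security alg msrpc portmap                -- UUID to dynamic-port mappings learned from EPM
##   show security flow session destination-port 135 -- the EPM sessions the policy permitted
```

Using the application set keeps the policy to a single rule, so an administrator can later swap junos-ms-rpc-uuid-any-tcp for explicit UUID applications without touching the policy itself. Because junos-ms-rpc-uuid-any-tcp accepts any UUID the client requests, the portmap output is the place to see which interfaces are actually being used; once known, restricting the set to those UUIDs narrows what the ALG will open.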