Can you explain to me: why is the Juniper blocking any traffic when I specify I want to allow any source address, any destination address, any application, and any source-identity?
If you are NOT using MSRPC, then the traffic is hitting the ALG in error and causing the traffic to be incorrectly processed. So the solution then is to turn the ALG off.
If you ARE using MSRPC, then the traffic cannot be fully processed by the ALG because the rule is "any" and not application-specific, so the ALG cannot fully function.
What technically is so special about MSRPC that the Juniper is blocking it despite my any/any/any/any policy? Is it because "the port number is high"?
I have not researched MSRPC, but typically the issue that an ALG fixes is that the INITIAL traffic is in one direction, zone to zone, on a particular port. But this session then sets up REVERSE traffic that initiates with different ports (usually high ones) that need to be open and are not, because they are random and session-specific. The ALG recognizes the traffic as part of the permitted primary-direction flow and opens automatic "pinhole" rules to permit the return traffic in the REVERSE direction that would otherwise require a rule.
What else besides MSRPC does the Juniper block when I tell it to allow "any/any/any/any" traffic?
The firewall blocks by default and only permits what is in a rule. If you have an any/any allow rule in one direction and then a second any/any allow rule for the reverse direction, then the ALG would not be needed. The ALG is needed if there are restrictions in the REVERSE direction of the normal traffic.
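To make the two pieces of advice in this exchange concrete, here is an added Junos CLI example (not part of the original thread) showing how to check which ALGs are active, how to turn the MSRPC ALG off as suggested in the first answer, and how the pair of any/any policies described in the last answer looks. The zone names `trust` and `untrust` and the policy names are assumptions chosen for illustration; substitute your own.

```junos
## Operational mode: confirm whether the MSRPC ALG is currently enabled.
## Assumed prompt "user@srx"; the MSRPC line in the output is the one of interest.
user@srx> show security alg status

## Configuration mode: disable the MSRPC ALG so traffic is no longer
## diverted to it for inspection (first answer above).
user@srx# set security alg msrpc disable

## With the ALG off, no pinholes are opened for the reverse-direction
## high-port sessions, so they must be permitted explicitly. Per the last
## answer, an any/any rule in BOTH directions makes the ALG unnecessary.
## Zone names "trust" and "untrust" are assumptions for this example.
user@srx# set security policies from-zone trust to-zone untrust policy allow-all-out match source-address any
user@srx# set security policies from-zone trust to-zone untrust policy allow-all-out match destination-address any
user@srx# set security policies from-zone trust to-zone untrust policy allow-all-out match application any
user@srx# set security policies from-zone trust to-zone untrust policy allow-all-out match source-identity any
user@srx# set security policies from-zone trust to-zone untrust policy allow-all-out then permit

user@srx# set security policies from-zone untrust to-zone trust policy allow-all-in match source-address any
user@srx# set security policies from-zone untrust to-zone trust policy allow-all-in match destination-address any
user@srx# set security policies from-zone untrust to-zone trust policy allow-all-in match application any
user@srx# set security policies from-zone untrust to-zone trust policy allow-all-in match source-identity any
user@srx# set security policies from-zone untrust to-zone trust policy allow-all-in then permit

## Review and apply.
user@srx# show | compare
user@srx# commit

## Back in operational mode, verify the ALG now reports as disabled.
user@srx> show security alg status
```

Note the trade-off the thread itself spells out: the MSRPC ALG exists to open session-specific pinholes for the reverse-direction, high-port traffic. Turning it off is only safe if that reverse traffic is permitted some other way, which is what the second any/any policy above provides; in a more restrictive deployment you would keep the ALG and write application-specific policies instead.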