A place for me to share the scripts, tools and hacks I use in my daily life as a network engineer.

Tuesday, October 11, 2011

Juniper Application Layer Gateway (ALG) Feature Considered Harmful With Microsoft 2008 AD Replication

I'm currently at an Active Directory (AD) shop. I hate AD, but here it seems to be a necessary evil. (I'd much rather run regular LDAP, BIND, etc.)

We ran in to a tricky firewall corner case today that I couldn't find anyone blogging about, so I'm jotting my notes down here for posterity.

It seems that AD domains that were set up post Windows Server 2008 (no 2003 backward compatibility) are now using dynamic ports for RPC (see the Microsoft KB article on this).


These high/dynamic ports DO NOT play nicely with Juniper's Application Layer Gateway features. We're using Juniper SRX boxes for site-to-site IPsec VPN termination. I wasn't expecting any NAT or gateway features to be active on the Juniper between my tunnel interfaces and trusted interfaces, but ALG appears to have been blocking connectivity.

The symptom was lack of TCP connectivity between domain controllers. A simple

    telnet domain1 49152

would fail to connect (in seemingly very non-deterministic ways, but then it would block solid for days).

Disabling ALG on the Juniper did the trick.

I doubt disabling ALG will be an issue since we're not using the SRXes as internet gateways (at least not these nodes).
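For reference, here is the kind of Junos configuration that turns the relevant ALGs off. This is an added example, not the config from my SRXes; it assumes a recent Junos release where the ALG knobs live under the "security alg" hierarchy, and it disables only the RPC-related ALGs rather than every ALG on the box.

```junos
/* Added example: disable the RPC ALGs that inspect AD replication traffic.
   Hypothetical device; hierarchy names are standard Junos "security alg" knobs. */
security {
    alg {
        /* MS-RPC ALG tracks the endpoint mapper (TCP 135) and opens pinholes for
           the dynamic ports the DCs negotiate; this is the one that was
           interfering with DC-to-DC traffic over the IPsec tunnel. */
        msrpc disable;
        /* Sun-RPC ALG is not needed between the tunnel and trust zones either. */
        sunrpc disable;
    }
}
```

After committing, "show security alg status" should list MSRPC and SUNRPC as Disabled, and "show security flow session destination-port 49152" is a quick way to confirm the DC sessions are now being created without the ALG in the path.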