Odd behavior with certain ports



  • I’ve got a SA2000 up and running but I’ve run across some strange behavior with certain port resources I’ve opened in network connect policies for some roles.  We use PCAnywhere for troubleshooting with remote clients.  PCAnywhere uses only TCP5631 and UDP5632 so I set up a resource under Network Connect Access Policies that looked like this:
    tcp://:5631
    udp://5632
    Very straightforward as you can see.  This does not work for me, however.  I did a ton of testing and scanning of port usage with TCPView and watched my firewall logs and the only thing I saw is TCP5631 and UDP5632, absolutely no other ports are utilized, but I still couldn’t connect.  The only way I can get PCAnywhere to work is to add an open wildcard entry for my IP address (tcp://xxx.xxx.xxx.xxx:
    ).
    Similarly, we send some basic lpd output for printing to a remote client on port 515.  This user also telnets (port 23) into our AS400 so I added this entry:
    tcp://
    .23,515
    He was able to telnet in just fine, but our lpd traffic did not work.  Also checked it with TCPView and firewall logs.  Once again, the only way for it to function was to open wildcard on the AS400 ip address.  Absolutely no other ports were used, but connectivity could not be established.  Once we open it up with a * wildcard, it flows just fine.  A very strange problem that I’d appreciate any suggestions with.
    Thanks!



  • We gave up and decided to use the Support Meeting functionality of the SSL VPN appliance for remote users. You need meeting licenses to use this, but I think with some of the later releases you get 1 license included so you can evaluate it.



  • Thanks for the response.  You’re correct that in the case of PCAnywhere, the source port is random.  Did you ever figure out a way to get Remote Assistance to work?  Did you have to open it up with a wildcard (*) to get things going?  I’m shocked Juniper didn’t account for bi-directional communication.



  • I had a similar problem with Remote Assistance. What I found was the resource policies are not bi-directional. If I understand what you're saying about telnet and lpd correctly, then Telnet works because 23 is the port on the internal resource. Printing doesn't because port 515 is the port on the remote client. If you could predict the source port for the lpd traffic you could configure the policy to allow this, but if it's anything like Remote Assistance it's a random port. For PCAnywhere you'll probably find your remote clients can PCAnywhere to your machine with the configured policy.

