Archived from groups: comp.security.firewalls (More info?)
I am using RMI tunneling for my weblogic application. I have a
Netscreen firewall and I am not able to tunnel through port 443
because Netscreen only allows this for a port number 1024 or lower. So my
current setup with my firewall allows a port address translation like
so
<external_ip_outside_firewall>:8000 (port 8000 because it needs to be
greater than 1024)
|
| (forwards to)
V
<internal_ip_inside_firewall>:7002 (7002 is weblogic's ssl port)
Here is what I want
<external_ip_outside_firewall>:443
|
| (forwards to)
V
<internal_ip_inside_firewall>:7002
Here are my questions:
1.) Is this limitation (tunnelling port 1024 and under) unique to
Netscreen? If not, is this something I can expect would work with
other firewalls? If not, what is the reason for this limitation?
2.) Suppose #1 is not an issue, is there any issue with using port 443
as the tunneling port because it is the standard https port?
Hi,
nsr93 <nsr_93@yahoo.com> wrote:
><external_ip_outside_firewall>:8000 (port 8000 because it needs to be
> greater than 1024)
> |
> | (forwards to)
> V
><internal_ip_inside_firewall>:7002 (7002 is weblogic's ssl port)
There is no such limitation on netscreen devices.
What is the series of commands you use to do this mapping?
> 2.)Suppose # 1 is not an issue, is there any issue with using port 443
> as the tunneling port because it is the standard https port?
The issue might be that you collide with a port the netscreen tries to use
for its own management.
I was told that was a limitation by the person who manages our
firewall. Hmm. Do you have any info I can pass on to this person to
show him how to do it?
Regarding port 443, is your advice not to use it then? Because of
collisions? Can you elaborate more on this?
nsr_93@yahoo.com (nsr93) wrote in message news:<85ea0cdf.0404121851.55395bc4@posting.google.com>...
> I am using RMI tunneling for my weblogic application. I have a
> Netscreen firewall and I am not able to tunnel through port 443
> because Netscreen only allows this a port number 1024 or lower. So my
> current setup with my firewall allows a port address translation like
> so
>
> <external_ip_outside_firewall>:8000 (port 8000 because it needs to be
> greater than 1024)
> |
> | (forwards to)
> V
> <internal_ip_inside_firewall>:7002 (7002 is weblogic's ssl port)
>
>
>
> Here is what I want
>
> <external_ip_outside_firewall>:443
> |
> | (forwards to)
> V
> <internal_ip_inside_firewall>:7002
>
> Here are my questions:
>
> 1.) Is this limitation (tunnelling port 1024 and under) unique to
> Netscreen? If not, is this something I can expect would work with
> other firewalls? If not, what is the reason for this limitation?
> 2.) Suppose #1 is not an issue, is there any issue with using port 443
> as the tunneling port because it is the standard https port?
Hi,
nsr93 <nsr_93@yahoo.com> wrote:
> I was told that was a limitation by the person who manages our
> firewall. Hmm. Do
> you have any info I can pass on to this person to show him how to do
> it?
Grab the reference manuals from Netscreen's website.
> Regarding port 443, is your advice not to use it then? Because of
> collisions? Can you elaborate more on this?
Netscreen's knowledgebase describes your problem pretty well.
Solution ID: nskb1290
"Configure telnet http, https, or SSH service for VIP Same as Untrust".
I cannot think of another situation where you might run into trouble
with forwarding 443.
Thanks again. I will look at the references you cited. Having not
looked at those yet, here is some additional info I gathered:
I got some more information about the firewall and how we are using
it. We are using the "Virtual IP" facility which allows us to map
specific ports from an assigned, public IP address on the "outside"
interface to an individual host on the "inside" interface. My coworker
says he can map "standard" ports, ie 80, 443, etc., to the SAME port
on the inside, but non-standard ports must be greater than 1024. So
this is not completely in line with my original post, so I apologize.
He says if I can set weblogic's SSL listen port to 443, he can change the
mapping such that <outside ip>:443 maps to <inside ip>:443. However, I
am not sure that this is a good idea.
I just wanted to further clarify with my new info, but don't worry, I
will do my homework first and post a follow up.
Thanks in advance.
Jens Hoffmann <jh@bofh.de> wrote in message news:<slrnc7ns5m.s6q.jh@churrasco.bofh.de>...
> Hi,
>
> nsr93 <nsr_93@yahoo.com> wrote:
> > I was told that was a limitation by the person who manages our
> > firewall. Hmm. Do
> > you have any info I can pass on to this person to show him how to do
> > it?
>
> Grab the reference manuals from netscreens website.
>
> > Regarding port 443, is your advice not to use it then? Because of
> > collisions? Can you elaborate more on this?
>
> Netscreens knowledgebase describes your problem pretty good.
>
> Solution ID: nskb1290
> "Configure telnet http, https, or SSH service for VIP Same as Untrust".
>
> I cannot think of another situation where you might run into trouble
> with forwarding 443.
>
> Greetings,
> Jens
Hi,
nsr93 <nsr_93@yahoo.com> wrote:
> on the inside, but non-standard ports must be greater than 1024. So
Not exactly. I contact my machine via ssh from the outside via a vip
listening on 222 and forwarding to 22.
Relevant parts of my config:
set service "ssh2" protocol tcp src-port 0-65535 dst-port 222-222 group "other"
set interface untrust vip untrust 222 "SSH" 192.168.0.2 manual
set policy id 4 from "Untrust" to "Trust" "Any" "VIP::1" "ssh2" Permit
As you can see, source ports and destination ports are below 1024.
I really had a hard time creating the setup, because I forgot to implement
a policy which allowed the ssh traffic :)
But I really suggest that your admin stops guessing and starts reading
manuals. It helped me a lot.
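Jens' three-line pattern applied to the mapping the original poster actually wants (outside port 443 to WebLogic's SSL listener on 7002), as an added example rather than config from the thread. The inside address 192.0.2.10, the service name "weblogic-ssl", policy id 5, the "VIP::1" index and the admin-port command in the last step are assumptions; lines starting with "#" are annotations for the reader, not ScreenOS syntax.

```screenos
# Added example (not from the thread). Assumed values: 192.0.2.10 = internal
# WebLogic host, policy id 5 = an unused id on the device.

# 1. Custom service describing the internal target port (WebLogic SSL, 7002).
#    In a VIP entry the service picks the port the inside host is reached on.
set service "weblogic-ssl" protocol tcp src-port 0-65535 dst-port 7002-7002 group "other"

# 2. VIP on the untrust interface: external (virtual) port 443 is what the
#    outside sees; it is forwarded to service weblogic-ssl (7002) on the host.
#    443 is below 1024 and still allowed, as in the 222 -> 22 example.
set interface untrust vip untrust 443 "weblogic-ssl" 192.0.2.10 manual

# 3. Policy permitting inbound traffic to the VIP. The policy matches on the
#    EXTERNAL port, so it uses the predefined "HTTPS" service (tcp/443), just as
#    the ssh example used the custom "ssh2" service on 222. Without this policy
#    the VIP silently drops the connection (the mistake Jens mentions above).
set policy id 5 from "Untrust" to "Trust" "Any" "VIP::1" "HTTPS" Permit

# 4. Caveat from nskb1290 (command syntax is assumed; check your ScreenOS
#    release): if the device serves its own web management on the untrust
#    address, move the admin HTTPS listener off 443 first, otherwise the VIP
#    and the management interface collide on the same port.
set admin ssl port 1100
```

Verify the result from the outside before going live: a TLS handshake against <external_ip>:443 should present WebLogic's certificate, not the NetScreen's management certificate.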
Jens,
Ok, I read the solution you suggested. I have to admit, not being a
network administrator but a software developer, the description was a
little fuzzy. I am not exactly sure of everything it said. For
example, I don't understand exactly how the forwarding in that example
worked: it said the user accessed the normal http port 80, and somehow
got forwarded because the http port that Netscreen listens on for http
was changed to 1100. Would you be so kind as to explain as it pertains
to my situation? The details were not explained and it was not
intuitive to me.
Besides, I think it was discussing port forwarding to the same port
between the trust side and the untrust side. I want to port forward
from a standard port (port 443) to a high port >1024 (port 7002). I read
Solution ID: nskb794:
Configure VIP with low external port
Low port for VIP is supported in ScreenOS 3.0.2 and higher.
Here is the problem or goal:
Cannot add virtual port to VIP < 1024
Cannot define low port for VIP
WebUI Message: Port number should be between 1024 and 32767, or default
1024
CLI Message: ###Invalid reserved VIP port number 80 for ....
Configure VIP with low external port mapped to high internal port
Applicable Products:
NetScreen-5XP
Applicable ScreenOS:
3.0.2
Applicable Software Versions:
None
**************************************************************************
I may be wrong, but isn't this the problem I am having? If so, I may
be out of luck because I do not have that version or higher of
netscreen.
Let me know if I made any sense, if not maybe you can make sense of
this for me.
Jens Hoffmann <jh@bofh.de> wrote in message news:<slrnc7ns5m.s6q.jh@churrasco.bofh.de>...
> Hi,
>
> nsr93 <nsr_93@yahoo.com> wrote:
> > I was told that was a limitation by the person who manages our
> > firewall. Hmm. Do
> > you have any info I can pass on to this person to show him how to do
> > it?
>
> Grab the reference manuals from netscreens website.
>
> > Regarding port 443, is your advice not to use it then? Because of
> > collisions? Can you elaborate more on this?
>
> Netscreens knowledgebase describes your problem pretty good.
>
> Solution ID: nskb1290
> "Configure telnet http, https, or SSH service for VIP Same as Untrust".
>
> I cannot think of another situation where you might run into trouble
> with forwarding 443.
>
> Greetings,
> Jens
Hi,
nsr93 <nsr_93@yahoo.com> wrote:
> Besides, I think it was dicussing port forwarding to the same port
> between the trust side and the untrust side.
Doesn't matter, if you look at the config example I posted.
> I may be wrong, but isn't this the problem I am having?
Perhaps. My crystal ball is not perfect.
> If so, I may
> be out of luck because I do not have that version or higher of
> netscreen.
Your dealer or Netscreen will be happy to help you there.
You would want to have a newer release anyway (think about it,
if you don't have version 3.x, we are at version 5.x, that's
like still running NT 3 instead of XP...)