The MS_RPC_TCP service is used for RPC communication.
Microsoft Distributed Transaction Coordinator (DTC) uses Remote Procedure Call (RPC) dynamic port allocation by default (for example, 49743/TCP). RPC dynamic port allocation randomly selects port numbers in the 49152-65535 range.
NSX firewall rules configured with the MS_RPC_TCP service allow the initial connection on TCP/135 but do not allow the follow-on connections to the higher ports (49152-65535) that the ALG needs to open for the session to complete.
Ex: When the MS_RPC_TCP service is configured on the rule, traffic on TCP/135 is accepted, but the firewall starts blocking as soon as one of the dynamic ports (49152-65535) is allocated.
NSX-T Datacenter
Depending on the RPC method, the DCERPC BIND packet has its auth level set to "Packet privacy (6)" or "Packet integrity (5)".
If the auth level is set to packet privacy, the DCERPC response packet carries the dynamic port number inside encrypted stub data. The DFW VSIP code cannot decrypt this data and therefore cannot open the dynamic port.
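The following is an added illustration, not part of this article and not VMware or Microsoft code. It builds two minimal DCERPC BIND PDUs for the Endpoint Mapper interface (one with auth level 5, one with auth level 6), parses the common header and the sec_trailer the way a firewall ALG would, and reports whether the stub data of that association will stay readable. The NTLMSSP token bytes, frag sizes and call_id are constructed placeholders; the PDU layout, auth_level values and the Endpoint Mapper and NDR UUIDs follow the public DCE/RPC and MS-RPCE specifications.

```python
"""Classify a DCE/RPC connection-oriented PDU by its sec_trailer auth level.

A firewall ALG that tracks RPC needs to read the dynamic port out of the
Endpoint Mapper response.  With auth level 5 (packet integrity) the stub data
is signed but clear text; with auth level 6 (packet privacy) it is encrypted
and the ALG cannot learn the port, which is the failure mode described above.
"""
import struct
import uuid

# Connection-oriented PDU types (C706 / MS-RPCE 2.2.2)
PTYPE_REQUEST, PTYPE_RESPONSE, PTYPE_BIND, PTYPE_BIND_ACK = 0, 2, 11, 12
PTYPE_NAMES = {0: "REQUEST", 2: "RESPONSE", 11: "BIND", 12: "BIND_ACK"}

# auth_level and auth_type values carried in the sec_trailer (MS-RPCE 2.2.1.1.8)
AUTH_LEVEL_NAMES = {1: "NONE", 2: "CONNECT", 3: "CALL", 4: "PKT",
                    5: "PKT_INTEGRITY", 6: "PKT_PRIVACY"}
AUTH_TYPE_NAMES = {0: "NONE", 9: "SPNEGO", 10: "NTLMSSP", 16: "KERBEROS"}

# Well-known interface UUIDs: Endpoint Mapper and the NDR transfer syntax
EPM_UUID = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

HDR_LEN = 16          # common PDU header
SEC_TRAILER_LEN = 8   # auth_type, auth_level, pad_length, reserved, context_id


def parse_pdu(pdu: bytes) -> dict:
    """Return header fields plus the sec_trailer auth type/level of a PDU."""
    if len(pdu) < HDR_LEN:
        raise ValueError("short PDU")
    ver, _minor, ptype, _flags = struct.unpack_from("<BBBB", pdu, 0)
    if ver != 5:
        raise ValueError("not a DCE/RPC v5 PDU")
    # packed_drep byte 0, bit 4 set means little-endian integer encoding
    endian = "<" if pdu[4] & 0x10 else ">"
    frag_len, auth_len, call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    info = {"ptype": PTYPE_NAMES.get(ptype, str(ptype)), "call_id": call_id,
            "auth_type": "NONE", "auth_level": "NONE", "auth_level_num": 1}
    if auth_len == 0:
        return info                       # unauthenticated association
    trailer_off = frag_len - auth_len - SEC_TRAILER_LEN
    if trailer_off < HDR_LEN:
        raise ValueError("auth_length larger than PDU body")
    auth_type, auth_level, pad_len, _rsvd, ctx_id = struct.unpack_from(
        endian + "BBBBI", pdu, trailer_off)
    info.update(auth_type=AUTH_TYPE_NAMES.get(auth_type, str(auth_type)),
                auth_level=AUTH_LEVEL_NAMES.get(auth_level, str(auth_level)),
                auth_level_num=auth_level, auth_context_id=ctx_id,
                auth_pad_length=pad_len)
    return info


def alg_can_read_stub(pdu: bytes) -> bool:
    """True when stub data on this association stays in clear text, so an
    ALG could read the dynamic port from the Endpoint Mapper response."""
    return parse_pdu(pdu)["auth_level_num"] < 6


def build_bind(auth_level: int, auth_type: int = 10, call_id: int = 1) -> bytes:
    """Construct a minimal BIND to the Endpoint Mapper (EPM v3.0, NDR v2.0).
    The NTLMSSP token is a constructed placeholder, not a real NEGOTIATE."""
    body = struct.pack("<HHIB3x", 4280, 4280, 0, 1)     # frag sizes, assoc group, 1 context
    body += struct.pack("<HBB", 0, 1, 0)                # context 0, one transfer syntax
    body += EPM_UUID.bytes_le + struct.pack("<I", 3)    # abstract syntax: EPM v3.0
    body += NDR_UUID.bytes_le + struct.pack("<I", 2)    # transfer syntax: NDR v2.0
    token = b"NTLMSSP\x00" + b"\x01\x00\x00\x00" + b"\x00" * 20   # placeholder
    trailer = struct.pack("<BBBBI", auth_type, auth_level, 0, 0, 0)
    frag_len = HDR_LEN + len(body) + len(trailer) + len(token)
    hdr = struct.pack("<BBBBBBBBHHI", 5, 0, PTYPE_BIND, 0x03,   # FIRST|LAST frag
                      0x10, 0, 0, 0, frag_len, len(token), call_id)
    return hdr + body + trailer + token


if __name__ == "__main__":
    for level in (5, 6):
        info = parse_pdu(build_bind(level))
        readable = alg_can_read_stub(build_bind(level))
        print(f"{info['ptype']} auth {info['auth_type']}/{info['auth_level']}: "
              f"ALG can read EPM response = {readable}")
```

Run over a captured BIND (for example one exported from a packet capture as raw bytes), `parse_pdu` tells you which of the two cases in this article you are in: PKT_INTEGRITY means the ALG can follow the session, PKT_PRIVACY means the dynamic port range has to be opened explicitly.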
1. Use RPC methods that have the auth level set to "Packet integrity (5)", so the response packet is unencrypted.
2. If option 1 is not feasible, for RPC methods with auth level "Packet privacy (6)" to work, manually open the dynamic port range (49152-65535) with a firewall rule.