RE: SQLSERVE.EXE MSDE instance for ISA 2k4

  • From: "Roy Tsao" <roy_tsao@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 15 Dec 2004 23:23:35 +0800

Dear Dr. Shinder,

I believe you never RECOMMEND installing ISA on a DC, but
there is your article about how to install ISA on top of one:
http://www.isaserver.org/tutorials/Installing_ISA_Server_on_a_Domain_Controller.html

It is just a guide; that's why I said I followed that instruction,
right?

Roy 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Wednesday, December 15, 2004 11:16 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

Hi Roy,

I NEVER recommend compromising the ISA firewall by making it a DC, or
by running any other extraneous services on the ISA firewall.


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Wednesday, December 15, 2004 9:10 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

Dear Jim,

Noted yours with thanks. But I am still too much confused, or even
frustrated, by your reply, so let me re-confirm with you one by one:
1) Upgrade of the ISA2K4 instance: when I installed the SQL2000 full
   version, the wizard asked me whether to do a new installation of a
   new instance or an upgrade; then I could select upgrade of the
   existing instance called "isaserver/msfw", and it looks like the
   installation did upgrade that instance. Also, I can manage it
   through the "enterprise management tool" under full SQL2000.
   So I am wondering about "no in-place upgrade".
2) Even with the rule "allow traffic from internal to local ISA host",
   is there any risk for the SQL server at the ISA side? My
   understanding is that if a client within the internal network has
   the right access (qualified user/password information), they can
   access by such a rule, or if they can't supply such access
   privilege, the SQL server can decline the access. In this sense,
   no risk for such a rule.
   One more thing I want to confirm is that if an ISA rule blocks port
   1433 at the WAN NIC, does it mean all connections to the SQL server
   via the WAN interface can be blocked, although the SQL server
   listens on port 1433 at all NIC interfaces (0.0.0.0)?
3) "Merely firewall" means getting the full function of a firewall but
   only at the firewall, i.e. NAT, access control, port forwarding and
   content filtering like Surfcontrol; from this viewpoint, a simple
   hardware router can't fit the requirement. But I don't think we
   shall invest in one more server for the above functions. In fact,
   I did install a "DC" on the same server according to the advice of
   Dr. Thomas W Shinder published at www.isaserver.org; I want to
   stuff all the features into one box but with as little risk as
   possible.
Jim, I will surely thank you again for your comment on the above,
although it seems my question is somewhat stupid!

With regards,

Roy Tsao

P.S.: please also allow my poor English because it is not my native
language!

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Monday, December 13, 2004 1:08 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

1) ISA defaults to using MSDE, a scaled-down version of SQL; since
this instance (not a default) is heavily "tweaked" to make it as
secure as possible (and these tweaks will NOT be publicized),
"upgrading" to a full-on SQL product is actually several steps
backwards.
2) there is no in-place upgrade path for ISA MSDE to SQL.  I'll be
willing to bet that it isn't supported, either (anyone taking that
bet?)
3) by default, ISA blocks anything you don't specifically allow.
This isn't the case if/when you create a rule allowing "everything"
from internal to localhost.
4) "merely for firewall usage" reflects poor thinking.  If you
believe that your firewall is "merely", then you should just go get
yourself a DLink wireless firewall/router/bag-o-chips and be done
with it.  You should be thinking in terms of "attack surface
reduction", not "stuff as much on one box as I possibly can".

You undoubtedly have other machines in your environment; consider
using one of them for the SQL logging.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
 
 

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Saturday, December 11, 2004 10:07 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

Jim, 

Thanks a lot for your advice.

1) "Does it mean no SQL server available at the ISA2K4 server end in
terms of security concern?" reflects my wondering about "no
installation of SQL at the ISA2K4 server".

2) Sorry, I am not familiar with SQL server.
Firstly, I want to know whether, if I upgrade the instance, ISA2004 is
surely managed by SQL2000 or not, with no limitation on storage and
concurrent connections.

3) I duly note that the mechanism of the MSDE bundled with ISA2004 is
through memory-mapped networking, with no port listening at all.
However, after installation of SQL2000 server, does it help to prevent
vulnerabilities through port access (1433) by blocking with an ISA
access rule; in other words, what happens when SQL listens on 1433 on
all NIC interfaces and ISA2K4 blocks port 1433 connections?

4) The reason why I want to put SQL & ISA into one box is because there
is not enough budget to have two servers merely for firewall usage,
agree?

With regards,

Roy Tsao

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Sunday, December 12, 2004 1:49 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

Yes.
Really.

I'm not quite clear on this statement, though: "Does it means no SQL
server availabe at
ISA2K4 server end in terms of security concern"?

SBS2003 doesn't have ISA (yet) and when it does ship, co-location and
security concerns will be addressed by whole teams of folks that do
this for a living.

If you mean "is there a security concern with MSDE on ISA?", the
answer is "no".  The MSDE instance on ISA is not even listening to
the network.
All MSDE logging is done via memory-mapped networking, not physical
or logical devices.
With the default MSDE instance, unless the ISA itself is compromised,
you simply "can't get there from here".
You can't say the same for SQL, which listens on all available
adapters by default.

Combine this with the prevalence of "allow all because I'm too damn
lazy to understand my traffic profile" rules and you have the makings
of a Slammer-like virus victim.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
 
 
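The point Jim makes above (the ISA-bundled MSDE instance has no network listener, while a full SQL Server binds to every adapter by default) and Roy's earlier question (whether blocking 1433 on the WAN NIC is enough when SQL listens on 0.0.0.0) both come down to one check: what is the database engine actually bound to on the box? The following is an added example, not code from the thread or from any of the products discussed. It parses the column layout of Windows `netstat -ano` output and flags SQL Server sockets that a remote host could reach at the OS level; the two snapshots embedded in it are constructed for the example, as are the PIDs and addresses in them.

```python
import re
from dataclasses import dataclass
from typing import List

# SQL Server's default TCP listener and the UDP resolution service on 1434
# (the port Slammer abused). Constants chosen for this example.
SQL_PORTS = {("TCP", 1433), ("UDP", 1434)}

# One row of `netstat -ano` output. Regex assumes the Windows column layout:
# Proto, Local Address, Foreign Address, [State], PID.
_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    pid: int

    @property
    def scope(self) -> str:
        """How widely the socket is reachable, judged from its bind address."""
        if self.addr in ("0.0.0.0", "[::]"):
            return "all-adapters"
        if self.addr.startswith("127.") or self.addr == "[::1]":
            return "loopback-only"
        return "single-adapter"


def parse_netstat(text: str) -> List[Listener]:
    """Return the listening sockets from a `netstat -ano` dump."""
    found = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # banner, header or blank line
        proto, addr, port, _foreign, state, pid = m.groups()
        # UDP rows carry no state column; TCP rows must say LISTENING.
        if proto == "TCP" and state != "LISTENING":
            continue
        found.append(Listener(proto, addr, int(port), int(pid)))
    return found


def sql_exposure(text: str) -> List[Listener]:
    """SQL Server sockets that a remote host could reach at the OS level.

    A firewall rule on the WAN NIC changes nothing here: the socket is
    still bound, so any network the rule does not cover (for instance an
    allow-all internal-to-localhost rule) can still reach it.
    """
    return [
        l for l in parse_netstat(text)
        if (l.proto, l.port) in SQL_PORTS and l.scope != "loopback-only"
    ]


# Constructed snapshot: full SQL Server 2000 installed with defaults.
NETSTAT_SQL_DEFAULT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1688
  TCP    192.168.1.1:445        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.1:3389       192.168.1.50:50123     ESTABLISHED     1204
  UDP    0.0.0.0:1434           *:*                                    1688
"""

# Constructed snapshot: the database engine bound to loopback only, with
# the UDP resolution service not present.
NETSTAT_SQL_LOCAL = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       1688
  TCP    192.168.1.1:445        0.0.0.0:0              LISTENING       4
"""


def report(text: str) -> str:
    """Human-readable verdict for one netstat snapshot."""
    hits = sql_exposure(text)
    if not hits:
        return "OK: no SQL Server socket reachable from the network"
    return "\n".join(
        f"EXPOSED: {h.proto} {h.addr}:{h.port} pid={h.pid} ({h.scope})"
        for h in hits
    )


if __name__ == "__main__":
    print(report(NETSTAT_SQL_DEFAULT))
    print(report(NETSTAT_SQL_LOCAL))
```

The first snapshot reports both the 1433/TCP engine listener and the 1434/UDP resolution service as bound to all adapters, which is the state Jim describes; the second reports nothing, because a loopback-only binding is unreachable from any NIC regardless of firewall rules. The check answers the binding question only; it says nothing about which ISA rules apply to the sockets it finds.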

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Saturday, December 11, 2004 9:05 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

Oh... Really? Does it mean no SQL server available at the
ISA2K4 server end in terms of security concern?
Then what about SBS 2003 plus ISA2K4?
I think I can put it into one basket if the port could be blocked at
the firewall side, like I block access to the SQL Server from the WAN
side.
Moreover, I did upgrade the instance of ISA2K4; it works fine under
the full version of SQL2000. May I understand the log is still working
under MSDE I/O SQL2000?

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Sunday, December 12, 2004 12:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

No.
Bad.
Unsupported.

DO
NOT
REPLACE
MSDE
WITH
SQL
ON
THE
ISA
SERVER
ITSELF

If you want to replace MSDE with SQL logging, then do it off-box.
The MSDE that's shipped with ISA is "tweaked" to be as secure as
possible.
If you replace it, you open your ISA to potential SQL
vulnerabilities.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
 
 
-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Saturday, December 11, 2004 6:51 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

Sorry, the mail sent directly from my OE to the discussion list always
ends up with a mangled encoding.

To the question of the MSDE instance, my idea/suggestion for best
performance is:
  a) install ISA2K4 bundled with MSDE
  b) upgrade the SQL instance "server/msfw" into the full version
     of SQL 2000 through the SQL2000 server installation
  c) use the same instance for Surfcontrol. Both ISA2K4 and
     Surfcontrol are now being managed under SQL2000 server I/O MSDE.

Any comment?

-----Original Message-----
From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Saturday, December 11, 2004 10:24 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

Who here can read Roy Tsao's posts? All I see is gibberish characters
in his messages; can someone translate it??

Regards,
Andrew


-----Original Message-----
From: Mike Anderson [mailto:mike@xxxxxxxxxxxx]
Sent: Saturday, December 11, 2004 12:19 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

In cases like this, isn't it better to just run a dedicated instance
of SQL Server (if you got it) which resides on a separate box, OR
have a single instance of MSDE host both Databases?

If I remember correctly, MSDE is just a crippled version of SQL
Server 7.0 - in which concurrent connections are just limited.
Otherwise, it's pretty much the same animal.

In fact, since I have a dedicated super fast SQL Server on my
network, I was hoping to uninstall MSDE on the ISA Box, and redirect
all the Database activity to my SQL Server.  Can this be done -
anybody do this yet?

I don't mean to steal the fire away from your original post, but I
think this sort of parallels what I suggest doing, which goes back to
the question: "why have two instances of MSDE running?". Use the one
that is working better (the one with less memory consumption), and
host the database on that instance.

I am just throwing out ideas here...

Mike 

-----Original Message-----
From: Crockett, Gregory [mailto:Gregory.Crockett@xxxxxxxxx]
Sent: Friday, December 10, 2004 5:40 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

Anyone notice the MSDE instance for ISA 2k4 memory increase to over
1gb mem usage?  We host two instances of MSDE on the ISA2k4 machine,
one for Surf Control and the other for ISA2K4.  Surf Control instance
is stable, while the ISA 2k4 instance hogs a lot of memory.  Current
mem usage = 786,004k.  Wait, wait -- 786,012k , 786,528k and growing.


MSDE versions:          SurfControl = 8.00.761
                        ISA2k4      = 8.00.818

Server has 3gb memory
ISA2K4 version = trial

TIA

Have fun!

greg

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List
as: mike@xxxxxxxxxxxx
To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
