[isapros] Re: [ISAServer] DMZ to SQL

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Tue, 11 Jul 2006 19:25:39 -0500

Hi Amy,

Is the Network Rule set for Route or NAT between the DMZ and the
Internal Network?

Thanks!
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
> Sent: Tuesday, July 11, 2006 7:23 PM
> To: isaserver@xxxxxxxxxxxxxxx
> Subject: RE: [ISAServer] DMZ to SQL
> 
> Original Client IP    Client Agent    Authenticated Client    Service
> Server Name   Referring Server        Destination Host Name
> Transport     MIME Type       Object Source   Source Proxy
> Destination Proxy     Bidirectional   Client Host Name        Filter
> Information   Network Interface       Raw IP Header   Raw Payload
> Source Port   Processing Time Bytes Sent      Bytes Received  Result
> Code  HTTP Status Code        Cache Information       Error
> Information   Log Record Type Log Time        Destination IP
> Destination Port      Protocol        Action  Rule    Client IP
> Client Username       Source Network  Destination Network     
> HTTP Method
> URL
> 
> 10.0.0.10     -                       VM-SBS          -       TCP
> -     -               -               -       -       -       2058
> 0     0       0       0xc004000d FWX_E_POLICY_RULES_DENIED
> 0x0   0x0     Firewall        7/11/2006 3:42:05 PM    192.168.26.10
> 1433  Microsoft SQL (TCP)     Denied Connection       Default rule
> 10.0.0.10     -       DMZ     Internal                
> 
> I've got a DMZ to SQL rule that is supposed to allow the DMZ to
> communicate with the SQL server using the Microsoft SQL Server (TCP)
> protocol. I've tried specifying the SQL server by name, by IP, and just
> the Internal network; I've tried adding Microsoft SQL (TCP) and Microsoft
> SQL (UDP) to the allowed protocols in the rule. Nothing changes, I still
> get the log above.
> 
> Seems like if the web server is communicating on the network (it's a
> member server) and if I can ping from the web server all the way to the
> SQL server that this should be working. (sensing my frustration yet?) I
> added ICMP to the DMZ to SQL rule just to check my routing and DNS. ICMP
> uses the correct rule. The SQL protocol just blows by it.
> 
> I'll gather the rest of the info tomorrow. 
> 
> Thanks,
> 
> Amy
> 
> -----Original Message-----
> From: Jim Harrison (ISA) [mailto:Jim.Harrison@xxxxxxxxxxxxx] 
> Sent: Tuesday, July 11, 2006 7:53 PM
> To: isaserver@xxxxxxxxxxxxxxx
> Subject: RE: [ISAServer] DMZ to SQL
> 
> Dunno; got:
> - ISABPA
> - ISAInfo
> - logging excerpts
> ?
> Rule behavior is nearly impossible to evaluate without this data.
> 
> Jim Harrison
> SASD (ISA SE)
> If We Can't Fix It - It Ain't Broke!
> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
> Sent: Tuesday, July 11, 2006 4:10 PM
> To: isaserver@xxxxxxxxxxxxxxx
> Subject: [ISAServer] DMZ to SQL
> 
> I'm stumped. Working with a client to set up a DMZ for a web server.
> Sounds easy enough. The web server (in the DMZ) needs to talk to an SQL
> server on the Internal network. The web server can communicate DNS, ICMP
> and any domain communications protocols that I throw at it. It can even
> ping the SQL server and the SQL server can ping it.
> 
> But SQL Server protocol port 1433 blows right by my DMZ access rule and
> gets blocked by the default rule.
> 
> Is there something special about SQL? This is the first time I've tried
> to give access from DMZ to an SQL server.
> 
> Thanks,
> 
> Amy
> ---
> To subscribe to the list - send an email to list@xxxxxxxxxxxxxxx
> In the subject line put in JOIN isaserver@xxxxxxxxxxxxxxx,
> youremailaddress
> 
> To leave the list - send an email to list@xxxxxxxxxxxxxxx
> In the subject line put in LEAVE isaserver@xxxxxxxxxxxxxxx,
> youremailaddress
> 
> Don't forget the comma!

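As an added illustration (not code from the thread, from ISA Server, or from any of its authors), the following Python models how an ordered access-rule policy falls through to the catch-all Default rule as soon as any single element of the "DMZ to SQL" rule fails to match the connection shown in the quoted log; the rule model, the field names and the mistyped computer object 192.168.26.11 are constructed assumptions, not ISA's real API or Amy's actual configuration.

```python
from dataclasses import dataclass, field

# Connection details taken from the log record quoted in the thread.
LOGGED_CONN = {"src_net": "DMZ", "dst_net": "Internal",
               "dst_ip": "192.168.26.10", "proto": "TCP", "dport": 1433}

@dataclass
class Rule:
    """Constructed model of an ordered ISA-style access rule (not ISA's real API)."""
    name: str
    action: str                 # "Allow" or "Deny"
    from_nets: set              # source network names; "*" = any
    to_nets: set                # destination network names; "*" = any
    to_hosts: set = field(default_factory=set)   # computer objects (IPs); empty = any host
    protocols: set = field(default_factory=set)  # (transport, port) pairs; empty = all

# The catch-all deny that sits at the bottom of every policy.
DEFAULT_RULE = Rule("Default rule", "Deny", {"*"}, {"*"})

def match_failures(rule, conn):
    """List the rule elements that do NOT match this connection (empty = full match)."""
    fails = []
    if "*" not in rule.from_nets and conn["src_net"] not in rule.from_nets:
        fails.append("source network")
    if "*" not in rule.to_nets and conn["dst_net"] not in rule.to_nets:
        fails.append("destination network")
    if rule.to_hosts and conn["dst_ip"] not in rule.to_hosts:
        fails.append("destination host")
    if rule.protocols and (conn["proto"], conn["dport"]) not in rule.protocols:
        fails.append("protocol")
    return fails

def evaluate(policy, conn):
    """First rule in order whose every element matches decides; else the Default rule."""
    for rule in policy:
        if not match_failures(rule, conn):
            return rule
    return DEFAULT_RULE

def explain(policy, conn):
    """Decision plus, when the Default rule fired, which element of each Allow rule missed."""
    decided = evaluate(policy, conn)
    misses = {}
    if decided is DEFAULT_RULE:
        misses = {r.name: match_failures(r, conn) for r in policy if r.action == "Allow"}
    return {"rule": decided.name, "action": decided.action, "near_misses": misses}

# Constructed policies: the SQL rule aimed at a mistyped computer object, then corrected.
MISTYPED = [Rule("DMZ to SQL", "Allow", {"DMZ"}, {"Internal"}, {"192.168.26.11"}, {("TCP", 1433)})]
CORRECTED = [Rule("DMZ to SQL", "Allow", {"DMZ"}, {"Internal"}, {"192.168.26.10"}, {("TCP", 1433)})]
```

Running explain(MISTYPED, LOGGED_CONN) reports the Default rule denying with "destination host" as the only near miss, which is the kind of single-element mismatch to look for when a "Denied Connection / Default rule" line appears for traffic an earlier rule was meant to allow.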