[isapros] Re: [ISAServer] DMZ to SQL

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Tue, 11 Jul 2006 19:36:40 -0500

It should be route if you want to use an Access Rule, but you should
just bag the DMZ -->SQL Network Rule.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> Sent: Tuesday, July 11, 2006 7:29 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: [ISAServer] DMZ to SQL
> 
> It's NAT. Source DMZ. Destination SQL server. Should it be route?
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Tuesday, July 11, 2006 8:26 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: [ISAServer] DMZ to SQL
> 
> Hi Amy,
> 
> Is the Network Rule set for Route or NAT between the DMZ and the
> Internal Network?
> 
> Thanks!
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
>  
> 
> > -----Original Message-----
> > From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
> > Sent: Tuesday, July 11, 2006 7:23 PM
> > To: isaserver@xxxxxxxxxxxxxxx
> > Subject: RE: [ISAServer] DMZ to SQL
> > 
> > Log record (key fields; empty columns omitted):
> > 
> > Original Client IP: 10.0.0.10
> > Server Name: VM-SBS
> > Transport: TCP
> > Source Port: 2058
> > Result Code: 0xc004000d FWX_E_POLICY_RULES_DENIED
> > HTTP Status Code: 0x0
> > Cache Information: 0x0
> > Log Record Type: Firewall
> > Log Time: 7/11/2006 3:42:05 PM
> > Destination IP: 192.168.26.10
> > Destination Port: 1433
> > Protocol: Microsoft SQL (TCP)
> > Action: Denied Connection
> > Rule: Default rule
> > Client IP: 10.0.0.10
> > Source Network: DMZ
> > Destination Network: Internal
> > 
> > I've got a DMZ to SQL rule that is supposed to allow the DMZ to
> > communicate with the SQL server using Microsoft SQL Server (TCP)
> > protocol. I've tried specifying the sql server by name, by IP, just
> > Internal network, I've tried adding Microsoft SQL (TCP) and Microsoft
> > SQL (UDP) to the allowed protocols in the rule. Nothing changes, I still
> > get the log above.
> > 
> > Seems like if the web server is communicating on the network (it's a
> > member server) and if I can ping from the web server all the way to the
> > SQL server that this should be working. (sensing my frustration yet?) I
> > added ICMP to the DMZ to SQL rule just to check my routing and DNS. ICMP
> > uses the correct rule. The SQL protocol just blows by it.
> > 
> > I'll gather the rest of the info tomorrow. 
> > 
> > Thanks,
> > 
> > Amy
> > 
> > -----Original Message-----
> > From: Jim Harrison (ISA) [mailto:Jim.Harrison@xxxxxxxxxxxxx] 
> > Sent: Tuesday, July 11, 2006 7:53 PM
> > To: isaserver@xxxxxxxxxxxxxxx
> > Subject: RE: [ISAServer] DMZ to SQL
> > 
> > Dunno; got:
> > - ISABPA
> > - ISAInfo
> > - logging excerpts
> > ?
> > Rule behavior is nearly impossible to evaluate without this data.
> > 
> > Jim Harrison
> > SASD (ISA SE)
> > If We Can't Fix It - It Ain't Broke!
> > -----Original Message-----
> > From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
> > Sent: Tuesday, July 11, 2006 4:10 PM
> > To: isaserver@xxxxxxxxxxxxxxx
> > Subject: [ISAServer] DMZ to SQL
> > 
> > I'm stumped. Working with a client to set up a DMZ for a web server.
> > Sounds easy enough. The web server (in the DMZ) needs to talk to an SQL
> > server on the Internal network. The web server can communicate DNS, ICMP
> > and any domain communications protocols that I throw at it. It can even
> > ping the SQL server and the SQL server can ping it.
> > 
> > But SQL Server protocol port 1433 blows right by my DMZ access rule and
> > gets blocked by the default rule.
> > 
> > Is there something special about SQL? This is the first time I've tried
> > to give access from DMZ to an SQL server.
> > 
> > Thanks,
> > 
> > Amy
> > ---
> > To subscribe to the list - send an email to list@xxxxxxxxxxxxxxx
> > In the subject line put in JOIN isaserver@xxxxxxxxxxxxxxx,
> > youremailaddress
> > 
> > To leave the list - send an email to list@xxxxxxxxxxxxxxx
> > In the subject line put in LEAVE isaserver@xxxxxxxxxxxxxxx,
> > youremailaddress
> > 
> > Don't forget the comma!

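Added example (not part of the thread, not ISA Server's own code): a small parser for a firewall-log excerpt like the one Amy posted, which pulls out the records dropped by the catch-all "Default rule" and reports the source/destination network pair so you know which network rule (Route vs NAT) and access rule to look at. The sample header and records are constructed and reduced to a few columns; the tab-separated layout is an assumption.

```python
"""Find 'Default rule' denials in an ISA firewall-log excerpt and say why.

Constructed sample modelled on the thread's record (SQL from DMZ to Internal
denied) plus one allowed ICMP record. Tab-separated layout is an assumption.
"""
import csv
import io

# Constructed sample: header line plus two records, tab-separated.
SAMPLE_LOG = (
    "Original Client IP\tServer Name\tTransport\tSource Port\tResult Code\t"
    "Log Record Type\tLog Time\tDestination IP\tDestination Port\tProtocol\t"
    "Action\tRule\tClient IP\tSource Network\tDestination Network\n"
    "10.0.0.10\tVM-SBS\tTCP\t2058\t0xc004000d FWX_E_POLICY_RULES_DENIED\t"
    "Firewall\t7/11/2006 3:42:05 PM\t192.168.26.10\t1433\tMicrosoft SQL (TCP)\t"
    "Denied Connection\tDefault rule\t10.0.0.10\tDMZ\tInternal\n"
    "10.0.0.10\tVM-SBS\tICMP\t0\t0x0\t"
    "Firewall\t7/11/2006 3:42:09 PM\t192.168.26.10\t8\tPing\t"
    "Initiated Connection\tDMZ to SQL\t10.0.0.10\tDMZ\tInternal\n"
)


def parse_log(text):
    """Return one dict per record, keyed by the column names in the header."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return [dict(row) for row in reader]


def default_rule_denials(records):
    """Records the catch-all 'Default rule' dropped: no access rule matched them."""
    return [r for r in records
            if r["Action"] == "Denied Connection" and r["Rule"] == "Default rule"]


def explain(record):
    """One-line diagnosis for a Default-rule denial record."""
    src_net, dst_net = record["Source Network"], record["Destination Network"]
    return (f"{record['Client IP']}:{record['Source Port']} -> "
            f"{record['Destination IP']}:{record['Destination Port']} "
            f"({record['Protocol']}, {record['Result Code']}) from {src_net} "
            f"to {dst_net} hit the Default rule: no access rule matched; check "
            f"the {src_net}->{dst_net} network rule (Route vs NAT) and the "
            f"access rule's protocol and destination.")


if __name__ == "__main__":
    for rec in default_rule_denials(parse_log(SAMPLE_LOG)):
        print(explain(rec))
```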