Sunday, February 19, 2012

Firewall between Web Server and SQL Server

Hello everyone,
I've set up a web server in the DMZ and it interacts with a SQL server on the
inside of the firewall.
The problem is when I want to apply access control lists to the firewall,
the web server can't communicate with the SQL server for some reason.
I've enabled ports 1433, 135, 139... and when I apply the rule, and type the
website in the browser, I get a message that says SQL server not found...
etc...
Does anyone have any experience in this kind of situation?
Any help would be greatly appreciated.
Ali
Ali (amiralisetoudeh@.hotmail.com) writes:
> I've set up a web server in the DMZ and it interacts with a SQL server on
> the inside of the firewall.
> The problem is when I want to apply access control lists to the firewall,
> the web server can't communicate with the SQL server for some reason.
> I've enabled ports 1433, 135, 139... and when I apply the rule, and type
> the website in the browser, I get a message that says SQL server not
> found... etc...
> Does anyone have any experience in this kind of situation?
Ports 135 and 139? Do you really need them? Those are ports I would keep
closed in a firewall.
As for SQL Server not being found, the obvious things to check are:
o Is SQL Server listening on port 1433? (If it's a named instance,
typically it does not.)
o Is the server name resolvable? Would it work if you use the IP address?
o What does the connection string in the application look like?
o Try connecting from SQLCMD or OSQL on the web server, to see if that
works.
Erland Sommarskog, SQL Server MVP, esquel@.sommarskog.se
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/pr...oads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodin...ions/books.mspx
Again, thanks for the reply Erland.
I guess 135 and 139 aren't needed as I removed them from the firewall rules.
The problem in a more detailed explanation was:
I enabled a firewall rule to have the web server, which is in the DMZ, talk
with the SQL server, which is inside. I enabled only SQL services to pass
through. And this configuration was working fine.
Over the weekend they called me saying the website was down and they had to
allow all traffic in the firewall rule. They explained that for some reason ODBC
logging got enabled in IIS and it couldn't communicate with the SQL server over
the port it communicates on...
I'm still trying to monitor the network and see if it'll happen again...
hopefully not.
Ali
"Erland Sommarskog" <esquel@.sommarskog.se> wrote in message
news:Xns9905DF2A140C6Yazorman@.127.0.0.1...
> Ali (amiralisetoudeh@.hotmail.com) writes:
> Ports 135 and 139? Do you really need them? Those are ports I would keep
> closed in a firewall.
> As for SQL Server not being found, the obvious things to check are:
> o Is SQL Server listening on port 1433? (If it's a named instance,
> typically it does not.)
> o Is the server name resolvable? Would it work if you use the IP address?
> o What does the connection string in the application look like?
> o Try connecting from SQLCMD or OSQL on the web server, to see if that
> works.
>
> --
> Erland Sommarskog, SQL Server MVP, esquel@.sommarskog.se
> Books Online for SQL Server 2005 at
> http://www.microsoft.com/technet/pr...oads/books.mspx
> Books Online for SQL Server 2000 at
> http://www.microsoft.com/sql/prodin...ions/books.mspx
Ali (amiralisetoudeh@.hotmail.com) writes:
> Over the weekend they called me saying the website was down and they had
> to allow all traffic in the firewall rule. They explained for some
> reason ODBC logging got enabled in IIS and couldn't communicate with the
> SQL server over the port it communicates...
ODBC logging generates a lot of output and takes lots of resources. Not
that I see how it could affect the firewall, but maybe it was the general
load that caused problems together with the firewall.
Erland Sommarskog, SQL Server MVP, esquel@.sommarskog.se
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/pr...oads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodin...ions/books.mspx
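Erland's checklist in his first reply (is the instance really on 1433, does the name resolve, what does the connection string say) turned into an added Python diagnostic; this is example code, not part of the original thread. It parses the SQL Server Browser (SSRP, UDP/1434) answer that tells a client which TCP port each instance actually listens on, and derives the minimal DMZ-to-inside firewall rules from it. The host name DBSRV01, the instance name WEBAPP and port 49201 are constructed sample values.

```python
import socket
import struct

SSRP_PORT = 1434         # UDP: SQL Server Browser, the service that locates named instances
CLNT_UCAST_EX = b"\x03"  # SSRP request meaning "list every instance on this host"

# Constructed sample SVR_RESP: a default instance on 1433 and a named instance on 49201.
SAMPLE_BODY = (b"ServerName;DBSRV01;InstanceName;MSSQLSERVER;Version;9.00.3042.00;tcp;1433;;"
               b"ServerName;DBSRV01;InstanceName;WEBAPP;Version;9.00.3042.00;tcp;49201;;")
SAMPLE_RESPONSE = b"\x05" + struct.pack("<H", len(SAMPLE_BODY)) + SAMPLE_BODY

def parse_ssrp_response(data: bytes) -> dict:
    """SVR_RESP is 0x05, a little-endian u16 length, then ';'-separated key/value
    pairs with one instance per ';;'-terminated record. Returns {instance: {key: value}}."""
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not an SSRP server response")
    (size,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + size].decode("ascii", errors="replace")
    instances = {}
    for record in body.split(";;"):
        fields = record.strip(";").split(";")
        kv = dict(zip(fields[0::2], fields[1::2]))
        if "InstanceName" in kv:
            instances[kv["InstanceName"]] = kv
    return instances

def discover_instances(host: str, timeout: float = 2.0) -> dict:
    """What a client does for 'host\\INSTANCE': ask the Browser service (UDP/1434)
    which TCP port each instance really listens on. Named instances rarely use 1433."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        data, _ = s.recvfrom(65535)
    return parse_ssrp_response(data)

def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """The SQLCMD-style check from the web server: does the instance's TCP port answer?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def firewall_rules_for(instances: dict, instance: str, pin_port: bool = True) -> list:
    """Minimal DMZ -> inside rules: the instance's own TCP port, plus UDP/1434 only if
    the connection string names the instance instead of pinning 'Server=host,port'."""
    rules = [("tcp", int(instances[instance]["tcp"]))]
    if not pin_port:
        rules.append(("udp", SSRP_PORT))
    return rules
```

Run `discover_instances("DBSRV01")` from the web server itself: if the UDP query times out but the instance's TCP port answers, pin that port in the connection string and the Browser rule is not needed at all.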
