Friday, 24 February 2012

Firewall ports to open

We're setting up an IIS server in a DMZ but it needs to communicate with a
SQL server on the LAN through the NetScreen firewall. I've opened up all
ports in test and using Enterprise Manager & Query Analyser, the following
ports are used:
UDP 1434
TCP 9127
Now I've seen lots of mentions to 1434 (not sure it should be UDP but there
you go) but is TCP 9127 also needed?
Thanks, Rob.

PS. Also noticed TCP 1433 as well so the list so far:
UDP: 1434
TCP: 9127, 1433
"Rob Nicholson" <informed@.community.nospam> wrote in message
news:egK0lfc6EHA.2876@.TK2MSFTNGP12.phx.gbl...
> We're setting up an IIS server in a DMZ but it needs to communicate with a
> SQL server on the LAN through the NetScreen firewall. I've opened up all
> ports in test and using Enterprise Manager & Query Analyser, the following
> ports are used:
> UDP 1434
> TCP 9127
> Now I've seen lots of mentions to 1434 (not sure it should be UDP but there
> you go) but is TCP 9127 also needed?
> Thanks, Rob.

Hi
Check out
http://support.microsoft.com/defaul...kb;en-us;287932
John
"Rob Nicholson" <informed@.community.nospam> wrote in message
news:OEYY2gc6EHA.1564@.TK2MSFTNGP09.phx.gbl...
> PS. Also noticed TCP 1433 as well so the list so far:
> UDP: 1434
> TCP: 9127, 1433
> "Rob Nicholson" <informed@.community.nospam> wrote in message
> news:egK0lfc6EHA.2876@.TK2MSFTNGP12.phx.gbl...

Hello Rob,
To communicate with a SQL server through the NetScreen firewall, you need to
configure the firewall: you must allow traffic from *ANY* to 1433, and from
1433 to *ANY*, where *ANY* is a port greater than 1024.
*ANY* -> 1433
1433 -> *ANY*
The firewall software should allow this dynamic allocation to occur through
the use of rules. If it does, you can configure 1433 -> *ANY* established;
this will dynamically open the response port after a SYN followed by a
SYN/ACK by way of stateful packet inspection.
There is no way to limit the number of source TCP ports used for a SQL
Server client to connect; this would defeat the purpose of having the
client allocate a new, unused dynamic port. This is a TCP/IP standard that
is defined for Winsock applications; this is not a limitation of SQL Server
client communication.
If you want, you can use the firewall to allow connections to the SQL server
only from the IIS server. You need to enable the TCP/IP protocol on both the
server and client side.
In addition, a named instance of SQL Server 2000 will use a dynamic
destination port by default. This port should be changed to a fixed port
prior to configuring the firewall. The SQL Server Network Utility should be
used to configure the destination port. See SQL Server Books Online for
information on how to use the SQL Server Network Utility.
You can refer to the following article regarding how to find the SQL Server
instance port number:
INF: How to Connect to an SQL Server 2000 Named Instance with the Previous
Version's Client Tools (265808)
http://support.microsoft.com/defaul...KB;EN-US;265808
Otherwise, the client computer would need to open a random UDP port and the
server UDP port 1434 will be used to send the instance name, and if the
instance is clustered, the version of the SQL instance, the TCP port number
that the instance is listening on, and the named pipe that the instance is
using. However, if the goal is to minimize the number of ports open on the
firewall, a static port number should be chosen for the default instance
and any named instance. The client computers would need to be configured to
connect to a particular ServerName or ServerName instance and specific port
number.
When SQLMail is started on a SQL Server, a DLL responsible for this creates
a socket and listens for connections. SQL Enterprise Manager will
periodically connect to this socket and read a DWORD (32-bit) value returned
from the server. This value determines the state of SQLMail. By default the
port which SQLMail uses is 9127.
I hope the above information is helpful.
Sophie Guo
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
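The answer above makes two points worth seeing in code: the UDP 1434 exchange is how a client learns which TCP port a named instance listens on (so that port can be pinned and the UDP rule dropped), and the "1433 -> *ANY* established" rule only works because the firewall tracks which client port opened the session. The following Python is an added example written for this page; it is not code from the thread, from Microsoft, or from any NetScreen product. It parses a SQL Server Resolution Protocol reply in the layout documented in the MS-SQLR specification (0x05, little-endian length, then semicolon-separated key/value pairs ending in ";;"), derives the minimal port set the firewall must allow with and without a pinned static port, and models the stateful rule as a small filter. All host names, addresses, ports and the reply itself are constructed sample values.

```python
# Added example (not from the original thread or from Microsoft): parse a
# SQL Server Resolution Protocol (SSRP) reply, which is what a SQL Server 2000
# instance sends back from UDP 1434, to learn the TCP port the instance
# listens on, then model the "ANY -> port" / "port -> ANY established" policy
# the reply implies. Host names, addresses and ports are constructed.
import struct
from typing import Dict, List, Set, Tuple

EPHEMERAL_MIN = 1025  # "*ANY* is a port greater than 1024"


def build_sample_reply() -> bytes:
    """Constructed SSRP SVR_RESP for a named instance (layout as in MS-SQLR:
    one byte 0x05, little-endian uint16 length, then 'key;value;...;;')."""
    body = (b"ServerName;SQLLAN01;InstanceName;WEB;IsClustered;No;"
            b"Version;8.00.760;tcp;1433;"
            b"np;\\\\SQLLAN01\\pipe\\MSSQL$WEB\\sql\\query;;")
    return b"\x05" + struct.pack("<H", len(body)) + body


def parse_ssrp_reply(data: bytes) -> List[Dict[str, str]]:
    """Return one dict per advertised instance; rejects anything that is not
    an SVR_RESP or whose length field does not match the payload."""
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not an SSRP SVR_RESP")
    (length,) = struct.unpack_from("<H", data, 1)
    if len(data) - 3 < length:
        raise ValueError("truncated SSRP reply")
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for entry in body.split(";;"):      # each instance entry ends in ";;"
        if not entry:
            continue
        fields = entry.split(";")
        if len(fields) % 2:
            raise ValueError("odd number of fields in instance entry")
        instances.append(dict(zip(fields[::2], fields[1::2])))
    return instances


def required_firewall_ports(instances: List[Dict[str, str]],
                            pin_static_port: bool = True) -> Set[Tuple[str, int]]:
    """Ports the DMZ host needs towards the SQL host. With a static port
    pinned in the Network Utility and the client told that port, only the
    TCP listener is needed; otherwise UDP 1434 discovery must be allowed too."""
    ports = {("tcp", int(inst["tcp"])) for inst in instances}
    if not pin_static_port:
        ports.add(("udp", 1434))
    return ports


class StatefulFilter:
    """Minimal model of 'ANY -> 1433' plus '1433 -> ANY established':
    the server may only answer sessions the IIS host opened first."""

    def __init__(self, client_ip: str, server_ip: str, server_port: int):
        self.client_ip, self.server_ip, self.server_port = client_ip, server_ip, server_port
        self.sessions: Set[Tuple[str, int]] = set()  # (client ip, client port)

    def check(self, proto: str, src_ip: str, src_port: int,
              dst_ip: str, dst_port: int, flags: str = "") -> bool:
        if proto != "tcp":
            return False  # nothing but the pinned TCP listener is permitted
        # Forward direction: DMZ host, ephemeral source, pinned destination.
        if (src_ip, dst_ip, dst_port) == (self.client_ip, self.server_ip, self.server_port):
            if src_port < EPHEMERAL_MIN:
                return False
            if "S" in flags and "A" not in flags:
                self.sessions.add((src_ip, src_port))  # a SYN opens state
            return (src_ip, src_port) in self.sessions
        # Return direction: only towards a client port that already has state.
        if (src_ip, src_port, dst_ip) == (self.server_ip, self.server_port, self.client_ip):
            return (dst_ip, dst_port) in self.sessions
        return False


if __name__ == "__main__":
    instances = parse_ssrp_reply(build_sample_reply())
    print(instances[0]["InstanceName"], "listens on tcp", instances[0]["tcp"])
    print("pinned:", required_firewall_ports(instances))
    print("unpinned:", required_firewall_ports(instances, pin_static_port=False))
    fw = StatefulFilter("10.10.1.10", "192.168.1.20", int(instances[0]["tcp"]))
    print(fw.check("tcp", "10.10.1.10", 50000, "192.168.1.20", 1433, "S"))   # True
    print(fw.check("tcp", "192.168.1.20", 1433, "10.10.1.10", 50000, "SA"))  # True
    print(fw.check("tcp", "192.168.1.20", 1433, "10.10.1.10", 50001, "S"))   # False
```

The last three calls show the point of "established": the SYN/ACK back to port 50000 is accepted only because the IIS host's SYN created state for that port, while a packet from 1433 to a port with no session is dropped even though it matches "1433 -> *ANY*" on its face. The port set function reflects the answer's advice that once the instance port is fixed in the Network Utility and the client is told that port, the UDP 1434 rule is no longer needed.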
