
Re: [FW-1] Broken connections with SQLServer through NAT



Guri,

1)  Is your web site using COM objects to access the database?
2)  If so, then are they "transaction based"?

If the answers to 1 & 2 are yes then you should look to setting the DCOM
port range on the SQL Server to a known value so that a correct &
appropriate ruleset can be applied for this communication.

Registry key and values needed:
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]
      "Ports"=hex(7):31,30,30,30,30,2d,31,30,31,30,30,00,00
      "PortsInternetAvailable"="Y"
      "UseInternetPorts"="Y"

The ports entry shown here is 10000-10100/tcp but you can set it to what
you want.

I would also suggest using a static NAT for the internal side of the Web
Server for this type of communication.

Your ruleset would then look something like:

Source      Destination Service
Web Server   SQL Server   1433/tcp (default SQL tcp port)
                          135/tcp (RPC port)
                          10000-10100/tcp (your DCOM port range)

SQL Server   Web Server   135/tcp (RPC port)
                          10000-10100/tcp (your DCOM port range)

Regards,

Ken...
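
As an added example (not part of Ken's reply or of any Check Point or Microsoft documentation), a small Python check that decodes the hex(7) REG_MULTI_SZ "Ports" value from a .reg fragment like the one above, confirms that both flags are "Y", sanity-checks the range, and lists the services the ruleset must carry in each direction. The 1024 lower bound on the range is an assumption of this check, not something the reply states.

```python
import re

# Registry fragment exactly as posted in the reply above (constructed copy for this example).
REG_FRAGMENT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]
"Ports"=hex(7):31,30,30,30,30,2d,31,30,31,30,30,00,00
"PortsInternetAvailable"="Y"
"UseInternetPorts"="Y"
'''


def parse_reg_fragment(text):
    """Return {name: value}; REG_MULTI_SZ (hex(7)) values become a list of strings."""
    values = {}
    for line in text.splitlines():
        m = re.match(r'^"([^"]+)"=(.*)$', line.strip())
        if not m:
            continue  # key header or blank line
        name, raw = m.groups()
        if raw.startswith('hex(7):'):
            data = bytes(int(b, 16) for b in raw[len('hex(7):'):].split(','))
            # REGEDIT4 exports (as above) are single-byte ANSI; Version 5.00 exports
            # are UTF-16LE, recognisable by a zero high byte on every character.
            enc = 'utf-16-le' if len(data) % 2 == 0 and not any(data[1::2]) else 'latin-1'
            values[name] = [s for s in data.decode(enc).split('\0') if s]
        else:
            values[name] = raw.strip('"')
    return values


def validate_rpc_internet(values):
    """Return a list of problems; empty means RPC is pinned to the listed ports."""
    problems = []
    for flag in ('UseInternetPorts', 'PortsInternetAvailable'):
        if values.get(flag) != 'Y':
            problems.append(f'{flag} must be "Y" for the Ports list to take effect')
    for entry in values.get('Ports', []) or ['<missing>']:
        m = re.fullmatch(r'(\d+)(?:-(\d+))?', entry)
        if not m:
            problems.append(f'Ports entry {entry!r} is not of the form N or N-M')
            continue
        low, high = int(m.group(1)), int(m.group(2) or m.group(1))
        # Assumption of this check: stay above the well-known ports and in order.
        if not 1024 <= low <= high <= 65535:
            problems.append(f'Ports entry {entry!r} is out of range or reversed')
    return problems


def dcom_services(values):
    """Services both directions need per the ruleset above: the RPC endpoint mapper
    plus the pinned DCOM range (1433/tcp web server -> SQL Server is added separately)."""
    return ['135/tcp'] + [f'{p}/tcp' for p in values.get('Ports', [])]
```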


**********************************************************************************************
hi,

look at the drops between your web-server and the sql-server and open the
required ports.

cheers
reinhard

At 12:44 16.10.2003, you wrote:
>Hello Everybody,
>
>I need help.
>
>AA.
>We have a FW-1 FP-3 on Win2k running fine. We have a Win2k Server (Global
>IP - static NAT, Workgroup) on the DMZ which is required to connect to a
>database server (Win SQLServer 2K) on the Internal Net (Hide NAT). The
>connection process is as follows:
>External (Internet)------->
>FW------>WebServer(DMZ)------>FW------>Database Server(Internal) and back.
>
>BB.
>If the relevant rules are as follows, everything runs absolutely fine and
>there is no problem
>
>1. Any    Webserver    any    http/https    accept    log
>2. Webserver    Internal    any    any    accept    log
>
>CC.
>I do not want to allow all services from the WebServer(DMZ) to the
>Internal Net for obvious reasons. Rule 1 is OK. In Rule 2, I have tried to
>restrict the services to microsoft-ds instead of 'any'. Immediately
>thereafter connections to the Webserver are lost.
>
>I would be grateful for any help.
>Thanks in advance.
>
>Guri
>
