Re: [FW-1] Broken connections with SQLServer through NAT
Guri,

1) Is your web site using COM objects to access the database?
2) If so, then are they "transaction based"?

If the answers to 1 & 2 are yes then you should look to setting the DCOM port range on the SQL Server to a known value so that a correct & appropriate ruleset can be applied for this communication.

Registry key and values needed:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]
"Ports"=hex(7):31,30,30,30,30,2d,31,30,31,30,30,00,00
"PortsInternetAvailable"="Y"
"UseInternetPorts"="Y"

The ports entry shown here is 10000-10100/tcp but you can set it to what you want.

I would also suggest using a static NAT for the internal side of the Web Server for this type of communication. Your ruleset would then look something like:

Source        Destination   Service
Web Server    SQL Server    1433/tcp (default SQL tcp port)
                            135/tcp (RPC port)
                            10000-10100/tcp (your DCOM port range)
SQL Server    Web Server    135/tcp (RPC port)
                            10000-10100/tcp (your DCOM port range)

Regards,
Ken...

**********************************************************************************************

Hi,

Look at the drops between your web server and the SQL server and open the required ports.

Cheers,
Reinhard

At 12:44 16.10.2003, you wrote:
>Hello Everybody,
>
>I need help.
>
>AA.
>We have a FW-1 FP-3 on Win2k running fine. We have a Win2k Server (Global
>IP - static NAT, Workgroup) on the DMZ which is required to connect to a
>database server (Win SQLServer 2K) on the Internal Net (Hide NAT). The
>connection process is as follows:
>External (Internet)------->
>FW------>WebServer(DMZ)------>FW------>Database Server(Internal) and back.
>
>BB.
>If the relevant rules are as follows, everything runs absolutely fine and
>there is no problem:
>
>1. Any Webserver any http/https accept log
>2. Webserver Internal any any accept log
>
>CC.
>I do not want to allow all services from the WebServer (DMZ) to the
>Internal Net for obvious reasons. Rule 1 is OK. In Rule 2, I have tried to
>restrict the services to microsoft-ds instead of 'any'. Immediately
>thereafter connections to the Webserver are lost.
>
>I would be grateful for any help.
>Thanks in advance.
>
>Guri
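The "Ports" value in Ken's registry fragment is a REG_MULTI_SZ written in .reg "hex(7)" form, which is easy to get wrong by hand (each string is NUL-terminated and the whole list ends with a second NUL). The following script is an added example, not code from the thread or from Check Point or Microsoft: it decodes Ken's bytes back to "10000-10100", encodes an arbitrary list of port entries the same way, checks that each entry is a sane 1-65535 port or range, and emits the three-value fragment for the Rpc\Internet key. It assumes the REGEDIT4 (ANSI, one byte per character) encoding that Ken's bytes use; a "Windows Registry Editor Version 5.00" file stores REG_MULTI_SZ as UTF-16LE, which this does not handle.

```python
"""Encode/decode the REG_MULTI_SZ ("hex(7)") value for the RPC/DCOM
'Ports' setting and build a checked .reg fragment for a port range.

Added example for the FW-1 thread; not from the original post.
Assumes REGEDIT4-style ANSI encoding (one byte per character).
"""
from __future__ import annotations

import re

# Key from Ken's message; the three value names are the ones he lists.
RPC_INTERNET_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet"

# A port entry is a single port ("135") or an inclusive range ("10000-10100").
_PORT_ENTRY_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def decode_multi_sz(hex7: str) -> list[str]:
    """Turn '31,30,...,00,00' (the bytes after 'hex(7):') into its strings."""
    data = bytes(int(b, 16) for b in hex7.replace(" ", "").split(","))
    if len(data) < 2 or not data.endswith(b"\x00\x00"):
        raise ValueError("REG_MULTI_SZ must end with a double NUL")
    # Drop the list terminator, then split on the per-string NULs.
    return [s.decode("ascii") for s in data[:-2].split(b"\x00")]


def encode_multi_sz(entries: list[str]) -> str:
    """Inverse of decode_multi_sz: NUL after each string, extra NUL at the end."""
    if not entries:
        raise ValueError("need at least one entry")
    data = b"".join(e.encode("ascii") + b"\x00" for e in entries) + b"\x00"
    return ",".join(f"{b:02x}" for b in data)


def check_port_entry(entry: str) -> tuple[int, int]:
    """Return (low, high) for a valid entry, or raise ValueError."""
    m = _PORT_ENTRY_RE.match(entry)
    if not m:
        raise ValueError(f"bad port entry {entry!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"port entry {entry!r} is not within 1-65535")
    return low, high


def is_valid_port_entry(entry: str) -> bool:
    try:
        check_port_entry(entry)
        return True
    except ValueError:
        return False


def rpc_ports_reg_fragment(entries: list[str]) -> str:
    """Build the [Rpc\\Internet] fragment Ken shows, for any checked port list."""
    for e in entries:
        check_port_entry(e)
    return "\n".join([
        f"[{RPC_INTERNET_KEY}]",
        f'"Ports"=hex(7):{encode_multi_sz(entries)}',
        '"PortsInternetAvailable"="Y"',
        '"UseInternetPorts"="Y"',
    ])


if __name__ == "__main__":
    # Ken's value, as posted: decodes to the 10000-10100 range he describes.
    print(decode_multi_sz("31,30,30,30,30,2d,31,30,31,30,30,00,00"))
    print(rpc_ports_reg_fragment(["10000-10100"]))
```

Run it to confirm the fragment matches Ken's bytes, then use the same range (plus 135/tcp for the endpoint mapper and 1433/tcp for SQL) in the firewall rules; whatever the `decode_multi_sz` output says is the range the server will actually use, so it is also the range to check the FW-1 drop log against.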