jon3k
Starting Member
49 Posts
Posted - 2004-01-29 : 16:23:25

I've got some connectivity problems here. I've got a SQL server in a DMZ and a SQL server on a separate network here, trying to configure replication. But I can't connect to the SQL server in the DMZ from this subnet. What kind of connectivity is required here? I thought this was strictly TCP traffic? Will I need to pass RPC traffic as well?

tkizer
Almighty SQL Goddess
38200 Posts
Posted - 2004-01-29 : 16:25:49

Have you opened up the firewall port that SQL Server listens on?

Tara

jon3k
Starting Member
49 Posts
Posted - 2004-01-29 : 16:31:32

It's a DMZ, all ports are "open" - in the sense that, if a host outside of the DMZ initiates a connection, traffic is passed freely back and forth. The only constraint with a DMZ is that machines INSIDE it cannot initiate connections to the "outside world" (read: rest of the LAN and associated subnets).

I really don't want to have to SPAN a switch port and spend the next 2 hours with tcpdump trying to track this down. Does anyone have any idea of the connectivity requirements?

stephe40
Posting Yak Master
218 Posts
Posted - 2004-01-29 : 16:36:55

What kind of firewall is it? What logging level do you have set? Can you check the firewall logs?

- Eric

jon3k
Starting Member
49 Posts
Posted - 2004-01-29 : 16:38:12

Logs? heh. This is a DMZ off an interface on the PIX. I'm going to have to go set up some access lists for debugging.

tkizer
Almighty SQL Goddess
38200 Posts
Posted - 2004-01-29 : 16:39:42

Does Enterprise Manager connect or Query Analyzer? If not, did you set up an alias using Client Network Utility which specified server name or IP address and port number?

I thought DMZs worked the other way around. That machines in front of the firewall could not connect to machines behind the firewall unless a port is opened and a rule is defined for that machine. So your SQL Server in the front DMZ would just need a firewall rule defined to use the port that the back DMZ SQL Server listens on.

Tara

stephe40
Posting Yak Master
218 Posts
Posted - 2004-01-29 : 16:47:47

I'm with you Tara. I always thought a DMZ is just a network with a more lax rule set vs a private network. Anyway, we had firewall issues all the time and it's probably best to set up a syslog server and have the firewall log to it. We have been able to solve 99.9% of our problems with those. Just play with the logging level. I suggest to start looking at anything that's blocked. Start at level 4 and work your way to 7. Level 7 shows EVERYTHING so be aware, grep will become your best friend. HTH

- Eric

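Eric's suggestion above (send the PIX logs to syslog and look at what is blocked) as an added example, not code from the thread: a small Python parser that picks the PIX deny messages (106023 and 106001) out of syslog text and counts blocked attempts per source address against the SQL Server listener port. The sample log lines, addresses and access-group name are constructed; the message layouts follow the documented Cisco PIX formats.

```python
import re
from collections import Counter

# Constructed sample PIX syslog lines (not from the thread). Lines 1, 2, 4 and 5
# are denies; line 3 is a permitted RDP connection build (302013) and must be ignored.
SAMPLE_LOG = """\
Jan 29 16:20:01 pix %PIX-4-106023: Deny tcp src inside:10.0.0.25/3421 dst dmz:192.168.10.5/1433 by access-group "inside_in"
Jan 29 16:20:03 pix %PIX-2-106001: Inbound TCP connection denied from 10.0.0.25/3422 to 192.168.10.5/1433 flags SYN on interface inside
Jan 29 16:20:05 pix %PIX-6-302013: Built inbound TCP connection 812 for inside:10.0.0.25/3423 (10.0.0.25/3423) to dmz:192.168.10.5/3389 (192.168.10.5/3389)
Jan 29 16:20:07 pix %PIX-4-106023: Deny udp src inside:10.0.0.25/3424 dst dmz:192.168.10.5/1434 by access-group "inside_in"
Jan 29 16:20:09 pix %PIX-4-106023: Deny tcp src inside:10.0.0.77/4110 dst dmz:192.168.10.5/1433 by access-group "inside_in"
"""

# Both deny formats capture the same named groups, so later code treats them alike.
DENY_PATTERNS = [
    # 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
    re.compile(r"%PIX-(?P<sev>\d)-(?P<msg>106023): Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ "
               r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"),
    # 106001: Inbound TCP connection denied from <ip>/<port> to <ip>/<port> flags ... on interface <if>
    re.compile(r"%PIX-(?P<sev>\d)-(?P<msg>106001): Inbound (?P<proto>\w+) connection denied from "
               r"(?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/(?P<dport>\d+)"),
]

def parse_denies(log_text):
    """Return one dict per deny line: sev, msg id, proto, src, dst and dport (int)."""
    events = []
    for line in log_text.splitlines():
        for pat in DENY_PATTERNS:
            m = pat.search(line)
            if m:
                d = m.groupdict()
                d["dport"] = int(d["dport"])
                d["proto"] = d["proto"].lower()
                events.append(d)
                break
    return events

def denies_to_port(log_text, port):
    """Deny events whose destination is the port the SQL Server instance listens on."""
    return [e for e in parse_denies(log_text) if e["dport"] == port]

def blocked_sources(log_text, port):
    """Count blocked connection attempts per source address for one destination port."""
    return Counter(e["src"] for e in denies_to_port(log_text, port))

if __name__ == "__main__":
    for src, n in blocked_sources(SAMPLE_LOG, 1433).items():
        print(f"{src}: {n} blocked attempt(s) to port 1433")
```

Feed it the syslog file the PIX writes to instead of SAMPLE_LOG and change the port to whatever the instance actually listens on (per Tara's later advice, not necessarily 1433).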
jon3k
Starting Member
49 Posts
Posted - 2004-01-29 : 17:04:30

[quote]Originally posted by tduggan
Does Enterprise Manager connect or Query Analyzer? If not, did you set up an alias using Client Network Utility which specified server name or IP address and port number?[/quote]

Neither Enterprise Manager nor Query Analyzer connects successfully. I also set up an alias in the Client Network Utility, using TCP/IP, and I'm still having the same problem.

[quote]Originally posted by tduggan
I thought DMZs worked the other way around. That machines in front of the firewall could not connect to machines behind the firewall unless a port is opened and a rule is defined for that machine. So your SQL Server in the front DMZ would just need a firewall rule defined to use the port that the back DMZ SQL Server listens on.[/quote]

I can connect via RDP to the server w/o any problem. I'm trying to get a look at the rules applied to the interface right now, to see if there's some kind of configuration issue.

tkizer
Almighty SQL Goddess
38200 Posts
Posted - 2004-01-29 : 17:09:53

In the alias, did you specify the port? Hopefully, it isn't 1433 or 1434! The port that you specify in the alias must match the port that SQL Server is listening on. For DMZ environments, you don't want to use 1433 or 1434. If the alias doesn't work, then a firewall rule needs to be created for the front DMZ SQL Server.

Tara

jon3k
Starting Member
49 Posts
Posted - 2004-01-29 : 17:33:24

Yeah, so I rebooted the server and now everything works fine. Thanks Microsoft, there's another hour of my life I'll never get back.

stephe40
Posting Yak Master
218 Posts
Posted - 2004-01-29 : 17:42:37

Kinda off topic, how do you guys apply updates to machines in the DMZ if they cannot make any outgoing connections?

- Eric

jon3k
Starting Member
49 Posts
Posted - 2004-01-29 : 17:54:23

Well, you can obviously download the patches without using Windows Update, but you can put in a temporary rule for the web service to allow outbound connections, even use class (or policy?) maps to specify specific URLs it can access. It can all be done with IOS and Cisco equipment, but I couldn't tell you exactly how. I'm still studying for the CCNA, so it's a little beyond me.