Solved

SQL server in DMZ

Posted on 2004-09-16
18
647 Views
Last Modified: 2008-03-17
I have a  SQL server sitting in my DMZ and I am trying to backup the database to a server that is inside my network.  I can't seem to get the SQL server to see the machine I want to backup to and when I try it says it's an invalid path to my server.  Any ideas?
0
Question by:gtimmons
18 Comments
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12077861
The first idea, for security's sake, and if you're not providing SQL Server hosting to 3rd parties, is to move SQL Server off your DMZ, and onto your corporate LAN. If you're using a web server that talks to SQL Server, open port 1433 between the web server's IP address and SQL Server's new inside IP address.

If you're hosting to 3rd parties, try mapping a drive from SQL Server to your backup machine, then designate the backup device as a file on that mapped drive.
0
 
LVL 14

Expert Comment

by:adwiseman
ID: 12077871
To be able to back it up directly from SQL, the user the SQL service is running under must have rights to the remote machine you're saving it to.  This is often not the case: the system account is usually what it's running under, and access by this account is probably not granted on the remote machine.

Have you considered just backing it up locally, and then copying the backup file to your other server?
0
 

Author Comment

by:gtimmons
ID: 12077899
I've tried mapping a drive from the machine in the DMZ but it won't take; it keeps coming up and saying it can't map the drive.
0
 
LVL 14

Expert Comment

by:adwiseman
ID: 12077963
Perhaps your router's DMZ is separating the computer from the network, as if the machine actually existed outside of the firewall.  This is a feature in some, but not all, routers.  From Windows, can you browse your network and find the other machines?
0
 

Author Comment

by:gtimmons
ID: 12077976
On the DMZ machine I do not see any other machines in my network neighborhood and on the LAN I do not see the DMZ server in my network Neighborhood.
0
 
LVL 14

Expert Comment

by:adwiseman
ID: 12078010
There's your problem.  If you can't see it, neither can SQL server.  You'll need to reorganize your network setup, perhaps not placing your server in the DMZ, but mapping port 1433 to the server behind the firewall.
0
 

Author Comment

by:gtimmons
ID: 12078026
I unfortunately have to keep the server in the DMZ, so I need to figure out how I can see it from the LAN.
0
 
LVL 34

Expert Comment

by:arbert
ID: 12078037
Mapped drives usually don't work correctly because the SQLAgent account usually doesn't reconnect them....

Have you tried simply scripting the backup from query analyzer to see what you get:

BACKUP DATABASE yourdatabasename TO DISK = '\\internalserver\share\yourdatabase.bak'

Do you actually know if the network "people" have ports opened to the DMZ server from your private network?
0
 
LVL 14

Expert Comment

by:adwiseman
ID: 12078047
A second network card on the server, connected behind the firewall.
0
 
LVL 15

Assisted Solution

by:jdlambert1
jdlambert1 earned 250 total points
ID: 12078048
>On the DMZ machine I do not see any other machines in my network neighborhood and on the LAN I do not see the DMZ server in my network Neighborhood.

Nor should you. From a computer on the DMZ, you should only be able to see other computers on the DMZ, and LAN computers should only see others on the LAN. That's a critical reason for having a DMZ -- it should only have the "holes" you absolutely need, which means you have to manually configure your router to open those ports and protocols.
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12078092
Have to disagree on one point: No computer in your DMZ should have a second network card that bypasses the firewall to the corporate LAN. That could seriously compromise the corporate LAN.
0
 

Author Comment

by:gtimmons
ID: 12078119
How can I do the SQL backup then to a server that is on my LAN, or is this not possible because of the DMZ and the way DMZs and LANs work?
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12078127
How often do you perform backups? If it's once per day, you can back it up to tape. You should be archiving some tapes off-site anyway. If you need copies on the LAN, restore from the most recent tape to a computer on the LAN, which has the added benefit of allowing you to confirm the tapes are good.
0
 

Author Comment

by:gtimmons
ID: 12078177
I would like to do a daily backup. I guess I'm going to have to get it onto tape instead of the LAN server. I just want to make sure that I have a good backup of this database off the server, so that in case something happens to that server we'll still have a copy of the database.
Thanks,
0
 
LVL 42

Expert Comment

by:Eugene Z
ID: 12078198
You can try to back up to a local drive, then FTP it.
0
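Putting three of the suggestions in this thread together (adwiseman's "back it up locally, then copy the file", arbert's BACKUP ... TO DISK statement, and Eugene Z's local-drive-then-transfer), here is an added example that is not code from any of the posters: a Python script that builds the local BACKUP statement, copies the resulting .bak file across the boundary, and accepts the copy only when its SHA-256 matches the original, so a transfer that stopped part-way is deleted rather than kept as a "good" backup. The database name Northwind, the local folder D:\Backups and the destination directory are constructed stand-ins; the copy step is a plain file copy to a path the copying account can write to, and verify_existing() covers the case where another tool (an FTP job, say) did the transfer.

```python
"""Back up a SQL Server database to a LOCAL disk on the DMZ host, copy the
file across the firewall boundary, and accept the copy only after its hash
matches the original. Added example for this thread, not code from any of
the posters. Assumed (constructed) names: the database "Northwind", a local
backup folder on the DMZ host, and a destination directory standing in for
the LAN share (or the staging folder an FTP/SFTP job uploads from)."""
import hashlib
import ntpath
import os
import shutil
import tempfile
from datetime import datetime


def backup_statement(database: str, local_dir: str, when: datetime) -> str:
    """Build the T-SQL BACKUP statement. It writes to a local path, so the
    SQL Server service account needs no rights on any LAN machine."""
    if any(c in database for c in "[]'"):  # keep the bracket quoting honest
        raise ValueError(f"unexpected characters in database name: {database!r}")
    filename = f"{database}_{when:%Y%m%d_%H%M%S}.bak"
    path = ntpath.join(local_dir, filename)  # Windows path: SQL Server's host
    return (f"BACKUP DATABASE [{database}] TO DISK = N'{path}' "
            f"WITH INIT, NAME = N'{database} full backup';")


def sha256_of(path: str) -> str:
    """Hash a file in chunks; backup files are usually far larger than RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def copy_and_verify(src: str, dest_dir: str) -> dict:
    """Copy src into dest_dir under a .part name, hash both sides, and
    publish the final name only when the hashes agree. A mismatched copy is
    deleted so a truncated transfer can never be mistaken for a good backup."""
    os.makedirs(dest_dir, exist_ok=True)
    final = os.path.join(dest_dir, os.path.basename(src))
    partial = final + ".part"
    shutil.copyfile(src, partial)
    src_hash, copy_hash = sha256_of(src), sha256_of(partial)
    if src_hash != copy_hash:
        os.remove(partial)
        return {"ok": False, "dest": None,
                "src_sha256": src_hash, "dest_sha256": copy_hash}
    os.replace(partial, final)
    return {"ok": True, "dest": final,
            "src_sha256": src_hash, "dest_sha256": copy_hash}


def verify_existing(expected_sha256: str, dest: str) -> bool:
    """Re-check a file that another tool (an FTP job, say) already moved to
    the LAN side, against the hash recorded on the DMZ side."""
    return os.path.isfile(dest) and sha256_of(dest) == expected_sha256


if __name__ == "__main__":
    print(backup_statement("Northwind", r"D:\Backups", datetime.now()))
    with tempfile.TemporaryDirectory() as work:
        # Constructed stand-in for the .bak file SQL Server would have written.
        local_bak = os.path.join(work, "Northwind.bak")
        with open(local_bak, "wb") as handle:
            handle.write(b"TAPE" + bytes(range(256)) * 16)
        result = copy_and_verify(local_bak, os.path.join(work, "lan_share"))
        print("copy ok:", result["ok"], result["src_sha256"][:16])
        # Simulate a transfer that stopped early and show it is rejected.
        with open(result["dest"], "r+b") as handle:
            handle.truncate(100)
        print("truncated copy still verifies?",
              verify_existing(result["src_sha256"], result["dest"]))
```

Run the BACKUP statement from the SQL Server Agent job, then the copy step from a scheduled task on the DMZ host. Keeping the backup local sidesteps the service-account problem raised earlier, and the only firewall opening the transfer needs is a single DMZ-to-LAN flow. If the firewall policy permits it, having the LAN host pull the file from a read-only share on the DMZ host keeps LAN credentials off the DMZ machine entirely; the hash check is the same either way.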
 
LVL 23

Accepted Solution

by:rhandels
rhandels earned 250 total points
ID: 12079621
Just a small point of view on the security part (and routing part, of course). I agree with what is said here: don't place the SQL on the DMZ unless you don't have any other choice.

Then, there must be something between the DMZ and your internal network. If this is a firewall (or a router, for that matter), create a NAT rule; this translates an external IP address of the router (on the DMZ side) to the internal IP address of the server you would like to back up to. This way you can use the external IP address of the router (that NATs) to map a drive to the internal network.. Just keep one thing in mind, you can't have a bigger security hole...

>>Have to disagree on one point: No computer in your DMZ should have a second network card that bypasses the firewall to the corporate LAN. That could seriously compromise the corporate LAN.<<

Totally agree with jdlambert1 on this one. This is one of the worst security leaks (even worse than just NATing everything to the internal network)..
0
 

Author Comment

by:gtimmons
ID: 12085646
In order to do the ftp, do I need to do anything special, open any ports or anything?
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12085763
Yes, the standard port number for FTP is 21.
0
