?
Solved

SQL server in DMZ

Posted on 2004-09-16
18
Medium Priority
?
659 Views
Last Modified: 2008-03-17
I have a  SQL server sitting in my DMZ and I am trying to backup the database to a server that is inside my network.  I can't seem to get the SQL server to see the machine I want to backup to and when I try it says it's an invalid path to my server.  Any ideas?
0
Comment
Question by:gtimmons
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
  • 4
  • +3
18 Comments
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12077861
The first idea, for security's sake, and if you're not providing SQL Server hosting to 3rd parties, is to move SQL Server off your DMZ, and onto your corporate LAN. If you're using a web server that talks to SQL Server, open port 1433 between the web server's IP address and SQL Server's new inside IP address.

If you're hosting to 3rd parties, try mapping a driver from SQL Server to your backup machine, then designate the backup device as a file on that mapped drive.
0
 
LVL 14

Expert Comment

by:adwiseman
ID: 12077871
To be able to back it up directly from SQL the user the SQL service is running under must have rights to the remote machine your saving it to.  This is often not the case, the system account is usualy what it's running under, and access by this account is probobly not granted on the remote machine.

Have you considered just backing it up localy, and then copy the backup file to your other server?
0
 

Author Comment

by:gtimmons
ID: 12077899
I've tried mapping a drive from the machine in the DMZ but it won't take, keeps coming up and saying it can't map the drive.
0
Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

 
LVL 14

Expert Comment

by:adwiseman
ID: 12077963
Perhaps your router's DMZ is sepparating the computer from the network.  As if the machine actualy existed outside of the firewall.  A feature is some but not all routers.  From windows, can you browse your network and find the other machines?
0
 

Author Comment

by:gtimmons
ID: 12077976
On the DMZ machine I do not see any other machines in my network neighborhood and on the LAN I do not see the DMZ server in my network Neighborhood.
0
 
LVL 14

Expert Comment

by:adwiseman
ID: 12078010
There's your problem.  If you can't see it, neither can SQL server.  You'll need to reorganize your network setup, perhaps not placing your server in the DMZ, but mapping port 1433 to the server behind the firewall.
0
 

Author Comment

by:gtimmons
ID: 12078026
I unfortunately have to keep the server in the DMZ, so I need to figure out how I can see it from the LAN.
0
 
LVL 34

Expert Comment

by:arbert
ID: 12078037
Mapping drives usually don't work correctly because the SQLAgent account usually doesn't reconnect them....

Have you tried simply scripting the backup from query analyzer to see what you get:

backup yourdatabasename to disk='\\internalserver\share\yourdatabase.bak'

Do you actually know if the network "people" have ports opened to the DMZ server from your private network?
0
 
LVL 14

Expert Comment

by:adwiseman
ID: 12078047
A second network card on the server, connected behind the firewall.
0
 
LVL 15

Assisted Solution

by:jdlambert1
jdlambert1 earned 1000 total points
ID: 12078048
>On the DMZ machine I do not see any other machines in my network neighborhood and on the LAN I do not see the DMZ server in my network Neighborhood.

Nor should you. From a computer on the DMZ, you should only be able to see other computers on the DMZ, and LAN computers should only see others on the LAN. That's a critical reason for having a DMZ -- it should only have the "holes" you absolutely need, which means you have to manually configure your router to open those ports and protocols.
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12078092
Have to disagree on one point: No computer in your DMZ should have a second network card that bypasses the firewall to the corporate LAN. That could seriously compromise the corporate LAN.
0
 

Author Comment

by:gtimmons
ID: 12078119
how can I do the sql backup then to a server that is on my LAN, or is this not possible because of the DMZ and the way DMZ's and LAN's work?
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12078127
How often do you perform backups? If it's once per day, you can back it up to tape. You should be archiving some tapes off-site anyway. If you need copies on the LAN, restore from the most recent tape to a computer on the LAN, which has the added benefit of allowing you to confirm the tapes are good.
0
 

Author Comment

by:gtimmons
ID: 12078177
I would like to do a daily backup. I guess I'm going to have to get it onto tape instead of the LAN server. I just want to make sure that I have a good backup of this database, off the server in case something happens to that server we'll still have a copy of the database.
Thanks,
0
 
LVL 43

Expert Comment

by:Eugene Z
ID: 12078198
you can try to backup on local drive then ftp it
0
 
LVL 23

Accepted Solution

by:
rhandels earned 1000 total points
ID: 12079621
Just a small point of view on security part (and routing part off course). I agree with was is said here, don't place the SQL on the DMZ unless you don't have any other choice.

Then, there must be something between the DMZ and your internal network. If this is a firewall (or a router fo that matter), create a NAT rule, this translates an external ip address of the router (on the DMZ side) to the internal ip address of the server you would like to back-up to. This way you can use the extarnel ip address of the router (that NAT's) to map a drive to the internal network.. Just keep one thing in mind, you can't have a bigger security hole...

>>Have to disagree on one point: No computer in your DMZ should have a second network card that bypasses the firewall to the corporate LAN. That could seriously compromise the corporate LAN.<<

Totally agree with jdlambert1 on this one. This is one of the worst security leaks (even worse than just Nat everything to the internal network)..
0
 

Author Comment

by:gtimmons
ID: 12085646
In order to do the ftp, do I need to do anything special, open any ports or anything?
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12085763
Yes, the standard port number for FTP is 21.
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever needed a SQL 2008 Database replicated/mirrored/log shipped on another server but you can't take the downtime inflicted by initial snapshot or disconnect while T-logs are restored or mirror applied? You can use SQL Server Initialize from Backup…
This article shows gives you an overview on SQL Server 2016 row level security. You will also get to know the usages of row-level-security and how it works
This video shows, step by step, how to configure Oracle Heterogeneous Services via the Generic Gateway Agent in order to make a connection from an Oracle session and access a remote SQL Server database table.
Via a live example, show how to extract insert data into a SQL Server database table using the Import/Export option and Bulk Insert.
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question