Solved

SQL server in DMZ

Posted on 2004-09-16
605 Views
Last Modified: 2008-03-17
I have a SQL server sitting in my DMZ and I am trying to back up the database to a server that is inside my network.  I can't seem to get the SQL server to see the machine I want to back up to, and when I try it says it's an invalid path to my server.  Any ideas?
Question by:gtimmons
18 Comments
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12077861
The first idea, for security's sake, and if you're not providing SQL Server hosting to 3rd parties, is to move SQL Server off your DMZ and onto your corporate LAN. If you're using a web server that talks to SQL Server, open port 1433 between the web server's IP address and SQL Server's new inside IP address.

If you're hosting to 3rd parties, try mapping a drive from SQL Server to your backup machine, then designate the backup device as a file on that mapped drive.
 
LVL 14

Expert Comment

by:adwiseman
ID: 12077871
To be able to back it up directly from SQL, the user the SQL service is running under must have rights to the remote machine you're saving it to.  This is often not the case; the system account is usually what it's running under, and access by this account is probably not granted on the remote machine.

Have you considered just backing it up locally, and then copying the backup file to your other server?
 

Author Comment

by:gtimmons
ID: 12077899
I've tried mapping a drive from the machine in the DMZ but it won't take; it keeps coming up and saying it can't map the drive.
 
LVL 14

Expert Comment

by:adwiseman
ID: 12077963
Perhaps your router's DMZ is separating the computer from the network, as if the machine actually existed outside of the firewall.  A feature in some but not all routers.  From Windows, can you browse your network and find the other machines?
 

Author Comment

by:gtimmons
ID: 12077976
On the DMZ machine I do not see any other machines in my Network Neighborhood, and on the LAN I do not see the DMZ server in my Network Neighborhood.
 
LVL 14

Expert Comment

by:adwiseman
ID: 12078010
There's your problem.  If you can't see it, neither can SQL Server.  You'll need to reorganize your network setup, perhaps not placing your server in the DMZ, but mapping port 1433 to the server behind the firewall.
 

Author Comment

by:gtimmons
ID: 12078026
I unfortunately have to keep the server in the DMZ, so I need to figure out how I can see it from the LAN.
 
LVL 34

Expert Comment

by:arbert
ID: 12078037
Mapped drives usually don't work correctly because the SQLAgent account usually doesn't reconnect them....

Have you tried simply scripting the backup from Query Analyzer to see what you get:

BACKUP DATABASE yourdatabasename TO DISK = '\\internalserver\share\yourdatabase.bak'

Do you actually know if the network "people" have ports opened to the DMZ server from your private network?
 
LVL 14

Expert Comment

by:adwiseman
ID: 12078047
A second network card on the server, connected behind the firewall.
 
LVL 15

Assisted Solution

by:jdlambert1
jdlambert1 earned 250 total points
ID: 12078048
>On the DMZ machine I do not see any other machines in my network neighborhood and on the LAN I do not see the DMZ server in my network Neighborhood.

Nor should you. From a computer on the DMZ, you should only be able to see other computers on the DMZ, and LAN computers should only see others on the LAN. That's a critical reason for having a DMZ -- it should only have the "holes" you absolutely need, which means you have to manually configure your router to open those ports and protocols.
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12078092
Have to disagree on one point: No computer in your DMZ should have a second network card that bypasses the firewall to the corporate LAN. That could seriously compromise the corporate LAN.
 

Author Comment

by:gtimmons
ID: 12078119
How can I do the SQL backup then to a server that is on my LAN, or is this not possible because of the DMZ and the way DMZs and LANs work?
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12078127
How often do you perform backups? If it's once per day, you can back it up to tape. You should be archiving some tapes off-site anyway. If you need copies on the LAN, restore from the most recent tape to a computer on the LAN, which has the added benefit of allowing you to confirm the tapes are good.
 

Author Comment

by:gtimmons
ID: 12078177
I would like to do a daily backup. I guess I'm going to have to get it onto tape instead of the LAN server. I just want to make sure that I have a good backup of this database, off the server, so that in case something happens to that server we'll still have a copy of the database.
Thanks,
 
LVL 42

Expert Comment

by:EugeneZ
ID: 12078198
You can try to back up to a local drive, then FTP it.
 
LVL 23

Accepted Solution

by:rhandels
rhandels earned 250 total points
ID: 12079621
Just a small point of view on the security part (and the routing part, of course). I agree with what is said here: don't place the SQL Server on the DMZ unless you don't have any other choice.

Then, there must be something between the DMZ and your internal network. If this is a firewall (or a router, for that matter), create a NAT rule; this translates an external IP address of the router (on the DMZ side) to the internal IP address of the server you would like to back up to. This way you can use the external IP address of the router (that NATs) to map a drive to the internal network. Just keep one thing in mind: you can't have a bigger security hole...

>>Have to disagree on one point: No computer in your DMZ should have a second network card that bypasses the firewall to the corporate LAN. That could seriously compromise the corporate LAN.<<

Totally agree with jdlambert1 on this one. This is one of the worst security leaks (even worse than just NATing everything to the internal network).
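As an added example (not part of the thread, and not rhandels' or jdlambert1's own configuration), here is the pinhole rhandels describes written for a Linux iptables firewall sitting between the DMZ and the LAN. It also keeps to jdlambert1's point above that the DMZ should carry only the holes you absolutely need: the translation is limited to one source host, one destination and one port, and everything else the DMZ tries to initiate toward the LAN is dropped and logged. The interface names and addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a single DMZ -> LAN pinhole on a Linux
# firewall between the DMZ and the LAN, built with iptables.
#
# Assumed (hypothetical) interfaces and addresses; override via the environment.
DMZ_IF="${DMZ_IF:-eth1}"                   # firewall interface facing the DMZ
LAN_IF="${LAN_IF:-eth2}"                   # firewall interface facing the LAN
SQL_HOST="${SQL_HOST:-192.0.2.10}"         # the SQL Server in the DMZ
NAT_ADDR="${NAT_ADDR:-192.0.2.1}"          # firewall's DMZ-side address the SQL host maps a drive to
BACKUP_HOST="${BACKUP_HOST:-10.0.0.20}"    # LAN file server holding the backup share
PORT="${PORT:-445}"                        # SMB over TCP (Windows 2000 and later); add 139 only for NetBIOS-era clients

# DRY_RUN=1 (the default) prints the rules instead of applying them, so the
# rule set can be reviewed without root or iptables; run with DRY_RUN=0 to apply.
DRY_RUN="${DRY_RUN:-1}"
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

apply_pinhole() {
  # Default posture: the DMZ may not initiate anything into the LAN.
  ipt -P FORWARD DROP
  # Replies to flows the rules below allow (and LAN -> DMZ flows allowed elsewhere) may return.
  ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # DNAT: only the SQL host, only when it talks to the firewall's DMZ-side
  # address, only TCP/445, is translated to the backup server.
  ipt -t nat -A PREROUTING -i "$DMZ_IF" -s "$SQL_HOST" -d "$NAT_ADDR" \
      -p tcp --dport "$PORT" -j DNAT --to-destination "$BACKUP_HOST:$PORT"

  # FORWARD sees the post-DNAT destination; allow exactly that one flow.
  ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -s "$SQL_HOST" -d "$BACKUP_HOST" \
      -p tcp --dport "$PORT" -m conntrack --ctstate NEW -j ACCEPT

  # Anything else the DMZ tries to start toward the LAN hits the DROP policy;
  # log it first so a compromised DMZ host probing the LAN shows up.
  ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j LOG --log-prefix "DMZ2LAN-DROP "
}

apply_pinhole
```

Review the printed rules, then run it with DRY_RUN=0 as root. On the SQL Server side, the mapped drive (or the UNC path in the BACKUP statement) targets the firewall's DMZ-side address, not the file server's real address. The account that authenticates to the share should be a dedicated one with write access to that share only, because its credentials are exactly what a compromised DMZ host would carry into the LAN.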
 

Author Comment

by:gtimmons
ID: 12085646
In order to do the ftp, do I need to do anything special, open any ports or anything?
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12085763
Yes, the standard port number for FTP is 21.