Solved

SQL server in DMZ

Posted on 2004-09-16
18
618 Views
Last Modified: 2008-03-17
I have a SQL server sitting in my DMZ and I am trying to back up the database to a server that is inside my network.  I can't seem to get the SQL server to see the machine I want to back up to, and when I try it says it's an invalid path to my server.  Any ideas?
0
Comment
Question by:gtimmons
18 Comments
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12077861
The first idea, for security's sake, and if you're not providing SQL Server hosting to 3rd parties, is to move SQL Server off your DMZ, and onto your corporate LAN. If you're using a web server that talks to SQL Server, open port 1433 between the web server's IP address and SQL Server's new inside IP address.

If you're hosting to 3rd parties, try mapping a drive from SQL Server to your backup machine, then designate the backup device as a file on that mapped drive.
0
 
LVL 14

Expert Comment

by:adwiseman
ID: 12077871
To be able to back it up directly from SQL, the user the SQL service is running under must have rights to the remote machine you're saving it to.  This is often not the case; the system account is usually what it's running under, and access by this account is probably not granted on the remote machine.

Have you considered just backing it up locally, and then copying the backup file to your other server?
0
 

Author Comment

by:gtimmons
ID: 12077899
I've tried mapping a drive from the machine in the DMZ but it won't take, keeps coming up and saying it can't map the drive.
0
 
LVL 14

Expert Comment

by:adwiseman
ID: 12077963
Perhaps your router's DMZ is separating the computer from the network.  As if the machine actually existed outside of the firewall.  A feature in some but not all routers.  From Windows, can you browse your network and find the other machines?
0
 

Author Comment

by:gtimmons
ID: 12077976
On the DMZ machine I do not see any other machines in my network neighborhood and on the LAN I do not see the DMZ server in my network Neighborhood.
0
 
LVL 14

Expert Comment

by:adwiseman
ID: 12078010
There's your problem.  If you can't see it, neither can SQL server.  You'll need to reorganize your network setup, perhaps not placing your server in the DMZ, but mapping port 1433 to the server behind the firewall.
0
 

Author Comment

by:gtimmons
ID: 12078026
I unfortunately have to keep the server in the DMZ, so I need to figure out how I can see it from the LAN.
0
 
LVL 34

Expert Comment

by:arbert
ID: 12078037
Mapping drives usually don't work correctly because the SQLAgent account usually doesn't reconnect them....

Have you tried simply scripting the backup from query analyzer to see what you get:

backup database yourdatabasename to disk='\\internalserver\share\yourdatabase.bak'

Do you actually know if the network "people" have ports opened to the DMZ server from your private network?
0
 
LVL 14

Expert Comment

by:adwiseman
ID: 12078047
A second network card on the server, connected behind the firewall.
0
 
LVL 15

Assisted Solution

by:jdlambert1
jdlambert1 earned 250 total points
ID: 12078048
>On the DMZ machine I do not see any other machines in my network neighborhood and on the LAN I do not see the DMZ server in my network Neighborhood.

Nor should you. From a computer on the DMZ, you should only be able to see other computers on the DMZ, and LAN computers should only see others on the LAN. That's a critical reason for having a DMZ -- it should only have the "holes" you absolutely need, which means you have to manually configure your router to open those ports and protocols.
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12078092
Have to disagree on one point: No computer in your DMZ should have a second network card that bypasses the firewall to the corporate LAN. That could seriously compromise the corporate LAN.
0
 

Author Comment

by:gtimmons
ID: 12078119
How can I do the SQL backup then to a server that is on my LAN, or is this not possible because of the DMZ and the way DMZs and LANs work?
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12078127
How often do you perform backups? If it's once per day, you can back it up to tape. You should be archiving some tapes off-site anyway. If you need copies on the LAN, restore from the most recent tape to a computer on the LAN, which has the added benefit of allowing you to confirm the tapes are good.
0
 

Author Comment

by:gtimmons
ID: 12078177
I would like to do a daily backup. I guess I'm going to have to get it onto tape instead of the LAN server. I just want to make sure that I have a good backup of this database, off the server in case something happens to that server we'll still have a copy of the database.
Thanks,
0
 
LVL 42

Expert Comment

by:EugeneZ
ID: 12078198
You can try to back up on the local drive, then FTP it.
0
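The local-backup step suggested above by adwiseman and EugeneZ, as an added example that is not part of the original thread: it writes the backup to a local disk on the DMZ server and verifies the file before it is copied anywhere. The local path `D:\Backups\` and the backup name are placeholders, and the syntax assumes SQL Server 2008 or later (inline `DECLARE` initialisation and `CHECKSUM` are not available in SQL Server 2000).

```sql
-- Added example: placeholder database name and local path; adjust to your server.
DECLARE @db   sysname       = N'yourdatabasename';
DECLARE @file nvarchar(260) = N'D:\Backups\' + @db + N'_'
                            + CONVERT(nchar(8), GETDATE(), 112)   -- yyyymmdd
                            + N'.bak';

-- 1. Full backup to a local disk. No network path is involved, so the
--    SQL Server service account needs no rights on any LAN machine.
--    CHECKSUM validates page checksums while reading and stores a
--    checksum over the backup itself.
BACKUP DATABASE @db
    TO DISK = @file
    WITH INIT, CHECKSUM, NAME = N'daily full backup';

-- 2. Confirm the file is readable and its checksums match before it
--    leaves the server. This raises an error if the backup is damaged.
RESTORE VERIFYONLY
    FROM DISK = @file
    WITH CHECKSUM;

-- 3. Record of the most recent backup, for the job log.
SELECT TOP (1)
       database_name,
       backup_finish_date,
       backup_size,
       has_backup_checksums
FROM   msdb.dbo.backupset
WHERE  database_name = @db
  AND  type = 'D'            -- 'D' = full database backup
ORDER  BY backup_finish_date DESC;
```

Only after step 2 succeeds is the `.bak` file worth transferring; the transfer itself is a separate step outside SQL Server.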
 
LVL 23

Accepted Solution

by:
rhandels earned 250 total points
ID: 12079621
Just a small point of view on security part (and routing part of course). I agree with what is said here, don't place the SQL on the DMZ unless you don't have any other choice.

Then, there must be something between the DMZ and your internal network. If this is a firewall (or a router for that matter), create a NAT rule, this translates an external IP address of the router (on the DMZ side) to the internal IP address of the server you would like to back up to. This way you can use the external IP address of the router (that NATs) to map a drive to the internal network. Just keep one thing in mind, you can't have a bigger security hole...

>>Have to disagree on one point: No computer in your DMZ should have a second network card that bypasses the firewall to the corporate LAN. That could seriously compromise the corporate LAN.<<

Totally agree with jdlambert1 on this one. This is one of the worst security leaks (even worse than just NAT everything to the internal network).
0
 

Author Comment

by:gtimmons
ID: 12085646
In order to do the ftp, do I need to do anything special, open any ports or anything?
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12085763
Yes, the standard port number for FTP is 21.
0
