Solved

SQL server in DMZ

Posted on 2004-09-16
18
637 Views
Last Modified: 2008-03-17
I have a  SQL server sitting in my DMZ and I am trying to backup the database to a server that is inside my network.  I can't seem to get the SQL server to see the machine I want to backup to and when I try it says it's an invalid path to my server.  Any ideas?
Question by:gtimmons
18 Comments
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12077861
The first idea, for security's sake, and if you're not providing SQL Server hosting to 3rd parties, is to move SQL Server off your DMZ, and onto your corporate LAN. If you're using a web server that talks to SQL Server, open port 1433 between the web server's IP address and SQL Server's new inside IP address.

If you're hosting to 3rd parties, try mapping a drive from SQL Server to your backup machine, then designate the backup device as a file on that mapped drive.
0
 
LVL 14

Expert Comment

by:adwiseman
ID: 12077871
To be able to back it up directly from SQL, the user the SQL service is running under must have rights to the remote machine you're saving it to.  This is often not the case; the system account is usually what it's running under, and access by this account is probably not granted on the remote machine.

Have you considered just backing it up locally, and then copying the backup file to your other server?
0
 

Author Comment

by:gtimmons
ID: 12077899
I've tried mapping a drive from the machine in the DMZ but it won't take, keeps coming up and saying it can't map the drive.
0

 
LVL 14

Expert Comment

by:adwiseman
ID: 12077963
Perhaps your router's DMZ is separating the computer from the network, as if the machine actually existed outside of the firewall.  This is a feature in some but not all routers.  From Windows, can you browse your network and find the other machines?
0
 

Author Comment

by:gtimmons
ID: 12077976
On the DMZ machine I do not see any other machines in my network neighborhood and on the LAN I do not see the DMZ server in my network Neighborhood.
0
 
LVL 14

Expert Comment

by:adwiseman
ID: 12078010
There's your problem.  If you can't see it, neither can SQL server.  You'll need to reorganize your network setup, perhaps not placing your server in the DMZ, but mapping port 1433 to the server behind the firewall.
0
 

Author Comment

by:gtimmons
ID: 12078026
I unfortunately have to keep the server in the DMZ, so I need to figure out how I can see it from the LAN.
0
 
LVL 34

Expert Comment

by:arbert
ID: 12078037
Mapping drives usually doesn't work correctly because the SQLAgent account usually doesn't reconnect them....

Have you tried simply scripting the backup from Query Analyzer to see what you get:

BACKUP DATABASE yourdatabasename TO DISK = '\\internalserver\share\yourdatabase.bak'

Do you actually know if the network "people" have ports opened to the DMZ server from your private network?
0
 
LVL 14

Expert Comment

by:adwiseman
ID: 12078047
A second network card on the server, connected behind the firewall.
0
 
LVL 15

Assisted Solution

by:jdlambert1
jdlambert1 earned 250 total points
ID: 12078048
>On the DMZ machine I do not see any other machines in my network neighborhood and on the LAN I do not see the DMZ server in my network Neighborhood.

Nor should you. From a computer on the DMZ, you should only be able to see other computers on the DMZ, and LAN computers should only see others on the LAN. That's a critical reason for having a DMZ -- it should only have the "holes" you absolutely need, which means you have to manually configure your router to open those ports and protocols.
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12078092
Have to disagree on one point: No computer in your DMZ should have a second network card that bypasses the firewall to the corporate LAN. That could seriously compromise the corporate LAN.
0
 

Author Comment

by:gtimmons
ID: 12078119
How can I do the SQL backup then to a server that is on my LAN, or is this not possible because of the DMZ and the way DMZs and LANs work?
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12078127
How often do you perform backups? If it's once per day, you can back it up to tape. You should be archiving some tapes off-site anyway. If you need copies on the LAN, restore from the most recent tape to a computer on the LAN, which has the added benefit of allowing you to confirm the tapes are good.
0
 

Author Comment

by:gtimmons
ID: 12078177
I would like to do a daily backup. I guess I'm going to have to get it onto tape instead of the LAN server. I just want to make sure that I have a good backup of this database, off the server in case something happens to that server we'll still have a copy of the database.
Thanks,
0
 
LVL 42

Expert Comment

by:EugeneZ
ID: 12078198
You can try to back up to a local drive, then FTP it.
0
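The local-backup approach suggested by adwiseman, arbert and EugeneZ above, written out as a T-SQL script. This is an added example, not code posted in the thread; the database name and the backup folder are assumed placeholders, and the script stops at a verified local file, leaving the copy off the DMZ host as a separate step.

```sql
-- Added example (not from the original thread). Assumes a database named
-- yourdatabasename and a local folder D:\SQLBackups\ on the DMZ server.
DECLARE @db sysname, @dir nvarchar(260), @file nvarchar(400), @stamp nvarchar(20)
SET @db    = N'yourdatabasename'              -- assumed: database to protect
SET @dir   = N'D:\SQLBackups\'                -- assumed: local folder, not a LAN share
SET @stamp = CONVERT(nvarchar(8), GETDATE(), 112) + N'_'
           + REPLACE(CONVERT(nvarchar(8), GETDATE(), 108), N':', N'')
SET @file  = @dir + @db + N'_' + @stamp + N'.bak'

-- Full backup to the local drive: the SQL Server service account only needs
-- write access to @dir, so no credentials for the internal network are
-- required on the DMZ host.
BACKUP DATABASE @db TO DISK = @file WITH INIT, NAME = N'Daily full backup'

-- Confirm the file is readable and complete before it is copied anywhere.
RESTORE VERIFYONLY FROM DISK = @file

-- Show the most recent backup recorded for this database so a scheduled job
-- (or an operator) can check that today's run actually finished.
SELECT TOP 1 bs.database_name, bs.backup_start_date, bs.backup_finish_date,
       mf.physical_device_name
FROM msdb.dbo.backupset bs
JOIN msdb.dbo.backupmediafamily mf ON bs.media_set_id = mf.media_set_id
WHERE bs.database_name = @db
ORDER BY bs.backup_finish_date DESC
```

Run it from Query Analyzer or schedule it as a SQL Agent job; the dated file name keeps each day's copy distinct until it has been moved off the server.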
 
LVL 23

Accepted Solution

by:rhandels
rhandels earned 250 total points
ID: 12079621
Just a small point of view on the security part (and the routing part, of course). I agree with what is said here: don't place the SQL server on the DMZ unless you don't have any other choice.

Then, there must be something between the DMZ and your internal network. If this is a firewall (or a router, for that matter), create a NAT rule; this translates an external IP address of the router (on the DMZ side) to the internal IP address of the server you would like to back up to. This way you can use the external IP address of the router (that NATs) to map a drive to the internal network. Just keep one thing in mind: you can't have a bigger security hole...

>>Have to disagree on one point: No computer in your DMZ should have a second network card that bypasses the firewall to the corporate LAN. That could seriously compromise the corporate LAN.<<

Totally agree with jdlambert1 on this one. This is one of the worst security leaks (even worse than just NATing everything to the internal network).
0
 

Author Comment

by:gtimmons
ID: 12085646
In order to do the ftp, do I need to do anything special, open any ports or anything?
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12085763
Yes, the standard port number for FTP is 21.
0
