Problem connecting to SQL hosted behind ISA server firewall

Posted on 2006-05-03
Last Modified: 2013-11-16
I have a Citrix farm using public IPs.  On my servers I have a 3rd-party app that connects to their externally hosted SQL server on Port 80.  This is working fine.  When I enable NAT on my firewall and attempt to connect to this same app it works fine initially, but once my farm gets busy and usage of the app picks up I lose connection to the SQL server.  I am unable to ping it or connect to it.  No communication with it whatsoever.  All other services run fine in this NAT config.

If I change my NAT public IP I can again communicate with the external server on Port 80 for a brief period but once usage picks up I can't connect again.

When I bypass my firewall and connect a workstation directly to my ISP's router/gateway using one of the non-working IP addresses it still doesn't work.  If I change to an unused IP it works.

I have used a couple different Watchguard Fireboxes.  Most recently the Firebox III.  I just found out our SQL host is using Microsoft ISA server/firewall -- not sure which version yet.

It seems to me that at some point as my usage perks up something on the ISA box/firewall is misinterpreting the traffic from my IP address as an attack of some sort -- even though it is coming over Port 80 -- and automatically blocking us?  I am not too familiar with ISA server settings/features.  Am I totally off-base here?  Is there something I can tell my hosting company to check/do to verify this?  At this point they are suggesting it is a misconfig on my NAT but I can replicate the problem with a "blocked" IP even when I bypass my firewall/NAT.
Question by:broussardgroup

Expert Comment

by:Keith Alabaster
ID: 16603424
Please give a brief diagram of your layout.

Author Comment

by:broussardgroup
ID: 16611656
Current Config:
Mobile users connect to the Citrix Farm using Web Interface.  This connection goes through my Watchguard Firebox, which is in "drop-in" mode.  EVERYTHING has public IP addresses and is on the same subnet.  No masquerading.  This works fine.

After NAT-enabled:
Watchguard Firebox gets public IP 1.2.3.4
Mobile users connect to the Citrix Farm using Web Interface.  Watchguard resolves the public IP from mobile users to the private IP of the Citrix servers.  Users have no problems connecting and using the Citrix Farm.  Mail works fine.  Inbound web traffic fine.  Outbound mail and web traffic fine.  Communication to the externally hosted SQL works fine too.

So, Watchguard is configured LAN 10.10.10.1 & DMZ 192.168.10.1 & WAN 1.2.3.4

On LAN are 2 Citrix Servers (10.10.10.5 & 10.10.10.6)
Lots of individual workstations on the LAN 10.10.10.100-200

External SQL server hosted by 3rd party on Internet has public IP 2.3.4.5

After outbound traffic to externally hosted SQL server picks up -- all users piled onto the Citrix box -- communication at some point stops with SQL box 2.3.4.5.  Not only from the Citrix farm but from the workstations too.  Anything behind Watchguard 1.2.3.4.  Cannot ping, or view a test web page hosted at SQL site 2.3.4.5.

If I change my external IP address on the Watchguard to 1.2.3.5 then communication with SQL starts again.  Users pile on.  Communication stops.  I can change to .6, it works, then stops; .7 and so on.

To test my firewall I REMOVE the firewall completely.  Hook a previously untested laptop directly to my ISP's router.  I give it a previously "blocked" IP 1.2.3.4 and it cannot communicate with the SQL server.  I change the IP to a new address 1.2.3.10 and it works.  Change to a different previously "blocked" IP 1.2.3.5 and it doesn't work.

Looking at Watchguard logs I see traffic leaving through my Watchguard.  No traffic comes back from SQL host.

Author Comment

by:broussardgroup
ID: 16623929
ADDENDUM -- At this point I am not getting much help from the folks hosting SQL.  Other than they are using Microsoft ISA firewall I know nothing about their config or if they are seeing traffic coming from me.

My main question regarding ISA is does ISA have a feature that will automatically block an inbound IP Address it doesn't like or deems dangerous -- maybe too much traffic or it doesn't like how my Watchguard NAT is rewriting my outbound packets?  Like I said, my hosting company is not being helpful but I really don't think the problem is on my side.  I'm trying to come up with ideas to troubleshoot this from their end so I can tell them what their problem is -- or mine.

Expert Comment

by:Keith Alabaster
ID: 16624643
ISA has the facilities for this (open the GUI, Configuration - General).
Settings such as the IP controls could have this effect.

However, it will not block traffic of its own volition; only if it is told to. Sounds like the issue is on the outside.

An 'option' might be to pick a weekend and then create your own SQL server outside of the firewall and connect it to the WAN interface.  Can you recreate the condition?  Another option might be to reduce the size of the MTU on your external interfaces.

Author Comment

by:broussardgroup
ID: 16627178
Since the last time I tried turning on NAT on my side I have gotten a new firewall -- Watchguard again but different model than the last.  Also, the host said he would have a tech at my disposal the day we go live following my NAT change again.  Due to service time constraints I will be making the network reconfig May 14th weekend.  In the past all testing with the SQL box has been fine following the change.  It won't be until Monday around 10am when all my users are busy banging away that I expect something to happen.  No time to test with an external SQL box and furthermore unless I had some way of testing with 100 users hitting it simultaneously I don't think I could replicate the problem.

Again, I was just looking for something on the ISA side that might be causing this.  I'm planning on loading an eval of ISA this week prior to the changes so I can see what it looks like.

Regarding ISA, so you say nothing would block the traffic on the ISA side of its own volition.  I know in Watchguard and SonicWall firewalls (my main experience) they come preconfigured with rules that will automatically block IP addresses they think are attacking them.  You have to go in and manually turn this off.  There is not an equivalent preconfigured rule in ISA?

Sorry to keep beating a dead horse.  I suppose I will know more after I load my eval.  I was just hoping for a smoking gun.  I feel like I've tested this enough to know this problem is outside my equipment/config.  Both my and his ISP said it isn't them.  That only leaves the vendor and I haven't had success dealing with him in the past.

One last time for doubting Thomas, nothing comes to mind on the ISA side that could be blocking traffic from my NAT IP?

Accepted Solution

by:
Keith Alabaster earned 1000 total points
ID: 16628291
If you are going to evaluate ISA, use ISA 2006 (beta); it's good for 6 months and is another huge step forward.

<<<However, it will not block traffic of its own volition; only if it is told to. Sounds like the issue is on the outside>>>

As I said, ISA CAN do this (it's set up in the Configuration - General - Additional Security Policy section) but it has to be told to do this, i.e. there are about 6 options that can be ticked/unticked dealing with scan attacks, DoS attacks, fragmentation, IP Bomb, etc.  There are another few options under DNS attacks also.

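To make the mechanism discussed in the answer above concrete, here is an added example (not code from the thread, and not ISA Server's implementation) of a per-source-IP connection-rate threshold of the "DoS / flood" kind. It models why masquerading a whole Citrix farm behind one public address can trip such a threshold while the same load from per-host public addresses does not, why the block is sticky until the source address changes, and what an exemption for the NAT address does in this model. The `FloodGuard` class, its threshold numbers, the addresses and the traffic samples are all assumptions constructed for the illustration; whether an explicit allow rule has the same effect in ISA is not something this thread confirms.

```python
"""Hypothetical model of a sticky per-source-IP flood threshold behind NAT.

Added illustration only: this is NOT ISA Server's code or its actual
algorithm, and every address, threshold and traffic sample is constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Set, Tuple

Event = Tuple[float, str]  # (timestamp in seconds, source IP)


class FloodGuard:
    """Counts new connections per source IP in a sliding window.

    Once a source exceeds max_conns within `window` seconds it is added to
    `blocked` and stays there, which reproduces the symptom in the thread:
    packets leave the site, nothing ever comes back, and a fresh public
    address works again until it, too, crosses the threshold.
    """

    def __init__(self, max_conns: int, window: float, exempt: Iterable[str] = ()):
        self.max_conns = max_conns
        self.window = window
        self.exempt: Set[str] = set(exempt)   # e.g. an allow rule for the NAT IP
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked: Set[str] = set()
        self.dropped = 0

    def observe(self, ts: float, src: str) -> bool:
        """Record one new connection; True if it passes, False if dropped."""
        if src in self.exempt:
            return True
        if src in self.blocked:
            self.dropped += 1
            return False
        q = self._recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # expire old entries
            q.popleft()
        if len(q) > self.max_conns:
            self.blocked.add(src)
            self.dropped += 1
            return False
        return True


def drop_in_traffic(n_hosts: int, conns_per_host: int, spacing: float) -> List[Event]:
    """Constructed sample: every host keeps its own public IP (1.2.3.11, 1.2.3.12, ...)."""
    events: List[Event] = []
    for h in range(n_hosts):
        src = f"1.2.3.{11 + h}"
        for c in range(conns_per_host):
            events.append((c * spacing, src))
    return sorted(events)


def nat_traffic(n_hosts: int, conns_per_host: int, spacing: float,
                nat_ip: str = "1.2.3.4") -> List[Event]:
    """Same load, but every host is masqueraded behind the firewall's one address."""
    return [(ts, nat_ip) for ts, _ in drop_in_traffic(n_hosts, conns_per_host, spacing)]


def run(events: List[Event], guard: FloodGuard) -> Dict[str, object]:
    """Feed events through the guard and summarise what it did."""
    allowed = sum(1 for ts, src in events if guard.observe(ts, src))
    return {"allowed": allowed, "dropped": guard.dropped, "blocked": sorted(guard.blocked)}


if __name__ == "__main__":
    load = (100, 5, 1.0)   # 100 hosts, 5 connections each, one per second
    print("drop-in :", run(drop_in_traffic(*load), FloodGuard(50, 10.0)))
    print("NAT     :", run(nat_traffic(*load), FloodGuard(50, 10.0)))
    print("NAT new IP, same guard:", run(nat_traffic(*load, nat_ip="1.2.3.5"), FloodGuard(50, 10.0)))
    print("NAT exempt:", run(nat_traffic(*load), FloodGuard(50, 10.0, exempt=["1.2.3.4"])))
```

With the constructed load, the drop-in layout never puts more than five connections on any one address, so nothing is blocked; the NAT layout pushes 500 connections through 1.2.3.4 inside one window, the 51st trips the threshold and every later one is dropped; switching the NAT address to 1.2.3.5 gets a brief reprieve and is then blocked in turn; and listing the NAT address in `exempt` lets the same load through. When asking a hosting provider to check for this, the numbers to ask for are the per-IP threshold, the window, and whether the block is sticky.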

Author Comment

by:broussardgroup
ID: 16630363
I just found out my host is using ISA 2004.  Do the same options regarding Additional Security Policy apply to 2004 as well?

Last question and thanks for your help.  If a rule is added to ISA that explicitly allows port 80 traffic to and from my NAT IP Address will this circumvent Additional Security Policy?

Thanks Keith.

Expert Comment

by:Keith Alabaster
ID: 16632298
Yes and also ISA2006.

regards
Keith

Expert Comment

by:Keith Alabaster
ID: 16632353
Thank you :)  I'll stay subscribed to this one so if you have issues, just post and I'll get it.

regards
keith