
ISA 2004 - opening up port 1433 to one external IP address for SQL Server

Last Modified: 2012-08-13
This is an SBS 2003 box with ISA 2004 and SQL Server 2005. Currently ISA is set up so that there is no access to our SQL server externally. We've got some developers in that would prefer to work on a new database externally, so I want to poke a tiny hole in the firewall to allow them access.

It's very easy to open up port 1433 so that everyone gets access to the database, but that's leaving a massive hole. How do I limit external access to the database to just one (or two) IP addresses?

Most Valuable Expert 2011
Commented:
Why not use VPN? That is far better than drilling holes :)

Author

Commented:
@simonlimon:

Well, that's what I would normally do, but this database will eventually need to be synced with an external database and at present I'm not sure if the service provider will allow VPN setups. Besides, it's always good to have the knowledge of all the options available just in case.

@pwindell:

Got through steps 1, 2 and 3 with no issues, but part 4 is proving a little tricky. The Computer Object I created doesn't appear on my list of choices, just network connections.

Opening up the Publishing Rule's properties, the following tabs have these entries:
[Traffic] > "Microsoft SQL Server"
[From] > currently set to "Anywhere"
[To] > currently set to the ISA server's internal IP address
[Networks] > set to "External"

Do I just change the "anywhere" in my [From] tab to my created Computer Object? Do I still need some sort of Network entry in the [Networks] tab? Will it be OK to just leave it as "External" or do I also need to create a network entry with the same IP as the newly created Computer Object?
[To] > currently set to the ISA server's internal IP address

This has to be your SQL server, as you are publishing that and not ISA.

Author

Commented:
Oops. But same thing anyway, as it's SBS :)
Most Valuable Expert 2011

Commented:
Do I just change the "Anywhere" in my [From] tab to my created Computer Object?

Yes. Publishing Rules should never be left with "Anywhere" in the From. They should always be specific.

Author

Commented:
@pwindell: OK, here's your post edited a little to fix the 'External'/'Anywhere' confusion...

1. Create a Computer Object (Firewall Policy --> Toolbox tab --> Network Objects). This will represent the user's IP# they will be coming from. Call the Computer "Remote Developer" or something else useful and give it the IP# you want used.

2. Create a Server Publishing Rule, using the predefined protocol called Microsoft SQL Server. It may be just called SQL Server in 2004 (I'm looking at ISA 2006 as I write this). The wizard will lead you through it. It is simple and straightforward, nothing unusual, no surprises.

3. The SQL Server should be a SecureNAT client of the ISA; if it is not, then the Publishing Rule must be set to "Show coming from ISA Server" instead of the normal "Show coming from original client".

4. Go back to the Properties of the Rule and change the From to be the Computer Object you created rather than the default of 'Anywhere'. Leave the Network as 'External'.

5. No Access Rules are needed; the Publishing Rule covers it all.

Author

Commented:
Very nearly spot on. Very easy to follow. Just a teensy tweak needed to make it perfect.
Most Valuable Expert 2011

Commented:
Yes, the wizard default is "Anywhere". Humans usually make it External without really thinking about it in special cases like this. So use the Computer Object instead.

Looks fine.
