DMZ server access to internal SQL database issue

Posted on 2011-04-19
Last Modified: 2012-05-11
Hello, I am having an issue being able to browse SQL instances from a win 2k8 R2 64bit server in the dmz and see my internal win 2k8 R2 64bit server (2008 SQL r2).

Can't see in ODBC or on my program install when it gets to point to select database instance

I have opened the following ports (tcp/1433, tcp/1434, udp/1434)

I can verify the rule by telnetting from the dmz server to the internal database server and it creates the connection.

Any other server I can see the database server through ODBC

Anyone know what port it uses to browse and show the available sql servers or allow this connection. I tried to enter it manually = no go.

Tried about 20 things and no change so far but I know others have done this so it should be a simple fix.

Thanks for your time!
Question by:BDithelp
6 Comments
 
LVL 22

Expert Comment

by:8080_Diver
ID: 35432957
Out of curiosity, why would you want to be able to browse internal SQL Server instances from your DMZ?

This sounds, to me, like a very curious approach to security.

Allowing access to one or two Stored Procedures might be, IMHO, a reasonable need but being able to browse all of your SQL Server instances sounds questionable.
0
 
LVL 1

Author Comment

by:BDithelp
ID: 35433091
Dear Sage,

Thanks for the reply!

I only have holes open on the above ports (tcp/1433, tcp/1434, udp/1434) from a SINGLE dmz server to a SINGLE internal sql server. I just want to be able to see that server in the browse option or be able to add it in manually and it work to make the database connection. I thought udp/1434 would do that for me but it did not.

Sorry if my wording in the original post was implying that I wanted to be able to browse all our internal SQL instances and you're correct in stating that that, well, is a very poor idea!

The issue is browsing across subnets does not work mainly but I should still be able to manually enter it and I can not and make the connection.

---

Anyways I have decided to dedicate a SQL server to the dmz for this project and others that will need a database and be public. It will NOT have any external connections just service the servers in the dmz that require a database.
0
 
LVL 22

Expert Comment

by:8080_Diver
ID: 35433214
Having the separate SQL Server servicing the DMZ sounds like a really good solution.  You could set up SSIS packages to handle any data transfers between internal SS instances and your DMZ instance.  It also would let you either omit or obfuscate any "sensitive" information.

However, now that you have brought up the question, I am going to get with our Production DBA (I am a Development DBA) to inquire as to how one might do your original task.  Having that information might be handy; although, I still think the separate, DMZ instance represents what I would think was a Best Practice in this situation.  (It provides isolation, which is part of the purpose of the DMZ, and it also allows for absolute limitations on the data available in the DMZ.)
0
LVL 1

Author Comment

by:BDithelp
ID: 35433347
Dear 8080 Diver,

Yes I am in all hopes and thoughts that it will turn out to be a better solution. I went over the whole project again and it for sure looks like the best possible solution.

I would be very interested in knowing how to properly perform the original setup as well. I am very critical about only opening what for sure needs to be. Then when I am allotted the time and resources to make database clusters and move my database to them I could possibly use that knowledge to either make it happen with the dmz or know why that should not be done.

Thanks for your time and knowledge!
0
 
LVL 1

Accepted Solution

by:
BDithelp earned 0 total points
ID: 35436863
In case others read this and need info from it:

After I moved the sql server to the dmz I had the same issue (error message : Please select a SQL instance version 8.00.000 or higher) on the application I was installing (happened to be Asigra ds-system).

I assume for all other reasons the ports I had initially opened above would have established the sql connection by putting in the server\instance manually (as you still would not be able to see it in the drop down browse as they are on separate subnets).

To resolve the error I modified the ports from the dmz to the domain controllers. This allowed my domain admin account to pull something it was missing before to access the sql server. I changed it to allow all ip and it worked for testing. Now working on closing it back up and hopefully finding the exact port causing the issue and limiting as much access as possible.

0
 
LVL 1

Author Closing Comment

by:BDithelp
ID: 35465295
Was something beyond original issue causing problem. No real solution but issue was resolved
0
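An added example, not posted by anyone in this thread: a check an administrator can run from the DMZ host to see what the SQL Server Browser service on udp/1434 reports for one named server, and therefore which TCP ports a tightly scoped firewall rule has to allow. It goes slightly beyond the thread by showing a named instance on a dynamic port, which a tcp/1433 rule alone does not cover. The message layout follows Microsoft's SQL Server Resolution Protocol (MC-SQLR); the host name `SQLINT01`, instance `APP1` and the sample reply are constructed for illustration.

```python
import socket
import struct

SSRP_PORT = 1434          # SQL Server Browser listens on udp/1434
CLNT_UCAST_EX = b"\x03"   # unicast request: list the instances on this host
SVR_RESP = 0x05           # first byte of the Browser's reply

def parse_ssrp_response(data):
    """Decode an SVR_RESP datagram into one dict per SQL Server instance."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (size,) = struct.unpack_from("<H", data, 1)   # little-endian length
    body = data[3:3 + size]
    if len(body) != size:
        raise ValueError("truncated SSRP response")
    instances = []
    # Each instance is a ';'-separated key/value run terminated by ';;'.
    for record in body.decode("ascii", errors="replace").split(";;"):
        fields = record.split(";")
        if len(fields) >= 2:
            instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances

def query_browser(host, timeout=3.0):
    """Ask one server's Browser service directly (unicast crosses subnets)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        data, _ = s.recvfrom(65535)
    return parse_ssrp_response(data)

def tcp_ports_needed(instances):
    """TCP ports the DMZ-to-SQL firewall rule must allow for these instances."""
    return sorted({int(i["tcp"]) for i in instances if i.get("tcp", "").isdigit()})

# Constructed sample reply: a default instance plus a named one on a dynamic port.
_BODY = (b"ServerName;SQLINT01;InstanceName;MSSQLSERVER;IsClustered;No;"
         b"Version;10.50.1600.1;tcp;1433;;"
         b"ServerName;SQLINT01;InstanceName;APP1;IsClustered;No;"
         b"Version;10.50.1600.1;tcp;49172;;")
SAMPLE = bytes([SVR_RESP]) + struct.pack("<H", len(_BODY)) + _BODY

if __name__ == "__main__":
    found = parse_ssrp_response(SAMPLE)   # or query_browser("SQLINT01") on a live network
    for inst in found:
        print(inst["ServerName"] + "\\" + inst["InstanceName"], "tcp", inst.get("tcp"))
    print("allow tcp:", tcp_ports_needed(found))
```

A timeout from `query_browser` means the request or the reply on udp/1434 is being dropped, or the Browser service is not running on the target.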