DMZ server access to internal SQL database issue

Posted on 2011-04-19
Last Modified: 2012-05-11
Hello, I am having an issue being able to browse SQL instances from a Win 2k8 R2 64-bit server in the DMZ and see my internal Win 2k8 R2 64-bit server (SQL 2008 R2).

Can't see it in ODBC or in my program install when it gets to the point of selecting the database instance.

I have opened the following ports (tcp/1433, tcp/1434, udp/1434).

I can verify the rule by telnetting from the dmz server to the internal database server and it creates the connection.

From any other server I can see the database server through ODBC.

Anyone know what port it uses to browse and show the available SQL servers, or to allow this connection? I tried to enter it manually = no go.

Tried about 20 things and no change so far, but I know others have done this so it should be a simple fix.

Thanks for your time!
Question by:BDithelp
    LVL 22

    Expert Comment

    Out of curiosity, why would you want to be able to browse internal SQL Server instances from your DMZ?

    This sounds, to me, like a very curious approach to security.

    Allowing access to one or two Stored Procedures might be, IMHO, a reasonable need but being able to browse all of your SQL Server instances sounds questionable.
    LVL 1

    Author Comment

    Dear Sage,

    Thanks for the reply!

    I only have holes open on the above ports (tcp/1433, tcp/1434, udp/1434) from a SINGLE DMZ server to a SINGLE internal SQL server. I just want to be able to see that server in the browse option, or be able to add it in manually and have it work to make the database connection. I thought udp/1434 would do that for me, but it did not.

    Sorry if my wording in the original post was implying that I wanted to be able to browse all our internal SQL instances, and you're correct in stating that that is a very poor idea!

    The main issue is that browsing across subnets does not work, but I should still be able to enter it manually and make the connection, and I cannot.

    Anyway, I have decided to dedicate a SQL server to the DMZ for this project and others that will need a database and be public. It will NOT have any external connections; it will just service the servers in the DMZ that require a database.
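    The symptom in the question and in the reply above (telnet to tcp/1433 succeeds, yet the ODBC "browse" list stays empty and `server\instance` does not resolve) comes down to the SQL Server Browser service on udp/1434. The "browse" drop-down sends a subnet broadcast (CLNT_BCAST_EX), which a routed DMZ boundary will never forward; typing `server\instance` instead sends a unicast request (CLNT_UCAST_INST) that the firewall rule does have to pass, and the reply carries the TCP port the named instance actually listens on. The following is an added example, not code from the thread or from Microsoft, that builds that unicast request and parses the reply format documented in MS-SQLR so a firewall rule like the one described can be verified end to end. The host name `DMZSQL01`, the instance name `APP` and port `49172` in the embedded sample reply are constructed values, and `query_browser` is a hypothetical helper that only runs when you call it against a real host.

```python
import socket
from typing import Dict, List, Optional, Tuple

SSRP_PORT = 1434          # SQL Server Browser listens here over UDP
CLNT_BCAST_EX = b"\x02"   # "browse": subnet broadcast, never crosses a routed boundary
CLNT_UCAST_EX = b"\x03"   # unicast "list every instance on this host"
CLNT_UCAST_INST = 0x04    # unicast "describe instance X" (what server\instance triggers)
SVR_RESP = 0x05           # first byte of every Browser reply

# Constructed sample reply (not captured from any real server): two instances on one host.
_SAMPLE_BODY = (
    b"ServerName;DMZSQL01;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;10.50.1600.1;tcp;1433;;"
    b"ServerName;DMZSQL01;InstanceName;APP;IsClustered;No;"
    b"Version;10.50.1600.1;tcp;49172;np;\\\\DMZSQL01\\pipe\\MSSQL$APP\\sql\\query;;"
)
SAMPLE_RESPONSE = bytes([SVR_RESP]) + len(_SAMPLE_BODY).to_bytes(2, "little") + _SAMPLE_BODY


def build_ucast_inst_request(instance: str) -> bytes:
    """CLNT_UCAST_INST: 0x04, instance name (ASCII, at most 32 bytes), NUL terminator."""
    name = instance.encode("ascii")
    if not name or len(name) > 32:
        raise ValueError("instance name must be 1..32 bytes")
    return bytes([CLNT_UCAST_INST]) + name + b"\x00"


def parse_svr_resp(datagram: bytes) -> List[Dict[str, str]]:
    """Parse SVR_RESP: 0x05, 16-bit little-endian length, then ';'-separated
    key/value pairs; each instance record is terminated by ';;'."""
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not a SVR_RESP datagram")
    size = int.from_bytes(datagram[1:3], "little")
    body = datagram[3:3 + size]
    if len(body) != size:
        raise ValueError("truncated SVR_RESP")
    records: List[Dict[str, str]] = []
    for rec in body.decode("ascii", errors="replace").split(";;"):
        if not rec:
            continue
        fields = rec.split(";")
        if len(fields) % 2:
            raise ValueError("malformed instance record: %r" % rec)
        records.append(dict(zip(fields[0::2], fields[1::2])))
    return records


def tcp_endpoint(records: List[Dict[str, str]], instance: str) -> Optional[Tuple[str, int]]:
    """Return (ServerName, tcp port) for the named instance, or None if the Browser
    did not report a TCP listener for it (the port is what tcp/<port> must allow)."""
    for rec in records:
        if rec.get("InstanceName", "").lower() == instance.lower() and "tcp" in rec:
            return rec["ServerName"], int(rec["tcp"])
    return None


def query_browser(host: str, instance: str, timeout: float = 2.0) -> List[Dict[str, str]]:
    """Hypothetical helper: send the unicast request through the firewall and parse
    whatever comes back. A timeout here means udp/1434 is blocked or Browser is off."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ucast_inst_request(instance), (host, SSRP_PORT))
        data, _ = s.recvfrom(65535)
    return parse_svr_resp(data)


if __name__ == "__main__":
    # Offline demonstration on the constructed reply.
    recs = parse_svr_resp(SAMPLE_RESPONSE)
    for rec in recs:
        print(rec.get("InstanceName"), "->", tcp_endpoint(recs, rec["InstanceName"]))
```

    Two practical consequences follow from the format. A default instance that answers on tcp/1433 is the only case where the three rules in the question are sufficient on their own; a named instance usually listens on a dynamic port that the firewall must also pass. And if udp/1434 cannot be opened at all, the client can still connect by naming the port directly (`host,port` in the ODBC server field), which skips the Browser lookup entirely.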
    LVL 22

    Expert Comment

    Having the separate SQL Server servicing the DMZ sounds like a really good solution.  You could set up SSIS packages to handle any data transfers between internal SS instances and your DMZ instance.  It also would let you either omit or obfuscate any "sensitive" information.

    However, now that you have brought up the question, I am going to get with our Production DBA (I am a Development DBA) to inquire as to how one might do your original task.  Having that information might be handy; although, I still think the separate DMZ instance represents what I would think was a Best Practice in this situation.  (It provides isolation, which is part of the purpose of the DMZ, and it also allows for absolute limitations on the data available in the DMZ.)
    LVL 1

    Author Comment

    Dear 8080 Diver,

    Yes, I am in all hopes and thoughts that it will turn out to be a better solution. I went over the whole project again and it for sure looks like the best possible solution.

    I would be very interested in knowing how to properly perform the original setup as well. I am very critical about only opening what for sure needs to be. Then, when I am allotted the time and resources to make database clusters and move my database to them, I could possibly use that knowledge to either make it happen with the DMZ or know why that should not be done.

    Thanks for your time and knowledge!
    LVL 1

    Accepted Solution

    In case others read this and need info from it:

    After I moved the SQL server to the DMZ I had the same issue (error message: "Please select a SQL instance version 8.00.000 or higher") on the application I was installing (it happened to be Asigra DS-System).

    I assume that for all other purposes the ports I had initially opened above would have established the SQL connection by putting in the server\instance manually (as you still would not be able to see it in the drop-down browse, since they are on separate subnets).

    To resolve the error I modified the ports from the DMZ to the domain controllers. This allowed my domain admin account to pull something it was missing before to access the SQL server. I changed it to allow all IPs and it worked for testing. Now working on closing it back up and hopefully finding the exact port causing the issue and limiting as much access as possible.

    LVL 1

    Author Closing Comment

    Something beyond the original issue was causing the problem. No real solution, but the issue was resolved.
