• Status: Solved

DMZ server access to internal SQL database issue

Hello, I am having an issue being able to browse SQL instances from a win 2k8 R2 64bit server in the dmz and see my internal win 2k8 R2 64bit server (2008 SQL r2).

Can't see in ODBC or on my program install when it gets to point to select database instance

I have opened the following ports (tcp/1433, tcp/1434, udp/1434)

I can verify the rule by telnetting from the dmz server to the internal database server and it creates the connection.

Any other server I can see the database server through ODBC

Anyone know what port it uses to browse and show the available sql servers or allow this connection? I tried to enter it manually = no go.

Tried about 20 things and no change so far but I know others have done this so it should be a simple fix.

Thanks for your time!
Out of curiosity, why would you want to be able to browse internal SQL Server instances from your DMZ?

This sounds, to me, like a very curious approach to security.

Allowing access to one or two Stored Procedures might be, IMHO, a reasonable need but being able to browse all of your SQL Server instances sounds questionable.
BDithelpAuthor Commented:
Dear Sage,

Thanks for the reply!

I only have holes open on the above ports (tcp/1433, tcp/1434, udp/1434) from a SINGLE dmz server to a SINGLE internal sql server. I just want to be able to see that server in the browse option or be able to add it in manually and it work to make the database connection. I thought udp/1434 would do that for me but it did not.

Sorry if my wording in the original post was implying that I wanted to be able to browse all our internal SQL instances and you're correct in stating that that well is a very poor idea!

The issue is browsing across subnets does not work mainly but I should still be able to manually enter it and I cannot and make the connection.


Anyways I have decided to dedicate a SQL server to the dmz for this project and others that will need a database and be public. It will NOT have any external connections just service the servers in the dmz that require a database.
Having the separate SQL Server servicing the DMZ sounds like a really good solution.  You could set up SSIS packages to handle any data transfers between internal SS instances and your DMZ instance.  It also would let you either omit or obfuscate any "sensitive" information.

However, now that you have brought up the question, I am going to get with our Production DBA (I am a Development DBA) to inquire as to how one might do your original task.  Having that information might be handy; although, I still think the separate, DMZ instance represents what I would think was a Best Practice in this situation.  (It provides isolation, which is part of the purpose of the DMZ, and it also allows for absolute limitations on the data available in the DMZ.)
BDithelpAuthor Commented:
Dear 8080 Diver,

Yes I am in all hopes and thoughts that it will turn out to be a better solution. I went over the whole project again and it for sure looks like the best possible solution.

I would be very interested in knowing how to properly perform the original setup as well. I am very critical about only opening what for sure needs to be. Then when I am allotted the time and resources to make database clusters and move my database to them I could possibly use that knowledge to either make it happen with the dmz or know why that should not be done.

Thanks for your time and knowledge!
BDithelpAuthor Commented:
In case others read this and need info from it:

After I moved the sql server to the dmz I had the same issue (error message : Please select a SQL instance version 8.00.000 or higher) on the application I was installing (happened to be Asigra ds-system).

I assume for all other reasons the ports I had initially opened above would have established the sql connection by putting in the server\instance manually (as you still would not be able to see it in the drop down browse as they are on separate subnets).

To resolve the error I modified the ports from the dmz to the domain controllers. This allowed my domain admin account to pull something it was missing before to access the sql server. I changed it to allow all ip and it worked for testing. Now working on closing it back up and hopefully finding the exact port causing the issue and limiting as much access as possible.

BDithelpAuthor Commented:
Was something beyond original issue causing problem. No real solution but issue was resolved
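
Added example for readers with the same question (not code from anyone in this thread): resolving a `server\instance` name across subnets uses a unicast query to the SQL Server Browser service on udp/1434, and the reply lists the TCP port each instance actually listens on, which for a named instance is often not 1433. The sketch below parses such a reply and flags instances whose port the rule from the thread (tcp/1433, tcp/1434) would not cover; the server name, instance names, version string and sample reply are constructed.

```python
import socket

ALLOWED_TCP = {1433, 1434}  # TCP ports opened in the firewall rule described in the thread

def parse_ssrp_response(data: bytes) -> list:
    """Parse an SQL Server Resolution Protocol SVR_RESP datagram: one dict per instance."""
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not an SSRP SVR_RESP message")
    size = int.from_bytes(data[1:3], "little")   # RESP_SIZE, little-endian
    body = data[3:3 + size]
    if len(body) != size:
        raise ValueError("truncated SSRP response")
    instances = []
    for chunk in body.decode("ascii", "replace").split(";;"):
        fields = chunk.strip(";").split(";")     # key;value;key;value...
        if len(fields) >= 2:
            instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances

def blocked_instances(instances, allowed=ALLOWED_TCP):
    """Return (instance name, tcp port) pairs the firewall rule does not cover."""
    blocked = []
    for inst in instances:
        port = inst.get("tcp")                   # absent if TCP/IP is disabled for the instance
        if port is None or int(port) not in allowed:
            blocked.append((inst.get("InstanceName"), port))
    return blocked

def query_browser(host, timeout=3.0):
    """Send a unicast CLNT_UCAST_EX (0x03) to udp/1434 on one host and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(b"\x03", (host, 1434))
        data, _ = s.recvfrom(65535)
    return parse_ssrp_response(data)

# Constructed sample reply: a default instance on 1433 and a named instance on a dynamic port.
SAMPLE_BODY = (
    b"ServerName;SQL01;InstanceName;MSSQLSERVER;IsClustered;No;Version;10.50.1600.1;tcp;1433;;"
    b"ServerName;SQL01;InstanceName;APPDB;IsClustered;No;Version;10.50.1600.1;tcp;49172;;"
)
SAMPLE = b"\x05" + len(SAMPLE_BODY).to_bytes(2, "little") + SAMPLE_BODY

if __name__ == "__main__":
    print(blocked_instances(parse_ssrp_response(SAMPLE)))
```

Run `query_browser` from the DMZ host against the one permitted server: a timeout means the udp/1434 request or its reply is being dropped, while a reply naming a port outside the rule means the instance needs a fixed TCP port rather than a wider rule.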