Need outside port 1433 open - SBS2003 ISA2004

A vendor application at one of our SBS sites needs port 1433 access to the SBS2003 server.
SBS2003 has 2 NICs and ISA2004 running to manage the traffic between them.

SBS Lan side is 192.168.16.2
SBS Wan side is 10.0.0.5
Router is a Cisco RV042.  We normally have port forwarding rules created for email etc. pointing to the WAN-side NIC, i.e. 10.0.0.5.

I tried opening port 1433 to 10.0.0.5, but that wasn't enough to get the vendor on board.

I'm thinking an ISA rule may need to be created.  Not being very proficient in ISA, if someone believes that to be the case, might it be possible to have a definitive description of the rule?

If it is something other than that, let me know.

Thanks
Bruce
BBrayton asked:

Dave Baldwin (Fixer of Problems) commented:
"port 1433" is normally for Microsoft SQL Server.  Is it installed on that machine?
BBrayton (Author) commented:
SQL is installed on that machine.  The application they are contemplating requires the software vendor access via the port.

Evidently it is partially on site and partially off site.
Rob Williams commented:
For the record, it is very unusual and very insecure to have port 1433 exposed to the internet. In the event it is required between sites, this is usually done via VPN, for security and to allow simultaneous access to other services such as DNS, port 80, and additional services for authentication.


BBrayton (Author) commented:
I may be able to lock down the source.  

However, can you advise on the technique here to open that port in the dual-NIC situation, with or without ISA?
Keith Alabaster (Enterprise Architect) commented:
In the ISA GUI, instead of creating an access rule, create a non-web publishing rule. Select (or create, then select) a protocol for SQL using TCP port 1433-1433 (or whatever you want), inbound; select the external interface to listen on, and provide the internal IP address that you want the 1433 traffic to be forwarded to on the inside.
Apply the policy.
Job done.
Rob Williams commented:
If ISA is installed you will need to use the ISA tools to do so, but I am afraid I am not familiar enough with ISA. If ISA is not installed, it is open by default. In a 2-NIC configuration RRAS is enabled, which disables the Windows Firewall. There is usually more to it than just enabling port 1433: you normally also need UDP port 1434, and you need to configure a listening port for SQL, as on a LAN it uses dynamically assigned ports, which is not an option for Internet use. Perhaps an ISA expert will join in with specifics, but as mentioned it is not a best practice.
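The two things Rob points at (the UDP 1434 browser/resolution service and a fixed TCP listening port) can be verified from the vendor's side before anyone touches the RV042 or ISA. The script below is an added example, not code from this thread or from Microsoft. It assumes the 10.0.0.5 WAN-side address from the question is the host being probed, and the embedded SSRP response is a constructed sample (instance names and the 1057 dynamic port are made up) so the parser can be exercised offline; the on-the-wire format (a single 0x03 byte to UDP 1434, answered by 0x05, a little-endian length, and `key;value;` pairs with `;;` between instances) is the documented SQL Server Resolution Protocol.

```python
"""Probe a SQL Server host the way a remote vendor would (added example).

Sends the SSRP CLNT_UCAST_EX request to UDP 1434, lists every instance the
host advertises, and flags any instance that is not on the static TCP port
you intend to publish, which is the "dynamically assigned ports" problem
Rob describes.
"""
from __future__ import annotations

import socket
import struct
import sys

SQL_BROWSER_PORT = 1434        # UDP: SQL Server Browser / Resolution Service
SQL_DEFAULT_TCP_PORT = 1433    # the port the asker wants published
CLNT_UCAST_EX = b"\x03"        # SSRP request: "list all instances"

# Constructed sample response (NOT captured from the asker's server): a default
# instance on the static port 1433 and a second instance on a dynamic port.
_SAMPLE_BODY = (
    b"ServerName;SBS;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;8.00.2039;tcp;1433;;"
    b"ServerName;SBS;InstanceName;SBSMONITORING;IsClustered;No;"
    b"Version;8.00.2039;tcp;1057;np;\\\\SBS\\pipe\\MSSQL$SBSMONITORING\\sql\\query;;"
)
SAMPLE_SSRP_RESPONSE = b"\x05" + struct.pack("<H", len(_SAMPLE_BODY)) + _SAMPLE_BODY


def parse_ssrp_response(data: bytes) -> list[dict]:
    """Decode an SSRP SVR_RESP message into one dict of key/value pairs per instance."""
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not an SSRP SVR_RESP message")
    (size,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):          # ";;" terminates each instance
        if not record:
            continue
        fields = record.split(";")           # alternating key, value
        instances.append({fields[i]: fields[i + 1] for i in range(0, len(fields) - 1, 2)})
    return instances


def instances_off_expected_port(instances: list[dict], expected_port: int = SQL_DEFAULT_TCP_PORT) -> list[str]:
    """Names of instances not listening on the static TCP port you plan to forward.

    An instance with no "tcp" key has TCP disabled and is flagged as well.
    """
    return [i.get("InstanceName", "?") for i in instances if i.get("tcp") != str(expected_port)]


def query_sql_browser(host: str, timeout: float = 2.0) -> list[dict]:
    """Live SSRP query against a host (needs UDP 1434 reachable)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_UCAST_EX, (host, SQL_BROWSER_PORT))
        data, _ = s.recvfrom(65535)
    return parse_ssrp_response(data)


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connect to host:port succeeds (what the vendor's app needs first)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.5"   # SBS WAN-side NIC from the question
    print(f"TCP {SQL_DEFAULT_TCP_PORT} reachable on {host}: {tcp_port_open(host, SQL_DEFAULT_TCP_PORT)}")
    try:
        found = query_sql_browser(host)
    except OSError as exc:
        print(f"UDP {SQL_BROWSER_PORT} not answering ({exc}); falling back to the constructed sample")
        found = parse_ssrp_response(SAMPLE_SSRP_RESPONSE)
    for inst in found:
        print(f"  {inst.get('InstanceName')}: tcp={inst.get('tcp', 'disabled')}")
    off = instances_off_expected_port(found)
    if off:
        print("Not on the static port, fix before publishing:", ", ".join(off))
```

Run it from outside the site (`python sqlprobe.py <public address>`): if TCP 1433 is closed but the browser answers, the RV042 forward or the ISA rule is what is missing; if the browser lists the instance on a port other than 1433, the SQL instance itself still needs a static listening port, and no firewall rule will fix that. Two caveats a practitioner should weigh before publishing either port: UDP 1434 on SQL 2000/MSDE is the service SQL Slammer hit in 2003, and once the instance is on a fixed port the vendor does not need 1434 at all, so leave it closed; and whichever port is opened, restrict the source at the router or in the ISA rule to the vendor's addresses, as the asker proposes above, or use the VPN Rob recommends instead.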
Rob Williams commented:
Speaking of ISA experts :-)
Sorry, I refreshed, but I guess we were less than a minute apart.
Keith Alabaster (Enterprise Architect) commented:
Hey Rob, as you mentioned, a crap approach compared to best practice, but I have given up trying to educate these days... no one wants to listen to expert advice; they just want it to work, and screw the security implications for their users, clients or own company data.
BBrayton (Author) commented:
Right on the money.
Rob Williams commented:
You sound frustrated :-) It's like beating your head against the wall, isn't it?
I don't blame BBrayton; it's the vendors of these apps: "all you need to do is...."
Keith Alabaster (Enterprise Architect) commented:
I don't blame anyone, it's just one of those things....
Dave Baldwin (Fixer of Problems) commented:
It's worse.  We've had a couple of questions where the vendor simply says that their app works and it's up to you to "fix your network".  And... "No, we're not going to help you."