How do I route SQL traffic from an internet web server in the DMZ to my internal network?

If I have a web server in my DMZ that hosts an internet facing web application, and that web application depends on a SQL server on my internal network - how do I route SQL traffic through the firewall that separates my DMZ from my internal network?

Do I just open up the SQL traffic ports? Or is there some secure way to handle SQL traffic through this firewall?

Also, on my internet firewall, would I then be blocking the SQL ports so that people can't get from the internet to my SQL server?

Network Architect
Take a look at http://support.microsoft.com/kb/287932.  As for the routing part, you'll route based on IP address, so as long as the firewall knows where the two addresses are, that part of it should work.  The more challenging part is allowing the proper ports through, and that's where that article should help.  Coming from the DMZ area to the inside area, you would only want to allow the proper ports, and only when sourced from the IP address the server would use.  

I'm a little confused by your last question.  Allowing those ports to the inside shouldn't in any way interfere with traffic from the outside accessing the server, but are you saying hosts on the Internet need to get directly to your SQL database? You should be able to configure rules to allow that that won't interfere with the other rules, but that doesn't seem to me like what you should be doing.  Hosts on the outside should be able to reach your server, then the server alone should be able to access the SQL data.
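The restriction described in the answer above (only the proper port, and only from the web server's address) can be checked by replaying a few flows against the DMZ firewall's rule list. This is an added example, not part of the original thread: the addresses, the `Rule` model and the first-match, default-deny evaluation are assumptions, and TCP 1433 is the default port of a default SQL Server instance.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

SQL_PORT = 1433  # default TCP port of a default SQL Server instance
# Constructed addresses (documentation/private ranges), not from the thread.
WEB, DMZ_OTHER = "192.0.2.10", "192.0.2.77"
SQL, INTERNAL_OTHER = "10.10.0.20", "10.10.0.30"
INTERNET = "203.0.113.50"

@dataclass
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    port: Optional[int]   # TCP destination port, None = any

def decide(rules, src, dst, port):
    """First matching rule wins; traffic matching no rule is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.port in (None, port)):
            return r.action
    return "deny"

# Intended policy: only web server -> SQL server on the SQL port passes.
PROBES = [
    (WEB, SQL, SQL_PORT, "allow"),
    (DMZ_OTHER, SQL, SQL_PORT, "deny"),       # another DMZ host
    (INTERNET, SQL, SQL_PORT, "deny"),        # a host on the internet
    (WEB, INTERNAL_OTHER, SQL_PORT, "deny"),  # web server to a different internal host
    (WEB, SQL, 3389, "deny"),                 # web server to SQL server, other port
]

def violations(rules):
    """Return the probes whose decision differs from the intended policy."""
    return [(s, d, p) for s, d, p, want in PROBES if decide(rules, s, d, p) != want]

PORT_OPEN = [Rule("allow", "0.0.0.0/0", SQL + "/32", SQL_PORT)]   # "just open the port"
SUBNET_WIDE = [Rule("allow", "192.0.2.0/24", "10.10.0.0/24", SQL_PORT)]
TIGHT = [Rule("allow", WEB + "/32", SQL + "/32", SQL_PORT)]       # host to host, one port

if __name__ == "__main__":
    for name, rs in [("PORT_OPEN", PORT_OPEN), ("SUBNET_WIDE", SUBNET_WIDE), ("TIGHT", TIGHT)]:
        print(name, violations(rs))
```

Only the host-to-host rule produces no violations; the other two rule sets let a second DMZ host, an internet host or a second internal destination through.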


You are right - I only want my web server to be able to talk to SQL through the DMZ firewall. I do not want other servers out on the internet to be able to access the SQL server on the internal network.

I wasn't sure if I needed to block SQL at the internet firewall or just put a rule in my DMZ firewall to only allow my internet web server to talk to it.

Thanks for the MS Link - the port numbers make sense, I just wasn't sure about blocking SQL at the internet firewall.

You need to put a rule in your firewall to only allow the webserver to talk to the SQL server. Do you need help configuring the firewall? If so, what type of firewall is it?