How to check firewall rules to see if connection is made between server1 and server2

I have two servers, one on the DMZ and the other inside our domain.

The server on the DMZ is our web server, while the server inside our domain is the database server.

Let's call the database server inside our domain server2.

The web server on the DMZ is server1.

We set a firewall rule on server1 so our apps can access the database on server2.

Is there a simpler way to check the firewall rule set to allow access to server2?

Thanks in advance
sammySeltzer asked:
Shaun Vermaak (Technical Specialist) commented:
"Is there a simpler way to check the firewall rule set to allow access to server2?"
Windows Firewall logging is "simpler" than hardware firewalls. Enable Windows Firewall on both servers and set the logging to Always for both Dropped and Allowed packets.
https://www.experts-exchange.com/articles/31687/Windows-Firewall-as-Code.html

Vitor Montalvão (MSSQL Senior Engineer) commented:
You'll also need to create FW rules on server 2 to allow server 1 to perform the necessary connections to the database.
sammySeltzer (Author) commented:
Thanks to you two for your inputs.

Vitor, our infrastructure team created the firewall rules.

They told us the rules have been created. However, we were unable to ping the server for which the firewall rule was created.

They were advancing the argument that simply because we could not ping does not mean the firewall rule was not created.

So, we wanted to see if there is another simpler way to check if firewall rule was indeed created.

Your solution is dealing with creating the rules, but that's not what my issue is. It has already been created.
sammySeltzer (Author) commented:
Thanks
Vitor Montalvão (MSSQL Senior Engineer) commented:
If there's a rule created to not listen on the ping port, then the only way is to use the Telnet command on the port where the SQL Server instance is listening. Example:
telnet 192.168.100.25 1433

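The two checks suggested above (host-firewall logging of allowed and dropped packets, and a TCP test on the SQL port instead of ping) can be combined into one verification script. This is an added example, not code from the thread or from either expert; it assumes server2 runs the Windows Firewall, listens on TCP 1433, and that server1's address is 10.0.1.10 (a constructed value). Run it on server2; step 3 is run from server1.

```powershell
# Added example: verify that server1 can reach SQL Server on server2 through the firewall.
# Assumed, constructed values: server1 = 10.0.1.10, SQL port = 1433, default firewall log path.
param(
    [string]$Server1Ip = '10.0.1.10',
    [int]$SqlPort = 1433,
    [string]$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
)

# 1. Is there an enabled inbound ALLOW rule for TCP/$SqlPort in the local Windows Firewall?
$rules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and "$($_.LocalPort)" -eq "$SqlPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
if ($rules) { $rules | Format-Table DisplayName, Profile, Enabled -AutoSize }
else { Write-Warning "No enabled inbound allow rule for TCP $SqlPort on this host." }

# 2. Log both allowed and dropped packets on every profile, so the attempt from server1 leaves a trace.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogAllowed True -LogBlocked True -LogFileName $LogPath

# 3. From server1, run:   Test-NetConnection -ComputerName server2 -Port 1433
#    TcpTestSucceeded is the same signal as the telnet test: did the TCP handshake complete?

# 4. Back on server2, show what the firewall did with that packet.
#    pfirewall.log is W3C text: date time action protocol src-ip dst-ip src-port dst-port ... path
Get-Content $LogPath | Where-Object { $_ -notmatch '^#' } | ForEach-Object {
    $f = $_ -split ' '
    if ($f[4] -eq $Server1Ip -and $f[7] -eq "$SqlPort") {
        [pscustomobject]@{
            Time = "$($f[0]) $($f[1])"; Action = $f[2]; Proto = $f[3]
            Src = $f[4]; DstPort = $f[7]; Path = $f[-1]
        }
    }
} | Format-Table -AutoSize
```

An ALLOW RECEIVE line proves the host firewall passed the packet and a DROP line shows it was blocked locally; no line at all means the packet never reached server2, which points at the hardware firewall between the DMZ and the domain rather than at the rule on the server.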

Shaun Vermaak (Technical Specialist) commented:
This, from my article, easily creates exceptions for all SQL ports, including instances:
# Only act if SQL Server is installed on this host (the key exists)
$SqlKey = Get-ChildItem -ErrorAction SilentlyContinue "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server";
If ($null -ne $SqlKey)
{
    # Remove any existing copies first so the script can be re-run without creating duplicate rules
    netsh advfirewall firewall delete rule name="MSSQL - SQL Server"
    netsh advfirewall firewall delete rule name="MSSQL - SQL Admin Connection"
    netsh advfirewall firewall delete rule name="MSSQL - SQL Database Management"
    netsh advfirewall firewall delete rule name="MSSQL - SQL Service Broker"
    netsh advfirewall firewall delete rule name="MSSQL - SQL Debugger/RPC"
    netsh advfirewall firewall delete rule name="MSSQL - SQL Server Browse Button Service"
    netsh advfirewall firewall delete rule name="MSAS - SQL Analysis Services"
    netsh advfirewall firewall delete rule name="MSAS - SQL Browser"
    netsh advfirewall firewall delete rule name="MSRS - HTTP"
    netsh advfirewall firewall delete rule name="MSRS - SSL"

    # Static ports: Database Engine, DAC, Browser, Service Broker, RPC, Analysis Services, Reporting Services
    netsh advfirewall firewall add rule name="MSSQL - SQL Server" dir=in action=allow protocol=TCP localport=1433
    netsh advfirewall firewall add rule name="MSSQL - SQL Admin Connection" dir=in action=allow protocol=TCP localport=1434
    netsh advfirewall firewall add rule name="MSSQL - SQL Database Management" dir=in action=allow protocol=UDP localport=1434
    netsh advfirewall firewall add rule name="MSSQL - SQL Service Broker" dir=in action=allow protocol=TCP localport=4022
    netsh advfirewall firewall add rule name="MSSQL - SQL Debugger/RPC" dir=in action=allow protocol=TCP localport=135
    netsh advfirewall firewall add rule name="MSSQL - SQL Server Browse Button Service" dir=in action=allow protocol=UDP localport=1433
    netsh advfirewall firewall add rule name="MSAS - SQL Analysis Services" dir=in action=allow protocol=TCP localport=2383
    netsh advfirewall firewall add rule name="MSAS - SQL Browser" dir=in action=allow protocol=TCP localport=2382
    netsh advfirewall firewall add rule name="MSRS - HTTP" dir=in action=allow protocol=TCP localport=80
    netsh advfirewall firewall add rule name="MSRS - SSL" dir=in action=allow protocol=TCP localport=443

    # Per-instance program rules, so named instances on dynamic ports are covered too.
    # Each instance has a subkey such as MSSQL14.<name> (Database Engine) or MSAS14.<name> (Analysis Services).
    $SubKeys = Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server";
    ForEach ($SubKey in $SubKeys)
    {
        # $SubKey.Name is "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\<instance key>", so element 4 is the instance key.
        # "\MSSQLServer" is the shared settings key, not an instance, and is skipped.
        If ($SubKey.Name.Contains("\MSSQL") -And !$SubKey.Name.Contains("\MSSQLServer"))
        {
           $InstanceName = $SubKey.Name.Split("\")[4]
           # Use the key's own provider path; prefixing "HKLM:" to $SubKey.Name would double the hive name.
           $RegistryKey = Get-ItemProperty "$($SubKey.PSPath)\Setup" -Name SQLBinRoot;
           $EXEPath = "$($RegistryKey.SQLBinRoot)\sqlservr.exe";

           netsh advfirewall firewall delete rule name="MSSQL - $($InstanceName)"
           netsh advfirewall firewall add rule name="MSSQL - $($InstanceName)" dir=in action=allow program="$($EXEPath)"
        }
        If ($SubKey.Name.Contains("\MSAS"))
        {
            $InstanceName = $SubKey.Name.Split("\")[4]
            $RegistryKey = Get-ItemProperty "$($SubKey.PSPath)\Setup" -Name SQLBinRoot;
            $EXEPath = "$($RegistryKey.SQLBinRoot)\msmdsrv.exe";

            netsh advfirewall firewall delete rule name="MSAS - $($InstanceName)"
            netsh advfirewall firewall add rule name="MSAS - $($InstanceName)" dir=in action=allow program="$($EXEPath)"
        }
    }
}

