Re: ISA and SQL2000
From: Scott (Scott_at_discussions.microsoft.com)
Date: 12/23/04
Date: Thu, 23 Dec 2004 08:19:01 -0800
First off, thanks for the prompt response Phillip.
We are almost there, I should have explained better. Yes, I still need
Internet access TO the SQL server on 1433, but via the ISA server (or rather
THROUGH) the ISA server. I guess I just want a buffer between SQL and the
Internet. Maybe do a port redirection.... (ie maybe "listen" on 1433 on the
ISA server but redirect to the SQL server to a non-standard internal port?)
We get hammered each year in audits because of the SQL port being exposed to
the Internet straight on to the server. If I proxy it via ISA, I at least have
a buffer to play with.
Is this a better explanation?
Thanks again....
"Phillip Windell" wrote:
> "Scott" <Scott@discussions.microsoft.com> wrote in message
> news:C28D8C3C-187A-4F91-90C6-8C5E46B6FCAC@microsoft.com...
> > 1433. I would like to place an ISA server in a DMZ (or perimeter in front of
> > the SQL server) and have the ISA listen on port 1433 and possibly redirect
> > the requests internally to the SQL Server (which will not be exposed to the
> > Internet). Is this possible? If so, what steps would you recommend I use to
> > get started?
> >
> > On a related note, I run an Event Log Manager that alerts me of 1000+
> > attempts to log onto my SQL Server from the Internet due to the exposed port.
> > Would this be stopped if ISA is in front of the SQL server?
>
> Ok. Here's what I think you are asking. You want a Back-to-Back DMZ with ISA
> as the "inner" firewall between the LAN and DMZ. You want machines on the
> DMZ to get to the SQL on the LAN but not have Internet Users do the same.
> Assuming this is correct....
>
> 1. Eliminate any existing Static NAT or One-to-One NAT being performed by
> the "outer" Firewall to the SQL Server
>
> 2. Assuming ISA2004, right click on Firewall Policy, choose New, then Server
> Publishing Rule. Follow the prompts to create the Publishing rule for the
> Internal SQL Server. This will publish it to the External Nic of the ISA.
>
> 3. Contact the SQL from the DMZ by treating the ISA as if it was the SQL
> Server. As long as the "outer" Firewall does not do any Static or
> One-to-One NAT for SQL back to the ISA's External Nic,...the SQL Server will
> not be accessible from the Internet.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com