Re: SQL through a Pix Firewall
From: Mark J. McGinty (mmcginty_at_spamfromyou.com)
Date: 06/17/05
- Previous message: SOHO: "Re: How to control SQL Server 2000 login and logout Method / Event."
- In reply to: jokes54321: "SQL through a Pix Firewall"
- Next in thread: jokes54321: "Re: SQL through a Pix Firewall"
- Reply: jokes54321: "Re: SQL through a Pix Firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 17 Jun 2005 00:58:02 -0700
"jokes54321" <jokes54321@nospam.com> wrote in message
news:%237zO2WvcFHA.2980@TK2MSFTNGP10.phx.gbl...
> We are implementing a Pix firewall. The database servers will be attached
> to one port of the Pix, the domain controllers attached to another, and
> the clients attached to yet another port. So far the SQL clients can
> access the server using SQL authentication but not Windows authentication.
> What ports do I need to open and to which devices?
>
> I'm not sure how SQL and Windows Authentication work. Does the client send
> its credentials to the server which in turn validates them against the
> domain controllers?
>
> I know the connectivity is there since SQL authentication works.
I assume you mean that clients, DCs and SQL servers will be connected to
separate interfaces on the PIX (not ports.) What model PIX do you have?
Are the DCs and SQLs both on "inside" interfaces?
You really don't want to open up NTLM to untrusted networks; ideally the SQL
and DC boxes would be on the same side of the firewall. But if they're not,
one way to do it would be to allow any traffic between those hosts. (If
there are multiple hosts on either side, hopefully they can be subnetted
together.)
I don't know specifically all of the ports that are involved -- lsass listens on
a boatload of ports, UDP 389, 500, 4500, 464; TCP 389, 500, 1025, 636...
Some are Kerberos, some are LDAP... it's really a mess. Luckily for me,
it's not something I've ever even considered; if I trust a net well enough
to open up NTLM (et al) then I trust it enough to open all ports.
-Mark
> Thanks,
>
> Denny
>
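The host-to-host allow that Mark describes, written out as PIX 6.x access-list statements. This is an added example, not configuration from the thread; the interface names (sql, dc, clients), security levels and the addresses 10.0.10.5 (SQL server), 10.0.20.10 and 10.0.20.11 (DCs) and 10.0.30.0/24 (clients) are placeholders constructed for the example, and the identity static entries assume PIX 6.x behaviour for lower-to-higher security traffic.

```cisco
! Assumed layout for this example: each group on its own PIX interface
nameif ethernet1 sql security60
nameif ethernet2 dc security80
nameif ethernet3 clients security40

! PIX 6.x needs a translation entry before a lower-security interface (sql)
! can reach a host on a higher-security one (dc); identity statics keep the
! addresses unchanged (placeholder addresses constructed for this example)
static (dc,sql) 10.0.20.10 10.0.20.10 netmask 255.255.255.255
static (dc,sql) 10.0.20.11 10.0.20.11 netmask 255.255.255.255

! Traffic entering the PIX from the SQL interface: the SQL server may reach
! the two DCs with any protocol, which is the "allow any traffic between
! those hosts" approach from the reply, scoped to those hosts only. Everything
! else from that interface is dropped and logged.
access-list sql_in permit ip host 10.0.10.5 host 10.0.20.10
access-list sql_in permit ip host 10.0.10.5 host 10.0.20.11
access-list sql_in deny ip any any log
access-group sql_in in interface sql

! Traffic entering from the client interface: only the SQL Server listener
! (TCP 1433) on the SQL host. Return traffic is handled by the PIX state
! table, so no reverse rules are needed on the dc or sql interfaces.
static (sql,clients) 10.0.10.5 10.0.10.5 netmask 255.255.255.255
access-list clients_in permit tcp 10.0.30.0 255.255.255.0 host 10.0.10.5 eq 1433
access-list clients_in deny ip any any log
access-group clients_in in interface clients
```

The deny-and-log lines are what turn the firewall into a detection point: any DC-bound traffic from a host other than the SQL server shows up in the syslog rather than silently passing.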