SQL cluster firewall question
- From: "Enghps1" <jamesserjeant@xxxxxxxxxxxxxxxx>
- Date: Fri, 19 Jan 2007 18:43:25 -0000
We have been running a standalone SQL2005 box which uses a dedicated
webserver for the last 12 months and both sit on our perimeter (DMZ) zone.
The SQL box is now due to be replaced by a failover SQL cluster. Failover
clusters require domain access and therefore it will have to sit on the
TRUSTED zone but now we face a real security issue with how the webserver
(in the DMZ) can safely talk to the cluster (in the TRUST) without
compromising security. I can maybe live with opening 1433 for SQL as it will
still require authentication, but .NET on the DMZ webserver will still
require port 80 to be open to the cluster. Am I missing something here,
surely this can't be done safely? I fear the only "safe" method is to create
a new standalone domain in the DMZ to facilitate the SQL cluster as this
seems to be the only way for the failover cluster to sit in the DMZ. How
else can the DMZ webserver talk to the SQL Cluster if the cluster sits in
the Trusted zone? Is PAT a safe alternative? Any advice appreciated. Thanks.