Is there any amazingly compelling reason why you _must_ have your CF box actually _in_ the DMZ, and then have to poke all these holes through your firewall? Wouldn't it be better/safer/easier to put your CF box fully behind your firewall and just open http port 80 traffic up to it from the big bad internet? This way you only have one hole in your firewall and only that one point of weakness and you don't expose the entire webserver to every attack the internet wants to throw at it.
Am I missing something?

Regards
Darren Tracey
Systems Analyst
Web Applications, Web and Integration Services
p: + 61 7 3232 4091 (x64091)
f: + 61 7 3232 4744
e: [EMAIL PROTECTED]
l: Lvl 9, 388 Queen St Brisbane QLD 4000
m: Suncorp IPC IT040, GPO Box 1453, Brisbane QLD 4000

> -----Original Message-----
> From: James Macpherson [SMTP:[EMAIL PROTECTED]
> Sent: Friday, 2 July 2004 18:07
> To: CFAussie Mailing List
> Subject: [cfaussie] RE: [OT] DMZ
>
> I would certainly hope not - I could be wrong...
>
> The first thing I'd try is maybe install the client tools on the webserver and see if you can get to your sql server with enterprise manager or query analyser from the webserver, any error message these give might be more useful (it might be something to do with the "named pipes" or SMB mentioned in the article etc. rather than the firewall per se)... then start looking at the firewall logs as Ryan suggested.
>
> Another hint may be to run 'netstat -na' on the database server to see what ports it's listening on - though I'd hope you wouldn't have to resort to forwarding these 1 by 1 to find out which one makes it tick then turn them off one by one - that's just a last resort that springs to mind.
>
> Good luck, sounds very interesting!
>
> - James
>
> -----Original Message-----
> From: George Lu [mailto:[EMAIL PROTECTED]
> Sent: Friday, 2 July 2004 5:42 PM
> To: CFAussie Mailing List
> Subject: [cfaussie] RE: [OT] DMZ
>
> Thanks James and for pointing me to the link. It's quite useful. We are using the 'sa' account and port 1433 but this is just for the testing. Their cases are for ASP.NET. Does it apply to ColdFusion server as well? Would CF use other secret ports for db connection?
>
> George
>
> >>> [EMAIL PROTECTED] 2/07/04 17:15:05 >>>
>
> George,
>
> I believe you just need 1433 and that's it; however, you have to be sure that on your ColdFusion server you're using the PUBLIC IP of the firewall and that this port is forwarded. Also if you're using Windows authentication this uses other ports (RPC???) that you don't want to be opening up at all...
>
> Oh and whilst I'm going paranoia mode; make sure your firewall only forwards 1433 from the webserver not ANYTHING to port 1433 - remember some of those fun worms that got around - and no default 'sa' passwords either!!! (I'm sure you weren't thinking of doing that but nonetheless...)
>
> I found this link <http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=35718> which sounds a lot like what you're trying to do which mentions named pipes etc. which may affect your specific setup.
>
> Regards,
>
> James
>
> -----Original Message-----
> From: George Lu [mailto:[EMAIL PROTECTED]
> Sent: Friday, 2 July 2004 4:43 PM
> To: CFAussie Mailing List
> Subject: [cfaussie] RE: [OT] DMZ
>
> Thanks. That's what we are doing now. What I want to know is what ports need to be open.
>
> George
>
> >>> [EMAIL PROTECTED] 2/07/04 16:37:13 >>>
>
> Hi George,
>
> I'm tempted to guess that your DMZ has public IPs, whilst your LAN has got private ones, in which case you will need to forward the database ports of your LAN gateway to the private IP database server? This kind of setup could be quite complicated, especially if you've never messed with firewalls and such before.
>
> Regards,
>
> J
>
> -----Original Message-----
> From: George Lu [mailto:[EMAIL PROTECTED]
> Sent: Friday, 2 July 2004 4:07 PM
> To: CFAussie Mailing List
> Subject: [cfaussie] [OT] DMZ
>
> Hi All,
>
> We're going to set up an extranet environment. One option is to place our ColdFusion server under DMZ (Demilitarized Zone) and the database server on the LAN. We try to test the connection between the CF server and the db server without opening UDP and most of the TCP/IP ports. However, the connection always fails no matter how many TCP/IP ports are open. I've tried to put 1839 or 1433 in the Data Source setting. Does anyone have a similar situation? Could someone give me an idea what's happening?
>
> Here was the error message when I tried to verify the data source:
>
> Connection verification failed for data source: Intranet
> []java.sql.SQLException: [Macromedia][SQLServer JDBC Driver]The requested instance is either invalid or not running.
> The root cause was that: java.sql.SQLException: [Macromedia][SQLServer JDBC Driver]The requested instance is either invalid or not running.
>
> Thank you in advance.
>
> George
>
> George Lu
> Web Developer/Engineer
> Information Systems and Technology
> Adult Multicultural Education Services
> 4/255 William Street
> Melbourne, Vic 3000
> ------------------------------------------
> Direct: 03 9926 4706
> Fax: 03 9926 4695
> Email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> Web: www.ames.net.au <http://www.ames.net.au>
> ------------------------------------------
>
> ---
> You are currently subscribed to cfaussie as: [EMAIL PROTECTED]
> To unsubscribe send a blank email to [EMAIL PROTECTED]
> Aussie Macromedia Developers: http://lists.daemon.com.au/
>
> AMES (Adult Multicultural Education Services)
> www.ames.net.au
>
> Disclaimer
>
> **********************************************************************
> This email and any attachments may be confidential. If received in error, please contact us and delete all copies.
> Before opening or using attachments you should check them for viruses or defects.
> Regardless of any loss, damage or consequence, whether caused by the negligence of the sender or not, resulting directly or indirectly from the use of any attached files our liability is limited to resupplying any affected attachments.
> Any representations or opinions expressed are those of the individual sender, and not necessarily those of Adult Multicultural Education Services (AMES).
> **********************************************************************

-----------------------------------------------------------------------------------
This e-mail is sent by Suncorp-Metway Limited ABN 66 010 831 722 or one of its related entities ("Suncorp"). Suncorp may be contacted at Level 18, 36 Wickham Terrace, Brisbane or on 1800 689 762 or at suncorp.com.au. The content of this e-mail is the view of the sender or stated author and does not necessarily reflect the view of Suncorp. The content, including attachments, is a confidential communication between Suncorp and the intended recipient. If you are not the intended recipient, any use, interference with, disclosure or copying of this e-mail, including attachments, is unauthorised and expressly prohibited. If you have received this e-mail in error please contact the sender immediately and delete the e-mail and any attachments from your system. If this e-mail constitutes a commercial message of a type that you no longer wish to receive please reply to this e-mail by typing Unsubscribe in the subject line.
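
Added example, not part of the original thread or written by any of its participants: one way to act on the 'netstat -na' suggestion above is to parse the database server's output and compare what is actually listening with the ports the firewall forwards. The sample output, addresses and the forwarded-port set are constructed for illustration, and the function names are hypothetical.

```python
# Constructed sample of Windows `netstat -na` output from a database server
# (addresses and ports are made up for illustration).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    10.0.0.20:1433         192.0.2.10:3051        ESTABLISHED
  TCP    10.0.0.20:139          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1434           *:*
  UDP    10.0.0.20:137          *:*
"""


def listening_endpoints(netstat_text):
    """Return {(proto, port)} for LISTENING TCP sockets and bound UDP sockets."""
    endpoints = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; established sessions are not listeners.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        port = local.rsplit(":", 1)[-1]  # rsplit also copes with [::]:1433
        if port.isdigit():
            endpoints.add((proto, int(port)))
    return endpoints


def compare_with_firewall(netstat_text, forwarded):
    """Compare the (proto, port) pairs the firewall forwards with real listeners."""
    listening = listening_endpoints(netstat_text)
    return {
        "forwarded_and_listening": sorted(forwarded & listening),
        "forwarded_but_nothing_listening": sorted(forwarded - listening),
        "listening_not_forwarded": sorted(listening - forwarded),
    }


if __name__ == "__main__":
    # Assumed firewall policy: only TCP 1433 is forwarded from the web server.
    report = compare_with_firewall(SAMPLE_NETSTAT, {("TCP", 1433)})
    for name, pairs in report.items():
        print(name, pairs)
```

A port in "forwarded_but_nothing_listening" is a hole in the firewall that serves no purpose and can be closed; entries in "listening_not_forwarded" are the candidates to review before opening anything further.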
