Guri,
1) Is your web site using COM objects to access the database?
2) If so, then are they "transaction based"?
If the answers to 1 & 2 are yes then you should look to setting the DCOM
port range on the SQL Server to a known value so that a correct &
appropriate ruleset can be applied for this communication.
Registry key and values needed:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]
"Ports"=hex(7):31,30,30,30,30,2d,31,30,31,30,30,00,00
"PortsInternetAvailable"="Y"
"UseInternetPorts"="Y"
The ports entry shown here is 10000-10100/tcp but you can set it to what
you want.
I would also suggest using a static NAT for the internal side of the Web
Server for this type of communication.
Your ruleset would then look something like
Source        Destination   Service
Web Server    SQL Server    1433/tcp (default SQL tcp port)
                            135/tcp (RPC port)
                            10000-10100/tcp (your DCOM port range)
SQL Server    Web Server    135/tcp (RPC port)
                            10000-10100/tcp (your DCOM port range)
Regards,
Ken...
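
[Added example, not part of Ken's message or any vendor tooling.] The "Ports" value above is a REG_MULTI_SZ written as single-byte hex, so picking a different range means re-encoding it and keeping the firewall services in step. The sketch below decodes and encodes that line and derives the matching rule rows; the function names and host labels are assumptions made for illustration.

```python
import re

# The "Ports" line exactly as it appears in the message above.
PAGE_LINE = '"Ports"=hex(7):31,30,30,30,30,2d,31,30,31,30,30,00,00'

def decode_ports(reg_line):
    """Decode a hex(7) (REG_MULTI_SZ) line into a list of (low, high) ranges.

    Assumes REGEDIT4-style data (one byte per character), as in the message;
    "Windows Registry Editor Version 5.00" exports use UTF-16LE instead.
    """
    _, _, data = reg_line.partition("=")
    if not data.startswith("hex(7):"):
        raise ValueError("expected a hex(7) REG_MULTI_SZ value")
    raw = bytes(int(b, 16) for b in data[len("hex(7):"):].split(","))
    ranges = []
    for item in raw.decode("ascii").split("\0"):
        if not item:
            continue  # NUL string terminators and the final list terminator
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"not a port or port range: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of bounds: {item!r}")
        ranges.append((lo, hi))
    return ranges

def encode_ports(ranges):
    """Build the .reg line for the given ranges (inverse of decode_ports)."""
    strings = [str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in ranges]
    raw = b"".join(s.encode("ascii") + b"\0" for s in strings) + b"\0"
    return '"Ports"=hex(7):' + ",".join(f"{b:02x}" for b in raw)

def ruleset(ranges, web="Web Server", sql="SQL Server"):
    """Rule rows in the shape of the table above: (source, destination, services)."""
    dcom = [f"{lo}-{hi}/tcp" for lo, hi in ranges]
    return [
        (web, sql, ["1433/tcp", "135/tcp"] + dcom),  # SQL, RPC, DCOM range
        (sql, web, ["135/tcp"] + dcom),              # RPC and DCOM range back
    ]

if __name__ == "__main__":
    current = decode_ports(PAGE_LINE)
    print(current)
    for src, dst, services in ruleset(current):
        print(f"{src:<12}{dst:<12}{', '.join(services)}")
```

Comparing the decoded registry range with the range in the firewall services catches the case where one was changed without the other.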
**********************************************************************************************
hi,
look at the drops between your web-server and the sql-server and open the
required ports.
cheers
reinhard
At 12:44 16.10.2003, you wrote:
>Hello Everybody,
>
>I need help.
>
>AA.
>We have a FW-1 FP-3 on Win2k running fine. We have a Win2k Server(Global
>IP- static NAT, Workgroup) on the DMZ which is required to connect to a
>database server(Win SQLServer 2K) on the Internal Net (Hide NAT). The
>connection process is as follows:
>External (Internet)------->
>FW------>WebServer(DMZ)------>FW------>Database Server(Internal) and back.
>
>BB.
>If the relevant rules are as follows, everything runs absolutely fine and
>there is no problem
>
>1. Any Webserver any http/https accept log
>2. Webserver Internal any any accept log
>
>CC.
>I do not want to allow all services from the WebServer(DMZ) to the
>Internal Net for obvious reasons. Rule 1 is OK. In Rule 2, I have tried to
>restrict the services to microsoft-ds instead of 'any' . Immediately
>thereafter connections to the Webserver are lost.
>
>I would be grateful for any help.
>Thanks in advance.
>
>Guri
>