Title: Oracle Web Application
I have dealt with this myself more than once.  This is actually what is called an sqlnet2 connection in the firewall and I have been told it doesn't work.
 
Here is what happens:
 
First, the database is in multi-threaded mode.  In single thread mode, the server opens a separate login process for each connection and that user (and every other user) communicates to the server on port 1521 for the duration of the session and all the different users are identified by their user id.  So, the firewall sees port 1521 and everything is fine.  The drawback to this method is all those user processes hogging up resources.
 
Now, in multithreaded mode, the client connects on 1521 or 1526 and then is assigned a high port to use for the duration of the connection.  If you snoop it you see several packets on 1525 then it starts back up on a higher one.  The server identifies each connection/user by what port they come in on and doesn't have to create a new process, thereby supposedly saving resources.  The kicker here is that this port assignment is buried in the data portion of the packet and as such is not identifiable by the firewall.  I was told by Oracle that unless you have a large number of users connecting directly to the database, this method is actually worse than the single threaded method.
 
For an app server to database server connection, which is a lot of very fast connects and drops, I would definitely use the single threaded model.  Check your init.ora file on the database server for any parameters starting with "mts".  Comment them out and bounce the database.  You can always put them back if you run into performance problems.
 
Hope this helps.
 

Jim Edwards
Systems Manager
Texas Secretary of State


-----Original Message-----
From: Kelly, John [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 14, 2000 2:04 PM
To: [EMAIL PROTECTED]
Subject: [FW1] Oracle Web Application

My client just installed an Oracle web application on a web server in the DMZ. The web server needs to connect to the Oracle DB server on the internal network. The developer said that the app will communicate on ports 1521 and 1526. I added the rule to allow the connection with those ports specified as the service. The app cannot connect. The log on the FW-1 shows the initial connection on 1521, however the app also tries to open a connection on a random port in the 1850 range which is dropped. About a minute later the 1526 port opens but the app still fails. Anyone dealt with this before? I have him checking into why the app uses three ports (1521, 1526 and an 1850 something) but was hoping one of you has dealt with this and can point me in the right direction. Thanks!

John
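The init.ora check suggested in the reply above, as an added example that is not part of the original thread: it lists the active parameters whose names start with "mts" and writes a copy of the file with them commented out, so the change can be reviewed before the database is bounced. The function names and the sample init.ora contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an init.ora for active "mts*" parameters and produce
# a reviewed copy with them commented out. The original file is not modified.

# Print every active (uncommented) parameter whose name starts with "mts".
list_mts_params() {
    grep -iE '^[[:space:]]*mts[a-z0-9_]*[[:space:]]*=' "$1"
}

# Write a copy of $1 to $2 with active mts* lines commented out.
# Lines that are already comments are left as they are.
comment_out_mts() {
    sed -E 's/^([[:space:]]*)([Mm][Tt][Ss][A-Za-z0-9_]*[[:space:]]*=)/\1# \2/' "$1" > "$2"
}

# Constructed sample init.ora (values are illustrative, not from the thread).
write_sample_initora() {
    cat > "$1" <<'EOF'
db_name = WEBDB
processes = 100
mts_dispatchers = "(PROTOCOL=TCP)(DISPATCHERS=2)"
mts_servers = 2
  MTS_MAX_SERVERS = 10
# mts_max_dispatchers = 5
EOF
}

demo() {
    dir=$(mktemp -d)
    write_sample_initora "$dir/init.ora"
    echo "Active mts parameters:"
    list_mts_params "$dir/init.ora" || echo "(none)"
    comment_out_mts "$dir/init.ora" "$dir/init.ora.dedicated"
    echo "Diff to review before replacing the file and bouncing the database:"
    diff "$dir/init.ora" "$dir/init.ora.dedicated" || true
    rm -rf "$dir"
}

demo
```

Keeping the original file untouched makes it easy to put the parameters back if performance problems appear, as the reply suggests.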
