NT Gatekeeper: Configuring SQL Server Access Across a Firewall
Learn how to let your IIS front end communicate with your SQL Server back end without punching large holes in your firewall.
September 30, 2001
I'm developing a Web-based application that will let customers use their Internet browsers to query my company's product catalog. The Microsoft Internet Information Server (IIS) 4.0 machine that hosts the Web front end will be in a demilitarized zone (DMZ). The Microsoft SQL Server 6.5 database machine that hosts the product database will—for obvious security reasons—be in the internal security zone. A firewall shields the internal security zone from the DMZ. The IIS front end comprises a set of Active Server Pages (ASP) applications that uses ActiveX Data Objects (ADO) to interact with the SQL Server database. How can I let the IIS front end communicate with the SQL Server back end without punching large holes in my firewall?
To connect to a SQL Server database, ADO can use different network libraries, each of which implements a database-specific network protocol. SQL Server supports the TCP/IP, Multi-protocol, and Named Pipes network libraries. From a firewall-configuration point of view, the best choice is the TCP/IP network library because by default, it uses one port for incoming database traffic.
Behind the TCP/IP network library is a protocol called Tabular Data Stream (TDS)—a TCP-based database network protocol that Sybase developed. By default, TDS uses port 1433 for incoming database traffic. You can preset the TDS port to another port during SQL Server setup (when you select the Select Network Protocols option). After you've installed SQL Server, you must rerun the setup program and select the Change Network Support option to change the TDS port.
Firewall administrators are less fond of the two alternatives to the TCP/IP network library—the Multiprotocol and Named Pipes network libraries. The Multiprotocol network library uses remote procedure calls (RPCs) to communicate with the SQL Server database. As I explained in my September 2001 column, by default, incoming RPC traffic uses a variable inbound port. Therefore, firewall administrators must open 65,536 ports to let all RPCs pass through. However, you can configure RPC to use a fixed port. The SQL Server 6.5 documentation section "Custom Server Configuration Using the Multiprotocol Networking Library" explains the configuration process.
The Named Pipes network library uses the Server Message Block (SMB) protocol. From a firewall point of view, the problem with the SMB protocol is its use of connection sharing. Multiple applications can share one SMB connection. At the firewall level, connection sharing means that the content of every SMB packet needs to be evaluated differently, depending on which applications are using the SMB pipe.
About the Author
You May Also Like