Welcome to ISAserver.org


Oracle and DMZ

Oracle and DMZ - 27.Dec.2003 8:35:00 PM   
rglauser

 

Posts: 94
Joined: 25.Feb.2002
From: Toledo, Ohio
Status: offline
I need to access an Oracle application through a DMZ. I have set up my ISA server and written persistent routing statements to point internal users through the DMZ to the Oracle server. I have written protocol definitions for 1521 inbound with 1024-65535 as secondary connections. I can reach the Oracle server and access and write data. Where it falls apart is when I attempt to download information to the local database on the user's machine. I can't find anything in the firewall logs to suggest a port that is not opening. I get a very specific TNS Listener error that suggests that it might be a programming error on their part but I have been unable to reach the authors of this piece of software to see if this is the case. My first question is: Does ISA treat a DMZ interface that is not trusted as an external interface, thus allowing secondary connections, or should I be looking at writing protocol definitions to open each likely port?
Post #: 1
RE: Oracle and DMZ - 29.Dec.2003 4:43:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi R,

The DMZ interface is only exposed to packet filters and should not be included in the LAT.

HTH,
Tom

(in reply to rglauser)
Post #: 2
RE: Oracle and DMZ - 29.Dec.2003 6:00:00 PM   
rglauser

 

Posts: 94
Joined: 25.Feb.2002
From: Toledo, Ohio
Status: offline
It is not part of the LAT. If you look at DMZ and Spoofing posted on Dec. 18, 2003 you will see my current configuration.

(in reply to rglauser)
Post #: 3
RE: Oracle and DMZ - 3.Jan.2004 8:06:00 PM   
khowlette

 

Posts: 33
Joined: 21.May.2003
Status: offline
You may need 1526 as well. I did it internal LAN to DMZ and needed to specify secondary ports 1025-65536. Also check tnsnames is resolving; you may need to edit the tnsnames.ora file.
Check out this link as well: http://www.winnetmag.com/Windows/Article/ArticleID/24863/24863.html

(in reply to rglauser)
Post #: 4
RE: Oracle and DMZ - 8.Jul.2005 6:02:00 PM   
sergiovc

 

Posts: 4
Joined: 8.Jul.2005
From: Santa Cruz - Bolivia
Status: offline
I used the Microsoft Management Console (MMC) ISA Management snap-in to create a protocol definition named SQL*Net (Inbound) with the following parameters.

Port number: 1521
Protocol type: TCP
Direction: Inbound
No secondary connections
Then, I created a client address set that included the clients on the DMZ. I also created a publishing rule for the Oracle server. I applied the publishing rule to the SQL*Net (Inbound) protocol and to requests from the client set.

On the Oracle server, I added the system environment variable setting USE_SHARED_SOCKET, with the value TRUE. On Oracle for Windows, you can alternatively add a registry value called USE_SHARED_SOCKET to create the setting. This environment variable setting works on Windows and UNIX platforms.

I used Oracle's Net8 Easy Config utility to configure clients to point to the ISA Server's external interface. Then, I used Notepad to edit the connection string in C:\orawinnt\net80\admin\tnsnames.ora. I added the text (SERVER=DEDICATED) immediately after the text (SID=DB) in the connection string. UNIX requires the same change in the tnsnames.ora file. After my changes, the client connection from the DMZ to Oracle was successful.

(in reply to rglauser)
Post #: 5
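
An added example, not code from this thread or from Oracle or Microsoft: a small Python check that parses tnsnames.ora text and flags entries that lack the (SERVER=DEDICATED) setting described in post #5, or that point at a port other than the 1521 protocol definition. The aliases and addresses in SAMPLE are constructed, and the parser assumes unquoted values.

```python
import re
TOKEN = re.compile(r"[()=]|[^\s()=]+")

def parse_tnsnames(text):
    """Parse tnsnames.ora text into {alias: [(KEY, value-or-nested-list), ...]}."""
    toks = TOKEN.findall(re.sub(r"#.*", "", text))  # drop comments, tokenize
    pos = 0
    def value():
        nonlocal pos
        if toks[pos] != "(":                 # plain scalar such as 1521
            pos += 1
            return toks[pos - 1]
        pairs = []
        while pos < len(toks) and toks[pos] == "(":
            key = toks[pos + 1].upper()      # toks[pos + 2] is "="
            pos += 3
            pairs.append((key, value()))
            pos += 1                         # closing ")"
        return pairs
    entries = {}
    while pos < len(toks):
        alias, pos = toks[pos], pos + 2      # skip alias and "="
        entries[alias] = value()
    return entries

def find(node, key):
    """Collect every value stored under key anywhere below node."""
    if isinstance(node, str):
        return []
    return [v for k, v in node if k == key] + [x for _, v in node for x in find(v, key)]

def audit(text, allowed_ports=("1521",)):
    """Return {alias: [issues]}; an empty list means nothing was flagged."""
    report = {}
    for alias, tree in parse_tnsnames(text).items():
        issues = []
        servers = [s for cd in find(tree, "CONNECT_DATA") for s in find(cd, "SERVER")]
        if "DEDICATED" not in [s.upper() for s in servers if isinstance(s, str)]:
            issues.append("CONNECT_DATA lacks (SERVER=DEDICATED)")
        issues += [f"PORT {p} is outside the published protocol definition"
                   for p in find(tree, "PORT") if p not in allowed_ports]
        report[alias] = issues
    return report

SAMPLE = """# constructed sample: aliases and addresses are made up
DB_OK.WORLD = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.0.2.10)(PORT = 1521))
    (CONNECT_DATA = (SID = DB)(SERVER = DEDICATED)))
DB_OLD.WORLD = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.0.2.10)(PORT = 1526))
    (CONNECT_DATA = (SID = DB)))"""
```

Calling audit(SAMPLE) returns an empty list for DB_OK.WORLD and two findings for DB_OLD.WORLD; pass the ports your own protocol definitions cover as allowed_ports.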
