Welcome to ISAserver.org

MySQL through ISA 2006 not working

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA 2006 Firewall] >> Access Policies >> MySQL through ISA 2006 not working

Page: [1]

Message

<< Older Topic Newer Topic >>

MySQL through ISA 2006 not working - 12.Jan.2011 9:24:19 AM

neilbarker

Posts: 43
Joined: 18.Jan.2010
Status: offline

Hi,

I have ISA 2006 running in a DMZ scenario. Internal network, External network and DMZ.

I have a server in the DMZ running MySQL that I need to connect to from external. I created a custom protocol for MySQL - TCP 3306 inbound.

I created a non web server publishing rule pointing traffic from external to the MySQL server using the custom protocol.

When I try to access the MySQL server from external it times out. What am I missing here?

Many thanks,

Neil

Post #: 1

Featured Links*

RE: MySQL through ISA 2006 not working - 12.Jan.2011 10:56:15 AM

paulo.oliveira

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline

Hi,

does MySQL machine default gateway pointing to ISA DMZ address?

What does ISA server real-time logging tells you?

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to neilbarker)

Post #: 2

RE: MySQL through ISA 2006 not working - 13.Jan.2011 7:02:29 AM

neilbarker

Posts: 43
Joined: 18.Jan.2010
Status: offline

Hi Paulo,

Yes the MySQL servers DG points to the ISA DMZ address. I have the following information for you:

1/13/2011 11:51:43 fffc1c6c Firewall service The Firewall service is performing rule evaluation.
157 1/13/2011 11:51:43 fffc1c6c Firewall service Protocol: Bt MySQL
158 1/13/2011 11:51:43 fffc1c6c Firewall Engine Packet properties: Source IP address: 87.19.x.x Source array network: Local Host Destination IP address: x.x.x.x Destination array network: Perimeter
159 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server will check only rules that are associated with the protocol Bt MySQL.
160 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server is evaluating the rule MySQL.
161 1/13/2011 11:51:43 fffc1c6c Firewall service source does not match the packet.
162 1/13/2011 11:51:43 fffc1c6c Firewall service No matching rule was found.
163 1/13/2011 11:51:43 fffc1c6c Firewall service The listener on the IP address x.x.x.x accepted the request.
164 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server is looking for a deny access rule that matches traffic from the source to the destination.
165 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server is looking for a rule that is associated with the protocol MySQL.
166 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server will check only rules that are associated with the protocol MySQL.
167 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server is evaluating the rule Default rule.
168 1/13/2011 11:51:43 fffc1c6c Firewall service The rule Default rule matches the packet and may deny it. However, a rule that precedes this rule in the list of policy rules and matches the packet will take precedence and may allow the packet.
169 1/13/2011 11:51:43 fffc1c6c Firewall service The rule Default rule blocked the packet.
170 1/13/2011 11:51:43 fffc1c6c Firewall service The Firewall service is performing rule evaluation.
171 1/13/2011 11:51:43 fffc1c6c Firewall Engine Packet properties: Source IP address: x.x.x.x Source array network: Perimeter Destination IP address: 87.19.x.x Destination array network: Local Host
172 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server is looking for an applicable network rule.
173 1/13/2011 11:51:43 fffc1c6c Firewall service The packet was sent to or from the Local Host network. Therefore, an implicit network rule with a route relationship between the source and destination is applied.

The entry beginning 161 concerns me.

Cheers,

Neil

(in reply to paulo.oliveira)

Post #: 3

RE: MySQL through ISA 2006 not working - 13.Jan.2011 9:09:50 AM

paulo.oliveira

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline

Hi Neil,

can you paste the logs that appear at Logging tab?

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to neilbarker)

Post #: 4

RE: MySQL through ISA 2006 not working - 13.Jan.2011 9:21:30 AM

neilbarker

Posts: 43
Joined: 18.Jan.2010
Status: offline

Hi Paulo,

I have looked in the logging but can't find any entries for the rules I have created. Do I need to add a filter and if so which one?

Many thanks,

Neil

(in reply to paulo.oliveira)

Post #: 5

RE: MySQL through ISA 2006 not working - 13.Jan.2011 9:25:27 AM

paulo.oliveira

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline

Hi,

add a filter to port 3306 and IP destination of your MySQL server.

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to neilbarker)

Post #: 6

RE: MySQL through ISA 2006 not working - 13.Jan.2011 9:49:56 AM

neilbarker

Posts: 43
Joined: 18.Jan.2010
Status: offline

Paulo,

I can't seem to copy the logs out from the logging tab! How can I do this???

Thanks,

Neil

(in reply to paulo.oliveira)

Post #: 7

RE: MySQL through ISA 2006 not working - 13.Jan.2011 10:35:00 AM

neilbarker

Posts: 43
Joined: 18.Jan.2010
Status: offline

Paulo,

Below is a log - all of them are the same as this one.

Not sure why the External address 188.220.57.56 is trying to use port 53240 - I am using a program called Navicat to test as this connects to MySQL remotely and I specify the port 3306.

Thanks

Denied Connection BH-ISA01 1/13/2011 3:32:17 PM Log type: Firewall service Status: Rule: Default rule Source: External (188.220.57.56:53240) Destination: Local Host (87.194.123.115:3306) Protocol: MySQL

(in reply to neilbarker)

Post #: 8

RE: MySQL through ISA 2006 not working - 13.Jan.2011 10:49:47 AM

paulo.oliveira

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline

Hi,

the source port is not relevant on this case, by default when you use a non-web server publishing rule, it allows all source port.

Are testing from a machine outside of your network?
Can you provide details of you server publishing rule?

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to neilbarker)

Post #: 9

RE: MySQL through ISA 2006 not working - 13.Jan.2011 11:06:38 AM

neilbarker

Posts: 43
Joined: 18.Jan.2010
Status: offline

Hi,

I am testing from outside the network (I did install the Navicat software on the ISA server to test and can connect from there to the MySQL server in the DMZ).

I setup a non web server publishing rule as follows:

Action: Allow
Traffic: MySQL (3306 inbound)
From: External
To: IP of MySQL server
Networks: External (selected the correct external IP)
Schedule: Always

Thanks,

Neil

(in reply to paulo.oliveira)

Post #: 10

RE: MySQL through ISA 2006 not working - 13.Jan.2011 1:11:01 PM

paulo.oliveira

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline

Hi,

how your ISA NICs are configured (ip, mask, gw, dns)?

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to neilbarker)

Post #: 11

RE: MySQL through ISA 2006 not working - 13.Jan.2011 1:15:13 PM

neilbarker

Posts: 43
Joined: 18.Jan.2010
Status: offline

Paulo,

I have set them up as per the instructions in the following link under the heading "Multiple NIC Deployment - ISA Server Standard Edition"

http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html

Cheers,

Neil

(in reply to paulo.oliveira)

Post #: 12

RE: MySQL through ISA 2006 not working - 13.Jan.2011 1:22:30 PM

paulo.oliveira

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline

Great! It seems your configs are all fine. You migth need to use a protocol analyzer to see things under the hood.

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to neilbarker)

Post #: 13

RE: MySQL through ISA 2006 not working - 13.Jan.2011 1:27:20 PM

neilbarker

Posts: 43
Joined: 18.Jan.2010
Status: offline

Protocol Analyzer?

I've never used it before. Will give it a go though.

As far as you can see have I done everything correctly?

(in reply to paulo.oliveira)

Post #: 14

RE: MySQL through ISA 2006 not working - 13.Jan.2011 1:32:26 PM

paulo.oliveira

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline

Hi,

yes, like network monitor or wireshark.

Just confirming, you used non-web server publishing wizard, not access rule wizard, right?

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to neilbarker)

Post #: 15

RE: MySQL through ISA 2006 not working - 13.Jan.2011 1:37:28 PM

neilbarker

Posts: 43
Joined: 18.Jan.2010
Status: offline

Oh ok I've used wireshark before so I should be ok with the protocol analyzer.

Yes, I did use the non web server publishing wizard.

I also did a test and created a small php web site on the MySQL server and used IIS. I then created a web publishing rule using the same IP addresses etc and that worked fine, so I know the rules seem to be ok for HTTP on port 80, I just can't see why MySQL won't work.

(in reply to paulo.oliveira)

Post #: 16

RE: MySQL through ISA 2006 not working - 18.Jan.2011 4:48:30 PM

gazy007

Posts: 43
Joined: 29.Aug.2008
Status: offline

I have got a bit different problem. My colleague want to connect to mysql that is on Linux network. I have got isa server 2006. My colleague has created a VPN on linux server for internal clients to connect through IPSEC (Preshared Key)vpn. I created an Access rule
Allowed Protocols ike clients/IPsec/L2tp/PPTP from Internal to external All users allowed.
When my clients initiate a VPN connection from Internal to External it does connect but unable to view database but When I disable firewall client on internal user system it works fine.
I do not want anyone to disabling firewall client. I think there must be a way to avoid it.
Anyone tried it yet?

(in reply to neilbarker)

Post #: 17

RE: MySQL through ISA 2006 not working - 18.Jan.2011 4:50:34 PM

paulo.oliveira

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline

Hi,

FWC must be disabled when using VPN.

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to gazy007)

Post #: 18

RE: MySQL through ISA 2006 not working - 18.Jan.2011 4:53:05 PM

gazy007

Posts: 43
Joined: 29.Aug.2008
Status: offline

Thanks for the reply but normal users can not disable FWC.
and when they disable it stops internet access as well
I am not sure but is it normal to disable FWC.

(in reply to paulo.oliveira)

Post #: 19

RE: MySQL through ISA 2006 not working - 18.Jan.2011 5:00:03 PM

paulo.oliveira

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline

Hi,

FWC client can handle only TCP and UCP winsock connections. IKE, GRE and others IP-level protocols are not handled by FWC.

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to gazy007)

Post #: 20