Yes, the MySQL server's DG points to the ISA DMZ address. I have the following information for you:
1/13/2011 11:51:43 fffc1c6c Firewall service The Firewall service is performing rule evaluation.
157 1/13/2011 11:51:43 fffc1c6c Firewall service Protocol: Bt MySQL
158 1/13/2011 11:51:43 fffc1c6c Firewall Engine Packet properties: Source IP address: 87.19.x.x Source array network: Local Host Destination IP address: x.x.x.x Destination array network: Perimeter
159 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server will check only rules that are associated with the protocol Bt MySQL.
160 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server is evaluating the rule MySQL.
161 1/13/2011 11:51:43 fffc1c6c Firewall service source does not match the packet.
162 1/13/2011 11:51:43 fffc1c6c Firewall service No matching rule was found.
163 1/13/2011 11:51:43 fffc1c6c Firewall service The listener on the IP address x.x.x.x accepted the request.
164 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server is looking for a deny access rule that matches traffic from the source to the destination.
165 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server is looking for a rule that is associated with the protocol MySQL.
166 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server will check only rules that are associated with the protocol MySQL.
167 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server is evaluating the rule Default rule.
168 1/13/2011 11:51:43 fffc1c6c Firewall service The rule Default rule matches the packet and may deny it. However, a rule that precedes this rule in the list of policy rules and matches the packet will take precedence and may allow the packet.
169 1/13/2011 11:51:43 fffc1c6c Firewall service The rule Default rule blocked the packet.
170 1/13/2011 11:51:43 fffc1c6c Firewall service The Firewall service is performing rule evaluation.
171 1/13/2011 11:51:43 fffc1c6c Firewall Engine Packet properties: Source IP address: x.x.x.x Source array network: Perimeter Destination IP address: 87.19.x.x Destination array network: Local Host
172 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server is looking for an applicable network rule.
173 1/13/2011 11:51:43 fffc1c6c Firewall service The packet was sent to or from the Local Host network. Therefore, an implicit network rule with a route relationship between the source and destination is applied.
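The rule evaluation recorded in the trace above can be extracted programmatically. The following is an added example, not part of the original post: it parses entries 157-169 and lists which rule was skipped on which criterion and which rule blocked the packet. The column names (seq, ctx, component) are labels assumed for this example; the post does not name the columns.

```python
import re

# Entries 157-169 copied from the trace in the post (addresses masked as posted).
TRACE = """\
157 1/13/2011 11:51:43 fffc1c6c Firewall service Protocol: Bt MySQL
158 1/13/2011 11:51:43 fffc1c6c Firewall Engine Packet properties: Source IP address: 87.19.x.x Source array network: Local Host Destination IP address: x.x.x.x Destination array network: Perimeter
159 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server will check only rules that are associated with the protocol Bt MySQL.
160 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server is evaluating the rule MySQL.
161 1/13/2011 11:51:43 fffc1c6c Firewall service source does not match the packet.
162 1/13/2011 11:51:43 fffc1c6c Firewall service No matching rule was found.
163 1/13/2011 11:51:43 fffc1c6c Firewall service The listener on the IP address x.x.x.x accepted the request.
164 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server is looking for a deny access rule that matches traffic from the source to the destination.
165 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server is looking for a rule that is associated with the protocol MySQL.
166 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server will check only rules that are associated with the protocol MySQL.
167 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server is evaluating the rule Default rule.
168 1/13/2011 11:51:43 fffc1c6c Firewall service The rule Default rule matches the packet and may deny it. However, a rule that precedes this rule in the list of policy rules and matches the packet will take precedence and may allow the packet.
169 1/13/2011 11:51:43 fffc1c6c Firewall service The rule Default rule blocked the packet.
"""

# One entry per line; group names are this example's own labels for the columns.
ENTRY = re.compile(
    r"^(?P<seq>\d+) (?P<date>\S+) (?P<time>\S+) (?P<ctx>[0-9a-f]{8}) "
    r"(?P<component>Firewall service|Firewall Engine) (?P<msg>.*)$", re.M)

def parse(trace):
    """Split the trace into dicts: seq, date, time, ctx, component, msg."""
    return [m.groupdict() for m in ENTRY.finditer(trace)]

def rule_outcomes(entries):
    """Return (rule, outcome) pairs in the order the rules were evaluated."""
    outcomes, current = [], None
    for e in entries:
        msg = e["msg"]
        if m := re.match(r"ISA Server is evaluating the rule (.+)\.$", msg):
            current = m.group(1)  # remember which rule the next messages refer to
        elif m := re.match(r"(\w+) does not match the packet\.$", msg):
            outcomes.append((current, f"skipped: {m.group(1)} mismatch"))
        elif m := re.match(r"The rule (.+) blocked the packet\.$", msg):
            outcomes.append((m.group(1), "blocked"))
    return outcomes

if __name__ == "__main__":
    for rule, outcome in rule_outcomes(parse(TRACE)):
        print(f"{rule}: {outcome}")
```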
Below is a log - all of them are the same as this one.
Not sure why the External address 188.220.57.56 is trying to use port 53240 - I am using a program called Navicat to test as this connects to MySQL remotely and I specify the port 3306.
Thanks
Denied Connection
BH-ISA01 1/13/2011 3:32:17 PM
Log type: Firewall service
Status:
Rule: Default rule
Source: External (188.220.57.56:53240)
Destination: Local Host (87.194.123.115:3306)
Protocol: MySQL
I am testing from outside the network (I did install the Navicat software on the ISA server to test and can connect from there to the MySQL server in the DMZ).
I set up a non-web server publishing rule as follows:
Action: Allow
Traffic: MySQL (3306 inbound)
From: External
To: IP of MySQL server
Networks: External (selected the correct external IP)
Schedule: Always
Oh OK, I've used Wireshark before, so I should be OK with the protocol analyzer.
Yes, I did use the non-web server publishing wizard.
I also did a test and created a small PHP web site on the MySQL server and used IIS. I then created a web publishing rule using the same IP addresses etc. and that worked fine, so I know the rules seem to be OK for HTTP on port 80. I just can't see why MySQL won't work.
I have a slightly different problem. My colleague wants to connect to MySQL that is on a Linux network. I have ISA Server 2006. My colleague has created a VPN on a Linux server for internal clients to connect through an IPsec (pre-shared key) VPN. I created an access rule: allowed protocols IKE clients/IPsec/L2TP/PPTP, from Internal to External, all users allowed. When my clients initiate a VPN connection from Internal to External, it does connect but they are unable to view the database, but when I disable the Firewall Client on the internal user's system it works fine. I do not want anyone disabling the Firewall Client. I think there must be a way to avoid it. Has anyone tried it yet?
Thanks for the reply, but normal users cannot disable FWC, and when they disable it, it stops Internet access as well. I am not sure, but is it normal to disable FWC?