neilbarker -> MySQL through ISA 2006 not working (12.Jan.2011 9:24:19 AM)
Hi,
I have ISA 2006 running in a DMZ scenario. Internal network, External network and DMZ.
I have a server in the DMZ running MySQL that I need to connect to from external. I created a custom protocol for MySQL - TCP 3306 inbound.
I created a non web server publishing rule pointing traffic from external to the MySQL server using the custom protocol.
When I try to access the MySQL server from external it times out. What am I missing here?
Many thanks,
Neil
paulo.oliveira -> RE: MySQL through ISA 2006 not working (12.Jan.2011 10:56:15 AM)
Hi,
Does the MySQL machine's default gateway point to the ISA DMZ address?
What does ISA Server real-time logging tell you?
Regards, Paulo Oliveira.
neilbarker -> RE: MySQL through ISA 2006 not working (13.Jan.2011 7:02:29 AM)
Hi Paulo,
Yes, the MySQL server's DG points to the ISA DMZ address. I have the following information for you:
1/13/2011 11:51:43 fffc1c6c Firewall service The Firewall service is performing rule evaluation.
157 1/13/2011 11:51:43 fffc1c6c Firewall service Protocol: Bt MySQL
158 1/13/2011 11:51:43 fffc1c6c Firewall Engine Packet properties: Source IP address: 87.19.x.x Source array network: Local Host Destination IP address: x.x.x.x Destination array network: Perimeter
159 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server will check only rules that are associated with the protocol Bt MySQL.
160 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server is evaluating the rule MySQL.
161 1/13/2011 11:51:43 fffc1c6c Firewall service source does not match the packet.
162 1/13/2011 11:51:43 fffc1c6c Firewall service No matching rule was found.
163 1/13/2011 11:51:43 fffc1c6c Firewall service The listener on the IP address x.x.x.x accepted the request.
164 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server is looking for a deny access rule that matches traffic from the source to the destination.
165 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server is looking for a rule that is associated with the protocol MySQL.
166 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server will check only rules that are associated with the protocol MySQL.
167 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server is evaluating the rule Default rule.
168 1/13/2011 11:51:43 fffc1c6c Firewall service The rule Default rule matches the packet and may deny it. However, a rule that precedes this rule in the list of policy rules and matches the packet will take precedence and may allow the packet.
169 1/13/2011 11:51:43 fffc1c6c Firewall service The rule Default rule blocked the packet.
170 1/13/2011 11:51:43 fffc1c6c Firewall service The Firewall service is performing rule evaluation.
171 1/13/2011 11:51:43 fffc1c6c Firewall Engine Packet properties: Source IP address: x.x.x.x Source array network: Perimeter Destination IP address: 87.19.x.x Destination array network: Local Host
172 1/13/2011 11:51:43 fffc1c6c Firewall service ISA Server is looking for an applicable network rule.
173 1/13/2011 11:51:43 fffc1c6c Firewall service The packet was sent to or from the Local Host network. Therefore, an implicit network rule with a route relationship between the source and destination is applied.
The entry beginning 161 concerns me.
Cheers,
Neil
paulo.oliveira -> RE: MySQL through ISA 2006 not working (13.Jan.2011 9:09:50 AM)
Hi Neil,
can you paste the logs that appear at Logging tab?
Regards, Paulo Oliveira.
neilbarker -> RE: MySQL through ISA 2006 not working (13.Jan.2011 9:21:30 AM)
Hi Paulo,
I have looked in the logging but can't find any entries for the rules I have created. Do I need to add a filter and if so which one?
Many thanks,
Neil
paulo.oliveira -> RE: MySQL through ISA 2006 not working (13.Jan.2011 9:25:27 AM)
Hi,
Add a filter on port 3306 and the destination IP of your MySQL server.
Regards, Paulo Oliveira.
neilbarker -> RE: MySQL through ISA 2006 not working (13.Jan.2011 9:49:56 AM)
Paulo,
I can't seem to copy the logs out from the Logging tab! How can I do this?
Thanks,
Neil
neilbarker -> RE: MySQL through ISA 2006 not working (13.Jan.2011 10:35:00 AM)
Paulo,
Below is a log - all of them are the same as this one.
Not sure why the External address 188.220.57.56 is trying to use port 53240 - I am using a program called Navicat to test as this connects to MySQL remotely and I specify the port 3306.
Thanks
Denied Connection BH-ISA01 1/13/2011 3:32:17 PM Log type: Firewall service Status: Rule: Default rule Source: External (188.220.57.56:53240) Destination: Local Host (87.194.123.115:3306) Protocol: MySQL
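Added example, not part of the thread and not ISA's own tooling: a small parser for Logging tab entries in the layout quoted above, plus the "port 3306 + destination IP" filter Paulo suggests and a triage that reports which rule each hit matched. The first sample line is the one posted above; the other two lines, the listener IP 87.194.123.115 as the filter key, and the rule name "Test Web Site" are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Field layout of a Logging tab entry as it reads when copied out of the ISA 2006
# console (taken from the entry quoted in the thread). Status is empty on a plain deny.
ENTRY_RE = re.compile(
    r"^(?P<action>Denied Connection|Initiated Connection|Closed Connection|Failed Connection Attempt)\s+"
    r"(?P<server>\S+)\s+"
    r"(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"Log type: (?P<logtype>.+?)\s+"
    r"Status: (?P<status>.*?)\s*"
    r"Rule: (?P<rule>.+?)\s+"
    r"Source: (?P<src_net>.+?) \((?P<src_ip>[\d.]+):(?P<src_port>\d+)\)\s+"
    r"Destination: (?P<dst_net>.+?) \((?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\)\s+"
    r"Protocol: (?P<protocol>.+?)\s*$"
)

# Constructed sample: line 1 is the entry posted in the thread, lines 2 and 3 are made up
# (a second MySQL attempt and the HTTP web-publishing test that is said to work).
SAMPLE_LOG = """\
Denied Connection BH-ISA01 1/13/2011 3:32:17 PM Log type: Firewall service Status: Rule: Default rule Source: External (188.220.57.56:53240) Destination: Local Host (87.194.123.115:3306) Protocol: MySQL
Denied Connection BH-ISA01 1/13/2011 3:32:20 PM Log type: Firewall service Status: Rule: Default rule Source: External (188.220.57.56:53241) Destination: Local Host (87.194.123.115:3306) Protocol: MySQL
Initiated Connection BH-ISA01 1/13/2011 3:35:02 PM Log type: Firewall service Status: Rule: Test Web Site Source: External (188.220.57.56:53260) Destination: Local Host (87.194.123.115:80) Protocol: HTTP
"""


@dataclass(frozen=True)
class Entry:
    action: str
    server: str
    time: str
    rule: str
    src_net: str
    src_ip: str
    src_port: int
    dst_net: str
    dst_ip: str
    dst_port: int
    protocol: str


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one copied Logging tab line; returns None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["action"], m["server"], m["time"], m["rule"],
                 m["src_net"], m["src_ip"], int(m["src_port"]),
                 m["dst_net"], m["dst_ip"], int(m["dst_port"]), m["protocol"])


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_entry(line) for line in text.splitlines()) if e is not None]


def for_published_port(entries: Iterable[Entry], listener_ip: str, port: int) -> List[Entry]:
    """The console filter suggested in the thread: destination IP plus port 3306.
    In the quoted entry the destination of the published connection is the ISA
    listener address (network "Local Host"), so filter on that, not the DMZ server's IP."""
    return [e for e in entries if e.dst_ip == listener_ip and e.dst_port == port]


def triage(entries: Iterable[Entry], listener_ip: str, port: int) -> Dict[str, object]:
    """Count which rule each hit landed on and collect the tuples that fell to Default rule."""
    matched: Dict[str, int] = {}
    fell_to_default: Set[Tuple[str, str, str]] = set()
    for e in for_published_port(entries, listener_ip, port):
        matched[e.rule] = matched.get(e.rule, 0) + 1
        if e.action == "Denied Connection" and e.rule == "Default rule":
            # Default rule is evaluated last; reaching it means no earlier rule matched this
            # (source network, destination network, protocol) combination. Compare the tuple
            # with the publishing rule's From / Networks / Protocol settings.
            fell_to_default.add((e.src_net, e.dst_net, e.protocol))
    return {"matched_rules": matched, "fell_to_default": fell_to_default}


if __name__ == "__main__":
    print(triage(parse_log(SAMPLE_LOG), "87.194.123.115", 3306))
```

Paste the copied lines into `SAMPLE_LOG` (or read a file) and look at `fell_to_default`: every tuple listed there is a combination the publishing rule did not match, which is the same information as the "source does not match the packet" line in the real-time trace, only aggregated.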
paulo.oliveira -> RE: MySQL through ISA 2006 not working (13.Jan.2011 10:49:47 AM)
Hi,
The source port is not relevant in this case; by default, a non-web server publishing rule allows all source ports.
Are you testing from a machine outside of your network? Can you provide details of your server publishing rule?
Regards, Paulo Oliveira.
neilbarker -> RE: MySQL through ISA 2006 not working (13.Jan.2011 11:06:38 AM)
Hi,
I am testing from outside the network (I did install the Navicat software on the ISA server to test and can connect from there to the MySQL server in the DMZ).
I setup a non web server publishing rule as follows:
Action: Allow
Traffic: MySQL (3306 inbound)
From: External
To: IP of MySQL server
Networks: External (selected the correct external IP)
Schedule: Always
Thanks,
Neil
paulo.oliveira -> RE: MySQL through ISA 2006 not working (13.Jan.2011 1:11:01 PM)
Hi,
How are your ISA NICs configured (IP, mask, GW, DNS)?
Regards, Paulo Oliveira.
neilbarker -> RE: MySQL through ISA 2006 not working (13.Jan.2011 1:15:13 PM)
Paulo,
I have set them up as per the instructions in the following link under the heading "Multiple NIC Deployment - ISA Server Standard Edition"
paulo.oliveira -> RE: MySQL through ISA 2006 not working (13.Jan.2011 1:22:30 PM)
Great! It seems your configs are all fine. You might need to use a protocol analyzer to see things under the hood.
Regards, Paulo Oliveira.
neilbarker -> RE: MySQL through ISA 2006 not working (13.Jan.2011 1:27:20 PM)
Protocol Analyzer?
I've never used it before. Will give it a go though.
As far as you can see have I done everything correctly?
paulo.oliveira -> RE: MySQL through ISA 2006 not working (13.Jan.2011 1:32:26 PM)
Hi,
yes, like network monitor or wireshark.
Just confirming: you used the non-web server publishing wizard, not the access rule wizard, right?
Regards, Paulo Oliveira.
neilbarker -> RE: MySQL through ISA 2006 not working (13.Jan.2011 1:37:28 PM)
Oh OK, I've used Wireshark before, so I should be OK with the protocol analyzer.
Yes, I did use the non-web server publishing wizard.
I also did a test and created a small PHP web site on the MySQL server using IIS. I then created a web publishing rule using the same IP addresses etc., and that worked fine, so I know the rules seem to be OK for HTTP on port 80; I just can't see why MySQL won't work.
gazy007 -> RE: MySQL through ISA 2006 not working (18.Jan.2011 4:48:30 PM)
I have got a bit different problem. My colleague wants to connect to MySQL that is on a Linux network. I have got ISA Server 2006. My colleague has created a VPN on a Linux server for internal clients to connect through an IPsec (Preshared Key) VPN. I created an access rule allowing the protocols IKE client/IPsec/L2TP/PPTP from Internal to External, all users allowed. When my clients initiate a VPN connection from Internal to External it does connect, but they are unable to view the database; when I disable the firewall client on the internal user's system it works fine. I do not want anyone disabling the firewall client. I think there must be a way to avoid it. Anyone tried it yet?
paulo.oliveira -> RE: MySQL through ISA 2006 not working (18.Jan.2011 4:50:34 PM)
Hi,
FWC must be disabled when using VPN.
Regards, Paulo Oliveira.
gazy007 -> RE: MySQL through ISA 2006 not working (18.Jan.2011 4:53:05 PM)
Thanks for the reply, but normal users cannot disable the FWC, and when they disable it, it stops internet access as well. I am not sure, but is it normal to disable the FWC?
paulo.oliveira -> RE: MySQL through ISA 2006 not working (18.Jan.2011 5:00:03 PM)
Hi,
The FWC can handle only TCP and UDP Winsock connections. IKE, GRE and other IP-level protocols are not handled by the FWC.