v-terliu
Sun Jul 13 19:48:01 PDT 2008
Hello Customer,
Thank you for your update.
You said you run the SBS 2003 premium. Why don't you install the ISA server
2004 on the SBS? If you do not install the ISA server 2004 on SBS, we are
completely unable to control VPN client access after the VPN connection is
established. So we suggest you install the ISA server on SBS.
Even if you install the ISA server 2004 on SBS, ISA is unable to
distinguish between developer and non-developer. After you create the 2
deny rules in my previous reply, all VPN clients could only access SQL
server on SBS.
Please do not forward TCP port 1433 and UDP port 1434 from your router to
the SBS server; it is very dangerous for your SBS and SQL server.
Meanwhile, it will be very slow when you access SQL Server through the Internet.
I hope these steps will give you some help.
Thanks and have a nice day!
Best regards,
Terence Liu (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
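
A simplified model of the ordered, first-match rule evaluation this reply relies on, as an added example (not part of the original post and not ISA Server code): it encodes Rule 1 from the quoted message below, with User Sets set to All Users, and shows that a developer and an office user on the VPN get identical verdicts. The packet fields, the account names and the allow rule standing in for the default VPN access are assumptions.

```python
from dataclasses import dataclass

# "Microsoft SQL (TCP)" and "Microsoft SQL (UDP)" from Rule 1: TCP 1433, UDP 1434.
SQL_PROTOCOLS = frozenset({("tcp", 1433), ("udp", 1434)})

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    source: str
    destination: str
    users: str                         # "All Users" matches every account
    excluded: frozenset = frozenset()  # protocols the rule does not apply to

    def matches(self, pkt):
        return (pkt["source"] == self.source
                and pkt["destination"] == self.destination
                and self.users in ("All Users", pkt["user"])
                and (pkt["proto"], pkt["port"]) not in self.excluded)

def evaluate(policy, pkt):
    """Walk the rules top-down; the first matching rule decides."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "no matching rule"

POLICY = [
    # Rule 1 as written in the thread, placed above the existing rules.
    Rule("block all to internal and external", "deny",
         "VPN clients", "Local Host", "All Users", SQL_PROTOCOLS),
    # Assumed stand-in for the access VPN clients have by default.
    Rule("assumed default VPN access", "allow",
         "VPN clients", "Local Host", "All Users"),
]

# Constructed sample traffic: SQL (TCP), SQL (UDP), file sharing, remote desktop.
SAMPLE = [("tcp", 1433), ("udp", 1434), ("tcp", 445), ("tcp", 3389)]

def verdicts(user):
    """Verdict per sample port for one VPN user connecting to the SBS itself."""
    return {f"{proto}/{port}": evaluate(POLICY, {
        "source": "VPN clients", "destination": "Local Host",
        "user": user, "proto": proto, "port": port})[0]
        for proto, port in SAMPLE}

if __name__ == "__main__":
    for user in ("developer", "office-user"):   # hypothetical account names
        print(user, verdicts(user))
```

Because the deny rule is bound to All Users, the verdict depends only on protocol and port, so every VPN client ends up with SQL-only access to the server.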
--------------------
>Thread-Topic: SQL Developer Remote Access
>From: =?Utf-8?B?TUY=?= <MF@discussions.microsoft.com>
>Subject: RE: SQL Developer Remote Access
>Date: Fri, 11 Jul 2008 07:23:02 -0700
>
>Thanx for your response. Yes your understanding of the issue is correct. We
>enabled VPN on the SBS and we use this for the remote office users for all
>day work. If I need to provide access to a database for the developer via VPN
>how is it possible to restrict him from accessing anything else at all on the
>server? Or what other options are there besides VPN or can the deny rules be
>applied to only the developer? Just so you know, ISA server is not installed
>on this SBS server, we basically use the firewall on our router and I have
>forwarded TCP port 1433 and UDP port 1434 to the SBS server.
>
>Thanx.
>
>"Terence Liu [MSFT]" wrote:
>
>> Hello Customer,
>>
>> Thank you for posting here.
>>
>> According to your description, I understand that you want to make the
>> remote client only access your SQL server on SBS. If I have misunderstood
>> the problem, please don't hesitate to let me know.
>>
>> Before we go any further, please let me know the following information so
>> that we can understand your situation more clearly.
>>
>> 1. Do you mean VPN by "remote access"?
>>
>> 2. Do you have only one VPN client?
>>
>> By default, the VPN clients could access all resources on SBS and internal.
>> If you want to make the VPN clients only access SQL server on SBS, we need
>> to create deny rules to block the other traffic.
>>
>> If all answers are yes for the 2 questions above, I suggest you perform the
>> following steps:
>>
>> Create 2 deny rules to block the traffic between VPN clients and LAN except
>> SQL server:
>>
>> Rule 1:
>>
>> Please open the ISA management console, navigate to Firewall Policy, right
>> click "Firewall Policy" and click New->Access Rule, then create a new
>> access rule as follows:
>>
>> Rule name: block all to internal and external
>>
>> Rule Action: Deny
>>
>> Protocols: All Outbound traffic except Microsoft SQL (TCP) and Microsoft
>> SQL (UDP)
>>
>> Sources: VPN clients
>>
>> Destination: Local Host
>>
>> User Sets: All Users
>>
>> Then move this rule above "SBS Protected Networks Access Rules" and
>> click Apply to save all the settings.
>>
>> Rule 2:
>>
>> Please open the ISA management console, navigate to Firewall Policy, right
>> click "Firewall Policy" and click New->Access Rule, then create a new
>> access rule as follows:
>>
>> Rule name: block all except SQL server to local host
>>
>> Rule Action: Deny
>>
>> Protocols: All Outbound traffic
>>
>> Sources: VPN clients