Wed, Apr 9 2008 21:14
bradley
Firewalls and SQL
ISA, the lake and vendors - The Official Blog of the SBS "Diva":
http://msmvps.com/blogs/bradley/archive/2008/04/09/isa-the-lake-and-vendors.aspx
For any app vendors that need to know how to add a SQL exception in the local Windows firewall (and not in ISA):
Go to the Small Business Server Firewall Policy on the server in the Group Policy Management console,
go to Computer Configuration, then to Administrative Templates, then to Network, then to Network Connections,
then to Domain Profile. Open Windows Firewall: Define port exceptions. Ensure it's enabled.
Click on Show and you should see under Define port exceptions:
135:TCP:*:Enabled:Offer Remote Assistance
To that, click Add and enter:
1433:TCP:*:Enabled:SQL Access
(Or, better yet, limit the scope to the local subnet, like
1433:TCP:192.168.16.0/24:Enabled:SQL Access
assuming the server's default IP numbering of 192.168.16.2. Or, if the only thing that needs to talk to that SQL instance is the server itself, merely add:
1433:TCP:192.168.16.2:Enabled:SQL Access)
The fields are: first the port, then the transport (TCP or UDP), then the scope (the entire network, a single server, or a range), then the status, and finally the name.
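As an added example (not code from the post), here is a small Python checker for that five-field format: it validates each entry and flags every enabled exception whose scope is `*`, so a reviewer can see at a glance which of the variants above is open to the whole network rather than to the subnet or the server. It also accepts the LocalSubnet keyword and comma-separated scopes, which the post does not show.

```python
import ipaddress

# Field order as described in the post: port:transport:scope:status:name
def classify_scope(scope: str) -> str:
    """'any' for '*', 'subnet' for LocalSubnet or any address range, else 'host'."""
    if scope == "*":
        return "any"
    kind = "host"
    for item in scope.split(","):
        item = item.strip()
        if item.lower() == "localsubnet":  # policy keyword; not shown on the page
            kind = "subnet"
        elif ipaddress.ip_network(item, strict=False).num_addresses > 1:  # ValueError if malformed
            kind = "subnet"
    return kind

def parse_port_exception(entry: str) -> dict:
    """Validate one 'Define port exceptions' line and split it into its five fields."""
    parts = entry.split(":", 4)  # the name comes last and may itself contain colons
    if len(parts) != 5:
        raise ValueError(f"expected 5 colon-separated fields: {entry!r}")
    port, transport, scope, status, name = parts
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {port}")
    if transport.upper() not in {"TCP", "UDP"}:
        raise ValueError(f"transport must be TCP or UDP: {transport}")
    if status not in {"Enabled", "Disabled"}:
        raise ValueError(f"status must be Enabled or Disabled: {status}")
    if not name.strip():
        raise ValueError("rule name is empty")
    return {"port": int(port), "transport": transport.upper(), "scope": scope,
            "scope_kind": classify_scope(scope), "enabled": status == "Enabled", "name": name}

def review_exceptions(entries):
    """Return (entry, reason) for every enabled rule whose scope admits any source address."""
    findings = []
    for entry in entries:
        rule = parse_port_exception(entry)
        if rule["enabled"] and rule["scope_kind"] == "any":
            findings.append((entry, "scope '*' admits every address; narrow it to a subnet or host"))
    return findings

# Constructed sample: the entries quoted in the post, covering all three scope variants
SAMPLE = [
    "135:TCP:*:Enabled:Offer Remote Assistance",
    "1433:TCP:*:Enabled:SQL Access",
    "1433:TCP:192.168.16.0/24:Enabled:SQL Access",
    "1433:TCP:192.168.16.2:Enabled:SQL Access",
]
```

Running `review_exceptions(SAMPLE)` reports only the first two entries; the subnet-scoped and server-scoped SQL rules pass.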

For Vista you need the RSAT tools on a workstation; log on there and edit the Vista firewall policy from it:
Security: Exploring The Windows Firewall:
http://technet.microsoft.com/en-us/magazine/cc138010.aspx
SeanDaniel.com - Small Business Server and Other Technology: Configuring the Vista Firewall by Group Policy:
http://sbs.seandaniel.com/2007/01/configuring-vista-firewall-by-group.html
Right-click the Small Business Server – Windows Vista policy, and then click Edit. The Group Policy Object Editor appears.
Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security - LDAP://cn=(custom to your network) (no, this isn't a repeat of the UI).
Right-click Inbound Rules, and then click New Rule.
I'm going to guess that the vendor needs a static 1433 and that you can't tie it to the program opening up inbound (which is the more secure way).
Click Port (rule that controls connections for a TCP or UDP port), then click Next.
Click TCP, enter 1433 in the specific port box, then click Next.

Click "Allow the connection", then click Next.
Click to allow this only on the Domain profile (thus if the computer comes off the LAN for any reason, 1433 won't be open), then click Next.

Name the rule and click Finish.
P.S. notice how much more granular the Vista firewall settings are?
Filed under: Security