Not applicable

MS-DTC

I have two servers: an internal server (10.10.14.40) and a DMZ live web server (192.168.10.2). I want to connect from the internal server (a VB program) to the DMZ server (SQL DB). What I have done is:
1. Installed MSDTC on both servers.
2. Created a policy from Internal to DMZ and enabled all services.
But I still cannot connect to the SQL DB; an error appears in the Event Viewer (about the RPC connection, etc.). I searched on the internet and read that some ports have to be opened for RPC (135) and MSDTC (5100) in the FortiGate to permit the connection between the servers, but I don't know how to open ports in the FortiGate and I don't know whether it will work or not. Any help???
13 REPLIES
Not applicable

Hi Sami,
In addition to a firewall policy allowing traffic from the Internal to the DMZ interface, you will also need a policy to allow the reply traffic back (DMZ to Internal). And you need static routes (Router > Static) to tell the firewall where to direct traffic, e.g.:
- Incoming interface: Internal; Destination: 192.168.10.0/24; Outgoing interface: DMZ
- Incoming interface: DMZ; Destination: 10.10.14.0/24; Outgoing interface: Internal
Hope that helps!
Matt
Not applicable

Thank you for your reply. I tried the same as you wrote, but it is still the same problem. Please, any other idea?
Not applicable

The firewall rules and static routes above should allow the two servers to communicate. Are you sure the local firewalls (Windows Firewall, or some other third party software firewall) are not blocking the traffic ? Can you ping between the two servers ?
ede_pfau
SuperUser

@Matt: you don't need a policy for reply traffic. A policy controls whether a session can be established or not. Reply traffic belongs to the session created for the original outgoing traffic. Secondly, sami created a policy with ALL services, so here all ports are allowed. Such a policy even allows for non-stateful protocols like ICMP which do not use ports; otherwise he wouldn't be able to ping the server. And last, explicit static routes are not needed here, as they would duplicate the implicit routes for subnets that are directly connected to the FGT.
@sami: do the ping test to confirm connectivity. I doubt it will succeed. Then check for software firewalls on both hosts.
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable

Thanks Ede - I've always put policies in for reply traffic like that!! Good to know I don't need to bother :) And good point regarding the implicit routes - don't know what I was thinking (was still half asleep). But we're agreed that Sami's issue sounds like it's probably not related to the FortiGate.
ede_pfau
SuperUser

A policy allowing any host on the net into your LAN to access clients is THE greatest security breach imaginable. Wonder if you've had any issues yet... BTW I'm always 3-4 hours short of sleep. That's part of the job description I guess.
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable

Sorry for the confusion, I didn't mean I create any host / any service inbound policies into my networks... that would be mental. But I think we're beginning to hijack this guy's thread now, so maybe we should call a truce.
Not applicable

Thank you so much to all the guys who tried to help. I tried all those things but it didn't work. Of course I can ping from the local network to the DMZ (I had made a policy for this before), but I had only permitted some services, such as ping. Now I permit all services (Any), but it is still the same issue. I also tried to add the custom ports (MSDTC 5500-5700) and (RPC 135) when I read about it in some forums and added them to the services as well, but it is still not working.
My story yesterday: I took a local PC on the same local network (same subnet) and it connected successfully without any error. When I put the same PC in the DMZ again to check, it did not work. <<THIS SCREWS MY HEAD>> Thank you really, all.
ede_pfau
SuperUser

If you put in just 2 policies:
- internal to DMZ, all to all, service ANY, and
- DMZ to internal, all to all, service ANY
then the firewall is effectively out of the way. All remaining issues are server related.
Ede Kernel panic: Aiee, killing interrupt handler!
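As an added example that is not part of this thread, here is what a scoped FortiOS CLI configuration for the two hosts could look like instead of the all-to-all/ANY policies used for troubleshooting above: address objects for the two servers, custom services for the RPC endpoint mapper (TCP 135) and a fixed MSDTC dynamic RPC range, and a policy in each direction restricted to just those two hosts. The interface names ("internal", "dmz"), the object names, the policy IDs 100/101 and the 5000-5100 range are assumptions; the range must match whatever the Windows servers have been configured to use for RPC, and the syntax follows recent FortiOS releases (older builds phrase the service definition differently).

```text
# Added example, not from the thread. Names, interfaces, policy IDs and the
# 5000-5100 range are assumptions; adjust them to your own FortiGate.

config firewall address
    edit "SRV-INTERNAL"
        set subnet 10.10.14.40 255.255.255.255
    next
    edit "SRV-DMZ-SQL"
        set subnet 192.168.10.2 255.255.255.255
    next
end

# RPC endpoint mapper, plus the dynamic RPC range the servers are pinned to.
config firewall service custom
    edit "RPC-EPM"
        set tcp-portrange 135
    next
    edit "MSDTC-RPC-DYN"
        set tcp-portrange 5000-5100
    next
end

# Policy 100: internal server -> DMZ SQL server. "MS-SQL" is a FortiOS
# predefined service (TCP 1433-1434, UDP 1434).
# Policy 101: MSDTC opens new RPC sessions from the DMZ side back to the
# internal server, so a second policy is needed for those NEW sessions.
# This is not a "reply traffic" policy; replies to sessions allowed by
# policy 100 are already handled by the session table.
config firewall policy
    edit 100
        set name "int-to-dmz-msdtc"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "SRV-INTERNAL"
        set dstaddr "SRV-DMZ-SQL"
        set action accept
        set schedule "always"
        set service "MS-SQL" "RPC-EPM" "MSDTC-RPC-DYN"
        set logtraffic all
    next
    edit 101
        set name "dmz-to-int-msdtc"
        set srcintf "dmz"
        set dstintf "internal"
        set srcaddr "SRV-DMZ-SQL"
        set dstaddr "SRV-INTERNAL"
        set action accept
        set schedule "always"
        set service "RPC-EPM" "MSDTC-RPC-DYN"
        set logtraffic all
    next
end
```

To confirm whether the FortiGate or the servers are the problem, watch the handshake from the FortiGate CLI with `diagnose sniffer packet any 'host 10.10.14.40 and host 192.168.10.2 and port 135' 4`: if the SYN is seen leaving the dmz interface but no SYN/ACK comes back, the firewall has passed it and the remaining issue is on the Windows side (Windows Firewall, the DTC network access settings, or an RPC dynamic range that does not match the service object), which is the conclusion the thread reaches. MSDTC also needs each host to resolve the other's name in both directions, which a DMZ host often cannot do without hosts-file entries.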