Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
chrisW4
New Contributor III

Created on ‎06-12-2023 07:38 AM

SQL Server connection not working via ZTNA Rule

Hi,

 

I'm new and this is my first post.

I'm currently configuring ZTNA, but I have problems I'm not able to solve.

 

I want to connect to a SQL DB via TOAD GUI.

Therefore I changed the SQL instance port from dynamic to fixed (Port 6434).

 

Is there any other port next to may be 1433 and 1434 I need to enable in my ZTNA Server on the Fortigate?

Christoph Christian
Christoph Christian
Labels:
4504
0 Kudos
12 REPLIES 12
Demir21
Staff
Staff

Created on ‎06-12-2023 04:34 PM

Hi, 

Welcome in the community! Typical ports used by SQL Server are: TCP 1433, 4022, 135, 1434, UDP 1434.

I would also recommend checking ZTNA traffic logs and see what traffic is being denied.

3545
0 Kudos
chrisW4
New Contributor III

Created on ‎06-13-2023 10:39 PM

Hi Demir21,

 

thanks for your answer.

Regarding UDP, how is this configured as there is only TCP available for ZTNA Server on the Fortigate.

 

Cheers

 

Christoph

Christoph Christian
Christoph Christian
3511
0 Kudos
Demir21
Staff
Staff

Created on ‎06-15-2023 03:23 AM

Hi, 

ZTNA allows to configure only TCP ports. Please to check on ZTNA logs or troubleshoot WAD to find how the Proxy handles a client request. You can find more information on troubleshooting in the following link: 

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/286458/ztna-troubleshooting-and-debu...

3488
0 Kudos
chrisW4
New Contributor III

Created on ‎06-15-2023 04:50 AM

OK so my Toad for SQL can not be used with ZTNA?

Christoph Christian
Christoph Christian
3477
0 Kudos
Demir21
Staff
Staff

Created on ‎06-15-2023 11:49 PM

That doesn't necessarily mean that. You need to check with what SQL service you bind Toad. You may want to check this Microsoft link to find the port for each SQL service http://support.microsoft.com/kb/287932

The most common port used is TCP 1433. Debugging ZTNA logs is useful to have a better look on where the issue may reside.

3423
0 Kudos
tbrown
New Contributor
In response to Demir21

Created on ‎08-25-2023 10:25 AM

I have a similar situation only I'm connecting to a Microsoft SQL Server from Microsoft SQL Server Management Studio (SSMS)

We currently have ZTNA deployed and functioning, with access to RDP and SMB shares. However, when connecting to a SQL Server using the fully qualified domain name, Windows Authentication, it fails with the error:

TITLE: Connect to Server
------------------------------

Cannot connect to myserver.mydomain.local.

------------------------------
ADDITIONAL INFORMATION:

The target principal name is incorrect. Cannot generate SSPI context. (Microsoft SQL Server, Error: 0)

For help, click: https://docs.microsoft.com/sql/relational-databases/errors-events/mssqlserver-0-database-engine-erro...

------------------------------
BUTTONS:

OK
------------------------------

The ZTNA logs on the Fortigate show no problems accessing any resources, no access denied, everything is allowed through.

The strange thing is if I ping my server's hostname "myserver.mydomain.local" (changed for privacy) and the proxy IP is returned 10.222.0.22 (changed for privacy), if swap out the hostname in the connection dialog, still using Windows authentication it connects without problem.

I can also connect via RDP to the hostname "myserver.mydomain.local" and SMB shares via hostname "myserver.mydomain.local" so the only thing that won't connect via hostname is SQL Server connections.

Given that I can connect via the proxy IP returned from pinging the FQDN of the sql server, that tells me all the necessary ports are open, but it does seem to be a name resolution issue affecting SQL Connections. 


Another test I did was create an ODBC System DSN, if I used the proxy IP, I had no issue connecting using Windows Authentication. If I created another connection using the FQDN the following error is displayed:

 

Connection failed:
SQLState: 'HY000'
SQL Server Error: 0
[Microsoft][ODBC SQL Server Driver]Cannot generate SSPI context


When connecting from the LAN we have no issues using the FQDN to connect to SQL Server, it is just when utilizing the ZTNA connection.

 

 

 

3261
0 Kudos
chrisW4
New Contributor III
In response to tbrown

Created on ‎09-12-2023 06:22 AM

Hi,

 

the Issue is related to Kerbereos, when using SQL Server Athentication it will work. I have the same problem at the moment, but don't know why Kerbereos isn't working.

Christoph Christian
Christoph Christian
3173
0 Kudos
tbrown
New Contributor
In response to chrisW4

Created on ‎09-12-2023 06:58 AM

Thanks Christoph, I believe you are correct. SQL authentication works just fine with the FQDN. 

3168
0 Kudos
adw2323
New Contributor
In response to tbrown

Created on ‎11-28-2023 08:36 AM

Disabling loopback check fixed my SQL ztna auth issues 

In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Right-click Lsa, point to New, and then click DWORD Value. (In Win 2008, its DWORD 32bit)

Type DisableLoopbackCheck, and then press ENTER.

Right-click DisableLoopbackCheck, and then click Modify.

In the Value data box, type 1 and then click OK.

Quit Registry Editor.

 

2768
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.