SQL traffic inside an IPSEC tunnel
Hi all,
I'm using a FortiGate 92D with the latest image, 5.4.
I connect my clients with the FortiClient using IPsec.
This all works; I narrowed down in my rules who can connect and to what.
But I want to allow only SMB (found that) and SQL traffic to a named instance on a SQL 2012 R2 server.
As long as I use the ALL services rule it works, but I would like to limit it to SMB and SQL.
Which service and ports are we talking about?
Rene
Hi,
You find the ports used for the various SQL Server services in this article, "Configure the Windows Firewall to Allow SQL Server Access", here: https://msdn.microsoft.com/de-de/library/cc646023%28v=sql.110%29.aspx (sorry, the "insert link" button is greyed out).
Define each port/protocol combo as a custom service and group them in a custom service group to use in the policy. SMB or "Windows AD" is always needed additionally.
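The custom-service approach described above, written out as FortiOS CLI, as an added example that is not from this thread or from Fortinet documentation: two custom services for the named instance, a service group that also carries the predefined SMB service, and the dial-up IPsec policy with service ALL replaced by that group. The interface, address object and service names are assumed, and 1433 stands in for whatever static port you assigned to the named instance on the SQL Server side.

```fortios
# Added example (not from the thread). Assumes the named instance was
# pinned to a static listener port on the SQL Server; 1433 below is a
# placeholder for the port you chose. All object names are assumed.
config firewall service custom
    edit "MSSQL-Instance-TCP"
        set comment "Static TCP port assigned to the SQL named instance"
        set tcp-portrange 1433
    next
    edit "MSSQL-Browser-UDP"
        set comment "SQL Browser service: clients resolve instance name to port"
        set udp-portrange 1434
    next
end

# Group the SQL services with the predefined SMB service (TCP 445)
# so one policy can reference them all.
config firewall service group
    edit "SQL-and-SMB"
        set member "MSSQL-Instance-TCP" "MSSQL-Browser-UDP" "SMB"
    next
end

# Dial-up IPsec policy: the only change from the working "ALL" policy
# is the service line. "FortiClient-VPN" is the tunnel interface,
# "VPN-Clients" and "SQL-Server" are address objects (assumed names).
config firewall policy
    edit 0
        set name "VPN-to-SQL"
        set srcintf "FortiClient-VPN"
        set dstintf "internal"
        set srcaddr "VPN-Clients"
        set dstaddr "SQL-Server"
        set action accept
        set schedule "always"
        set service "SQL-and-SMB"
        set logtraffic all
    next
end
```

With logtraffic set to all, the forward-traffic log shows which member of the group each session matched, which is the quickest way to confirm the named instance is really listening on the static port and not on a dynamic one.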
And the CLI command diag debug flow is your friend if anything fails; it would also help to show you which service is being matched and allowed or denied.
PCNSE
NSE
StrongSwan
Be aware that certain MS SQL configurations do not use fixed ports, so you need to dig into the MSSQL documentation on how to configure a fixed port for the service.
My .02
Regards
I never heard of that, but 1433/tcp is the de facto MS-SQL port unless you change it. netstat -an on the target host will also indicate the listener for that service.
Ken
PCNSE
NSE
StrongSwan
@last_3_posts:
That's all in the cited paper: 1433/tcp, 1434/tcp, 1433/udp, dynamic ports included, with instructions on how to make them static.