- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SQL Server connection not working via ZTNA Rule
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SQL Server connection not working via ZTNA Rule
Hi,
I'm new and this is my first post.
I'm currently configuring ZTNA, but I have problems I'm not able to solve.
I want to connect to a SQL DB via TOAD GUI.
Therefore I changed the SQL instance port from dynamic to fixed (Port 6434).
Is there any other port next to may be 1433 and 1434 I need to enable in my ZTNA Server on the Fortigate?
Christoph Christian
Christoph Christian
Labels:
- Labels:
-
FortiGate
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Welcome in the community! Typical ports used by SQL Server are: TCP 1433, 4022, 135, 1434, UDP 1434.
I would also recommend checking ZTNA traffic logs and see what traffic is being denied.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Demir21,
thanks for your answer.
Regarding UDP, how is this configured as there is only TCP available for ZTNA Server on the Fortigate.
Cheers
Christoph
Christoph Christian
Christoph Christian
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
ZTNA allows to configure only TCP ports. Please to check on ZTNA logs or troubleshoot WAD to find how the Proxy handles a client request. You can find more information on troubleshooting in the following link:
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK so my Toad for SQL can not be used with ZTNA?
Christoph Christian
Christoph Christian
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That doesn't necessarily mean that. You need to check with what SQL service you bind Toad. You may want to check this Microsoft link to find the port for each SQL service http://support.microsoft.com/kb/287932
The most common port used is TCP 1433. Debugging ZTNA logs is useful to have a better look on where the issue may reside.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a similar situation only I'm connecting to a Microsoft SQL Server from Microsoft SQL Server Management Studio (SSMS)
We currently have ZTNA deployed and functioning, with access to RDP and SMB shares. However, when connecting to a SQL Server using the fully qualified domain name, Windows Authentication, it fails with the error:
TITLE: Connect to Server
------------------------------
Cannot connect to myserver.mydomain.local.
------------------------------
ADDITIONAL INFORMATION:
The target principal name is incorrect. Cannot generate SSPI context. (Microsoft SQL Server, Error: 0)
For help, click: https://docs.microsoft.com/sql/relational-databases/errors-events/mssqlserver-0-database-engine-erro...
------------------------------
BUTTONS:
OK
------------------------------
The ZTNA logs on the Fortigate show no problems accessing any resources, no access denied, everything is allowed through.
The strange thing is if I ping my server's hostname "myserver.mydomain.local" (changed for privacy) and the proxy IP is returned 10.222.0.22 (changed for privacy), if swap out the hostname in the connection dialog, still using Windows authentication it connects without problem.
I can also connect via RDP to the hostname "myserver.mydomain.local" and SMB shares via hostname "myserver.mydomain.local" so the only thing that won't connect via hostname is SQL Server connections.
Given that I can connect via the proxy IP returned from pinging the FQDN of the sql server, that tells me all the necessary ports are open, but it does seem to be a name resolution issue affecting SQL Connections.
Another test I did was create an ODBC System DSN, if I used the proxy IP, I had no issue connecting using Windows Authentication. If I created another connection using the FQDN the following error is displayed:
Connection failed:
SQLState: 'HY000'
SQL Server Error: 0
[Microsoft][ODBC SQL Server Driver]Cannot generate SSPI context
When connecting from the LAN we have no issues using the FQDN to connect to SQL Server, it is just when utilizing the ZTNA connection.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
the Issue is related to Kerbereos, when using SQL Server Athentication it will work. I have the same problem at the moment, but don't know why Kerbereos isn't working.
Christoph Christian
Christoph Christian
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Christoph, I believe you are correct. SQL authentication works just fine with the FQDN.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Disabling loopback check fixed my SQL ztna auth issues
In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Right-click Lsa, point to New, and then click DWORD Value. (In Win 2008, its DWORD 32bit)
Type DisableLoopbackCheck, and then press ENTER.
Right-click DisableLoopbackCheck, and then click Modify.
In the Value data box, type 1 and then click OK.
Quit Registry Editor.
Related Posts
- Connection from VLAN to VIP does... 131 Views
- FSSO doesnt work with Fortigate eval... 148 Views
- IP sec tunnel connection from fortiweb 181 Views
- VLANS are not functioning in my... 278 Views
- Auth Issues with explicit proxy feature... 114 Views
Labels
-
FortiGate
6,699 -
FortiClient
1,333 -
5.2
801 -
5.4
639 -
FortiManager
578 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
343 -
FortiAP
340 -
FortiClient EMS
272 -
FortiMail
260 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
110 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
79 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
59 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
SD-WAN
30 -
High Availability
24 -
FortiConnect
24 -
VLAN
22 -
FortiWAN
22 -
FortiAuthenticator
21 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
Authentication
8 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
Application control
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
Web profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Proxy policy
4 -
Packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
Antivirus profile
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
Protocol option
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.