SQL Clustering with DMZ

  • I have a Passive/Active SQL Server 2008 cluster running on Windows Server 2008 (both are enterprise editions).

    I have a server in the DMZ, I'll call it [Server A]. The cluster is named [CN] with nodes [CNA] and [CNB].

    Inside our network, everyone connects to the server via named pipe, named [CNSQL] like such...

    All ports are open inside our secure zone, and all servers inside the secure zone are numbered 192.168.1.* (not really, but I don't want to give out true IPs).

    We are now adding a web application in our DMZ, which is on (so my network people tell me) a different subnet. We want the web app server to connect to the cluster. By default, all the ports are closed (DMZ cannot communicate with servers inside the secure zone) unless I give them an exception list of every port to open on the web application server. We have other servers like this. They also do not have DNS for the secure zone; all servers are accessed via 10.0.1.* instead of their secure zone IPs of 192.168.1.*.

    So, what do I need to do to get my DMZ'd web app server to connect to a SQL cluster in a different network?

    I'll take any ideas. Thank you very much.

  • I'm not sure on your use of named pipes; I am assuming you have a reason for that. But what I might recommend for the SQL-Web communication would be this.

    Use TCP/IP. Do you have TCP/IP running for SQL? Does your SQL server have an assigned port or is it dynamic?

    If assigned, then all you "should" need to open is that TCP port through the FW. You will also have to specify this port in whatever connection string you set up between the 2. If you want the browsers to work... well, that's a whole other set of ports to open and not something I would recommend between a DMZ and a secure network.

    Any other questions please ask....

    db

  • Perhaps it was my ignorance, I used named pipes because I am unsure otherwise how to connect to a cluster.

    I cannot connect to the virtual cluster named CN and likewise, you cannot connect directly to CNA or CNB.

    Is there a way to connect to a cluster without using named pipes?

  • Absolutely! And you will be more secure 😉

    Some of the info you need depends on how you installed your SQL instance. If you have not changed the TCP/IP port settings then it is either at 1434 or, if you named the instance, it will be set to dynamic and should be in the 50000 to 60000 range. Examine the SQL Server logs after SQL starts up for a line that looks like "Server is listening on [xxx.xxx.xxx.xxx] port #". This is the info you need to attach to that instance. If it is not a default instance then most likely you will have to provide the port info in your connection string, or if you use SSMS you would enter "Virtual SQL server\Instance,port" as the server to attach to. The virtual SQL server is the name that you see in Failover Cluster Management as your "virtual" SQL server name.

    The problem you might be seeing is the fact that for the browsers to work through the firewall you need to open a massive range for UDP responses from your actual cluster nodes back to your user PCs, and from what you described that might not be open.

    This blog post helped me greatly: http://blogs.msdn.com/sql_protocols/archive/2006/02/27/unable-to-connect-to-a-sql-server-named-instance-on-a-cluster.aspx. The whole blog has also helped me with problems that we have had with our old cluster, where I even had tickets open with Microsoft that they did not solve.

  • So... after a week of fiddling, I still cannot connect to the cluster.

    I looked through the logs and found this after bouncing both nodes of the cluster:

    "Server is listening on [ 172.25.5.62 1433]"

    So, I open up SSMS and for the server name put

    tcp:172.25.5.62,1433

    I continue to receive the standard timeout error code 0.

    I am no longer working with the firewall right now. This is all internal where all ports are open. Any ideas?

  • Matt,

    So you are testing from one of the cluster nodes, or at least on a machine that is on the same firewall leg as the cluster node?

    I did just try using the IP on my older cluster and that worked.

    A little trick I learned from a Microsoft support person is to create a "txt" file on the desktop (or wherever) on one of your nodes, then change the extension to .udl and run it. Then put the server connection string in "Select or enter a server name" and try out the Test Connection button. I find this helps you tweak your connection string settings and is very simple to try.

    Also, you don't need to reboot the cluster nodes to get the SQL logs to reset; you can either fail over the SQL instance or just use SQL Server Configuration Manager to restart the SQL service.

  • For anyone who is following this, by default Windows Server 2008 Enterprise blocks a lot of ports. All I had to do was add an exception for 1433 in Windows Firewall.

    It is not our standard to even use Windows Firewall, so I'm not sure why it was running. Its out-of-place configuration caused many of the errors.
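Pulling the thread's advice together (read the listening address and port from the SQL Server ERRORLOG, test that port over TCP, build a connection string with the port given explicitly so SQL Browser is not needed, and scope the Windows Firewall exception to the DMZ web server), here is an added PowerShell example that is not code from any poster. The ERRORLOG path and the `$DmzWebServer` address are assumptions to adjust for your instance and network.

```powershell
# Added example for this thread, not code from any poster. The ERRORLOG path (default
# instance, SQL Server 2008) and the DMZ address are placeholders; adjust both.
param(
    [string]$ErrorLogPath = 'C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Log\ERRORLOG',
    [string]$DmzWebServer = '10.0.1.50'   # placeholder: the DMZ web app server's address
)

# Matches both "[ 172.25.5.62 1433]" as quoted in the thread and the usual
# "[ 'any' <ipv4> 1433]" form; captures the address and port.
$pattern = "Server is listening on \[\s*'?(?<addr>[^'\s\]]+)'?(?:\s+<ipv[46]>)?\s+(?<port>\d+)\s*\]"

function Get-SqlListeners {
    param([string]$Path)
    Get-Content -Path $Path | ForEach-Object {
        if ($_ -match $pattern) {
            New-Object PSObject -Property @{ Address = $Matches['addr']; Port = [int]$Matches['port'] }
        }
    }
}

# TCP reachability check with a timeout. Uses TcpClient so it also runs on the
# PowerShell 2.0 that ships with Server 2008, which has no Test-NetConnection.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

$listeners = @(Get-SqlListeners -Path $ErrorLogPath)
if ($listeners.Count -eq 0) { Write-Warning 'No listener lines found; is TCP/IP enabled for the instance?'; return }

foreach ($l in $listeners) {
    $target = if ($l.Address -eq 'any') { 'localhost' } else { $l.Address }
    $ok = Test-TcpPort -ComputerName $target -Port $l.Port
    '{0}:{1} reachable={2}' -f $target, $l.Port, $ok
    # With the port given explicitly the client never asks SQL Browser (UDP 1434),
    # so this single TCP port is all that has to cross the DMZ firewall.
    '  Server=tcp:{0},{1};Database=<db>;Integrated Security=SSPI' -f $target, $l.Port
}

# Windows Firewall exception scoped to the DMZ web server instead of any source.
# Printed for review; run it elevated on each node once per listening port.
foreach ($l in $listeners) {
    "netsh advfirewall firewall add rule name=""SQL Server TCP $($l.Port)"" dir=in action=allow protocol=TCP localport=$($l.Port) remoteip=$DmzWebServer"
}
```

Run it on a cluster node first (where the thread's own test took place) and then from the DMZ web server with the virtual server name or address as the target; a listener that is reachable locally but not from the DMZ points at the host or network firewall rather than at SQL Server.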

  • Sorry Matt,

    I did not even think to ask about the Windows Firewall. We do not use it here, although once in the past I was given a server with it enabled and got very frustrated until I realized it was on.

    So are you able to connect correctly using TCP/IP now?

  • I did not think to look either, as we don't use it here, but whoever set up this server forgot to turn it off.

    I can now successfully connect via TCP.
