
Re: firewall sqlnet woes

From: Nandan Kalle <nkalle_at_questfs.com>
Date: Fri, 23 Apr 1999 15:47:41 -0400
Message-ID: <7fqioh$o3s$1@nntp3.atl.mindspring.net>


Andrew/Dan:

I am also trying to connect thru firewalls. I believe it *is* possible, but I can't figure out how to configure the Listener properly.

Oracle's whitepaper, SQL*Net and Firewalls, indicates that in certain circumstances it *is* possible to configure the Listener to create shadow processes on a single port. Specifically, on page 3, it says "When the IP port number of the SQL*Net connection can be determined in advance, such as 1521, then connection can be permitted with some degree of security. Systems running multi-threaded servers, pre-spawned servers or ones with architectures that do not support IP port sharing, require dynamic port allocation which tends to prevent connections."

So, Dan, as long as you don't fall under any of the exemptions (MTS, pre-spawn or no port-sharing) this should be possible.

Page 6 of the whitepaper describes the connection sequence. "Depending on the operating system and TCP/IP protocol implementation, one of the following procedures is performed. 1) The listener bequeaths the client connection to the spawned server, effectively sharing the listener's IP port 1521. Wherever possible, the listener bequeaths the connection instead of redirecting it. 2) The Server performs a wild-card listen to obtain a unique IP port number from the operating system and communicates the port number allocated to the listener process. The listener then issues a redirect, containing the wild-card address, to the client and drops the connection. The client then calls the dedicated server process directly using the wild-card port number provided in the redirect message."

Obviously, we'd prefer option 1 to occur. The question is, how can we ensure that this happens?

We're running Oracle for Workgroups 7.3 on NT 4.0, so I don't think we fall under any of the "exemptions" listed in the first quote-- Dan, you should check and make sure you're OK here.

Do we need to do anything special to the listener to encourage it to use port 1521?

Also, is there a way to "trace" the listener to see how it's handling the connection?

Dan, if anyone sends you answers offline, would you pls forward them to me? I would really appreciate it.

Thanks.
Nandan Kalle

Received on Fri Apr 23 1999 - 14:47:41 CDT
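
The two connection sequences quoted from the whitepaper, modelled on localhost as an added example (not part of the original post and not Oracle code): it shows which destination ports a client must reach in each mode, and therefore what a firewall rule that permits only the listener port would block. Assumptions: the `REDIRECT`/`DATA` messages are constructed stand-ins rather than the SQL*Net wire format, an ephemeral port stands in for 1521, and the firewall is evaluated as a check on the port list rather than enforced.

```python
import socket
import threading

def run_listener(srv, mode):
    """Serve one client on listening socket `srv` in 'bequeath' or 'redirect' mode."""
    conn, _ = srv.accept()
    with conn:
        if mode == "bequeath":
            # Stand-in for handing the accepted socket to the spawned server:
            # traffic stays on the connection made to the listener's port.
            conn.sendall(b"DATA\n")
            return
        # Redirect: wild-card listen (port 0) so the OS picks a free port.
        ded = socket.socket()
        ded.bind(("127.0.0.1", 0))
        ded.listen(1)
        conn.sendall(b"REDIRECT %d\n" % ded.getsockname()[1])
    # The listener connection is now dropped; the dedicated server takes over.
    with ded:
        c2, _ = ded.accept()
        with c2:
            c2.sendall(b"DATA\n")

def connect(listener_port):
    """Return every destination port the client had to reach to get data."""
    ports = [listener_port]
    with socket.create_connection(("127.0.0.1", listener_port), 5) as s, s.makefile("rb") as f:
        reply = f.readline().split()
    if reply[0] == b"REDIRECT":
        ports.append(int(reply[1]))
        with socket.create_connection(("127.0.0.1", ports[-1]), 5) as s, s.makefile("rb") as f:
            f.readline()
    return ports

def demo(mode):
    """Run one connection; report ports a listener-port-only rule would block."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))  # ephemeral port standing in for 1521
        srv.listen(1)
        lport = srv.getsockname()[1]
        t = threading.Thread(target=run_listener, args=(srv, mode))
        t.start()
        ports = connect(lport)
        t.join()
    blocked = [p for p in ports if p != lport]  # static rule: allow lport only
    return lport, ports, blocked

if __name__ == "__main__":
    for mode in ("bequeath", "redirect"):
        print(mode, demo(mode))
```

In redirect mode the second port is chosen by the operating system at connection time, which is why a rule written in advance for the listener port alone cannot cover it.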
