Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: Question: traversing a firewall with Oracle 9i R2.

Re: Question: traversing a firewall with Oracle 9i R2.

From: Dave Sisk <>
Date: Thu, 01 Apr 2004 03:47:41 GMT
Message-ID: <xhMac.38677$>


If I understood what you are trying to do correctly, just opening port 1521 in your firewall won't do the trick. The TNSListener listens on port 1521 (by default, you can configure it to listen on a different port, of course). When it gets a connection request on that port, it accepts the connection, then asks the database server to spawn a process to handle the connection on some available port on the host. The TNS Listener then instructs the client to disconnect from it on 1521 and reconnect to the port this server process that it just spawned is listening on.

This is the default behavior, but there are ways to modify it. I don't recall the details at the moment, but I do recall that having the SQL*Net proxy on the firewall greatly simplifies things. Start with that piece!


"Doug Whittier" <> wrote in message
> Hi, all.
> I'm reasonably versed in network issues, but am fairly new to Oracle.
> I am attempting to configure a connection over two firewalls, allowing
> client communication to my 9i database server (NOT Forms).
> I am addressing this connection problem one firewall at a time, and
> have placed a client outside the firewall that is nearest to the
> database server. I believe that the firewall which would be closest to
> the client machines is running SQLNet Proxy, but I'm not really sure
> yet. First things first.
> I have opened up port 1521 between the client (external) and server
> (internal)IP Addresses.
> The firewall acts as a proxy, and does not do true Address
> Translation. The firewall redirects traffic from a routable address on
> the Internet to a non-routable address inside. This routable address
> is what is made available to incoming client connections (it's what
> you'd put in your tnsnames.ora file as the HOST).
> I try to connect from outside the firewall, and my client simply times
> out.
> I did a TCP dump on the server, and it looks as if what the server
> sees is an attempt from a client to connect to THE SERVER'S PUBLISHED
> ROUTABLE ADDRESS, rather than what it sees as its true internal
> address. This is in fact what I'm trying to do, but the firewall isn't
> changing the destination address inside the packet to reflect the true
> address of the server.
> I understand that I should be using Connection Manager to facilitate
> this - what I expect I need to do is to find a way to tell my server
> to accept connections that are destined to its true non-routable
> address, and also accept connections that are destined to its
> external, routable address which the firewall makes available to the
> outside world.
> I am pulling my hair out trying to understand what I need to do here.
> Is there some parameter in the cman.ora file which will tell the
> server to accept such connections? Or am I barking up the wrong tree?
> Many thanks for all feedback!
> Cheers,
> Doug Whittier
Received on Wed Mar 31 2004 - 21:47:41 CST

Original text of this message