REPOST: Re: TNS Connectivity through ISA Firewall

From: Sybrand Bakker <postbus_at_sybrandb.demon.nl>
Date: Fri, 25 Jan 2002 23:10:27 +0100
Message-ID: <8$--$%%%_$___$%-_$_at_news.noc.cabal.int>


On Fri, 25 Jan 2002 19:27:17 +0100, Frank van Bortel <fbortel_at_home.nl> wrote:

>Shaun wrote:
>>
>> Hi NG
>> I am having problems letting clients on my network with firewall
>> client installed from a MS SBS2000 server running the ISA Server, If
>> the client switches off the firewall client they can connect to the
>> remote Oracle Server via a dial up connection on their machine as soon
>> as it is enabled again the TNS will not connect, how do I configure
>> the firewall to let TNS through?
>>
>> Any help would be appreciated.
>> Many Thanks
>> Shaun
>
>Any idea how Oracle connects?
>Se is dozing off, one ear listening to station 1521 (AM that is ;-))
>Cl: Hey! Server! Gimme a connection!
>Se: Huh? Ok - I can see you on port 1521; I'll hand you over to
> my buddy who's in charge of logins. Please go to port xxxxx.
>Cl (on port xxxxx): Hi, Buddy - let me login?
>Buddy: Yup - here's the prompt.
>
>where xxxxx stands for any port number (vaguely remember these are
>unprivileged ports, aka port# is 1024 and up), but there's your
>problem: your firewall will only be open to traffic on 1521 - right?
>
>Solutions:
>- install names server - it is possible to configure ONS to use
> one, dedicated port. No need for tnsnames.ora on clients!
>- introduce shared_socket=true on server and clients; all will go thru
> a shared socket on port 1521. Some bugs, tho (does not work on 8.1.7/NT;
> does work on 8.1.6/NT, as well as on all unixes I know of)
>- Install a 'tns-aware' firewall. These firewalls will interpret the incoming
> request as a tns connection request (they scan for the string
> 'connect_data=(sid=', which explains why some will fail to work with 8.1,
> which may use service, not sid...).
> If tns-traffic, port doesn't matter, connection accepted.

The bug you mention is resolved in 8.1.7.1.2. Metalink recommended solutions are:

- use an Oracle aware firewall
- configure *Connection Manager*
- configure MTS

Hth

Sybrand Bakker, Senior Oracle DBA

To reply remove -verwijderdit from my e-mail address
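
The quoted reply says some TNS-aware firewalls scan for the literal string 'connect_data=(sid=' and so fail when the client sends a service instead of a SID. The following is an added example, not code from the thread or from any firewall product, showing that string scan beside a structural parse of the connect descriptor that accepts both forms; it assumes the payload has already been decoded to text, and the host names, SID and service name are constructed.

```python
# Added example: names, hosts and sample descriptors below are constructed.
SID_STYLE = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db.example.test)(PORT=1521))"
             "(CONNECT_DATA=(SID=ORCL)))")
SERVICE_STYLE = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db.example.test)(PORT=1521))"
                 "(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=orcl.example.test)))")

def naive_match(payload):
    """The string scan described in the post: only sees a SID placed first."""
    return "connect_data=(sid=" in payload.lower().replace(" ", "")

def parse_group(text, pos=0, depth=0):
    """Parse one (KEY=VALUE) group at text[pos]; return (key, value, next_pos).
    value is a str (leaf) or a dict of child groups. ValueError if malformed."""
    if depth > 16 or text[pos:pos + 1] != "(":
        raise ValueError("expected '(' or nesting too deep")
    eq = text.find("=", pos)
    key = text[pos + 1:eq].strip().lower()
    if eq < 0 or not key or "(" in key or ")" in key:
        raise ValueError("bad key")
    pos = eq + 1
    if text[pos:pos + 1] == "(":
        value = {}
        while text[pos:pos + 1] == "(":
            k, v, pos = parse_group(text, pos, depth + 1)
            value.setdefault(k, v)          # keep the first of repeated keys
    else:
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated value")
        value, pos = text[pos:end].strip(), end
    if text[pos:pos + 1] != ")":
        raise ValueError("expected ')'")
    return key, value, pos + 1

def connect_target(payload):
    """Return ('sid' | 'service_name', value) from CONNECT_DATA, else None."""
    compact = "".join(payload.split())      # descriptors may contain whitespace
    start = compact.lower().find("(description=")
    if start < 0:
        return None
    try:
        _, desc, _ = parse_group(compact, start)
    except ValueError:
        return None                         # malformed input is not treated as TNS
    cd = desc.get("connect_data") if isinstance(desc, dict) else None
    if isinstance(cd, dict):
        for key in ("sid", "service_name"):
            if isinstance(cd.get(key), str):
                return key, cd[key]
    return None
```
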

Received on Fri Jan 25 2002 - 23:10:27 CET