Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: accessing Oracle through a firewall; which ports ?

From: Daniel <nospam_at_nospam.com>
Date: Wed, 24 Feb 1999 14:15:11 -0000
Message-ID: <7b103n$5js$1@inet16.us.oracle.com>


Hi,

Ok here's how we make a connect...

The listener is running on port 1521 let's say...

The client runs sqlplus that runs over sqlnet...

The client connects to the lsnr on port 1521...

The connection is established...

The server starts up a shadow process for the user session...

The lsnr sends a re-direct packet back to the client to tell it to re-connect to the shadow process on a random port number...

The lsnr then drops the connection on port 1521 allowing the next incoming connection to be dealt with...

The client then makes a connection directly to the shadow process on the random port...

The connection is established...

If you set in the client's sqlnet.ora file; TRACE_LEVEL_CLIENT = 16
and after you connect and disconnect read the SQLNET.TRC you can watch this all taking place...

Hmm...

The way round this when using a firewall is one of the following in least desirable order;

On the firewall open up all the ports from 1024 to 64k... Not very secure...

On the firewall open up the whole IP address... Not very secure...

Have a node outside the firewall running the Oracle Connection Manager software, this acts in the same way as a lsnr but makes one connection through to the database on one port, i.e. 1521... Quite complex to set up and needs an extra node and extra software...

Here's a good trick; If you are using NT4 SP3 and Oracle 8.0.4 then in the REG under;

HKEY_LOCAL_MACHINE \ SOFTWARE \ ORACLE

Create a new entry

USE_SHARED_SOCKET = TRUE

This configures the lsnr to keep all connections on port 1521 and not re-direct to a different port. This will utilise the SHARED_SOCKET functionality of the WINSOCKv2 tcp/ip stack on the server.

The only drawback is that you can NOT re-start the lsnr until the database has been shut down.

Also the reason that you can tnsping is that tnsping never actually makes a connect into the database it just bounces a packet off the lsnr, this does not require a re-direct...

Hope the above helps

Regards,

Daniel...

--
Daniel
Oracle UK

Mark Beck wrote in message <01be5fd6$f5eca7c0$748e3aa0_at_gzcap116>...
>Hi there,
>
>I've a problem accessing an oracle db through a firewall. TNSPing works,
>but SqlPlus doesn't connect. Only Port 1521/1526 are forwarded through the
>firewall,
>does SQLNet/TCP need another Port ?
>
>
> Mark
>
Received on Wed Feb 24 1999 - 08:15:11 CST
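
The sequence described in the message above can be reproduced on localhost, as an added example that is not part of the original post and is not Oracle code. The `PING`/`CONNECT`/`REDIRECT`/`SESSION` messages are a toy stand-in for the real SQL*Net packets, an ephemeral localhost port stands in for 1521, and the firewall is modelled as a set of forwarded ports.

```python
import socket
import threading

def serve_shadow(shadow):
    """Toy 'shadow process': accepts the redirected client and starts the session."""
    conn, _ = shadow.accept()
    with conn, shadow:
        conn.sendall(b"SESSION")

def listener(srv, shared_socket):
    """Toy listener following the steps in the post (not the real SQL*Net protocol)."""
    while True:
        conn, _ = srv.accept()
        with conn:
            req = conn.recv(64)
            if req == b"PING":          # tnsping-style probe, answered by the listener
                conn.sendall(b"PONG")
            elif shared_socket:         # session stays on the listener port
                conn.sendall(b"SESSION")
            else:                       # hand off to a shadow socket on a random port
                shadow = socket.create_server(("127.0.0.1", 0))
                threading.Thread(target=serve_shadow, args=(shadow,), daemon=True).start()
                conn.sendall(b"REDIRECT %d" % shadow.getsockname()[1])

def fw_connect(port, allowed):
    """Model of the firewall: only ports in `allowed` are forwarded."""
    if port not in allowed:
        raise ConnectionRefusedError(f"firewall drops port {port}")
    return socket.create_connection(("127.0.0.1", port), timeout=2)

def client(lsnr_port, allowed, request):
    with fw_connect(lsnr_port, allowed) as s:
        s.sendall(request)
        reply = s.recv(64)
    if not reply.startswith(b"REDIRECT"):
        return reply.decode()
    try:                                # re-connect to the port named in the redirect
        with fw_connect(int(reply.split()[1]), allowed) as s:
            return s.recv(64).decode()
    except ConnectionRefusedError:
        return "BLOCKED"

def run(shared_socket, allow_high_ports=False):
    srv = socket.create_server(("127.0.0.1", 0))   # stands in for port 1521
    threading.Thread(target=listener, args=(srv, shared_socket), daemon=True).start()
    lsnr_port = srv.getsockname()[1]
    allowed = range(1024, 65536) if allow_high_ports else {lsnr_port}
    return client(lsnr_port, allowed, b"PING"), client(lsnr_port, allowed, b"CONNECT")

if __name__ == "__main__":
    print(run(shared_socket=False), run(shared_socket=True))
```

`run()` returns the result of the probe and of the full connect, so the three firewall situations in the message (listener port only, all high ports open, shared socket) can be compared side by side.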
