From: Andrew Babb <andrewb@mail.com>
Newsgroups: comp.databases.oracle.server,comp.databases.oracle.misc
Subject: Re: firewall sqlnet woes
Date: Sat, 24 Apr 1999 11:51:33 +0800
Organization: Netvigator
Message-ID: <37213FC5.24846019@mail.com>
References: <7fouel$lo2$1@samba.rahul.net> <37200335.C70A8681@mail.com> <7fqioh$o3s$1@nntp3.atl.mindspring.net>
To: Nandan Kalle <nkalle@questfs.com>

Hi Dan and Nandan,

You can trace SQL*Net operations, both on the client side and the server side
with trace options in both the sqlnet.ora on the client and listener.ora on the
server. A trace level of 16 is the debug trace level, aka MBs per minute, and
you may be able to discover what is going on.

The two parameters are:
SQLNET.ORA -> TRACE_LEVEL_CLIENT=value
SQLNET.ORA -> TRACE_LEVEL_SERVER=value
LISTENER.ORA -> TRACE_LEVEL_listener=value

where value is OFF, USER, ADMIN, SUPPORT or OFF, 1 thru 16.

Rgds
Andrew Babb

BTW - Check out http://technet.oracle.com/doc/network.804/a58230/toc.htm for the
Oracle8 SQL*Net guide.

Nandan Kalle wrote:

> Andrew/Dan:
>
> I am also trying to connect thru firewalls.  I believe it *is* possible, but
> I can't figure out how to configure the Listener properly.
>
> Oracle's whitepaper, SQL*Net and Firewalls, indicates that in certain
> circumstances it *is* possible to configure the Listener to create shadow
> processes on a single port.  Specifically, on page 3, it says "When the IP
> port number of the SQL*Net connection can be determined in advance, such as
> 1521, then connection can be permitted with some degree of security.
> Systems running multi-threaded servers, pre-spawned servers or ones with
> architectures that do not support IP port sharing, require dynamic port
> allocation which tends to prevent connections."
>
> So, Dan, as long as you don't fall under any of the exemptions (MTS,
> pre-spawn or no port-sharing) this should be possible.
>
> Page 6 of the whitepaper describes the connection sequence.  "Depending on
> the operating system and TCP/IP protocol implementation, one of the following
> procedures is performed.  1) The listener bequeaths the client connection to
> the spawned server, effectively sharing the listener's IP port 1521.
> Wherever possible, the listener bequeaths the connection instead of
> redirecting it.   2) The Server performs a wild-card listen to obtain a
> unique IP port number from the operating system and communicates the port
> number allocated to the listener process.  The listener then issues a
> redirect, containing the wild-card address, to the client and drops the
> connection.  The client then calls the dedicated server process directly
> using the wild-card port number provided in the redirect message."
>
> Obviously, we'd prefer option 1 to occur.  The question is, how can we
> ensure that this happens?
>
> We're running Oracle for Workgroups 7.3 on NT 4.0, so I don't think we fall
> under any of the "exemptions" listed in the first quote-- Dan, you should
> check and make sure you're OK here.
>
> Do we need to do anything special to the listener to encourage it to use
> port 1521?
>
> Also, is there a way to "trace" the listener to see how it's handling the
> connection?
>
> Dan, if anyone sends you answers offline, would you pls forward them to me?
> I would really appreciate it.
>
> Thanks.
> Nandan Kalle
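
Added example, not part of the original post or of Oracle's tooling: a small Python check that reads sqlnet.ora and listener.ora text and reports every TRACE_LEVEL_* parameter that is not switched off, useful for confirming tracing is enabled while debugging and disabled again afterwards. The file contents, the host name `dbhost` and the function names are constructed for illustration.

```python
import re

# Matches simple "NAME = value" parameter lines. Multi-line parenthesised
# entries (such as the listener address list) never match and are skipped.
PARAM = re.compile(r"^\s*(TRACE_LEVEL_\w+)\s*=\s*(\S+)\s*$", re.IGNORECASE)
DISABLED = {"OFF", "0"}

def trace_settings(text):
    """Return {PARAMETER: VALUE} for every TRACE_LEVEL_* line, upper-cased."""
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing or whole-line comments
        m = PARAM.match(line)
        if m:
            found[m.group(1).upper()] = m.group(2).upper()
    return found

def active_traces(files):
    """files maps file name -> contents; return (file, param, value) still tracing."""
    hits = []
    for name, text in files.items():
        for param, value in trace_settings(text).items():
            if value not in DISABLED:
                hits.append((name, param, value))
    return sorted(hits)

# Constructed sample configuration, not taken from the thread.
SAMPLE = {
    "sqlnet.ora": (
        "# client and server side tracing\n"
        "TRACE_LEVEL_CLIENT = 16\n"
        "trace_level_server = off\n"
    ),
    "listener.ora": (
        "LISTENER =\n"
        "  (ADDRESS_LIST =\n"
        "    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521)))\n"
        "TRACE_LEVEL_LISTENER = SUPPORT   # left on after debugging\n"
    ),
}

if __name__ == "__main__":
    for name, param, value in active_traces(SAMPLE):
        print(f"{name}: {param} = {value} (tracing enabled)")
```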

