Publishing a SQL Server Computer with ISA Server 2004

This article describes how to use Microsoft Internet Security and Acceleration (ISA) Server 2004 to publish a computer that is running Microsoft SQL Server 2000.

Server Publishing Rules

ISA Server uses server publishing to process incoming requests to internal servers, such as File Transfer Protocol (FTP) servers, Structured Query Language (SQL) servers, and others. Requests are forwarded downstream to an internal server, located behind the ISA Server computer.

Server publishing allows virtually any computer on your Internal network to publish to the Internet. Security is enhanced because all incoming requests and outgoing responses pass through ISA Server. When a server is published by an ISA Server computer, the IP addresses that are published are actually the IP addresses of the ISA Server computer. Users who request objects assume that they are communicating with the ISA Server computer (whose name or IP address they specify when requesting the object), while they are actually requesting the information from the publishing server. This is the case when there is a network address translation (NAT) relationship from the network on which the clients are located to the network on which the published server is located. When you configure a route network relationship instead, the clients use the actual IP address of the published server to access it.

Server publishing rules determine how server publishing functions, essentially filtering all incoming and outgoing requests through the ISA Server computer. Server publishing rules map incoming requests to the appropriate servers behind the ISA Server computer. These rules will grant access dynamically, as specified, from Internet users to the specific publishing server.

No special configuration of the published server is required after you create the server publishing rule on the ISA Server computer. Note that ISA Server must be configured as the default gateway on the published server.

Note

If the published server and the ISA Server computer are not on the same subnet, configure the routers that handle traffic from the server so that it passes through the ISA Server computer.

Security Benefits of Server Publishing

Publishing servers through ISA Server provides the following security benefits:

  • The server can only be accessed through the port that is published through the ISA Server computer.
  • SYN attack protection.
  • Intrusion detection, such as detection of ping of death and port scanning attacks.

Publishing a SQL Server Computer—Walk-through

This walk-through guides you through the steps necessary to publish a SQL Server 2000 computer using ISA Server 2004.

Publishing a SQL Server Computer Walk-through Procedure 1: Configure the Default Gateway

ISA Server must be configured as the default gateway on the SQL Server computer. Set the default gateway on the SQL Server computer to be the IP address of the ISA Server computer network adapter through which the SQL Server computer connects to the ISA Server computer.

Note

You can skip this step if you configure the server publishing rule to use the option Requests appear to come from the ISA Server computer. This is described in Step 9 of Publishing a SQL Server Computer Walk-through Procedure 2: Create a Server Publishing Rule.

Publishing a SQL Server Computer Walk-through Procedure 2: Create a Server Publishing Rule

To publish the SQL Server computer, you must create a server publishing rule that configures a single port for handling the traffic to the computer that is running SQL Server. To create the publishing rule, follow these steps.

  1. In ISA Server Management, select Firewall Policy.

  2. In the task pane, on the Tasks tab, click Create New Server Publishing Rule to open the New Server Publishing Rule Wizard.

  3. On the New Server Publishing Rule Wizard Welcome page, provide a name for the rule, such as SQL Server - sqltest, and then click Next.

  4. On the Select Server page, in Server IP address, type the IP address of your computer that is running SQL Server, and then click Next.

  5. On the Select Protocol page, from the Selected protocol drop-down list, select the Microsoft SQL Server protocol, and then click Next.

  6. On the IP Addresses page, under Listen for requests from these networks, select the networks on which you want to listen for SQL requests. For example, if you want to publish the SQL Server computer to the External network (the Internet), select External.

    Note

    You can select specific IP addresses that ISA Server will listen on. To do this, click the Address button, and then for the selected network, specify the IP addresses that ISA Server will listen on. You can use this feature to publish multiple servers on the same protocol, by publishing each to a different IP address.

  7. Click Next.

  8. Click Finish to close the New Server Publishing Rule Wizard.
    Notice that in the ISA Server Management console, in the details pane, on the Firewall Policy tab, the SQL Server - sqltest rule is listed.

  9. On the Firewall Policy tab, under the Name column, double-click the SQL Server - sqltest rule to open the SQL Server - sqltest Properties dialog box.

    Note

    On the To tab, under Requests for the published server, there is an option Requests appear to come from the ISA Server computer. This option can be used when you have not configured ISA Server as the default gateway on the published server. This approach has the disadvantage that the published server will be unaware of the address of the client, which is a problem for server applications that use the client address for logging or for policy decisions.

  10. In the details pane, click the Apply button to apply the changes, so that the publishing rule takes effect for incoming traffic.

Publishing a SQL Server Computer Walk-through Procedure 3: Configure SQL Server Clients

After publishing the SQL Server computer at the firewall, configure the client computers to use the TCP protocol on port 1433. You can use the SQL Client Network Utility to configure the client computers. Or, you can specify this in the SQL connection string. In the case where there is a NAT relationship between the SQL Server computer and the external network, instead of specifying the server name, specify tcp:ipaddress, where ipaddress is the external IP address of the ISA Server 2004 computer.

In the NAT scenario, you will connect to the SQL Server computer by specifying the external IP address of the ISA Server 2004 computer. In the route scenario, you will specify the IP address of the SQL Server computer.
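
A client-side check for Procedure 3 and for the first security benefit listed earlier (only the published port is reachable), as an added PowerShell example that is not part of the original article. The IP addresses, the list of extra ports, and the function names are assumptions, and the check assumes that no other publishing rule listens on the same address.

```powershell
# Added example. Addresses and the extra port list are constructed placeholders.
$IsaExternalIp = '203.0.113.10'        # external IP of the ISA Server computer
$SqlServerIp   = '10.0.0.20'           # actual IP of the SQL Server computer
$SqlPort       = 1433                  # TCP port from Procedure 3
$OtherPorts    = 135, 139, 445, 3389   # not published; expected to be closed

function Get-SqlClientTarget {
    # NAT relationship: clients address the ISA Server external IP.
    # Route relationship: clients address the SQL Server computer itself.
    param([ValidateSet('NAT', 'Route')][string]$Relationship)
    if ($Relationship -eq 'NAT') { $IsaExternalIp } else { $SqlServerIp }
}

function Test-TcpPort {
    # $true only if a TCP connection completes within the timeout.
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

$target = Get-SqlClientTarget -Relationship 'NAT'

# Server value for the client connection string: the tcp: prefix selects
# the TCP protocol and ",1433" pins the port.
"Server=tcp:$target,$SqlPort"

# The published port should answer; every other port should not.
$results = foreach ($port in @($SqlPort) + $OtherPorts) {
    $open = Test-TcpPort -Address $target -Port $port
    [pscustomobject]@{
        Address  = $target
        Port     = $port
        Open     = $open
        Expected = ($port -eq $SqlPort)
        Pass     = ($open -eq ($port -eq $SqlPort))
    }
}
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { Write-Warning 'Exposure differs from the publishing rule.' }
```

Run it from a computer on the network the rule listens on (for example, External); a row with Pass set to False means that the reachable ports do not match what the server publishing rule is meant to expose.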