Port Filter for specific URL

[AndyH]

Hello,

i searched a lot on the internet already but could only find an inofficial announcement for what I am looking for. I want to solve the following problem:

One of our customers wants to access a cloud server hosting a mssql server. mssql requires the accessing client machines to open port ranges for incoming responds from the server. This are typically ports 1024 to 4096. It is no problem to open this ports in WinGate 8. But for security reasons it is not a reasonable solution for the customer to open this range of ports for all incoming requests.
Is it possible to limitate the filter of port ranges for a specific URL ? It should only be possible for incoming request from this specific machine to pass through WinGate 8.

Thanks in Advance,

Andree

[adrien]

Hi

my understanding about MS SQL server was that it didn't need to connect back to the client. Problem with connecting back to the client, is that if the client is behind a NAT, it just won't work, unless there is special protocol support in the NAT for the MS SQL protocol to see which ports to open back to the client.

In the past, customers have been able to connect to MS SQL servers using only a single mapped port (e.g. a TCP mapping proxy) 1433.

http://support.microsoft.com/kb/287932

This mentions client port numbers, but only in the context of normal ephemeral ports assigned by the OS to any outbound TCP connection. It's not a requirement for the server to connect back in. The response packets to the outbound connection to the MS SQL server will be allowed by the NAT as part of its stateful TCP connection management... that's how a NAT works, and how any TCP connection can work through a NAT.

So, you should be able to remove that opened port range altogether. It's only there to allow access to other services running on the WinGate computer, such as FTP servers, or FTP clients.

Regards

Adrien

[AndyH]

First I want to say thanks for your answer.

After a lot of investigation I have the following understanding:

The client sends a request to the server port, .e.g. 1433. The outgoing port of the client is in the range 1024 to 4096, e.g. 2000.
The server responds with outgoing port 1433 and sends it to the client pc, addressing port 2000.
Wether this port is not opened for WinGate the reply fails.

We have installed a WinFate 8 proxy and are experiencing exactly this behaviour. As long as the port 2000 (we opened range 1024 to 4096) is not opened, the connection can not be established. We spent hours for testing. There seems to be no other way to solve this problem.

That is the reason why I am trying to restrict the opened ports to the server URL.

Thus my question is not how mssql works but if it is possible to restrict open ports to e specific URL.

Is there an answer to this question ???

Thanks in advance,

Andree

[adrien]

The way TCP connections work, is typically the client allocates a random port to use as the source port (to differentiate that connection from other connections that may be made to the same target IP:port) and sends a TCP packet with the SYN flag set to the target port.

The server responds with a SYN ACK packet where the destination port is the random chosen source port of the SYN packet.

The NAT when it sees a new connection (new combination of src:IP/Port + dst:IP/port + protocol (e.g. TCP)) sets up a mapping in the firewall to enable response packets to come back. It also translates the source IP and port on outbound packets, and dest ip:port on response packets before forwarding them.

So you don't need to manually open a port for the response packets. If you had to do this, the NAT would not be usable for anything, and no TCP connection would ever work through the NAT.

A URL refers to a page on a website, which is only http. If you want to filter that, you'd need to go through the web proxy, but this doesn't apply to MS SQL server.

There must be some other problem preventing NAT from working properly. Is your NAT behind another router or NAT?

Regards

Adrien

[AndyH]

Thanks for your reply,

I will check this.

Andree