Configuring SQL Server Access Through an ISA Proxy
Introduction
The C/S (client/server) development model has many tools and high development efficiency; its drawback is that it is usually a two-tier architecture, so when it is used over a wide-area network its security is hard to guarantee.
The B/S (browser/server) model is usually used over wide-area networks and offers better security, but because development targets the browser, efficiency is acceptable only for simple applications; complex applications and operations require writing middle-tier components, so development efficiency is poor.
How to use the traditional LAN-style C/S development approach in a WAN application architecture, raising development efficiency and improving interface friendliness and usability, is the problem this article addresses. ISA is used as the proxy server and firewall for SQL Server: all external database access is proxied through ISA. External connections do not connect directly to the database server but to the ISA server, which redirects the external requests to the SQL Server; this hides the SQL Server and protects the data. External requests do not need to know the SQL Server's name or address; they simply treat the ISA server as the SQL Server. For external data requests, the ISA server decides whether to accept the connection and how to handle it; to a legitimate connection it is transparent, as if the client were connected directly to the database server.
Overview of ISA and SQL Server
Microsoft Internet Security & Acceleration Server 2000
Microsoft Internet Security & Acceleration Server provides strong security and network acceleration. It features policy-based security, speed and network management, integrates seamlessly with the Windows 2000 operating system, and is a highly scalable enterprise Internet firewall and high-speed Web cache.
Microsoft ISA Server provides secure, fast, easy-to-manage Internet connectivity. By combining an enterprise Internet firewall with a high-performance cache, it tightly integrates Windows 2000 security, directory services, virtual private networking, quality of service, and bandwidth control that simplifies management tasks.
Microsoft SQL Server 2000
SQL Server 2000 is a true relational database management and analysis system designed for building scalable e-commerce, online business and data warehousing solutions.
Microsoft SQL Server 2000 provides new data warehousing capabilities for analysis services, including integrated data mining, OLAP services, security services, and access to and linking of cubes over the Internet.
Besides the scalability and extensibility required by e-commerce, SQL Server 2000 offers rich Web-standards-based database programming features to ensure interoperability and flexibility. Related to this, SQL Server 2000 includes broad XML and W3C standards support: XML data manipulation through Transact-SQL, flexible and powerful Web analysis functions, and secure Web data access over HTTP.
Installing ISA and SQL Server
Microsoft Internet Security & Acceleration Server 2000
1. Before installing, make sure the computer meets the system requirements for Microsoft Internet Security & Acceleration Server 2000. For more information, see the hardware and software installation requirements for Microsoft Internet Security & Acceleration Server 2000.
2. Install the network adapters and the modem (or ISDN adapter, etc.) that connect the internal LAN and the external Internet.
3. Configure TCP/IP, setting the internal and external IP addresses. See the technical manual for details.
4. Run ISA Server Enterprise Initialization from the installation media and set the parameters.
- Array policy only. Select Use array policy only if each array should have its own policy, which can be administered by the array administrator.
- Enterprise policy only. Select Use this enterprise policy and type the name of the enterprise policy. In this case, the same enterprise policy will be applied to all the arrays in the enterprise. Unique access policies cannot be defined for each array in the enterprise. No rules can be defined at the array level.
- Combined enterprise and array policy. Select Use this enterprise policy and Allow array-level access rules to restrict enterprise policy. In this case, array administrators can define rules that further restrict the enterprise policy. For example, if the enterprise policy allows access to all sites, array administrators could refine that policy by creating rules denying access to specific sites.
- If array administrators are allowed to publish internal servers, making those servers accessible to external (Internet) clients, then select Allow publishing rules to be created on the array.
- Select Use packet filtering on the array if packet filtering should always be enabled for the arrays in the enterprise. If you select this option, then the array administrator will not be able to disable packet filtering.
When ISA Server Enterprise Initialization is finished, the ISA Server schema is installed to Active Directory. You can now install ISA Server as an array member, creating the array that the ISA Server should join.
Note
The array creation process takes place when you install ISA Server on the first computer in the array. The information that is added to the Active Directory may take some time to replicate to all domain controllers. Therefore, if you receive an error message during installation that the ISA Server schema has not been installed, even though you have installed it, you must wait until the schema change has been replicated to the local domain controller.
Important
You must install the Windows 2000 Service Pack 1 or later before you install ISA Server.
If the computer on which you are installing ISA Server is not part of a Windows 2000 domain, then ISA Server will be installed as a stand-alone server. You can subsequently add the server to a Windows 2000 domain, and then join it to an array.
The first server in the new array defines a new array in Active Directory. You should allow sufficient time for the array information to replicate throughout the site before you add more members to the array.
When you install an ISA Server computer as a member of an existing array, you must install it in the same mode as the other array members. For example, if all the servers in the array were installed in firewall mode, then the new ISA Server computer must also be installed in firewall mode. The new ISA Server computer adopts the array's enterprise settings, access policy, publishing policy, and monitoring configuration.
You can select the disk drives that are available for caching during ISA Server installation. By default, the setup process searches for the largest NTFS partition and sets a default cache size of 100 megabytes (MB) if there are at least 150 MB available. When configuring the cache drives, you must, at a minimum, allocate at least one NTFS drive, setting aside at least 5 MB on that drive for caching. However, it is recommended that you allocate at least 100 MB and add 0.5 MB for each client that uses the HTTP or FTP protocols, rounded up to the nearest full megabyte.
The local address table (LAT) is a table of all IP address ranges used by the internal network behind the ISA Server computer. ISA Server uses the LAT to control how machines on the internal network communicate with external networks and decides which network adapters should be protected by loading the packet filter driver.
ISA Server can construct the LAT for you by basing it on your Windows 2000 routing table. You can also select the private IP address ranges, as defined by the Internet Assigned Numbers Authority (IANA) in RFC 1918. These three blocks of addresses are reserved for private intranets and are never used on the public Internet.
When creating a LAT, you should only include addresses on the private network. This means that you should not add the external interface of the ISA Server computer, any Internet sites, or any other external addresses including the DNS server at your Internet service provider, and so forth. An incorrect configuration of the LAT could make your network vulnerable to attacks.
The LAT is managed centrally, because it is maintained on the ISA Server computer. Firewall clients automatically download and receive LAT updates at preset, regular intervals.
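The warning above that a wrong LAT can expose the network is easy to check mechanically before the table is committed. The following script is an added example written for this article, not part of ISA Server or its documentation. It takes the LAT as a list of (first address, last address) ranges, as entered in the ISA console, flags any range that falls outside the RFC 1918 private blocks, and reports as an error any range that includes an address that must never be in the LAT (the ISA external interface, the ISP's DNS server). All addresses and range values are constructed sample values.

```python
import ipaddress

# The three RFC 1918 blocks that ISA's "private IP address ranges" option adds.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_lat(lat_ranges, external_addresses):
    """Review LAT entries (IPv4 only, as ISA Server 2000 is IPv4 only).

    lat_ranges: list of (first_ip, last_ip) strings, as entered in the ISA LAT.
    external_addresses: addresses that must never appear in the LAT, such as
        the ISA external interface or the ISP's DNS servers.
    Returns a list of (severity, message) tuples; an empty list means the LAT is clean.
    """
    findings = []
    for first, last in lat_ranges:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if hi < lo:
            findings.append(("error", f"{first}-{last}: range end precedes its start"))
            continue
        # Break the range into CIDR blocks so each can be tested against RFC 1918.
        blocks = ipaddress.summarize_address_range(lo, hi)
        if not all(any(b.subnet_of(p) for p in RFC1918) for b in blocks):
            findings.append(("warning", f"{first}-{last}: includes non-RFC 1918 addresses"))
        for ext in external_addresses:
            if lo <= ipaddress.ip_address(ext) <= hi:
                findings.append(("error", f"{first}-{last}: includes external address {ext}"))
    return findings


# Constructed sample values (RFC 1918 and RFC 5737 documentation addresses), not a real deployment.
ISA_EXTERNAL_IP = "203.0.113.10"
ISP_DNS = "203.0.113.53"
GOOD_LAT = [("192.168.1.1", "192.168.1.255")]
# A mistaken LAT that also covers the subnet of the ISA external interface.
BAD_LAT = [("192.168.1.1", "192.168.1.255"), ("203.0.113.1", "203.0.113.254")]


def review_sample_lats():
    """Run the check on both sample LATs; returns (good_findings, bad_findings)."""
    ext = [ISA_EXTERNAL_IP, ISP_DNS]
    return check_lat(GOOD_LAT, ext), check_lat(BAD_LAT, ext)


if __name__ == "__main__":
    good, bad = review_sample_lats()
    print("good LAT:", good or "no findings")
    for severity, message in bad:
        print(f"bad LAT: {severity}: {message}")
```

The non-RFC 1918 case is only a warning because an internal network may legitimately use public addresses; an entry that contains the external interface or an external DNS server is always an error, because the firewall client would then treat traffic to that address as local and bypass the proxy.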
Microsoft SQL Server 2000 (see the white paper for details)
1. Before installing, make sure the computer meets the system requirements for Microsoft SQL Server 2000. For more information, see the hardware and software installation requirements for SQL Server 2000.
2. If you are installing SQL Server 2000 on a computer running Microsoft Windows NT or Microsoft Windows 2000 and want SQL Server 2000 to communicate with other clients and servers, create one or more domain user accounts. For more information, see Creating Security Accounts.
3. Log on to the operating system with a user account that has local administrator rights, or assign the appropriate rights to the domain user account.
4. Shut down all services related to SQL Server, including all services that use ODBC, such as Microsoft Internet Information Services (IIS).
5. Close Microsoft Windows NT Event Viewer and the registry editors (Regedit.exe or Regedt32.exe).
Configuring ISA and SQL Server
1. Configure the SQL Server TCP/IP network protocol
Use the SQL Server Network Utility: enable the TCP/IP protocol, add a WinSock proxy, and set the proxy server's IP address to the ISA server's external IP address. Set the port that SQL Server uses.
Note: if the address you set is the ISA server's internal IP address, it will not work!
2. Create the Wspcfg.ini file on the SQL Server machine
File contents:
[sqlservr]
ServerBindTCPPorts=1433
Persistent=1
KillOldSession=1
Save the file in the same directory as Sqlservr.exe. If the port set in step 1 is not 1433, change ServerBindTCPPorts=1433 to the port set in step 1.
3. Install the Firewall Client on the SQL Server machine
Connect to the ISA server, locate the MSPCLNT shared folder, and install the Firewall Client from it; this share is created automatically when ISA is installed.
4. Restart the SQL Server machine
5. Configure the LAT under Network on the ISA server
Add the internal IP addresses of the SQL Server and the ISA server to the LAT.
6. Configure Server Publishing Rules under Publishing
Use Publish a Server: set a publishing name, fill in the Internal Server IP with the SQL Server's internal IP address, fill in the ISA Server IP with the ISA server's external IP address, and set Mapped Server Protocol to Microsoft SQL Server. Then set the access rules.
7. Test from the external client that needs access
1. Configure the client's hosts file with the ISA server's external IP address and machine name.
2. Test with Ping.exe to see whether the server is reachable (ping xxxServer).
3. Test the connection using the SQL Server client or another tool, using the ISA server's name as the server name.
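Steps 1 to 7 set the same few values (SQL Server port, ISA internal and external addresses, SQL Server internal address) in five different places, and the note under step 1 and the remark under step 2 describe the two mistakes that silently break the setup. The script below is an added example written for this article, not part of ISA Server, SQL Server or their documentation; it gathers those settings as plain values and text and cross-checks them, so a mismatch is found before the restart in step 4 and the connection test in step 7. The server names, addresses and the Wspcfg.ini text are constructed sample values.

```python
import configparser
import ipaddress


def _in_lat(ip, lat_ranges):
    """True if ip falls inside any (first, last) range of the LAT."""
    a = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= a <= ipaddress.ip_address(hi) for lo, hi in lat_ranges)


def review_sql_publishing(isa, sql_internal_ip, sql_port, proxy_ip, wspcfg_text,
                          lat_ranges, rule, hosts_line):
    """Cross-check the settings from configuration steps 1-7.

    isa: {"name", "internal_ip", "external_ip"} of the ISA server
    sql_port / proxy_ip: port and WinSock proxy address set in SQL Server Network Utility (step 1)
    wspcfg_text: contents of Wspcfg.ini (step 2)
    lat_ranges: list of (first_ip, last_ip) LAT entries (step 5)
    rule: {"internal_server", "isa_server_ip", "protocol"} of the publishing rule (step 6)
    hosts_line: the client's hosts file entry for the ISA server (step 7)
    Returns a list of finding strings; an empty list means every check passed.
    """
    findings = []

    # Step 1: the WinSock proxy address must be the ISA *external* address.
    if proxy_ip == isa["internal_ip"]:
        findings.append("step 1: proxy address is the ISA internal IP; use the external IP")
    elif proxy_ip != isa["external_ip"]:
        findings.append(f"step 1: proxy address {proxy_ip} is not the ISA external IP")

    # Step 2: Wspcfg.ini must bind the same port SQL Server listens on.
    cp = configparser.ConfigParser()
    cp.read_string(wspcfg_text)
    if not cp.has_section("sqlservr"):
        findings.append("step 2: Wspcfg.ini has no [sqlservr] section")
    else:
        raw = cp.get("sqlservr", "ServerBindTCPPorts", fallback="")
        ports = [p.strip() for p in raw.split(",") if p.strip()]
        if str(sql_port) not in ports:
            findings.append(f"step 2: ServerBindTCPPorts={raw or '<missing>'} does not include SQL port {sql_port}")
        for key in ("Persistent", "KillOldSession"):
            if cp.get("sqlservr", key, fallback="0") != "1":
                findings.append(f"step 2: {key} should be 1")

    # Step 5: both internal addresses must be in the LAT, the external address never.
    for label, ip in (("SQL Server", sql_internal_ip), ("ISA internal", isa["internal_ip"])):
        if not _in_lat(ip, lat_ranges):
            findings.append(f"step 5: {label} address {ip} is missing from the LAT")
    if _in_lat(isa["external_ip"], lat_ranges):
        findings.append("step 5: ISA external address is in the LAT")

    # Step 6: the publishing rule maps ISA external -> SQL internal for the SQL Server protocol.
    if rule.get("internal_server") != sql_internal_ip:
        findings.append("step 6: Internal Server IP is not the SQL Server internal IP")
    if rule.get("isa_server_ip") != isa["external_ip"]:
        findings.append("step 6: ISA Server IP is not the ISA external IP")
    if rule.get("protocol") != "Microsoft SQL Server":
        findings.append("step 6: Mapped Server Protocol is not Microsoft SQL Server")

    # Step 7.1: the client's hosts entry must resolve the ISA name to its external IP.
    parts = hosts_line.split()
    names = [p.lower() for p in parts[1:]]
    if len(parts) < 2 or parts[0] != isa["external_ip"] or isa["name"].lower() not in names:
        findings.append("step 7: hosts entry does not map the ISA name to its external IP")

    return findings


# Constructed sample values (RFC 1918 and RFC 5737 documentation addresses), not a real deployment.
ISA = {"name": "isaserver", "internal_ip": "192.168.1.1", "external_ip": "203.0.113.10"}
SQL_INTERNAL = "192.168.1.20"
LAT = [("192.168.1.1", "192.168.1.255")]
WSPCFG = "[sqlservr]\nServerBindTCPPorts=1433\nPersistent=1\nKillOldSession=1\n"
RULE = {"internal_server": SQL_INTERNAL, "isa_server_ip": ISA["external_ip"], "protocol": "Microsoft SQL Server"}
HOSTS = "203.0.113.10 isaserver"


def good_config():
    """Settings made exactly as steps 1-7 describe."""
    return review_sql_publishing(ISA, SQL_INTERNAL, 1433, ISA["external_ip"], WSPCFG, LAT, RULE, HOSTS)


def bad_config():
    """The two mistakes the text warns about: proxy set to the ISA internal IP,
    and SQL Server moved to port 1533 without updating ServerBindTCPPorts."""
    return review_sql_publishing(ISA, SQL_INTERNAL, 1533, ISA["internal_ip"], WSPCFG, LAT, RULE, HOSTS)


if __name__ == "__main__":
    print("good:", good_config() or "no findings")
    for finding in bad_config():
        print("bad:", finding)
```

Each check is tied to the step it verifies, so a finding points straight back to the dialog or file to correct. The port comparison splits ServerBindTCPPorts on commas because the Firewall Client accepts a port list there; the value in this article is the single port 1433.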