Hi,
I'm trying to get our brand new XG appliance to production, but I've encountered an issue which made me roll back to our former router/setup.
One of our servers has an application that uses an Azure DB (cloud database). The application support team told me that "the app only requires port 1433 bound to the server, inbound and outbound" to let the app connect to the Azure DB.
Currently we have a 1:1 NAT through a Mikrotik RouterOS (ISP owned and controlled - no access) from a public IP to the aforementioned server. With this configuration the app works great and connects to the Azure DB without an issue. (This extremely insecure setup was done by an external company, which I'm trying to correct.)
Last night I unplugged the Mikrotik router, plugged in the XG (which is in place of the Mikrotik, same IP address) and created a few basic network rules (LAN TO WAN, DMZ TO WAN, LAN TO DMZ) which allow hosts from LAN to access the internet, DMZ hosts to access the internet, and LAN hosts to connect to DMZ hosts. And a business app rule for the Azure DB server like this:
SOURCE:
HOST: AzureDBServerObject
HOSTED SERVER:
SOURCE ZONE: WAN
HOSTED ADDRESS: #Port2-WANIP
PROTECTED APPLICATION SERVER(s)
PROTECTED ZONE: DMZ
PROTECTED APPLICATION SERVER: ServerObject
FORWARD ALL PORTS: OFF
PORT FORWARDING
PROTOCOL: TCP
EXTERNAL PORT TYPE: PORT
EXTERNAL PORT: 1433
MAPPED PORT TYPE: PORT
MAPPED PORT: 1433
MASQUERADING: OFF
POLICIES: NONE
REFLEXIVE RULE: OFF
All worked as I expected, except for the Azure DB app, which wouldn't connect to the server. I tried with masquerading on and off, creating a reflexive rule and even forwarding all ports. I also changed the source host to "any" and tried creating a secondary rule for UDP. None of them worked.
Then I created a test environment with a Raspberry Pi and created the same business app rule but for port 22 bound to the Raspberry Pi on the DMZ, which worked like a charm.
I know I'm missing something... probably related to "inbound and outbound", and that is why port forwarding NAT is not working.
Can anyone throw some light on the matter?
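An added example (not part of the post and not Sophos code) modelling how a stateful zone firewall evaluates the three flows involved: the server's own outbound connection to the cloud database on TCP 1433, the reply packets, and a new inbound connection hitting the business application (port forward) rule. The zone names and ports follow the post; the rule order, the SNAT placeholder address and the simplified matching logic are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src_zone: str
    src_port: int
    dst_zone: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]          # None = any service
    snat_ip: Optional[str] = None    # address the remote side sees for matched outbound flows

# Constructed rule set modelled after the post (order and SNAT address are assumptions).
RULES = [
    Rule("LAN TO WAN", "LAN", "WAN", None, snat_ip="WAN_IP_PLACEHOLDER"),
    Rule("DMZ TO WAN", "DMZ", "WAN", None, snat_ip="WAN_IP_PLACEHOLDER"),
    Rule("LAN TO DMZ", "LAN", "DMZ", None),
    # Business application rule: only consulted for NEW connections arriving from WAN on 1433.
    Rule("AzureDB port forward", "WAN", "DMZ", 1433),
]

def first_match(flow: Flow, rules) -> Optional[Rule]:
    """First rule whose zones and service match the initiating packet of a flow."""
    for r in rules:
        if (r.src_zone, r.dst_zone) == (flow.src_zone, flow.dst_zone) and \
                r.dst_port in (None, flow.dst_port):
            return r
    return None

def classify(flow: Flow, rules, conntrack: dict) -> tuple:
    """Stateful evaluation: replies to a tracked flow pass by state, not by any rule;
    only a new flow's first packet is matched against the rule table."""
    reply_key = (flow.dst_zone, flow.dst_port, flow.src_zone, flow.src_port)
    if reply_key in conntrack:
        return ("established", conntrack[reply_key])
    rule = first_match(flow, rules)
    if rule is None:
        return ("dropped", None)
    conntrack[(flow.src_zone, flow.src_port, flow.dst_zone, flow.dst_port)] = rule.name
    return ("allowed", rule.name)

def egress_address(flow: Flow, rules) -> Optional[str]:
    """Source address a remote service observes for an outbound flow (its SNAT, if any)."""
    rule = first_match(flow, rules)
    return rule.snat_ip if rule else None
```

The point the model makes: the app's connection to the cloud database is a DMZ-to-WAN flow, so the port-forward rule never participates in it, and the address the database side sees is whatever the outbound rule translates to.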