Sybase NNTP forums - End Of Life (EOL)

The NNTP forums from Sybase - forums.sybase.com - are now closed.

All new questions should be directed to the appropriate forum at the SAP Community Network (SCN).

Individual products have links to the respective forums on SCN, or you can go to SCN and search for your product in the search box (upper right corner) to find your specific developer center.

Firewall hole Issue with SBS 2008

6 posts in Networking Last posting was on 2009-04-01 21:33:06.0Z
keith crusius Posted on 2009-03-27 20:20:46.0Z
Date: Fri, 27 Mar 2009 15:20:46 -0500
From: keith crusius <no@email.com>
Newsgroups: Advantage.Networking
Subject: Firewall hole Issue with SBS 2008

A customer is complaining that our ADS software, "can work on SBS 2008
only in the event that the firewall is set to allow connections from all
programs. This is a significant opening in the firewall and is
necessary because neither of [the] programs can establish a secure
connection with SBS 2008. By that I mean that when the secure
connection box is checked, these programs cannot access. I suggest that
you address this issue and also ensure that the programs can connect
with win sockets. These programs do not 'qualify' for the optimum
firewall protection which is an option to permit only the named program
to gain entry."

I'm no network expert. What should I do (suggest) to make this better?
He's running ADS 9.1 (new purchase). I know he was able to open a UDP
port and make it work, but he didn't like that opening either. Either he
is too ultra security conscious or I'm missing a better way. I think he
wants to list our executable as an exemption to the firewall, but that
apparently isn't working.


keith crusius Posted on 2009-03-28 05:04:42.0Z


> So long as Windows Sockets are used by ADS (confirmation by Sybase
> iAnywhere requested), then I would confirm with the customer that the
> application uses Windows Sockets and let him know the TCP/IP ports
> utilized (including the poorly documented discovery port). After this,
> it becomes a network engineers problem to implement the firewall
> security as desired.

What do you mean by ports utilized? Isn't 6262 (or whatever port we
use) the only one to worry about? If I set the connection path to
\\x.x.x.x:6262\share\path then I should only need to open port 6262 in
the firewall for TCP or UDP and that's it, correct? Is that not a
secure way to do things? Is TCP more secure than UDP? He also seems to
suggest that he wants to open his firewall to my program by name, but it
isn't working and that I should fix that. How do I fix that? Is there
some sort of official listing of allowed programs I can register for?

Sorry for the dumb questions as I am totally lost when it comes to most
networking issues. Thanks for your time as always.


keith crusius Posted on 2009-03-28 05:23:07.0Z

> He also seems to
> suggest that he wants to open his firewall to my program by name, but it
> isn't working and that I should fix that. How do I fix that? Is there
> some sort of official listing of allowed programs I can register for?

Researching this a little more, perhaps he isn't listing the ADS server
correctly in the program/service name rule for outgoing traffic. How do
you determine the exact name of the advantage service to list in a
firewall exception rule? Is it the name of the executable?
Unfortunately I don't have access to our server from where I'm at now to
see what's there.


Joachim Duerr (ADS) Posted on 2009-03-30 08:01:20.0Z


Rodd Graham wrote:

>TCP is no more or less secure than UDP as neither define a security
>policy. It is the stateful firewall and the application layers that
>enforce security policies.

UDP is stateless, TCP is stateful.
For firewall reasons it's better to use TCP - just to calm down the
admin - not for speed, not for security;)

--
Joachim Duerr
Advantage Presales
check out my new ADS book on http://www.jd-engineering.de/adsbuch


Joachim Duerr (ADS) Posted on 2009-03-30 21:18:07.0Z


Rodd Graham wrote:

>True, true. In general I prefer TCP over UDP, but it seems rare that
>software supports both since it must implement communications
>reliability algorithms with UDP that are part of TCP. IMO, it makes
>little sense to do this while simultaneously supporting TCP.

So ADS has once more an exceptional role ;)

--
Joachim Duerr
Advantage Presales
check out my new ADS book on http://www.jd-engineering.de/adsbuch


keith crusius Posted on 2009-04-01 21:33:06.0Z

For everyone's benefit, here is more information from this customer and the
ADS team's response (which I believe solved his problem, AFAIK).

[From Customer]
Here are my conclusions relating to the installation of Advantage Server /
IGN on SBS 2008:

IGN will not operate properly on SBS 2008 even where all users and all
computers on the network are specifically authorized pursuant to an INBOUND
firewall rule. Even where a CONNECTION SECURITY rule is applied to grant
access to all of the ip addresses on the network, this alone does not grant
IGN access to its database on the server.

The only thing that will enable IGotNotices to operate properly is an
INBOUND RULE that authorizes 1) all connections (not just secure
connections), 2) all programs (not just IGN) and 3) contains a list of all
local ip addresses under the Scope tab. This generalized rule cannot be
limited by specifying that the permission applies only to IGN or ign.add. So,
in order to permit IGN to function properly SBS 2008 must open the door to
any program running on any computer on the local network. I believe that
this creates a security breach because it allows all programs (viruses) from
every computer to access the server.

I do not know why IGN cannot be specifically enabled by the SBS 2008
firewall as a program. Perhaps it is because it has some type of
sub-program that in turn requires enablement. I suggest that you invest in
a SBS 2008 tech and obtain specific instructions as to how to make this
connection safely by configuring the firewall by the program rather than by
ip address.

[From Advantage]
I think it may be a configuration issue.

When creating a rule in the firewall, the program may be chosen, but be sure
to choose "ADS.exe" (the Advantage Server). For ADS 9.1 the default is
c:\program files\advantage 9.10\server\ads.exe. It sounds like the end user
may be choosing the client application or the Data Dictionary. But, be warned:
I believe the rule will cease to be effective if the executable (ADS.exe) is
changed in any way (e.g. update to latest service release, expand license
count, etc.). If this occurs, as far as I can tell the rule must be deleted
and re-added referencing the new executable.

As for using the "Connection Security Rule": make sure that a rule is
set up under "Connection Security Rules" in the Windows Firewall with
Advanced Security setting. If this is set up, most likely the client is not
set up correctly to pass this security information to the Windows 2008
server. (I believe that XP clients do not have this setup by default.) As
a test, find "Remote Desktop" under "Inbound Rules" on the Windows 2008
Firewall with Advanced Security and choose the same "Allow only secure
connections" setting for the "Remote Desktop" rule. Once set, verify that
the client can use Remote Desktop to connect to the server. If and when the
"Remote Desktop" connection succeeds, the communication between the client
and ADS should succeed as well.
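As an added illustration (not part of the thread or of Advantage's own documentation), the program-scoped inbound rule the Advantage team describes, written out with netsh advfirewall, which is the scripting interface on Windows Server 2008 / SBS 2008. It assumes the default ADS 9.1 path and TCP port 6262 as mentioned in the thread, clients on the server's local subnet, and a placeholder name for the earlier all-programs workaround rule.

```bat
@echo off
REM Added example: replace an "all programs / all addresses" opening with a rule
REM tied to one executable, one protocol, one port and the local subnet only.
REM Assumed values (from the thread): ADS 9.1 default path and TCP port 6262.

set ADS_EXE=C:\Program Files\Advantage 9.10\Server\ads.exe
set ADS_PORT=6262
set RULE_NAME=Advantage Database Server (TCP 6262)

REM 1. Remove the broad workaround rule. The name below is a placeholder;
REM    use whatever name was given to the all-programs rule on the server.
netsh advfirewall firewall delete rule name="ADS all-programs workaround"

REM 2. Inbound rule limited to ads.exe (not the client or the Data Dictionary),
REM    TCP, a single port, remote addresses on the local subnet, domain profile.
REM    No other process on the server can receive traffic through this opening.
netsh advfirewall firewall add rule name="%RULE_NAME%" ^
    dir=in action=allow enable=yes profile=domain ^
    program="%ADS_EXE%" protocol=TCP localport=%ADS_PORT% ^
    remoteip=localsubnet ^
    description="ADS 9.1 server process; re-check this rule after updating ads.exe"

REM 3. "Allow only secure connections" is the security=authenticate option.
REM    Enable it only once matching connection security (IPsec) rules exist on
REM    both the server and every client, and only after the Remote Desktop test
REM    from the thread succeeds; otherwise clients are simply blocked.
REM netsh advfirewall firewall set rule name="%RULE_NAME%" new security=authenticate

REM 4. Verify the rule as stored: program path, protocol/port, scope, profile.
netsh advfirewall firewall show rule name="%RULE_NAME%" verbose
```

Because the rule references the program by path, the verify step in 4 is the quick way to confirm after a service release that the rule still points at the executable actually installed.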