通过ISA代理SQL Server配置说明
前言
C/S程序开发方式,开发工具众多,开发效率高,缺点是一般是两层体系,在广域网上应用的时候安全性很难保证。
B/S程序开发方式,一般应用广域网,安全性较高,但是由于针对浏览器方式的开发,对于简单应用,开发效率还可以,对于复杂的应用以及操作,需要编写中间层组件,开发效率较差。
如何能够在广域网的应用体系中采用传统的局域网C/S开发方式,提高开发效率,改善界面友好性以及良好的可操作性,这就是本篇文章所要解决的问题。使用ISA作为SQL SERVER的代理服务器与防火墙,所有外部数据库访问通过ISA进行代理,外部访问连接并不直接连接到数据库服务器,而是连接到ISA服务器上,ISA服务器将外部请求重新定向到SQL服务器上,隐藏了SQL服务器,保护数据的安全性。外部请求不需要知道SQL服务器名以及地址,只要将ISA服务器当作SQL服务器进行请求,对于外部数据请求,由ISA服务器来进行判断是否连接以及如何处理,对于合法的连接,他是透明的,好像是与数据库服务器直接连接一样。
ISA、SQL Server简介
Microsoft Internet Security & Acceleration Server 2000
---- Microsoft公司Microsoft Internet Security & Acceleration Server提供强大的安全和网络加速功能。它具有基于策略的安全、速度和网络管理的特征, 与Windows 2000操作系统无缝集成,是一个具有高度可伸缩性的企业Internet防火墙和高速Web缓冲存储器。
---- Microsoft的ISA Server提供保密、高速、易处理Internet的连接。通过使企业Internet 防火墙和高性能的高速缓冲存储器功能结合,可以将Windows 2000 的安全、目录、有效的个人专用网络和利用服务的质量以及简化处理任务的带宽控制紧密地结合起来。
Microsoft SQL Server 2000
---- SQL Server 2000是为创建可伸缩电子商务、在线商务和数据仓储解决方案而设计的真正意义上的关系型数据库管理与分析系统。
---- Microsoft SQL Server 2000针对包括集成数据挖掘、OLAP服务、安全性服务及通过Internet对多维数据集进行访问和链接等在内的分析服务提供了新的数据仓储功能。
---- 除了提供电子商务所需的可伸缩性与可扩展性之外,SQL Server 2000还提供了丰富的基于Web标准数据库编程功能,以确保系统的协同工作和灵活性。与此相关,SQL Server 2000还包括丰富的XML、W3C标准支持。具有通过Transact SQL实现的XML数据操作能力、灵活而强大的Web分析功能以及使用HTTP进行的安全Web数据访问功能。
ISA、SQL Server的安装
Microsoft Internet Security & Acceleration Server 2000
1. 安装时,请注意确保计算机满足 Microsoft Internet Security & Acceleration Server 2000 的系统要求。有关更多信息,请参见 Microsoft Internet Security & Acceleration Server 2000 的硬件和软件安装要求。
2. 安装网卡、调制解调器(或是ISDN等)连接内部局域网和外部互联网。
3. 设置TCP/IP,设置内部外部IP地址。详情参见技术手册。
4. 运行安装盘上的ISA Server Enterprise Initialization,对参数进行设置。
l Array policy only. Select Use array policy only if each array should have its own policy, which can be administered by the array administrator.
l Enterprise policy only. Select Use this enterprise policy and type the name of the enterprise policy. In this case, the same enterprise policy will be applied to all the arrays in the enterprise. Unique access policies cannot be defined for each array in the enterprise. No rules can be defined at the array level.
l Combined enterprise and array policy. Select Use this enterprise policy and Allow array-level access rules to restrict enterprise policy. In this case, array administrators can define rules that further restrict the enterprise policy. For example, if the enterprise policy allows access to all sites, array administrators could refine that policy, by creating rules denying access to specific sites.
l If array administrators are allowed to publish internal servers, making those servers accessible to external (Internet) clients, then select Allow publishing rules to be created on the array.
l Select Use packet filtering on the array if packet filtering should always be enabled for the arrays in the enterprise. If you select this option, then the array administrator will not be able to disable packet filtering.
When ISA Server Enterprise Initialization is finished, the ISA Server schema is installed to Active Directory. You can now install ISA Server as an array member, creating the array that the ISA Server should join.
Note
The array creation process takes place when you install ISA Server on the first computer in the array. The information that is added to the Active Directory may take some time to replicate to all domain controllers. Therefore, if you receive an error message during installation that the ISA Server schema has not been installed, even though you have installed it, you must wait until the schema change has been replicated to the local domain controller.
Important
You must install the Windows 2000 Service Pack 1 or later before you install ISA Server.
If the computer on which you are installing ISA Server is not part of a Windows 2000 domain, then ISA Server will be installed as a stand-alone server. You can subsequently add the server to a Windows 2000 domain, and then join it to an array.
The first server in the new array defines a new array in Active Directory. You should allow sufficient time for the array information to replicate throughout the site before you add more members to the array.
When you install an ISA Server computer as a member of an existing array, you must install it in the same mode as the other array members. For example, if all the servers in the array were installed in firewall mode, then the new ISA Server computer must also be installed in firewall mode. The new ISA Server computer adopts the array's enterprise settings, access policy, publishing policy, and monitoring configuration.
You can select the disk drives that are available for caching during ISA Server installation. By default, the setup process searches for the largest NTFS partition and sets a default cache size of 100 megabytes (MB) if there are at least 150 MB available. When configuring the cache drives, you must, at a minimum, allocate at least one NTFS drive, setting aside at least 5 MB on that drive for caching. However, it is recommended that you allocate at least 100 MB and add 0.5 MB for each client that uses the HTTP or FTP protocols, rounded up to the nearest full megabyte.
The local address table (LAT) is a table of all IP address ranges used by the internal network behind the ISA Server computer. ISA Server uses the LAT to control how machines on the internal network communicate with external networks and decides which network adapters should be protected by loading the packet filter driver.
ISA Server can construct the LAT for you by basing it on your Windows 2000 routing table. You can also select the private IP address ranges, as defined by the Internet Assigned Numbers Authority (IANA) in RFC 1918. These three blocks of addresses are reserved for private intranets and are never used on the public Internet.
When creating a LAT, you should only include addresses on the private network. This means that you should not add the external interface of the ISA Server computer, any Internet sites, or any other external addresses including the DNS server at your Internet service provider, and so forth. An incorrect configuration of the LAT could make your network vulnerable to attacks.
The LAT is managed centrally, because it is maintained on the ISA Server computer. Firewall clients automatically download and receive LAT updates at preset, regular intervals.
Microsoft SQL Server 2000 (详细情况参见白皮书)
1. 安装时,请注意确保计算机满足 Microsoft SQL Server 2000 的系统要求。有关更多信息,请参见 SQL Server 2000 的硬件和软件安装要求。
2. 在运行 Microsoft Windows NT 或 Micorsoft Windows 2000 的计算机上安装 SQL Server 2000,并且希望 SQL Server 2000 与其它客户端和服务器通讯,则创建一个或多个域用户帐户。有关更多信息,请参见 创建安全帐户
3. 用具有本地管理权限的用户帐户登录到操作系统,或者给域用户帐户指派适当的权限。
4. 关闭所有和 SQL Server 相关的服务。包括所有使用 ODBC 的服务,如 Microsoft Internet Information 服务 (IIS)。
5. 关闭 Microsoft Windows NT 事件查看器和注册表查看器(Regedit.exe 或 Regedt32.exe)。
ISA、SQL SERVER的配置
1. 配置SQL Server TCP/IP网络协议
使用SQL Server Network Utility工具进行配置,启用TCP/IP协议,添加WinSocket代理,设置代理服务器的IP地址为ISA服务器的外部IP地址。设置SQL Server使用的端口。
注意:如果设置的IP地址是ISA服务器的内部IP地址,那么将不起作用!!
2. 在SQL Server服务器上创建Wspcfg.ini文件
文件内容:
[sqlservr]
ServerBindTCPPorts=1433
Persistent=1
KillOldSession=1
将文件保存在与Sqlservr.exe相同的路径下。如果在第一步设置的端口不是1433,将ServerBindTCPPorts=1433修改成为第一步所设置的端口。
3. SQL Server服务器端安装Fiewwall客户端
连接ISA服务器,查找MSPCLNT共享目录,安装Fiewwall客户端,这个共享目录是安装完ISA之后自动共享的。
4. 重新启动SQL Server服务器
5. 设置ISA的Network的LAT
添加SQL Server与ISA服务器的内部IP地址到LAT中。
6. 设置Publishing属性的Server Publishing Rules
使用Publish a Server,设置一个发布名称,填写Internal Server的IP为SQL Server服务器的内部IP地址,填写ISA Server的IP地址为ISA服务器的外部IP地址,设置Mapped Server Protocol为Microsoft SQL Server。设置访问规则。
7. 在需要访问的外部客户端进行测试
1. 配置客户端的hosts文件,填写ISA服务器的外部IP地址与机器名。
2. 使用Ping.exe进行测试,看是否能够连通(Ping xxxServer).
3. 使用SQL Server客户端或是其他工具进行连接测试,使用的服务器名称为ISA服务器的名称。