
RE: VPN to database?

From: Jared Still <jkstill_at_cybcon.com>
Date: Fri, 24 Oct 2003 15:29:25 -0800
Message-ID: <F001.005D43E2.20031024152925@fatcity.com>


I suppose it could be set up that way, but ours is not.

The only way to connect to a database from a local app through the VPN (for me anyway) is to tunnel sqlnet through ssh.

We could set it up to allow a certain range of ports through, just as we do for other apps, but I don't see any point in it, as I'm the only one that would benefit from it. :)

Jared

On Fri, 2003-10-24 at 14:29, Goulet, Dick wrote:
> Jared,
>
> I'm no network guru, so take this with a ton of salt, but this is how I believe our network admin has it set up. The VPN tunnel comes in through the outer firewall on a specific port to the VPN server in the DMZ. The VPN server then spreads the ports out as needed to the inner firewall, which opens up all ports on the inside to that one server/IP address. Therefore, from the application's point of view the inside of the firewall looks the same whether you're connected directly on the local LAN or coming in via VPN. And if it's that simple, I'm going to be greatly surprised. But I will point out that if the VPN security stuff is not set up just right or gets disturbed the whole thing shuts down better than a clam.
>
> Dick Goulet
> Senior Oracle DBA
> Oracle Certified 8i DBA
>
> -----Original Message-----
> Sent: Friday, October 24, 2003 5:14 PM
> To: Multiple recipients of list ORACLE-L
>
>
> You're going through a firewall that allows port 22 to go
> through and connect to your ssh daemon via the VPN.
>
> Port 15xx is likely being blocked, as well as the range
> of ports used to create the sqlnet connections.
>
> I'm not a security guru, but I doubt that the firewall admins
> are opening all the ports just because you're connecting
> via VPN.
>
> I also connect through a VPN, but the only ways I know of
> to connect from my local apps to a database behind the firewall
> is to open up some ports ( probably won't fly ) or tunnel
> the sqlnet in via ssh.
>
> Jared
>
>
> On Fri, 2003-10-24 at 13:19, Todd Boss wrote:
> > No, but (and forgive me for asking) why does that matter?
> >
> > Is sqlnet tunneling important for security reasons, or important
> > for connectivity? I'm able to telnet to the box straight away.
> >
> > I figured that, once VPN was connected, I'd be able to run whatever
> > applications I wanted locally. After not being able to get
> > any Oracle client to connect, I wondered if VPN had the capability
> > to transmit anything but the "lowest" level of tcp/ip protocols.
> >
> > boss
> >
> > >
> > >
> > > Are you tunneling sqlnet through ssh?
> > >
> > > http://www.akadia.com/services/ssh_install_and_use.html
> > >
> > > On Fri, 2003-10-24 at 08:44, Todd Boss wrote:
> > > > I can tell you right now, I'm VPN'd to a client overseas and have
> > > > NOT been able to get OCI to work over the protocol. I can telnet/ssh
> > > > to the machine where the Oracle server runs (it's Solaris) and work
> > > > via a sql*plus window, but nothing runs locally (i.e., Toad or Windows
> > > > version of sql*plus connected to the remote server).
> > > >
> > > > If there's some secret to making OCI work over VPN, we were not able
> > > > to find it.
> > > >
> > > > boss
> > > >
> > > > >
> > > > > We are an Application Service Provider--we maintain a set of servers in
> > > > > a colocation facility and our customers use our application via the
> > > > > Web. Security is a paramount concern, of course, and only our Web
> > > > > server has a public IP address, with the application and database
> > > > > servers completely private.
> > > > >
> > > > > We supply a number of standard reports, but most of our customers want
> > > > > some custom reports as well. We would like to give them access to our
> > > > > database, possibly over a VPN, but only if security can be maintained.
> > > > > I'd like to know if anyone has faced such a situation, and what kind of
> > > > > configuration (network/firewall/VPN/Oracle Net) might make such access
> > > > > possible.
> > > > >
> > > > > TIA,
> > > > >
> > > > >
> > > > >
> > > > > =====
> > > > > Paul Baumgartel
> > > > > Transcentive, Inc.
> > > > > www.transcentive.com
> > > > >
> > > > > --
> > > > > Please see the official ORACLE-L FAQ: http://www.orafaq.net
> > > > > --
> > > > > Author: Paul Baumgartel
> > > > > INET: treegarden_at_yahoo.com
> > > > >
> > > > > Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> > > > > San Diego, California -- Mailing list and web hosting services
> > > > > ---------------------------------------------------------------------
> > > > > To REMOVE yourself from this mailing list, send an E-Mail message
> > > > > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> > > > > the message BODY, include a line containing: UNSUB ORACLE-L
> > > > > (or the name of mailing list you want to be removed from). You may
> > > > > also send the HELP command for other information (like subscribing).
> > > > >

Received on Fri Oct 24 2003 - 18:29:25 CDT
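
The ssh tunnel for sqlnet that this thread keeps coming back to, as an added example that is not part of the original messages: it forwards a loopback-only local port to the database listener and prints the matching tnsnames.ora alias. The gateway login, host names, service name and both port numbers are placeholders assumed for illustration.

```shell
#!/bin/sh
# Added example: carry Oracle Net (SQL*Net) over ssh, so only port 22 has to
# pass the firewall. Every value below is a placeholder (assumption).
GATEWAY="${GATEWAY:-jdoe@ssh-gw.example.com}"  # ssh login reachable over the VPN
DB_HOST="${DB_HOST:-db1.internal.example}"     # listener host, as seen from GATEWAY
DB_PORT="${DB_PORT:-1521}"                     # assumed listener port
LOCAL_PORT="${LOCAL_PORT:-11521}"              # local end of the tunnel
SERVICE="${SERVICE:-ORCL}"                     # assumed service name

# Accept only a decimal TCP port, so nothing else reaches the ssh command line.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Forward spec for ssh -L. Binding 127.0.0.1 explicitly keeps other machines
# on the client's network from connecting through the tunnel.
tunnel_spec() {
    printf '127.0.0.1:%s:%s:%s\n' "$LOCAL_PORT" "$DB_HOST" "$DB_PORT"
}

# tnsnames.ora alias that points the local client (sqlplus, Toad) at the tunnel.
tns_entry() {
    cat <<EOF
${SERVICE}_TUNNEL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = ${LOCAL_PORT}))
    (CONNECT_DATA = (SERVICE_NAME = ${SERVICE}))
  )
EOF
}

# "up" opens the tunnel; with no argument the script only prints what it would use.
# -N: forwarding only, no remote shell. -f: background after authentication.
# ExitOnForwardFailure: fail rather than run without the forward.
# Only the forwarded port is carried: a listener that redirects the client to
# a second port will not work through this tunnel.
case "${1:-show}" in
    up)
        valid_port "$LOCAL_PORT" && valid_port "$DB_PORT" || exit 2
        ssh -N -f -o ExitOnForwardFailure=yes -L "$(tunnel_spec)" "$GATEWAY"
        ;;
    show)
        echo "ssh -N -f -o ExitOnForwardFailure=yes -L $(tunnel_spec) $GATEWAY"
        tns_entry
        ;;
esac
```

Run it with `up` to open the tunnel, append the printed alias to the client's tnsnames.ora, and connect to the `_TUNNEL` alias from the local tool.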
