I recently needed to publish a Windows NT Oracle8 server from a private network to be accessible from a demilitarized zone (DMZ). My company uses back-to-back DMZ configuration with Microsoft Internet Security and Acceleration (ISA) Server 2000. By default, the Oracle client and server use dynamic ports to negotiate a subsequent connection. Thus, the ISA Server configuration isn't sufficient for the initial connection. To have connectivity through the firewall, I needed to make configuration changes to the Oracle client and server.
I used the Microsoft Management Console (MMC) ISA Management snap-in to create a protocol definition named SQL*Net (Inbound) with the following parameters.
Port number: 1521 Protocol type: TCP Direction: Inbound No secondary connections
Then, I created a client address set that included the clients on the DMZ. I also created a publishing rule for the Oracle server. I applied the publishing rule to the SQL*Net (Inbound) protocol and to requests from the client set.
On the Oracle server, I added the system environment variable setting USE_SHARED_SOCKET, with the value TRUE. On Oracle8 for Windows, you can alternatively add a registry value called USE_SHARED_SOCKET to create the setting. This environment variable setting works on Windows and UNIX platforms.
I used Oracle's Net8 Easy Config utility to configure clients to point to the ISA Server's external interface. Then, I used Notepad to edit the connection string in C:\orawinnt\net80\admin\tnsnames.ora. I added the text (SERVER=DEDICATED) immediately after the text (SID=DB) in the connection string. UNIX requires the same change in the tnsnames.ora file. After my changes, the client connection from the DMZ to Oracle8 was successful.
