netcurmudgeon (netcurmudgeon) wrote,

  • Location:
  • Mood:
  • Music:

Give me a command line or give me death!

As unsophisticated as the PIX may be, that simplicity does make it pretty straight forward to configure. Which is a Good Thing, 'cause I was in the Cops' PIX a bunch today.

The first trip into the magical kingdom of the Cisco PIX firewall was to adjust the rules so that the three new remote Police sites can get in to headquarters to the SQL server with all of the mugshots on it. That was pretty trivial: copy the one line of the config that did that for Vice & Narcotics' old connection, and alter it thrice for Vice & Narcotics' new connection, and the new connections out to the North and South substations.

And then there was the M S D T C. The Microsoft Distributed Transaction Coordinator. We converted to a new rev of the financial system this weekend, which also saw us move from a Sun server running Sybase to a Windows server running SQL server. With SQL server comes MSDTC to do those high-faluten transactional things (like two-stage commit, which I used to know what it was). Everyone is working fine with the new software -- except the Cops.

The Cops, as described above, sit behind their own firewall; a good idea given the rather wild west nature of the rest of the network. But MSDTC was designed to operate inside a network, and in an environment where client and server would be separated by a firewall. The interim solution was to configure the Police PIX to grant unrestricted access by the financial server into the 'general office' subnet at the Cops. Now, when the MSDTC instance on the server tries to talk to a Police client, traffic will flow freely. Which, is a less than ideal situation.

I did some quick Googling and skimming and found that you can indeed configure MSTDC to behave across a firewall -- you just have to do some heavy registry editing, and perhaps make manual entries for every possible client that will ever connect to the server. Sigh. It appears that when an MSDTC client and server connect they use Microsoft's RPC service to randomly assign TCP port numbers for their connections in a scattershot fashion "above 1024". Thanks Redmond. Show me where all of this emphasis on security has gotten us, aside from being harassed by "auto update" all the time. Could'ja have made this a little easier to lock down?

I have my work cut out for me. I'll probably spend some time tomorrow poring over Microsoft's bulletin on getting MSDTC to work across a firewall and see if I can make anything good out of it.

  • Post a new comment


    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.