Oracle and Firewall settings
To reach an Oracle database on Windows that sits behind a firewall, it is not enough to simply open the fixed TCP port.
The root cause of this problem is a peculiar design in the Windows version of Oracle Database (Unix/Linux is not affected).
How Oracle's network communication ports work
Network access to the Oracle database uses a very peculiar mode of operation. The process is roughly as follows:
1) The Oracle Net Listener process on the Oracle server continuously listens on a fixed TCP port (default 1521);
2) The client sends a connection request to the Net Listener port on the server;
3) After receiving the client's request, the listener establishes a connection with the client and notifies the server to create a new database connection service process (hereinafter referred to as P). P randomly selects a TCP port, binds to it, and then tells the listener the port number;
4) The listener passes the port number bound by P to the client;
5) The client receives P's port number, terminates its connection with the listener, and then connects directly to P on the port P has bound;
Only at step 5 is the connection finally complete, and the client can then access the database.
As the workflow above shows, in this mode of operation the Oracle server port that the client actually connects to is random.
It is therefore not possible to pre-set a fixed TCP port on the firewall so that the Oracle server can be accessed.
Oracle is said to have been forced into this because the TCP/IP part of early Windows NT had a bug, and connecting directly over a shared port would cause problems, so Oracle came up with this "genius" design.
However, the bug was gone after NT4 SP3, so why is this peculiar mode still in use as of Oracle 11g? And with network security problems as serious as they are now, if a firewall really could not be used, would the Windows version of Oracle Database sell at all?
Oracle is certainly not that foolish: since Oracle 8i, the Windows version of Oracle can also use the normal mode of operation, but the default is still the peculiar mode.
This issue only exists for Oracle 9i and earlier versions on the Windows platform. On Linux and UNIX platforms, where multiple processes can reuse a port, the Oracle server process shares one port (1521) with the listener process, the client connects only once, and no second connection is made. That differs from the process described above.
On the Windows platform, database versions 10g and above also use port multiplexing to avoid this problem. In fact, in 10g USE_SHARED_SOCKET defaults to true.
Second, set a program exception in the firewall
Even in Oracle's peculiar mode, you can get through the firewall by adding an exception for the Oracle program in the firewall.
Third, set a port exception in the firewall
In the Windows registry (Homedir is the instance name of the Oracle database installed on your machine), add a string value named USE_SHARED_SOCKET with the value true (note the case), and then restart the Oracle instance or simply reboot Windows.
After that, you can access Oracle from outside the firewall by opening Oracle's listening port (default 1521) on the firewall.
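To check whether sessions are still being handed off to random ports, the following added example (not part of the original article) parses Windows `netstat -ano -p TCP` output and lists Oracle sessions whose local port is not the listener port. The sample output, addresses and PIDs are constructed, and the set of Oracle PIDs is assumed to have been looked up separately (for example with tasklist).

```python
import re
from collections import defaultdict

LISTENER_PORT = 1521  # default listener port named in the article

# Constructed sample in the layout of `netstat -ano -p TCP` on Windows.
# PID 2040 stands for the listener, PID 3312 for the database server process,
# PID 1188 for an unrelated service. Ports 1046/1047 are made-up handoff ports.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1521           0.0.0.0:0              LISTENING       2040
  TCP    10.0.0.5:1521          10.0.0.21:50112        ESTABLISHED     2040
  TCP    10.0.0.5:1046          10.0.0.22:50344        ESTABLISHED     3312
  TCP    10.0.0.5:1047          10.0.0.23:50871        ESTABLISHED     3312
  TCP    10.0.0.5:3389          10.0.0.9:61002         ESTABLISHED     1188
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Yield (local_port, remote_addr, state, pid) for every TCP row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and blank lines do not match and are skipped
            yield int(m.group(2)), m.group(3), m.group(5), int(m.group(6))

def redirected_sessions(text, oracle_pids, listener_port=LISTENER_PORT):
    """Map local port -> remote peers for Oracle sessions off the listener port."""
    found = defaultdict(list)
    for port, remote, state, pid in parse_netstat(text):
        if pid in oracle_pids and state == "ESTABLISHED" and port != listener_port:
            found[port].append(remote)
    return dict(found)

def firewall_verdict(text, oracle_pids, listener_port=LISTENER_PORT):
    """Say whether a firewall rule for the listener port alone covers all sessions."""
    extra = redirected_sessions(text, oracle_pids, listener_port)
    if not extra:
        return "OK: all Oracle sessions use port %d" % listener_port
    ports = ", ".join(str(p) for p in sorted(extra))
    return "REDIRECT: sessions on ports %s need more than a %d rule" % (ports, listener_port)

if __name__ == "__main__":
    print(firewall_verdict(SAMPLE_NETSTAT, oracle_pids={2040, 3312}))
```
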
The following is required in MTS mode (shared mode); by default Oracle runs in private (dedicated) mode.
It was found that if the parameter is not set in the init file, Oracle still needs a random port in addition to port 1521 to communicate. This random port does not change with client sessions and logins, and stays fixed as long as the server is not restarted. (Experiment showed that in private mode, for each connection the Oracle server provides a non-1521 port, incrementing by 1.) Therefore, you also need to add a parameter to the end of the init.ora file:
mts_dispatchers="(ADDRESS=(PROTOCOL=TCP)(HOST=MYORADB)(PORT=1521))(DISPATCHERS=1)"