Microsoft SQL Server uses two methods of access for replicated data: FTP and ODBC. Both services are required for replication over the Internet. Microsoft Proxy Server must be configured correctly to establish a link through ODBC and then to transfer data. Before configuring SQL Server replication, you must test the proxy server by connecting to it and then transferring data to and from it. There are four key steps to configuring Microsoft Proxy Server:
The Internet provides a cost-effective way to publish and collect (pull/subscribe) data over long distances, but it also can make the internal network and data vulnerable. To protect the network, disable listening on inbound service ports and disable IP forwarding. When IP forwarding is disabled, only your Network Operations–assigned IP address is visible to users on the Internet, reducing the potential for unauthorized intrusion.
The proxy server can block external ranges of IP addresses. When IP forwarding is disabled, Internet users cannot initiate connections unless an application service port is specifically enabled.
To disable IP forwarding
In large Windows NT environments, you can provide maximum security by establishing a separate domain for your proxy server with a single one-way trust relationship to another domain where SQL Server will be located on your private network. For configuration information, see your Windows NT documentation.
SQL Server replication uses FTP to transfer initial data and schema from one location to another over the Internet. The Snapshot Agent places in the snapshot folder data that is retrieved by the Merge Agent or Distribution Agent on the Subscriber.
When SQL Server replication transmits data over the Internet, it uses the FTP directory on the proxy server as the snapshot folder. An ODBC connection to the Distributor is first established to obtain the location of the snapshot folder. The Merge Agent on the Subscriber then initiates an FTP connection to the proxy server and retrieves any information stored in the snapshot folder.
To configure the FTP service on the proxy server, set the FTP home directory to the drop location in which SQL Server data is placed for replication. Stop and restart the FTP service for the changes to take effect.
To configure the FTP Service
FTP Site Description | FTP Replication Site |
Select the IP Address to use for this FTP Site | Enter the IP address for this site. |
TCP Port this FTP Site should use | 21 |
Enter the Path for your home directory | For example, C:\repldata\ftp |
What access permissions do you want to set for the home directory | Allow Read Access |
To complete the configuration of the FTP site, alter the default security settings. To increase security, turn off Anonymous Access or guest account access. A user account with appropriate permission should be defined for SQL Server Agent to gain access to all Windows NT servers. This same account is used to gain access to FTP and WinSock Services. For more information about SQL Server Agent account access, see “Configuring SQL Server Agent Account Access” earlier in this chapter.
To control FTP access through Proxy Server
Note This excludes any FTP Site Operator account entered in step 5 unless the IP address entered here is a static IP address for that account.
Before data can be transferred, the Subscriber must initialize an ODBC connection by using the WinSock Proxy service.
The WinSock Proxy service requires a protocol definition to identify valid network protocols when access control is enabled. The WinSock Proxy service uses the defined protocols to determine which Windows Sockets applications can be used to access the Internet.
If access control is enabled, the Replication Agent on the Subscriber uses the user account configured for the SQL Server Agent to gain access to system resources. The FTP user account can also be used by the WinSock Proxy for server connections.
To configure a protocol definition for WinSock Proxy to SQL Server
Note The protocol name has no significance. It is a mnemonic used to identify the socket and the accounts or servers that will be granted access.
To configure the WinSock Proxy service permissions
After all servers have been configured, it is recommended that you establish a connection and attempt to transfer data. Using SQL Server Agent user account, test the connection thoroughly. If the servers cannot connect, replication will not function properly.