Workstation on the network can only connect to domain controller on port 3306 if incoming port 3306 TCP is set to public on domain controller firewall.

Anonymous
2025-02-08T18:01:37+00:00

My workstation (Windows 11) on the domain network needs to connect to the MySQL server on the domain controller (Windows Server 2025) via TCP port 3306. The workstation is able to join the domain on the domain controller. When the firewall on the domain controller has an inbound rule added to allow connections on TCP port 3306 for the private and domain profiles, the workstation cannot connect to the MySQL server on the domain controller. telnet <server ip> 3306 returned "Could not open connection to the host, on port 3306: Connect Failed." When the firewall on the domain controller has an inbound rule allowing connections on TCP port 3306 for the public profile, or the firewall is turned off for the public profile, the workstation is able to connect to the domain controller via port 3306. How do I connect the workstation to the domain controller without opening port 3306 to the public? Thank you!

Windows for business | Windows Server | Networking | Network connectivity and file sharing



3 answers

  1. Anonymous
    2025-02-10T05:56:22+00:00

    Hello,

    Thank you for reaching out.

    It seems like the issue you're facing is due to the firewall settings on your domain controller. When you allow the incoming traffic on TCP Port 3306 only for the public profile, your workstation can connect to the MySQL server, but that's not ideal as it exposes the port to public networks. You want to restrict the connection to only the domain network, without exposing it publicly.

    Here are some steps to resolve the issue without opening port 3306 to the public:

    1. Check the Network Profile of the Domain Controller

    Ensure that your domain controller is correctly categorized as part of the Domain network profile. Sometimes, Windows might mistakenly categorize the domain controller as a public network, even if it’s part of the domain network.

    You can check this by running:

    Get-NetConnectionProfile

    Ensure that the domain network interface is listed as DomainAuthenticated and not as Public. If it’s incorrect, change it using:

    Set-NetConnectionProfile -InterfaceAlias "Ethernet" -NetworkCategory DomainAuthenticated

    2. Allow 3306 TCP for the Domain Profile on the Firewall

    You should configure the firewall rule to specifically allow connections for private and domain profiles, and avoid using the public profile for security reasons.

    Follow these steps:

    Open Windows Firewall and go to Advanced Settings.

    In the Inbound Rules, locate the rule allowing TCP 3306.

    Right-click the rule and choose Properties.

    Under the General tab, ensure that the rule is enabled.

    Go to the Scope tab and set the rule to apply only to the Domain profile and not to the public network.

    Also, ensure that the Local IP Address is set to match the IP range of your domain network.

    3. Check MySQL Binding Address

    MySQL has a configuration option bind-address which controls on which IP address MySQL listens. By default, MySQL may only listen to 127.0.0.1 or localhost.

    Open your my.cnf (or my.ini on Windows) file and ensure that MySQL is bound to the correct IP address (e.g., the domain controller's private IP address or 0.0.0.0 to listen on all interfaces). Example:

    bind-address = 0.0.0.0

    After making this change, restart MySQL.

    4. Check the Routing Configuration

    Ensure that there is proper routing between your workstation and the domain controller. If the workstation is on a different subnet, you might need to add a route on the domain controller to allow traffic from your workstation's subnet to reach port 3306.

    5. Verify Network Isolation Settings

    If you're using Network Isolation or Network Segmentation, ensure that the workstation can still reach the domain controller via TCP Port 3306 on the required interface.

    6. Check for Antivirus Software Blocking

    Some antivirus software (on either the workstation or domain controller) might block specific ports. Check for any settings in the antivirus software that might be preventing the connection.

    7. Use Telnet for Further Debugging

    After ensuring all firewall rules are correct, test the connection again using telnet:

    telnet <server-ip> 3306

    If the connection still fails, it could mean either MySQL is not listening on that port, or there's a misconfiguration in the firewall. You can also use tools like Wireshark to trace the packets and see if they’re getting blocked or misrouted.

    8. Use Windows Server Firewall for Domain Profile

    In some cases, instead of relying on the default Windows firewall settings, you might need to set up explicit inbound rules for the domain profile. Create a rule that allows port 3306, specifying the domain network only.

    If you've verified all of this and the connection still fails, there may be a deeper networking or misconfiguration issue on either the workstation or the domain controller. Let me know how it goes!

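As an added example (editor-supplied, not part of the answer above or of any Microsoft documentation), the following PowerShell does the firewall part of steps 1, 2 and 8 in one pass on the domain controller: it checks that an interface is currently in the DomainAuthenticated category (that category is assigned by the Network Location Awareness service, so the script tests for it rather than trying to set it), creates an inbound rule for TCP 3306 that applies only to the Domain profile and only to the local subnet, and then audits every enabled inbound allow rule for TCP 3306, flagging any whose profile still includes Public. The rule name and the remote-address scope are assumptions; run it in an elevated PowerShell session.

```powershell
# Added example, not from the original thread. Assumed values: rule display name and
# remote-address scope. Run elevated on the domain controller.

$RuleName   = 'MySQL 3306 (Domain profile only)'   # assumed display name
$Port       = 3306
$AllowedNet = 'LocalSubnet'                         # assumed; e.g. '10.0.0.0/24' for one subnet

# 1. Confirm an interface is currently classified DomainAuthenticated. A Domain-scoped
#    rule does nothing while the adapter is sitting in the Public profile.
$profiles = Get-NetConnectionProfile
$profiles | Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity | Format-Table -AutoSize
if (-not ($profiles | Where-Object NetworkCategory -eq 'DomainAuthenticated')) {
    Write-Warning 'No interface is in the DomainAuthenticated category; a Domain-scoped rule will not apply yet.'
}

# 2. Create (or replace) the rule. -Profile Domain limits it to the domain profile and
#    -RemoteAddress limits which source addresses may use it.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort $Port `
    -Profile Domain -RemoteAddress $AllowedNet -Action Allow | Out-Null

# 3. Audit: list every enabled inbound allow rule for TCP 3306 with the profiles it
#    covers, and flag any rule that still exposes the port on the Public profile.
$portFilters = Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $Port }
foreach ($pf in $portFilters) {
    $rule = $pf | Get-NetFirewallRule
    if ($rule.Direction -eq 'Inbound' -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Allow') {
        $flag = if ($rule.Profile -match 'Public|Any') { '  <-- exposed on Public profile' } else { '' }
        '{0,-45} Profile={1}{2}' -f $rule.DisplayName, $rule.Profile, $flag
    }
}
```

From the workstation, `Test-NetConnection -ComputerName <server-ip> -Port 3306` gives the same answer as the telnet test in step 7 (TcpTestSucceeded True or False) without needing the Telnet client feature installed.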
  2. Anonymous
    2025-02-10T14:18:11+00:00

    Thank you, Molly. The issue is the domain controller network adapter having public network setting. Disabling and enabling the network adapter gets it to identify as a domain network, and everything works. However, with a reboot of the domain controller, the network adapter goes back to public network. Any idea of how to make the network adapter retain the domain network profile?

  3. Anonymous
    2025-02-12T02:10:07+00:00

    You can consider creating a scheduled task that restarts the network adapter after the system starts. This can help the network adapter identify as a domain network profile after every reboot.

    1. Open Task Scheduler.
    2. Create a new task.
    3. Set the trigger to "At startup".
    4. Set the action to "Start a program" and point it to powershell.exe.
    5. Add the script as an argument:
       -Command "& { $NetworkCategory = (Get-NetConnectionProfile).NetworkCategory; if ($NetworkCategory -match 'Public') { Get-NetAdapter | Restart-NetAdapter } }"

    6. Save the task.
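As an added example (editor-supplied, not from the answer above), the following PowerShell registers the startup task described in steps 1 to 6 in one go, with two refinements a practitioner would want: the script waits after boot and retries a few times, so it does not restart the adapter before NLA, DNS and the directory service have had a chance to classify the network, and it restarts only the adapters that actually report Public instead of every adapter on the box. Each decision is written to a log file so the behaviour can be checked after a reboot. The task name, script path, log path and timing values are assumptions; run it once in an elevated PowerShell session on the domain controller.

```powershell
# Added example, not from the original thread. Assumed values: task name, script and
# log paths, and the sleep/retry timings. Run elevated once on the domain controller.

$TaskName   = 'Reidentify-DomainProfile'                        # assumed
$ScriptPath = 'C:\ProgramData\Reidentify-DomainProfile.ps1'    # assumed

# Script body executed at startup. Single-quoted here-string: nothing is expanded now;
# the $(...) expressions run when the task executes the file.
$Script = @'
$log = 'C:\ProgramData\NetProfileFix.log'   # assumed log path
Start-Sleep -Seconds 60                      # let NLA, DNS and NTDS come up after boot
for ($i = 0; $i -lt 5; $i++) {
    $public = Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Public'
    if (-not $public) {
        "$(Get-Date -Format s) profile OK: $((Get-NetConnectionProfile).NetworkCategory -join ',')" | Add-Content $log
        break
    }
    foreach ($p in $public) {
        "$(Get-Date -Format s) $($p.InterfaceAlias) is Public; restarting adapter" | Add-Content $log
        Restart-NetAdapter -Name $p.InterfaceAlias -Confirm:$false
    }
    Start-Sleep -Seconds 30                  # give NLA time to re-evaluate before the next check
}
'@
Set-Content -Path $ScriptPath -Value $Script -Encoding ASCII

# Steps 3-5 of the answer: startup trigger, powershell.exe action pointing at the script.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
               -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

# Step 6: save the task (-Force replaces an existing task of the same name).
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null
```

After the next reboot, `Get-NetConnectionProfile` should show DomainAuthenticated and the log should contain either a "profile OK" line or one "restarting adapter" line per affected interface; if the log shows five restart attempts and no "profile OK", the adapter is not re-identifying at all and the cause is elsewhere than timing.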