How to connect to SQL server on our Intranet

Posted on 2005-03-30
Medium Priority
Last Modified: 2012-06-21

We have an SQL server on our intranet and a web server running IIS which has ASP pages for viewing/editing etc. data from the SQL server within the intranet.

The intranet has a connection to the internet via an ADSL router so we have a public dynamic IP and all the intranet PCs are behind NAT.

Which is the best way to access the SQL server data?

1- Access the intranet by forwarding port 80 on the router to the IIS server (what about security?)
2- Access the intranet SQL server by port forwarding on the router and using enterprise manager to connect remotely?
3- Place some ASP pages on a hosted webserver on the public internet (and these connect to our intranet somehow) and we can access these...

I am very stuck with this and do not know the security implications of each one....


Question by:intangiblemedia
LVL 11

Expert Comment

ID: 13664893
If you are attempting to access the intranet from the outside and run ASP pages, then:
1. I would use SSL to access the intranet.
2. Validate intranet access (on the top level intranet page) using NT/Windows.
3. If the intranet pages are already displaying data (by accessing from the intranet), then you shouldn't have to modify anything with the connection string.
4. A best practice for database security is to not embed the connection string in the ASP page. It should reside somewhere else like the web.config page that Internet users wouldn't be able to access. It is also good practice to run the pages under a user 'alias'. In ASP.NET pages, this would be the aspnet_user account in windows.

Hope this helps.

Author Comment

ID: 13665490
Thanks Jokra,

Can I validate the intranet access on the top level page using validation against a recordset and create sessions on the ASP pages so that no other pages can be accessed unless they have successfully logged in on the login page?

Also, what if I post all the existing intranet pages on a public hosted website and stick in a connection string to the SQL server in a private folder. As I understand it, it would call over the internet using SSL and go through port 14xx and perform the database queries? Is it safe?

Thanks and ready to close after next suitable post.

Accepted Solution

caball88 earned 1500 total points
ID: 13665889
ok let me get this straight you are trying to 1) find a safe way for IIS to talk to SQL server? or are you trying to 2) access your sql server remotely outside your network?

1)if this is the case i would put the IIS machine on a DMZ which is on your network but restricted. only allow port 1433(sql) for the local ip address of your sql server through to your local network. so now the IIS machine can only talk to your SQL server. it cannot communicate with any other box on your local network unless you specify permission to do so.

2)if you are trying to connect remotely to your SQL server then i would suggest setting up a VPN. you'll establish a virtual connection to your network and then you can use enterprise manager to connect to sql server. i assume this would be for management and administration.

i am a little confused when you say access the intranet because to me the intranet is the local network and cannot be accessed from the outside. are you trying to access the intranet remotely? if so refer to solution 2 and use a VPN.

LVL 11

Expert Comment

ID: 13666169
Are you using ASP 3.0 or ASP.NET pages?

Author Comment

ID: 13668997

Thanks again. We are using ASP 3.0

I was hoping to open port 1433 from the public internet to the private side of our intranet and point it to the SQL server with port forwarding. This would allow our website to have forms so that they can interact with the db remotely as they are hosted on public internet in London and our intranet is in Spain.

In addition, I wanted to allow remote workers to access the intranet and view the pages that work off the SQL server, so I was thinking of pointing port 80 to the IIS machine on our intranet so when our ADSL's public IP is accessed in http, it would point them to a login page on the IIS machine on the intranet and if login was successful they could see the intranet pages.

I tried setting up a Linksys VPN WRV54g router but with no success. So I am looking at an alternative way around this.

LVL 34

Expert Comment

ID: 13671832
"I was hoping to open port 1433 from the public internet to the private side of our intranet and point it to the SQL server with port forwarding. This would allow our website to have forms so that they can interact with the db remotely as they are hosted on public internet in London and our intranet is in Spain."

OUCH, I would never open your SQL Server to the internet--how much do you value your data? Force people to use a VPN, or web applications that have your IIS server in the DMZ talking to your SQL Server....

Expert Comment

ID: 13671969
my solution is basically identical to arbert's comment. you never ever expose your sql server to the internet. that would be a BIG security concern. if you need to connect to it remotely VPN is your solution. As far as the webserver is concerned it should be on a DMZ if not so already. webservers are exposed to the internet and are basically shunned from the local network. only specific ports and ip addresses from the local network are allowed to communicate with the webserver. This greatly reduces the chances of the webserver being the single point of entry for an attacker. When designing a solution it's best to keep things simple but when you compromise things such as security it's not worth it.
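
The DMZ layout from the accepted solution and the comment above, as an added example that is not part of the thread: a small first-match rule evaluator that audits the flat "forward 1433 and 80" setup against the DMZ rule set. All addresses, rule tables and function names are constructed for illustration, and port 443 in the DMZ table assumes the SSL suggestion made earlier in the thread.

```python
import ipaddress

# Constructed addresses (assumptions, not taken from the thread)
IIS_DMZ, SQL_LAN, OTHER_LAN = "192.168.2.10", "192.168.1.20", "192.168.1.30"
INTERNET_HOST = "203.0.113.50"
LAN_NET, ANY = "192.168.1.0/24", "0.0.0.0/0"

# Rule = (action, source net, destination net, destination port or None for any).
# First match wins; traffic that matches no rule is denied.
FLAT_PORT_FORWARD = [
    ("allow", ANY, SQL_LAN + "/32", 1433),      # 1433 forwarded from the Internet
    ("allow", ANY, IIS_DMZ + "/32", 80),        # 80 forwarded to IIS
    ("allow", "192.168.0.0/16", LAN_NET, None), # no filtering between IIS and the LAN
]
DMZ_DESIGN = [
    ("allow", ANY, IIS_DMZ + "/32", 443),              # public traffic reaches only IIS
    ("allow", IIS_DMZ + "/32", SQL_LAN + "/32", 1433), # IIS may talk to SQL Server only
    ("deny", ANY, LAN_NET, None),                      # everything else into the LAN
]

def allowed(rules, src, dst, port):
    """Return True if the first matching rule allows src -> dst:port."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst, rport in rules:
        if (s in ipaddress.ip_network(rsrc) and d in ipaddress.ip_network(rdst)
                and rport in (None, port)):
            return action == "allow"
    return False

def audit(rules):
    """Check a rule set against the DMZ requirements; return a list of findings."""
    findings = []
    if allowed(rules, INTERNET_HOST, SQL_LAN, 1433):
        findings.append("SQL Server 1433 reachable from the Internet")
    if not allowed(rules, IIS_DMZ, SQL_LAN, 1433):
        findings.append("IIS cannot reach SQL Server on 1433")
    # A compromised web server must not reach anything else on the LAN.
    for dst, port in [(SQL_LAN, 445), (SQL_LAN, 3389), (OTHER_LAN, 1433), (OTHER_LAN, 445)]:
        if allowed(rules, IIS_DMZ, dst, port):
            findings.append(f"IIS can reach {dst}:{port}")
    return findings

if __name__ == "__main__":
    for name, rules in [("flat", FLAT_PORT_FORWARD), ("dmz", DMZ_DESIGN)]:
        print(name, audit(rules) or "no findings")
```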
LVL 11

Expert Comment

ID: 13673939
You shouldn't have to worry about access to SQL Server. The only thing that you should have to ensure is that somebody can access the web pages (on the intranet web site) and that they are authenticated. The web pages can then run under an impersonated or aliased windows account. You would also use this user to access SQL Server. That way, you don't have to grant permissions to public or individual users on SQL Server.
