
Securing direct SQL server connections from the internet

We have an Office plugin which requires a direct connection to a SQL Server.

We want this plugin to work from outside of the SQL Server's LAN.

We cannot use Microsoft Direct Access or other VPN technology.

Suggestions please on how we could allow a laptop running this plug-in to talk to the internal SQL Server from the internet.

We want the connection to be seamless, operate from any internet connection and preferably use domain issued certificates for authentication (i.e. so that only domain members can access the resource remotely, all other connections are rejected).

Options I've considered:

1) Punch a hole in the firewall on the specific ports and use certificate based IPSec policies to restrict inbound connections to those with domain issued certificates.
2) Utilise some sort of reverse-proxy that authenticates using domain issued certificates.

Comments on either of those suggestions welcome, or new suggestions.


Bill Bach, President and Btrieve Guru
I've only ever done this one of two ways -- either a specific firewall hole for a single network address (useful for fixed web servers pulling data), or through a VPN, which ensures safe connectivity.  Obviously, you cannot use a single-address hole in the firewall, but can you expound on why a VPN is not feasible for your situation?  A split-tunnel VPN connection (even an SSL-VPN) would be secure enough and would work from anywhere.
IT Consultant
I think you already have a good understanding of what and how to protect against an Internet-facing SQL server, and have already covered the two most important things to do: firewall + certificate.

just my two cents regarding your scenario:

1. If you have multiple SQL instances to be accessed over the Internet, be aware that you need to forward more TCP ports in addition to the default TCP 1433.

2. For better control, in addition to port forwarding a SQL port, on the firewall you may also try restricting the source (client) IPs to selected locations if possible (e.g. only a limited number of clients access the SQL server).

3. The required certificate must be issued for at least Server Authentication, and its name must be the fully qualified domain name (FQDN) of the computer.

4. If only a limited number of trusted clients need to access the SQL server over the Internet, you may self-sign the certificate using your internal CA and ask the clients to trust the certificate.

I am not sure if you have read the following official articles on configuring an Internet-facing SQL server; just for your information:

Connecting to SQL Server over the Internet

How to: Enable Encrypted Connections to the Database Engine
(SQL Server Configuration Manager)

Encrypting Connections to SQL Server

Hope it helps,
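
As an added example (not code from the thread or from either poster), the PowerShell below implements the question's option 1 together with points 1 to 4 of the answer above on a Windows Server host: it picks the domain-issued Server Authentication certificate whose name matches the host FQDN, requires certificate-authenticated IPsec on the SQL ports, scopes the firewall rule to the allowed client ranges, and then checks from a client that the TDS session is actually encrypted. All names are assumptions: FQDN sql01.corp.example.com, CA subject CN=Corp Root CA, client range 203.0.113.0/24, and ports 1433 plus 14330 (a named instance pinned to a static port).

```powershell
# Added example, not from the original thread. Assumed names below; adjust to your domain.
# Server part: run elevated on the SQL Server host (NetSecurity module, Windows 8/2012 or later).
$SqlFqdn      = 'sql01.corp.example.com'   # assumed FQDN; must match the certificate name
$CaSubject    = 'CN=Corp Root CA'          # assumed root CA that issues the domain certificates
$SqlPorts     = @('1433', '14330')         # default instance + a named instance on a static port (point 1)
$ClientRanges = @('203.0.113.0/24')        # assumed allowed source addresses (point 2)

# Point 3: certificate must carry the Server Authentication EKU and be named for the host FQDN.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and   # id-kp-serverAuth
        ($_.DnsNameList.Unicode -contains $SqlFqdn -or $_.Subject -like "CN=$SqlFqdn*")
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable Server Authentication certificate for $SqlFqdn in LocalMachine\My" }
Write-Host "Using certificate $($cert.Thumbprint) issued by $($cert.Issuer)"

# Option 1 from the question: IPsec that only accepts peers holding a certificate from our CA.
# Use -AuthorityType Intermediate instead if $CaSubject names an issuing sub-CA rather than the root.
$proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $CaSubject -AuthorityType Root
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'SQL remote - domain certificate' -Proposal $proposal
New-NetIPsecRule -DisplayName 'SQL remote - require IPsec' -Mode Transport `
    -Protocol TCP -LocalPort $SqlPorts -RemoteAddress Any `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.InstanceID -Profile Any

# Firewall hole limited to the SQL ports, the allowed client ranges, and IPsec-authenticated peers.
# -Authentication Required means unauthenticated packets never match this allow rule.
New-NetFirewallRule -DisplayName 'SQL remote - authenticated clients only' `
    -Direction Inbound -Protocol TCP -LocalPort $SqlPorts `
    -RemoteAddress $ClientRanges -Authentication Required -Action Allow -Profile Any

# Client part: prove the TDS session is encrypted and the server certificate chains to the internal CA
# (point 4: the client trusts the CA, so TrustServerCertificate stays False instead of bypassing validation).
function Test-SqlEncryptedConnection {
    param(
        [Parameter(Mandatory)] [string] $Server,   # FQDN, must match the certificate name
        [int] $Port = 1433
    )
    $cs = "Server=tcp:$Server,$Port;Database=master;Integrated Security=True;" +
          "Encrypt=True;TrustServerCertificate=False;Connect Timeout=15"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # encrypt_option reports whether this session's TDS stream is TLS-protected;
        # auth_scheme shows whether Windows auth negotiated KERBEROS or fell back to NTLM.
        $cmd.CommandText = 'SELECT encrypt_option, auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $r = $cmd.ExecuteReader()
        if ($r.Read()) {
            [pscustomobject]@{ Server = $Server; Port = $Port; Encrypted = $r['encrypt_option']; Auth = $r['auth_scheme'] }
        }
    } finally {
        $conn.Dispose()
    }
}

# Example call from an allowed client, e.g. the laptop running the Office plug-in:
# Test-SqlEncryptedConnection -Server 'sql01.corp.example.com' -Port 1433
```

Run the server part once per host; a client that has no certificate from the named CA never completes IPsec, so its TCP SYN is dropped before SQL Server sees it, which is the "all other connections are rejected" behaviour the question asks for. On the client, an Encrypted value of TRUE plus a successful open with TrustServerCertificate=False confirms both that the channel is encrypted and that the certificate name and chain check out against the internal CA.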


Thanks both.

Bbao - I'll check out those articles.