Securing direct SQL server connections from the internet

We have an Office plugin which requires a direct connection to a SQL Server.

We want this plugin to work from outside of the SQL Server's LAN.

We cannot use Microsoft Direct Access or other VPN technology.

Suggestions please on how we could allow a laptop running this plug-in to talk to the internal SQL Server from the internet.

We want the connection to be seamless, operate from any internet connection and preferably use domain issued certificates for authentication (i.e. so that only domain members can access the resource remotely, all other connections are rejected).

Options I've considered:

1) Punch a hole in the firewall on the specific ports and use certificate based IPSec policies to restrict inbound connections to those with domain issued certificates.
2) Utilise some sort of reverse-proxy that authenticates using domain issued certificates.

Comments on either of those suggestions welcome, or new suggestions.


Bill Bach (President and Btrieve Guru) commented:
I've only ever done this one of two ways -- either a specific firewall hole for a single network address (useful for fixed web servers pulling data), or through a VPN, which ensures safe connectivity.  Obviously, you cannot use a single-address hole in the firewall, but can you expound on why a VPN is not feasible for your situation?  A split-tunnel VPN connection (even an SSL-VPN) would be secure enough and would work from anywhere.
bbao (IT Consultant) commented:
I think you already have a good understanding of what and how to protect against an Internet-facing SQL server, and have already covered the two most important things to do: firewall + certificate.

just my two cents regarding your scenario:

1. If you have multiple SQL instances to be accessed over the Internet, be aware you need to forward more TCP ports in addition to the default TCP 1433.

2. For better control, in addition to port forwarding a SQL port, on the firewall you may also try restricting the source (client) IPs to selected locations if possible (e.g. only a limited number of clients to access the SQL server).

3. The required certificate must be issued for at least Server Authentication, and its name must be a fully qualified domain name (FQDN) for the computer.

4. If only a limited number of trusted clients need to access the SQL server over the Internet, you may self-sign the certificate using your internal CA and ask the clients to trust the certificate.

I am not sure if you have read the following official articles on configuring an Internet-facing SQL server, just for your information.

Connecting to SQL Server over the Internet

How to: Enable Encrypted Connections to the Database Engine
(SQL Server Configuration Manager)

Encrypting Connections to SQL Server

Hope it helps,
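The steps above (source-restricted firewall rule, certificate-authenticated IPsec as in option 1 of the question, a Server Authentication certificate for the FQDN, and clients trusting the internal CA root instead of blindly trusting the server certificate), as one PowerShell script run on the SQL Server host. This is an added example and not code from any participant in this thread; the client ranges, CA subject, FQDN and instance registry path are constructed placeholders, and it assumes Windows Firewall with Advanced Security is in use on the server.

```powershell
# Added example, not from the thread. Assumptions (all placeholders, substitute your own):
#   - SQL Server listens on the default TCP 1433 on a Windows host with Windows Firewall.
#   - $AllowedClients, $CaSubject, $SqlServerFqdn and <INSTANCE> are placeholders.
#   - Run in an elevated PowerShell session on the SQL Server host.

$SqlPort        = 1433
$AllowedClients = @('203.0.113.0/24', '198.51.100.25')   # constructed sample ranges (RFC 5737 documentation space)
$CaSubject      = 'CN=Example Internal Root CA'          # placeholder: subject of your domain CA's root certificate
$SqlServerFqdn  = 'sql01.corp.example.com'               # placeholder: the SQL Server's FQDN

# --- Step 2: allow the SQL port inbound only from selected source addresses ---
New-NetFirewallRule -DisplayName "SQL Server $SqlPort (restricted sources)" `
    -Direction Inbound -Protocol TCP -LocalPort $SqlPort `
    -RemoteAddress $AllowedClients -Action Allow

# --- Option 1 from the question: require IPsec authenticated with a domain-issued machine certificate ---
# Only peers holding a machine certificate chained to $CaSubject can complete a connection to the port;
# everything else is dropped before it ever reaches the SQL Server listener.
$certAuth = New-NetIPsecAuthProposal -Machine -Cert -Authority $CaSubject -AuthorityType Root
New-NetIPsecPhase1AuthSet -Name 'SqlCertAuthPhase1' -DisplayName 'Domain machine certificate' -Proposal $certAuth | Out-Null
New-NetIPsecRule -DisplayName "Require IPsec for SQL $SqlPort" `
    -Protocol TCP -LocalPort $SqlPort `
    -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet 'SqlCertAuthPhase1'

# --- Step 3: pick a certificate that is valid for Server Authentication and names the server's FQDN ---
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $serverAuthOid) -and
        ($_.DnsNameList.Unicode -contains $SqlServerFqdn)
    } | Select-Object -First 1
if (-not $cert) {
    throw "No usable Server Authentication certificate for $SqlServerFqdn in Cert:\LocalMachine\My"
}
"Using certificate $($cert.Thumbprint) issued by $($cert.Issuer)"

# --- From the linked "Enable Encrypted Connections" article: bind the certificate and force encryption ---
# Placeholder path: replace <INSTANCE> with your instance id (shown in SQL Server Configuration Manager).
$netLib = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\<INSTANCE>\MSSQLServer\SuperSocketNetLib'
Set-ItemProperty -Path $netLib -Name Certificate     -Value $cert.Thumbprint.ToLower()
Set-ItemProperty -Path $netLib -Name ForceEncryption -Value 1
# The SQL Server service account needs read access to the certificate's private key;
# restart the SQL Server service for the binding to take effect.

# --- Step 4, on each client: trust the internal CA root rather than the server certificate itself ---
# Import-Certificate -FilePath .\internal-root-ca.cer -CertStoreLocation Cert:\LocalMachine\Root
# Then a test connection that insists on encryption AND on full certificate validation:
$connStr = "Server=$SqlServerFqdn,$SqlPort;Integrated Security=True;Encrypt=True;TrustServerCertificate=False"
$conn = New-Object System.Data.SqlClient.SqlConnection($connStr)
$conn.Open()
"Connected; encrypted session established to $SqlServerFqdn"
$conn.Close()
```

Keeping `TrustServerCertificate=False` on the clients is the part that makes step 4 meaningful: with it set to `True` the client accepts any certificate, so installing the internal root would add nothing. The IPsec rule is what implements the "domain members only" requirement from the question; the firewall source restriction and encrypted SQL connection are defence in depth behind it.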

Codestone (Author) commented:
Thanks both.

Bbao - I'll check out those articles.