
Securing direct SQL server connections from the internet

We have an Office plugin which requires a direct connection to a SQL Server.

We want this plugin to work from outside of the SQL Server's LAN.

We cannot use Microsoft Direct Access or other VPN technology.

Suggestions please on how we could allow a laptop running this plug-in to talk to the internal SQL Server from the internet.

We want the connection to be seamless, operate from any internet connection and preferably use domain issued certificates for authentication (i.e. so that only domain members can access the resource remotely, all other connections are rejected).

Options I've considered:

1) Punch a hole in the firewall on the specific ports and use certificate based IPSec policies to restrict inbound connections to those with domain issued certificates.
2) Utilise some sort of reverse-proxy that authenticates using domain issued certificates.

Comments on either of those suggestions welcome, or new suggestions.
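Option 1 above (open the SQL port but require certificate-based IPsec from domain-issued machine certificates) can be expressed with the built-in NetSecurity cmdlets on the SQL Server host. The following is an added, illustrative PowerShell script and not part of the original question; the CA name, the port and the rule display names are assumptions, and the script only defines policy on the server side (domain clients need a matching IPsec rule, normally pushed by Group Policy, before they can connect).

```powershell
# Added example (not from the original post): require IPsec with a machine
# certificate from the internal enterprise CA before TCP 1433 is reachable.
# Assumptions: the CA subject and the SQL port below are placeholders.
$caSubject = 'CN=Contoso Enterprise Root CA'   # assumed internal CA name
$sqlPort   = 1433                               # default instance port

# Phase 1 (main mode) authentication: machine certificate chained to our CA.
# Only a certificate issued by this authority satisfies the proposal, so
# non-domain machines cannot complete the IPsec negotiation.
$proposal = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority $caSubject -AuthorityType Root

$authSet = New-NetIPsecPhase1AuthSet `
    -DisplayName 'SQL remote clients - domain machine cert' `
    -Proposal $proposal

# Connection security rule: inbound traffic to the SQL port MUST be protected
# by IPsec (transport mode); outbound replies request protection.
New-NetIPsecRule -DisplayName 'SQL 1433 - require IPsec' `
    -Mode Transport `
    -Protocol TCP -LocalPort $sqlPort -RemoteAddress Any `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.InstanceID

# Firewall rule: allow the port, but only for connections that already passed
# IPsec authentication. Unauthenticated packets are dropped by the firewall.
New-NetFirewallRule -DisplayName 'SQL 1433 - authenticated IPsec only' `
    -Direction Inbound -Protocol TCP -LocalPort $sqlPort `
    -Authentication Required -Encryption Required -Action Allow

# Verification: list the rules we just created so the settings can be reviewed.
Get-NetIPsecRule -DisplayName 'SQL 1433 - require IPsec' |
    Select-Object DisplayName, Mode, InboundSecurity, OutboundSecurity
Get-NetFirewallRule -DisplayName 'SQL 1433 - authenticated IPsec only' |
    Select-Object DisplayName, Enabled, Action
```

Run it in an elevated PowerShell session on the SQL Server host. The important design point is the pairing of the two rules: the IPsec rule decides who can negotiate a security association (domain machines with a certificate from the named CA), and the firewall rule with `-Authentication Required` refuses anything that did not negotiate one, so a plain TCP connection from the internet never reaches the SQL listener.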

2 Solutions
Bill Bach (President) commented:
I've only ever done this one of two ways -- either a specific firewall hole for a single network address (useful for fixed web servers pulling data), or through a VPN, which ensures safe connectivity.  Obviously, you cannot use a single-address hole in the firewall, but can you expound on why a VPN is not feasible for your situation?  A split-tunnel VPN connection (even an SSL-VPN) would be secure enough and would work from anywhere.
bbao (IT Consultant) commented:
I think you already have a good understanding of what and how to protect against an Internet-facing SQL server, and have already covered the two most important things to do: firewall + certificate.

just my two cents regarding your scenario:

1. if you have multiple SQL instances to be accessed over the Internet, be aware you need to forward more TCP ports in addition to the default TCP 1433.

2. for a better control in addition to port forwarding a SQL port, on the firewall you may also try restricting the source (client) IPs from selected locations if possible (e.g. only a limited number of clients to access the SQL server).

3. the required certificate must be issued for at least Server Authentication and its name must be a fully qualified domain name (FQDN) for the computer.

4. if only a limited number of trusted clients to access the SQL server over the Internet, you may self-sign the certificate using your internal CA, and ask the clients to trust the certificate.

I am not sure if you have read the following official articles on configuring an Internet-facing SQL server, just for your information.

Connecting to SQL Server over the Internet

How to: Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager)

Encrypting Connections to SQL Server

hope it helps,
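Points 3 and 4 above (a Server Authentication certificate whose name is the server's FQDN, trusted by the clients) can be checked from a client before anyone relies on the connection. The script below is an added example, not code from the original answer or from Microsoft's articles; the server name is a placeholder, and it assumes a domain-joined client with Windows (integrated) authentication against the default instance.

```powershell
# Added example (not from the original answer): verify that the SQL Server
# certificate is suitable and that the session is actually encrypted.
# Assumption: the FQDN below is a placeholder for your SQL Server.
$serverFqdn = 'sql01.corp.example.com'
$ekuServerAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth OID

function Test-SqlServerCertificate {
    param([string]$Fqdn)
    # Look in the client's trusted-root and intermediate stores is not enough;
    # we inspect the certificate the server presents by connecting with TLS.
    $client = New-Object System.Net.Sockets.TcpClient($Fqdn, 1433)
    try {
        # Accept any certificate here only so we can inspect it; the real
        # SqlConnection below still validates the chain (TrustServerCertificate=False).
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false, { param($s, $cert, $chain, $err) $true })
        # SQL Server starts TLS only after the pre-login handshake, so a raw TLS
        # probe on 1433 will not succeed; fall back to the local machine store
        # when run on the server itself.
        return $null
    } finally { $client.Close() }
}

function Test-LocalSqlCertificate {
    param([string]$Fqdn)
    # Run on the SQL Server host: find a machine certificate whose DNS name is
    # the FQDN and which carries the Server Authentication EKU (point 3).
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $dns = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if ($dns -ne $Fqdn) { continue }
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasServerAuth = $false
        foreach ($ext in $ekuExt) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $ekuServerAuth) { $hasServerAuth = $true }
            }
        }
        if ($hasServerAuth -and $cert.NotAfter -gt (Get-Date)) {
            return [pscustomobject]@{ Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
        }
    }
    return $null
}

function Test-SqlEncryptedConnection {
    param([string]$Fqdn)
    # Encrypt=True forces TLS; TrustServerCertificate=False makes the client
    # validate the chain, so an untrusted or wrongly named certificate fails here.
    $cs = "Server=$Fqdn,1433;Database=master;Integrated Security=True;" +
          "Encrypt=True;TrustServerCertificate=False"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # Ask the server what it negotiated for this session.
        $cmd.CommandText = 'SELECT encrypt_option, auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $r = $cmd.ExecuteReader()
        if ($r.Read()) {
            return [pscustomobject]@{ Encrypted = $r['encrypt_option']; AuthScheme = $r['auth_scheme'] }
        }
    } finally { $conn.Dispose() }
}

Test-LocalSqlCertificate -Fqdn $serverFqdn        # on the server: expect a thumbprint
Test-SqlEncryptedConnection -Fqdn $serverFqdn    # on a client: expect encrypt_option = TRUE
```

`Test-LocalSqlCertificate` covers point 3 (FQDN subject/SAN and the Server Authentication EKU) and is meant to run on the server; `Test-SqlEncryptedConnection` covers point 4 from the client side, because with `TrustServerCertificate=False` the connection only opens if the client trusts the issuing CA, and `encrypt_option = TRUE` confirms the session is actually protected rather than merely requested.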
Codestone (Author) commented:
Thanks both.

Bbao - I'll check out those articles.