Question on best practices of connecting over VPN

  • Several of our key users are starting to work from home via company laptops. With this, we are experiencing issues with them using SSMS to connect directly to our database instances. I would like to get to a position where they can use their domain credentials (as they currently do) and authenticate that way.

    My question is this, what is the best practice for such a setup? Assuming proper security controls are in place, can users use a VPN connection and SSMS locally on their work laptop to connect? Or should they be required to remote desktop into a machine/server on the network and use SSMS from there?

    Any advice is appreciated.

The key is a local SQL Server on the laptop, and your user registers all your SQL Servers on the network; the Browser service must be running, if I remember correctly, on both, or you could try one, but it is a default requirement. If you are worried, you could create an account for this task and audit it, but banks and many 24/7 places and developers use VPN.

    Kind regards,
    Gift Peddie

  • Gift, I do not think I clearly expressed my intentions. But here goes another attempt.

Basically, I do want to get in the position where our home users can run SSMS on their laptop and connect to the database over the VPN. But before making that statement, I want to first understand what the "best practice" is for connecting over the VPN to our database. Once I establish that, I will ask follow-up questions for implementations / security controls.

  • If it's a user-owned laptop, not a company asset, this isn't going to be possible.

    If it's a company owned asset, you can have the laptop be part of the domain. Depending on the type of VPN, when that VPN connection is made, the laptop will see the DC. And that means if they're using their domain user credentials to connect, the laptop will authenticate on the domain and the user will validate. Then the user should be able to connect via Windows authentication normally. The catch is to allow traffic to the DCs (and to use internal DNS on the VPN configuration so the laptop can locate the DCs).

    My work laptop used to be set up this way when I used VPN. And since the paths to the DCs and DNS were mapped properly, I was able to authenticate properly against servers.

    K. Brian Kelley
    @kbriankelley
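    The prerequisites Brian lists (the laptop can resolve and reach the DCs through the tunnel, and Windows authentication then carries through to SQL Server) can be checked from the laptop itself. The script below is an added example written for this thread, not code from any of the posters; the domain name and instance name are placeholders you replace with your own, and it assumes a domain-joined Windows laptop with the VPN already connected.

```powershell
# Added example (not from the thread): verify the prerequisites Brian lists
# from a domain-joined laptop connected to the VPN. Domain and instance names
# are placeholders; substitute your own.
param(
    [string]$Domain      = 'corp.example.com',        # assumption: your AD domain
    [string]$SqlInstance = 'sql01.corp.example.com'   # assumption: target instance
)

# 1. Internal DNS on the VPN adapter: the laptop must resolve the DC locator SRV records.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) { throw "Cannot resolve DC SRV records for $Domain; check the VPN DNS settings." }
$dc = ($srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1).NameTarget
Write-Host "Domain controller located via DNS: $dc"

# 2. Traffic to the DC: Kerberos (88) and LDAP (389) must be reachable through the tunnel.
foreach ($port in 88, 389) {
    $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("DC {0} port {1}: {2}" -f $dc, $port, $(if ($ok) { 'open' } else { 'BLOCKED' }))
    if (-not $ok) { throw "Port $port to $dc is blocked; Windows authentication will fail." }
}

# 3. Secure channel: confirm the machine account can still talk to its domain.
if (-not (Test-ComputerSecureChannel)) { throw "Secure channel to $Domain is broken." }

# 4. Windows authentication to SQL Server, and which scheme was negotiated.
#    Kerberos is expected when the instance SPN is registered; NTLM is the fallback.
$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlInstance;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=False")
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT SUSER_SNAME() AS login_name, auth_scheme
                        FROM sys.dm_exec_connections WHERE session_id = @@SPID"
    $rdr = $cmd.ExecuteReader()
    if ($rdr.Read()) {
        Write-Host ("Connected to {0} as {1} using {2}" -f $SqlInstance, $rdr['login_name'], $rdr['auth_scheme'])
    }
}
finally { $conn.Dispose() }
```

    If step 1 fails, the VPN profile is not pushing internal DNS; if step 2 fails, the firewall or split-tunnel rules are not passing DC traffic; if step 4 connects but reports NTLM, authentication still works but the instance's SPN is missing or the client cannot reach a KDC, which is worth fixing before relying on Kerberos-only controls.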

  • Tony,

There are at least one million developers in the US using company-issued boxes as Brian explained, and many banks' data teams work from home because their system is 24/7. There are many existing setups; take your pick. Some developers work from home either connected, or connect to upload files.

    Kind regards,
    Gift Peddie

  • Brian,

    Thanks for the response. I actually have a couple of scenarios to address:

    - company employees using company owned laptops that connect via a normal VPN

    - offshore development teams that connect via a site to site VPN

For my purposes I think I will focus on the first item now, as the second item involves employees from another organization connecting from a non-trusted domain. This is an entirely different scenario.

Now, with our employees, we have two domains, trusted with one another. They may connect to either domain based on which servers they need to access (they have other needs besides the database servers). It sounds like we should be able to set up these users to use domain authentication regardless of (a) which domain the database server resides on and (b) which domain they connect to. Sounds like the work is on our network guys, sound about right?

  • tafountain (9/21/2009)

    Brian,

    Thanks for the response. I actually have a couple of scenarios to address:

    - company employees using company owned laptops that connect via a normal VPN

    - offshore development teams that connect via a site to site VPN

For my purposes I think I will focus on the first item now, as the second item involves employees from another organization connecting from a non-trusted domain. This is an entirely different scenario.

Now, with our employees, we have two domains, trusted with one another. They may connect to either domain based on which servers they need to access (they have other needs besides the database servers). It sounds like we should be able to set up these users to use domain authentication regardless of (a) which domain the database server resides on and (b) which domain they connect to. Sounds like the work is on our network guys, sound about right?

If there is a two-way trust, you are correct, it should be fine to use Windows authentication to servers in either domain. And therefore the bulk of the work is on the network guys, as well as the AD guys, who will need to add a physical site in AD which comprises the IP address range the VPN is using.

    In the second scenario, probably better would be to use a portal such as Citrix or Terminal Services and provide desktops to them. Citrix is normally used to publish specific apps, but in this case, since we're talking development teams, publishing the desktop may be necessary.

    K. Brian Kelley
    @kbriankelley
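    The AD-side step Brian describes, defining a site that comprises the VPN address range so that VPN clients are steered to an appropriate DC, looks like this with the ActiveDirectory module. This is an added example for this thread, not code from any of the posters; the site name, the VPN subnet, the DC name and the domain name are assumptions to replace with your own values, and it assumes RSAT and rights to edit Sites and Services.

```powershell
# Added example (not from the thread): map the VPN address pool to an AD site so
# domain-joined laptops on the VPN pick a DC chosen for that site rather than a
# random one. Requires the ActiveDirectory RSAT module and rights to modify
# Sites and Services. Site name, subnet and DC name are assumptions.
Import-Module ActiveDirectory

$SiteName  = 'VPN-Clients'        # assumption: name for the new site
$VpnSubnet = '10.200.0.0/16'      # assumption: the pool your VPN concentrator hands out
$ServingDC = 'DC01'               # assumption: a DC you want VPN clients to prefer

# A site only takes effect once it has a subnet and a site link to the rest of the forest.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName -Description 'Remote users on the corporate VPN'
    # Attach the new site to the default site link so the replication topology includes it.
    Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{Add = $SiteName}
}

# The subnet is what ties a client's VPN-assigned IP address to the site.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$VpnSubnet'")) {
    New-ADReplicationSubnet -Name $VpnSubnet -Site $SiteName -Location 'VPN address pool'
}

# Optionally move the DC that should answer VPN clients into the new site.
# Move-ADDirectoryServer -Identity $ServingDC -Site $SiteName

# Verification, run on a laptop after the VPN is up (domain name is an assumption):
# the site the client computes from its IP should now be the VPN site, and the DC
# it selects should be one serving that site.
#   nltest /dsgetsite
#   nltest /dsgetdc:corp.example.com /force
```

    Without a subnet covering the VPN pool, clients fall into no site and the DC locator may hand them a controller across a slow link, which shows up as slow logons and SSMS connection timeouts rather than outright authentication failures.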
