Question on best practices of connecting over VPN
Posted Monday, September 21, 2009 12:33 PM
SSC-Enthusiastic
Group: General Forum Members
Several of our key users are starting to work from home via company laptops. With this, we are experiencing issues with them using SSMS to connect directly to our database instances. I would like to get to a position where they can use their domain credentials (as they currently do) and authenticate that way.

My question is this, what is the best practice for such a setup? Assuming proper security controls are in place, can users use a VPN connection and SSMS locally on their work laptop to connect? Or should they be required to remote desktop into a machine/server on the network and use SSMS from there?

Any advice is appreciated.
Post #791360
Posted Monday, September 21, 2009 12:43 PM
Hall of Fame
Group: General Forum Members
The key is a local SQL Server on the laptop, and your user registers all your SQL Servers on the network. The Browser service must be running, if I remember correctly, on both, or you could try one, but it is a default requirement. If you are worried, you could create an account for this task and audit it, but banks and many 24/7 places and developers use VPN.



Kind regards,
Gift Peddie
Post #791374
Posted Monday, September 21, 2009 12:51 PM
SSC-Enthusiastic
Group: General Forum Members
Gift, I do not think I clearly expressed my intentions. But here goes another attempt.

Basically, I do want to get in the position where our home users can run SSMS on their laptop and connect to the database over the VPN. But before making that statement, I want to first understand what the "best practice" is for connecting over the VPN to our database. Once I establish that I will ask follow up questions for implementations / security controls.
Post #791377
Posted Monday, September 21, 2009 12:58 PM


Keeper of the Duck
Group: Moderators
If it's a user-owned laptop, not a company asset, this isn't going to be possible.

If it's a company owned asset, you can have the laptop be part of the domain. Depending on the type of VPN, when that VPN connection is made, the laptop will see the DC. And that means if they're using their domain user credentials to connect, the laptop will authenticate on the domain and the user will validate. Then the user should be able to connect via Windows authentication normally. The catch is to allow traffic to the DCs (and to use internal DNS on the VPN configuration so the laptop can locate the DCs).

My work laptop used to be set up this way when I used VPN. And since the paths to the DCs and DNS were mapped properly, I was able to authenticate properly against servers.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #791382
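The post above describes what has to be true for Windows authentication to work over the VPN: the laptop must reach a DC through the tunnel, internal DNS must let it locate that DC, and only then will SSMS get a Kerberos or NTLM session to SQL Server. The script below is an added example, not code from this thread or from SQLServerCentral, that checks each of those links from a domain-joined laptop while on the VPN. The domain name, SQL host and port are assumptions; replace them with your own.

```powershell
# Added example (not from the thread): verify, from a VPN-connected, domain-joined
# laptop, that the path to the DCs exists and that Windows auth to SQL Server works.
# The domain, server and port below are assumed values.
param(
    [string]$Domain    = 'corp.example.com',        # assumed AD DNS domain
    [string]$SqlServer = 'sql01.corp.example.com',  # assumed SQL host (default instance)
    [int]   $SqlPort   = 1433
)

$ok = $true

# 1. Can the laptop locate a DC through the VPN's internal DNS?  Domain members find
#    DCs via the _ldap._tcp.dc._msdcs SRV record; without it the laptop logs on with
#    cached credentials and the SQL login is refused as an untrusted domain.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No DC SRV record for $Domain - the VPN is not using internal DNS or DNS is blocked"
    $ok = $false
} else {
    $dcs = $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique
    Write-Host "DCs advertised for ${Domain}: $($dcs -join ', ')"

    # 2. Are the ports Kerberos (88) and LDAP (389) need open to the DCs through the tunnel?
    foreach ($dc in $dcs) {
        foreach ($port in 88, 389) {
            $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            $state = if ($t.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
            Write-Host ("  {0}:{1} {2}" -f $dc, $port, $state)
            if (-not $t.TcpTestSucceeded) { $ok = $false }
        }
    }
}

# 3. Which DC did the locator actually choose (or did it fail)?
nltest /dsgetdc:$Domain | Out-Host

# 4. Is the SQL port reachable, and does Integrated Security really produce a
#    Kerberos/NTLM session?  sys.dm_exec_connections.auth_scheme shows what the
#    server saw, which is the same thing SSMS would get.
$t = Test-NetConnection -ComputerName $SqlServer -Port $SqlPort -WarningAction SilentlyContinue
if (-not $t.TcpTestSucceeded) {
    Write-Warning "${SqlServer}:$SqlPort is blocked on the VPN"
    $ok = $false
} else {
    $cs = "Server=$SqlServer,$SqlPort;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=False"
    $cn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $cn.Open()
        $cmd = $cn.CreateCommand()
        $cmd.CommandText = 'SELECT SUSER_SNAME() AS login_name, auth_scheme ' +
                           'FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $r = $cmd.ExecuteReader()
        if ($r.Read()) {
            Write-Host ("Connected as {0} using {1}" -f $r['login_name'], $r['auth_scheme'])
        }
        $r.Close()
    } catch {
        Write-Warning "SQL connection failed: $($_.Exception.Message)"
        $ok = $false
    } finally {
        $cn.Dispose()
    }
}

if ($ok) { 'VPN path to the DCs and SQL Server looks correct' } else { 'One or more checks failed' }
```

Run it from the laptop after the tunnel is up. If step 1 fails, the fix is on the VPN side (push the internal DNS servers and the DC addresses through the tunnel), not in SQL Server. `auth_scheme` of `KERBEROS` means the SPN and DC path are right; `NTLM` still works but tells you Kerberos could not be negotiated. The connection string asks for encryption and refuses an untrusted certificate on purpose: a failure there on a self-signed certificate is a separate finding worth fixing rather than a reason to set `TrustServerCertificate=True`.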
Posted Monday, September 21, 2009 1:10 PM
Hall of Fame
Group: General Forum Members
Tony,

There are at least one million developers in the US using company-issued boxes as Brian explained, and many banks' data teams work from home because their system is 24/7. There are many existing setups; take your pick. Some developers work from home either connected or connecting to upload files.



Kind regards,
Gift Peddie
Post #791387
Posted Monday, September 21, 2009 10:27 PM
SSC-Enthusiastic
Group: General Forum Members
Brian,

Thanks for the response. I actually have a couple of scenarios to address:
- company employees using company owned laptops that connect via a normal VPN
- offshore development teams that connect via a site to site VPN

For my purposes I think I will focus on the first item now, as the second item involves employees from another organization connecting from a non-trusted domain. This is an entirely different scenario.

Now, with our employees, we have two domains, trusted with one another. They may connect to either domain based on which servers they need to access (they have other needs besides the database servers). It sounds like we should be able to set up these users to use domain authentication regardless of (a) which domain the database server resides on and (b) which domain they connect to. Sounds like the work is on our network guys, sound about right?
Post #791501
Posted Tuesday, September 22, 2009 8:26 AM


Keeper of the Duck
Group: Moderators
tafountain (9/21/2009)
Brian,

Thanks for the response. I actually have a couple of scenarios to address:
- company employees using company owned laptops that connect via a normal VPN
- offshore development teams that connect via a site to site VPN

For my purposes I think I will focus on the first item now, as the second item involves employees from another organization connecting from a non-trusted domain. This is an entirely different scenario.

Now, with our employees, we have two domains, trusted with one another. They may connect to either domain based on which servers they need to access (they have other needs besides the database servers). It sounds like we should be able to set up these users to use domain authentication regardless of (a) which domain the database server resides on and (b) which domain they connect to. Sounds like the work is on our network guys, sound about right?


If there is a two-way trust, you are correct, it should be fine to use Windows authentication to servers in either domain. And therefore the bulk of the work is on the network guys, as well as the AD guys, who will need to add a physical site in AD which comprises the IP address range the VPN is using.

In the second scenario, probably better would be to use a portal such as Citrix or Terminal Services and provide desktops to them. Citrix is normally used to publish specific apps, but in this case, since we're talking development teams, publishing the desktop may be necessary.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #791817
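The reply above puts the AD side of the work on defining a site whose subnet is the VPN address pool, so that the DC locator sends VPN clients to the right DCs instead of any DC in the forest. The script below is an added example, not code from this thread or from SQLServerCentral, showing that change with the ActiveDirectory PowerShell module and the client-side check that confirms it took effect. The site name, VPN subnet, site link and domain are assumptions; it needs RSAT and rights to edit sites and subnets.

```powershell
# Added example (not from the thread): give the VPN address pool its own AD site so
# DC locator directs VPN clients to the DCs reachable through the tunnel, then confirm
# from a connected client.  Names and ranges below are assumed values.
Import-Module ActiveDirectory

$SiteName  = 'VPN-Clients'        # assumed site name
$VpnSubnet = '10.200.0.0/16'      # assumed VPN address pool handed out by the concentrator
$SiteLink  = 'DEFAULTIPSITELINK'  # assumed site link joining the VPN site to the rest
$Domain    = 'corp.example.com'   # assumed domain (the check works against a trusted domain too)

# 1. Create the site once (idempotent: skip if it already exists).
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName
}

# 2. Map the VPN pool to the site.  Clients whose address falls in no subnet are
#    "siteless" and may be handed any DC in the forest, including ones the VPN blocks.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$VpnSubnet'")) {
    New-ADReplicationSubnet -Name $VpnSubnet -Site $SiteName
}

# 3. Attach the site to a site link.  The VPN site holds no DCs; DCs in the site
#    reached over the cheapest link cover it automatically, so the link is what
#    decides which DCs the VPN clients are told to use.
Set-ADReplicationSiteLink -Identity $SiteLink -SitesIncluded @{ Add = $SiteName }

# 4. Show the result.
Get-ADReplicationSubnet -Filter "Name -eq '$VpnSubnet'" | Select-Object Name, Site
Get-ADReplicationSite -Filter "Name -eq '$SiteName'" | Select-Object Name, DistinguishedName

# 5. From a laptop on the VPN, confirm the client believes it is in the new site and
#    see which DC the locator picked (/force bypasses the cached answer).
nltest /dsgetsite
nltest /dsgetdc:$Domain /force
```

Sites and subnets are forest-wide, so with two trusted domains in one forest the subnet needs adding only once; if the domains are in separate forests, repeat the site and subnet in each. After the change, `nltest /dsgetsite` on a VPN client should print the new site name, and the DC it reports should be one the VPN firewall rules permit on TCP 88 and 389.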