Question on best practices of connecting over VPN

Tony Fountain
SSC-Addicted (451 reputation)

Group: General Forum Members
Points: 451 Visits: 202
Several of our key users are starting to work from home via company laptops. With this, we are experiencing issues with them using SSMS to connect directly to our database instances. I would like to get to a position where they can use their domain credentials (as they currently do) and authenticate that way.

My question is this, what is the best practice for such a setup? Assuming proper security controls are in place, can users use a VPN connection and SSMS locally on their work laptop to connect? Or should they be required to remote desktop into a machine/server on the network and use SSMS from there?

Any advice is appreciated.
Gift Peddie
SSCoach (17K reputation)

Group: General Forum Members
Points: 17438 Visits: 14456
The key is a local SQL Server on the laptop, and your user registers all your SQL Servers on the network; the browser service must be running, if I remember correctly, on both, or you could try one, but it is a default requirement. If you are worried you could create an account for this task and audit it, but banks and many 24/7 places and developers use VPN.

Kind regards,
Gift Peddie
Tony Fountain
SSC-Addicted (451 reputation)

Group: General Forum Members
Points: 451 Visits: 202
Gift, I do not think I clearly expressed my intentions. But here goes another attempt.

Basically, I do want to get in the position where our home users can run SSMS on their laptop and connect to the database over the VPN. But before making that statement, I want to first understand what the "best practice" is for connecting over the VPN to our database. Once I establish that I will ask follow up questions for implementations / security controls.
K. Brian Kelley
Keeper of the Duck (25K reputation)

Group: Moderators
Points: 25182 Visits: 1917
If it's a user-owned laptop, not a company asset, this isn't going to be possible.

If it's a company owned asset, you can have the laptop be part of the domain. Depending on the type of VPN, when that VPN connection is made, the laptop will see the DC. And that means if they're using their domain user credentials to connect, the laptop will authenticate on the domain and the user will validate. Then the user should be able to connect via Windows authentication normally. The catch is to allow traffic to the DCs (and to use internal DNS on the VPN configuration so the laptop can locate the DCs).

My work laptop used to be set up this way when I used VPN. And since the paths to the DCs and DNS were mapped properly, I was able to authenticate properly against servers.

K. Brian Kelley
@kbriankelley
Gift Peddie
SSCoach (17K reputation)

Group: General Forum Members
Points: 17438 Visits: 14456
Tony,

There are at least one million developers in the US using company-issued boxes as Brian explained, and many banks' data teams work from home because their system is 24/7. There are many existing setups; take your pick. Some developers work from home either connected or connecting to upload files.

Kind regards,
Gift Peddie
tafountain
SSC-Addicted (424 reputation)

Group: General Forum Members
Points: 424 Visits: 389
Brian,

Thanks for the response. I actually have a couple of scenarios to address:
- company employees using company owned laptops that connect via a normal VPN
- offshore development teams that connect via a site to site VPN

For my purposes I think I will focus on the first item now, as the second item involves employees from another organization connecting from a non-trusted domain. This is an entirely different scenario.

Now, with our employees, we have two domains, trusted with one another. They may connect to either domain based on which servers they need to access (they have other needs besides the database servers). It sounds like we should be able to set up these users to use domain authentication regardless of (a) which domain the database server resides on and (b) which domain they connect to. Sounds like the work is on our network guys, sound about right?
K. Brian Kelley
Keeper of the Duck (25K reputation)

Group: Moderators
Points: 25182 Visits: 1917
tafountain (9/21/2009)
Brian,

Thanks for the response. I actually have a couple of scenarios to address:
- company employees using company owned laptops that connect via a normal VPN
- offshore development teams that connect via a site to site VPN

For my purposes I think I will focus on the first item now, as the second item involves employees from another organization connecting from a non-trusted domain. This is an entirely different scenario.

Now, with our employees, we have two domains, trusted with one another. They may connect to either domain based on which servers they need to access (they have other needs besides the database servers). It sounds like we should be able to set up these users to use domain authentication regardless of (a) which domain the database server resides on and (b) which domain they connect to. Sounds like the work is on our network guys, sound about right?


If there is a two-way trust, you are correct, it should be fine to use Windows authentication to servers in either domain. And therefore the bulk of the work is on the network guys, as well as the AD guys, who will need to add a physical site in AD which comprises the IP address range the VPN is using.

In the second scenario, probably better would be to use a portal such as Citrix or Terminal Services and provide desktops to them. Citrix is normally used to publish specific apps, but in this case, since we're talking development teams, publishing the desktop may be necessary.

K. Brian Kelley
@kbriankelley
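Brian's prerequisites (VPN hands out internal DNS, the laptop can reach the DCs, Windows authentication then works against SQL Server) can be checked from the laptop itself. The PowerShell below is an added diagnostic, not code from the thread or from SQLServerCentral; the domain name and instance name are placeholders, and it assumes a domain-joined Windows laptop with the VPN already connected.

```powershell
# Added diagnostic (not from the thread): verifies the prerequisites for
# Windows authentication to SQL Server over a VPN, then asks SQL Server how it
# authenticated us. Placeholders: $Domain and $SqlInstance are assumptions.
param(
    [string]$Domain      = 'corp.example.com',            # assumption: AD DNS domain
    [string]$SqlInstance = 'SQLPROD01.corp.example.com'   # assumption: target instance
)

# 1. The VPN must use internal DNS: locate DCs via the _ldap._tcp SRV record.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique
if (-not $dcs) { throw "No DC SRV records for $Domain: the VPN is not using internal DNS." }

# 2. The VPN ACL must allow the ports a domain-joined client needs to authenticate:
#    Kerberos (88), LDAP (389), SMB for Group Policy/SYSVOL (445), RPC endpoint mapper (135).
$ports = @{ Kerberos = 88; LDAP = 389; SMB = 445; RPC = 135 }
foreach ($dc in $dcs) {
    foreach ($p in $ports.GetEnumerator()) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $p.Value `
                   -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0,-40} {1,-9} {2}' -f $dc, $p.Key, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}

# 3. DC locator check: the laptop must be able to find a DC for the domain over the tunnel.
nltest /dsgetdc:$Domain /force | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning "nltest could not locate a DC for $Domain" }

# 4. Connect with Integrated Security and ask SQL Server which scheme it used.
#    KERBEROS means a DC issued a ticket; NTLM still works but usually means the SPN or
#    the DC path is not right; a failure here points back to steps 1-3.
$cs = "Server=$SqlInstance;Integrated Security=SSPI;Encrypt=True;Connect Timeout=10"
$conn = New-Object System.Data.SqlClient.SqlConnection $cs
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT SUSER_SNAME() AS login_name, auth_scheme ' +
                       'FROM sys.dm_exec_connections WHERE session_id = @@SPID'
    $r = $cmd.ExecuteReader()
    while ($r.Read()) { 'Connected as {0} using {1}' -f $r['login_name'], $r['auth_scheme'] }
} finally {
    $conn.Dispose()
}
```

For the two-domain case in the thread, run it once per domain: with a two-way trust in place, step 4 should report a login from either domain regardless of which domain hosts the instance.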