Security guidance needed on secure configuration

  • Hello All,

    I am hoping someone can provide guidance and best practices. I need to configure 2008 R2 to allow secure access. This is my scenario. I have three servers.

    SERVER_IN - This server is inside the firewall. The purpose of this server is to provide a conduit to outside the firewall.

    SERVER_OUT - This server will be outside the firewall and will service a website.

    DATA1 - This server contains business data.

    I am in the process of configuring/rolling out SERVER_IN and SERVER_OUT.

    The business requirement is to allow data from DATA1 to go to SERVER_OUT through SERVER_IN and to allow data collected on SERVER_OUT to be sent to DATA1 through SERVER_IN.

    I have networking support and there will be a firewall between SERVER_IN and SERVER_OUT.

    SERVER_IN and DATA1 are in an interior domain. SERVER_OUT is in a separate domain.

    Is creating linked servers on SERVER_IN the best way for this server to access SERVER_OUT and DATA1?

    Since SERVER_OUT is in a separate domain, will I need to run in mixed mode on SERVER_IN and use SQL Server accounts?

    Should I disable the browser service on SERVER_IN and SERVER_OUT?

    What protocols should I use on SERVER_IN and SERVER_OUT? Does the firewall mean I need TCP/IP?

    Should I change the default ports?

    I always want SERVER_IN to initiate data transfers to SERVER_OUT. I plan on creating stored procedures on SERVER_IN that either write data to or retrieve data from SERVER_OUT. Is the firewall the proper way to prevent SERVER_OUT from calling SERVER_IN?

    Any other recommendations?

    Thanks so much if you can offer any assistance.

  • I am not sure I understand the logic of what you are doing. From what I can grasp from your post, you are going to use Server IN to work just like a middle tier.

    The Server OUT, will it contain sensitive data? You do not need to run the SQL Server in mixed mode just because Server OUT is in a workgroup. Create a Windows user in Server IN and Server OUT with the same password and you can add those logins into the respective servers. This will allow you to use Windows authentication.

    Instead of using linked server, you could use replication to do this. If you do not want to use replication, then think about a service.

    For the networking part, make sure you have TCP port 1433 open on your firewall. You might need UDP port 1434 if you want to use SSMS to connect to SERVER OUT when connecting from inside your SERVER IN domain. The security admins usually frown if you say you want UDP port 1434 open. 🙂

    -Roy

  • Thank you for your response.

    SERVERIN would be a conduit to transfer data across the firewall. DATA1 would contain our sensitive business data, only some of which needs to be transferred to SERVEROUT. SERVEROUT would service the website.

    So the gist of my question is how to best configure SQL Server for secure data transfer across a firewall.

    The information you provided about creating an identical account on both SERVERIN and SERVEROUT was useful. I will attempt to go this route and not enable SQL Server authentication.

  • The secure way to move data to Server OUT would still be replication. You can encrypt the data being transferred if I am not mistaken.

    -Roy
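The points raised in the thread (Windows authentication instead of mixed mode, TCP on a known port, encrypted transfer) can be checked on each instance after configuration. The T-SQL below is an added example, not code from any poster; it assumes SQL Server 2008 R2 and a login with VIEW SERVER STATE permission, and it uses only built-in catalog views and DMVs.

```sql
-- Added example: verify the hardening choices discussed in this thread.
-- Run on SERVER_IN and on SERVER_OUT.

-- 1. Authentication mode.
--    1 = Windows authentication only, 0 = mixed mode (SQL logins accepted).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. SQL Server logins that are still enabled.
--    With Windows-only authentication these cannot connect, but they become
--    usable again the moment someone switches the instance to mixed mode.
SELECT name, create_date, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_disabled = 0;

-- 3. Live connections that do not match the intended design:
--    anything not on TCP, not encrypted, or authenticated with a SQL login.
--    Local shared-memory sessions (for example SSMS on the server itself)
--    will appear here; remote connections should not.
SELECT c.session_id,
       s.login_name,
       s.host_name,
       c.client_net_address,
       c.local_tcp_port,      -- confirms which listener port is in use
       c.net_transport,       -- 'TCP', 'Named pipe', 'Shared memory'
       c.auth_scheme,         -- 'NTLM', 'KERBEROS' or 'SQL'
       c.encrypt_option       -- 'TRUE' when the connection is encrypted
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.net_transport <> 'TCP'
   OR c.encrypt_option = 'FALSE'
   OR c.auth_scheme = 'SQL';

-- 4. Summary of who connects from where, to compare against the rule that
--    only SERVER_IN initiates connections to SERVER_OUT.
SELECT c.client_net_address,
       s.login_name,
       c.auth_scheme,
       c.encrypt_option,
       COUNT(*) AS connection_count
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
GROUP BY c.client_net_address, s.login_name, c.auth_scheme, c.encrypt_option
ORDER BY connection_count DESC;
```

Query 3 returning only local shared-memory rows, and query 4 on SERVER_OUT listing SERVER_IN as the only remote `client_net_address`, is the result that matches the design described in the thread.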
