SQL Linked Server for DMZ Security

    Question

  • I have a few applications that require remote nodes to connect directly to SQL. This is a problem for me for my nodes in the DMZ. 

    My idea is to use a linked server from a SQL-Proxy to my SQL-Prod box.

    Remote App <-- |Firewall| -> SQL-Proxy <--> SQL-Prod

    To trick the app into working, it needs to be able to use the same SQL queries against the proxy linked server that it would use on the production node.

    I've created the linked node and I'm trying to bind to it using an ODBC connection (which would be a similar connection setup during the remote app installation). I can't get it to connect to the linked node.

    Any ideas? Better way? Help?

    Thanks

    Gd

    Thursday, May 23, 2013 3:30 PM

All replies

  • Hello,

    Did you get any error message when connecting to the linked server? If so, please post the message for further analysis.
    The following thread is about a similar issue, please refer to:
    http://www.sqlservercentral.com/Forums/Topic1316705-1550-1.aspx

    Regards,
    Fanny Liu


    Fanny Liu
    TechNet Community Support

    Monday, June 03, 2013 6:06 AM
    Moderator
  • Since the syntax for querying a linked server requires identifying the linked server, the SQL queries cannot be reused - unless the application specifically supports linked servers, which none that I have worked with do.

    I am not certain that you having a SQL proxy box would really assist in hardening anything.

    There are really three options for a classic DMZ setup:

    1) Use SQL native authentication and ensure only the identified DMZ servers can communicate with the SQL Server from the DMZ at the network layer.

    2) Use a federated or secondary domain, attach your DMZ servers to it, then use Windows native authentication and apply similar network traffic restrictions.

    3) You can have a replicated copy in the DMZ.

    There is a fourth using mirrored local accounts but I have never attempted to use that method.

    I would use either option 1 or 2. I would not consider linked servers to provide DMZ connectivity.

    • Edited by HITgrunt Wednesday, June 05, 2013 5:10 AM
    Wednesday, June 05, 2013 5:06 AM
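An added T-SQL illustration of the point made in the reply above (not code from the thread or from either poster): the linked server changes the text of every query, and its login mapping leaves a standing production credential on the proxy. Assumed names: linked server SQLPROD, host sql-prod.example.internal, database Sales, table dbo.Orders, remote login proxy_link.

```sql
-- On SQL-Proxy: define the linked server that points at the production instance.
-- (Assumed names throughout; SQLNCLI is the era-appropriate provider.)
EXEC sp_addlinkedserver
    @server     = N'SQLPROD',
    @srvproduct = N'',
    @provider   = N'SQLNCLI',
    @datasrc    = N'sql-prod.example.internal';

-- Map every local login to one fixed SQL login on SQL-Prod.
-- The remote password is stored on the proxy, so the proxy now holds a
-- standing credential for production, and SQL-Prod sees every caller as
-- proxy_link rather than as the individual DMZ application.
EXEC sp_addlinkedsrvlogin
    @rmtsrvname  = N'SQLPROD',
    @useself     = 'false',
    @locallogin  = NULL,
    @rmtuser     = N'proxy_link',
    @rmtpassword = N'<placeholder-password>';

-- What the application sends today, directly to SQL-Prod:
SELECT OrderId, Total
FROM dbo.Orders
WHERE CustomerId = 42;

-- What it would have to send to SQL-Proxy to reach the same table through
-- the link: a four-part name or OPENQUERY. The original statement fails on
-- the proxy because dbo.Orders does not exist there, so the app's query
-- text cannot simply be reused.
SELECT OrderId, Total
FROM SQLPROD.Sales.dbo.Orders
WHERE CustomerId = 42;

SELECT OrderId, Total
FROM OPENQUERY(SQLPROD,
    'SELECT OrderId, Total FROM Sales.dbo.Orders WHERE CustomerId = 42');
```

Because of the fixed mapping, auditing on SQL-Prod loses the caller identity, which is why the proxy does not harden the setup on its own.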