Using different addresses for intranet and internet

  • Question

  • I have a SQL Server 2012 R2 running on a development server. This database must be available for intranet and internet, due to operational requisites.

    My server is named museum01.company.intra, and has an alias for responding to mssql.company.intra. On the internet, it is named mssql.company.com.br, and I also have an alias to map this name to museum01.company.intra.

    When I enable SSL, using a certificate with a subject museum01.company.intra, the connections using aliases are refused. As the internet connections are important for my business, I decided to create a certificate with subject mssql.company.com.br, and use aliases for intranet, but when I configure that, the server does not start because the hostname does not match the subject name.

    The ideal solution would be to force SSL connections over the Internet, and allow clear connections only in the intranet. Is it possible?

    If not, what can I do to allow the server to start up using a certificate with a principal name that does not match the hostname? Of course I cannot rename the server due to my domain name and naming standards.

    Wednesday, May 18, 2016 9:03 PM

Answers

  • Hi José Luiz Berg,

    Firstly, according to my knowledge, there is no method in SQL Server by which you can disable SSL over the intranet after you have enabled SSL encryption.

    Secondly, using a Subject Alternative Name (SAN) certificate should let you establish an SSL connection to your SQL Server from both Internet and Intranet, as the certificate can contain multiple subject names. In this case, you can create a certificate with the "SUBJECT ALTERNATIVE NAME" field enabled, and the field should contain your server name as well as all your aliases; the “SUBJECT” field should contain the server name. You may need to contact your CA server administrator or talk to your vendor if you are using a third-party certificate.

    For more information, please review the MSDN article https://blogs.msdn.microsoft.com/sqlserverfaq/2011/08/08/implementing-ssl-encryption-for-sql-server-in-a-dns-forwarding-environment/.

    If you have any other questions, please let me know.

    Regards,
    Lin

    Thursday, May 19, 2016 7:14 AM
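
The name check implied by the answer above, as an added example that is not part of the original thread: it compares a certificate's subject and SAN entries with the server name and with every name clients connect to, before the certificate is installed. The host names come from the question; the certificate field values, the function names and the matching rule (SAN DNS entries first, subject CN only when there is no SAN) are assumptions made for the example.

```python
# Added example: pre-deployment name check for a SQL Server TLS certificate.
# Host names are from the question; certificate field values are constructed.

def matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS match; '*' is allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def audit_certificate(subject_cn, san_dns, server_fqdn, client_names):
    """Return a list of problems; an empty list means the names line up."""
    problems = []
    # Server side (from the thread): the subject must be the real host name,
    # otherwise the instance does not start.
    if subject_cn.lower() != server_fqdn.lower():
        problems.append(f"subject CN {subject_cn!r} is not the server name {server_fqdn!r}")
    # Client side (assumption): names are matched against the SAN DNS entries,
    # falling back to the subject CN only when the certificate has no SAN.
    presented = list(san_dns) or [subject_cn]
    for name in client_names:
        if not any(matches(entry, name) for entry in presented):
            problems.append(f"{name!r} is not covered by the certificate")
    return problems


SERVER = "museum01.company.intra"
CLIENT_NAMES = [SERVER, "mssql.company.intra", "mssql.company.com.br"]

# Constructed descriptions of the three certificates discussed in the thread.
CANDIDATES = {
    "subject = host name, no SAN": (SERVER, []),
    "subject = internet name, no SAN": ("mssql.company.com.br", []),
    "subject = host name, SAN lists every name": (SERVER, CLIENT_NAMES),
}


def run_audit():
    return {label: audit_certificate(cn, san, SERVER, CLIENT_NAMES)
            for label, (cn, san) in CANDIDATES.items()}


if __name__ == "__main__":
    for label, problems in run_audit().items():
        print(label, "->", "OK" if not problems else "; ".join(problems))
```

The first two candidates reproduce the failures described in the question (aliases refused, server name mismatch); only the SAN certificate returns no problems.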