Acessing SQL Server over the web with shared IP

Chris (me*******@yahoo.com) writes:

I am new to setting up SQL Server and would greatly appreciate if
someone can help me out with this issue:

I have successfully set up SQL Server but want to be able for clients
of mine to be able to connect to it via the web through enterprise
manager. I have tried everything I could think of to get it to work. I
made sure the correct ports where open in the firewall (1433,1434).
Everytime I try to connecting using the IP of the box that the SQL
Server resides I get SQL Server does not exist or access denied. I
verified that the login credentials being used for the database I am
trying to correct to are correct. Still the same error message.

How I would like to set it up would be to create a subdomain on the
box and point it to SQL Server so that is what would be entered when
registering the group in enterprise manager.

I am currently running all my sites through vhost on a single IP using
IIS 2003. SQL Server is installed on the box where all of the sites
are being served up.

Is it impossible to set-up SQL Server to allow connections over the
web when using a Shared IP?

I'm not really sure what you mean with "connect to it via the web through
enterprise manager". Do you mean that they will connect over the Internet?
If they were to go from EM through a web site to SQL Server sounds a
little funny to me.

As for why things are not working, I don't really have much advice, but
I take the occassion to respond, because you may not want to do that
after all.

Exposing SQL Server directly on the Internet is something you should
avoid. And if you do it - make sure that you have SQL Server authentication
turned off. There is no protection in SQL Server against brute-force
attacks, other than logging, so no matter how strong password you have
for "sa", it is likely to be cracked sooner or later if someone is dead
set on doing it. I don't know if you are able to authenticate your clients
through Windows authentication. If you are, you might be safe. But it
might be a better option to offer them a VPN connection from which they
can access SQL Server that way.

What I can add about the error message "SQL Server does not exist or
access denied" is that playing with login credentials on SQL Server
is of no use. The error means that you never find the server, so it
is not able to authenticate you anyway.

This KB article discusses this message more in detail:
http://support.microsoft.com/default...;EN-US;q328306.


--
Erland Sommarskog, SQL Server MVP, es****@sommarskog.se

Books Online for SQL Server SP3 at
http://www.microsoft.com/sql/techinf...2000/books.asp

In article <1f*************************@posting.google.com> ,
me*******@yahoo.com says...

I am new to setting up SQL Server and would greatly appreciate if
someone can help me out with this issue:

I have successfully set up SQL Server but want to be able for clients
of mine to be able to connect to it via the web through enterprise
manager. I have tried everything I could think of to get it to work. I
made sure the correct ports where open in the firewall (1433,1434).
Everytime I try to connecting using the IP of the box that the SQL
Server resides I get SQL Server does not exist or access denied. I
verified that the login credentials being used for the database I am
trying to correct to are correct. Still the same error message.
First, let me say one important thing - exposing your SQL server
directly to the internet is always a BAD IDEA. There is no reason to
expose it directly to the internet. You should have the users VPN into
your server and access the SQL Server through the VPN.

It was servers like yours that let slammer spread around the world in
record time.
How I would like to set it up would be to create a subdomain on the
box and point it to SQL Server so that is what would be entered when
registering the group in enterprise manager.

I am currently running all my sites through vhost on a single IP using
IIS 2003. SQL Server is installed on the box where all of the sites
are being served up.

Is it impossible to set-up SQL Server to allow connections over the
web when using a Shared IP?

Since you have a router with port-forwarding (or a firewall with port
forwarding) you need to tell people to use your PUBLIC ip address when
they are outside of your network - external people access the SQL Server
using the Public IP that you forwarded to the internal IP.

One other thing - don't give users access to the SA account and don't
give them access to any other database (just their own). We did some
work for a company that let users access the DB over the net, the
company had created super user accounts for people to manage their
database remotely - as it turns out, the accounts had access to every
database in their system - some 30 databases on the server. It was
interesting to run an audit, find personal financial info on the other
databases, and then contact the ISP and the Owners of the databases to
let them know that anyone with access to any database could see all of
them as SA. The entire thing was taken off-line for a week while they
figured out how to manage it (should have taken about an hour).

I strongly suggest, even BEG, that you have users VPN into the
network/server and then gain access to the SQL server - do not expose it
directly to the internet.

--
--
sp*********@rrohio.com
(Remove 999 to reply to me)

Hi Chris

It is possible to allow access via the web. You need to use Enterprise
Manager from 2000 upwards and to check that TCP/IP is the connection
protocol. I would suggest not using the standard port but moving it
much higher up the range to a more 'random' port (purely to reduce
risk of hacking).

I'm not exactly sure what you mean by creating a sub-domain on the
box. My interpretation is that you want to create something like
subdomain.mydomain.com and use that to connect to the database. This
you can do, but not on the box. You will need to talk to your ISP and
get them to create the subdomain and point it to the IP address of
your server. Then I think you will be able to register the server by
entering subdomain.mydomain.com in EM.

Hope this helps

Sam