We have a remote web server that talks to a SQL Server database (located in a different city) via a VPN. That's working fine. The SQL database is on 192.168.1.xxx on the local LAN, and in addition to those remote web apps, many local desktop applications also talk to it over the LAN.

After some bad weather brought large trees down and cut electric power for the better part of a week, management has asked me to move the SQL database off the LAN and up to the remote server, which is housed in a fancy datacenter with backup generators.

So I have all of these desktop applications that would need to go out over a new VPN to reach the remote SQL database.

The remote web server has a hardware firewall with only three ports opened to the world at present, port 80, a port for mail, and a port for Remote Desktop Connection.

Is there a way to set up a VPN so that the desktop applications here on the LAN can see the database up there on the remote server, the web apps on the remote server can see the database on the same remote server, but the port that SQL Server is listening on is not opened to the world in the firewall, while still using TCP as the SQL Server protocol?

TRomano

1 Answer

Sounds like what you should do is create an IPSec tunnel between the webserver location and the desktop application location.

http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.html

Gnudiff
  • I can see how the IPSec tunnel would allow the remote web-server to communicate with the database on our LAN (that's what we have now), or allow our desktop applications to communicate with the database if it is moved up to the remote server. But if we move the database up to the web-server, can the web apps on that server communicate with the database on that server without our opening up the SQL Server's port to the world? Can the SQL Server port be opened in the firewall with a restriction that says "requests must originate on this server" and/or "requests must come in over the VPN"? – TRomano Dec 23 '16 at 14:50
  • As far as I understand (haven't used IPSec very much), what you are doing when using IPSec in tunnel mode is to create a router-to-router tunnel between the two sites (let's say site A and B), and the traffic is transparent between the two. This is actually what is possibly already done there, since your users are able to connect to the offsite SQL server at its LAN address 192.168.1.X. In that case you just need to move the webserver to the SQL server site, give it a new address and update any clients/user computers/servers that used the old address to the new one. – Gnudiff Dec 27 '16 at 13:34
  • Site A: internal network 192.168.1.0/24; SQL server address 192.168.1.50; web server address (after moving to this site): 192.168.1.60. Site B: internal network 192.168.20.0/24; user computers 192.168.20.1, etc. From site B's perspective they can directly see 192.168.1.* as if it were part of their local LAN (if the routers are configured properly). In this setup, you only need to open a port in the firewall if you need access to the webserver from outside site A and site B. – Gnudiff Dec 27 '16 at 13:34
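As an added example (not code from the question or the answer), here is how the "requests must come in over the VPN" restriction can be enforced on the SQL Server host itself with Windows Firewall, on top of the datacenter hardware firewall that simply never forwards the SQL port from the Internet. It assumes SQL Server listens on the default TCP port 1433 and uses the site addressing from Gnudiff's comment (site A LAN 192.168.1.0/24, web server 192.168.1.60, site B user LAN 192.168.20.0/24 reached through the IPSec tunnel).

```powershell
# Added example, not from the post. Run in an elevated PowerShell session on the
# Windows host that will run SQL Server after the move.
# Assumptions: SQL Server on TCP 1433 (verify with step 4); addresses taken from
# Gnudiff's comment: web server 192.168.1.60, site B desktops 192.168.20.0/24.

$SqlPort     = 1433                     # assumed default instance port
$AllowedFrom = @(
    '127.0.0.1',                        # web apps on this same host; loopback is
                                        # normally permitted anyway, listed for clarity
    '192.168.1.60',                     # web server if it lives on its own host (comment)
    '192.168.20.0/24'                   # site B desktops, only reachable via the IPSec tunnel
)

# 1. Default inbound action Block on every profile: anything not matched by an
#    explicit allow rule, including the SQL port from the Internet, is dropped.
#    Explicit Block rules win over Allow rules in Windows Firewall, so rely on this
#    default instead of adding a separate Block rule for the same port.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 2. Remove any earlier rule that opened the SQL port to every remote address.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq "$SqlPort" } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
    Remove-NetFirewallRule

# 3. Allow the SQL port only from the VPN subnet and the web tier.
New-NetFirewallRule -DisplayName 'SQL Server (VPN and web tier only)' `
    -Direction Inbound -Protocol TCP -LocalPort $SqlPort `
    -RemoteAddress $AllowedFrom -Action Allow -Profile Any

# 4. Verify: the listener is actually on $SqlPort, and the rule's address
#    filter no longer contains 'Any'.
Get-NetTCPConnection -State Listen -LocalPort $SqlPort |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetFirewallRule -DisplayName 'SQL Server (VPN and web tier only)' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

This only governs the host firewall; the datacenter hardware firewall must still leave the SQL port closed to the world, and the IPSec tunnel must route 192.168.20.0/24 so that desktop connections arrive with their site B source addresses rather than being NATed.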