
Connecting to a remote SQL Server without configuring the firewall

I have an SQL Server located in the US, and I've written a program that connects to a database on the server and takes the data from the server. The users of the program are spread around the world. The majority of them can easily use the program (i.e. the connection is successfully established).

But some of the users who try to run the program from inside their office building can't connect to the server because of their companies' firewalls. Since the number and location of the users is not known (the application is distributed for free with no notifications to me), customizing every firewall isn't really an option (even though it helped when I was able to do this).

I believe there should be an option like a kind of "certificate" that has to be embedded in my program and has to be registered somewhere on a user's machine that would allow establishing the connection. Or anything of that sort. Unfortunately, I haven't found anything specific on the Internet. Most probably because I googled the wrong words or so.

Any help or advice is very much appreciated!

If a firewall (or other security device) is blocking, then there is no magic bullet. You need to avoid directly talking to SQL Server.

Even if you changed the port, many of those company workers will be limited to HTTP(S) access, and then only via a proxy.

So you need to talk HTTP to an API you provide, and the implementation of that API then talks (under your control) to the database.

This has the enormous advantage of giving you an extra layer protecting the integrity of the data in the database.

To build a connection you need the firewall at the client's place to allow access to the IP where your SQL Server is present.

You can give a custom message to the users to allow access to the IP address of the SQL server, but it is not safe to do so due to security concerns.

Instead you can make a third application to take requests from clients and forward them to your SQL Server, like some web service. Host this application on a public IP and inform the clients that they need to open the IP in their firewall to run the program. It will ensure security, and your problem will be solved.
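
Both answers above recommend putting an HTTP service between the clients and the database. The following is an added example (not code from either answer) of one way such a gateway can look in Python: clients name an allow-listed operation and pass arguments, and only the gateway runs SQL. Assumptions: sqlite3 stands in for SQL Server so the code runs offline, and the operation names, table, sample rows and port are hypothetical.

```python
import json
import sqlite3
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

# Assumption: sqlite3 stands in for SQL Server; only the gateway holds DB credentials.
# Hypothetical allow-list: clients name an operation, they never send SQL text.
QUERIES = {
    "product_by_id": ("SELECT id, name, price FROM products WHERE id = ?", (int,)),
    "products_under": ("SELECT id, name, price FROM products WHERE price <= ? ORDER BY id", (float,)),
}

def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:", check_same_thread=False)
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "widget", 9.5), (2, "gadget", 24.0)])
    return conn

def run_query(conn, name, raw_args):
    """Return (http_status, payload) for a named operation and its string arguments."""
    if name not in QUERIES:
        return 404, {"error": "unknown operation"}
    sql, types = QUERIES[name]
    if len(raw_args) != len(types):
        return 400, {"error": "wrong number of arguments"}
    try:
        args = [cast(value) for cast, value in zip(types, raw_args)]
    except ValueError:
        return 400, {"error": "bad argument"}
    rows = conn.execute(sql, args).fetchall()  # bound parameters, never string-built SQL
    return 200, {"rows": rows}

class Gateway(BaseHTTPRequestHandler):
    conn = make_db()
    def do_GET(self):
        # e.g. GET /product_by_id?arg=1
        url = urlparse(self.path)
        args = parse_qs(url.query).get("arg", [])
        status, payload = run_query(self.conn, url.path.strip("/"), args)
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Plain HTTP on localhost for the demo; a real deployment would serve HTTPS on 443.
    HTTPServer(("127.0.0.1", 8080), Gateway).serve_forever()
```
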
