Question :
I am running SQL Server 2014, and use LetsEncrypt to encrypt some websites on the server. I want to remain PCI compliant, which requires an encrypted connection to the database, if accessing from outside the network (I want to use SSMS). Would it be possible to leverage the WACS tool to secure a certificate for SQL Server external connections, with automatic updating of the certificate?
To be honest, I’m a little fuzzy on the details of assigning a certificate to SQL Server for external connections in the first place. (I get the gist, I think, but trying to put it together with WACS is another story…)
Yeah, I get it’s bad practice to leave external connections open, but it sure does make it convenient to not have to remote into a server to access SQL Server Management Studio, to modify necessary things in the database, on a regular basis. Not only that, I’d rather not work directly off the server.
Answer :
Per Igor’s suggestion, I went with the VPN method. What this entailed was installing, and configuring OpenVPN, disabling all external TCP interfaces in the SQL Configuration Manager, and adding one for the standard OpenVPN IP (10.8.0.1), then under protocol, setting listen all to ‘none.’
This solved a lot of issues – I also was running FileZilla server to transfer files, and now I no longer need to maintain a certificate, or keep this open to the outside world. Now I can connect via VPN, and access the FTP server that way (binded the OpenVPN IP to the server).
Moral of the story is: If you have a private server, configure a VPN, and stop wasting your time trying to secure things like SQL Server to the outside world (unless your web server isn’t on your SQL box, of course)