Thursday, February 3, 2011

Suggestions for accessing SQL Server from internet

i need to be able to access a customer's SQL Server, and ideally their entire LAN, remotely.

They have a firewall/router, but the guy responsible for it is unwilling to open ports for SQL Server, and is unable to support PPTP forwarding.

The admin did open VNC, on a non-standard port, but since they have a dynamic IP it is difficult to find them all the time.

In the past i have created a VPN connection that connects back to our network. But that didn't work so well, since when i need access i have to ask the computer-phobic users to double-click the icon and press Connect.

i did try creating a scheduled task that attempts to keep the VPN connection back to our office up at all times by running:

>rasdial "vpn to name" username password

But after a few months the VPN connection went insane, and thought it was both, and neither, connected and disconnected; and the VPN connection wouldn't work again until the server was rebooted.

Can anyone think of a way where i can access the customer's LAN that doesn't involve

  • opening ports on the router
  • needing to know their external IP
  • customer interaction of any kind

Blah blah blah

  • use vpn
  • vnc protocol has known weaknesses
  • you are unwise to lower your defenses
  • it's not wise to expose SQL Server directly to the internet
  • you stole that line from Empire

Customer doesn't care about any of that. Customer wants things to work.
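The scheduled-task approach in the question trusts whatever RAS believes its state is, which is exactly what breaks when the connection gets stuck. The following watchdog is an added example, not part of the original question or any answer: it decides by reachability through the tunnel, tears the connection down when RAS reports connected but nothing answers, and redials with the credentials saved in the phonebook entry. The probe host 10.0.0.1 and the log path are assumed placeholders; "vpn to name" is the connection name from the question.

```powershell
# Added example: VPN watchdog meant to run every few minutes as a scheduled task.
# Assumptions (placeholders): an office host 10.0.0.1 reachable only through the
# tunnel, and a log file path. The connection name comes from the question.
$ConnectionName = 'vpn to name'
$ProbeHost      = '10.0.0.1'            # assumption: host on the office LAN behind the tunnel
$LogFile        = 'C:\vpn-watchdog.log' # assumption: where to record what the watchdog did

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append
}

# rasdial with no arguments lists the names of active connections, one per line,
# after a "Connected to" header (or prints "No connections").
function Test-RasConnected {
    $lines = & rasdial.exe 2>&1
    return [bool]($lines | Where-Object { "$_".Trim() -eq $ConnectionName })
}

# Health is judged by whether traffic actually gets through the tunnel,
# not by what RAS reports.
function Test-TunnelUsable {
    return (Test-Connection -ComputerName $ProbeHost -Count 1 -Quiet -ErrorAction SilentlyContinue)
}

if (Test-TunnelUsable) {
    exit 0   # healthy; nothing to do
}

if (Test-RasConnected) {
    # RAS says connected but nothing answers through the tunnel: the stuck state
    # described in the question. Tear it down so the redial starts clean.
    Write-Log "Tunnel unusable while RAS reports connected; forcing disconnect"
    & rasdial.exe $ConnectionName /disconnect | Out-Null
    Start-Sleep -Seconds 5
}

# Redial using the credentials saved with the phonebook entry, so no password
# sits in the scheduled task's command line or in this script.
$output = & rasdial.exe $ConnectionName 2>&1
if ($LASTEXITCODE -eq 0) {
    Write-Log "Redial succeeded"
    exit 0
}
Write-Log "Redial failed, rasdial exit code $LASTEXITCODE : $output"
exit 1
```

If the redial keeps failing after a forced disconnect, the RAS service itself is wedged and a reboot (or a restart of the Remote Access Connection Manager service) is the remaining fix; the log makes that visible the next time you do get in.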

  • Have them use a dynamic DNS service, and then connect to that DNS name via VNC.

    Ian Boyd : Tried that. But for various reasons, various dyndns update programs get stuck, or stalled, or fail, or lose their credentials, or the account has gotten disabled. These are all solvable problems; but when the customer calls for the first time in 6 months i can't be trying to debug why their dyndns isn't updating, or why their WinVNC service isn't running, or isn't accepting connections (especially since i can't connect to the machine to diagnose it, and they know nothing about computers)
    mfinni : But if this happens because the customer is calling you, why do you have a requirement of "no customer interaction of any kind" ? You've got them on the phone, you could tell them "Please do X so that I may troubleshoot this remotely." How far are you from this client? You know that F2F time is good customer service, especially if it's 6 months between visits.
    Ian Boyd : It's not "no customer interaction", it's "customer does not have to do anything to let me gain access". If they have to browse to a web-site, enter a url in ie, find a program on the start menu or click an icon on the desktop: we're reaching the limit of their capabilities. If them calling me on the phone were enough to make remote access happen - i'd be golden. About 15 minutes away.
    From mfinni
  • Fog Creek Copilot offers a one-click connect service which is based on VNC (IIRC) and is fairly inexpensive and requires no user interaction on the remote side once it's installed and configured (and the connection confirmation is disabled). Requires no firewall changes on their network.

    If the basic VNC connection works fine for you, install a dynamic DNS client on the server and have it update a static hostname which you can use to connect as long as a port is opened (as you've indicated).

    Ian Boyd : i've used copilot, a lot. It requires them to browse to a web-site, click a link, run a program, and enter a number. You'd be surprised how hard that can be for some users. (i much prefer copilot over glance, though)
    Ian Boyd : i once spent 10 minutes on the phone trying to talk a customer through copilot. ("In the address bar", "The bar at the top", "What do you see?", "No, those are google search results, you typed it in the google toolbar. Type it in the address bar." "The bar at the top" "Try hitting Alt+D" "No, those are google search results again. You have to put it in the address bar." "Okay, try this. Click the file menu, and select Open" "Oh, hmmm. Try pressing the Alt key" "No, just the alt key, then release it, the file menu should appear." "No, just once" "Then open" "Which version of Windows are yo..."
    Ian Boyd : (see what i'm saying?)
    Justin Scott : Yes, I've felt the pain. The OneClick service is slightly different though. Once it's installed the client just stays running and you can connect any time without further intervention or action from the user on the remote side.
    Ian Boyd : Link to this `OneClick` application? On the downside, it could be possible that this (indeed any program) might fail to operate correctly after running in the background for many months, or years. We have a world-wide network, providing high-speed connection between everyone on the planet: yet i can't connect to a customer who's 10 miles away. Security is the bane of the internet - the great possibilities are destroyed by security.
    Justin Scott : Information is available on their "Learn More" page at: https://www.copilot.com/LearnMore/ The issue you stated could apply to ANY program or service. Things change, especially over years. As for security, it's just something you have to deal with, and that's a good thing. You think spam and viruses are bad now? If it weren't for the security we have the Internet would be entirely overrun and unusable with garbage.
    Ian Boyd : @Justin Scott: i understand the need for security. But security is the *bane* of the internet. Some better system needs to be invented. Passwords, enabling/disabling, domain controllers, authentication servers, features off-by-default, secure-by-default, disabled-by-default: broken-by-default.
    Ian Boyd : ...we have a global connection, where data can flow between any two computers in a fraction of a second: but i can't access the computer of a customer who is a 40 second walk from here.
    Justin Scott : @Ian Boyd - I manage dozens of servers in data centers in four states. Many of them are mission-critical for the businesses that use their services and some fall under fairly strict security guidelines. As I said, given the current state of things, you just have to deal with it. If it's all configured properly then it's really not so bad. However, if something goes wrong with the configuration on the customer's side, well, then NO remote access solution is going to meet your needs and hands will have to be applied in person to fix it.
    Ian Boyd : @Justin Scott: Fortunately i don't have to maintain software for you. We do have customers like that, and dealing with the bureaucracy is always not fun. But in this case i'm talking about real people, who want real support - and don't have over the top security theater.
  • Personally I would never let a vendor connect to my network without my explicit permission and presence. My suggestion (which is really a suggestion for them and not you) would be to use a third party solution like GoToMeeting, Webex, etc to allow you to connect to their server(s) with their participation.

    Ian Boyd : The downside to that is it requires their participation; which would be fine if they didn't have to use a computer while doing it. Not everyone is computer savvy (i.e. trying to talk them through a program over the phone is a problem - which technology should be able to fix)
    From joeqwerty
