I would like to connect to an Oracle database hosted on a remote box using Oracle SQL Developer. I am able to create a standard connection BUT I have to be connected to a VPN for security reasons. I want to bypass this vpn.
I do this all the time with normal ssh connections. There is one machine (gateway) on my company network than can be accessed outside the network (no vpn). From gateway, I can connect to any machine on our network. I would like to connect to the database hosted on machine (dbmachine) on the network (which cannot be accessed without being on the vpn unless I am first connected to the gateway).
This seems to be a common issue because I was easily able to bake this functionality seamlessly into my ssh config. Example:
Host gateway
HostName gateway.company.org
User marc
Host dbmachine
HostName dbmachine.company.org
User marc
ProxyJump gateway
Host exampleMachine
HostName exampleMachine.company.org
User marc
ProxyJump gateway
By using ProxyJump, I am able to type ssh dbmachine to seamlessly connect to dbmachine or ssh exampleMachine to seamlessly connect to exampleMachine. I want to do a similar jumping technique with Oracle SQL Developer. How can I connect to the database on dbmachine from Oracle SQL Developer?
I'm not sure what port the db is running on dbmachine, but I can access it though sqlplus when I'm logged into the box.
The answer is to create an SSH Tunnle:
ssh -L 1521:localhost:1521 -N -f dbmachine
This will forward all traffic on localhost:1521 to dbmachine:1521 (where the database is running). It will respect the user's configuration so you do not have to setup two tunnles.
-N Will not switch to remote shell
-f Requests ssh to go to background just before command execution
I'm not sure if there's a better solution that is configurable directly in a database client, but this works for me on Arch Linux.
Is it possible to only allow a Port to be used via SSH Port Tunneling if the user is in a specific Active Directory Group?
I have a client machine, a Windows Web Server and a Linux Server with a database. I would like the client to be able to connect to the Database using SSH, but only if they are in a specific AD group.
Is there any way of achieving this?
Basically: no. Any user with shell access can use his own forwarder and gain access to the port anyway. So if you have users root, bob and dbtunnel on the Linux machine, all three can "export" access to the database.
But what is it that you really want to do? Because it seems to me that you want to encrypt (possibly compress) the database connection between Web server and database. You can do that without SSH at all.
What you can do, with SSH, is disable port forwarding and shell altogether except for that one group. sshd_config allowgroups supports LDAP. You will be severely limiting all (or most) users on the Linux machine.
Some databases such as MySQL offer native encryption, possibly not so performant if compared to "born" solutions. MySQL also has compressed client/server protocol (which is best left disabled whenever using a third party encrypted connection).
You can set up a VPN and only allow access to port 3306 from the VPN interface.
Also, you can restrict connections (both SSH and VPN) to those coming from the web server to reduce the database machine's attack surface.
A fancy solution, even if it does little for security, is to not have SSHd on the Linux machine at all, and rather have it on the Windows machine. Then the Linux machine can connect with an autossh client and forward its local 3306 port to the remote. Anyone on the Windows machine can still connect to the database. And the tunnel user needn't even exist on the Linux machine. You can then disable SSH access to all users except bob for management purposes. To open the tunnel with auto-SSH from Linux to Windows, you'll need some SSH server or other for Windows.
The reason why VPN, iptables and reverse-tunnel make little difference is, how would an attacker get "into" the Windows machine? He would probably exploit the Web server. But at that point, whatever connection there is between the Web server and the database, the attacker would have full access no matter what. He would just piggyback on the existing connection.
So the firewall IP restriction and reverse-tunneling solutions do nothing for user identification, as it would be moot anyway, but rather remove the vulnerability of having the Linux machine accessible from outside the Web server by a non-admin user.
Fancy solution (in this example MySQL and port 3306; could be PostgreSQL and port 5432 just as well)
install a SSHd server on the Windows machine on some nonstandard port.
configure Windows firewall to allow connections to that port only if coming from the Linux machine's IP.
create a (limited) user on the Windows machine to allow Linux to connect.
install autossh script (above) on the Linux machine and configure it to connect to the Windows server, forwarding local 3306 port to a newly created listening remote 3306 port bound to localhost (no -g option).
tell the Web server there's a MySQL server at address 127.0.0.1 port 3306.
...and you're done.
Who can connect to the database now?
any user on that one Windows machine. This should mean only the Web server user (*).
any admin user with SSH access on the Linux machine (provided there is a SSH access to the Linux machine. You could have turned it off).
an attacker successfully exploiting the Windows Web server: but he could have done it anyway, since the Web server needs access to the database.
(*) and any other user could have done this also if port forwarding was LDAP limited -- they would have just needed to wait until the connection was performed by the LDAP enabled user, then they could have piggybacked on it.
So I'm building a pretty simple application in Access 2013, and our company recommended using Azure SQL Database for the backend (due to the cost and simplicity of setting up/maintenance). However, their recommendation left us with a massive problem. Port 1433 is blocked on our company's network, and it's such a big company, I can't get it unblocked.
I don't know too much about having a middle-tier, but what are my options here? Is there a simple way to connect to the database without accessing this port?
Thanks
You could fire up a Azure VM with SQL Server already installed. Then you should be able to change the ports to your liking.
Check out this post...
http://roberteichenseer.wordpress.com/2012/07/06/nderung-default-port-sql-server-innerhalb-einer-azure-vm/
You only need to open up 1433 outbound in your works firewall not the 1433 inbound.
Most security teams are ok to open the outbound port. Opening the outbound will give you the access to connect and access the data inside Azure.
During my daily work, I need to use the customer's Database. for this connection, first of all, I need to connect the VPN to customer's network, and then make the DB connection.
Normally, if this connection can be established using TCP protocol. But sometimes I cannot connect to the DB. Then I track the network package, I found the connection is attempting connect to customer's DB using UDP protocol.
And now my network environment is using '172.16', if I change my network to '10.12', do the same connection, then change back to the '172.16' network, the connection can be established successfully.
Because the DB is in customer's side, I cannot check it.
The first couple of things I'd look at:
Firewall
... and ...
Firewall
PS:
Yesterday I had a case where the customer's database could communicate by Windows host name or by "localhost" ... but NOT by IP, nor by hostname alias ... even though the client and the SQL Server were ON THE SAME PC!!!!
Windows firewall was OFF. There wasn't any router between SQL server and the client (remember: same PC!).
But they installed a new A/V program ... that had it's own firewall ... and wouldn't allow any SQL Server connections.
PPS:
The correct approach, of course, is to configure firewall exceptions for all services you need (like MSSQL).
You could check with the customer's server administrator if the VPN access you have would have sufficient port/route access with customer's server database.
Normally VPN access allow outsider to gain access to internal network but it might be assigned by different router at the time you encountered problem. It isn't db problem, it is network issue.
I have connected for the first time to an existing network over VPN. I can ping the IP address which is used by the SQL Server from the VPN client, but SSMS does not connect to the SQL Server. I am using the right login id and password.
Why could this happen? Any ideas?
On a default instance, SQL Server listens on TCP/1433 by default. This can be changed. On a named instance, unless configured differently, SQL Server listens on a dynamic TCP port. What that means is should SQL Server discover that the port is in use, it will pick another TCP port. How clients usually find the right port in the case of a named instance is by talking to the SQL Server Listener Service/SQL Browser. That listens on UDP/1434 and cannot be changed. If you have a named instance, you can configure a static port and if you have a need to use Kerberos authentication/delegation, you should.
What you'll need to determine is what port your SQL Server is listening on. Then you'll need to get with your networking/security folks to determine if they allow communication to that port via VPN. If they are, as indicated, check your firewall settings. Some systems have multiple firewalls (my laptop is an example). If so, you'll need to check all the firewalls on your system.
If all of those are correct, verify the server doesn't have an IPSEC policy that restricts access to the SQL Server port via IP address. That also could result in you being blocked.
When this happens to me, it is because DNS is not working properly. Try using the IP address instead of the server name in the SQL Server login.
Make sure SQL Server is enabled for TCP/IP (someone may have disabled it)?
This will also help you to check/verify the port number the SQL instance is using (in case someone changed it from the default of port 1433).
Obviously port 1433 (or whatever port SQL is listening on) needs to be unblocked by any firewalls between your machine and the box SQL is running on.
To check SQL's network configuration (requires SQL Server Client Tools installed):
Start -> Programs -> SQL Server 200x -> Configuration Tools -> SQL Server Configuration Manager
Connect to the machine you need then expand the Tree Item (LHS) "SQL Server Network Configuration", then pick instance. You should have four options - Shared Memory, Named Pipes, TCP/IP and VIA. You can check that TCP/IP is enabled in the RHS window.
If you double click TCP/IP and hit the "Advanced" tab, you can also view the Port number.
Other thoughts.. Are you using SQL Authentication or Windows (Domain) authentication?
If SQL Authentication (which I assume you are using given you said username and password), are you sure the SQL instance you're connecting to has mixed mode authentication enabled? If not, you have to connect as Administrator and change the default security settings to allow SQL authentication.
If Windows Authentication, could your network be using Kerberos potentially? One would think the VPN credentials would be used for the handshake. I'd check your account has appropriate login rights.
I also had this problem when trying to connect remotely via the Hamachi VPN. I had tried everything available on the internet (including this post) and it still did not work. Note that everything worked fine when the same database was installed on a machine on my local network. Finally I was able to achieve success using the following fix: on the remote machine, enable the IP address on the TCP/IP protocol, like so:
On the remote machine, start SQL Server Configuration Manager, expand SQL Server Network Configuration, select "Protocols for SQLEXPRESS" (or "MSSQLSERVER"), right-click on TCP/IP, on the resulting dialog box go to the IP Addresses tab, and make sure the "IP1" element is Active=Yes and Enabled=Yes. Make note of the IP address (for me it wasn't necessary to modify these). Then stop and start the SQL Server Services. After that, ensure that the firewall on the remote machine is either disabled, or an exception is allowed for port 1433 that includes both the local subnet and the subnet for the address noted in the previous dialog box. On your local machine you should be able to connect by setting the server name to 192.168.1.22\SQLEXPRESS (or [ip address of remote machine]\[SQL server instance name]).
Hope that helps.
Check that the port that SQL Server is using is not being blocked by either your firewall or the VPN.
I have this issue a lot with Citrix Access Gateway. I usually get a timeout error. If you are able to connect to the database from a client on the network, but not from a remote client via VPN, you can forget most suggestions given here, because they all address server-side issues.
I am able to connect when I increase the timeout from the default (15 seconds) to 60 seconds, and for good measure, force the protocol to TCP/IP. These things can be done on the Options screen of the login dialog:
As long as you have the firewall set to allow the port that your SQL Server instance is using, all you need to do is change Data Source from =Server name to =IP,Port
ie, in the connection string use something like this.
Data Source=190.190.1.100,1433;
You should not have to change anything on the client side.
You may not have the UDP port open/VPN-forwarded, it's port number 1433.
Despite client protocol name of "TCP/IP", mssql uses UDP for bitbanging.
SQL Server uses the TCP port 1433. This is probably blocked either by the VPN tunnel or by a firewall on the server.
When connecting to VPN every message goes through VPN server and it could not be forwarding your messages to that port SQL server is working on.
Try
disable VPN settings->Properties->TCP/IP properties->Advanced->Use default gateway on remote network.
This way you will first try to connect local IP of SQL server and only then use VPN server to forward you
I was having this issue too with SQL Server 2017.
I'm on the same network as the server via VPN and can ping it. After being frustrated that no authentication method would work - I set up an SSH server on the SQL server - and I was able to connect normally. This confirmed the correct port wasn't being hit for some reason. I even created a new user accounts, domain accounts, firewall checks on both ends, etc...
The solution for me was:
1. Set Connection to strictly use TCP/IP on SSMS
2. Use a custom string to point to the default port (ex: Data Source=192.168.168.166,1433;)
All the other comments above haven't worked so far. It looks like it was mandatory to include the port (even though its default).
This is what fixed my connection problem of accessing the SQL Server 2012 Database via VPN
With the SQL Server 2012 Configuration Manager,
I went to the SQL Server Network configuration
Then clicked on the NEW server instance and double-clicked the TCP/IP protocol
[I had also previously enabled this option and rebooted the server but that did still not fix it]
now that the TCP/IP was enabled, I noted that all of the IP port slots in the 'IP Addresses' tab of the TCP/IP Properties advanced dialog were set to Enabled=No.
I was curious to why my new installation set all of these IP slots to NO rather than Yes, so I just changed them to YES.
Now the connection to the sever via VPN works great, I did not change any port numbers.
Note: I also had SQL Server 2008 default from the Visual studio 2010 uninstalled, but I do not think that had a direct effect to the TCP/IP situation. A coworker told me that the 2008 and 2005 installations which come with visual studio may interfere with SQL 2012.
If you're using sql server 2005, start sql server browser service first.
Try changing Server name with its IP
for example
SERVERNAME//SQLSERVER -> 192.168.0.2//SQLSERVER
its work flawlessly with me using VPN
Make sure to add port 1433 to firewall exceptions and make sure "Any IP Address" is checked under Firewall port setting(see attachment).
In case everything works fine on your LAN, but fails when client application tries to establish connection thru a VPN, you might consider changing your router MTU (Maximum Transmit Unit) settings from AUTO to a lower than maximum value.
Further references:
https://faq.draytek.com.au/2021/03/15/adjusting-vpn-mss-mtu-settings/
https://community.spiceworks.com/topic/217130-mtu-issues-in-vpn-connections
https://community.ui.com/questions/EdgeRouter-4-FortiGate-VPN-Performance-issues/84932edc-d2ee-4bdd-bd47-e0993210f17e?page=1
My solution was enable and start the service "SQL Server Browser".
Be also sure, you allow this service in your firewall.
I have a similar problem but with a strange effect.
If I use SMSS over a VPN (site2site) I can't connect. But If I use OpenVPN client it's working.
And this isn't the only thing... Using the same site2site vpn but with DBeaver or HeidiSQL I can connect... I wrote a simple c# console app to test the connection and it's working. The only issue is with SMSS.
I don't know why but I'm very curious about that :)