I have a requirement within my company to set up a Cognos Connection with LDAPS instead of a regular LDAP server.
We have multiple Domain Controllers and I am not sure how to make a connection to multiple Domain Controllers within Cognos, as when you do a Cognos Configuration you have to specify the Host & port information.
thanks in advance
I have the following scenario:
SQL database on a SQL Server on premise (source)
SQL database on Azure (target)
I access my network from a VPN (F5 - Big IP Edge Client)
I created and configured an Azure VPN Gateway to connect to the VPN. With this configuration and the use of Azure Data Factory, it is possible to see my on-premise database and read the data.
I want to restrict access to the Azure SQL database only to clients from my on-premise network (or connected to the VPN). When I try to set the firewall IP rules, Azure only allows registering public IP addresses and does not recognize IPs from my on-premise network.
Questions
1) Is it possible to restrict access to only clients from inside my private network? How can I do this?
2) Is there a better option to get this secure connection?
Regards
SQL Azure maintains a firewall for the SQL Azure servers, preventing anyone from connecting to your server if you do not give their IP address permissions. Permissions are granted by client IP address. Any user’s desktop application that connected to SQL Azure would need to have the SQL Azure firewall open for them in order to connect. The client IP would be the IP address of the desktop machine as seen by the Internet.
Any desktop computer can access SQL Azure as long as it has Internet access, and port 1433 open for outbound connections.
If you're trying to connect from within a corporate network, you can add the user machine's public IP, or the VPN endpoint IP if all users connect through it. Further, to allow access from specific on-premises machines, firewall rules can be used to limit connectivity only to your public (NAT) IPs.
As a more secure option, you can set up server-level firewall rules (server-level IP firewall rules apply to all databases within the same server) and set up database-level firewall rules (database-level firewall rules only apply to individual databases, can be configured using Transact-SQL statements, and only after you've configured a server-level firewall rule).
Create server-level and database-level firewall rules
Configure an Azure Active Directory (AD) administrator
Manage user access with SQL authentication, Azure AD authentication, and secure connection strings
Enable security features, such as Azure Defender for SQL, auditing, data masking, and encryption
Refer: Create firewall rules & Configure your client computers
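A review check for the point these posts turn on, that the firewall matches only the public source address it sees; this is an added example, not code from the answers or from Microsoft. The sample rules, the 64-address threshold and all function names are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges: never visible to the Azure SQL firewall, which only sees
# the public (NAT or ISP-assigned) source address of a connection.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_ADDRESSES = 64  # assumed review threshold, tune to your environment

# Constructed sample rules (name, start, end) using documentation addresses.
SAMPLE_RULES = [
    ("office-nat", "203.0.113.10", "203.0.113.10"),
    ("laptop-lan", "192.168.1.25", "192.168.1.25"),
    ("azure-services", "0.0.0.0", "0.0.0.0"),
    ("everyone", "0.0.0.0", "255.255.255.255"),
    ("partner-block", "198.51.100.0", "198.51.100.255"),
]


def audit_rule(start, end):
    """Return review findings for one start/end IP firewall rule."""
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if lo > hi:
        return ["start address is above end address"]
    if int(hi) == 0:
        # Special rule: 'Allow Azure services and resources to access this server'
        return ["admits connections from any Azure-hosted source"]
    size = int(hi) - int(lo) + 1
    if size == 2 ** 32:
        return ["covers the entire IPv4 Internet"]
    findings = []
    if any(lo <= n.broadcast_address and hi >= n.network_address for n in RFC1918):
        findings.append("includes private addresses the firewall never sees")
    if size > MAX_ADDRESSES:
        findings.append(f"spans {size} addresses")
    return findings


def audit(rules):
    """Map rule name -> findings, keeping only rules that need review."""
    report = {name: audit_rule(start, end) for name, start, end in rules}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(f"{name}: {'; '.join(findings)}")
```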
I understand that Microsoft Azure is very secure and the Azure SQL Server as well. However, the question is a bit scenario-based:
I'm accessing Azure SQL Server DB using SSMS, which is asking me to login using SQL Server authentication.
In the Azure DB firewall security settings, when I try to add my current PC IP address (which is dynamic in nature), it's not adding it. Instead, it's actually considering my ISP-provided IP address. The questions are: why is it not allowing me to add my current IP address? Shouldn't there be a security issue if it's considering my ISP IP (which I can find via "what is my IP")? How and what level of security is Microsoft providing in this case? Isn't it the case that if someone gets my SQL Server credentials, they can get inside my SQL Server in Azure?
OR
Is it that the HOST/computer name and IP address (which I got via "what is my IP") must match before the SQL Server credentials will work? That would be more secure.
Hope I have explained this correctly. This is just to get more clarification, not to compare.
I understand that, I think, I should have static IP. But, the local IP is dynamic.
Thanks.
It is the IP address assigned by your ISP that the Azure SQL Database firewall can "see". That is the one you need to add as a firewall rule. The private IP address your computer is using on your local network cannot be "seen" by the Azure SQL Database firewall.
Azure SQL Database security is more than just a firewall rule. All data in transit coming from any Azure SQL Database or going to any Azure SQL Database is encrypted. Azure SQL Database does not allow non-encrypted connections. All this is happening on TCP port 1433. You cannot communicate to Azure SQL Database on a different port.
When a client first attempts a connection to SQL Azure Database, it sends an initial connection request. Consider this a "pre-pre-connection" request. At this point the client does not know if SSL/encryption is required and waits for an answer from SQL Azure to determine if SSL is indeed required throughout the session (not just the login sequence, the entire connection session). A bit is set on the response indicating so. Then the client library disconnects and reconnects armed with this information.
When you set Encrypt to true you avoid the "pre-pre-connection", and you prevent any proxy from turning off the encryption bit on the client side of the proxy; this way, attacks such as man-in-the-middle attacks are avoided.
When secure connections are needed, it is recommended to enable the "Encrypt connection" setting in SSMS.
In addition to all this, when you create a new database on Azure SQL Database, data at rest is encrypted. Transparent Data Encryption is enabled by default.
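A check for the Encrypt setting discussed in this answer, applied to ADO.NET-style connection strings; this is an added example, not code from the answer or from Microsoft. The server name and credentials are constructed placeholders, a missing Encrypt keyword is reported because driver defaults differ, and the TrustServerCertificate check goes beyond what the answer mentions.

```python
import re

# key = "quoted" | 'quoted' | bare value, terminated by ';' or end of string
PAIR = re.compile(r"""\s*([^=;]+?)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^;]*))\s*(?:;|$)""")
ENFORCED = {"true", "yes", "mandatory", "strict"}


def parse_connection_string(conn_str):
    """Return settings keyed by lowercase keyword with spaces removed."""
    settings = {}
    for m in PAIR.finditer(conn_str):
        value = next((g for g in m.groups()[1:] if g is not None), "")
        settings[m.group(1).lower().replace(" ", "")] = value.strip()
    return settings


def audit_connection_string(conn_str):
    """Return findings about transport encryption for one connection string."""
    s = parse_connection_string(conn_str)
    findings = []
    if s.get("encrypt", "").lower() not in ENFORCED:
        # Without this the client depends on the server's pre-login answer,
        # which is the bit a proxy in the path could turn off.
        findings.append("Encrypt is not forced on by the client")
    if s.get("trustservercertificate", "").lower() in {"true", "yes"}:
        findings.append("TrustServerCertificate disables certificate validation")
    return findings


# Constructed sample strings; the server name is a placeholder.
GOOD = ("Server=tcp:example.database.windows.net,1433;Database=db;"
        "User ID=app;Password='p;w=1';Encrypt=True;TrustServerCertificate=False")
WEAK = ("Server=tcp:example.database.windows.net,1433;Database=db;"
        "Encrypt=False;Trust Server Certificate=True")

if __name__ == "__main__":
    for label, cs in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, audit_connection_string(cs) or "ok")
```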
I would like to connect to Azure SQL server from a Windows server via SSMS. In the "set server firewall" from Azure, I have given my server IP (from the system I would like to connect). I need to know the destination IP address of the Azure DB Server. From the Azure portal the location is showing Central US. To allow it through the firewall I need to know the destination IP address.
My questions are:
1. As Central US could have multiple IP addresses, do I need to provide all IPs to my Firewall team?
2. How can I know the destination IP address (i.e. Azure) so that I can provide that to my firewall team?
Note: From SQL Server Management Studio, the TCP default port for SQL is enabled and services are running fine.
Hope I have explained it correctly. Thanks
No. You cannot get a static IP address assignment for your Azure SQL Database. Moreover, what you refer to (mysqlserverdatabase.mysql.database.azure.com) designates your Azure SQL Database Server, not a single Database. This is a logical server, in which you can put up to 149 Databases (150 with the Master DB).
You have to work around your requirement for static IP address assignment by working with the DNS name (mysqlserverdatabase.mysql.database.azure.com).
Otherwise, if your company firewall can't work with the DNS name, you need to set the server connection policy to Proxy as documented in Azure SQL Connectivity Architecture. This allows the database gateway to proxy all traffic between the client and the DB server. The gateways all have static IP addresses, which are listed in the above document.
If you have set up a VNet in Azure, check out VNet Service Endpoints to connect to Azure SQL.
https://azure.microsoft.com/en-in/blog/vnet-service-endpoints-for-azure-sql-database-now-generally-available/
MS suggests these ways to allow Power BI Desktop to access an Azure DB
a) opening inbound connections of all Azure IP ranges to Azure SQL
b) opening inbound connections to certain IPs
c) use an Enterprise Gateway, even if you are in Azure and not on-premise.
Concerns: is this as secure as a real VPN? Meaning no data can be sent to the DB Server port?
d) Is there no out of the Azure-box-service in place that works like a reverse proxy or application firewall with mfa?
e) is the Azure Application Proxy a solution?
What is the best security practice?
a) and b) worry me, because of a huge unknown Azure user group that does not need to have access. And because the DB would not be protected against IP spoofing.
For c),d),e) I did not find a clear quote from MS about the security risk.
Thank you for clarifying and commenting on my concerns.
From Power BI Desktop, option b) opening inbound connections to certain IPs, is the typical approach. There's typically a small, and fixed set of public IPs that your organization uses for outbound traffic, and these can be added to the Azure SQL Server's Firewall.
IP Spoofing is a non-issue, as Azure will never route return packets to the spoofer, even if they somehow got all the way to the SQL Server.
c) use an Enterprise Gateway Concerns: is this as secure as a real VPN? Means no data can be sent to the DB Server port?
Yes. The Power BI Gateway server runs on a private Azure VNet, and the SQL Server's firewall is configured to allow connections from this VNet. But Power BI Desktop can't connect directly using a Gateway. It's only a solution for connecting from Power BI Service to your data source. So if you publish a shared Data Set, you can connect using Power BI desktop to that. But you can't connect directly from Power BI Desktop to Azure SQL Database via the gateway. So you still need a firewall rule for the users designing the Power BI Data Sets (models) in Power BI Desktop.
Is there no out of the Azure-box-service in place that works like a reverse proxy or application firewall with mfa?
No. This is not an HTTP connection, so there's no reverse proxy. Although you can configure your Azure SQL Database to allow Azure Active Directory accounts, and then use your conditional access policies to force MFA. These are built-in to Azure SQL Database and Azure Active Directory, and are a layer of security after the firewall.
2021 Edit
Azure SQL Database now supports Private Link which enables Azure SQL Database to listen on an IP address on a private network in Azure. This network can be routed to your Power BI Desktop users using Site-to-Site VPN or ExpressRoute, or developers can deploy a Point-to-Site VPN to enable a single desktop to communicate directly with the target private network.
I'm setting up Auth0 integration with an application that uses an existing database that stored usernames and password hashes. The database is stored in Azure SQL Database, and I need to configure the firewall rules to allow Auth0 to be able to connect to the database.
What is the IP address range that Auth0 uses to connect to custom databases?
Within the Auth0 configuration page for setting up the Database Action Scripts for connecting to and working with your custom database, there is a list of originating IP addresses below the script editor. You can set up the Azure SQL Database Server IP whitelist to allow the specific IP addresses listed.
The display of the IP addresses looks like the following, but you'll want to use the IP addresses it lists on your account just in case they may differ from this screenshot.