Skip to main content

Tunneled Microsoft SQL Connections

This document explains how to connect to a Microsoft SQL database through an encrypted TCP tunnel. We use the sqlcmd command line utility, but the same tunnel can be used by GUI tools.

Long-lived connections behavior

When you create a TCP or Websocket connection, Pomerium validates the access policy at the time the connection is made.

Currently, there is no mechanism in place to terminate long-running connections if a policy becomes invalid.

tip

This example assumes you've already created a TCP route for this service.

Basic Connection

  1. Create a TCP tunnel, using either pomerium-cli or the Pomerium Desktop client:

    pomerium-cli tcp mssql.corp.example.com:1433 --listen :1433
    --listen

    The --listen flag is optional. It lets you define what port the tunnel listens on locally. If not specified, the client will choose a random available port.

  2. Initiate your $SERVICE connection, pointing to localhost:

    /opt/mssql-tools/bin/sqlcmd -S localhost -U SA -P "YOURSTRONGPASSWORD"

More Resources