# Connecting to MS/Azure SQL Server over TLS

> Users may encounter connection errors while connecting to SQL Server 2022 (or greater) with `reason` set to `unsupported protocol` in `discriminat-flow` logs.

Users may encounter connection errors while connecting to SQL Server 2022 (or greater) with `reason` set to `unsupported protocol` in `discriminat-flow` logs.

**Solution:** Set `Encrypt=strict` in the connection string of the SQL Server driver. Check supported driver versions [here](https://learn.microsoft.com/en-us/sql/relational-databases/security/networking/tds-8?view=sql-server-ver17#strict-connection-encryption).

## Background

Microsoft uses a protocol called Tabular Data Stream (TDS) to establish connection between a SQL Server driver and a SQL Server. Prior to version 8 of the TDS protocol, TLS encryption was preceded by a cleartext *prelogin* phase. With TDS version 8, TLS precedes any TDS messages.

The following snippet is taken from a [Microsoft document on TDS 8.0](https://learn.microsoft.com/en-us/sql/relational-databases/security/networking/tds-8):

![](img/sql-tds-v8-vs-v7.png)

Also from that document:

>The TLS handshake now precedes any TDS messages, wrapping the TDS session in TLS to enforce encryption, making TDS 8.0 aligned with HTTPS and other web protocols. This significantly contributes to TDS traffic manageability as standard network appliances are now able to filter and securely passthrough SQL queries.

## Solution

It is sufficient to set `Encrypt=strict` in the connection string. For other methods and application stacks, please see [Connect to SQL Server with strict encryption](https://learn.microsoft.com/en-us/sql/relational-databases/security/networking/connect-with-strict-encryption) on Microsoft docs.

## Example Rule Configuration for DiscrimiNAT

The following examples assume TCP port 1433 – which is the default connection port for MS SQL Server and Azure SQL Database.

### on AWS

![](img/sql-1433-aws-example.png)

### on GCP

![](img/sql-1433-gcp-example.png)