Secure Administrative Traffic

You can use certificates to tighten security for administrative traffic. Create a new group in Active Directory (AD) and name it Authorized Administrative SQL Server Clients. Add the administrative computers that need to communicate with the SQL Server on ports other than 1433. Set up another Certificate Authority (CA) and edit the new CA's ACL to grant the Enroll permission to the new group only.

Create a new Group Policy Object (GPO), name it Authorized Administrative SQL Server Clients IPSEC, and add two automatic certificate requests: one for an IP Security (IPSec) certificate from the new CA and one for an IPSec certificate from SqlIPSecCA. (You need the certificate request to SqlIPSecCA so that you don't prevent the administrative clients from accessing the server through port 1433.) In the Authorized Administrative SQL Server Clients IPSEC GPO, create an IPSec policy and activate the policy's default response rule to use two authentication methods—certificate authentication for SqlIPSecCA and certificate authentication for the new CA. Limit the Apply Group Policy permission on the new GPO to the Authorized Administrative SQL Server Clients group, then assign the policy.

Edit the Secure SQL Server policy on the SQL Server system to add another rule. Use the All IP Traffic filter list, and set the authentication method to require a certificate from the new CA. Reassign the policy, and request a certificate from the new CA for your server. Now the server will require computers connecting to port 1433 to present a certificate from SqlIPSecCA and will require computers connecting to other ports to present a certificate from the new CA.
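The two procedures above, client side and server side, scripted as an added example; this is not the article's own script. It maps the article's IPSec policy snap-in steps onto the ActiveDirectory, GroupPolicy and NetSecurity PowerShell modules of a current Windows Server domain, where IPsec is configured as connection security rules inside a GPO. The only names taken from the article are the group, the two GPOs and SqlIPSecCA; the second CA's name (SqlAdminIPSecCA), the CA distinguished names, the OU path, the workstation names and the certificate template name are constructed placeholders. The CA ACL edit and the automatic certificate requests are not scripted here because there is no supported cmdlet for the CA's Enroll ACL; they are noted as manual steps.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy, NetSecurity
# Added example: reproduces the article's client-side and server-side steps with the
# Windows Firewall with Advanced Security (NetSecurity) cmdlets instead of the IPSec
# policy snap-in. All DNs, OU paths, host names and the template name are placeholders.

$Domain     = (Get-ADDomain).DNSRoot
$GroupName  = 'Authorized Administrative SQL Server Clients'          # from the article
$ClientGpo  = 'Authorized Administrative SQL Server Clients IPSEC'    # from the article
$ServerGpo  = 'Secure SQL Server'                                     # article's existing server policy
$Port1433CA = 'CN=SqlIPSecCA,DC=example,DC=com'       # placeholder DN of the existing CA
$AdminCA    = 'CN=SqlAdminIPSecCA,DC=example,DC=com'  # placeholder DN of the new CA
$AdminOU    = 'OU=Admin Workstations,DC=example,DC=com'  # placeholder OU holding the admin clients
$AdminHosts = 'ADMINWS01', 'ADMINWS02'                # constructed workstation names

# --- Client side -----------------------------------------------------------------
# 1. The group holds computer objects, not user accounts: IPsec machine-certificate
#    authentication identifies the host, so the ACLs and GPO filtering must target hosts.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $AdminOU
Add-ADGroupMember -Identity $GroupName -Members ($AdminHosts | ForEach-Object { Get-ADComputer $_ })

# Manual steps (no supported cmdlet): on the new CA, grant Enroll to $GroupName only and
# remove it from Authenticated Users / Domain Computers; in the client GPO, configure
# autoenrollment for one IPsec template from each CA so port 1433 keeps working.

# 2. Client GPO with a default-response style rule that accepts a certificate from either CA.
New-GPO -Name $ClientGpo | Out-Null
New-GPLink -Name $ClientGpo -Target $AdminOU | Out-Null
$clientStore = "$Domain\$ClientGpo"

$propSqlCA   = New-NetIPsecAuthProposal -Machine -Cert -Authority $Port1433CA -AuthorityType Root
$propAdminCA = New-NetIPsecAuthProposal -Machine -Cert -Authority $AdminCA   -AuthorityType Root
$clientAuth  = New-NetIPsecPhase1AuthSet -DisplayName 'SQL client: cert from either CA' `
                   -Proposal $propSqlCA, $propAdminCA -PolicyStore $clientStore
New-NetIPsecRule -DisplayName 'Respond to SQL Server IPsec' -Mode Transport `
    -Protocol TCP -RemotePort Any -InboundSecurity Request -OutboundSecurity Request `
    -Phase1AuthSet $clientAuth.Name -PolicyStore $clientStore

# 3. Limit Apply Group Policy to the admin-client group. Domain Computers keep Read so the
#    GPO is still readable under the MS16-072 processing behaviour; only the group applies it.
Set-GPPermission -Name $ClientGpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None
Set-GPPermission -Name $ClientGpo -TargetName 'Domain Computers'    -TargetType Group -PermissionLevel GpoRead
Set-GPPermission -Name $ClientGpo -TargetName $GroupName            -TargetType Group -PermissionLevel GpoApply

# --- Server side -------------------------------------------------------------------
# 4. Two rules in the existing 'Secure SQL Server' GPO: port 1433 requires a SqlIPSecCA
#    certificate; everything else (the article's "All IP Traffic" filter) requires one
#    from the new CA. Separate auth sets, because each rule must require exactly one CA.
$serverStore = "$Domain\$ServerGpo"
$authSqlCA = New-NetIPsecPhase1AuthSet -DisplayName 'Require SqlIPSecCA certificate' -PolicyStore $serverStore `
    -Proposal (New-NetIPsecAuthProposal -Machine -Cert -Authority $Port1433CA -AuthorityType Root)
$authAdmin = New-NetIPsecPhase1AuthSet -DisplayName 'Require SqlAdminIPSecCA certificate' -PolicyStore $serverStore `
    -Proposal (New-NetIPsecAuthProposal -Machine -Cert -Authority $AdminCA -AuthorityType Root)

New-NetIPsecRule -DisplayName 'SQL Server 1433: SqlIPSecCA clients' -Mode Transport `
    -Protocol TCP -LocalPort 1433 -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSqlCA.Name -PolicyStore $serverStore
New-NetIPsecRule -DisplayName 'SQL Server all other ports: admin CA clients' -Mode Transport `
    -Protocol Any -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authAdmin.Name -PolicyStore $serverStore

# 5. The server itself needs a certificate from the new CA (placeholder template name);
#    run this on the SQL Server host, then refresh policy on both sides (gpupdate /force).
# Get-Certificate -Template 'SqlAdminIPSec' -CertStoreLocation Cert:\LocalMachine\My

# Check, on the SQL Server host after a client connects: each main-mode SA lists the
# identity the peer authenticated with, so you can confirm which CA a given peer presented.
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId
```

Two things to verify rather than assume when you adapt this: that the port-specific 1433 rule takes precedence over the any-protocol rule on your server (compare the `RemoteFirstId` of a port-1433 session against one on another port), and that an administrative client that has only the SqlIPSecCA certificate is refused on non-1433 ports, which confirms the server is really requiring the new CA rather than accepting either.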
