Configure Windows Firewall for Database Engine Access

This topic describes how to configure a Windows firewall for Database Engine access in SQL Server 2016 by using SQL Server Configuration Manager. Firewall systems help prevent unauthorized access to computer resources. To access an instance of the SQL Server Database Engine through a firewall, you must configure the firewall on the computer running SQL Server to allow access.

For more information about the default Windows firewall settings, and a description of the TCP ports that affect the Database Engine, Analysis Services, Reporting Services, and Integration Services, see Configure the Windows Firewall to Allow SQL Server Access. There are many firewall systems available. For information specific to your system, see the firewall documentation.

The principal steps to allow access are:

  1. Configure the Database Engine to use a specific TCP/IP port. The default instance of the Database Engine uses port 1433, but that can be changed. The port used by the Database Engine is listed in the SQL Server error log. Instances of SQL Server Express, SQL Server Compact, and named instances of the Database Engine use dynamic ports. To configure these instances to use a specific port, see Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager).
  2. Configure the firewall to allow access to that port for authorized users or computers.

Note: The SQL Server Browser service lets users connect to instances of the Database Engine that are not listening on port 1433, without knowing the port number. To use SQL Server Browser, you must open UDP port 1434. To promote the most secure environment, leave the SQL Server Browser service stopped, and configure clients to connect using the port number.

Note: By default, Microsoft Windows enables the Windows Firewall, which closes port 1433 to prevent Internet computers from connecting to a default instance of SQL Server on your computer. Connections to the default instance using TCP/IP are not possible unless you reopen port 1433. The basic steps to configure the Windows firewall are provided in the following procedures. For more information, see the Windows documentation.

As an alternative to configuring SQL Server to listen on a fixed port and opening the port, you can list the SQL Server executable (Sqlservr.exe) as an exception to the blocked programs. Use this method when you want to continue to use dynamic ports. Only one instance of SQL Server can be accessed in this way.

Before You Begin

Security

Opening ports in your firewall can leave your server exposed to malicious attacks. Make sure that you understand firewall systems before you open ports. For more information, see Security Considerations for a SQL Server Installation.

Using SQL Server Configuration Manager

The following procedures configure the Windows Firewall by using the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in. The Windows Firewall with Advanced Security only configures the current profile. For more information about the Windows Firewall with Advanced Security, see Configure the Windows Firewall to Allow SQL Server Access.

To open a port in the Windows firewall for TCP access

  1. On the Start menu, click Run, type WF.msc, and then click OK.
  2. In the Windows Firewall with Advanced Security, in the left pane, right-click Inbound Rules, and then click New Rule in the action pane.
  3. In the Rule Type dialog box, select Port, and then click Next.
  4. In the Protocol and Ports dialog box, select TCP. Select Specific local ports, and then type the port number of the instance of the Database Engine, such as 1433 for the default instance. Click Next.
  5. In the Action dialog box, select Allow the connection, and then click Next.
  6. In the Profile dialog box, select any profiles that describe the computer connection environment when you want to connect to the Database Engine, and then click Next.
  7. In the Name dialog box, type a name and description for this rule, and then click Finish.

To open access to SQL Server when using dynamic ports

  1. On the Start menu, click Run, type WF.msc, and then click OK.
  2. In the Windows Firewall with Advanced Security, in the left pane, right-click Inbound Rules, and then click New Rule in the action pane.
  3. In the Rule Type dialog box, select Program, and then click Next.
  4. In the Program dialog box, select This program path. Click Browse, and navigate to the instance of SQL Server that you want to access through the firewall, and then click Open. By default, SQL Server is at C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Binn\Sqlservr.exe. Click Next.
  5. In the Action dialog box, select Allow the connection, and then click Next.
  6. In the Profile dialog box, select any profiles that describe the computer connection environment when you want to connect to the Database Engine, and then click Next.
  7. In the Name dialog box, type a name and description for this rule, and then click Finish.
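The two wizard procedures above (the fixed-port rule and the program rule for dynamic ports) as scripted equivalents, followed by the checks a reviewer would run afterwards. This is an added example, not part of the original topic; it uses the NetSecurity cmdlets available on Windows Server 2012 and later, and the port, allowed subnet and profile are lab assumptions. The same port rule also serves the manually assigned ports procedure later in the topic.

```powershell
# Added example (not from the original topic). Run in an elevated session.
# Assumptions for a lab: default instance on 1433, one authorized subnet,
# domain profile, default SQL Server 2016 install path.
$Port         = 1433
$AllowedHosts = @('10.0.10.0/24')   # only the app tier / admin hosts, never 'Any'
$FwProfile    = 'Domain'            # match the profile the server actually runs in
$SqlExe       = 'C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Binn\Sqlservr.exe'

# Procedure 1: fixed TCP port, scoped to authorized remote addresses.
New-NetFirewallRule -DisplayName "SQL Server Database Engine (TCP $Port)" `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $Port `
    -RemoteAddress $AllowedHosts -Profile $FwProfile `
    -Description 'Inbound access to the default instance from authorized hosts only'

# Procedure 2 (alternative for dynamic ports): allow the instance executable.
# Use one or the other; a program rule admits whatever port this one instance binds.
if (Test-Path $SqlExe) {
    New-NetFirewallRule -DisplayName 'SQL Server Database Engine (Sqlservr.exe)' `
        -Direction Inbound -Action Allow -Program $SqlExe `
        -RemoteAddress $AllowedHosts -Profile $FwProfile
}

# Check 1: the rules exist and are scoped (RemoteAddress must not be 'Any').
Get-NetFirewallRule -DisplayName 'SQL Server Database Engine*' |
    Get-NetFirewallAddressFilter |
    Select-Object -Property RemoteAddress

# Check 2: the Browser service is stopped, so UDP 1434 does not need to be opened.
Get-Service -Name SQLBrowser | Select-Object -Property Name, Status, StartType

# Check 3: no other rule quietly opens UDP 1434.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'UDP' -and $_.LocalPort -eq '1434' } |
    Get-NetFirewallRule |
    Select-Object -Property DisplayName, Enabled, Action, Profile
```

If Check 3 lists an enabled Allow rule, either remove it or confirm the Browser service is genuinely required for that profile.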

See Also
How to: Configure Firewall Settings (Azure SQL Database)

Configuring SQL Server client aliases

If you block UDP port 1434 or TCP port 1433 on the computer that is running SQL Server, you must create a SQL Server client alias on all other computers in the server farm. You can use SQL Server client components to create a SQL Server client alias for computers that connect to SQL Server.

To configure a SQL Server client alias

  1. Verify that the user account that is performing this procedure is a member of either the sysadmin or the serveradmin fixed server role.
  2. Run Setup for SQL Server on the target computer, and install the following client components:
     • Connectivity Components
     • Management Tools
  3. Open SQL Server Configuration Manager.
  4. In the navigation pane, click SQL Native Client Configuration.
  5. In the main window under Items, right-click Aliases, and select New Alias.
  6. In the Alias – New dialog box, in the Alias Name field, enter a name for the alias. For example, enter SharePoint_alias.
  7. In the Port No field, enter the port number for the database instance. For example, enter 40000. Make sure that the protocol is set to TCP/IP.
  8. In the Server field, enter the name of the computer that is running SQL Server.
  9. Click Apply, and then click OK.

Verification: You can test the SQL Server client alias by using SQL Server Management Studio, which is available when you install SQL Server client components.

  1. Open SQL Server Management Studio.
  2. When you are prompted to enter a server name, enter the name of the alias that you created, and then click Connect. If the connection is successful, SQL Server Management Studio is populated with objects that correspond to the remote database.
  3. To check connectivity to additional database instances from SQL Server Management Studio, click Connect, and then click Database Engine.
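The alias procedure and its verification, scripted. This is an added example and not part of the original topic: it writes the alias to the registry location that the SQL Server client tools read (HKLM\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo, plus the Wow6432Node copy for 32-bit clients), then confirms the client really reaches the fixed port. The alias name and port are the ones in the procedure; SQL01 is a constructed server name.

```powershell
# Added example (not from the original topic). Run elevated on the client computer.
$AliasName  = 'SharePoint_alias'   # from the procedure above
$ServerName = 'SQL01'              # constructed host name
$Port       = 40000                # fixed port from the procedure above

# TCP aliases are stored as "DBMSSOCN,<server>,<port>". 64-bit clients read the
# first key and 32-bit clients on a 64-bit OS read the Wow6432Node key, so set both.
$AliasKeys = @(
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'
)
foreach ($Key in $AliasKeys) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $AliasName -Value "DBMSSOCN,$ServerName,$Port"
}

# Verification 1: the alias points at the fixed port, not at UDP 1434 discovery.
Get-ItemProperty -Path $AliasKeys[0] -Name $AliasName

# Verification 2: the fixed port is reachable through the server's firewall.
Test-NetConnection -ComputerName $ServerName -Port $Port -InformationLevel Detailed

# Verification 3: connect through the alias and ask the server which local port
# accepted the session; it should equal $Port. Encryption is requested and the
# server certificate is validated rather than blindly trusted.
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$AliasName;Integrated Security=True;Encrypt=True;TrustServerCertificate=False"
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT local_tcp_port FROM sys.dm_exec_connections WHERE session_id = @@SPID'
    "Connected via $AliasName; server accepted on port " + $cmd.ExecuteScalar()
} finally {
    $conn.Close()
}
```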

See also:

  Securing SharePoint: Harden SQL Server in SharePoint Environments

  How to: Configure a Windows Firewall for Database Engine Access

  How to: Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager)

Configuring Windows Firewall to open manually assigned ports

To access a SQL Server instance through a firewall, you must configure the firewall on the computer that is running SQL Server to allow access. Any ports that you manually assign must be open in Windows Firewall.

To configure Windows Firewall to open manually assigned ports

  1. Verify that the user account that is performing this procedure is a member of either the sysadmin or the serveradmin fixed server role.
  2. In Control Panel, open System and Security.
  3. Click Windows Firewall, and then click Advanced Settings to open the Windows Firewall with Advanced Security dialog box.
  4. In the navigation pane, click Inbound Rules to display the available options in the Actions pane.
  5. Click New Rule to open the New Inbound Rule Wizard.
  6. Use the wizard to complete the steps that are required to allow access to the port that you defined in Configure a SQL Server instance to listen on a non-default port.

Note: You can configure Internet Protocol security (IPsec) to help secure communication to and from your computer that is running SQL Server by configuring the Windows firewall. You do this by selecting Connection Security Rules in the navigation pane of the Windows Firewall with Advanced Security dialog box.