How to: Configure a Windows Firewall for Database Engine Access

Firewall systems help prevent unauthorized access to computer resources. To access an instance of the SQL Server Database Engine through a firewall, you must configure the firewall on the computer running SQL Server to allow access.

For more information about the default Windows firewall settings, and a description of the TCP ports that affect the Database Engine, Analysis Services, Reporting Services, and Integration Services, see Configuring the Windows Firewall to Allow SQL Server Access, and Connecting to SQL Server over the Internet. There are many firewall systems available. For information specific to your system, see the firewall documentation.

Important

Opening ports in your firewall can leave your server exposed to malicious attacks. Make sure that you understand firewall systems before you open ports. For more information, see Security Considerations for a SQL Server Installation.

The principal steps to allow access are:

  1. Configure the Database Engine to use a specific TCP/IP port. The default instance of the Database Engine uses port 1433, but that can be changed. The port used by the Database Engine is listed in the SQL Server error log. Instances of SQL Server Express, SQL Server Compact 3.5 SP2, and named instances of the Database Engine use dynamic ports. To configure these instances to use a specific port, see How to: Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager).

  2. Configure the firewall to allow access to that port for authorized users or computers.

Note

The SQL Server Browser service lets users connect to instances of the Database Engine that are not listening on port 1433, without knowing the port number. To use SQL Server Browser, you must open UDP port 1434. To promote the most secure environment, leave the SQL Server Browser service stopped, and configure clients to connect using the port number.

Note

By default, Microsoft Windows XP Service Pack 2 enables the Windows Firewall, which closes port 1433 to prevent Internet computers from connecting to a default instance of SQL Server on your computer. Connections to the default instance using TCP/IP are not possible unless you reopen port 1433. The basic steps to configure the Windows XP firewall are provided in the following procedures. For more information, see the Windows documentation.

As an alternative to configuring SQL Server to listen on a fixed port and opening the port, you can list the SQL Server executable (Sqlservr.exe) as an exception to the blocked programs. Use this method when you want to continue to use dynamic ports. Only one instance of SQL Server can be accessed in this way.

The following procedures configure the Windows Firewall by using the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in. This snap-in is available beginning with Windows Vista and Windows Server 2003. The Windows Firewall with Advanced Security only configures the current profile. For more information about the Windows Firewall with Advanced Security, see Configuring the Windows Firewall to Allow SQL Server Access.

To open a port in the Windows firewall for TCP access

  1. On the Start menu, click Run, type WF.msc, and then click OK.

  2. In the Windows Firewall with Advanced Security, in the left pane, right-click Inbound Rules, and then click New Rule in the action pane.

  3. In the Rule Type dialog box, select Port, and then click Next.

  4. In the Protocol and Ports dialog box, select TCP. Select Specific local ports, and then type the port number of the instance of the Database Engine, such as 1433 for the default instance. Click Next.

  5. In the Action dialog box, select Allow the connection, and then click Next.

  6. In the Profile dialog box, select any profiles that describe the computer connection environment when you want to connect to the Database Engine, and then click Next.

  7. In the Name dialog box, type a name and description for this rule, and then click Finish.

To open access to SQL Server when using dynamic ports

  1. On the Start menu, click Run, type WF.msc, and then click OK.

  2. In the Windows Firewall with Advanced Security, in the left pane, right-click Inbound Rules, and then click New Rule in the action pane.

  3. In the Rule Type dialog box, select Program, and then click Next.

  4. In the Program dialog box, select This program path. Click Browse, and navigate to the instance of SQL Server that you want to access through the firewall, and then click Open. By default, SQL Server is at C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\Sqlservr.exe. Click Next.

  5. In the Action dialog box, select Allow the connection, and then click Next.

  6. In the Profile dialog box, select any profiles that describe the computer connection environment when you want to connect to the Database Engine, and then click Next.

  7. In the Name dialog box, type a name and description for this rule, and then click Finish.
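A scripted equivalent of the two Windows Firewall with Advanced Security procedures above, added here as an example and not part of the original article. It also limits the rule to authorized computers and then reviews which inbound rules expose TCP 1433 or UDP 1434. It assumes an elevated PowerShell session with the NetSecurity module (Windows 8 / Windows Server 2012 or later); the client subnet, rule names and the Domain profile are constructed values.

```powershell
# Added example, not from the original article. Run in an elevated session.
# Assumes the NetSecurity module (Windows 8 / Windows Server 2012 or later).
$port            = 1433            # fixed port of the instance (see the SQL Server error log)
$clients         = '192.0.2.0/24'  # constructed sample: subnet of the authorized computers
$useDynamicPorts = $false          # $true = program rule for Sqlservr.exe instead of a port rule
$exe = 'C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\Sqlservr.exe'

# Settings shared by either rule: inbound allow, one profile, authorized sources only.
$common = @{
    Direction     = 'Inbound'
    Action        = 'Allow'
    Profile       = 'Domain'       # assumption: clients connect over the domain network
    RemoteAddress = $clients
}

if ($useDynamicPorts) {
    $name  = 'SQL Server (Sqlservr.exe)'          # hypothetical rule name
    $match = @{ Program = $exe }
} else {
    $name  = "SQL Server (TCP $port)"             # hypothetical rule name
    $match = @{ Protocol = 'TCP'; LocalPort = $port }
}

# Create the rule only if a rule with this display name does not exist yet.
if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $name @match @common | Out-Null
}

# Review: enabled inbound allow rules that name the instance port or the
# SQL Server Browser port (1434), flagging any that accept every remote address.
# Rules that cover these ports through a range such as 1400-1500 are not matched.
Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        if (($pf.LocalPort -contains "$port") -or ($pf.LocalPort -contains '1434')) {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Protocol      = $pf.Protocol
                LocalPort     = $pf.LocalPort -join ','
                RemoteAddress = $af.RemoteAddress -join ','
                Profile       = $_.Profile
                OpenToAny     = ($af.RemoteAddress -contains 'Any')
            }
        }
    } | Format-Table -AutoSize
```

Any row with `OpenToAny` set to `True` accepts connections from every address the selected profile can reach and is the first candidate for tightening.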

The following procedures configure the Windows Firewall by using the Windows Firewall item in the Windows XP and Windows Server 2003 Control Panel, which only configures the firewall for the current network location profile. The Windows Firewall can also be configured by using the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in and the netsh command line tool. For more information about these tools, see Configuring the Windows Firewall to Allow SQL Server Access.

To open a port in the Windows firewall for TCP access

  1. On the Start menu, click Run, type firewall.cpl, and then click OK.

  2. In the Windows Firewall dialog box, click the Exceptions tab, and then click Add Port.

  3. In the Add a Port dialog box, in the Name text box, type SQL Server <instance name>.

  4. In the Port number text box, type the port number of the instance of the Database Engine, such as 1433 for the default instance.

  5. Verify that TCP is selected, and then click OK.

  6. To open the port to expose the SQL Server Browser service, click Add Port, type SQL Server Browser in the Name text box, type 1434 in the Port Number text box, select UDP, and then click OK.

    Note

    To allow named pipes access through the firewall, you must also enable File and Printer Sharing through the firewall.

  7. Close the Windows Firewall and the Properties dialog boxes.

Note

Click Add Program in the Windows Firewall dialog box for additional options, such as granting access to specific programs and restricting access to certain IP addresses or network subnets. For more information, see the Windows documentation.

To access a program through the Windows firewall

  1. In the Windows Firewall dialog box, on the Exceptions tab, click Add Program.

  2. Click Browse, and navigate to the instance of SQL Server that you want to access through the firewall, and then click Open. By default, SQL Server is at C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\Sqlservr.exe.

  3. To close the Windows firewall program, click OK twice.

For a brief tutorial about how to configure a static port, open the firewall, and connect to the Database Engine by using SQL Server Management Studio, see Tutorial: Getting Started with the Database Engine.

Community Content
Remote connection to SQLserver using internet | jazzyg
It will be great if the article has some information about setting up the internet connections at router/modem levels to access sql server. Nowadays everyone is connected via Modem/Router. So if we want to access sql server remotely, we might have to do port forwarding at router/modem. Just a mention of it might save hrs of hair pulling.

Cheers
Ports and Protocols used by Microsoft SQL Server 2008 | Alberto Morillo
Hello,

The following link shows a table with some ports and protocols used by SQL Server 2008.

http://www.sqlcoffee.com/Tips0011.htm


Regards,

Alberto Morillo
SQLCoffee.com
Using named instance with port 1433 | lkeng

I have a named instance that uses the default port # 1433. When connecting from SQL Mgmt Studio, I can connect using (local) or (local)\{instance name}, but when connecting from a remote machine, I have to use the server name without the instance name. This is really counter-intuitive and wasted a few hours of mine. I hope you don't have to. I also read somewhere that, when connecting from a .Net app, you would need to specify the instance name... I have not verified that, so just keep that in mind.

BTW, in SQL Server Configuration Manager, make sure you specifically enable TCP/IP. It is disabled by default. You can do so by right-clicking on the TCP/IP protocol of the named instance, or by setting it in the "Protocol" tab.

Ports used by SQL Server 2008 Services | Samson J. Loo
Here is a Microsoft link that specifies what ports are used by what SQL Server service, database engine, integration services, etc... in a tabular format with some details. http://msdn.microsoft.com/en-us/library/cc646023.aspx
© 2012 Microsoft. All rights reserved.